[Secure-testing-commits] r59011 - static

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-29 07:38:05 + (Fri, 29 Dec 2017)
New Revision: 59011

Modified:
   static/distributions.json
Log:
Add contact point for the supported distributions, cf. #878088

Add an additional field referring to the desired contact address. In
case of no support, the field is not present.

Modified: static/distributions.json
===
--- static/distributions.json   2017-12-29 07:20:18 UTC (rev 59010)
+++ static/distributions.json   2017-12-29 07:38:05 UTC (rev 59011)
@@ -1,15 +1,18 @@
 {
   "wheezy": {
 "major-version": "7",
-"support": "lts"
+"support": "lts",
+"contact": "debian-...@lists.debian.org"
   },
   "jessie": {
 "major-version": "8",
-"support": "security"
+"support": "security",
+"contact": "t...@security.debian.org"
   },
   "stretch": {
 "major-version": "9",
-"support": "security"
+"support": "security",
+"contact": "t...@security.debian.org"
   },
   "buster": {
 "major-version": "10",
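Review bot: anything that reads distributions.json must treat "contact" as optional, because the log states the key is omitted for releases without support and the buster entry at the end of the hunk carries none; look the key up with a default rather than indexing it directly. The addresses visible here ("debian-...@lists.debian.org", "t...@security.debian.org") are shortened by the list archive, so the full values have to be checked in the committed file.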


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r59010 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-29 07:20:18 + (Fri, 29 Dec 2017)
New Revision: 59010

Modified:
   data/CVE/list
Log:
Asked MITRE (and confirmed) for rejection of CVE-2017-17496

The CVE is invalid, since the respective functions having the problems are
only in dead code and are unused. There is no vulnerability. The CVE has been
withdrawn by MITRE itself.

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-29 06:46:46 UTC (rev 59009)
+++ data/CVE/list   2017-12-29 07:20:18 UTC (rev 59010)
@@ -6105,8 +6105,8 @@
- tidy-html5  (Vulnerable code introduced after 5.6.0)
- tidy  (Vulnerable code not present)
NOTE: https://github.com/htacg/tidy-html5/issues/656
-CVE-2017-17496 (The socket_create function in socket.c in idevicerestore 
through ...)
-   TODO: check
+CVE-2017-17496
+   REJECTED
 CVE-2017-17495
RESERVED
 CVE-2017-17494
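Review bot: the reason for the rejection (the affected functions are dead code) now lives only in the commit log; consider keeping a NOTE line with the upstream reference under the REJECTED entry so later triage of the same identifier does not have to dig through history.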




[Secure-testing-commits] r59009 - bin

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-29 06:46:46 + (Fri, 29 Dec 2017)
New Revision: 59009

Modified:
   bin/update
Log:
bin/update: Run commands from BASEDIR where update script was called

Reasoning: The script is used for the automatic updates of the CVE list.
This allows calling the script from the sectracker-controlled path while
working on the CVE list in a work directory.

Modified: bin/update
===
--- bin/update  2017-12-28 22:12:38 UTC (rev 59008)
+++ bin/update  2017-12-29 06:46:46 UTC (rev 59009)
@@ -1,6 +1,9 @@
 #!/bin/sh
 set -e
 
+SCRIPT=$(readlink -f "$0")
+BASEDIR=$(dirname "$SCRIPT")
+
 if [ ! -d CVE ]; then
echo "run in data subdirectory" >&2
exit 1
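Review bot: readlink -f "$0" resolves symlinks before dirname is taken, so BASEDIR points at the real bin directory even when the script is reached through a symlink, which matters given the compat symlinks for bin planned in r59003 on this page; readlink -f is a GNU extension, acceptable for a script that only runs on Debian hosts, but a one-line comment saying so would help.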
@@ -15,5 +18,5 @@
 # capath=/etc/ssl/ca-global
 curl -s -o allitems.html.gz 
https://cve.mitre.org/data/downloads/allitems.html.gz
 gunzip allitems.html.gz
-../../bin/updatelist allitems.html ../DSA/list ../DTSA/list ../DLA/list list > 
list.new
+$BASEDIR/updatelist allitems.html ../DSA/list ../DTSA/list ../DLA/list list > 
list.new
 mv -f list.new list
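Review bot: $BASEDIR is expanded unquoted on the updatelist line, so a path containing whitespace would be split into several arguments; write "$BASEDIR"/updatelist. Separately, the curl call visible in the same hunk has no -f, so an HTTP error page would be saved as allitems.html.gz and the run would only fail later at gunzip; curl -fsS would stop at the download with a clear message.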




[Secure-testing-commits] r59008 - data

2017-12-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-28 22:12:38 + (Thu, 28 Dec 2017)
New Revision: 59008

Modified:
   data/next-oldstable-point-update.txt
   data/next-point-update.txt
Log:
libextractor spu/ospu


Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-12-28 21:29:03 UTC (rev 
59007)
+++ data/next-oldstable-point-update.txt2017-12-28 22:12:38 UTC (rev 
59008)
@@ -47,3 +47,17 @@
[jessie] - soundtouch 1.8.0-1+deb8u1
 CVE-2017-16879
[jessie] - ncurses 5.9+20140913-1+deb8u3
+CVE-2017-17440
+   [jessie] - libextractor 1:1.3-2+deb8u1
+CVE-2017-15266
+   [jessie] - libextractor 1:1.3-2+deb8u1
+CVE-2017-15267
+   [jessie] - libextractor 1:1.3-2+deb8u1
+CVE-2017-15600
+   [jessie] - libextractor 1:1.3-2+deb8u1
+CVE-2017-15601
+   [jessie] - libextractor 1:1.3-2+deb8u1
+CVE-2017-15602
+   [jessie] - libextractor 1:1.3-2+deb8u1
+CVE-2017-15922
+   [jessie] - libextractor 1:1.3-2+deb8u1

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2017-12-28 21:29:03 UTC (rev 59007)
+++ data/next-point-update.txt  2017-12-28 22:12:38 UTC (rev 59008)
@@ -37,3 +37,17 @@
[stretch] - soundtouch 1.9.2-2+deb9u1
 CVE-2017-16879
[stretch] - ncurses 6.0+20161126-1+deb9u2
+CVE-2017-17440
+   [stretch] - libextractor 1:1.3-4+deb9u1
+CVE-2017-15266
+   [stretch] - libextractor 1:1.3-4+deb9u1
+CVE-2017-15267
+   [stretch] - libextractor 1:1.3-4+deb9u1
+CVE-2017-15600
+   [stretch] - libextractor 1:1.3-4+deb9u1
+CVE-2017-15601
+   [stretch] - libextractor 1:1.3-4+deb9u1
+CVE-2017-15602
+   [stretch] - libextractor 1:1.3-4+deb9u1
+CVE-2017-15922
+   [stretch] - libextractor 1:1.3-4+deb9u1




[Secure-testing-commits] r59007 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 21:29:03 + (Thu, 28 Dec 2017)
New Revision: 59007

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 21:10:14 UTC (rev 59006)
+++ data/CVE/list   2017-12-28 21:29:03 UTC (rev 59007)
@@ -215,31 +215,31 @@
 CVE-2017-17961
RESERVED
 CVE-2017-17960 (PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17959 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection 
via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17958 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17957 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection 
via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17956 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17955 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17954 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17953 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the 
category.php ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17952 (PHP Scripts Mall PHP Multivendor Ecommerce has a predicable 
...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17951 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection 
via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce
 CVE-2017-17950 (Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid 
...)
-   TODO: check
+   NOT-FOR-US: Cells Blog
 CVE-2017-17949 (Cells Blog 3.5 has XSS via the pub_readpost.php fmid 
parameter. ...)
-   TODO: check
+   NOT-FOR-US: Cells Blog
 CVE-2017-17948 (Cells Blog 3.5 has XSS via the jfdname parameter in an 
act=showpic ...)
-   TODO: check
+   NOT-FOR-US: Cells Blog
 CVE-2017-17947
RESERVED
 CVE-2017-1000411




[Secure-testing-commits] r59006 - data/CVE

2017-12-28 Thread security tracker role
Author: sectracker
Date: 2017-12-28 21:10:14 + (Thu, 28 Dec 2017)
New Revision: 59006

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 20:44:59 UTC (rev 59005)
+++ data/CVE/list   2017-12-28 21:10:14 UTC (rev 59006)
@@ -1,3 +1,249 @@
+CVE-2018-3709
+   RESERVED
+CVE-2018-3708
+   RESERVED
+CVE-2018-3707
+   RESERVED
+CVE-2018-3706
+   RESERVED
+CVE-2018-3705
+   RESERVED
+CVE-2018-3704
+   RESERVED
+CVE-2018-3703
+   RESERVED
+CVE-2018-3702
+   RESERVED
+CVE-2018-3701
+   RESERVED
+CVE-2018-3700
+   RESERVED
+CVE-2018-3699
+   RESERVED
+CVE-2018-3698
+   RESERVED
+CVE-2018-3697
+   RESERVED
+CVE-2018-3696
+   RESERVED
+CVE-2018-3695
+   RESERVED
+CVE-2018-3694
+   RESERVED
+CVE-2018-3693
+   RESERVED
+CVE-2018-3692
+   RESERVED
+CVE-2018-3691
+   RESERVED
+CVE-2018-3690
+   RESERVED
+CVE-2018-3689
+   RESERVED
+CVE-2018-3688
+   RESERVED
+CVE-2018-3687
+   RESERVED
+CVE-2018-3686
+   RESERVED
+CVE-2018-3685
+   RESERVED
+CVE-2018-3684
+   RESERVED
+CVE-2018-3683
+   RESERVED
+CVE-2018-3682
+   RESERVED
+CVE-2018-3681
+   RESERVED
+CVE-2018-3680
+   RESERVED
+CVE-2018-3679
+   RESERVED
+CVE-2018-3678
+   RESERVED
+CVE-2018-3677
+   RESERVED
+CVE-2018-3676
+   RESERVED
+CVE-2018-3675
+   RESERVED
+CVE-2018-3674
+   RESERVED
+CVE-2018-3673
+   RESERVED
+CVE-2018-3672
+   RESERVED
+CVE-2018-3671
+   RESERVED
+CVE-2018-3670
+   RESERVED
+CVE-2018-3669
+   RESERVED
+CVE-2018-3668
+   RESERVED
+CVE-2018-3667
+   RESERVED
+CVE-2018-3666
+   RESERVED
+CVE-2018-3665
+   RESERVED
+CVE-2018-3664
+   RESERVED
+CVE-2018-3663
+   RESERVED
+CVE-2018-3662
+   RESERVED
+CVE-2018-3661
+   RESERVED
+CVE-2018-3660
+   RESERVED
+CVE-2018-3659
+   RESERVED
+CVE-2018-3658
+   RESERVED
+CVE-2018-3657
+   RESERVED
+CVE-2018-3656
+   RESERVED
+CVE-2018-3655
+   RESERVED
+CVE-2018-3654
+   RESERVED
+CVE-2018-3653
+   RESERVED
+CVE-2018-3652
+   RESERVED
+CVE-2018-3651
+   RESERVED
+CVE-2018-3650
+   RESERVED
+CVE-2018-3649
+   RESERVED
+CVE-2018-3648
+   RESERVED
+CVE-2018-3647
+   RESERVED
+CVE-2018-3646
+   RESERVED
+CVE-2018-3645
+   RESERVED
+CVE-2018-3644
+   RESERVED
+CVE-2018-3643
+   RESERVED
+CVE-2018-3642
+   RESERVED
+CVE-2018-3641
+   RESERVED
+CVE-2018-3640
+   RESERVED
+CVE-2018-3639
+   RESERVED
+CVE-2018-3638
+   RESERVED
+CVE-2018-3637
+   RESERVED
+CVE-2018-3636
+   RESERVED
+CVE-2018-3635
+   RESERVED
+CVE-2018-3634
+   RESERVED
+CVE-2018-3633
+   RESERVED
+CVE-2018-3632
+   RESERVED
+CVE-2018-3631
+   RESERVED
+CVE-2018-3630
+   RESERVED
+CVE-2018-3629
+   RESERVED
+CVE-2018-3628
+   RESERVED
+CVE-2018-3627
+   RESERVED
+CVE-2018-3626
+   RESERVED
+CVE-2018-3625
+   RESERVED
+CVE-2018-3624
+   RESERVED
+CVE-2018-3623
+   RESERVED
+CVE-2018-3622
+   RESERVED
+CVE-2018-3621
+   RESERVED
+CVE-2018-3620
+   RESERVED
+CVE-2018-3619
+   RESERVED
+CVE-2018-3618
+   RESERVED
+CVE-2018-3617
+   RESERVED
+CVE-2018-3616
+   RESERVED
+CVE-2018-3615
+   RESERVED
+CVE-2018-3614
+   RESERVED
+CVE-2018-3613
+   RESERVED
+CVE-2018-3612
+   RESERVED
+CVE-2018-3611
+   RESERVED
+CVE-2018-3610
+   RESERVED
+CVE-2017-17968
+   RESERVED
+CVE-2017-17967 (pptreader.dll in Kingsoft WPS Office 10.1.0.6930 allows remote 
...)
+   TODO: check
+CVE-2017-17966
+   RESERVED
+CVE-2017-17965
+   RESERVED
+CVE-2017-17964
+   RESERVED
+CVE-2017-17963
+   RESERVED
+CVE-2017-17962
+   RESERVED
+CVE-2017-17961
+   RESERVED
+CVE-2017-17960 (PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via ...)
+   TODO: check
+CVE-2017-17959 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection 
via the ...)
+   TODO: check
+CVE-2017-17958 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
+   TODO: check
+CVE-2017-17957 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection 
via the ...)
+   TODO: check
+CVE-2017-17956 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
+   TODO: check
+CVE-2017-17955 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
+   TODO: check
+CVE-2017-17954 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the ...)
+   TODO: check
+CVE-2017-17953 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the 
category.php ...)
+   TODO: check
+CVE-2017-17952 (PHP Scripts Mall PHP Multivendor Ecommerce has a predicable 
...)
+   TODO: check
+CVE-2017-17951 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection 
via the ...)
+   TODO: check
+CVE-2017-17950 (Cells Blog 3.5 

[Secure-testing-commits] r59005 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 20:44:59 + (Thu, 28 Dec 2017)
New Revision: 59005

Modified:
   data/CVE/list
Log:
Add CVE-2017-17932, NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 20:19:58 UTC (rev 59004)
+++ data/CVE/list   2017-12-28 20:44:59 UTC (rev 59005)
@@ -57,7 +57,7 @@
 CVE-2017-17933
RESERVED
 CVE-2017-17932 (A buffer overflow vulnerability exists in MediaServer.exe in 
ALLPlayer ...)
-   TODO: check
+   NOT-FOR-US: ALLPlayer
 CVE-2017-17931 (PHP Scripts Mall Resume Clone Script has SQL Injection via the 
...)
NOT-FOR-US: PHP Scripts Mall Resume Clone Script
 CVE-2017-17930 (PHP Scripts Mall Professional Service Script has CSRF via ...)




[Secure-testing-commits] r59004 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 20:19:58 + (Thu, 28 Dec 2017)
New Revision: 59004

Modified:
   data/CVE/list
Log:
Add fixing version for two libextractor issues for upload to unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 20:10:17 UTC (rev 59003)
+++ data/CVE/list   2017-12-28 20:19:58 UTC (rev 59004)
@@ -6336,7 +6336,7 @@
NOTE: Patch: 
https://bitbucket.org/mpyne/game-music-emu/commits/205290614cdc057541b26adeea05a9d45993f860
NOTE: Additional hardening: 
https://bitbucket.org/mpyne/game-music-emu/commits/4a441e94cba14268bc4e983d4dfd6ed112084d00
 CVE-2017-17440 (GNU Libextractor 1.6 allows remote attackers to cause a denial 
of ...)
-   - libextractor  (bug #883528)
+   - libextractor 1:1.6-2 (bug #883528)
[stretch] - libextractor  (Minor issue)
[jessie] - libextractor  (Minor issue)
[wheezy] - libextractor  (Minor issue)
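Review bot: the unstable fix 1:1.6-2 is recorded here, but the stretch, jessie and wheezy lines still carry no version; r59008 on this page queues 1:1.3-4+deb9u1 and 1:1.3-2+deb8u1 for the point updates, so those versions need to be moved into these lines once the updates are accepted. The double space after the package name on the context lines is where the list archive dropped the angle-bracket status marker, so the markers themselves cannot be reviewed from this rendering.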
@@ -13206,7 +13206,7 @@
NOTE: 
https://cgit.kde.org/konversation.git/commit/?h=1.7=6a7f59ee1b9dbc6e5cf9e5f3b306504d02b73ef0
 CVE-2017-15922 (In GNU Libextractor 1.4, there is an out-of-bounds read in the 
...)
{DLA-1198-1}
-   - libextractor  (low; bug #880016)
+   - libextractor 1:1.6-2 (low; bug #880016)
[stretch] - libextractor  (Minor issue)
[jessie] - libextractor  (Minor issue)
NOTE: 
http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg8.html




[Secure-testing-commits] r59003 - tools/git-migration

2017-12-28 Thread Guido Guenther
Author: agx
Date: 2017-12-28 20:10:17 + (Thu, 28 Dec 2017)
New Revision: 59003

Added:
   tools/git-migration/add-security-tracker-bin-submodule
   tools/git-migration/filter-sec-tracker-data
Log:
Add scripts to split security-tracker into data and "binaries"

Added: tools/git-migration/add-security-tracker-bin-submodule
===
--- tools/git-migration/add-security-tracker-bin-submodule  
(rev 0)
+++ tools/git-migration/add-security-tracker-bin-submodule  2017-12-28 
20:10:17 UTC (rev 59003)
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Wire up the security-tracker-bin submodule in security-tracker (the data)
+#
+# For the moment we create compat symlinks so everything stays in place.
+# In the long run we should be able to get rid of most of them.
+#
+# This will be run only once when migrating from svn to git
+
+set -e
+
+SUBMODULE=security-tracker-bin
+
+# From salsa
+#git submodule add ../${SUBMODULE}
+# Local copy for testing
+git submodule add file://$PWD/../$SUBMODULE
+
+git submodule update
+for d in bin check-external lib static templates tools website; do
+rm -f $d
+ln -s $SUBMODULE/$d $d
+done
+
+make check-syntax
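Review bot: the salsa form of the submodule add is commented out and the file://$PWD/../$SUBMODULE testing variant is live, so the one-off migration run would wire a local path into .gitmodules unless the two lines are swapped first; $PWD should also be quoted. In the loop, rm -f cannot remove a directory, so if any of bin, check-external, lib, static, templates, tools or website still exists as a directory after filtering, rm fails and set -e aborts before the symlink is created; rm -rf, or an explicit check that the path is already gone, would make the intent clear.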


Property changes on: tools/git-migration/add-security-tracker-bin-submodule
___
Added: svn:executable
   + *

Added: tools/git-migration/filter-sec-tracker-data
===
--- tools/git-migration/filter-sec-tracker-data (rev 0)
+++ tools/git-migration/filter-sec-tracker-data 2017-12-28 20:10:17 UTC (rev 
59003)
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# Separate security tracker data form the "binaries"
+#
+# With no option the data repo will be built, with
+# "--binary" the binary repo will be built
+#
+# This will be run only once when migrating from svn to git
+
+FILTER='^(conf|data|doc|org|packages|stamps)/|^TODO.gitmigration|^Makefile|^.gitignore'
+BRANCH=master
+
+OUT=v
+if [ "$1" == "--binary" ]; then
+OUT=
+fi
+
+git filter-branch \
+--prune-empty \
+--index-filter "
+git ls-tree -z -r --name-only --full-tree \$GIT_COMMIT \
+| grep -zZE'${OUT}' '"${FILTER}"' \
+| xargs -0 -r git rm --cached -r
+" \
+-- \
+"${BRANCH}"
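Review bot: the selector is built by splicing shell variables into the double-quoted index-filter string, so grep -zZE'${OUT}' becomes grep -zZE'v' (or grep -zZE'' with --binary) and the single quotes are consumed again by the shell that runs the filter; it works, but a variable holding the whole option, e.g. GREPOPT=-v and grep -zZE $GREPOPT, would be far easier to verify. The pattern ^.gitignore has an unescaped dot, so ^\.gitignore is what is meant. Since this is a one-shot svn-to-git run, set -e would also stop the script if filter-branch fails instead of silently continuing.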


Property changes on: tools/git-migration/filter-sec-tracker-data
___
Added: svn:executable
   + *




[Secure-testing-commits] r59002 - doc

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 20:07:51 + (Thu, 28 Dec 2017)
New Revision: 59002

Modified:
   doc/soriano.txt
Log:
sectracker user is as well subscribed to debian-lts-annou...@lists.debian.org

Modified: doc/soriano.txt
===
--- doc/soriano.txt 2017-12-28 17:24:00 UTC (rev 59001)
+++ doc/soriano.txt 2017-12-28 20:07:51 UTC (rev 59002)
@@ -27,6 +27,7 @@
 be notified of changes:
 
   
+  
   
 
 The crontab of the "sectracker" user is set up such that the scripts




[Secure-testing-commits] r59001 - in data: . DLA

2017-12-28 Thread Roberto C. Sanchez
Author: roberto
Date: 2017-12-28 17:24:00 + (Thu, 28 Dec 2017)
New Revision: 59001

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1224-1 for mercurial

Modified: data/DLA/list
===
--- data/DLA/list   2017-12-28 12:52:37 UTC (rev 59000)
+++ data/DLA/list   2017-12-28 17:24:00 UTC (rev 59001)
@@ -1,3 +1,6 @@
+[28 Dec 2017] DLA-1224-1 mercurial - security update
+   {CVE-2017-17458}
+   [wheezy] - mercurial 2.2.2-4+deb7u6
 [24 Dec 2017] DLA-1223-1 thunderbird - security update
{CVE-2017-7829 CVE-2017-7846 CVE-2017-7847 CVE-2017-7848}
[wheezy] - thunderbird 1:52.5.2-1~deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-28 12:52:37 UTC (rev 59000)
+++ data/dla-needed.txt 2017-12-28 17:24:00 UTC (rev 59001)
@@ -44,8 +44,6 @@
 --
 linux
 --
-mercurial (Roberto C. Sánchez)
---
 ming (Hugo Lefeuvre)
   NOTE: 20171120: wip, currently working on it with upstream, might take a 
while
   NOTE: Some issues currently in upstream's bug tracker are missing a CVE 
number, so number of issues might increase in the next weeks



[Secure-testing-commits] r59000 - /

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 12:52:37 + (Thu, 28 Dec 2017)
New Revision: 59000

Modified:
   TODO.gitmigration
Log:
Add some notes on implemented work from the TODO list

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2017-12-28 11:37:15 UTC (rev 58999)
+++ TODO.gitmigration   2017-12-28 12:52:37 UTC (rev 59000)
@@ -56,10 +56,16 @@
   [20:19] < formorer> hope that helps
   [20:27] < formorer> carnil: https://wiki.debian.org/Salsa/Doc#Custom_Hooks
 
+  => agx/Guido implemented a solution installing a pre-commit hook via
+ bin/setup-repo.
+ although that is not an enforcement it is good enough until CI/runners are
+ available
+
 security-team.debian.org website
 
 - move this file to git
 - ping federico3 to update the codebase for security-metrics.d.n (uses git-svn)
+  => This seems not to be updated anymore
 
 sectracker role account:
 - Creation request: https://salsa.debian.org/salsa/support/issues/6
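Review bot: the added note is right that the pre-commit hook from bin/setup-repo is not enforcement: it only runs in clones whose owner has run setup-repo, so a push from any other clone bypasses the check. It would be worth stating explicitly that server-side enforcement (the CI/runners mentioned) remains an open item, so this entry is not read as closed.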
@@ -73,6 +79,7 @@
 
 bin/tracker_data.py:
 - needs a rewrite, contact buxy (Raphaël Hertzog)
+  => agx/Guido fixed this to work with the git repository
 
 old repository:
 - Add a pre-receive hook to prevent accidental pushes to the old alioth



[Secure-testing-commits] r58999 - data

2017-12-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-28 11:37:15 + (Thu, 28 Dec 2017)
New Revision: 58999

Modified:
   data/next-oldstable-point-update.txt
   data/next-point-update.txt
Log:
ncurses spu/ospu


Modified: data/next-oldstable-point-update.txt
===
--- data/next-oldstable-point-update.txt2017-12-28 11:04:04 UTC (rev 
58998)
+++ data/next-oldstable-point-update.txt2017-12-28 11:37:15 UTC (rev 
58999)
@@ -45,3 +45,5 @@
[jessie] - soundtouch 1.8.0-1+deb8u1
 CVE-2017-9260
[jessie] - soundtouch 1.8.0-1+deb8u1
+CVE-2017-16879
+   [jessie] - ncurses 5.9+20140913-1+deb8u3

Modified: data/next-point-update.txt
===
--- data/next-point-update.txt  2017-12-28 11:04:04 UTC (rev 58998)
+++ data/next-point-update.txt  2017-12-28 11:37:15 UTC (rev 58999)
@@ -35,3 +35,5 @@
[stretch] - soundtouch 1.9.2-2+deb9u1
 CVE-2017-9260
[stretch] - soundtouch 1.9.2-2+deb9u1
+CVE-2017-16879
+   [stretch] - ncurses 6.0+20161126-1+deb9u2




[Secure-testing-commits] r58998 - data/CVE

2017-12-28 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-12-28 11:04:04 + (Thu, 28 Dec 2017)
New Revision: 58998

Modified:
   data/CVE/list
Log:
CVE-2017-17664/asterisk n/a on wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 10:58:08 UTC (rev 58997)
+++ data/CVE/list   2017-12-28 11:04:04 UTC (rev 58998)
@@ -5340,6 +5340,7 @@
 CVE-2017-17664 (A Remote Crash issue was discovered in Asterisk Open Source 
13.x before ...)
- asterisk  (bug #884345)
[jessie] - asterisk  (Vulnerable code introduced later)
+   [wheezy] - asterisk  (Vulnerable code introduced later)
NOTE: http://downloads.digium.com/pub/security/AST-2017-012.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27382
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27429




[Secure-testing-commits] r58997 - org

2017-12-28 Thread Guido Guenther
Author: agx
Date: 2017-12-28 10:58:08 + (Thu, 28 Dec 2017)
New Revision: 58997

Modified:
   org/lts-frontdesk.2018.txt
Log:
lts: agx frontdesk

Modified: org/lts-frontdesk.2018.txt
===
--- org/lts-frontdesk.2018.txt  2017-12-28 10:51:06 UTC (rev 58996)
+++ org/lts-frontdesk.2018.txt  2017-12-28 10:58:08 UTC (rev 58997)
@@ -13,11 +13,11 @@
 
 From 01-01 to 07-01:Chris Lamb 
 From 08-01 to 14-01:
-From 15-01 to 21-01:
+From 15-01 to 21-01:Guido Günther 
 From 22-01 to 28-01:Thorsten Alteholz 
 From 29-01 to 04-02:
 From 05-02 to 11-02:
-From 12-02 to 18-02:
+From 12-02 to 18-02:Guido Günther 
 From 19-02 to 25-02:Chris Lamb 
 From 26-02 to 04-03:
 From 05-03 to 11-03:Chris Lamb 
@@ -28,7 +28,7 @@
 From 09-04 to 15-04:
 From 16-04 to 22-04:
 From 23-04 to 29-04:Thorsten Alteholz 
-From 30-04 to 06-05:
+From 30-04 to 06-05:Guido Günther 
 From 07-05 to 13-05:
 From 14-05 to 20-05:Chris Lamb 
 From 21-05 to 27-05:
@@ -37,7 +37,7 @@
 From 11-06 to 17-06:Thorsten Alteholz 
 From 18-06 to 24-06:
 From 25-06 to 01-07:
-From 02-07 to 08-07:
+From 02-07 to 08-07:Guido Günther 
 From 09-07 to 15-07:
 From 16-07 to 22-07:
 From 23-07 to 29-07:Chris Lamb 
@@ -49,18 +49,18 @@
 From 03-09 to 09-09:Chris Lamb 
 From 10-09 to 16-09:Thorsten Alteholz 
 From 17-09 to 23-09:
-From 24-09 to 30-09:
+From 24-09 to 30-09:Guido Günther 
 From 01-10 to 07-10:Chris Lamb 
 From 08-10 to 14-10:
 From 15-10 to 21-10:
 From 22-10 to 28-10:Thorsten Alteholz 
 From 29-10 to 04-11:
 From 05-11 to 11-11:Chris Lamb 
-From 12-11 to 18-11:
+From 12-11 to 18-11:Guido Günther 
 From 19-11 to 25-11:
 From 26-11 to 02-12:Thorsten Alteholz 
 From 03-12 to 09-12:Chris Lamb 
-From 10-12 to 16-12:
+From 10-12 to 16-12:Guido Günther 
 From 17-12 to 23-12:
 From 24-12 to 30-12:
 From 31-12 to 06-01:



[Secure-testing-commits] r58996 - in data: . CVE

2017-12-28 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-12-28 10:51:06 + (Thu, 28 Dec 2017)
New Revision: 58996

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
tor unsupported in wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 10:20:52 UTC (rev 58995)
+++ data/CVE/list   2017-12-28 10:51:06 UTC (rev 58996)
@@ -34282,26 +34282,31 @@
 CVE-2017-8823 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 
0.2.9 ...)
{DSA-4054-1}
- tor 0.3.1.9-1
+   [wheezy] - tor  (Not supported in wheezy LTS)
NOTE: https://bugs.torproject.org/24313
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8822 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 
0.2.9 ...)
{DSA-4054-1}
- tor 0.3.1.9-1
+   [wheezy] - tor  (Not supported in wheezy LTS)
NOTE: https://bugs.torproject.org/21534
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8821 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 
0.2.9 ...)
{DSA-4054-1}
- tor 0.3.1.9-1
+   [wheezy] - tor  (Not supported in wheezy LTS)
NOTE: https://bugs.torproject.org/24246
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8820 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 
0.2.9 ...)
{DSA-4054-1}
- tor 0.3.1.9-1
+   [wheezy] - tor  (Not supported in wheezy LTS)
NOTE: https://bugs.torproject.org/24245
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8819 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 
0.2.9 ...)
{DSA-4054-1}
- tor 0.3.1.9-1
+   [wheezy] - tor  (Not supported in wheezy LTS)
NOTE: https://bugs.torproject.org/24244
NOTE: 
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
 CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow 
attackers to ...)
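Review bot: the five added wheezy lines show an empty field between the package name and the parenthetical, which is where the tracker's angle-bracket status marker sits; the list archive strips it as markup, so the marker actually committed should be confirmed in the repository. Marking every tor CVE as unsupported in wheezy while dropping tor from dla-needed.txt in the same revision is consistent, but a note recording that tor is unsupported for the remainder of wheezy LTS would stop the next tor CVE from being re-added to dla-needed.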

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-28 10:20:52 UTC (rev 58995)
+++ data/dla-needed.txt 2017-12-28 10:51:06 UTC (rev 58996)
@@ -61,8 +61,6 @@
 --
 tiff3
 --
-tor
---
 wireshark (Thorsten Alteholz)
   NOTE: 2017-08-28: Contacted maintainer since most issues affect 
Jessie/Stretch as well
   NOTE: 2017-12-12: The maintainer asked us to handle the package ourselves. 
See




[Secure-testing-commits] r58995 - data

2017-12-28 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-12-28 10:20:52 + (Thu, 28 Dec 2017)
New Revision: 58995

Modified:
   data/dla-needed.txt
Log:
dla: remove rtpproxy, issue marked as unimportant

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-28 10:20:11 UTC (rev 58994)
+++ data/dla-needed.txt 2017-12-28 10:20:52 UTC (rev 58995)
@@ -53,9 +53,6 @@
 mupdf
   NOTE: 20171224: Upstream patch does not apply to LTS cleanly. Might need 
hanges to apps/pdfclean.c rather than pdf-write.c (lamby)
 --
-rtpproxy
-  NOTE: it's not clear to me if a fix is even possible. (Raphaël Hertzog)
---
 swftools (Guido Günther)
   NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
   NOTE: 20171210: likely to be turned into a pkg with limited sec support



[Secure-testing-commits] r58994 - in data: . CVE

2017-12-28 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-12-28 10:20:11 + (Thu, 28 Dec 2017)
New Revision: 58994

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
nasm no-dsa on wheezy as well

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 10:19:28 UTC (rev 58993)
+++ data/CVE/list   2017-12-28 10:20:11 UTC (rev 58994)
@@ -405,59 +405,70 @@
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392433
 CVE-2017-17819 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal 
address access ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392435
NOTE: 
http://repo.or.cz/nasm.git/commit/7524cfd91492e6e3719b959498be584a9ced13af 
(nasm-2.13.02rc3)
 CVE-2017-17818 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based 
buffer ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392428
 CVE-2017-17817 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free 
in ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392427
 CVE-2017-17816 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free 
in ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392426
 CVE-2017-17815 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal 
address access ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: 
http://repo.or.cz/nasm.git/commit/c9244eaadd05b27637cde06021bac3fa1d920aa3 
(nasm-2.13.02rc3)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392436
 CVE-2017-17814 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free 
in ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392430
 CVE-2017-17813 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free 
in the ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392429
 CVE-2017-17812 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based 
buffer ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: 
http://repo.or.cz/nasm.git/commit/9b7ee09abfd426b99aa1ea81d19a3b2818eeabf9 
(nasm-2.13.02rc3)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392424
 CVE-2017-17811 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based 
buffer ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392432
 CVE-2017-17810 (In Netwide Assembler (NASM) 2.14rc0, there is a SEGV on 
unknown ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
[jessie] - nasm  (Minor issue)
+   [wheezy] - nasm  (Minor issue)
NOTE: 
http://repo.or.cz/nasm.git/commit/59ce1c67b16967c652765e62aa130b7e43f21dd4 
(nasm-2.13.02rc3)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392431
 CVE-2017-17809 (In Golden Frog VyprVPN before 2.15.0.5828 for macOS, the 
vyprvpnservice ...)
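Review bot: The upstream fix commit is recorded only for CVE-2017-17814, CVE-2017-17812 and CVE-2017-17810 (the repo.or.cz nasm-2.13.02rc3 NOTE lines), while CVE-2017-17816, CVE-2017-17815, CVE-2017-17813 and CVE-2017-17811 receive the same fixed version 2.13.02-0.1 and the same [wheezy] "Minor issue" marking with only a bugzilla NOTE. Adding the upstream commit for those entries too, in the same NOTE form, would let the wheezy triage be re-checked against a backport later.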

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-28 10:19:28 UTC (rev 58993)
+++ data/dla-needed.txt 2017-12-28 10:20:11 UTC (rev 58994)
@@ -53,8 +53,6 @@
 mupdf
   NOTE: 20171224: Upstream patch does not apply to LTS cleanly. Might need 
hanges to apps/pdfclean.c rather than pdf-write.c (lamby)
 --
-nasm
---
 rtpproxy
   NOTE: it's not clear to me if a fix is even possible. (Raphaël Hertzog)
 --


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] r58993 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 10:19:28 + (Thu, 28 Dec 2017)
New Revision: 58993

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-17942/tiff, #885579

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 09:56:56 UTC (rev 58992)
+++ data/CVE/list   2017-12-28 10:19:28 UTC (rev 58993)
@@ -7,7 +7,7 @@
 CVE-2017-17943
RESERVED
 CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in 
the ...)
-   - tiff 
+   - tiff  (bug #885579)
- tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2767
 CVE-2017-17941 (PHP Scripts Mall Single Theater Booking has SQL Injection via 
the ...)




[Secure-testing-commits] r58992 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 09:56:56 + (Thu, 28 Dec 2017)
New Revision: 58992

Modified:
   data/CVE/list
Log:
Mark nvidia-graphics-drivers issues as unfixed

Reading the advisory, it is likely that the issues affect older branches as
well, but they just were not addressed in older versions:

> Note:
>
>  - If you are using earlier driver branches of the affected products,
>    upgrade to a supported driver branch that contains the fix as listed
>    in tables for Windows and Linux.
>  - If you are using GFE, install the latest drivers. GFE security
>    bulletins are available on the NVIDIA Product Security page.
>  - CVE-2017-6277 and CVE-2017-6272 were addressed in branch R375.
>    However, these CVEs were not disclosed in the previous
>    security bulletin.

Cf: https://nvidia.custhelp.com/app/answers/detail/a_id/4544

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 09:37:55 UTC (rev 58991)
+++ data/CVE/list   2017-12-28 09:56:56 UTC (rev 58992)
@@ -42545,8 +42545,11 @@
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)
-   - nvidia-graphics-drivers-legacy-340xx 
-   - nvidia-graphics-drivers-legacy-304xx 
+   - nvidia-graphics-drivers-legacy-340xx 
+   [stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-304xx 
+   [stretch] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
+   [jessie] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544
 CVE-2017-6271 (NVIDIA Windows GPU Display Driver contains a vulnerability in 
the ...)
NOT-FOR-US: NVIDIA Windows GPU Display Driver
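Review bot: The new suite markings are asymmetric and the reason is not recorded: nvidia-graphics-drivers-legacy-340xx gets only a [stretch] line, nvidia-graphics-drivers-legacy-304xx gets [stretch] and [jessie], and neither legacy package gets a [wheezy] line, whereas nvidia-graphics-drivers above carries all three. If the legacy packages simply do not exist in the omitted suites that is fine, but a short NOTE saying so would stop the next triager from re-opening the question; the same applies to the two identical hunks that follow.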
@@ -42562,8 +42565,11 @@
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)
-   - nvidia-graphics-drivers-legacy-340xx 
-   - nvidia-graphics-drivers-legacy-304xx 
+   - nvidia-graphics-drivers-legacy-340xx 
+   [stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-304xx 
+   [stretch] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
+   [jessie] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544
 CVE-2017-6266 (NVIDIA GPU Display Driver contains a vulnerability in the 
kernel mode ...)
[experimental] - nvidia-graphics-drivers 384.90-1
@@ -42571,8 +42577,11 @@
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)
-   - nvidia-graphics-drivers-legacy-340xx 
-   - nvidia-graphics-drivers-legacy-304xx 
+   - nvidia-graphics-drivers-legacy-340xx 
+   [stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-304xx 
+   [stretch] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
+   [jessie] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544
 CVE-2017-6265
RESERVED




[Secure-testing-commits] r58990 - in data: . DSA

2017-12-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-28 09:37:28 + (Thu, 28 Dec 2017)
New Revision: 58990

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
imagemagick DSA


Modified: data/DSA/list
===
--- data/DSA/list   2017-12-28 09:18:33 UTC (rev 58989)
+++ data/DSA/list   2017-12-28 09:37:28 UTC (rev 58990)
@@ -1,3 +1,6 @@
+[28 Dec 2017] DSA-4074-1 imagemagick - security update
+   {CVE-2017-12877 CVE-2017-16546 CVE-2017-17499 CVE-2017-17504 
CVE-2017-17879}
+   [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u4
 [23 Dec 2017] DSA-4073-1 linux - security update
{CVE-2017-8824 CVE-2017-16538 CVE-2017-16644 CVE-2017-16995 
CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-17558 CVE-2017-17712 
CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807 CVE-2017-17862 
CVE-2017-17863 CVE-2017-17864 CVE-2017-1000407 CVE-2017-1000410}
[stretch] - linux 4.9.65-3+deb9u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-12-28 09:18:33 UTC (rev 58989)
+++ data/dsa-needed.txt 2017-12-28 09:37:28 UTC (rev 58990)
@@ -22,7 +22,7 @@
 --
 graphicsmagick
 --
-imagemagick (jmm)
+imagemagick/oldstable (jmm)
 --
 libav/oldstable
   We can ship the next libav 11.x point release when available
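Review bot: The rename to imagemagick/oldstable records that the stretch update went out as DSA-4074-1 and only the jessie part is still pending, but unlike the libav/oldstable entry two lines below it carries no status note. A one-line note on what is holding the oldstable update would help whoever picks this up next.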




[Secure-testing-commits] r58991 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 09:37:55 + (Thu, 28 Dec 2017)
New Revision: 58991

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-7536

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 09:37:28 UTC (rev 58990)
+++ data/CVE/list   2017-12-28 09:37:55 UTC (rev 58991)
@@ -38358,7 +38358,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817
 CVE-2017-7536 [Privilege escalation when running under the security manager]
RESERVED
-   - libhibernate-validator-java 
+   - libhibernate-validator-java  (bug #885577)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465573
 CVE-2017-7535
RESERVED




[Secure-testing-commits] r58989 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 09:18:33 + (Thu, 28 Dec 2017)
New Revision: 58989

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 09:13:35 UTC (rev 58988)
+++ data/CVE/list   2017-12-28 09:18:33 UTC (rev 58989)
@@ -11,17 +11,17 @@
- tiff3 
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2767
 CVE-2017-17941 (PHP Scripts Mall Single Theater Booking has SQL Injection via 
the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall Single Theater Booking
 CVE-2017-17940 (PHP Scripts Mall Single Theater Booking has XSS via the title 
parameter ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall Single Theater Booking
 CVE-2017-17939 (PHP Scripts Mall Single Theater Booking has CSRF via ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall Single Theater Booking
 CVE-2017-17938 (PHP Scripts Mall Single Theater Booking has XSS via the ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall Single Theater Booking
 CVE-2017-17937 (Vanguard Marketplace Digital Products PHP has XSS via the 
phps_query ...)
-   TODO: check
+   NOT-FOR-US: Vanguard Marketplace Digital Products PHP
 CVE-2017-17936 (Vanguard Marketplace Digital Products PHP has CSRF via 
/search. ...)
-   TODO: check
+   NOT-FOR-US: Vanguard Marketplace Digital Products PHP
 CVE-2018-3609
RESERVED
 CVE-2018-3608




[Secure-testing-commits] r58988 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 09:13:35 + (Thu, 28 Dec 2017)
New Revision: 58988

Modified:
   data/CVE/list
Log:
Add CVE-2017-17942/tiff

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 09:10:14 UTC (rev 58987)
+++ data/CVE/list   2017-12-28 09:13:35 UTC (rev 58988)
@@ -7,7 +7,9 @@
 CVE-2017-17943
RESERVED
 CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in 
the ...)
-   TODO: check
+   - tiff 
+   - tiff3 
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2767
 CVE-2017-17941 (PHP Scripts Mall Single Theater Booking has SQL Injection via 
the ...)
TODO: check
 CVE-2017-17940 (PHP Scripts Mall Single Theater Booking has XSS via the title 
parameter ...)




[Secure-testing-commits] r58987 - data/CVE

2017-12-28 Thread security tracker role
Author: sectracker
Date: 2017-12-28 09:10:14 + (Thu, 28 Dec 2017)
New Revision: 58987

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 09:06:37 UTC (rev 58986)
+++ data/CVE/list   2017-12-28 09:10:14 UTC (rev 58987)
@@ -1,3 +1,25 @@
+CVE-2017-17946
+   RESERVED
+CVE-2017-17945
+   RESERVED
+CVE-2017-17944
+   RESERVED
+CVE-2017-17943
+   RESERVED
+CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in 
the ...)
+   TODO: check
+CVE-2017-17941 (PHP Scripts Mall Single Theater Booking has SQL Injection via 
the ...)
+   TODO: check
+CVE-2017-17940 (PHP Scripts Mall Single Theater Booking has XSS via the title 
parameter ...)
+   TODO: check
+CVE-2017-17939 (PHP Scripts Mall Single Theater Booking has CSRF via ...)
+   TODO: check
+CVE-2017-17938 (PHP Scripts Mall Single Theater Booking has XSS via the ...)
+   TODO: check
+CVE-2017-17937 (Vanguard Marketplace Digital Products PHP has XSS via the 
phps_query ...)
+   TODO: check
+CVE-2017-17936 (Vanguard Marketplace Digital Products PHP has CSRF via 
/search. ...)
+   TODO: check
 CVE-2018-3609
RESERVED
 CVE-2018-3608
@@ -32,8 +54,8 @@
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/08278c7cf1c0b4f1da4cdcfaa857ff6b2373a1b2
 CVE-2017-17933
RESERVED
-CVE-2017-17932
-   RESERVED
+CVE-2017-17932 (A buffer overflow vulnerability exists in MediaServer.exe in 
ALLPlayer ...)
+   TODO: check
 CVE-2017-17931 (PHP Scripts Mall Resume Clone Script has SQL Injection via the 
...)
NOT-FOR-US: PHP Scripts Mall Resume Clone Script
 CVE-2017-17930 (PHP Scripts Mall Professional Service Script has CSRF via ...)




[Secure-testing-commits] r58986 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 09:06:37 + (Thu, 28 Dec 2017)
New Revision: 58986

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2017-7559, #885576

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 08:59:39 UTC (rev 58985)
+++ data/CVE/list   2017-12-28 09:06:37 UTC (rev 58986)
@@ -38230,8 +38230,8 @@
NOTE: Introduced by: 
https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e
 CVE-2017-7559 [HTTP Request smuggling vulnerability (incomplete fix of 
CVE-2017-2666)]
RESERVED
-   - undertow 
-   NOTE: For an incomplete fix of CVE-2017-2666
+   - undertow  (bug #885576)
+   NOTE: CVE is for an incomplete fix of CVE-2017-2666
NOTE: Invalid characters were still allowed in the query string and 
path parameters.
TODO: check, asked for clarification to Red Hat: 
https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7
 CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() 
and sctp_get_sctp_info()]




[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 7 commits: two wireshark/imagemagick issues ignored

2017-12-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d215439e by Moritz Muehlenhoff at 2017-12-28T08:25:42+00:00
two wireshark/imagemagick issues ignored


git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58979 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -
e45304a5 by László Böszörményi at 2017-12-28T08:36:41+00:00
Additional patch for CVE-2017-17913/graphicsmagick


git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58980 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -
8021b8c5 by Salvatore Bonaccorso at 2017-12-28T08:39:25+00:00
Fix typo in note

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58981 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -
5cdf4631 by László Böszörményi at 2017-12-28T08:40:54+00:00
Add CVE-2017-1791[35]/graphicsmagick fixed version in unstable


git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58982 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -
41e5a351 by Salvatore Bonaccorso at 2017-12-28T08:52:27+00:00
Add TODO for CVE-2017-7559

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58983 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -
79dbe713 by Salvatore Bonaccorso at 2017-12-28T08:59:27+00:00
Add Red Hat reference for CVE-2017-7536

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58984 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -
f3a488bb by Salvatore Bonaccorso at 2017-12-28T08:59:39+00:00
Add description for CVE-2017-7536

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58985 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -20,6 +20,8 @@ CVE-2018-3600
RESERVED
 CVE-2017-17935 (The File_read_line function in epan/wslua/wslua_file.c in 
Wireshark ...)
- wireshark 
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14295
NOTE: https://code.wireshark.org/review/#/c/24997/
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=137ab7d5681486c6d6cc8faac4300b7cd4ec0cf1
@@ -65,16 +67,19 @@ CVE-2017-17917
 CVE-2017-17916
RESERVED
 CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a 
heap-based ...)
-   - graphicsmagick 
+   - graphicsmagick 1.3.27-3
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/
 CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the 
function ...)
- imagemagick 
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/908
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/650ec57d84b7b1dce66435b8cd3b58f7ae66db1b
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046
 CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a 
stack-based ...)
-   - graphicsmagick 
+   - graphicsmagick 1.3.27-3
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/88313ebe379c
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/
TODO: check, potentially just unimportant like similar issue in 
imagemagick
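Review bot: CVE-2017-17913 and CVE-2017-17915 now get graphicsmagick 1.3.27-3 as fixed version but, unlike CVE-2017-17914 which gains [stretch] and [jessie] "Minor issue" markings in the same region, they still carry no stretch/jessie annotation, and CVE-2017-17913 keeps its "TODO: check, potentially just unimportant" line. Either the TODO should be resolved with no-dsa markings for the stable suites, as was done for imagemagick, or the missing suite lines should be noted as intentionally pending.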
@@ -38227,7 +38232,8 @@ CVE-2017-7559 [HTTP Request smuggling vulnerability 
(incomplete fix of CVE-2017-
RESERVED
- undertow 
NOTE: For an incomplete fix of CVE-2017-2666
-   NOTE: Invalid characters were still allwed in the query string and path 
parameters.
+   NOTE: Invalid characters were still allowed in the query string and 
path parameters.
+   TODO: check, asked for clarification to Red Hat: 
https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7
 CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() 
and sctp_get_sctp_info()]
RESERVED
- linux 4.12.13-1
@@ -38326,9 +38332,10 @@ CVE-2017-7537
- dogtag-pki 10.3.5+12-5 (bug #869261)
NOTE: https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817
-CVE-2017-7536
+CVE-2017-7536 [Privilege escalation when running under the security manager]
RESERVED
- libhibernate-validator-java 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465573
 CVE-2017-7535
RESERVED
- foreman  (bug #663101)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/107c22e993fd2d68c6991c74aeed8ab4570f4702...f3a488bb54a17d84bff0ca02edf3c002e5166d1e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Update information for CVE-2017-17850/asterisk

2017-12-28 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
84ff91a0 by Salvatore Bonaccorso at 2017-12-27T22:20:49+00:00
Update information for CVE-2017-17850/asterisk

Maintainer confirmed question about introducing versions. Confirmed to
be post 13.15.0 and post 13.18.0 partially, resulting in
1:13.17.0~dfsg-1 being the first version in Debian including the
vulnerability.

Thanks: Bernhard Schmidt and Tzafrir

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58977 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -
107c22e9 by Salvatore Bonaccorso at 2017-12-27T23:13:38+00:00
CVE-2017-17850/asterisk fixed in unstable

git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@58978 
e39458fd-73e7-0310-bf30-c45bca0a0e42

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -248,7 +248,10 @@ CVE-2017-17858
 CVE-2017-17851
RESERVED
 CVE-2017-17850 (An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 
and ...)
-   - asterisk  (bug #885072)
+   - asterisk 1:13.18.5~dfsg-1 (bug #885072)
+   [stretch] - asterisk  (Vulnerable code introduced after 
13.15.0)
+   [jessie] - asterisk  (Vulnerable code introduced after 
13.15.0)
+   [wheezy] - asterisk  (Vulnerable code introduced after 
13.15.0)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-014.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27480
 CVE-2017-17849 (A buffer overflow vulnerability in GetGo Download Manager 
5.3.0.2712 ...)
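Review bot: The three "Vulnerable code introduced after 13.15.0" markings rest on the maintainer's confirmation described in the commit message (post 13.15.0, partially post 13.18.0), but the NOTE lines only reference AST-2017-014 and ASTERISK-27480. Recording the introducing upstream change, or at least a NOTE stating that 1:13.17.0~dfsg-1 is the first affected Debian version, would make the marking verifiable from the entry itself.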



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/b55af15f3ef78d574aa2f8f3f4477f92fc986414...107c22e993fd2d68c6991c74aeed8ab4570f4702


[Secure-testing-commits] r58985 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 08:59:39 + (Thu, 28 Dec 2017)
New Revision: 58985

Modified:
   data/CVE/list
Log:
Add description for CVE-2017-7536

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 08:59:27 UTC (rev 58984)
+++ data/CVE/list   2017-12-28 08:59:39 UTC (rev 58985)
@@ -38332,7 +38332,7 @@
- dogtag-pki 10.3.5+12-5 (bug #869261)
NOTE: https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817
-CVE-2017-7536
+CVE-2017-7536 [Privilege escalation when running under the security manager]
RESERVED
- libhibernate-validator-java 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465573




[Secure-testing-commits] r58984 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 08:59:27 + (Thu, 28 Dec 2017)
New Revision: 58984

Modified:
   data/CVE/list
Log:
Add Red Hat reference for CVE-2017-7536

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 08:52:27 UTC (rev 58983)
+++ data/CVE/list   2017-12-28 08:59:27 UTC (rev 58984)
@@ -38335,6 +38335,7 @@
 CVE-2017-7536
RESERVED
- libhibernate-validator-java 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465573
 CVE-2017-7535
RESERVED
- foreman  (bug #663101)




[Secure-testing-commits] r58983 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 08:52:27 + (Thu, 28 Dec 2017)
New Revision: 58983

Modified:
   data/CVE/list
Log:
Add TODO for CVE-2017-7559

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 08:40:54 UTC (rev 58982)
+++ data/CVE/list   2017-12-28 08:52:27 UTC (rev 58983)
@@ -38233,6 +38233,7 @@
- undertow 
NOTE: For an incomplete fix of CVE-2017-2666
NOTE: Invalid characters were still allowed in the query string and 
path parameters.
+   TODO: check, asked for clarification to Red Hat: 
https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7
 CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() 
and sctp_get_sctp_info()]
RESERVED
- linux 4.12.13-1




[Secure-testing-commits] r58982 - data/CVE

2017-12-28 Thread László Böszörményi
Author: gcs
Date: 2017-12-28 08:40:54 + (Thu, 28 Dec 2017)
New Revision: 58982

Modified:
   data/CVE/list
Log:
Add CVE-2017-1791[35]/graphicsmagick fixed version in unstable


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 08:39:25 UTC (rev 58981)
+++ data/CVE/list   2017-12-28 08:40:54 UTC (rev 58982)
@@ -67,7 +67,7 @@
 CVE-2017-17916
RESERVED
 CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a 
heap-based ...)
-   - graphicsmagick 
+   - graphicsmagick 1.3.27-3
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/
 CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the 
function ...)
@@ -78,7 +78,7 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/650ec57d84b7b1dce66435b8cd3b58f7ae66db1b
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046
 CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a 
stack-based ...)
-   - graphicsmagick 
+   - graphicsmagick 1.3.27-3
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/88313ebe379c
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/




[Secure-testing-commits] r58981 - data/CVE

2017-12-28 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-12-28 08:39:25 + (Thu, 28 Dec 2017)
New Revision: 58981

Modified:
   data/CVE/list
Log:
Fix typo in note

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 08:36:41 UTC (rev 58980)
+++ data/CVE/list   2017-12-28 08:39:25 UTC (rev 58981)
@@ -38232,7 +38232,7 @@
RESERVED
- undertow 
NOTE: For an incomplete fix of CVE-2017-2666
-   NOTE: Invalid characters were still allwed in the query string and path 
parameters.
+   NOTE: Invalid characters were still allowed in the query string and 
path parameters.
 CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() 
and sctp_get_sctp_info()]
RESERVED
- linux 4.12.13-1




[Secure-testing-commits] r58980 - data/CVE

2017-12-28 Thread László Böszörményi
Author: gcs
Date: 2017-12-28 08:36:41 + (Thu, 28 Dec 2017)
New Revision: 58980

Modified:
   data/CVE/list
Log:
Additional patch for CVE-2017-17913/graphicsmagick


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-28 08:25:42 UTC (rev 58979)
+++ data/CVE/list   2017-12-28 08:36:41 UTC (rev 58980)
@@ -79,6 +79,7 @@
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046
 CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a 
stack-based ...)
- graphicsmagick 
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/88313ebe379c
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/
TODO: check, potentially just unimportant like similar issue in 
imagemagick




[Secure-testing-commits] r58979 - data/CVE

2017-12-28 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-12-28 08:25:42 + (Thu, 28 Dec 2017)
New Revision: 58979

Modified:
   data/CVE/list
Log:
two wireshark/imagemagick issues ignored


Modified: data/CVE/list
===
--- data/CVE/list   2017-12-27 23:13:38 UTC (rev 58978)
+++ data/CVE/list   2017-12-28 08:25:42 UTC (rev 58979)
@@ -20,6 +20,8 @@
RESERVED
 CVE-2017-17935 (The File_read_line function in epan/wslua/wslua_file.c in 
Wireshark ...)
- wireshark 
+   [stretch] - wireshark  (Minor issue)
+   [jessie] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14295
NOTE: https://code.wireshark.org/review/#/c/24997/
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=137ab7d5681486c6d6cc8faac4300b7cd4ec0cf1
@@ -70,6 +72,8 @@
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/
 CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the 
function ...)
- imagemagick 
+   [stretch] - imagemagick  (Minor issue)
+   [jessie] - imagemagick  (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/908
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/650ec57d84b7b1dce66435b8cd3b58f7ae66db1b
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046

