[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim awstats
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 75b6a50e by Brian May at 2018-01-08T17:55:27+11:00 Claim awstats - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,7 +10,7 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -awstats +awstats (Brian May) -- ca-certificates NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/75b6a50e7b0543c1ae642ed8c0aebd47b0c9e858 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/75b6a50e7b0543c1ae642ed8c0aebd47b0c9e858 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add qtpass as proposed via stretch-pu for CVE-2017-18021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0de739f by Salvatore Bonaccorso at 2018-01-08T07:11:19+01:00 Add qtpass as proposed via stretch-pu for CVE-2017-18021 - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = --- a/data/next-point-update.txt +++ b/data/next-point-update.txt @@ -55,3 +55,5 @@ CVE-2017-17531 [stretch] - global 6.5.6-2+deb9u1 CVE-2017-1000426 [stretch] - mapproxy 1.9.0-3+deb9u1 +CVE-2017-18021 + [stretch] - qtpass 1.1.6-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d0de739f96eea9583c02969c8a2083bcbbf054b4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d0de739f96eea9583c02969c8a2083bcbbf054b4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
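Review bot: the new data/next-point-update.txt entry records the target version 1.1.6-1+deb9u1 but not the stretch-pu bug that proposes it; neither the hunk nor the commit message carries the bug number, so when the point release is processed there is nothing in the tracker to check the accepted upload against. Put the stretch-pu bug reference in the commit message or in a NOTE on the CVE-2017-18021 entry in data/CVE/list, and keep in mind that the stretch line for qtpass in CVE/list has to be replaced by the fixed version once the point release ships.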
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] LTS: remove imagemagick from dla-needed.txt, it has no issues outstanding
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f91d5b76 by Roberto C. Sánchez at 2018-01-07T23:29:24-05:00 LTS: remove imagemagick from dla-needed.txt, it has no issues outstanding - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -29,8 +29,6 @@ gifsicle (Chris Lamb) icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- -imagemagick (Roberto C. Sánchez) --- lame (Hugo Lefeuvre) NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46} NOTE: 20171120: Backporting 3.100 is not conceivable, diff >40k lines. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f91d5b7681e36fa77d218008db6d80ca20e60721 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f91d5b7681e36fa77d218008db6d80ca20e60721 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] LTS: annotate CVE-2018-5248/imagemagick as not affecting wheezy
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: f9ccd47e by Roberto C. Sánchez at 2018-01-07T23:27:19-05:00 LTS: annotate CVE-2018-5248/imagemagick as not affecting wheezy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17,6 +17,7 @@ CVE-2018-5249 (Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 - shaarli (bug #864559) CVE-2018-5248 (In ImageMagick 7.0.7-17 Q16, there is a heap-based buffer over-read in ...) - imagemagick (bug #886588) + [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/927 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c76434c16b5ac8861ee0c5d5c3ab8974fae3d624 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0272305f91763b5ce119a2c7a0e0084d8241a58d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9ccd47e586260863b1945290620ff208144d677 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9ccd47e586260863b1945290620ff208144d677 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
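Review bot: the reason text `(Vulnerable code not present)` is capitalised, while the same annotation elsewhere in data/CVE/list is written `(vulnerable code not present)` (the poppler wheezy lines, and the graphicsmagick CVE-2017-17783 line added the same evening); keep it lowercase for consistency. The entry also does not say which code is missing from wheezy's ImageMagick; a NOTE naming the function or file, as 761f24d8 does with GetPalmPaletteGivenBits for graphicsmagick, makes the not-affected call verifiable later without re-reading the upstream commits.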
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Claim plexus-utils and plexus-utils2 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cfd6b349 by Markus Koschany at 2018-01-08T00:28:26+01:00 Claim plexus-utils and plexus-utils2 in dla-needed.txt - - - - - ac9659d9 by Markus Koschany at 2018-01-08T00:29:23+01:00 Merge branch master of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -59,9 +59,9 @@ mupdf -- opencv (Thorsten Alteholz) -- -plexus-utils +plexus-utils (Markus Koschany) -- -plexus-utils2 +plexus-utils2 (Markus Koschany) -- poco -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/88d23e9291e77628c794d6a9095a6968005caccd...ac9659d9ca2721eab81865a9cefc620ec50136ea --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/88d23e9291e77628c794d6a9095a6968005caccd...ac9659d9ca2721eab81865a9cefc620ec50136ea You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1232-1 for linux
Ben Hutchings pushed to branch master at Debian Security Tracker / security-tracker Commits: 88d23e92 by Ben Hutchings at 2018-01-07T22:33:12+00:00 Reserve DLA-1232-1 for linux - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[07 Jan 2018] DLA-1232-1 linux - security update + {CVE-2017-5754 CVE-2017-17558 CVE-2017-17741 CVE-2017-17805 CVE-2017-17806 CVE-2017-17807} + [wheezy] - linux 3.2.96-3 [07 Jan 2018] DLA-1231-1 graphicsmagick - security update {CVE-2017-17498 CVE-2017-17500 CVE-2017-17501 CVE-2017-17502 CVE-2017-17503 CVE-2017-17782 CVE-2017-17912 CVE-2017-17915} [wheezy] - graphicsmagick 1.3.16-1.1+deb7u16 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -50,8 +50,6 @@ libvorbis (Guido Günther) NOTE: Underlying reason for CVE-2017-14160 yet unclear, no ustream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. -- -linux --- ming (Hugo Lefeuvre) NOTE: 20171120: wip, currently working on it with upstream, might take a while NOTE: Some issues currently in upstream's bug tracker are missing a CVE number, so number of issues might increase in the next weeks View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88d23e9291e77628c794d6a9095a6968005caccd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88d23e9291e77628c794d6a9095a6968005caccd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
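Review bot: the DLA-1232-1 entry goes into data/DLA/list, but none of the six CVE-2017-* entries it covers gets a {DLA-1232-1} cross-reference in data/CVE/list in this commit, so until that happens the tracker still shows them as open for wheezy. For DSA-4079-1 (104fc240) the automatic update bb6848e0 added the {DSA-4079-1} references about twenty minutes later; if the same job handles DLAs this is fine, otherwise add them by hand. The dla-needed.txt hunk is correct: it removes both the `linux` line and one `--` separator, leaving a single separator between libvorbis and ming.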
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2017-17783, graphicsmagick: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 761f24d8 by Markus Koschany at 2018-01-07T23:21:32+01:00 CVE-2017-17783,graphicsmagick: Wheezy is not affected Issue is not reproducible with ASAN. The function GetPalmPaletteGivenBits is not present in Wheezy. - - - - - b8efa3dd by Markus Koschany at 2018-01-07T23:26:06+01:00 CVE-2017-17913,graphicsmagick: Wheezy is not affected webp feature has not been implemented - - - - - 0147cfaf by Markus Koschany at 2018-01-07T23:28:04+01:00 Reserve DLA-1231-1 for graphicsmagick - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3834,6 +3834,7 @@ CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the fu NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046 CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based ...) - graphicsmagick 1.3.27-3 + [wheezy] - graphicsmagick (webp feature has not been implemented) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/88313ebe379c NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/ @@ -4343,6 +4344,7 @@ CVE-2017-17783 (In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPA - graphicsmagick 1.3.27-2 (bug #884904) [stretch] - graphicsmagick (Minor issue, built with QuantumDepth=16) [jessie] - graphicsmagick (Minor issue) + [wheezy] - graphicsmagick (vulnerable code not present, unreproducible with ASAN) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=60932931559a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/529/ CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in ...) = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list 
@@ -1,3 +1,6 @@ +[07 Jan 2018] DLA-1231-1 graphicsmagick - security update + {CVE-2017-17498 CVE-2017-17500 CVE-2017-17501 CVE-2017-17502 CVE-2017-17503 CVE-2017-17782 CVE-2017-17912 CVE-2017-17915} + [wheezy] - graphicsmagick 1.3.16-1.1+deb7u16 [04 Jan 2018] DLA-1230-1 xen - security update {CVE-2017-17044 CVE-2017-17045 CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566} [wheezy] - xen 4.1.6.lts1-11 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -26,8 +26,6 @@ gdk-pixbuf (Chris Lamb) -- gifsicle (Chris Lamb) -- -graphicsmagick (Markus Koschany) --- icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/06f7a42fbb1c6e45cdb3f51ded17fef18d607542...0147cfaf1be3ae3ae4424677aca14da37f559331 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/06f7a42fbb1c6e45cdb3f51ded17fef18d607542...0147cfaf1be3ae3ae4424677aca14da37f559331 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
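Review bot: the CVE-2017-17783 wheezy line says `(vulnerable code not present, unreproducible with ASAN)`, but the actual basis is the one in the commit message, that GetPalmPaletteGivenBits does not exist in wheezy's graphicsmagick; put that function name into a NOTE on the entry, because a non-reproducing ASAN build on its own is weaker evidence than the absent code path and would not justify not-affected by itself. For CVE-2017-17913, `(webp feature has not been implemented)` is clear, but a NOTE stating that the webp coder is absent from 1.3.16 ties it to the wheezy version. The DLA-1231-1 CVE set omits exactly those two ids, which matches the two not-affected annotations in the same push; the eight CVEs it does list still need their {DLA-1231-1} cross-references in data/CVE/list.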
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add mapproxy as proposed via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 06f7a42f by Salvatore Bonaccorso at 2018-01-07T22:27:38+01:00 Add mapproxy as proposed via stretch-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = --- a/data/next-point-update.txt +++ b/data/next-point-update.txt @@ -53,3 +53,5 @@ CVE-2017-15922 [stretch] - libextractor 1:1.3-4+deb9u1 CVE-2017-17531 [stretch] - global 6.5.6-2+deb9u1 +CVE-2017-1000426 + [stretch] - mapproxy 1.9.0-3+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06f7a42fbb1c6e45cdb3f51ded17fef18d607542 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06f7a42fbb1c6e45cdb3f51ded17fef18d607542 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
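Review bot: the stretch version added here (1.9.0-3+deb9u1) sits next to the `[stretch] - mapproxy (Minor issue)` line that 3e14808d put into data/CVE/list eighteen minutes earlier; both are needed for now, but once the point release accepts the upload the CVE/list line has to be replaced by the fixed version, otherwise the tracker keeps reporting CVE-2017-1000426 as unfixed in stretch even though next-point-update.txt lists it. As with the other entries in this file, the stretch-pu bug number is not recorded anywhere; put it in the commit message or a NOTE.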
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-5248
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3450fea9 by Salvatore Bonaccorso at 2018-01-07T22:16:48+01:00 Add bug reference for CVE-2018-5248 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16,7 +16,7 @@ CVE-2018-5250 CVE-2018-5249 (Cross-site scripting (XSS) vulnerability in Shaarli before 0.8.5 and ...) - shaarli (bug #864559) CVE-2018-5248 (In ImageMagick 7.0.7-17 Q16, there is a heap-based buffer over-read in ...) - - imagemagick + - imagemagick (bug #886588) NOTE: https://github.com/ImageMagick/ImageMagick/issues/927 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c76434c16b5ac8861ee0c5d5c3ab8974fae3d624 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0272305f91763b5ce119a2c7a0e0084d8241a58d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3450fea9073a2239337a9f1cb08680cf0fe94705 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3450fea9073a2239337a9f1cb08680cf0fe94705 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2014-10069 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c982d49 by Salvatore Bonaccorso at 2018-01-07T22:15:54+01:00 Mark CVE-2014-10069 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,5 +1,5 @@ CVE-2014-10069 (Hitron CVE-30360 devices use a 578A958E3DD933FC DES key that is shared ...) - TODO: check + NOT-FOR-US: Hitron CVE-30360 devices CVE-2018-5255 RESERVED CVE-2018-5254 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c982d49b181c9b3a850b6d4338a95b502b8fa63 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c982d49b181c9b3a850b6d4338a95b502b8fa63 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: mapproxy no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e14808d by Moritz Muehlenhoff at 2018-01-07T22:09:47+01:00 mapproxy no-dsa - - - - - bd6418fe by Moritz Muehlenhoff at 2018-01-07T22:10:43+01:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3032,7 +3032,8 @@ CVE-2017-1000427 (marked version 0.3.6 and earlier is vulnerable to an XSS attac NOTE: https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51 NOTE: nodejs not covered by security support CVE-2017-1000426 (MapProxy version 1.10.3 and older is vulnerable to a Cross Site ...) - - mapproxy 1.10.4-1 + - mapproxy 1.10.4-1 (low) + [stretch] - mapproxy (Minor issue) NOTE: https://github.com/mapproxy/mapproxy/issues/322 NOTE: https://github.com/mapproxy/mapproxy/commit/2e102843203c11b02c002daa08ca59d05d5eff5a (master) NOTE: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28 (1.10.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bb6848e0a78c01f263ffc223826f3928bf28e740...bd6418fe9c9b82b5ee4001a47b80619165514252 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bb6848e0a78c01f263ffc223826f3928bf28e740...bd6418fe9c9b82b5ee4001a47b80619165514252 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
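Review bot: `[stretch] - mapproxy (Minor issue)` marks stretch as not getting a DSA, but the entry gives no reason beyond the generic text, while the NOTE lines show upstream already has a fix on the 1.10.x branch (87faa667). Since a stretch point-update upload was proposed right afterwards (06f7a42f, 1.9.0-3+deb9u1), add a NOTE on this entry pointing at the pending point update so a reader does not conclude the XSS is being left unfixed in stretch. The `(low)` severity on the unstable line and the no-DSA line are consistent with each other.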
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb6848e0 by security tracker role at 2018-01-07T21:10:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,5 @@ +CVE-2014-10069 (Hitron CVE-30360 devices use a 578A958E3DD933FC DES key that is shared ...) + TODO: check CVE-2018-5255 RESERVED CVE-2018-5254 @@ -17770,7 +17772,7 @@ CVE-2017-15566 (Insecure SPANK environment variable handling exists in SchedMD S NOTE: https://bugs.schedmd.com/show_bug.cgi?id=4228 (not public) NOTE: Fixed by: https://github.com/SchedMD/slurm/commit/b30e9e9ee2ade6951bfaf28e15ef77325a206971 CVE-2017-15565 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) - {DLA-1177-1} + {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (bug #879066) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103016 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19ebd40547186a8ea6da08c8d8e2a6d6b7e84f5d 
@@ -19754,17 +19756,17 @@ CVE-2017-14979 (Gxlcms uses an unsafe character-replacement approach in an attem CVE-2017-14978 RESERVED CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler ...) - {DLA-1177-1} + {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877952) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103045 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19eedc6fb693a62f305e13079501e3105f869f3c CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - {DLA-1177-1} + {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877954) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102724 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - {DLA-1177-1} + {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877957) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff 
@@ -21080,22 +21082,24 @@ CVE-2017-14522 CVE-2017-14521 RESERVED CVE-2017-14520 (In Poppler 0.59.0, a floating point exception occurs in ...) + {DSA-4079-1} - poppler 0.61.1-2 (low; bug #876081) [wheezy] - poppler (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to ...) - {DLA-1116-1} + {DSA-4079-1 DLA-1116-1} - poppler 0.61.1-2 (bug #876086) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the ...) + {DSA-4079-1} - poppler 0.61.1-2 (low; bug #876082) [wheezy] - poppler (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102688 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the ...) - {DLA-1116-1} + {DSA-4079-1 DLA-1116-1} - poppler 0.61.1-2 (low; bug #876079) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f @@ -32994,7 +32998,7 @@ CVE-2017-9867 CVE-2017-9866 RESERVED CVE-2017-9865 (The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54.0 ...) - {DLA-1074-1} + {DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #867477) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100774 NOTE: http://somevulnsofadlab.blogspot.com/2017/06/popplerstack-buffer-overflow-in.html 
@@ -34794,12 +34798,12 @@ CVE-2017-9778 (GNU Debugger (GDB) 8.0 and earlier fails to detect a negative len CVE-2017-9777 RESERVED CVE-2017-9776 (Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in ...) - {DLA-1074-1} + {DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #865679) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101541 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a3a98a6d83dfbf49f565f5aa2d7c07153a7f62fc CVE-2017-9775 (Stack buffer overflow in GfxState.cc in pdftocairo
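Review bot: DSA-4079-1 (104fc240) lists thirteen CVEs, and the hunks visible here add the {DSA-4079-1} cross-reference to ten of them (CVE-2017-9776, 9865, 14517, 14518, 14519, 14520, 14975, 14976, 14977, 15565); the message is cut off in the middle of the CVE-2017-9775 hunk and the hunks for CVE-2017-9406 and CVE-2017-9408 are not shown, so check those three entries in the full commit. For CVE-2017-14518 and CVE-2017-14520 the DSA reference is added without a DLA one, which is right given their `[wheezy] - poppler (vulnerable code not present)` lines; the other entries keep their existing DLA references, with the DSA id placed first, consistently across all hunks.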
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-17914
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e0b15c3 by Salvatore Bonaccorso at 2018-01-07T21:55:21+01:00 Add bug reference for CVE-2017-17914 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3823,7 +3823,7 @@ CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-base NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/ CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ...) {DLA-1227-1} - - imagemagick + - imagemagick (bug #886584) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/908 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e0b15c32c0f7c96fed54a7deb812cacb86ed60c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e0b15c32c0f7c96fed54a7deb812cacb86ed60c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] take PHP
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e0852968 by Moritz Muehlenhoff at 2018-01-07T21:52:44+01:00 take PHP - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -38,9 +38,9 @@ passenger/stable -- php-horde-image -- -php5 +php5 (jmm) -- -php7.0 +php7.0 (jmm) -- phpmyadmin/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e08529681f23f0f9cb35e094cbc4c043ee7a6b63 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e08529681f23f0f9cb35e094cbc4c043ee7a6b63 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: poppler DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 104fc240 by Moritz Muehlenhoff at 2018-01-07T21:47:53+01:00 poppler DSA - - - - - 9d045d7a by Moritz Muehlenhoff at 2018-01-07T21:49:18+01:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[07 Jan 2018] DSA-4079-1 poppler - security update + {CVE-2017-9406 CVE-2017-9408 CVE-2017-9775 CVE-2017-9776 CVE-2017-9865 CVE-2017-14517 CVE-2017-14518 CVE-2017-14519 CVE-2017-14520 CVE-2017-14975 CVE-2017-14976 CVE-2017-14977 CVE-2017-15565} + [jessie] - poppler 0.26.5-2+deb8u2 + [stretch] - poppler 0.48.0-2+deb9u1 [04 Jan 2018] DSA-4078-1 linux - security update {CVE-2017-5754} [stretch] - linux 4.9.65-3+deb9u2 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -46,10 +46,6 @@ phpmyadmin/oldstable -- pjproject -- -poppler (jmm) - 2017-11-23: santiago will prepare a debdiff - 2017-12-02: santiago prepared debdiffs available for review --- qemu/oldstable -- redmine View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c9bcc9d0f843b242d677db70264dd3148eabda36...9d045d7a0187b3af701b45609865f662dd70763f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c9bcc9d0f843b242d677db70264dd3148eabda36...9d045d7a0187b3af701b45609865f662dd70763f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-4868 as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c9bcc9d0 by Salvatore Bonaccorso at 2018-01-07T21:43:34+01:00 Mark CVE-2018-4868 as unimportant Specially crafted images processed can cause ouf of memory and exiv2 crash and having negligible impact. Cf. https://github.com/Exiv2/exiv2/issues/202#issuecomment-355750183 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -813,7 +813,7 @@ CVE-2018-4870 CVE-2018-4869 RESERVED CVE-2018-4868 (The Exiv2::Jp2Image::readMetadata function in jp2image.cpp in Exiv2 ...) - - exiv2 + - exiv2 (unimportant) NOTE: https://github.com/Exiv2/exiv2/issues/202 CVE-2017-1000500 (Keycloak SSO versions prior to 2.x are vulnerable to Host Header ...) NOT-FOR-US: Keycloak View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9bcc9d0f843b242d677db70264dd3148eabda36 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9bcc9d0f843b242d677db70264dd3148eabda36 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
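Review bot: the entry only gains `(unimportant)`; the justification (a crafted image causes out-of-memory and a crash in exiv2, negligible impact) and the upstream comment link https://github.com/Exiv2/exiv2/issues/202#issuecomment-355750183 stay in the commit message, where nobody reading data/CVE/list sees them. Add a NOTE line with that link and the one-sentence reason, as the CVE-2017-11552 entry does in 438ef6fd, so the severity call is auditable from the file itself.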
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update entry for CVE-2017-11552
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 438ef6fd by Salvatore Bonaccorso at 2018-01-07T20:15:05+01:00 Update entry for CVE-2017-11552 Further analysis has shown that the isuse has its roots in mpg321 itself rather than libmad. Mark CVE as unimportant to indicate the nonissue. Additionally MITRE was notified about the possibly wrong underlying problem, so they can decide if the CVE should be assigned to src:mpg321. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -29800,10 +29800,11 @@ CVE-2017-11553 (There is an illegal address access in the extend_alias_table fun NOTE: Not reproducible in wheezy/jessie/stretch. NOTE: Reproducible with 0.26-1 (experimental). CVE-2017-11552 (The mad_decoder_run function in decoder.c in libmad 0.15.1b allows ...) - - libmad (low; bug #870406) - [stretch] - libmad (Minor issue) - [jessie] - libmad (Minor issue) - [wheezy] - libmad (Minor issue) + - libmad (unimportant; bug #870406) + NOTE: Futher analysis has shown that the underlying issue is in src:mpg321 + NOTE: Cf. https://bugs.debian.org/870406#25 for more Details. + NOTE: MITRE associates the CVE with libmad, thus mark as unimportant for + NOTE: libmad to indicate the non-issue. NOTE: http://seclists.org/fulldisclosure/2017/Jul/94 CVE-2017-11551 (The id3_field_parse function in field.c in libid3tag 0.15.1b allows ...) - libid3tag 0.15.1b-5 (bug #870333) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/438ef6fd61eedb116f011f9b8066192bd9466c33 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/438ef6fd61eedb116f011f9b8066192bd9466c33 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
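Review bot: two typos in the added NOTE lines: `Futher` should be `Further`, and `Details` should be lowercase. Otherwise the change is coherent: with the issue downgraded to unimportant the three `[stretch]/[jessie]/[wheezy] - libmad (Minor issue)` lines are redundant and removing them is correct, and the NOTE chain (root cause in src:mpg321, MITRE keeps the CVE on libmad, hence unimportant on libmad) records why. If MITRE does reassign the CVE to mpg321, the `(bug #870406)` reference and these NOTEs have to move with it.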
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-0880/skia, itp'ed: #818180
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f268357 by Salvatore Bonaccorso at 2018-01-07T17:11:54+01:00 Add CVE-2017-0880/skia, itped: #818180 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -61408,7 +61408,7 @@ CVE-2016-9687 CVE-2016-9686 (The Puppet Communications Protocol (PCP) Broker incorrectly validates ...) - puppet (Only affects Puppet Enterprise) CVE-2017-0880 (A denial of service vulnerability in the Android media framework ...) - TODO: check + - skia (bug #818180) CVE-2017-0879 (An information disclosure vulnerability in the Android media framework ...) TODO: check CVE-2017-0878 (A remote code execution vulnerability in the Android media framework ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f268357c7a7a752208cb23a0767661ca0956250 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f268357c7a7a752208cb23a0767661ca0956250 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
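Review bot: `- skia (bug #818180)` records an ITP bug in the same `(bug #N)` form the file uses for bugs filed against packaged sources (compare `- imagemagick (bug #886588)`), and only the commit message says skia is not in the archive. Put the ITP state into the entry itself, in whatever form the tracker uses for not-yet-packaged sources, so a reader of data/CVE/list does not take skia for a source package with an open bug.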
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-10910/node-mqtt, itp'ed, #816028
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c99f514 by Salvatore Bonaccorso at 2018-01-07T17:11:08+01:00 Add CVE-2017-10910/node-mqtt, itped, #816028 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -31861,7 +31861,7 @@ CVE-2017-10925 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 might allow attacker CVE-2017-10924 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 allows attackers to execute ...) NOT-FOR-US: IrfanView CVE-2017-10910 (MQTT.js 2.x.x prior to 2.15.0 issue in handling PUBLISH tickets may ...) - TODO: check + - node-mqtt (bug #816028) CVE-2017-10909 (Untrusted search path vulnerability in Music Center for PC version ...) NOT-FOR-US: Music Center for PC CVE-2017-10908 (H2O version 2.2.3 and earlier allows remote attackers to cause a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c99f514c8e8356e5a4f6be7d15256e2db8d912d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c99f514c8e8356e5a4f6be7d15256e2db8d912d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
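Review bot: same issue as the skia entry in 4f268357: `- node-mqtt (bug #816028)` cites an ITP bug in the form used for bugs against packaged sources, and only the commit message says node-mqtt is not in the archive. Mark the ITP state in the entry, and since MQTT.js is a Node module, a NOTE on whether it falls under the "nodejs not covered by security support" rule (as recorded on the CVE-2017-1000427 marked entry in 3e14808d) would settle how it is tracked once packaged.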
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b055019c by Salvatore Bonaccorso at 2018-01-07T17:09:47+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3055,7 +3055,7 @@ CVE-2017-1000454 (CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Tem CVE-2017-1000453 (CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty ...) NOT-FOR-US: CMS Made Simple CVE-2017-1000452 (An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and ...) - TODO: check + NOT-FOR-US: Samlify CVE-2017-1000451 (fs-git is a file system like api for git repository. The fs-git ...) NOT-FOR-US: fs-git CVE-2017-1000450 (In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and ...) @@ -4070,7 +4070,7 @@ CVE-2017-17839 CVE-2017-17838 RESERVED CVE-2017-17837 (The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the ...) - TODO: check + NOT-FOR-US: Apache DeltaSpike-JSF module CVE-2017-17836 RESERVED CVE-2017-17835 @@ -10044,7 +10044,7 @@ CVE-2018-1192 CVE-2018-1191 RESERVED CVE-2018-1190 (An issue was discovered in these Pivotal Cloud Foundry products: all ...) - TODO: check + NOT-FOR-US: Pivotal CVE-2018-1189 RESERVED CVE-2018-1188 @@ -11155,9 +11155,9 @@ CVE-2017-17100 CVE-2017-17099 (There exists an unauthenticated SEH based Buffer Overflow vulnerability ...) NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2017-17098 (The writeLog function in fn_common.php in gps-server.net GPS Tracking ...) - TODO: check + NOT-FOR-US: gps-server.net GPS Tracking Software CVE-2017-17097 (gps-server.net GPS Tracking Software (self hosted) 2.x has a password ...) - TODO: check + NOT-FOR-US: gps-server.net GPS Tracking Software CVE-2017-17096 (Cross-site scripting (XSS) vulnerability in the Content Cards plugin ...) NOT-FOR-US: Wordpress plugin CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source ...) 
@@ -13321,7 +13321,7 @@ CVE-2018-0116 CVE-2018-0115 RESERVED CVE-2018-0114 (A vulnerability in the Cisco node-jose open source library before ...) - TODO: check + NOT-FOR-US: Cisco node-jose CVE-2018-0113 RESERVED CVE-2018-0112 @@ -20003,11 +20003,11 @@ CVE-2017-14906 CVE-2017-14905 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14904 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Android MediaServer CVE-2017-14903 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14902 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Android CVE-2017-14901 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14900 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) @@ -20017,11 +20017,11 @@ CVE-2017-14899 (In Android for MSM, Firefox OS for MSM, QRD Android, with all An CVE-2017-14898 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14897 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Android CVE-2017-14896 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14895 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Android CVE-2017-14894 RESERVED CVE-2017-14893 @@ -21501,7 +21501,7 @@ CVE-2017-14385 (An issue was discovered in EMC Data Domain DD OS 5.7 family, ver CVE-2017-14384 RESERVED CVE-2017-14383 (In Dell EMC VNX2 versions prior to Operating Environment for File ...) - TODO: check + NOT-FOR-US: EMC VNX CVE-2017-14382 RESERVED CVE-2017-14381 
@@ -24969,7 +24969,7 @@ CVE-2017-13058 (In ImageMagick 7.0.6-6, a memory leak vulnerability was found in CVE-2017-13057 RESERVED CVE-2017-13056 (The launchURL function in PDF-XChange Viewer 2.5 (Build 314.0) might ...) - TODO: check + NOT-FOR-US: PDF-XChange Viewer CVE-2017-13055 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 @@ -31451,7 +31451,7 @@ CVE-2017-11045 (In Android for MSM, Firefox OS for MSM, QRD Android, with all An CVE-2017-11044 (In Android for MSM, Firefox
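Review bot: the NOT-FOR-US labels chosen for the CVE-2017-148xx/149xx Android entries are inconsistent within the same hunks: the unchanged neighbouring lines read `NOT-FOR-US: Qualcomm components for Android`, while the new ones use `NOT-FOR-US: Android MediaServer` (CVE-2017-14904) and plain `NOT-FOR-US: Android` (CVE-2017-14902, CVE-2017-14897, CVE-2017-14895), although all of them share the same "In Android for MSM, Firefox OS for MSM, QRD Android" description. Suggest one label for the whole series so the list stays greppable; if MediaServer really is the affected component for CVE-2017-14904, a NOTE line carries that better than a divergent label.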
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim imagemagick in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e82c4353 by Roberto C. Sánchez at 2018-01-07T08:11:58-05:00 Claim imagemagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -31,7 +31,7 @@ graphicsmagick (Markus Koschany) icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- -imagemagick +imagemagick (Roberto C. Sánchez) -- lame (Hugo Lefeuvre) NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e82c435398837210657157ae6a584bac715496ed
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2017-1000427/node-marked
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3721e9f by Salvatore Bonaccorso at 2018-01-07T13:41:31+01:00 Add fixed version for CVE-2017-1000427/node-marked - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3026,7 +3026,7 @@ CVE-2017-1000433 (pysaml2 version 4.4.0 and older accept any password when run w CVE-2017-1000432 (Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting ...) NOT-FOR-US: Vanilla Forums CVE-2017-1000427 (marked version 0.3.6 and earlier is vulnerable to an XSS attack in the ...) - - node-marked (unimportant; bug #886451) + - node-marked 0.3.9+dfsg-1 (unimportant; bug #886451) NOTE: https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51 NOTE: nodejs not covered by security support CVE-2017-1000426 (MapProxy version 1.10.3 and older is vulnerable to a Cross Site ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d3721e9f7621f0089bb5e58e1ceec8befb5144a2
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixing version for CVE-2017-11551/libid3tag
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 161e427e by Salvatore Bonaccorso at 2018-01-07T13:37:03+01:00 Add fixing version for CVE-2017-11551/libid3tag Cf: https://bugs.debian.org/870333#10 Thanks: Kurt Roeckx - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -29806,11 +29806,9 @@ CVE-2017-11552 (The mad_decoder_run function in decoder.c in libmad 0.15.1b allo [wheezy] - libmad (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Jul/94 CVE-2017-11551 (The id3_field_parse function in field.c in libid3tag 0.15.1b allows ...) - - libid3tag (bug #870333) - [stretch] - libid3tag (Minor issue) - [jessie] - libid3tag (Minor issue) - [wheezy] - libid3tag (Minor issue) + - libid3tag 0.15.1b-5 (bug #870333) NOTE: http://seclists.org/fulldisclosure/2017/Jul/85 + NOTE: Same issue as #304913 CVE-2017-11550 (The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b allows ...) - libid3tag 0.15.1b-9 (bug #405801) NOTE: http://seclists.org/fulldisclosure/2017/Jul/85 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/161e427ee358cfcd6ed5267ce623c2a2d6cc1cdd
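Review bot: the hunk drops the three `[stretch]/[jessie]/[wheezy] - libid3tag (Minor issue)` lines while setting the fixed version to 0.15.1b-5; in the tracker's semantics that is only right if 0.15.1b-5 is older than the libid3tag version in every supported suite, which the commit message (`Cf: https://bugs.debian.org/870333#10`) and the new `NOTE: Same issue as #304913` imply but the entry never states. A short NOTE saying that the fix predates wheezy would keep the reasoning next to the data instead of in a bug log, and would explain at a glance why this entry carries 0.15.1b-5 while the adjacent CVE-2017-11550 carries 0.15.1b-9.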
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark wildmidi as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 405d8f5c by Salvatore Bonaccorso at 2018-01-07T13:33:21+01:00 Mark wildmidi as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3106,6 +3106,9 @@ CVE-2017-1000419 (phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar - phpbb3 CVE-2017-1000418 (The WildMidi_Open function in WildMIDI since commit ...) - wildmidi 0.4.2-1 (bug #886503) + [stretch] - wildmidi (Minor issue) + [jessie] - wildmidi (Vulnerable code introduced later) + [wheezy] - wildmidi (Vulnerable code introduced later) NOTE: https://github.com/Mindwerks/wildmidi/issues/178 NOTE: https://github.com/Mindwerks/wildmidi/commit/814f31d8eceda8401eb812fc2e94ed143fdad0ab CVE-2017-1000413 (Linaro's open source TEE solution called OP-TEE, version 2.4.0 (and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/405d8f5cb66d9fd5186fc51bdcfa24ed3dcfb2fe
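Review bot: the new jessie and wheezy lines read `(Vulnerable code introduced later)` with a capital V, while the existing wildmidi no-dsa entries for CVE-2017-11661 to CVE-2017-11664 in the same file use lowercase `(vulnerable code not present)`. The rationale itself matches the CVE text ("since commit ..."), so only the casing is at issue; matching the existing form keeps the wildmidi entries greppable as one set.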
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixing version for wildmidi with unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d259f4e by Salvatore Bonaccorso at 2018-01-07T13:28:07+01:00 Add fixing version for wildmidi with unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3105,7 +3105,7 @@ CVE-2017-1000420 (Syncthing version 0.14.33 and older is vulnerable to symlink t CVE-2017-1000419 (phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar ...) - phpbb3 CVE-2017-1000418 (The WildMidi_Open function in WildMIDI since commit ...) - - wildmidi (bug #886503) + - wildmidi 0.4.2-1 (bug #886503) NOTE: https://github.com/Mindwerks/wildmidi/issues/178 NOTE: https://github.com/Mindwerks/wildmidi/commit/814f31d8eceda8401eb812fc2e94ed143fdad0ab CVE-2017-1000413 (Linaro's open source TEE solution called OP-TEE, version 2.4.0 (and ...) 
@@ -29379,28 +29379,28 @@ CVE-2017-11665 (The ff_amf_get_field_value function in libavformat/rtmppkt.c in NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ffcc82219cef0928bed2d558b19ef6ea35634130 NOTE: Fixed in 3.2.7 CVE-2017-11664 (The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI ...) - - wildmidi (low; bug #871616) + - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11663 (The _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI ...) - - wildmidi (low; bug #871616) + - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11662 (The _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause ...) - - wildmidi (low; bug #871616) + - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11661 (The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI ...) 
- - wildmidi (low; bug #871616) + - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d259f4eb0d230ad8151f1cd8b57597afd6f7511
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference bug tracking qemu status
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 32dbb67e by Salvatore Bonaccorso at 2018-01-07T13:25:24+01:00 Reference bug tracking qemu status - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -47865,6 +47865,7 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and NOTE: to pass thorugh new MSR and CPUID flags from the host VM to the CPU, to NOTE: allow (future) enabling/disabling ranch prediction features in the Intel NOTE: CPU. + NOTE: Qemu: https://bugs.debian.org/886532 CVE-2017-5714 RESERVED CVE-2017-5713 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/32dbb67e881742de54c7942a8136a338acc26019
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add note on CVE-2017-5715 for qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13653c17 by Salvatore Bonaccorso at 2018-01-07T13:22:23+01:00 Add note on CVE-2017-5715 for qemu Add a note on Qemu update. To protect from CVE-2017-5715 one would need to have an 1/ intel / amd cpu microcode update, 2/ a qemu update to pass new MSR and CPU flags from the microcode update 3/ host kernel update. Refer to the relevant part for Qemu: https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -47861,7 +47861,10 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and NOTE: intel-microcode: https://bugs.debian.org/886367 NOTE: intel-microcode: Some microcode updates to partially adress CVE-2017-5715 included in 3.20171215.1 NOTE: amd64-microcode: https://bugs.debian.org/886382 - TODO: check, qemu/qemu-kvm and intel-microcode and amd64-microcode need as well to be tracked + NOTE: Qemu patches: https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html + NOTE: to pass thorugh new MSR and CPUID flags from the host VM to the CPU, to + NOTE: allow (future) enabling/disabling ranch prediction features in the Intel + NOTE: CPU. CVE-2017-5714 RESERVED CVE-2017-5713 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13653c173cff24791b40eeec91d8a9da17215201
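Review bot: the added NOTE lines carry two typos that will be published on the tracker page for CVE-2017-5715: `thorugh` should be `through` and `ranch prediction` should be `branch prediction`. The direction in `pass thorugh new MSR and CPUID flags from the host VM to the CPU` also reads backwards against the commit message, which describes qemu passing the flags that the host microcode update exposes on to the guest; `from the host CPU to the guest VM` would say what is meant. Dropping the `TODO: check, qemu/qemu-kvm and intel-microcode and amd64-microcode need as well to be tracked` line is fine for the two microcode packages, whose bug NOTEs sit directly above, but the hunk leaves no bug reference for qemu itself, so the TODO's qemu half is resolved only by the patch-list URL until a qemu bug NOTE is added.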
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bf57810 by security tracker role at 2018-01-07T09:10:12+00:00 automatic update - - - - - 0 changed files: Changes: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3bf57810094a85d9102ed731c58b5a497e834124
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: Triage imagemagick for LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f7be287 by Chris Lamb at 2018-01-07T08:27:51+00:00 Triage imagemagick for LTS - - - - - f6669d6b by Chris Lamb at 2018-01-07T08:28:41+00:00 Triage plexus-utils for LTS - - - - - e0b49c9e by Chris Lamb at 2018-01-07T08:28:46+00:00 Triage plexus-utils2 for LTS - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -31,6 +31,8 @@ graphicsmagick (Markus Koschany) icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- +imagemagick +-- lame (Hugo Lefeuvre) NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46} NOTE: 20171120: Backporting 3.100 is not conceivable, diff >40k lines. @@ -61,6 +63,10 @@ mupdf -- opencv (Thorsten Alteholz) -- +plexus-utils +-- +plexus-utils2 +-- poco -- smarty3 (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d8d200d150e4ae52dac7e333a7da966c49788ec4...e0b49c9e1c780db1f04e7b5179789b151a5ed5c6
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Triage wildmidi for LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f3b2d44e by Chris Lamb at 2018-01-07T08:23:51+00:00 Triage wildmidi for LTS - - - - - d8d200d1 by Chris Lamb at 2018-01-07T08:23:56+00:00 Claim wildmidi in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -73,6 +73,8 @@ tiff (Roberto C. Sánchez) -- tiff3 (Roberto C. Sánchez) -- +wildmidi (Chris Lamb) +-- wordpress NOTE: 2017-12-25: Fix requires migrating users from MD5 -> bcrypt. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3122b7e2c6527c6ed11181f51fa5edfee43126ac...d8d200d150e4ae52dac7e333a7da966c49788ec4
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Triage smarty3 for LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a38dc46 by Chris Lamb at 2018-01-07T08:22:11+00:00 Triage smarty3 for LTS - - - - - 3122b7e2 by Chris Lamb at 2018-01-07T08:22:28+00:00 Claim smarty3 in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -63,6 +63,8 @@ opencv (Thorsten Alteholz) -- poco -- +smarty3 (Chris Lamb) +-- swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) NOTE: 20171210: likely to be turned into a pkg with limited sec support View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/188e433691dab04c8ff0f50f0fc66de1a221a0d5...3122b7e2c6527c6ed11181f51fa5edfee43126ac