[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add note for electrum removal
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 764d5195 by Moritz Muehlenhoff at 2018-01-16T08:58:07+01:00 add note for electrum removal - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -928,7 +928,7 @@ CVE-2017-18023 (Office Tracker 11.2.5 has XSS via the logincount parameter to th NOT-FOR-US: Office Tracker CVE-2018- [Password protect the JSONRPC interface] - electrum 3.0.5-1 (bug #886683) - [stretch] - electrum (The version in stretch is unable to connect to current Etherum servers and thus not exploitable, see #886683) + [stretch] - electrum (Unable to connect to current Etherum servers and thus not exploitable, scheduled for removal at #887412) [jessie] - electrum (Only affects >= 2.6) NOTE: https://github.com/spesmilo/electrum/issues/3374 NOTE: http://www.openwall.com/lists/oss-security/2018/01/10/4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/764d51955c549c416ecfada9668cb7779be1cfea --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/764d51955c549c416ecfada9668cb7779be1cfea You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
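Review bot: the rewritten [stretch] line keeps the spelling "Etherum servers" from the line it replaces; Electrum clients talk to Electrum servers, so the note should read "Electrum servers". Since the line is being rewritten anyway, this is the moment to fix it.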
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] update note transmission
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 8da51649 by Abhijith PA at 2018-01-16T12:33:21+05:30 update note transmission - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -62,6 +62,7 @@ tiff (Roberto C. Sánchez) tiff3 (Roberto C. Sánchez) -- transmission (Abhijith PA) + NOTE: 20180118: Upstream patch does not apply cleanly. -- wireshark -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8da516496e54f424e6358e29c32a8db8aab17fe7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8da516496e54f424e6358e29c32a8db8aab17fe7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
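Review bot: the date stamp in the added line, `NOTE: 20180118: Upstream patch does not apply cleanly.`, is two days after the commit timestamp (2018-01-16T12:33:21+05:30). The other dla-needed.txt notes on this page carry the date the note was written, so this most likely should be 20180116.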
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-3144
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4d10e87 by Salvatore Bonaccorso at 2018-01-16T07:55:46+01:00 Add bug reference for CVE-2017-3144 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -57081,7 +57081,7 @@ CVE-2017-3145 RESERVED CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty message is received allowing denial-of-service] RESERVED - - isc-dhcp + - isc-dhcp (bug #887413) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic updates] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4d10e870c99d9ba5515cf0bf0f0ce2a449ce8ef --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4d10e870c99d9ba5515cf0bf0f0ce2a449ce8ef You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2017-3144 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 39e24c09 by Salvatore Bonaccorso at 2018-01-16T07:56:56+01:00 Mark CVE-2017-3144 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -57082,6 +57082,8 @@ CVE-2017-3145 CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty message is received allowing denial-of-service] RESERVED - isc-dhcp (bug #887413) + [stretch] - isc-dhcp (Minor issue) + [jessie] - isc-dhcp (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic updates] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/39e24c092f75d70cc3c1a4e8915b9212415d21c4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/39e24c092f75d70cc3c1a4e8915b9212415d21c4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Wrap long comment
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62f22e31 by Salvatore Bonaccorso at 2018-01-16T06:10:41+01:00 Wrap long comment - - - - - d3bc85a9 by Salvatore Bonaccorso at 2018-01-16T07:17:14+01:00 Add CVE-2017-3144/isc-dhcp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -41,7 +41,8 @@ CVE-2018-5685 (In GraphicsMagick 1.3.27, there is an infinite loop and applicati - graphicsmagick 1.3.27-4 (bug #887158) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/541/ - NOTE: Before 1.3.27, the problem only affects 32-bit architectures (i.e., 4-byte long) it expanded to 64-bit architectures with upstream commit be5e89e6032d + NOTE: Before 1.3.27, the problem only affects 32-bit architectures (i.e., 4-byte long) it + NOTE: expanded to 64-bit architectures with upstream commit be5e89e6032d CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ...) - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110 
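Review bot: wrapping the NOTE across two lines leaves the original run-on in place: "(i.e., 4-byte long) it" still has no break between the two clauses, and the second line now starts mid-sentence with "expanded". Since the text is being re-flowed anyway, end the first line at "4-byte long)." or "4-byte long);" so that "expanded to 64-bit architectures with upstream commit be5e89e6032d" reads as its own clause (e.g. "...; it expanded to 64-bit ...").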
@@ -57078,8 +57079,11 @@ CVE-2017-3146 RESERVED CVE-2017-3145 RESERVED -CVE-2017-3144 +CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty message is received allowing denial-of-service] RESERVED + - isc-dhcp + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918 + NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic updates] RESERVED {DSA-3904-1 DLA-1025-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6e42cd16f5636613aa1e1a0fda3185de0e8ab53b...d3bc85a9dccb6327aa4dcbfecb26c31cb4805b01 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6e42cd16f5636613aa1e1a0fda3185de0e8ab53b...d3bc85a9dccb6327aa4dcbfecb26c31cb4805b01 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
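Review bot: the new CVE-2017-3144 entry records `- isc-dhcp` with neither a fixed version nor a Debian bug reference, although the bracketed description says the issue allows a denial of service. The convention visible in neighbouring entries (for example `- graphicsmagick 1.3.27-4 (bug #887158)`) is to file a bug and record it as `- isc-dhcp (bug #NNNNNN)` so the maintainer is notified and the stretch/jessie status can be decided in the same pass.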
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1245-1 for graphicsmagick
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e42cd16 by Roberto C. Sánchez at 2018-01-15T23:12:47-05:00 Reserve DLA-1245-1 for graphicsmagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[15 Jan 2018] DLA-1245-1 graphicsmagick - security update + {CVE-2018-5685} + [wheezy] - graphicsmagick 1.3.16-1.1+deb7u17 [16 Jan 2018] DLA-1244-1 ca-certificates - security update [wheezy] - ca-certificates 20130119+deb7u2 [15 Jan 2018] DLA-1243-1 xbmc - security update = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -16,8 +16,6 @@ couchdb (Thorsten Alteholz) exiv2 (Brian May) NOTE: 20180101: built wheezy version with ASAN in jessie and confirmed that CVE-2017-17669 applies to wheezy version -- -graphicsmagick (Roberto C. Sánchez) --- icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6e42cd16f5636613aa1e1a0fda3185de0e8ab53b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6e42cd16f5636613aa1e1a0fda3185de0e8ab53b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
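Review bot: the new entry is dated `[15 Jan 2018] DLA-1245-1` but is inserted above `[16 Jan 2018] DLA-1244-1`, while the surrounding entries show data/DLA/list ordered newest-first. Either the date should be 16 Jan (the commit timestamp 2018-01-15T23:12:47-05:00 is already 16 Jan in UTC) or the entry belongs below DLA-1244-1; since 1245 follows 1244, the date is the part to fix.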
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: fd until 20-05
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 46283705 by Luciano Bello at 2018-01-15T21:27:46-05:00 fd until 20-05 - - - - - fc1725a3 by Luciano Bello at 2018-01-15T21:28:10-05:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - org/security-frontdesk.2018.txt Changes: = org/security-frontdesk.2018.txt = --- a/org/security-frontdesk.2018.txt +++ b/org/security-frontdesk.2018.txt 
@@ -1,23 +1,23 @@ From 01-01 to 07-01: From 08-01 to 14-01: -From 15-01 to 21-01: -From 22-01 to 28-01: -From 29-01 to 04-02: -From 05-02 to 11-02: -From 12-02 to 18-02: -From 19-02 to 25-02: -From 26-02 to 04-03: -From 05-03 to 11-03: -From 12-03 to 18-03: -From 19-03 to 25-03: -From 26-03 to 01-04: -From 02-04 to 08-04: -From 09-04 to 15-04: -From 16-04 to 22-04: -From 23-04 to 29-04: -From 30-04 to 06-05: -From 07-05 to 13-05: -From 14-05 to 20-05: +From 15-01 to 21-01: luciano +From 22-01 to 28-01: gilbert +From 29-01 to 04-02: geissert +From 05-02 to 11-02: corsac +From 12-02 to 18-02: thijs +From 19-02 to 25-02: fw +From 26-02 to 04-03: seb +From 05-03 to 11-03: jmm +From 12-03 to 18-03: carnil +From 19-03 to 25-03: luciano +From 26-03 to 01-04: gilbert +From 02-04 to 08-04: geissert +From 09-04 to 15-04: corsac +From 16-04 to 22-04: thijs +From 23-04 to 29-04: fw +From 30-04 to 06-05: seb +From 07-05 to 13-05: jmm +From 14-05 to 20-05: carnil From 21-05 to 27-05: From 28-05 to 03-06: From 04-06 to 10-06: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/699ef605c758669ef0ec2cb148664c600f219069...fc1725a3a1e35cb4c8541951cee9e9dffee3e678 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/699ef605c758669ef0ec2cb148664c600f219069...fc1725a3a1e35cb4c8541951cee9e9dffee3e678 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Note that CVE-2018-5685/graphicsmagick only affects 32-bit arch << 1.3.27
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 699ef605 by Roberto C. Sánchez at 2018-01-15T20:44:45-05:00 Note that CVE-2018-5685/graphicsmagick only affects 32-bit arch << 1.3.27 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -41,6 +41,7 @@ CVE-2018-5685 (In GraphicsMagick 1.3.27, there is an infinite loop and applicati - graphicsmagick 1.3.27-4 (bug #887158) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/541/ + NOTE: Before 1.3.27, the problem only affects 32-bit architectures (i.e., 4-byte long) it expanded to 64-bit architectures with upstream commit be5e89e6032d CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ...) - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/699ef605c758669ef0ec2cb148664c600f219069 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/699ef605c758669ef0ec2cb148664c600f219069 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
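Review bot: the added NOTE is a single very long line. The existing entries in data/CVE/list wrap continuation text onto additional `NOTE:` lines (see the two-line MuPDF note `NOTE: pdf_parse_array ... / NOTE: EOF.` elsewhere on this page), so split this one after "4-byte long)" and continue with a second `NOTE:` line.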
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update note in dla-needed.txt re. smarty3.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7606b52c by Chris Lamb at 2018-01-16T08:43:47+11:00 Update note in dla-needed.txt re. smarty3. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -53,6 +53,7 @@ osc -- smarty3 (Chris Lamb) NOTE: 20180108: Maintainer will take care of it, but ping in 6d. (lamby) + NOTE: 20180115: Maintainer pinged. (lamby) -- swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7606b52c75db83895ea3897f27ce5deac9cf3863 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7606b52c75db83895ea3897f27ce5deac9cf3863 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 099d23c7 by Salvatore Bonaccorso at 2018-01-15T22:11:38+01:00 Process NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -476,7 +476,7 @@ CVE-2018-5481 CVE-2018-5480 RESERVED CVE-2018-5479 (FoxSash ImgHosting 1.5 (according to footer information) is vulnerable ...) - TODO: check + NOT-FOR-US: FoxSash ImgHosting CVE-2018-5478 RESERVED CVE-2018-5477 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/099d23c78f1096c4c82c433b66760c2c0da30f32 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/099d23c78f1096c4c82c433b66760c2c0da30f32 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2abfa9d1 by security tracker role at 2018-01-15T21:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -475,8 +475,8 @@ CVE-2018-5481 RESERVED CVE-2018-5480 RESERVED -CVE-2018-5479 - RESERVED +CVE-2018-5479 (FoxSash ImgHosting 1.5 (according to footer information) is vulnerable ...) + TODO: check CVE-2018-5478 RESERVED CVE-2018-5477 @@ -703,7 +703,8 @@ CVE-2016-10706 (The Jetpack plugin before 4.0.3 for WordPress has XSS via a craf NOT-FOR-US: WordPress plugin jetpack CVE-2016-10705 (The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes ...) NOT-FOR-US: WordPress plugin jetpack -CVE-2018-5702 [rpc session-id mechanism design flaw results in RCE] +CVE-2018-5702 (Transmission through 2.92 relies on X-Transmission-Session-Id (which is ...) + {DSA-4087-1} - transmission (bug #886990) NOTE: http://www.openwall.com/lists/oss-security/2018/01/12/1 NOTE: https://github.com/transmission/transmission/pull/468 @@ -4130,7 +4131,7 @@ CVE-2017-1000424 (Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vu CVE-2017-1000423 (b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation ...) - b2evolution CVE-2017-1000422 (Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer ...) - {DLA-1234-1} + {DSA-4088-1 DLA-1234-1} - gdk-pixbuf 2.36.11-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785973 NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=0012e066ba37439d402ce46afbc1311530a4ec61 
@@ -40534,6 +40535,7 @@ CVE-2017-8316 CVE-2017-8315 RESERVED CVE-2017-8314 (Directory Traversal in Zip Extraction built-in function in Kodi 17.1 ...) + {DLA-1243-1} - kodi 2:17.1+dfsg1-3 (bug #863230) - xbmc NOTE: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2abfa9d1462e7914f86ed6ea6d28d4ab585b0f0b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2abfa9d1462e7914f86ed6ea6d28d4ab585b0f0b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5685/graphicsmagick fixed version in unstable
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: 18873f25 by Laszlo Boszormenyi (GCS) at 2018-01-15T20:36:11+00:00 Add CVE-2018-5685/graphicsmagick fixed version in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38,7 +38,7 @@ CVE-2018-5686 (In MuPDF 1.12.0, there is an infinite loop vulnerability and ...) NOTE: pdf_parse_array function in source/pdf/pdf-parse.c does not consider NOTE: EOF. CVE-2018-5685 (In GraphicsMagick 1.3.27, there is an infinite loop and application ...) - - graphicsmagick (bug #887158) + - graphicsmagick 1.3.27-4 (bug #887158) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/52a91ddb1aa6 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/541/ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18873f258af900aaac5a1da405c199aa28e8dbcf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18873f258af900aaac5a1da405c199aa28e8dbcf You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1244-1 for ca-certificates
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 521680a4 by Brian May at 2018-01-16T07:33:12+11:00 Reserve DLA-1244-1 for ca-certificates - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,5 @@ +[16 Jan 2018] DLA-1244-1 ca-certificates - security update + [wheezy] - ca-certificates 20130119+deb7u2 [15 Jan 2018] DLA-1243-1 xbmc - security update {CVE-2017-8314} [wheezy] - xbmc 2:11.0~git20120510.82388d5-1+deb7u1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,10 +10,6 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -ca-certificates (Brian May) - NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org - NOTE: 20171013: pinged maintainer: https://lists.debian.org/87efpuc95w@curie.anarc.at (anarcat) --- couchdb (Thorsten Alteholz) NOTE: Only in wheezy, we are on our own. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/521680a494f94a2cd549b1034b0378c2590ef02d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/521680a494f94a2cd549b1034b0378c2590ef02d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
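Review bot: the new `DLA-1244-1 ca-certificates` entry has no `{CVE-...}` line, unlike `DLA-1243-1 xbmc` directly below it, which carries `{CVE-2017-8314}`. If the update fixes no CVE-assigned issue that is fine, but confirm it: the `{...}` line is what lets the matching CVE entry in data/CVE/list gain its `{DLA-1244-1}` cross-reference, as CVE-2017-8314 gained `{DLA-1243-1}`.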
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for qemu issue: #887392
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3086a3d by Salvatore Bonaccorso at 2018-01-15T21:25:31+01:00 Add bug reference for qemu issue: #887392 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -47,7 +47,7 @@ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ... TODO: check CVE-2018-5683 [Out-of-bounds read in vga_draw_text routine] RESERVED - - qemu + - qemu (bug #887392) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg02131.html CVE-2017-18030 [Out-of-bounds access in cirrus_invalidate_region routine] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3086a3d63309009ced00d7b2adb520ca80ad19a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3086a3d63309009ced00d7b2adb520ca80ad19a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] osc bug
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ac840ce5 by Moritz Muehlenhoff at 2018-01-15T21:21:55+01:00 osc bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37696,7 +37696,7 @@ CVE-2017-9275 RESERVED CVE-2017-9274 [osc executes spec code during "osc commit"] RESERVED - - osc + - osc (bug #887391) [stretch] - osc (Minor issue) [jessie] - osc (Minor issue) NOTE: Details in https://bugzilla.novell.com/show_bug.cgi?id=938556 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac840ce5ba70b0384d2ccf419347ce9781746fab --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac840ce5ba70b0384d2ccf419347ce9781746fab You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: no-dsa: electrum, bro, osc
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8de78b99 by Moritz Muehlenhoff at 2018-01-15T21:19:31+01:00 no-dsa: electrum, bro, osc - - - - - 2818c674 by Moritz Muehlenhoff at 2018-01-15T21:20:45+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -925,6 +925,7 @@ CVE-2017-18023 (Office Tracker 11.2.5 has XSS via the logincount parameter to th NOT-FOR-US: Office Tracker CVE-2018- [Password protect the JSONRPC interface] - electrum 3.0.5-1 (bug #886683) + [stretch] - electrum (The version in stretch is unable to connect to current Etherum servers and thus not exploitable, see #886683) [jessie] - electrum (Only affects >= 2.6) NOTE: https://github.com/spesmilo/electrum/issues/3374 NOTE: http://www.openwall.com/lists/oss-security/2018/01/10/4 @@ -4074,6 +4075,7 @@ CVE-2017-1000425 (Cross-site scripting (XSS) vulnerability in the /html/portal/f NOT-FOR-US: Liferay Portal CE CVE-2017-1000458 (Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ...) - bro 2.5.2-1 + [stretch] - bro (Minor issue) NOTE: https://bro-tracker.atlassian.net/browse/BIT-1856 NOTE: https://github.com/bro/bro/commit/6c0f101a62489b1c5927b4ed63b0e1d37db40282 CVE-2017-1000457 (Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal ...) 
@@ -37695,6 +37697,8 @@ CVE-2017-9275 CVE-2017-9274 [osc executes spec code during "osc commit"] RESERVED - osc + [stretch] - osc (Minor issue) + [jessie] - osc (Minor issue) NOTE: Details in https://bugzilla.novell.com/show_bug.cgi?id=938556 NOTE: SUSE adressed the issue not only in the obs-service-source_validator NOTE: and adding a validation in 0.162.0 when using OBS 2.9, cf.: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4185134d011e154ea1690b9a0021d18761ce...2818c674ca281ee516164489dcf522946b7a983c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4185134d011e154ea1690b9a0021d18761ce...2818c674ca281ee516164489dcf522946b7a983c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
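Review bot: in the osc hunk the `[stretch] - osc (Minor issue)` and `[jessie] - osc (Minor issue)` lines are added while the `- osc` line above them still has no Debian bug reference, although CVE-2017-9274 is described as code execution during "osc commit". The nearby entries record one as `(bug #NNNNNN)`; filing it here lets the maintainer see both the issue and the no-dsa decision.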
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add note for awstats
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 41851999 by Salvatore Bonaccorso at 2018-01-15T21:15:40+01:00 Add note for awstats - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -14,7 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- 389-ds-base (fw) -- -awstats (Abhijith) +awstats (Abhijith PA) + Abhijith PA proposed debdiffs for jessie- and stretch-security for review -- chromium-browser/stable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4185134d011e154ea1690b9a0021d18761ce --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4185134d011e154ea1690b9a0021d18761ce You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5683/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df63a7b4 by Salvatore Bonaccorso at 2018-01-15T21:10:37+01:00 Add CVE-2018-5683/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -45,8 +45,11 @@ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ... - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110 TODO: check -CVE-2018-5683 +CVE-2018-5683 [Out-of-bounds read in vga_draw_text routine] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg02131.html CVE-2017-18030 [Out-of-bounds access in cirrus_invalidate_region routine] RESERVED - qemu 1:2.8+dfsg-4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df63a7b4717f8ff3d1fe09956a0982b6746391c7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df63a7b4717f8ff3d1fe09956a0982b6746391c7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-18030 already addressed earlier with the v2.8.1 import
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2138bc47 by Salvatore Bonaccorso at 2018-01-15T21:05:17+01:00 CVE-2017-18030 already adressed earlier with the v2.8.1 import The qemu update versioned 1:2.8+dfsg-4 in unstable did include as patch the 2.8.1 upstream stable/bugfix release including the commit https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3 Adjust the fixing version accordingly. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -49,7 +49,7 @@ CVE-2018-5683 RESERVED CVE-2017-18030 [Out-of-bounds access in cirrus_invalidate_region routine] RESERVED - - qemu 1:2.10.0-1 + - qemu 1:2.8+dfsg-4 - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3 CVE-2018-5682 (PrestaShop 1.7.2.4 allows user enumeration via the Reset Password ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2138bc47e7bcfe96c8f3ba5ebd9a5ee6949a7be5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2138bc47e7bcfe96c8f3ba5ebd9a5ee6949a7be5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Track fixing version in unstable for CVE-2017-18030/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61bd5686 by Salvatore Bonaccorso at 2018-01-15T20:59:04+01:00 Track fixing version in unstable for CVE-2017-18030/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -49,7 +49,7 @@ CVE-2018-5683 RESERVED CVE-2017-18030 [Out-of-bounds access in cirrus_invalidate_region routine] RESERVED - - qemu + - qemu 1:2.10.0-1 - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3 CVE-2018-5682 (PrestaShop 1.7.2.4 allows user enumeration via the Reset Password ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61bd568615a5c82171c774da32c373dba6c29702 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61bd568615a5c82171c774da32c373dba6c29702 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
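Review bot: before recording `1:2.10.0-1` as the fixing version for CVE-2017-18030, check whether the referenced upstream commit (f153b563f8cf121aebf5a2fff5f0110faf58ccb3) was already shipped in an earlier unstable upload: a Debian qemu package may carry upstream stable/bugfix patches, in which case the first fixed version is lower than the first upload of a new upstream release. The package changelog, or `git log` on the packaging repository for that commit id, is the quickest way to confirm.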
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18030/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73420769 by Salvatore Bonaccorso at 2018-01-15T20:52:32+01:00 Add CVE-2017-18030/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -47,8 +47,11 @@ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ... TODO: check CVE-2018-5683 RESERVED -CVE-2017-18030 +CVE-2017-18030 [Out-of-bounds access in cirrus_invalidate_region routine] RESERVED + - qemu + - qemu-kvm + NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3 CVE-2018-5682 (PrestaShop 1.7.2.4 allows user enumeration via the Reset Password ...) NOT-FOR-US: PrestaShop CVE-2018-5681 (PrestaShop 1.7.2.4 has XSS via source-code editing on the "Pages > Edit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7342076989d0e86ad8476769275a15b5f84e6074 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7342076989d0e86ad8476769275a15b5f84e6074 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add smarty3 to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c8504ae by Salvatore Bonaccorso at 2018-01-15T20:49:01+01:00 Add smarty3 to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -53,6 +53,9 @@ salt -- simplesamlphp -- +smarty3 (luciano) + Maintainer preparing updates for jessie- and stretch-security +-- sqlite3/oldstable -- sssd/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c8504aeb37824277be35a868884a8c7aa213565 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c8504aeb37824277be35a868884a8c7aa213565 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
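Review bot: The status line `Maintainer preparing updates for jessie- and stretch-security` is undated, so a later reader cannot tell how long the smarty3 entry has been waiting on the maintainer; the dla-needed.txt entries in neighbouring commits prefix such notes with `NOTE: <date>:`, and doing the same here would make a stale entry easy to spot during the next dsa-needed review.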
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1243-1 for xbmc
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d17cd90a by Markus Koschany at 2018-01-15T20:08:44+01:00 Reserve DLA-1243-1 for xbmc - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[15 Jan 2018] DLA-1243-1 xbmc - security update + {CVE-2017-8314} + [wheezy] - xbmc 2:11.0~git20120510.82388d5-1+deb7u1 [14 Jan 2018] DLA-1242-1 xmltooling - security update {CVE-2018-0486} [wheezy] - xmltooling 1.4.2-5+deb7u2 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -77,5 +77,3 @@ wordpress NOTE: 2018-08-09: Upstream bug opened 6 years ago and no chages to upstream NOTE: bug in 7 weeks. -- -xbmc (Markus Koschany) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d17cd90a0706d76b5ba8d3ee3e44d267185530a8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d17cd90a0706d76b5ba8d3ee3e44d267185530a8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
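Review bot: The unchanged context lines of the dla-needed.txt hunk, `NOTE: 2018-08-09: Upstream bug opened 6 years ago and no chages to upstream`, carry a date seven months after this commit's 2018-01-15 timestamp (it looks like a transposed month and day) and a typo in "chages"; neither is part of the xbmc removal, but both are worth fixing in a follow-up so the age of the wordpress entry is not misread.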
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] gdk-pixbuf DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cb3fb2f4 by Moritz Muehlenhoff at 2018-01-15T19:53:21+01:00 gdk-pixbuf DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -47276,23 +47276,26 @@ CVE-2017-6317 (Memory leak in the add_shader_program function in vrend_renderer. - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=a2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4 (0.6.0) CVE-2017-6314 (The make_available_at_least function in io-tiff.c in gdk-pixbuf allows ...) - - gdk-pixbuf (bug #856448) - [jessie] - gdk-pixbuf (Minor issue, can be fixed via point release) + - gdk-pixbuf (low; bug #856448) + [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 + [jessie] - gdk-pixbuf (Minor issue) [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779020 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=1e513abdb55529f888233d3c96b27352d83aad5f CVE-2017-6313 (Integer underflow in the load_resources function in io-icns.c in ...) - - gdk-pixbuf (bug #856445) - [jessie] - gdk-pixbuf (Minor issue, can be fixed via point release) + - gdk-pixbuf (low; bug #856445) + [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 + [jessie] - gdk-pixbuf (Minor issue) [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779016 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=210b16399a492d05efb209615a143920b24251f4 NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=4cc39d479356b6b09e3d62a0f3ab424db6c266d8 CVE-2017-6312 (Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent ...) 
- - gdk-pixbuf (bug #856444) - [jessie] - gdk-pixbuf (Minor issue, can be fixed via point release) + - gdk-pixbuf (low; bug #856444) + [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 + [jessie] - gdk-pixbuf (Minor issue) [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779012 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[15 Jan 2018] DSA-4088-1 gdk-pixbuf - security update + {CVE-2017-1000422} + [jessie] - gdk-pixbuf 2.31.1-2+deb8u7 + [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 [14 Jan 2018] DSA-4087-1 transmission - security update {CVE-2018-5702} [jessie] - transmission 2.84-0.2+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -18,8 +18,6 @@ awstats (Abhijith) -- chromium-browser/stable -- -gdk-pixbuf (jmm) --- graphicsmagick -- imagemagick/oldstable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb3fb2f451f1fbabeb80a951f13dcea39e58eda0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb3fb2f451f1fbabeb80a951f13dcea39e58eda0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
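Review bot: In the CVE/list hunk the three `[jessie]` lines are shortened to `(Minor issue)` but gain no fixed version, while the matching `[stretch]` lines record 2.36.5-2+deb9u2 from the DSA; if the jessie upload 2.31.1-2+deb8u7 listed in the DSA/list hunk does not contain the three CVE-2017-631x fixes, a NOTE saying so would stop someone re-adding gdk-pixbuf to dsa-needed for jessie, and if it does contain them the jessie lines should record that version instead.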
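Review bot: The new DSA-4088-1 entry in the DSA/list hunk lists only `{CVE-2017-1000422}`, although the CVE/list hunk in the same commit marks CVE-2017-6312, CVE-2017-6313 and CVE-2017-6314 as fixed in the identical stretch version 2.36.5-2+deb9u2; if those three were mentioned in the advisory text they belong inside the braces as well, and if they were fixed silently a NOTE on each CVE entry stating that the fix shipped with DSA-4088-1 keeps the two files consistent.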
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] remove no-dsa for three gdk-pixbuf issues, fixed along in DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 232f85d8 by Moritz Muehlenhoff at 2018-01-15T18:49:39+01:00 remove no-dsa for three gdk-pixbuf issues, fixed along in DSA - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -47277,7 +47277,6 @@ CVE-2017-6317 (Memory leak in the add_shader_program function in vrend_renderer. NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=a2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4 (0.6.0) CVE-2017-6314 (The make_available_at_least function in io-tiff.c in gdk-pixbuf allows ...) - gdk-pixbuf (bug #856448) - [stretch] - gdk-pixbuf (Minor issue, can be fixed via point release) [jessie] - gdk-pixbuf (Minor issue, can be fixed via point release) [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779020 @@ -47285,7 +47284,6 @@ CVE-2017-6314 (The make_available_at_least function in io-tiff.c in gdk-pixbuf a NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=1e513abdb55529f888233d3c96b27352d83aad5f CVE-2017-6313 (Integer underflow in the load_resources function in io-icns.c in ...) - gdk-pixbuf (bug #856445) - [stretch] - gdk-pixbuf (Minor issue, can be fixed via point release) [jessie] - gdk-pixbuf (Minor issue, can be fixed via point release) [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779016 
@@ -47294,7 +47292,6 @@ CVE-2017-6313 (Integer underflow in the load_resources function in io-icns.c in NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=4cc39d479356b6b09e3d62a0f3ab424db6c266d8 CVE-2017-6312 (Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent ...) - gdk-pixbuf (bug #856444) - [stretch] - gdk-pixbuf (Minor issue, can be fixed via point release) [jessie] - gdk-pixbuf (Minor issue, can be fixed via point release) [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779012 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/232f85d8ca52441937f96b9610257474223906b0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/232f85d8ca52441937f96b9610257474223906b0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
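Review bot: Dropping the `[stretch] - gdk-pixbuf (Minor issue, can be fixed via point release)` line in the first hunk (and likewise in the two following hunks) leaves CVE-2017-6314, CVE-2017-6313 and CVE-2017-6312 showing as open in stretch until a fixed version is recorded, which is the right intermediate state when the DSA upload is imminent; the `[jessie]` lines, however, keep the same "can be fixed via point release" wording, so it is worth confirming in the same pass whether jessie is covered by the DSA and adjusting those lines too.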
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-16909/libraw and CVE-2017-16910/libraw fixed in libraw/ 0.18.6-1. …
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: cce9a64a by Mattia Rizzolo at 2018-01-15T18:45:41+01:00 CVE-2017-16909/libraw and CVE-2017-16910/libraw fixed in libraw/ 0.18.6-1. Thanks mfv for notifying. Signed-off-by: Mattia Rizzolo- - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -14672,13 +14672,13 @@ CVE-2017-16911 RESERVED CVE-2017-16910 RESERVED - - libraw + - libraw 0.18.6-1 [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16909 RESERVED - - libraw + - libraw 0.18.6-1 [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cce9a64ae876a85c0b936fbc4f10d5ba6a1232be --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cce9a64ae876a85c0b936fbc4f10d5ba6a1232be You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
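Review bot: Both `- libraw 0.18.6-1` lines record the unstable fix, but only wheezy has a `(Minor issue)` line, so stretch and jessie will now show CVE-2017-16910 and CVE-2017-16909 as open with no severity; matching no-dsa lines or a dsa-needed entry are wanted, and since both entries are still bare `RESERVED` a short bracketed description taken from the Secunia advisory in the NOTE lines (the `CVE-... [description] RESERVED` form used for CVE-2017-18030 in this list) would make them searchable.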
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-5702/transmission assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 770b1da5 by Salvatore Bonaccorso at 2018-01-15T17:41:56+01:00 CVE-2018-5702/transmission assigned - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -697,10 +697,8 @@ CVE-2016-10706 (The Jetpack plugin before 4.0.3 for WordPress has XSS via a craf NOT-FOR-US: WordPress plugin jetpack CVE-2016-10705 (The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes ...) NOT-FOR-US: WordPress plugin jetpack -CVE-2018- [rpc session-id mechanism design flaw results in RCE] +CVE-2018-5702 [rpc session-id mechanism design flaw results in RCE] - transmission (bug #886990) - [stretch] - transmission 2.92-2+deb9u1 - [jessie] - transmission 2.84-0.2+deb8u1 NOTE: http://www.openwall.com/lists/oss-security/2018/01/12/1 NOTE: https://github.com/transmission/transmission/pull/468 NOTE: Proposed patch: https://patch-diff.githubusercontent.com/raw/transmission/transmission/pull/468.diff = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,4 +1,5 @@ [14 Jan 2018] DSA-4087-1 transmission - security update + {CVE-2018-5702} [jessie] - transmission 2.84-0.2+deb8u1 [stretch] - transmission 2.92-2+deb9u1 [13 Jan 2018] DSA-4086-1 libxml2 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/770b1da5683991a886cc85d0749808049d98a03c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/770b1da5683991a886cc85d0749808049d98a03c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
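Review bot: After the first hunk the unstable line `- transmission (bug #886990)` still has no fixed version, so CVE-2018-5702 shows as open in sid even though both stable suites are now carried by the DSA-4087-1 entry in the second hunk; moving the `[stretch]`/`[jessie]` versions out of CVE/list is correct once the DSA entry holds them, but a NOTE on the pending unstable upload would explain why sid lags the stable suites.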
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13067a20 by Salvatore Bonaccorso at 2018-01-15T10:21:57+01:00 Process new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,7 @@ CVE-2018-5701 RESERVED CVE-2018-5700 (Winmail Server through 6.2 allows remote code execution by ...) - TODO: check + NOT-FOR-US: Winmail Server CVE-2018-5699 RESERVED CVE-2017-18031 @@ -27,7 +27,7 @@ CVE-2018-5690 (Cross-site scripting (XSS) vulnerability in admin/users.php in Do CVE-2018-5689 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear ...) - dotclear CVE-2018-5688 (ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader ...) - TODO: check + NOT-FOR-US: ILIAS CVE-2018-5687 (NewsBee allows XSS via the Company Name field in the Settings under ...) NOT-FOR-US: NewsBee CMS CVE-2018-5686 (In MuPDF 1.12.0, there is an infinite loop vulnerability and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13067a202bca3a490932d8ba719541708538bdf6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13067a202bca3a490932d8ba719541708538bdf6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6c1a002 by security tracker role at 2018-01-15T09:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,11 @@ +CVE-2018-5701 + RESERVED +CVE-2018-5700 (Winmail Server through 6.2 allows remote code execution by ...) + TODO: check +CVE-2018-5699 + RESERVED +CVE-2017-18031 + RESERVED CVE-2018-5698 (libreadstat.a in WizardMac ReadStat 0.1.1 has a heap-based buffer ...) NOT-FOR-US: WizardMac ReadStat CVE-2018-5697 (Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to ...) @@ -18,8 +26,8 @@ CVE-2018-5690 (Cross-site scripting (XSS) vulnerability in admin/users.php in Do - dotclear CVE-2018-5689 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Dotclear ...) - dotclear -CVE-2018-5688 - RESERVED +CVE-2018-5688 (ILIAS before 5.2.4 has XSS via the cmd parameter to the displayHeader ...) + TODO: check CVE-2018-5687 (NewsBee allows XSS via the Company Name field in the Settings under ...) NOT-FOR-US: NewsBee CMS CVE-2018-5686 (In MuPDF 1.12.0, there is an infinite loop vulnerability and ...) 
@@ -311,15 +319,15 @@ CVE-2018-5551 RESERVED CVE-2018-5550 RESERVED -CVE-2015-9250 (An issue was discovered in Skybox Platform before 7.5.401. Directory ...) +CVE-2015-9250 (An issue was discovered in Skybox Platform before 7.5.201. Directory ...) NOT-FOR-US: Skybox Platform -CVE-2015-9249 (An issue was discovered in Skybox Platform before 7.5.401. SQL ...) +CVE-2015-9249 (An issue was discovered in Skybox Platform before 7.5.201. SQL ...) NOT-FOR-US: Skybox Platform -CVE-2015-9248 (An issue was discovered in Skybox Platform before 7.5.401. Stored ...) +CVE-2015-9248 (An issue was discovered in Skybox Platform before 7.5.201. Stored ...) NOT-FOR-US: Skybox Platform CVE-2015-9247 (An issue was discovered in Skybox Platform before 7.5.401. Reflected ...) NOT-FOR-US: Skybox Platform -CVE-2015-9246 (An issue was discovered in Skybox Platform before 7.5.401. Remote ...) +CVE-2015-9246 (An issue was discovered in Skybox Platform before 7.5.201. Remote ...) NOT-FOR-US: Skybox Platform CVE-2018-5549 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6c1a0029993437cffd1cca1209d9e7383f15c33 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6c1a0029993437cffd1cca1209d9e7383f15c33 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
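Review bot: In the Skybox hunk the descriptions of CVE-2015-9250, CVE-2015-9249, CVE-2015-9248 and CVE-2015-9246 change from "before 7.5.401" to "before 7.5.201", while the unchanged context line for CVE-2015-9247 keeps "before 7.5.401"; as this is an automatic import the inconsistency originates in the upstream descriptions, and since all five are `NOT-FOR-US` no Debian action follows, but anyone cross-referencing Skybox versions should not treat the 7.5.201 figure as confirmed.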