[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Three vague Android kernel issues

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0dcb764e by Moritz Muehlenhoff at 2018-01-23T09:45:43+01:00
Three vague Android kernel issues

- - - - -
f4a34134 by Moritz Muehlenhoff at 2018-01-23T09:46:03+01:00
Merge branch 'master' of 
salsa.debian.org:security-tracker-team/security-tracker

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -26550,11 +26550,15 @@ CVE-2017-13224
 CVE-2017-13223
RESERVED
 CVE-2017-13222 (An information disclosure vulnerability in the Upstream kernel 
kernel. ...)
-   TODO: check
+   - linux 
+   NOTE: No details/release available other than the description of 
'upstream kernel'
 CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel 
wifi ...)
-   TODO: check
+   - linux 
+   NOTE: No details/release available other than the description of 
'upstream kernel wifi driver'
 CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel 
bluez. ...)
-   TODO: check
+   - linux 
+   - bluez 
+   NOTE: No details/release available other than the description of 
'upstream kernel bluez'
 CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel 
synaptics ...)
TODO: check
 CVE-2017-13218 (Access to CNTVCT_EL0 could be used for side channel attacks. 
This ...)
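
Review bot: For CVE-2017-13220 the added lines list both `- linux` and `- bluez`, but the NOTE only repeats the description 'upstream kernel bluez' and does not say why the userspace package is tracked alongside the kernel. A few words in the NOTE stating that both are listed because the description does not distinguish them would save the next person the same lookup.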


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -56,8 +56,6 @@ redmine
 --
 ruby2.1/oldstable
 --
-salt
---
 simplesamlphp
 --
 sqlite3/oldstable
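
Review bot: Dropping `salt` from data/dsa-needed.txt is not mentioned in either commit message shown here ('Three vague Android kernel issues' and the merge). If the removal arrives through the merge that is fine; otherwise it deserves its own commit naming the advisory or the reason the package no longer needs one.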



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/e2db9347564198d1044ded729fe46732c257a0ed...f4a3413475f7b27a0ab6e6750d69698e8fb75a84

You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72c1f08d by security tracker role at 2018-01-23T09:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,113 @@
+CVE-2018-6029 (The copy function in application/admin/controller/Article.php 
in ...)
+   TODO: check
+CVE-2018-6028
+   RESERVED
+CVE-2018-6027
+   RESERVED
+CVE-2018-6026
+   RESERVED
+CVE-2018-6025
+   RESERVED
+CVE-2018-6024
+   RESERVED
+CVE-2018-6023
+   RESERVED
+CVE-2018-6022 (Directory traversal vulnerability in ...)
+   TODO: check
+CVE-2018-6021
+   RESERVED
+CVE-2018-6020
+   RESERVED
+CVE-2018-6019
+   RESERVED
+CVE-2018-6018
+   RESERVED
+CVE-2018-6017
+   RESERVED
+CVE-2018-6016
+   RESERVED
+CVE-2018-6015
+   RESERVED
+CVE-2018-6014 (Subsonic v6.1.3 has an insecure allow-access-from 
domain="*" Flash ...)
+   TODO: check
+CVE-2018-6013 (Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote 
users to ...)
+   TODO: check
+CVE-2018-6012
+   RESERVED
+CVE-2018-6011
+   RESERVED
+CVE-2018-6010 (In Yii Framework 2.x before 2.0.14, remote attackers could 
obtain ...)
+   TODO: check
+CVE-2018-6009 (In Yii Framework 2.x before 2.0.14, the switchIdentity function 
in ...)
+   TODO: check
+CVE-2018-6008
+   RESERVED
+CVE-2018-6007
+   RESERVED
+CVE-2018-6006
+   RESERVED
+CVE-2018-6005
+   RESERVED
+CVE-2018-6004
+   RESERVED
+CVE-2017-18074
+   RESERVED
+CVE-2017-18073
+   RESERVED
+CVE-2017-18072
+   RESERVED
+CVE-2017-18071
+   RESERVED
+CVE-2017-18070
+   RESERVED
+CVE-2017-18069
+   RESERVED
+CVE-2017-18068
+   RESERVED
+CVE-2017-18067
+   RESERVED
+CVE-2017-18066
+   RESERVED
+CVE-2017-18065
+   RESERVED
+CVE-2017-18064
+   RESERVED
+CVE-2017-18063
+   RESERVED
+CVE-2017-18062
+   RESERVED
+CVE-2017-18061
+   RESERVED
+CVE-2017-18060
+   RESERVED
+CVE-2017-18059
+   RESERVED
+CVE-2017-18058
+   RESERVED
+CVE-2017-18057
+   RESERVED
+CVE-2017-18056
+   RESERVED
+CVE-2017-18055
+   RESERVED
+CVE-2017-18054
+   RESERVED
+CVE-2017-18053
+   RESERVED
+CVE-2017-18052
+   RESERVED
+CVE-2017-18051
+   RESERVED
+CVE-2017-18050
+   RESERVED
+CVE-2017-18049 (In the CSV export feature of SilverStripe before 3.5.6, 3.6.x 
before ...)
+   TODO: check
+CVE-2017-18048 (Monstra CMS 3.0.4 allows users to upload arbitrary files, 
which leads ...)
+   TODO: check
+CVE-2017-1000417 (MatrixSSL version 3.7.2 adopts a collision-prone OID 
comparison logic ...)
+   TODO: check
+CVE-2017-1000416 (axTLS version 1.5.3 has a coding error in the ASN.1 parser 
resulting ...)
+   TODO: check
 CVE-2018-6003 (An issue was discovered in the _asn1_decode_simple_ber function 
in ...)
TODO: check
 CVE-2018-6002 (The Soundy Background Music plugin 3.9 and below for WordPress 
has ...)
@@ -717,7 +827,7 @@ CVE-2018-103 (Improper input validation bugs in DNSSEC 
validators components
 CVE-2018-102 (Improper input validation bugs in DNSSEC validators 
components in Knot ...)
- knot-recursor 1.5.2-1
 CVE-2018-5704 (Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts 
to use ...)
-   {DLA-1253-1}
+   {DSA-4093-1 DLA-1253-1}
- openocd 0.10.0-4 (bug #887488)
NOTE: https://sourceforge.net/p/openocd/mailman/message/36188041/
NOTE: http://openocd.zylin.com/4330
@@ -2635,7 +2745,7 @@ CVE-2017-1000482 (A member of the Plone 2.5-5.1rc1 site 
could set javascript in 
 CVE-2017-1000481 (When you visit a page where you need to login, Plone 
2.5-5.1rc1 sends ...)
NOT-FOR-US: Plone
 CVE-2017-1000480 (Smarty 3 before 3.1.32 is vulnerable to a PHP code injection 
when ...)
-   {DLA-1249-1}
+   {DSA-4094-1 DLA-1249-1}
- smarty 
- smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-3 (bug #886460)
NOTE: 
https://github.com/smarty-php/smarty/commit/614ad1f8b9b00086efc123e49b7bb8efbfa81b61
@@ -12226,10 +12336,10 @@ CVE-2017-17409 (This vulnerability allows remote 
attackers to execute arbitrary 
NOT-FOR-US: Bitdefender Internet Security 2018
 CVE-2017-17408 (This vulnerability allows remote attackers to execute 
arbitrary code ...)
NOT-FOR-US: Bitdefender Internet Security 2018
-CVE-2017-17407
-   RESERVED
-CVE-2017-17406
-   RESERVED
+CVE-2017-17407 (This vulnerability allows remote attackers to execute 
arbitrary code ...)
+   TODO: check
+CVE-2017-17406 (This vulnerability allows remote attackers to execute 
arbitrary code ...)
+   TODO: check
 CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. 
Net::FTP#get, ...)
{DLA-1222-1 DLA-1221-1}
- ruby2.5 2.5.0~rc1-1 (bug #884437)
@@ -13477,8

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] binutils fixed

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b7e5db1d by Moritz Muehlenhoff at 2018-01-23T14:28:45+01:00
binutils fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -13130,7 +13130,7 @@ CVE-2017-17127 (The vc1_decode_frame function in 
libavcodec/vc1dec.c in Libav 12
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1099
 CVE-2017-17126 (The load_debug_section function in readelf.c in GNU Binutils 
2.29.1 ...)
[experimental] - binutils 2.29.51.20171208-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
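
Review bot: The `[experimental] - binutils 2.29.51.20171208-1` line directly above the changed line is left in place although unstable now carries the later 2.29.90.20180122-1. The libvirt update on this page (c7b3dfe4) drops its `[experimental]` line in the same situation; doing the same here would keep the entries consistent. The point applies equally to the remaining binutils hunks in this commit.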
@@ -13138,7 +13138,7 @@ CVE-2017-17126 (The load_debug_section function in 
readelf.c in GNU Binutils 2.2
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8
 CVE-2017-17125 (nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain 
global ...)
[experimental] - binutils 2.29.51.20171128-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
@@ -13146,7 +13146,7 @@ CVE-2017-17125 (nm.c and objdump.c in GNU Binutils 
2.29.1 mishandle certain glob
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4
 CVE-2017-17124 (The _bfd_coff_read_string_table function in coffgen.c in the 
Binary ...)
[experimental] - binutils 2.29.51.20171208-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
@@ -13154,7 +13154,7 @@ CVE-2017-17124 (The _bfd_coff_read_string_table 
function in coffgen.c in the Bin
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c
 CVE-2017-17123 (The coff_slurp_reloc_table function in coffcode.h in the 
Binary File ...)
[experimental] - binutils 2.29.51.20171208-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
@@ -13162,7 +13162,7 @@ CVE-2017-17123 (The coff_slurp_reloc_table function in 
coffcode.h in the Binary 
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4581a1c7d304ce14e714b27522ebf3d0188d6543
 CVE-2017-17122 (The dump_relocs_in_section function in objdump.c in GNU 
Binutils 2.29.1 ...)
[experimental] - binutils 2.29.51.20171208-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
@@ -13170,7 +13170,7 @@ CVE-2017-17122 (The dump_relocs_in_section function in 
objdump.c in GNU Binutils
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d785b7d4b877ed465d04072e17ca19d0f47d840f
 CVE-2017-17121 (The Binary File Descriptor (BFD) library (aka libbfd), as 
distributed ...)
[experimental] - binutils 2.29.51.20171208-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
@@ -13894,7 +13894,7 @@ CVE-2017-17081 (The gmc_mmx function in 
libavcodec/x86/mpegvideodsp.c in FFmpeg 
NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/58cf31cee7a456057f337b3102a03206d833d5e8
 CVE-2017-17080 (elf.c in the Binary File Descriptor (BFD) library (aka 
libbfd), as ...)
[experimental] - binutils 2.29.51.20171128-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
@@ -16352,7 +16352,7 @@ CVE-2017-16852 
(shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic ...)
NOTE: https://shibboleth.net/community/advisories/secadv_20171115.txt
 CVE-2017-16832 (The pe_bfd_read_buildid function in peicode.h in the Binary 
File ...)
[experimental] - binutils 2.29.51.20171128-1
-   - binutils 
+   - binutils 2.29.90.20180122-1 (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
@@ -16360,7 +16360,7 @@ CVE-2017-16832 (The pe_bfd_read_buildid function in 
peicode.h in the Binary File
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b
 CVE-2017-16831 (coffgen.c in the Binary File Desc

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] pdns-recursor fixed

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e5bdda8e by Moritz Muehlenhoff at 2018-01-23T14:31:04+01:00
pdns-recursor fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -819,7 +819,7 @@ CVE-2018-5706 (An issue was discovered in Octopus Deploy 
before 4.1.9. Any user 
 CVE-2018-5705
RESERVED
 CVE-2018-103 (Improper input validation bugs in DNSSEC validators 
components in ...)
-   - pdns-recursor 
+   - pdns-recursor 4.1.1-1
[stretch] - pdns-recursor  (Only affects 4.1)
[jessie] - pdns-recursor  (Only affects 4.1)
[wheezy] - pdns-recursor  (Only affects 4.1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e5bdda8ec66f2f81c09bae323c8a10a145ad7068


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] gcab fixed

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0030fb18 by Moritz Muehlenhoff at 2018-01-23T19:50:17+01:00
gcab fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1643,8 +1643,8 @@ CVE-2018-101 [Libc Realpath Buffer Underflow]
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22679
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
 CVE-2018-5345 (A stack-based buffer overflow within GNOME gcab through 0.7.4 
can be ...)
-   - gcab  (bug #887776)
-   TODO: Asked Red Hat if providing more information possible, 
https://bugzilla.redhat.com/show_bug.cgi?id=1527296#c6
+   - gcab 0.7-7> (bug #887776)
+   NOTE: Asked Red Hat if providing more information possible, 
https://bugzilla.redhat.com/show_bug.cgi?id=1527296#c6
 CVE-2018-5344 (In the Linux kernel through 4.14.13, drivers/block/loop.c 
mishandles ...)
- linux 
[jessie] - linux  (Vulnerability introduced later)
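
Review bot: The added line `- gcab 0.7-7> (bug #887776)` has a stray `>` after the version, so the fixed version will not read as 0.7-7; it should be `- gcab 0.7-7 (bug #887776)`. Separately, changing `TODO:` to `NOTE:` on the next line records an open question ('Asked Red Hat if ...') as if it were a settled reference; either keep it as TODO until answered or reword it.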



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0030fb18149ba0a743f17c25e643848d9eebdc85


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Cleanup gcab entry

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c3934aa by Salvatore Bonaccorso at 2018-01-23T20:23:39+01:00
Cleanup gcab entry

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1643,8 +1643,7 @@ CVE-2018-101 [Libc Realpath Buffer Underflow]
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22679
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
 CVE-2018-5345 (A stack-based buffer overflow within GNOME gcab through 0.7.4 
can be ...)
-   - gcab 0.7-7> (bug #887776)
-   NOTE: Asked Red Hat if providing more information possible, 
https://bugzilla.redhat.com/show_bug.cgi?id=1527296#c6
+   - gcab 0.7-7 (bug #887776)
 CVE-2018-5344 (In the Linux kernel through 4.14.13, drivers/block/loop.c 
mishandles ...)
- linux 
[jessie] - linux  (Vulnerability introduced later)
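
Review bot: Alongside the `>` fix, the removed NOTE line takes the only reference visible on this entry (the Red Hat bugzilla comment) with it, leaving `- gcab 0.7-7 (bug #887776)` with no pointer to what the fix was. Keep the bugzilla link as a plain NOTE without the 'Asked Red Hat' wording, or replace it with a reference to the fix.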



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c3934aa31f29e952eedf282137ca1b88ca7d26d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2017-18045 as NFU

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44565fa8 by Salvatore Bonaccorso at 2018-01-23T20:24:48+01:00
Mark CVE-2017-18045 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -225,7 +225,7 @@ CVE-2018-5952
 CVE-2018-5951
RESERVED
 CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the 
email_ftp_password_change ...)
-   TODO: check
+   NOT-FOR-US: JBMC DirectAdmin
 CVE-2018-5950
RESERVED
 CVE-2018-5949



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/44565fa8766880b9256bc1b42f2c735f55f18f7b


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add note for wordpress status on CVE-2018-5776

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c288c98a by Salvatore Bonaccorso at 2018-01-23T20:48:58+01:00
Add note for wordpress status on CVE-2018-5776

Tracking would have been actually enough to track 4.1+dfsg-1 as fixing
version since that version removed the two problematic files, and those
were never again introduced (they are *not* present in 4.9.1+dfsg-1 for
example, but upstream 4.9.2 then removed the whole problematic
mediaelement part).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -624,6 +624,10 @@ CVE-2018-5776 (WordPress before 4.9.2 has XSS in the Flash 
fallback files in ...
- wordpress 4.9.2+dfsg-1 (bug #887596)
[stretch] - wordpress  (Vulnerable files have been 
removed before)
[jessie] - wordpress  (Vulnerable files have been removed 
before)
+   NOTE: For jessie and stretch version the files 
silverlightmediaelement.xap and
+   NOTE: flashmediaelement.swf have been removed with the 4.1+dfsg-1 
version.
+   NOTE: sid in version 4.9.1+dfsg-1 did as well *not* have the files but 
track here the
+   NOTE: final wordpress version 4.9.2 which finally removed the 
mediaelement files.
NOTE: 
https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
NOTE: 
https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
 CVE-2018-5772 (In Exiv2 0.26, there is a segmentation fault caused by 
uncontrolled ...)
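
Review bot: The added NOTE lines say sid 4.9.1+dfsg-1 already lacked silverlightmediaelement.xap and flashmediaelement.swf, yet the unchanged `- wordpress 4.9.2+dfsg-1` line above them still records 4.9.2+dfsg-1 as the fixed version, so a version comparison will report 4.9.1+dfsg-1 as vulnerable. If that is intended, say so in one plain sentence; the third and fourth NOTE lines ('track here the final wordpress version 4.9.2 which finally removed') are hard to parse as written.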



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c288c98a6bf62ba3cf772f85fbe436c095ab5842


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Adjust source package name for knot-resolver and add reference

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1704cfe8 by Salvatore Bonaccorso at 2018-01-23T20:55:58+01:00
Adjust source package name for knot-resolver and add reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -829,7 +829,8 @@ CVE-2018-103 (Improper input validation bugs in DNSSEC 
validators components
[wheezy] - pdns-recursor  (Only affects 4.1)
NOTE: 
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2018-01.html
 CVE-2018-102 (Improper input validation bugs in DNSSEC validators 
components in Knot ...)
-   - knot-recursor 1.5.2-1
+   - knot-resolver 1.5.2-1
+   NOTE: https://www.knot-resolver.cz/2018-01-22-knot-resolver-1.5.2.html
 CVE-2018-5704 (Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts 
to use ...)
{DSA-4093-1 DLA-1253-1}
- openocd 0.10.0-4 (bug #887488)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1704cfe85edc279148f533203ccd97b6ca7e7352


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] libvirt 4.0.0 uploaded to unstable fixing CVE-2018-5748, #887700

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c7b3dfe4 by Salvatore Bonaccorso at 2018-01-23T21:01:36+01:00
libvirt 4.0.0 uploaded to unstable fixing CVE-2018-5748, #887700

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -706,8 +706,7 @@ CVE-2018-5749
RESERVED
 CVE-2018-5748 [resource exhaustion via qemuMonitorIORead() method]
RESERVED
-   [experimental] - libvirt 4.0.0~rc2-1
-   - libvirt  (bug #887700)
+   - libvirt 4.0.0-1 (bug #887700)
[stretch] - libvirt  (Minor issue)
[jessie] - libvirt  (Minor issue)
[wheezy] - libvirt  (Can be fixed in a later update)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7b3dfe47605ddda00d4c13f23bc5cbd30c70502


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6003/libtasn1

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c98a821f by Salvatore Bonaccorso at 2018-01-23T21:17:10+01:00
Add CVE-2018-6003/libtasn1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -109,7 +109,11 @@ CVE-2017-1000417 (MatrixSSL version 3.7.2 adopts a 
collision-prone OID compariso
 CVE-2017-1000416 (axTLS version 1.5.3 has a coding error in the ASN.1 parser 
resulting ...)
TODO: check
 CVE-2018-6003 (An issue was discovered in the _asn1_decode_simple_ber function 
in ...)
-   TODO: check
+   - libtasn1-6 4.13-2
+   [jessie] - libtasn1-6  (Vulnerable code introduced in 4.3)
+   - libtasn1-3  (Vulnerable code introduced in 4.3)
+   NOTE: Affected function introduced in: 
http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/lib/decoding.c?id=b12bfa8932f44d1d1c25b4a2e385387a62dfbcc9
 (libtasn1_4_3)
+   NOTE: Fixed by: 
http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97
 (libtasn1_4_13)
 CVE-2018-6002 (The Soundy Background Music plugin 3.9 and below for WordPress 
has ...)
TODO: check
 CVE-2018-6001 (The Soundy Audio Playlist plugin 4.6 and below for WordPress 
has ...)
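
Review bot: The added lines give a fixed version for unstable (`- libtasn1-6 4.13-2`) and a disposition for jessie, but nothing for stretch. Since the NOTE says the affected function arrived with libtasn1_4_3, a stretch line, or a short NOTE on why none is needed, would make that suite's status explicit. The two NOTE links also use http://; prefer https:// if the host serves it.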



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c98a821f6f659d3d6b14eab875c7a82f7c9a5fcb


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2017-13716 as unfixed again

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
055651d5 by Salvatore Bonaccorso at 2018-01-23T21:27:08+01:00
Mark CVE-2017-13716 as unfixed again

The changelog for binutils 2.29.90.20180122-1 mentions the CVE as
fixed. But the issue is yet unresolved afaics, the upstream bug
https://sourceware.org/bugzilla/show_bug.cgi?id=22009 has the respective
discussion.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -25575,7 +25575,7 @@ CVE-2017-13718
 CVE-2017-13717
RESERVED
 CVE-2017-13716 (The C++ symbol demangler routine in cplus-dem.c in libiberty, 
as ...)
-   - binutils 2.29.90.20180122-1 (low)
+   - binutils  (low)
[stretch] - binutils  (Minor issue)
[jessie] - binutils  (Minor issue)
[wheezy] - binutils  (Minor issue)
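
Review bot: The reason for reverting the `- binutils` line to unfixed lives only in the commit message; the entry itself gets no NOTE, so the next changelog-driven pass can mark it fixed in 2.29.90.20180122-1 again. Add a NOTE under the changed line pointing to https://sourceware.org/bugzilla/show_bug.cgi?id=22009 and stating that the changelog claim does not match the upstream status.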



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/055651d518b923c47aa4b728ed66b272442f812a


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c857635 by Salvatore Bonaccorso at 2018-01-23T21:49:18+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,5 @@
 CVE-2018-6029 (The copy function in application/admin/controller/Article.php 
in ...)
-   TODO: check
+   NOT-FOR-US: NoneCms
 CVE-2018-6028
RESERVED
 CVE-2018-6027
@@ -13,7 +13,7 @@ CVE-2018-6024
 CVE-2018-6023
RESERVED
 CVE-2018-6022 (Directory traversal vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: NoneCms
 CVE-2018-6021
RESERVED
 CVE-2018-6020
@@ -31,15 +31,15 @@ CVE-2018-6015
 CVE-2018-6014 (Subsonic v6.1.3 has an insecure allow-access-from 
domain="*" Flash ...)
TODO: check
 CVE-2018-6013 (Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote 
users to ...)
-   TODO: check
+   NOT-FOR-US: BigTree CMS
 CVE-2018-6012
RESERVED
 CVE-2018-6011
RESERVED
 CVE-2018-6010 (In Yii Framework 2.x before 2.0.14, remote attackers could 
obtain ...)
-   TODO: check
+   NOT-FOR-US: Yii Framework
 CVE-2018-6009 (In Yii Framework 2.x before 2.0.14, the switchIdentity function 
in ...)
-   TODO: check
+   NOT-FOR-US: Yii Framework
 CVE-2018-6008
RESERVED
 CVE-2018-6007
@@ -101,9 +101,9 @@ CVE-2017-18051
 CVE-2017-18050
RESERVED
 CVE-2017-18049 (In the CSV export feature of SilverStripe before 3.5.6, 3.6.x 
before ...)
-   TODO: check
+   NOT-FOR-US: SilverStripe
 CVE-2017-18048 (Monstra CMS 3.0.4 allows users to upload arbitrary files, 
which leads ...)
-   TODO: check
+   NOT-FOR-US: Monstra CMS
 CVE-2017-1000417 (MatrixSSL version 3.7.2 adopts a collision-prone OID 
comparison logic ...)
TODO: check
 CVE-2017-1000416 (axTLS version 1.5.3 has a coding error in the ASN.1 parser 
resulting ...)
@@ -115,13 +115,13 @@ CVE-2018-6003 (An issue was discovered in the 
_asn1_decode_simple_ber function i
NOTE: Affected function introduced in: 
http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/lib/decoding.c?id=b12bfa8932f44d1d1c25b4a2e385387a62dfbcc9
 (libtasn1_4_3)
NOTE: Fixed by: 
http://git.savannah.nongnu.org/cgit/libtasn1.git/commit/?id=c593ae84cfcde8fea45787e53950e0ac71e9ca97
 (libtasn1_4_13)
 CVE-2018-6002 (The Soundy Background Music plugin 3.9 and below for WordPress 
has ...)
-   TODO: check
+   NOT-FOR-US: Soundy Background Music plugin for WordPress
 CVE-2018-6001 (The Soundy Audio Playlist plugin 4.6 and below for WordPress 
has ...)
-   TODO: check
+   NOT-FOR-US: Soundy Audio Playlist plugin for WordPress
 CVE-2018-6000 (An issue was discovered in AsusWRT before 3.0.0.4.384_10007. 
The ...)
-   TODO: check
+   NOT-FOR-US: AsusWRT
 CVE-2018-5999 (An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In 
the ...)
-   TODO: check
+   NOT-FOR-US: AsusWRT
 CVE-2018-5998
RESERVED
 CVE-2018-5997
@@ -197,27 +197,27 @@ CVE-2018-5964
 CVE-2018-5963
RESERVED
 CVE-2018-5962 (index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel 
through ...)
-   TODO: check
+   NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel
 CVE-2018-5961 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 
v0.9.8.12 has ...)
-   TODO: check
+   NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel
 CVE-2018-5960 (Zenario v7.1 - v7.6 has SQL injection via the `Name` input 
field of ...)
TODO: check
 CVE-2018-5959
RESERVED
 CVE-2018-5958 (In Zillya! Antivirus 3.0.2230.0, the driver file (zef.sys) 
allows local ...)
-   TODO: check
+   NOT-FOR-US: Zillya! Antivirus
 CVE-2018-5957 (In Zillya! Antivirus 3.0.2230.0, the driver file (zef.sys) 
allows local ...)
-   TODO: check
+   NOT-FOR-US: Zillya! Antivirus
 CVE-2018-5956 (In Zillya! Antivirus 3.0.2230.0, the driver file (zef.sys) 
allows local ...)
-   TODO: check
+   NOT-FOR-US: Zillya! Antivirus
 CVE-2018-5955 (An issue was discovered in GitStack through 2.3.10. User 
controlled ...)
TODO: check
 CVE-2017-18047 (Buffer Overflow in the FTP client in LabF nfsAxe 3.7 allows 
remote FTP ...)
TODO: check
 CVE-2017-18046 (Buffer overflow on Dasan GPON ONT WiFi Router H640X 
12.02-01121 ...)
-   TODO: check
+   NOT-FOR-US: Dasan GPON ONT WiFi Router devices
 CVE-2016-10709 (pfSense before 2.3 allows remote authenticated users to 
execute ...)
-   TODO: check
+   NOT-FOR-US: pfSense
 CVE-2016-10708 (sshd in OpenSSH before 7.4 allows remote attackers to cause a 
denial of ...)
TODO: check
 CVE-2018-5954



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c8576358eb3164e0ec4bfaab12f27a0494c48fb


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-1000417/matrixssl

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bd83aaa3 by Salvatore Bonaccorso at 2018-01-23T21:49:56+01:00
Add CVE-2017-1000417/matrixssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -105,7 +105,7 @@ CVE-2017-18049 (In the CSV export feature of SilverStripe 
before 3.5.6, 3.6.x be
 CVE-2017-18048 (Monstra CMS 3.0.4 allows users to upload arbitrary files, 
which leads ...)
NOT-FOR-US: Monstra CMS
 CVE-2017-1000417 (MatrixSSL version 3.7.2 adopts a collision-prone OID 
comparison logic ...)
-   TODO: check
+   - matrixssl 
 CVE-2017-1000416 (axTLS version 1.5.3 has a coding error in the ASN.1 parser 
resulting ...)
TODO: check
 CVE-2018-6003 (An issue was discovered in the _asn1_decode_simple_ber function 
in ...)
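Review bot: as shown, the added "- matrixssl" line has nothing after the package name: no fixed version, no bug number, and the entry gets no NOTE. The description only says "version 3.7.2", so this entry does not tell a reader which Debian versions are considered affected or where the upstream report lives. Suggest filing a bug and recording it in the usual "(bug #NNNNNN)" form, plus a NOTE with the upstream reference.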



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bd83aaa3ed59bd21385a6042c04d56857fbbb7fe

You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2016-10708/openssh

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f1b865b by Salvatore Bonaccorso at 2018-01-23T21:53:22+01:00
Add CVE-2016-10708/openssh

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -219,7 +219,9 @@ CVE-2017-18046 (Buffer overflow on Dasan GPON ONT WiFi 
Router H640X 12.02-01121 
 CVE-2016-10709 (pfSense before 2.3 allows remote authenticated users to 
execute ...)
NOT-FOR-US: pfSense
 CVE-2016-10708 (sshd in OpenSSH before 7.4 allows remote attackers to cause a 
denial of ...)
-   TODO: check
+   - openssh 1:7.4p1-1
+   NOTE: 
https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737
+   NOTE: http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html
 CVE-2018-5954
RESERVED
 CVE-2018-5953



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f1b865ba6eef19822f07ab30fef52866767bb05


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-5345/gcab

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
979115d1 by Salvatore Bonaccorso at 2018-01-23T21:55:11+01:00
Reference fix for CVE-2018-5345/gcab

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1654,6 +1654,7 @@ CVE-2018-101 [Libc Realpath Buffer Underflow]
NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94
 CVE-2018-5345 (A stack-based buffer overflow within GNOME gcab through 0.7.4 
can be ...)
- gcab 0.7-7 (bug #887776)
+   NOTE: 
https://git.gnome.org/browse/gcab/commit/?id=bd2abee5f0a9b5cbe3a1ab1f338c4fb8f6ca797b
 CVE-2018-5344 (In the Linux kernel through 4.14.13, drivers/block/loop.c 
mishandles ...)
- linux 
[jessie] - linux  (Vulnerability introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/979115d15c7e8eeb759ce241af73c329973d6b83


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2017-9274/osc

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d03457bc by Salvatore Bonaccorso at 2018-01-23T22:08:56+01:00
Add fixed version for CVE-2017-9274/osc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -38732,7 +38732,7 @@ CVE-2017-9275
RESERVED
 CVE-2017-9274 [osc executes spec code during "osc commit"]
RESERVED
-   - osc  (bug #887391)
+   - osc 0.162.1-1 (bug #887391)
[stretch] - osc  (Minor issue)
[jessie] - osc  (Minor issue)
[wheezy] - osc  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d03457bc208d97cbb522b094748e6dc37e59940d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a0925bf6 by security tracker role at 2018-01-23T21:10:26+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,323 @@
+CVE-2018-6179
+   RESERVED
+CVE-2018-6178
+   RESERVED
+CVE-2018-6177
+   RESERVED
+CVE-2018-6176
+   RESERVED
+CVE-2018-6175
+   RESERVED
+CVE-2018-6174
+   RESERVED
+CVE-2018-6173
+   RESERVED
+CVE-2018-6172
+   RESERVED
+CVE-2018-6171
+   RESERVED
+CVE-2018-6170
+   RESERVED
+CVE-2018-6169
+   RESERVED
+CVE-2018-6168
+   RESERVED
+CVE-2018-6167
+   RESERVED
+CVE-2018-6166
+   RESERVED
+CVE-2018-6165
+   RESERVED
+CVE-2018-6164
+   RESERVED
+CVE-2018-6163
+   RESERVED
+CVE-2018-6162
+   RESERVED
+CVE-2018-6161
+   RESERVED
+CVE-2018-6160
+   RESERVED
+CVE-2018-6159
+   RESERVED
+CVE-2018-6158
+   RESERVED
+CVE-2018-6157
+   RESERVED
+CVE-2018-6156
+   RESERVED
+CVE-2018-6155
+   RESERVED
+CVE-2018-6154
+   RESERVED
+CVE-2018-6153
+   RESERVED
+CVE-2018-6152
+   RESERVED
+CVE-2018-6151
+   RESERVED
+CVE-2018-6150
+   RESERVED
+CVE-2018-6149
+   RESERVED
+CVE-2018-6148
+   RESERVED
+CVE-2018-6147
+   RESERVED
+CVE-2018-6146
+   RESERVED
+CVE-2018-6145
+   RESERVED
+CVE-2018-6144
+   RESERVED
+CVE-2018-6143
+   RESERVED
+CVE-2018-6142
+   RESERVED
+CVE-2018-6141
+   RESERVED
+CVE-2018-6140
+   RESERVED
+CVE-2018-6139
+   RESERVED
+CVE-2018-6138
+   RESERVED
+CVE-2018-6137
+   RESERVED
+CVE-2018-6136
+   RESERVED
+CVE-2018-6135
+   RESERVED
+CVE-2018-6134
+   RESERVED
+CVE-2018-6133
+   RESERVED
+CVE-2018-6132
+   RESERVED
+CVE-2018-6131
+   RESERVED
+CVE-2018-6130
+   RESERVED
+CVE-2018-6129
+   RESERVED
+CVE-2018-6128
+   RESERVED
+CVE-2018-6127
+   RESERVED
+CVE-2018-6126
+   RESERVED
+CVE-2018-6125
+   RESERVED
+CVE-2018-6124
+   RESERVED
+CVE-2018-6123
+   RESERVED
+CVE-2018-6122
+   RESERVED
+CVE-2018-6121
+   RESERVED
+CVE-2018-6120
+   RESERVED
+CVE-2018-6119
+   RESERVED
+CVE-2018-6118
+   RESERVED
+CVE-2018-6117
+   RESERVED
+CVE-2018-6116
+   RESERVED
+CVE-2018-6115
+   RESERVED
+CVE-2018-6114
+   RESERVED
+CVE-2018-6113
+   RESERVED
+CVE-2018-6112
+   RESERVED
+CVE-2018-6111
+   RESERVED
+CVE-2018-6110
+   RESERVED
+CVE-2018-6109
+   RESERVED
+CVE-2018-6108
+   RESERVED
+CVE-2018-6107
+   RESERVED
+CVE-2018-6106
+   RESERVED
+CVE-2018-6105
+   RESERVED
+CVE-2018-6104
+   RESERVED
+CVE-2018-6103
+   RESERVED
+CVE-2018-6102
+   RESERVED
+CVE-2018-6101
+   RESERVED
+CVE-2018-6100
+   RESERVED
+CVE-2018-6099
+   RESERVED
+CVE-2018-6098
+   RESERVED
+CVE-2018-6097
+   RESERVED
+CVE-2018-6096
+   RESERVED
+CVE-2018-6095
+   RESERVED
+CVE-2018-6094
+   RESERVED
+CVE-2018-6093
+   RESERVED
+CVE-2018-6092
+   RESERVED
+CVE-2018-6091
+   RESERVED
+CVE-2018-6090
+   RESERVED
+CVE-2018-6089
+   RESERVED
+CVE-2018-6088
+   RESERVED
+CVE-2018-6087
+   RESERVED
+CVE-2018-6086
+   RESERVED
+CVE-2018-6085
+   RESERVED
+CVE-2018-6084
+   RESERVED
+CVE-2018-6083
+   RESERVED
+CVE-2018-6082
+   RESERVED
+CVE-2018-6081
+   RESERVED
+CVE-2018-6080
+   RESERVED
+CVE-2018-6079
+   RESERVED
+CVE-2018-6078
+   RESERVED
+CVE-2018-6077
+   RESERVED
+CVE-2018-6076
+   RESERVED
+CVE-2018-6075
+   RESERVED
+CVE-2018-6074
+   RESERVED
+CVE-2018-6073
+   RESERVED
+CVE-2018-6072
+   RESERVED
+CVE-2018-6071
+   RESERVED
+CVE-2018-6070
+   RESERVED
+CVE-2018-6069
+   RESERVED
+CVE-2018-6068
+   RESERVED
+CVE-2018-6067
+   RESERVED
+CVE-2018-6066
+   RESERVED
+CVE-2018-6065
+   RESERVED
+CVE-2018-6064
+   RESERVED
+CVE-2018-6063
+   RESERVED
+CVE-2018-6062
+   RESERVED
+CVE-2018-6061
+   RESERVED
+CVE-2018-6060
+   RESERVED
+CVE-2018-6059
+   RESERVED
+CVE-2018-6058
+   RESERVED
+CVE-2018-6057
+   RESERVED
+CVE-2018-6056
+   RESERVED
+CVE-2018-6055
+   RESERVED
+CVE-2018-6054
+   RESERVED
+CVE-2018-6053
+   RESERVED
+CVE-2018-6052
+   RESERVED
+CVE-2018-6051
+   RESERVED
+CVE-2018-6050
+   RESERVED
+CVE-2018-6049
+   RESERVED
+CVE-2018-6048
+   RESERVED
+CVE-2018-6047
+   RESERVED
+CVE-2018-6046
+   RESERVED
+CVE-2018-6045
+   RESERVED
+CVE-2018-6044
+   RESERVED
+CVE-2018-6043
+   RESERVED
+CVE-2018-6042
+   RESERVED
+CVE-2018-6041
+   RESERVED
+CVE-2018-6040
+   RESERVED
+CVE-2018-6039
+   RESERVED
+CVE-2018-6038
+   RESERVED
+CVE-2018-6037
+   RESERVED
+CVE-2018-6036
+   RESERVED
+C

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-15107/dnsmasq

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
622fbcad by Salvatore Bonaccorso at 2018-01-23T22:19:46+01:00
Add CVE-2017-15107/dnsmasq

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -21618,7 +21618,9 @@ CVE-2017-15108 (spice-vdagent up to and including 
0.17.0 does not properly escap
NOTE: Fixed by: 
https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864
 CVE-2017-15107 (A vulnerability was found in the implementation of DNSSEC in 
Dnsmasq ...)
-   TODO: check
+   - dnsmasq 
+   NOTE: 
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html
+   NOTE: 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6
 CVE-2017-15106
RESERVED
 CVE-2017-15105 (A flaw was found in the way unbound before 1.6.8 validated ...)
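Review bot: the two NOTE lines added for CVE-2017-15107 are unlabelled, so the mailing-list post and the gitweb commitdiff read alike, while the entry just above in this hunk marks its fix commit with "NOTE: Fixed by:". Suggest the same prefix on the commitdiff line so the fix can be picked out when a fixed version is filled in for dnsmasq later.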



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/622fbcad5ad86f54cd7191ad7a13c91f4ab93198


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5950/mailman (specific possibly to 2.1.x series)

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99b84a09 by Salvatore Bonaccorso at 2018-01-23T22:23:07+01:00
Add CVE-2018-5950/mailman (specific possibly to 2.1.x series)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -553,7 +553,8 @@ CVE-2018-5951
 CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the 
email_ftp_password_change ...)
NOT-FOR-US: JBMC DirectAdmin
 CVE-2018-5950 (Cross-site scripting (XSS) vulnerability in the web UI in 
Mailman ...)
-   TODO: check
+   - mailman 
+   NOTE: 
https://www.mail-archive.com/mailman-users@python.org/msg70375.html
 CVE-2018-5949
RESERVED
 CVE-2018-5948
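Review bot: the commit subject says the issue is "specific possibly to 2.1.x series", but nothing in the added lines under CVE-2018-5950 records that. The "- mailman" line and the single NOTE link leave the affected series to be rediscovered by whoever triages this next. Suggest a second NOTE stating which series is believed affected and that this is unconfirmed.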



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/99b84a091ce00c85dab2588412069a4bfd4e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-15107

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86f8ddd0 by Salvatore Bonaccorso at 2018-01-23T22:23:44+01:00
Add bug reference for CVE-2017-15107

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -21619,7 +21619,7 @@ CVE-2017-15108 (spice-vdagent up to and including 
0.17.0 does not properly escap
NOTE: Fixed by: 
https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864
 CVE-2017-15107 (A vulnerability was found in the implementation of DNSSEC in 
Dnsmasq ...)
-   - dnsmasq 
+   - dnsmasq  (bug #888200)
NOTE: 
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html
NOTE: 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6
 CVE-2017-15106



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/86f8ddd0c65e6cdcce63c94b94c94703f12886ff


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-5950/mailman

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae643866 by Salvatore Bonaccorso at 2018-01-23T22:28:19+01:00
Add bug reference for CVE-2018-5950/mailman

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -553,7 +553,7 @@ CVE-2018-5951
 CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the 
email_ftp_password_change ...)
NOT-FOR-US: JBMC DirectAdmin
 CVE-2018-5950 (Cross-site scripting (XSS) vulnerability in the web UI in 
Mailman ...)
-   - mailman 
+   - mailman  (bug #888201)
NOTE: 
https://www.mail-archive.com/mailman-users@python.org/msg70375.html
 CVE-2018-5949
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae643866be9e5081a3130ced93f460e3a3c132fc


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-0486 fixed in xmltooling 1.6.3-1

2018-01-23 Thread Luciano Bello
Luciano Bello pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d3406990 by Luciano Bello at 2018-01-23T21:20:14-05:00
CVE-2018-0486 fixed in xmltooling 1.6.3-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -14874,7 +14874,7 @@ CVE-2018-0487
RESERVED
 CVE-2018-0486 (Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth 
Service ...)
{DSA-4085-1 DLA-1242-1}
-   - xmltooling 
+   - xmltooling 1.6.3-1
[stretch] - xmltooling  (Xerces is configured to disallow 
DTD use)
NOTE: https://shibboleth.net/community/advisories/secadv_20180112.txt
NOTE: Fixed upstream in 1.6.3 to workaround bug independent of if 
parser already



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d34069901d262353bb400093ba73478fad8ffeeb


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process two NFUs in Apache NiFi

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
22c3c833 by Salvatore Bonaccorso at 2018-01-24T06:19:42+01:00
Process two NFUs in Apache NiFi

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -19884,6 +19884,7 @@ CVE-2017-15698
RESERVED
 CVE-2017-15697
RESERVED
+   NOT-FOR-US: Apache NiFi
 CVE-2017-15696
RESERVED
 CVE-2017-15695
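Review bot: CVE-2017-15697 is still RESERVED and has no description, so the added "NOT-FOR-US: Apache NiFi" is the only statement of what the ID covers and there is nothing in the entry to check it against. The same applies to CVE-2017-12632 in the next hunk. Suggest a bracketed short description on the CVE line, as other RESERVED entries in this file carry, or a NOTE with the vendor advisory URL.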
@@ -29257,6 +29258,7 @@ CVE-2017-12633 (The camel-hessian component in Apache 
Camel 2.x before 2.19.4 an
NOT-FOR-US: Apache Camel
 CVE-2017-12632
RESERVED
+   NOT-FOR-US: Apache NiFi
 CVE-2017-12631 (Apache CXF Fediz ships with a number of container-specific 
plugins to ...)
NOT-FOR-US: Apache CXF
 CVE-2017-12630 (In Apache Drill 1.11.0 and earlier when submitting form from 
Query ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/22c3c833f04c769bae65d2f4a52a9397112346fe


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add firefox issues from mfsa2018-02

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee4735ba by Salvatore Bonaccorso at 2018-01-24T06:44:39+01:00
Add firefox issues from mfsa2018-02

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2504,72 +2504,137 @@ CVE-2018-5123
RESERVED
 CVE-2018-5122
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5122
 CVE-2018-5121
RESERVED
+   - firefox  (Only affects Firefox on Mac OS X)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5121
 CVE-2018-5120
RESERVED
 CVE-2018-5119
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5119
 CVE-2018-5118
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5118
 CVE-2018-5117
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5117
 CVE-2018-5116
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5116
 CVE-2018-5115
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5115
 CVE-2018-5114
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5114
 CVE-2018-5113
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5113
 CVE-2018-5112
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5112
 CVE-2018-5111
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5111
 CVE-2018-5110
RESERVED
+   - firefox  (Only affects Firefox on Mac OS X)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5110
 CVE-2018-5109
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5109
 CVE-2018-5108
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5108
 CVE-2018-5107
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5107
 CVE-2018-5106
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5106
 CVE-2018-5105
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5105
 CVE-2018-5104
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5104
 CVE-2018-5103
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5103
 CVE-2018-5102
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5102
 CVE-2018-5101
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5101
 CVE-2018-5100
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5100
 CVE-2018-5099
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5099
 CVE-2018-5098
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5098
 CVE-2018-5097
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5097
 CVE-2018-5096
RESERVED
 CVE-2018-5095
RESERVED
+   - firefox 
+   - skia  (bug #818180)
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5095
 CVE-2018-5094
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5094
 CVE-2018-5093
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5093
 CVE-2018-5092
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5092
 CVE-2018-5091
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5091
 CVE-2018-5090
RESERVED
+   - firefox 
+   NOTE: 
https://www.mozilla.org/en-US/secu
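Review bot: in the visible run from CVE-2018-5122 down to CVE-2018-5090, CVE-2018-5120 and CVE-2018-5096 are the only IDs left as bare RESERVED with no "- firefox" line or advisory NOTE. If they are simply not part of mfsa2018-02, that is fine, but the gap is indistinguishable from an omission. Suggest confirming against the advisory and, where an ID is known to belong elsewhere, saying so in a NOTE.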

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add firefox-esr issues from mfsa2018-03

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
efb4b841 by Salvatore Bonaccorso at 2018-01-24T06:48:55+01:00
Add firefox-esr issues from mfsa2018-03

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2523,7 +2523,9 @@ CVE-2018-5118
 CVE-2018-5117
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5117
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5117
 CVE-2018-5116
RESERVED
- firefox 
@@ -2575,15 +2577,21 @@ CVE-2018-5105
 CVE-2018-5104
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5104
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5104
 CVE-2018-5103
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5103
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5103
 CVE-2018-5102
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5102
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5102
 CVE-2018-5101
RESERVED
- firefox 
@@ -2595,22 +2603,32 @@ CVE-2018-5100
 CVE-2018-5099
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5099
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5099
 CVE-2018-5098
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5098
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5098
 CVE-2018-5097
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5097
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5097
 CVE-2018-5096
RESERVED
+   - firefox-esr 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5096
 CVE-2018-5095
RESERVED
- firefox 
+   - firefox-esr 
- skia  (bug #818180)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5095
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5095
 CVE-2018-5094
RESERVED
- firefox 
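Review bot: CVE-2018-5096 is the one entry in this commit that gets "- firefox-esr" and an mfsa2018-03 NOTE without an existing "- firefox" line beside it. If the issue only applies to the ESR branch, the entry should say so in a NOTE, otherwise the missing firefox line reads as something the previous commit forgot.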
@@ -2626,7 +2644,9 @@ CVE-2018-5092
 CVE-2018-5091
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5091
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5091
 CVE-2018-5090
RESERVED
- firefox 
@@ -2634,7 +2654,9 @@ CVE-2018-5090
 CVE-2018-5089
RESERVED
- firefox 
+   - firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5089
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5089
 CVE-2018-5088 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) 
allows local ...)
NOT-FOR-US: K7 AntiVirus
 CVE-2018-5087 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) 
allows local ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/efb4b84127ab06c273e7693aa8777669de6b20ad


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add firefox-esr to dsa-needed list

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d78c41a0 by Salvatore Bonaccorso at 2018-01-24T06:54:15+01:00
Add firefox-esr to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -16,6 +16,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 chromium-browser/stable
 --
+firefox-esr
+--
 gcab (carnil)
 --
 graphicsmagick



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d78c41a05316ea74ea51a8da09f9e3b4d33e147b


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-1513{4, 5}/389-ds-base

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f21175a2 by Salvatore Bonaccorso at 2018-01-24T06:58:55+01:00
Add CVE-2017-1513{4,5}/389-ds-base

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -21579,10 +21579,12 @@ CVE-2017-15137
RESERVED
 CVE-2017-15136
RESERVED
-CVE-2017-15135
+CVE-2017-15135 [Authentication bypass due to lack of size check in 
slapi_ct_memcmp function in ch_malloc.c]
RESERVED
-CVE-2017-15134
+   - 389-ds-base 
+CVE-2017-15134 [Remote DoS via search filters in slapi_filter_sprintf in 
slapd/util.c]
RESERVED
+   - 389-ds-base 
 CVE-2017-15133
RESERVED
 CVE-2017-15132
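Review bot: both new bracketed descriptions name specific functions and files (slapi_ct_memcmp in ch_malloc.c, slapi_filter_sprintf in slapd/util.c), but neither entry gets a NOTE saying where that detail comes from. With both IDs still RESERVED there is no public description to compare against, so a NOTE with the upstream bug or commit would let the next person verify the two "- 389-ds-base" lines.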



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f21175a236cd7a27f4f20cb10c83e607a1a4767c


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] take firefox

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2092186c by Moritz Muehlenhoff at 2018-01-24T07:40:14+01:00
take firefox
add and take unbound

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -16,7 +16,7 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 chromium-browser/stable
 --
-firefox-esr
+firefox-esr (jmm)
 --
 gcab (carnil)
 --
@@ -71,6 +71,8 @@ tomcat7/oldstable
 --
 tomcat8
 --
+unbound (jmm)
+--
 xen
 --
 zendframework/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2092186c6e9143588f6c48264a8e9dadf7a96f90


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afb3f34a by Moritz Muehlenhoff at 2018-01-24T07:41:26+01:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,5 @@
+CVE-2018-118
+   NOT-FOR-US: ovirt-engine
 CVE-2018-6179
RESERVED
 CVE-2018-6178
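Review bot: the ID on the first added line reads "CVE-2018-118", which has three digits after the year, while a CVE sequence number has at least four, so the entry cannot be matched against the CVE list as written. It is also placed above CVE-2018-6179 with no description, leaving "NOT-FOR-US: ovirt-engine" as the only context. Please check the ID against the source it was taken from and add a bracketed description.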



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/afb3f34adf0372ccf5578a8b81f16a2326bab7e7


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
398d5bc9 by Moritz Muehlenhoff at 2018-01-24T07:43:36+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -301,25 +301,25 @@ CVE-2018-6031
 CVE-2018-6030
RESERVED
 CVE-2018-116 (Jenkins Ant Plugin 1.7 and earlier failed to escape tool 
names it ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-115 (On Jenkins instances with Authorize Project plugin, the 
authentication ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-114 (Jenkins Translation Assistance Plugin 1.15 and earlier did 
not require ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-113 (Jenkins Release Plugin 2.9 and earlier did not require form 
...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-112 (Jenkins Warnings Plugin 4.64 and earlier processes XML 
external ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-111 (Jenkins FindBugs Plugin 4.71 and earlier processes XML 
external ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-110 (Jenkins DRY Plugin 2.49 and earlier processes XML external 
entities in ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-109 (Jenkins Checkstyle Plugin 3.49 and earlier processes XML 
external ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-108 (Jenkins PMD Plugin 3.49 and earlier processes XML external 
entities in ...)
-   TODO: check
+   NOT-FOR-US: Jenkins plugin
 CVE-2015-1142857 (On multiple SR-IOV cars it is possible for VF's assigned to 
guests to ...)
-   TODO: check
+   NOT-FOR-US: SR-IOV cars
 CVE-2018-6029 (The copy function in application/admin/controller/Article.php 
in ...)
NOT-FOR-US: NoneCms
 CVE-2018-6028
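
Review bot: "NOT-FOR-US: SR-IOV cars" for CVE-2015-1142857 copies the "cars" typo from the description and names a hardware class rather than a product, while the description (VFs assigned to guests) reads like behaviour that may live in kernel network drivers. Before closing it as NOT-FOR-US, check whether the linux source package is affected; if it is not, write "SR-IOV cards". The nine Jenkins lines would also be easier to search later if each named its plugin instead of the generic "Jenkins plugin".
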
@@ -351,7 +351,7 @@ CVE-2018-6016
 CVE-2018-6015
RESERVED
 CVE-2018-6014 (Subsonic v6.1.3 has an insecure allow-access-from 
domain="*" Flash ...)
-   TODO: check
+   NOT-FOR-US: Subsonic
 CVE-2018-6013 (Cross-site scripting (XSS) in BigTree 4.2.19 allows any remote 
users to ...)
NOT-FOR-US: BigTree CMS
 CVE-2018-6012
@@ -429,7 +429,7 @@ CVE-2017-18048 (Monstra CMS 3.0.4 allows users to upload 
arbitrary files, which 
 CVE-2017-1000417 (MatrixSSL version 3.7.2 adopts a collision-prone OID 
comparison logic ...)
- matrixssl 
 CVE-2017-1000416 (axTLS version 1.5.3 has a coding error in the ASN.1 parser 
resulting ...)
-   TODO: check
+   NOT-FOR-US: axTLS
 CVE-2018-6003 (An issue was discovered in the _asn1_decode_simple_ber function 
in ...)
- libtasn1-6 4.13-2
[jessie] - libtasn1-6  (Vulnerable code introduced in 4.3)
@@ -523,7 +523,7 @@ CVE-2018-5962 (index.php in CentOS-WebPanel.com (aka CWP) 
CentOS Web Panel throu
 CVE-2018-5961 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through 
v0.9.8.12 has ...)
NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel
 CVE-2018-5960 (Zenario v7.1 - v7.6 has SQL injection via the `Name` input 
field of ...)
-   TODO: check
+   NOT-FOR-US: Zenario
 CVE-2018-5959
RESERVED
 CVE-2018-5958 (In Zillya! Antivirus 3.0.2230.0, the driver file (zef.sys) 
allows local ...)
@@ -535,7 +535,7 @@ CVE-2018-5956 (In Zillya! Antivirus 3.0.2230.0, the driver 
file (zef.sys) allows
 CVE-2018-5955 (An issue was discovered in GitStack through 2.3.10. User 
controlled ...)
TODO: check
 CVE-2017-18047 (Buffer Overflow in the FTP client in LabF nfsAxe 3.7 allows 
remote FTP ...)
-   TODO: check
+   NOT-FOR-US: LabF nfsAxe
 CVE-2017-18046 (Buffer overflow on Dasan GPON ONT WiFi Router H640X 
12.02-01121 ...)
NOT-FOR-US: Dasan GPON ONT WiFi Router devices
 CVE-2016-10709 (pfSense before 2.3 allows remote authenticated users to 
execute ...)
@@ -988,7 +988,7 @@ CVE-2018-5763
 CVE-2018-5762
RESERVED
 CVE-2018-5761 (A man-in-the-middle vulnerability related to vCenter access was 
found ...)
-   TODO: check
+   NOT-FOR-US: Rubrik CDM
 CVE-2018-5760
RESERVED
 CVE-2018-5759



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/398d5bc99cfc7dfca4eec0e4af797ea725e544a4


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] spectre/meltdown also affects the Nvidia GPUs

2018-01-23 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a3f14ce by Moritz Muehlenhoff at 2018-01-24T07:45:57+01:00
spectre/meltdown also affects the Nvidia GPUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -50323,6 +50323,8 @@ CVE-2017-5755
 CVE-2017-5754 (Systems with microprocessors utilizing speculative execution 
and ...)
{DSA-4082-1 DSA-4078-1 DLA-1232-1}
- linux 4.14.12-1
+   - nvidia-graphics-drivers-legacy-340xx 340.106-1
+   [stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
NOTE: https://meltdownattack.com/
NOTE: https://xenbits.xen.org/xsa/advisory-254.html
NOTE: 
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
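
Review bot: The added nvidia-graphics-drivers-legacy-340xx line under CVE-2017-5754 states 340.106-1 as the fixed version, but none of the NOTE lines visible in the entry points at an NVIDIA advisory or changelog that supports it; the references shown cover only the CPU and Xen side. Add a NOTE with the vendor source, and confirm that the same version really applies to all three CVEs, since the identical pair of lines is repeated under CVE-2017-5753 and CVE-2017-5715.
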
@@ -50331,6 +50333,8 @@ CVE-2017-5754 (Systems with microprocessors utilizing 
speculative execution and 
NOTE: https://01.org/security/advisories/intel-oss-10003
 CVE-2017-5753 (Systems with microprocessors utilizing speculative execution 
and ...)
- linux 
+   - nvidia-graphics-drivers-legacy-340xx 340.106-1
+   [stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
NOTE: https://spectreattack.com/
NOTE: https://xenbits.xen.org/xsa/advisory-254.html
NOTE: 
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
@@ -50430,6 +50434,8 @@ CVE-2017-5715 (Systems with microprocessors utilizing 
speculative execution and 
- virtualbox 5.2.6-dfsg-1
[jessie] - virtualbox  (DSA-3699-1)
[wheezy] - virtualbox  (DSA 3454)
+   - nvidia-graphics-drivers-legacy-340xx 340.106-1
+   [stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
 CVE-2017-5714
RESERVED
 CVE-2017-5713



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a3f14cecfdc40b3508b7726dd7995e5e4918c51


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add as well the nvidia-graphics-drivers and nvidia-graphics-drivers-legacy-304xx source packages

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a4b00460 by Salvatore Bonaccorso at 2018-01-24T08:03:13+01:00
Add as well the nvidia-graphics-drivers and 
nvidia-graphics-drivers-legacy-304xx source packages

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -50323,8 +50323,14 @@ CVE-2017-5755
 CVE-2017-5754 (Systems with microprocessors utilizing speculative execution 
and ...)
{DSA-4082-1 DSA-4078-1 DLA-1232-1}
- linux 4.14.12-1
+   - nvidia-graphics-drivers 384.111-1 (bug #886852)
+   [stretch] - nvidia-graphics-drivers  (Non-free not supported)
+   [jessie] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
[stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-304xx 
+   [stretch] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
+   [jessie] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
NOTE: https://meltdownattack.com/
NOTE: https://xenbits.xen.org/xsa/advisory-254.html
NOTE: 
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
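
Review bot: nvidia-graphics-drivers gets a fixed version and "(bug #886852)", but the new nvidia-graphics-drivers-legacy-304xx line has neither a version nor a bug reference, so there is nothing to follow up on for that package. File or look up the corresponding bug and record its number on the 304xx line in all three CVE entries.
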
@@ -50333,8 +50339,14 @@ CVE-2017-5754 (Systems with microprocessors utilizing 
speculative execution and 
NOTE: https://01.org/security/advisories/intel-oss-10003
 CVE-2017-5753 (Systems with microprocessors utilizing speculative execution 
and ...)
- linux 
+   - nvidia-graphics-drivers 384.111-1 (bug #886852)
+   [stretch] - nvidia-graphics-drivers  (Non-free not supported)
+   [jessie] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
[stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-304xx 
+   [stretch] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
+   [jessie] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
NOTE: https://spectreattack.com/
NOTE: https://xenbits.xen.org/xsa/advisory-254.html
NOTE: 
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
@@ -50434,8 +50446,14 @@ CVE-2017-5715 (Systems with microprocessors utilizing 
speculative execution and 
- virtualbox 5.2.6-dfsg-1
[jessie] - virtualbox  (DSA-3699-1)
[wheezy] - virtualbox  (DSA 3454)
+   - nvidia-graphics-drivers 384.111-1 (bug #886852)
+   [stretch] - nvidia-graphics-drivers  (Non-free not supported)
+   [jessie] - nvidia-graphics-drivers  (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
[stretch] - nvidia-graphics-drivers-legacy-340xx  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-304xx 
+   [stretch] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
+   [jessie] - nvidia-graphics-drivers-legacy-304xx  (Non-free not 
supported)
 CVE-2017-5714
RESERVED
 CVE-2017-5713
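
Review bot: After this change the two new packages each carry [stretch] and [jessie] lines, while the nvidia-graphics-drivers-legacy-340xx line between them keeps only [stretch]. Either add a [jessie] line for 340xx or confirm the package is absent from jessie, so the three blocks read consistently.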



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4b0046020132d47ba7376b38fa94a2334e9014f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Record fixes in unstable for #876414

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6209458e by Salvatore Bonaccorso at 2018-01-24T08:05:07+01:00
Record fixes in unstable for #876414

The fixes were first landing in experimental, and then moved to
unstable. Just for informational purposes still keep the [experimental]
tagged entry, although not strictly needed.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -48900,7 +48900,7 @@ CVE-2017-6273 (NVIDIA ADSP Firmware contains a 
vulnerability in the ADSP Loader 
NOT-FOR-US: NVIDIA ADSP Firmware
 CVE-2017-6272 (NVIDIA GPU Display Driver contains a vulnerability in the 
kernel mode ...)
[experimental] - nvidia-graphics-drivers 384.90-1
-   - nvidia-graphics-drivers  (bug #876414)
+   - nvidia-graphics-drivers 384.98-2 (bug #876414)
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)
@@ -48920,7 +48920,7 @@ CVE-2017-6268 (NVIDIA Windows GPU Display Driver 
contains a vulnerability in the
NOT-FOR-US: NVIDIA Windows GPU Display Driver
 CVE-2017-6267 (NVIDIA GPU Display Driver contains a vulnerability in the 
kernel mode ...)
[experimental] - nvidia-graphics-drivers 384.90-1
-   - nvidia-graphics-drivers  (bug #876414)
+   - nvidia-graphics-drivers 384.98-2 (bug #876414)
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)
@@ -48932,7 +48932,7 @@ CVE-2017-6267 (NVIDIA GPU Display Driver contains a 
vulnerability in the kernel 
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544
 CVE-2017-6266 (NVIDIA GPU Display Driver contains a vulnerability in the 
kernel mode ...)
[experimental] - nvidia-graphics-drivers 384.90-1
-   - nvidia-graphics-drivers  (bug #876414)
+   - nvidia-graphics-drivers 384.98-2 (bug #876414)
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6209458e073e7d917d47e80c9b82204b297abeee


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000005/curl

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
493e516f by Salvatore Bonaccorso at 2018-01-24T08:15:57+01:00
Add CVE-2018-1000005/curl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1077,8 +1077,11 @@ CVE-2018-5733
RESERVED
 CVE-2018-5732
RESERVED
-CVE-2018-105
+CVE-2018-105 [HTTP/2 trailer out-of-bounds read]
RESERVED
+   - curl 
+   NOTE: https://curl.haxx.se/docs/adv_2018-824a.html
+   NOTE: Patch: 
https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
 CVE-2018-5731
RESERVED
 CVE-2018-5730
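
Review bot: The Patch NOTE links the fix by an abbreviated commit hash (fa3dbb9a147488a294); short hashes can become ambiguous as the upstream repository grows, so use the full hash, as the mupdf entry in this list does. The "- curl" line also gives no per-release status yet, which is needed before deciding which suites need an update.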



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/493e516ff83e41bb287c85f7a75236840eb22aed


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-17858/mupdf

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50493a22 by Salvatore Bonaccorso at 2018-01-24T08:46:28+01:00
Add CVE-2017-17858/mupdf

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -6342,7 +6342,9 @@ CVE-2017-17860 (In Samsung Gear products, Bluetooth link 
key is updated to the .
 CVE-2017-17859 (Samsung Internet Browser 6.2.01.12 allows remote attackers to 
bypass ...)
NOT-FOR-US: Samsung Internet Browser
 CVE-2017-17858 (Heap-based buffer overflow in the ensure_solid_xref function 
in ...)
-   TODO: check
+   - mupdf 
+   NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698819 (not public)
+   NOTE: 
http://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
 CVE-2017-17851
RESERVED
 CVE-2017-17850 (An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 
and ...)
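
Review bot: The first NOTE points at a bug marked "(not public)", so the git commit in the second NOTE is the only reference a reader can check, yet it carries no label saying what it is. Label it the way the curl entries do (for example "Patch:"), and record a Debian bug number on the "- mupdf" line once one exists.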



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/50493a221209d952bb3a387f3c5c64976efef6aa


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add further information for CVE-2018-1000005/curl

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a05b0d0 by Salvatore Bonaccorso at 2018-01-24T08:23:45+01:00
Add further information for CVE-2018-1000005/curl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1083,7 +1083,11 @@ CVE-2018-5732
 CVE-2018-105 [HTTP/2 trailer out-of-bounds read]
RESERVED
- curl 
+   [jessie] - curl  (Vulnerable code introduce later)
+   [wheezy] - curl  (Vulnerable code introduce later)
+   NOTE: https://github.com/curl/curl/pull/2231
NOTE: https://curl.haxx.se/docs/adv_2018-824a.html
+   NOTE: Introduced by: 
https://github.com/curl/curl/commit/0761a51ee0551ad9e5
NOTE: Patch: 
https://github.com/curl/curl/commit/fa3dbb9a147488a294.patch
 CVE-2018-5731
RESERVED
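
Review bot: Both added reason strings read "Vulnerable code introduce later"; that should be "introduced later", matching the wording "Vulnerable code introduced in 4.3" used for libtasn1-6 elsewhere in the list. Naming the first curl release that contains the introducing commit would also make the jessie and wheezy claims checkable without reading the commit itself.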



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2a05b0d09a1d490b66f5eda44670aea547be8bbd


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add curl to dsa-needed list

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09b8725a by Salvatore Bonaccorso at 2018-01-24T08:25:21+01:00
Add curl to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -16,6 +16,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 chromium-browser/stable
 --
+curl (ghedo)
+--
 firefox-esr (jmm)
 --
 gcab (carnil)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/09b8725a0442558f07126a6a41b17905224119a7


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000007/curl

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f7754c3e by Salvatore Bonaccorso at 2018-01-24T08:17:12+01:00
Add CVE-2018-1000007/curl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -448,8 +448,11 @@ CVE-2018-5998
RESERVED
 CVE-2018-5997
RESERVED
-CVE-2018-107
+CVE-2018-107 [HTTP authentication leak in redirects]
RESERVED
+   - curl 
+   NOTE: https://curl.haxx.se/docs/adv_2018-b3bf.html
+   NOTE: Patch: https://github.com/curl/curl/commit/af32cd3859336ab.patch
 CVE-2018-5996
RESERVED
 CVE-2018-5995
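
Review bot: The new entry records only "- curl" plus two NOTEs, with no per-release lines, so it does not say whether the suites carrying older curl versions are affected by the authentication leak in redirects. Add [jessie] and [wheezy] status, or a NOTE stating since which version the behaviour exists, as was done for the HTTP/2 trailer entry.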



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f7754c3ea4f1515551ab1887715f9225a3eb0a6d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-104{2, 3, 4, 5}/moodle (removed)

2018-01-23 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a817835c by Salvatore Bonaccorso at 2018-01-24T08:47:48+01:00
Add CVE-2018-104{2,3,4,5}/moodle (removed)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -13036,13 +13036,13 @@ CVE-2018-1047
 CVE-2018-1046
RESERVED
 CVE-2018-1045 (In Moodle 3.x, there is XSS via a calendar event name. ...)
-   TODO: check
+   - moodle 
 CVE-2018-1044 (In Moodle 3.x, quiz web services allow students to see quiz 
results ...)
-   TODO: check
+   - moodle 
 CVE-2018-1043 (In Moodle 3.x, the setting for blocked hosts list can be 
bypassed with ...)
-   TODO: check
+   - moodle 
 CVE-2018-1042 (Moodle 3.x has Server Side Request Forgery in the filepicker. 
...)
-   TODO: check
+   - moodle 
 CVE-2018-1041
RESERVED
 CVE-2017-17380
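
Review bot: Four different issues (XSS, quiz result disclosure, blocked-hosts bypass, SSRF) all receive the same bare "- moodle" line, with no NOTE giving an upstream advisory or fixed upstream version. Since the commit message says the package is removed, one NOTE per entry with the upstream reference would be enough to re-triage quickly if moodle is reintroduced.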



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a817835c2154d5aefe2073e58eea147093aec0e2
