[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000030/python
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db35dd30 by Salvatore Bonaccorso at 2018-02-03T08:44:22+01:00 Add CVE-2018-1000030/python Note: although the upstream bug claims that the Python 3.x is implemented differently and more safely, still some versions segfault, thus need proper investigation before marking 3.x versions as not-affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -575,6 +575,17 @@ CVE-2018-6377 (In Joomla! before 3.8.4, inadequate input filtering in com_fields NOT-FOR-US: Joomla! CVE-2018-6376 (In Joomla! before 3.8.4, the lack of type casting of a variable in a ...) NOT-FOR-US: Joomla! +CVE-2018-130 [Heap-Buffer-Overflow and Heap-Use-After-Free in Objects/fileobject.c] + - python3.7 + - python3.6 + - python3.5 + - python3.4 + - python3.2 + - python2.7 + - python2.6 + NOTE: https://bugs.python.org/issue31530 + NOTE: https://bugs.python.org/file47157/0001-stop-crashes-when-iterating-over-a-file-on-multiple-.patch + TODO: check, although claimed that Python 3.x is implemented safely, some versions still segfault, thus need proper investigation. CVE-2018-129 RESERVED CVE-2018-126 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db35dd3063f118818e834e31a07c220aef084aac You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
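Review bot: the new CVE-2018-1000030 entry lists seven python source packages with neither a fixed version nor a per-suite annotation, while the TODO line in the same hunk says the Python 3.x status is unresolved; as written the tracker will show every listed python3.x package as vulnerable in every suite. The conservative default is fine for triage, but the TODO should record which interpreter versions were actually observed to segfault (the commit message says "some versions"), so that the later not-affected decision for 3.x can be made from the NOTE lines rather than by repeating the investigation; the upstream issue and patch links are already there to hang that on.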
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] LTS: adjust status of binutils/CVE-2018-6543
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: a7c17400 by Roberto C. Sánchez at 2018-02-02T21:33:56-05:00 LTS: adjust status of binutils/CVE-2018-6543 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -104,6 +104,7 @@ CVE-2018-6543 (In GNU Binutils 2.30, there's an integer overflow in the function - binutils [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22769 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2023ce7e8d70b0155cc6206c901e185260918f0 CVE-2018-6542 (In ZZIPlib 0.13.67, there is a bus error (when handling a ...) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,8 +10,6 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -binutils --- dovecot (Thorsten Alteholz) NOTE: after applying the patch, login segfaults NOTE: maintainer and security team are looking into this View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7c174004bf5c50a8d59ff8a78c24bbc376fc740
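Review bot: the dla-needed hunk removes the bare "binutils" entry that commit 73ed1e07 had added about half an hour earlier, and the only justification is the new "[wheezy] - binutils (Minor issue)" line in the first hunk; the commit message "LTS: adjust status" does not say that the package is being dropped from the work queue as a no-DLA decision. Stating that in the message, or adding a short reason next to "Minor issue" (the NOTE lines give only the upstream bug 22769 and the fix commit), would stop the next LTS triager from re-adding it.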
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add binutils to dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 73ed1e07 by Abhijith PA at 2018-02-03T07:32:23+05:30 Add binutils to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,6 +10,8 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +binutils +-- dovecot (Thorsten Alteholz) NOTE: after applying the patch, login segfaults NOTE: maintainer and security team are looking into this View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73ed1e078a2542746d20896e330e42c4c0cdaac1
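Review bot: the new "binutils" entry in dla-needed carries no NOTE line, unlike the dovecot entry directly below it, so whoever claims it has to go back to data/CVE/list to work out which issue is meant; a NOTE naming the CVE being queued (CVE-2018-6543 is the binutils entry touched elsewhere in this batch) and the upstream fix commit would make the entry self-contained and would also have made the follow-up decision to drop it again easier to review.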
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4919e4b by Salvatore Bonaccorso at 2018-02-02T23:11:43+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7,19 +7,19 @@ CVE-2018-6583 CVE-2018-6582 RESERVED CVE-2018-6581 (SQL Injection exists in the JMS Music 1.1.1 component for Joomla! via a ...) - TODO: check + NOT-FOR-US: JMS Music component for Joomla! CVE-2018-6580 (Arbitrary file upload exists in the Jimtawl 2.1.6 and 2.2.5 component ...) - TODO: check + NOT-FOR-US: Jimtawl component for Joomla! CVE-2018-6579 (SQL Injection exists in the JEXTN Reverse Auction 3.1.0 component for ...) - TODO: check + NOT-FOR-US: JEXTN Reverse Auction component for Joomla! CVE-2018-6578 (SQL Injection exists in the JE PayperVideo 3.0.0 component for Joomla! ...) - TODO: check + NOT-FOR-US: JE PayperVideo component for Joomla! CVE-2018-6577 (SQL Injection exists in the JEXTN Membership 3.1.0 component for ...) - TODO: check + NOT-FOR-US: JEXTN Membership component for Joomla! CVE-2018-6576 (SQL Injection exists in Event Manager 1.0 via the event.php id ...) TODO: check CVE-2018-6575 (SQL Injection exists in the JEXTN Classified 1.0.0 component for ...) - TODO: check + NOT-FOR-US: JEXTN Membership component for Joomla! CVE-2018-6574 RESERVED CVE-2018-6573 @@ -77,7 +77,7 @@ CVE-2018-6551 (The malloc implementation in the GNU C Library (aka glibc or libc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22774 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22 CVE-2018-6550 (Monstra CMS through 3.0.4 has XSS in the title function in ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2017-18122 (A signature-validation bypass issue was discovered in SimpleSAMLphp ...) - simplesamlphp 1.15.0-1 NOTE: https://simplesamlphp.org/security/201710-01 
@@ -120,7 +120,7 @@ CVE-2018-6539 CVE-2018-6538 RESERVED CVE-2018-6537 (A buffer overflow vulnerability in the control protocol of Flexense ...) - TODO: check + NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2018-6536 (An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates ...) - icinga2 [stretch] - icinga2 (Minor issue) @@ -245,7 +245,7 @@ CVE-2018-6488 CVE-2018-6487 RESERVED CVE-2018-6486 (XML External Entity (XXE) vulnerability in Micro Focus Fortify Audit ...) - TODO: check + NOT-FOR-US: Micro Focus Fortify Audit Workbench CVE-2017-18119 RESERVED CVE-2017-18118 @@ -313,19 +313,19 @@ CVE-2017-18088 CVE-2017-18087 RESERVED CVE-2017-18086 (Various resources in Atlassian Confluence Server before version 6.4.2 ...) - TODO: check + NOT-FOR-US: Atlassian Confluence CVE-2017-18085 (The viewdefaultdecorator resource in Atlassian Confluence Server ...) - TODO: check + NOT-FOR-US: Atlassian Confluence CVE-2017-18084 (The usermacros resource in Atlassian Confluence Server before version ...) - TODO: check + NOT-FOR-US: Atlassian Confluence CVE-2017-18083 (The editinword resource in Atlassian Confluence Server before version ...) - TODO: check + NOT-FOR-US: Atlassian Confluence CVE-2017-18082 (The plan configure branches resource in Atlassian Bamboo before ...) - TODO: check + NOT-FOR-US: Atlassian Bamboo CVE-2017-18081 (The signupUser resource in Atlassian Bamboo before version 6.3.1 ...) - TODO: check + NOT-FOR-US: Atlassian Bamboo CVE-2017-18080 (The saveConfigureSecurity resource in Atlassian Bamboo before version ...) - TODO: check + NOT-FOR-US: Atlassian Bamboo CVE-2018-6485 (An integer overflow in the implementation of the posix_memalign in ...) [experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0 - glibc (bug #878159) 
@@ -2212,23 +2212,23 @@ CVE-2018-5752 CVE-2018-5751 RESERVED CVE-2017-18042 (The update user administration resource in Atlassian Bamboo before ...) - TODO: check + NOT-FOR-US: Atlassian Bamboo CVE-2017-18041 (The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo ...) - TODO: check + NOT-FOR-US: Atlassian Bamboo CVE-2017-18040 (The viewDeploymentVersionCommits resource in Atlassian Bamboo before ...) - TODO: check + NOT-FOR-US: Atlassian Bamboo CVE-2017-18039 (The IncomingMailServers resource in Atlassian Jira from version 6.2.1 ...) - TODO: check + NOT-FOR-US: Atlassian Jira CVE-2017-18038 (The repository settings resource in Atlassian Bitbucket Server before ...) - TODO: check + NOT-FOR-US: Atlassian Bitbucket
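Review bot: copy-paste error in the first hunk: CVE-2018-6575 is described as the "JEXTN Classified 1.0.0 component for Joomla!" but its new line reads "NOT-FOR-US: JEXTN Membership component for Joomla!", repeating the text used for CVE-2018-6577 two entries above; it should read "NOT-FOR-US: JEXTN Classified component for Joomla!". The NOT-FOR-US verdict itself is not in doubt, but the product name is what later triagers grep for when the same component is reported again.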
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6536/icinga2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bd5e386 by Salvatore Bonaccorso at 2018-02-02T23:00:35+01:00 Add CVE-2018-6536/icinga2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -122,7 +122,10 @@ CVE-2018-6538 CVE-2018-6537 (A buffer overflow vulnerability in the control protocol of Flexense ...) TODO: check CVE-2018-6536 (An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates ...) - TODO: check + - icinga2 + [stretch] - icinga2 (Minor issue) + [jessie] - icinga2 (Minor issue) + NOTE: https://github.com/Icinga/icinga2/issues/5991 CVE-2018-6535 RESERVED CVE-2018-6534 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bd5e386909da76fa3c53d69f2c00f9185c9b2c5
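Review bot: the icinga2 entry links only the upstream issue (Icinga/icinga2#5991) and leaves the unstable line unversioned, so the package shows as unfixed in every suite; that is correct for now, but the "Minor issue" marking for stretch and jessie is recorded without a reason, and the truncated description ("The daemon creates ...") does not let a reader recover one. A few words in the suite lines, and the fixing upstream commit as a second NOTE once it exists, would make the no-DSA decision auditable.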
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6526/mantis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd9a4df7 by Salvatore Bonaccorso at 2018-02-02T22:57:17+01:00 Add CVE-2018-6526/mantis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -142,7 +142,8 @@ CVE-2018-6528 CVE-2018-6527 RESERVED CVE-2018-6526 (view_all_bug_page.php in MantisBT before 2018-02-02 allows remote ...) - TODO: check + - mantis + NOTE: https://mantisbt.org/bugs/view.php?id=23921 CVE-2018-6525 (In nProtect AVS V4.0 4.0.0.38, the driver file (TKFsAv.SYS) allows ...) NOT-FOR-US: nProtect AVS CVE-2018-6524 (In nProtect AVS V4.0 4.0.0.38, the driver file (TKFsAv.SYS) allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd9a4df7498e4030ee7aa0f5da8d8208612b27e6
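Review bot: the mantis entry has no [stretch] or [jessie] line, unlike the other entries added in this series, so both suites will be listed as vulnerable until a decision is recorded. Since the description pins the issue to MantisBT "before 2018-02-02" rather than to a release, the NOTE should also point at the fixing upstream commit and not only the bug report, as the commit is what any backport would be built from.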
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6541/zziplib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fa12f51d by Salvatore Bonaccorso at 2018-02-02T22:54:22+01:00 Add CVE-2018-6541/zziplib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -110,7 +110,8 @@ CVE-2018-6542 (In ZZIPlib 0.13.67, there is a bus error (when handling a ...) - zziplib NOTE: https://github.com/gdraheim/zziplib/issues/17 CVE-2018-6541 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a ...) - TODO: check + - zziplib + NOTE: https://github.com/gdraheim/zziplib/issues/16 CVE-2018-6540 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a ...) TODO: check CVE-2018-6539 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fa12f51d8693a20bc7b2c06f7e22b6bb869b4841
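Review bot: the descriptions of CVE-2018-6541 and CVE-2018-6540 are word-for-word identical in the context shown ("bus error caused by loading of a ..."), and this hunk binds gdraheim/zziplib#16 to CVE-2018-6541 while the entry above binds #17 to CVE-2018-6542; please confirm the issue-to-CVE mapping against the full MITRE text before CVE-2018-6540 is assigned its issue, because a swapped mapping here propagates into the DSA and the changelog. The entry also lacks a fixed version and any [stretch]/[jessie] line.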
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6542/zziplib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f186534 by Salvatore Bonaccorso at 2018-02-02T22:53:23+01:00 Add CVE-2018-6542/zziplib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -107,7 +107,8 @@ CVE-2018-6543 (In GNU Binutils 2.30, there's an integer overflow in the function NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22769 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2023ce7e8d70b0155cc6206c901e185260918f0 CVE-2018-6542 (In ZZIPlib 0.13.67, there is a bus error (when handling a ...) - TODO: check + - zziplib + NOTE: https://github.com/gdraheim/zziplib/issues/17 CVE-2018-6541 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a ...) TODO: check CVE-2018-6540 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f186534c3847b4bbb1b314baf3a3ffa213522e0
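Review bot: the zziplib line is added unversioned and without [stretch]/[jessie] annotations, so the package is listed as affected in every suite on the strength of an upstream issue link alone; that is the right interim state, but the NOTE should be extended with the upstream fix commit for issue #17 when it lands, and the suite lines filled in, so the entry does not sit in this shape the way the neighbouring binutils entry did until the LTS team revisited it.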
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6544/mupdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb4a1f10 by Salvatore Bonaccorso at 2018-02-02T22:51:45+01:00 Add CVE-2018-6544/mupdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -95,7 +95,11 @@ CVE-2018-6546 CVE-2018-6545 (Ipswitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripting ...) TODO: check CVE-2018-6544 (pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could ...) - TODO: check + - mupdf + NOTE: http://git.ghostscript.com/?p=mupdf.git;h=26527eef77b3e51c2258c8e40845bfbc015e405d + NOTE: http://git.ghostscript.com/?p=mupdf.git;h=b03def134988da8c800adac1a38a41a1f09a1d89 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698830 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698965 CVE-2018-6543 (In GNU Binutils 2.30, there's an integer overflow in the function ...) - binutils [stretch] - binutils (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fb4a1f10d51d56fe8d12d397c5836868a13a3508
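Review bot: four NOTE lines are added (two mupdf.git commits and two ghostscript bugs) without saying which commit fixes which bug; the usual form "NOTE: Fixed by: <commit> (bug NNN)" is what lets a backporter pick the right change without re-reading both bug threads, and it matters here because a single CVE with two commits usually means the first fix was incomplete. The entry also has no [stretch]/[jessie] line, so mupdf shows as affected in both until that is settled.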
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Cleanup note for CVE-2018-6353
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74996217 by Salvatore Bonaccorso at 2018-02-02T22:51:02+01:00 Cleanup note for CVE-2018-6353 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -654,7 +654,7 @@ CVE-2018-6353 (The Python console in Electrum through 2.9.4 and 3.x through 3.0. [stretch] - electrum (scheduled for removal from stretch) [jessie] - electrum (scheduled for removal from jessie) NOTE: https://github.com/spesmilo/electrum/issues/3678 - NOTE: MISC:https://github.com/spesmilo/electrum/pull/3700 + NOTE: https://github.com/spesmilo/electrum/pull/3700 CVE-2018-6352 (In PoDoFo 0.9.5, there is an Excessive Iteration in the ...) - libpodofo [stretch] - libpodofo (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/749962172c34aab4e2497a80b327f05c77efba36
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6543/binutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47b0b90f by Salvatore Bonaccorso at 2018-02-02T22:47:22+01:00 Add CVE-2018-6543/binutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -97,7 +97,11 @@ CVE-2018-6545 (Ipswitch MoveIt v8.1 is vulnerable to a Stored Cross-Site Scripti CVE-2018-6544 (pdf_load_obj_stm in pdf/pdf-xref.c in Artifex MuPDF 1.12.0 could ...) TODO: check CVE-2018-6543 (In GNU Binutils 2.30, there's an integer overflow in the function ...) - TODO: check + - binutils + [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22769 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2023ce7e8d70b0155cc6206c901e185260918f0 CVE-2018-6542 (In ZZIPlib 0.13.67, there is a bus error (when handling a ...) TODO: check CVE-2018-6541 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47b0b90f2301d5b089ccb83d45083a1f94608d22
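Review bot: the entry is complete for stable and oldstable (bug 22769 plus the fixing binutils-gdb commit), but "Minor issue" is recorded without the reasoning behind it; a few words in the [stretch] line would have saved the LTS team the separate round-trip visible later in this batch, where binutils was first queued in dla-needed and then dropped again with an identical [wheezy] line. Documenting the rationale once, at the point it is decided, is cheaper than re-deriving it per suite.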
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18121/simplesamlphp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5396c79f by Salvatore Bonaccorso at 2018-02-02T22:41:33+01:00 Add CVE-2017-18121/simplesamlphp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -82,7 +82,8 @@ CVE-2017-18122 (A signature-validation bypass issue was discovered in SimpleSAML - simplesamlphp 1.15.0-1 NOTE: https://simplesamlphp.org/security/201710-01 CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable ...) - TODO: check + - simplesamlphp 1.15.0-1 + NOTE: https://simplesamlphp.org/security/201709-01 CVE-2018-6549 RESERVED CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02-02. If ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5396c79ff939b29a8415ec6ab37913161ee47785
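Review bot: the fixed version 1.15.0-1 is recorded, but there are no [stretch]/[jessie] lines, whereas the other simplesamlphp entries touched in this batch (CVE-2018-6519, CVE-2018-6520, CVE-2018-6521) carry "Minor issue" for both suites; without them stretch and jessie are listed as vulnerable to CVE-2017-18121 with no recorded decision. The advisory 201709-01 is the right reference; the suite lines should say whether the consentAdmin issue warrants a DSA or is no-dsa like its siblings.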
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18122/simplesamlphp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 000dfe5e by Salvatore Bonaccorso at 2018-02-02T22:39:33+01:00 Add CVE-2017-18122/simplesamlphp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -79,7 +79,8 @@ CVE-2018-6551 (The malloc implementation in the GNU C Library (aka glibc or libc CVE-2018-6550 (Monstra CMS through 3.0.4 has XSS in the title function in ...) TODO: check CVE-2017-18122 (A signature-validation bypass issue was discovered in SimpleSAMLphp ...) - TODO: check + - simplesamlphp 1.15.0-1 + NOTE: https://simplesamlphp.org/security/201710-01 CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable ...) TODO: check CVE-2018-6549 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/000dfe5e64d1fd3246120084d575b539332eeb66
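Review bot: a signature-validation bypass in a SAML implementation is an authentication issue, not self-evidently minor, and this entry records only the unstable fix (1.15.0-1) with no [stretch]/[jessie] decision; whichever way that goes, the suite lines should carry the rationale explicitly rather than inheriting the "Minor issue" wording from the other simplesamlphp entries by habit. The advisory link 201710-01 is enough to backport from, so the open item is the triage decision, not the reference.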
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Record flatpak bug number: #888842
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d36dcc18 by Salvatore Bonaccorso at 2018-02-02T22:18:20+01:00 Record flatpak bug number: #888842 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -49,7 +49,7 @@ CVE-2018-6562 CVE-2018-6561 (dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute ...) TODO: check CVE-2018-6560 (In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and ...) - - flatpak 0.10.3-1 + - flatpak 0.10.3-1 (bug #42) [stretch] - flatpak (Minor issue; will be fixed via point release) NOTE: https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6 CVE-2018-6559 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d36dcc183d9672986275cb0109a36f981f49122f
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6561/flatpak
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cbcc76a by Salvatore Bonaccorso at 2018-02-02T22:15:42+01:00 Add CVE-2018-6561/flatpak - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -49,7 +49,9 @@ CVE-2018-6562 CVE-2018-6561 (dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attribute ...) TODO: check CVE-2018-6560 (In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and ...) - TODO: check + - flatpak 0.10.3-1 + [stretch] - flatpak (Minor issue; will be fixed via point release) + NOTE: https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6 CVE-2018-6559 RESERVED CVE-2018-6558 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1cbcc76a28c9b9b0f83d556395fe6acd1aa9b90f
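Review bot: the commit subject says "Add CVE-2018-6561/flatpak" but the hunk edits the CVE-2018-6560 entry (CVE-2018-6561 is the Dojo Toolkit XSS directly above it and stays at "TODO: check"); the subject should name CVE-2018-6560 so the log can be searched by CVE. Also, the [stretch] line promises "will be fixed via point release" without a Debian bug to track that against; the follow-up commit in this batch adds the bug number, which is the right fix, but it belongs with the line that makes the promise.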
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Drop misleading comment
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5bbbd6db by Moritz Muehlenhoff at 2018-02-02T21:26:21+01:00 Drop misleading comment This is about the software as shipped in Debian, so only the Debian setup is relevant here - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -534,8 +534,7 @@ CVE-2017-18078 (systemd-tmpfiles in systemd before 237 attempts to support ...) - systemd 237-1 (unimportant) NOTE: https://github.com/systemd/systemd/issues/7736 NOTE: https://github.com/systemd/systemd/commit/5579f85663d10269e7ac7464be6548c99cea4ada (v237) - NOTE: Neutralised by kernel hardening shipped with Debian, but not upstream Linux - NOTE: workaround: sysctl fs.protected_hardlinks=1, see also #889098 + NOTE: Neutralised by kernel hardening CVE-2018-6362 RESERVED CVE-2018-6361 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5bbbd6dbd4302bebb22012ad29f526ce7b3e8541
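Review bot: the hunk drops "workaround: sysctl fs.protected_hardlinks=1, see also #889098" along with the "not upstream Linux" qualifier, which removes the only concrete statement of which kernel hardening neutralises CVE-2017-18078 and the cross-reference to the Debian bug; what is left, "Neutralised by kernel hardening", cannot be checked by a reader without re-deriving it. Even accepting the commit message's point that only the Debian configuration matters for the tracker, keeping the sysctl name in the NOTE (for example "Neutralised by fs.protected_hardlinks=1 as shipped in Debian kernels, see #889098") preserves the verifiable fact, and it is exactly the setting an administrator running a custom kernel on Debian would need to confirm before relying on the "unimportant" rating.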
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Sort entries per source package
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1fe5fa8 by Salvatore Bonaccorso at 2018-02-02T20:20:27+01:00 Sort entries per source package - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -157696,8 +157696,8 @@ CVE-2013-4157 (Red Hat Storage 2.0 allows local users to overwrite arbitrary fil NOT-FOR-US: Red Hat Storage Server CVE-2013-4156 (Apache OpenOffice.org (OOo) before 4.0 allows remote attackers to ...) - libreoffice 1:4.1.0-1 (unimportant) - - openoffice.org (unimportant) [wheezy] - libreoffice (Minor issue) + - openoffice.org (unimportant) NOTE: Harmless crash CVE-2013-4155 (OpenStack Swift before 1.9.1 in Folsom, Grizzly, and Havana allows ...) {DSA-2737-1} @@ -171419,8 +171419,8 @@ CVE-2012-5640 [thttpd: Local DoS vulnerability] CVE-2012-5639 RESERVED - libreoffice (unimportant) - - openoffice.org 1:3.3.0-1 (unimportant) [wheezy] - libreoffice (Minor issue) + - openoffice.org 1:3.3.0-1 (unimportant) NOTE: Since 3.3.0 openoffice.org is a transitional source package NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=58295 NOTE: Additional hardening/UI improvement, not a direct vulnerability View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1fe5fa8e2ff28b5752dc26948e3c32814613a4f
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Triage result.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a05dd723 by Ola Lundqvist at 2018-02-02T18:45:32+01:00 Triage result. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -72,6 +72,7 @@ CVE-2018-6519 (The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before - simplesamlphp 1.15.2-1 [stretch] - simplesamlphp (Minor issue) [jessie] - simplesamlphp (Minor issue) + [wheezy] - simplesamlphp (Minor issue) NOTE: https://simplesamlphp.org/security/201801-01 NOTE: The issue lies in the simplesamlphp/saml2 part, which is NOTE: updated in 1.15.2 to the respective fixed version. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a05dd7234b6ef4379bba2cffcbe0c3daf0d56beb
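Review bot: the commit message "Triage result." does not say what was triaged; the hunk adds a [wheezy] "Minor issue" line for CVE-2018-6519/simplesamlphp, and a message in the form the rest of this series uses ("LTS: mark CVE-2018-6519/simplesamlphp as minor for wheezy") would let the log be searched by CVE and package. The existing NOTE lines explain that the issue is in the bundled simplesamlphp/saml2 part; if the wheezy decision depends on which saml2 version wheezy ships, that is worth a word in the new line.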
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1268-1 for p7zip
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: a5874daa by Antoine Beaupré at 2018-02-02T10:39:42-05:00 Reserve DLA-1268-1 for p7zip - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[02 Feb 2018] DLA-1268-1 p7zip - security update + {CVE-2017-17969} + [wheezy] - p7zip 9.20.1~dfsg.1-4+deb7u3 [02 Feb 2018] DLA-1267-1 squid - security update {CVE-2018-127} [wheezy] - squid 2.7.STABLE9-4.1+deb7u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -61,8 +61,6 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- -p7zip (Antoine Beaupré) --- xen NOTE: mention mitigation for CVE-2017-15590 in next DLA NOTE: https://xenbits.xen.org/xsa/advisory-237.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a5874daa6da974582168603f32be9a196ac8c519
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1266-1 for squid3
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 872a4bc8 by Roberto C. Sánchez at 2018-02-02T08:54:59-05:00 Reserve DLA-1266-1 for squid3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[02 Feb 2018] DLA-1266-1 squid3 - security update + {CVE-2018-124 CVE-2018-127} + [wheezy] - squid3 3.1.20-2.2+deb7u8 [01 Feb 2018] DLA-1249-2 smarty3 - regression update [wheezy] - smarty3 3.1.10-2+deb7u3 [31 Jan 2018] DLA-1265-1 krb5 - security update = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -68,8 +68,6 @@ squid (Roberto C. Sánchez) NOTE: that the code is actually not vulnerable. NOTE: 20180201: Similar code pattern exists in src/client_side.c (Abhijith) -- -squid3 (Roberto C. Sánchez) --- xen NOTE: mention mitigation for CVE-2017-15590 in next DLA NOTE: https://xenbits.xen.org/xsa/advisory-237.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/872a4bc8810f7f9f255ac9ae2e901df1a5ab0656
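Review bot: the dla-needed hunk removes squid3 now that DLA-1266-1 fixes two CVEs in it, but the squid entry that stays directly above still carries "NOTE: that the code is actually not vulnerable." and "Similar code pattern exists in src/client_side.c (Abhijith)", an unresolved question about whether the same code is reachable in the older squid. Since the squid3 analysis evidently concluded the fixes were needed, a NOTE recording why squid differs (or that the comparison is still open) would keep the two packages' conclusions from drifting apart, and would explain why the later DLA-1267-1 for squid lists fewer CVEs than this one.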
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take p7zip from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1858894 by Salvatore Bonaccorso at 2018-02-02T10:47:02+01:00 Take p7zip from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -52,7 +52,7 @@ openjdk-8/stable (jmm) -- openjpeg2 -- -p7zip +p7zip (carnil) -- passenger/stable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a18588945ee35853b5657666ab040e885e309b5b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a18588945ee35853b5657666ab040e885e309b5b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] update CVE-2018-6521, 6520/simplesamlphp
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 3964b981 by Abhijith PA at 2018-02-02T14:54:29+05:30 update CVE-2018-6521,6520/simplesamlphp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -60,11 +60,13 @@ CVE-2018-6521 (The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the M - simplesamlphp 1.15.2-1 [stretch] - simplesamlphp (Minor issue) [jessie] - simplesamlphp (Minor issue) +[wheezy] - simplesamlphp (Minor issue) NOTE: https://simplesamlphp.org/security/201801-03 CVE-2018-6520 (SimpleSAMLphp before 1.15.2 allows remote attackers to bypass an open ...) - simplesamlphp 1.15.2-1 [stretch] - simplesamlphp (Minor issue) [jessie] - simplesamlphp (Minor issue) +[wheezy] - simplesamlphp (Vulnerable code introduced in 1.12) NOTE: https://simplesamlphp.org/security/201801-02 CVE-2018-6519 (The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 ...) - simplesamlphp 1.15.2-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3964b981daaca77670fcbf1888522672374a5c97 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3964b981daaca77670fcbf1888522672374a5c97 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
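Review bot: the second added line, "[wheezy] - simplesamlphp (Vulnerable code introduced in 1.12)", gives a not-affected style justification but omits the "<not-affected>" tag, so the tracker will read it the same way as the "(Minor issue)" line above it, i.e. wheezy vulnerable with a no-dsa reason. If the intent is that the wheezy version of simplesamlphp predates the code introduced in 1.12, the line should be "[wheezy] - simplesamlphp <not-affected> (Vulnerable code introduced in 1.12)"; if wheezy is in fact affected, the parenthetical should say why it is being deferred rather than why it is not present.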
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 065d3af6 by Salvatore Bonaccorso at 2018-02-02T10:12:14+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -47,13 +47,13 @@ CVE-2018-6527 CVE-2018-6526 RESERVED CVE-2018-6525 (In nProtect AVS V4.0 4.0.0.38, the driver file (TKFsAv.SYS) allows ...) - TODO: check + NOT-FOR-US: nProtect AVS CVE-2018-6524 (In nProtect AVS V4.0 4.0.0.38, the driver file (TKFsAv.SYS) allows ...) - TODO: check + NOT-FOR-US: nProtect AVS CVE-2018-6523 (In nProtect AVS V4.0 4.0.0.38, the driver file (TKFsAv.SYS) allows ...) - TODO: check + NOT-FOR-US: nProtect AVS CVE-2018-6522 (In nProtect AVS V4.0 4.0.0.38, the driver file (TKRgFtXp.SYS) allows ...) - TODO: check + NOT-FOR-US: nProtect AVS CVE-2017-18120 RESERVED CVE-2018-6521 (The sqlauth module in SimpleSAMLphp before 1.15.2 relies on the MySQL ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/065d3af68f7ee16a9513ff0355f757b62c730981 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/065d3af68f7ee16a9513ff0355f757b62c730981 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits