[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark chromium-browser as end-of-life for jessie

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9087c027 by Salvatore Bonaccorso at 2018-02-05T06:20:39+01:00
Mark chromium-browser as end-of-life for jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -185,6 +185,7 @@ CVE-2018-6549
RESERVED
 CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 
2018-02-02. If ...)
- chromium-browser 
+   [jessie] - chromium-browser  (End of life, see DSA 4020)
[wheezy] - chromium-browser  (Not supported in wheezy LTS)
NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493
NOTE: 
https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md
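Review bot: as rendered, the new `[jessie]` line has only whitespace between the package name and the reason (`[jessie] - chromium-browser  (End of life, see DSA 4020)`), exactly where the tracker's `<end-of-life>` status token belongs; the same gap appears on the `[wheezy]` line and after the unversioned `- chromium-browser` entry (which the earlier "chromium-browser unfixed" commit implies carries `<unfixed>`). Either the angle-bracketed tokens were stripped in transit or the lines are malformed and will not parse, so confirm the committed text still contains them.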
@@ -605,6 +606,7 @@ CVE-2018-6407 (An issue was discovered on Conceptronic 
CIPCAMPTIWL V3 0.61.30.21
NOT-FOR-US: CIPCAMPTIWL devices
 CVE-2018-6406 (The function ParseVP9SuperFrameIndex in common/libwebm_util.cc 
in ...)
- chromium-browser 
+   [jessie] - chromium-browser  (End of life, see DSA 4020)
[wheezy] - chromium-browser  (Not supported in wheezy LTS)
NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1492
NOTE: 
https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md
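Review bot: within the shown context the only references for CVE-2018-6406 are the Chromium bug and a third-party PoC write-up; there is no pointer to an upstream libwebm fix, so once the bundled libwebm copy in chromium-browser is updated there is nothing in the entry to check the fix against. Adding the upstream libwebm commit when it lands would make the jessie end-of-life decision and the later sid fix verifiable.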



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9087c0273dad6007cd134c0caea0ceb152e8478d

---
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9087c0273dad6007cd134c0caea0ceb152e8478d
You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Drop ceph-deploy ITP

2018-02-04 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7f79ad4f by Paul Wise at 2018-02-05T12:09:15+08:00
Drop ceph-deploy ITP

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -111787,7 +111787,7 @@ CVE-2015- [XSS in group administration]
[jessie] - php-horde 5.2.1+debian0-2+deb8u1
NOTE: 
https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
 CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses 
world-readable ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy 
NOTE: http://tracker.ceph.com/issues/11694
 CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with 
...)
NOT-FOR-US: Unisys Libra
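Review bot: dropping `(bug #694013)` removes the only hint of why an unversioned ceph-deploy entry is listed at all; the rationale (the first uploaded version is newer than the 1.5.25 fix, per the preceding "ceph-deploy accepted into Debian" commit message) is now nowhere in the entry. Carry it as a parenthesized reason or a NOTE so the line is self-explanatory without git history.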
@@ -114929,7 +114929,7 @@ CVE-2015-4085 (Directory traversal vulnerability in 
node/hooks/express/tests.js 
 CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in 
Etherpad ...)
- etherpad-lite  (bug #576998)
 CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy 
NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9
 CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 
4.3.12 ...)
{DSA-3223-1 DLA-192-1}
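Review bot: the same applies to CVE-2015-3010, whose description gives the fix as "before 1.5.23" rather than 1.5.25; both thresholds are below the uploaded version, but with the bug reference gone the entry no longer says so, and a short reason on the package line would avoid a future triager re-checking it.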



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f79ad4fe74a65117386ddd37731949e684a4721


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] ceph-deploy accepted into Debian

2018-02-04 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1c6c4f57 by Paul Wise at 2018-02-05T12:07:51+08:00
ceph-deploy accepted into Debian

First version uploaded is newer than the fixed version 1.5.25

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -111787,7 +111787,7 @@ CVE-2015- [XSS in group administration]
[jessie] - php-horde 5.2.1+debian0-2+deb8u1
NOTE: 
https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
 CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses 
world-readable ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy  (bug #694013)
NOTE: http://tracker.ceph.com/issues/11694
 CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with 
...)
NOT-FOR-US: Unisys Libra
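Review bot: the removed and added lines render identically (`- ceph-deploy  (bug #694013)`), so the actual change must be in the status token between the package name and the bug reference, which is not visible here; given the commit message, that is presumably a switch from the ITP marker to a not-affected state. Since the reason ("first upload newer than the fixed version 1.5.25") only lives in the commit message, consider putting it in the parenthesized reason so the entry stands on its own.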
@@ -114929,7 +114929,7 @@ CVE-2015-4085 (Directory traversal vulnerability in 
node/hooks/express/tests.js 
 CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in 
Etherpad ...)
- etherpad-lite  (bug #576998)
 CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy  (bug #694013)
NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9
 CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 
4.3.12 ...)
{DSA-3223-1 DLA-192-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1c6c4f579c19ece2064bba9d613533e8cc6a848f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-0508 to 10: NFU

2018-02-04 Thread Luciano Bello
Luciano Bello pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c1309e66 by Luciano Bello at 2018-02-04T22:06:29-05:00
CVE-2018-0508 to 10: NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -16398,11 +16398,11 @@ CVE-2018-0512
 CVE-2018-0511 (Cross-site scripting vulnerability in WP Retina 2x prior to 
version ...)
NOT-FOR-US: WP Retina
 CVE-2018-0510 (Buffer overflow in epg search result viewer (kkcald) 0.7.19 and 
...)
-   TODO: check
+   NOT-FOR-US: kkcal
 CVE-2018-0509 (Cross-site request forgery (CSRF) vulnerability in epg search 
result ...)
-   TODO: check
+   NOT-FOR-US: kkcal
 CVE-2018-0508 (Cross-site scripting vulnerability in epg search result viewer 
...)
-   TODO: check
+   NOT-FOR-US: kkcal
 CVE-2018-0507 (Untrusted search path vulnerability in FLET'S VIRUS CLEAR Easy 
Setup  ...)
NOT-FOR-US: FLET'S VIRUS CLEAR
 CVE-2018-0506 (Nootka 1.4.4 and earlier allows remote attackers to execute 
arbitrary ...)
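Review bot: the three new lines say `NOT-FOR-US: kkcal` while the CVE descriptions name the product as "epg search result viewer (kkcald)"; the NFU marker should use the same product name as the description so that later searches for the product match the triage line.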



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c1309e66c41c1e6311163d5d3faa7aa65d30a53e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2018-6548: chromium-browser

2018-02-04 Thread Luciano Bello
Luciano Bello pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c6864d05 by Luciano Bello at 2018-02-04T21:35:58-05:00
CVE-2018-6548: chromium-browser unfixed

- - - - -
9d6005e5 by Luciano Bello at 2018-02-04T21:49:04-05:00
CVE-2018-6317: NFU

- - - - -
e939cb82 by Luciano Bello at 2018-02-04T21:51:25-05:00
CVE-2018-5261: NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -184,6 +184,10 @@ CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp 
through 1.14.15 is vuln
 CVE-2018-6549
RESERVED
 CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 
2018-02-02. If ...)
+   - chromium-browser 
+   [wheezy] - chromium-browser  (Not supported in wheezy LTS)
+   NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493
+   NOTE: 
https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md
TODO: check
 CVE-2018-6547
RESERVED
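Review bot: `TODO: check` is left in place after the entry has been triaged as affected and unfixed in chromium-browser and unsupported in wheezy; if what remains to check is whether any other source package ships the vulnerable libwebm code, say so in the TODO, otherwise drop it so the entry does not show up again in the TODO queue.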
@@ -883,7 +887,7 @@ CVE-2018-6319 (In Sophos Tester Tool 3.2.0.7 Beta, the 
driver accepts a special 
 CVE-2018-6318 (In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the 
context ...)
NOT-FOR-US: Sophos Tester Tool
 CVE-2018-6317 (The remote management interface in Claymore Dual Miner 10.5 and 
...)
-   TODO: check
+   NOT-FOR-US: Claymore's Dual Ethereum
 CVE-2018-6316
RESERVED
 CVE-2018-6315 (The outputSWF_TEXT_RECORD function (util/outputscript.c) in 
libming ...)
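Review bot: the NFU line reads `NOT-FOR-US: Claymore's Dual Ethereum` while the CVE description names the product "Claymore Dual Miner"; use the description's wording so the two are searchable by the same name.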
@@ -3595,7 +3599,7 @@ CVE-2018-5263 (The StackIdeas EasyDiscuss (aka 
com_easydiscuss) extension before
 CVE-2018-5262 (A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and 
earlier ...)
NOT-FOR-US: Flexense DiskBoss
 CVE-2018-5261 (An issue was discovered in Flexense DiskBoss 8.8.16 and 
earlier. Due ...)
-   TODO: check
+   NOT-FOR-US: Flexense DiskBoss
 CVE-2018-5260
RESERVED
 CVE-2018-5259 (Discuz! DiscuzX X3.4 allows remote authenticated users to 
bypass ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/886db6a37a59fb415b84eecb27307f3661d8d126...e939cb82604c723baf9e167c3486df5e2deea89a


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6612/jhead, #889272

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e8587025 by Salvatore Bonaccorso at 2018-02-04T22:20:48+01:00
Add CVE-2018-6612/jhead, #889272

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5,6 +5,8 @@ CVE-2018-6614
 CVE-2018-6613
RESERVED
 CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the 
exif.c ...)
+   - jhead 1:3.00-6 (bug #889272)
+   NOTE: 
https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784
TODO: check
 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and 
libopenmpt ...)
TODO: check
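Review bot: the entry records the sid fix `1:3.00-6` and the Debian patch, but no `[stretch]` or `[jessie]` line, so both stable releases are now listed as vulnerable with no decision recorded; the referenced patch is named "heap-buffer-overflow" while the description says "integer underflow", so a short NOTE confirming this patch is the fix for CVE-2018-6612, plus a no-dsa or affected decision for stretch and jessie, would complete the triage. The `TODO: check` that remains should then be removed.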



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e85870250fabc7453dd0e9a60436f34391444e19


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6611: update status for stretch version

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f3b86c4 by Salvatore Bonaccorso at 2018-02-04T22:41:33+01:00
CVE-2018-6611: update status for stretch version

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9,6 +9,7 @@ CVE-2018-6612 (An integer underflow bug in the process_EXIF 
function of the exif
NOTE: 
https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784
 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and 
libopenmpt ...)
- libopenmpt  (bug #889545)
+   [stretch] - libopenmpt  (Vulnerable code not present)
NOTE: 
https://github.com/OpenMPT/openmpt/commit/61fc6d3030a4d4283105cb5fb46b27b42fa5575e
 CVE-2018-6610
RESERVED
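Review bot: the new `[stretch]` line gives "Vulnerable code not present" as the reason but nothing that lets a reader verify it; the description only says OpenMPT through 1.27.04.00 is affected. Adding the stretch upstream version, or a note that the stretch version predates the STP loader (`soundlib/Load_stp.cpp`) referenced in the description, would make the not-affected claim checkable from the entry alone.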



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f3b86c44a9ad47f44d7f5a4f732b3e024fb7152


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-6611

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5a6078d0 by Salvatore Bonaccorso at 2018-02-04T22:39:10+01:00
Add bug reference for CVE-2018-6611

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8,7 +8,7 @@ CVE-2018-6612 (An integer underflow bug in the process_EXIF 
function of the exif
- jhead 1:3.00-6 (bug #889272)
NOTE: 
https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784
 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and 
libopenmpt ...)
-   - libopenmpt 
+   - libopenmpt  (bug #889545)
NOTE: 
https://github.com/OpenMPT/openmpt/commit/61fc6d3030a4d4283105cb5fb46b27b42fa5575e
 CVE-2018-6610
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5a6078d02e4fd4f997ef653b708c41a088985f28


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6611/libopenmpt

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
131995ed by Salvatore Bonaccorso at 2018-02-04T22:23:57+01:00
Add CVE-2018-6611/libopenmpt

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8,7 +8,8 @@ CVE-2018-6612 (An integer underflow bug in the process_EXIF 
function of the exif
- jhead 1:3.00-6 (bug #889272)
NOTE: 
https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784
 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and 
libopenmpt ...)
-   TODO: check
+   - libopenmpt 
+   NOTE: 
https://github.com/OpenMPT/openmpt/commit/61fc6d3030a4d4283105cb5fb46b27b42fa5575e
 CVE-2018-6610
RESERVED
 CVE-2018-6609
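Review bot: the entry is moved from `TODO: check` to an unfixed libopenmpt state with the upstream fix commit, but no Debian bug reference; without a `(bug #NNN)` the maintainer is not notified and the entry is hard to track. A bug should be filed and referenced on the package line (the later "Add bug reference for CVE-2018-6611" commit does this).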



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/131995ed56ff0f98632b5095b038551ee693f5b0


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove TODO item for CVE-2018-6612

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38feb681 by Salvatore Bonaccorso at 2018-02-04T22:21:44+01:00
Remove TODO item for CVE-2018-6612

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -7,7 +7,6 @@ CVE-2018-6613
 CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the 
exif.c ...)
- jhead 1:3.00-6 (bug #889272)
NOTE: 
https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784
-   TODO: check
 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and 
libopenmpt ...)
TODO: check
 CVE-2018-6610



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/38feb681dcfde7d224ac976d2afa6cc0555047b4


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DSA number for p7zip update

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
29c7821e by Salvatore Bonaccorso at 2018-02-04T21:24:12+01:00
Reserve DSA number for p7zip update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,3 +1,7 @@
+[04 Feb 2018] DSA-4104-1 p7zip - security update
+   {CVE-2017-17969}
+   [jessie] - p7zip 9.20.1~dfsg.1-4.1+deb8u3
+   [stretch] - p7zip 16.02+dfsg-3+deb9u1
 [31 Jan 2018] DSA-4103-1 chromium-browser - security update
{CVE-2017-15420 CVE-2017-15429 CVE-2018-6031 CVE-2018-6032 
CVE-2018-6033 CVE-2018-6034 CVE-2018-6035 CVE-2018-6036 CVE-2018-6037 
CVE-2018-6038 CVE-2018-6039 CVE-2018-6040 CVE-2018-6041 CVE-2018-6042 
CVE-2018-6043 CVE-2018-6045 CVE-2018-6046 CVE-2018-6047 CVE-2018-6048 
CVE-2018-6049 CVE-2018-6050 CVE-2018-6051 CVE-2018-6052 CVE-2018-6053 
CVE-2018-6054}
[stretch] - chromium-browser 64.0.3282.119-1~deb9u1
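Review bot: the new DSA-4104-1 entry covers CVE-2017-17969 for jessie and stretch, but the corresponding CVE-2017-17969 entry in data/CVE/list (see the "Cleanup note for CVE-2017-17969" commit) still carries only `{DLA-1268-1}`; make sure `{DSA-4104-1}` gets added there so the CVE page shows the jessie and stretch fixes as covered by an advisory.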


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -52,8 +52,6 @@ openjdk-8/stable (jmm)
 --
 openjpeg2
 --
-p7zip (carnil)
---
 passenger/stable
 --
 php-horde-image



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/29c7821e7b7a71a014287b078396f6f9c0fbbd69


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Cleanup note for CVE-2017-17969

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01b91368 by Salvatore Bonaccorso at 2018-02-04T21:20:27+01:00
Cleanup note for CVE-2017-17969

The initial patch was anyway not working and subsequent discussions led
to a fix confirmed by the reporter.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -7234,7 +7234,7 @@ CVE-2017-17969 (Heap-based buffer overflow in the ...)
{DLA-1268-1}
- p7zip 16.02+dfsg-5 (bug #888297)
NOTE: 
https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/
-   NOTE: fixed in upstream 18.00-beta, backport available for testing in 
bug#888297
+   NOTE: Fixed in upstream 18.00-beta.
 CVE-2018-3709
RESERVED
 CVE-2018-3708
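Review bot: the rewritten NOTE drops the pointer to the backport discussion; bug #888297 is still referenced on the package line, so nothing is lost, but "Fixed in upstream 18.00-beta." alone does not say which upstream change is the fix. Naming the upstream commit or the patch file shipped in 16.02+dfsg-5 would let the jessie and stretch backports be checked against it.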



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/01b91368db09fb81bd9c48cbc77fc521257b7666


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add reference to patch and upstream bug for CVE-2018-5950

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
178d6be1 by Salvatore Bonaccorso at 2018-02-04T20:56:18+01:00
Add reference to patch and upstream bug for CVE-2018-5950

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1854,6 +1854,8 @@ CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the 
email_ftp_password_change
 CVE-2018-5950 (Cross-site scripting (XSS) vulnerability in the web UI in 
Mailman ...)
- mailman 1:2.1.26-1 (bug #888201)
NOTE: 
https://mail.python.org/pipermail/mailman-users/2018-February/083011.html
+   NOTE: Patch: https://launchpadlibrarian.net/355686141/options.patch
+   NOTE: https://bugs.launchpad.net/mailman/+bug/1747209
 CVE-2018-5949
RESERVED
 CVE-2018-5948
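Review bot: the `Patch:` NOTE points at a launchpadlibrarian attachment (`options.patch`) rather than at the Bazaar revision that landed in Mailman 2.1.26; bug attachments can be superseded or revised without the URL changing, so the Launchpad bug URL added in the next line is the more durable reference, and the actual upstream revision (or release diff) should be cited once known.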



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/178d6be17208407e014ad93ebbb9095cf3f93a9f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference mailman advisory/announce for CVE-2018-5950

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e5e5ff7e by Salvatore Bonaccorso at 2018-02-04T20:54:42+01:00
Reference mailman advisory/announce for CVE-2018-5950

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1853,7 +1853,7 @@ CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the 
email_ftp_password_change
NOT-FOR-US: JBMC DirectAdmin
 CVE-2018-5950 (Cross-site scripting (XSS) vulnerability in the web UI in 
Mailman ...)
- mailman 1:2.1.26-1 (bug #888201)
-   NOTE: 
https://www.mail-archive.com/mailman-users@python.org/msg70375.html
+   NOTE: 
https://mail.python.org/pipermail/mailman-users/2018-February/083011.html
 CVE-2018-5949
RESERVED
 CVE-2018-5948



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e5e5ff7e9686e37cd6187f7f24e5d8078b72b9f4


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1269-1 for dokuwiki

2018-02-04 Thread Chris Lamb
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
397e4079 by Chris Lamb at 2018-02-04T10:33:42+00:00
Reserve DLA-1269-1 for dokuwiki

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[04 Feb 2018] DLA-1269-1 dokuwiki - security update
+   {CVE-2017-18123}
+   [wheezy] - dokuwiki 0.0.20120125b-2+deb7u2
 [02 Feb 2018] DLA-1268-1 p7zip - security update
{CVE-2017-17969}
[wheezy] - p7zip 9.20.1~dfsg.1-4+deb7u3


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -14,8 +14,6 @@ clamav (Thorsten Alteholz)
 --
 dojo
 --
-dokuwiki (Chris Lamb)
---
 dovecot (Thorsten Alteholz)
   NOTE: after applying the patch, login segfaults
   NOTE: maintainer and security team are looking into this



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/397e4079921fec066f544d68c5184fe9088524f4


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process some NFUs

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e8e1f396 by Salvatore Bonaccorso at 2018-02-04T11:14:01+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,7 +1,7 @@
 CVE-2018-6607
RESERVED
 CVE-2018-6606 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. 
Improper ...)
-   TODO: check
+   NOT-FOR-US: MalwareFox AntiMalware
 CVE-2018-6605
RESERVED
 CVE-2018-6604
@@ -33,7 +33,7 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto 
through 2.6.1 generat
NOTE: The issue is found as well in pycryptodome (fork from 
python-crypto)
NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90
 CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. 
Improper ...)
-   TODO: check
+   NOT-FOR-US: MalwareFox AntiMalware
 CVE-2018-6592
RESERVED
 CVE-2018-6591
@@ -8354,7 +8354,7 @@ CVE-2017-17705
 CVE-2017-17704 (A door-unlocking issue was discovered on Software House iStar 
Ultra ...)
NOT-FOR-US: Software House iStar Ultra devices
 CVE-2017-17703 (Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has 
Persistent ...)
-   TODO: check
+   NOT-FOR-US: Zimbra
 CVE-2017-17702
RESERVED
 CVE-2018-3559
@@ -16380,7 +16380,7 @@ CVE-2018-0508 (Cross-site scripting vulnerability in 
epg search result viewer ..
 CVE-2018-0507 (Untrusted search path vulnerability in FLET'S VIRUS CLEAR Easy 
Setup  ...)
NOT-FOR-US: FLET'S VIRUS CLEAR
 CVE-2018-0506 (Nootka 1.4.4 and earlier allows remote attackers to execute 
arbitrary ...)
-   TODO: check
+   NOT-FOR-US: Nootka
 CVE-2018-0505
RESERVED
 CVE-2018-0504
@@ -42365,7 +42365,7 @@ CVE-2017-8785 (FastStone Image Viewer 6.2 has a 
Data from Faulting Address
 CVE-2017-8784
REJECTED
 CVE-2017-8783 (Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has 
Persistent ...)
-   TODO: check
+   NOT-FOR-US: Zimbra
 CVE-2017-8782 (The readString function in util/read.c and util/old/read.c in 
libming ...)
{DLA-980-1}
- ming 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8e1f3968b17e8047bca6d69a86c94cdf79cd8d1


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0596c286 by security tracker role at 2018-02-04T09:10:16+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,4 +1,26 @@
-CVE-2018-6596 [Security issue with timing attack on WEBHOOK_AUTHORIZATION]
+CVE-2018-6607
+   RESERVED
+CVE-2018-6606 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. 
Improper ...)
+   TODO: check
+CVE-2018-6605
+   RESERVED
+CVE-2018-6604
+   RESERVED
+CVE-2018-6603
+   RESERVED
+CVE-2018-6602
+   RESERVED
+CVE-2018-6601
+   RESERVED
+CVE-2018-6600
+   RESERVED
+CVE-2018-6599
+   RESERVED
+CVE-2018-6598
+   RESERVED
+CVE-2018-6597
+   RESERVED
+CVE-2018-6596 (webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 
is prone ...)
- django-anymail 1.3-1 (bug #889450)
NOTE: 
https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5
 (v1.3)
NOTE: 
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b
 (v1.2.x-branch)
@@ -8331,8 +8353,8 @@ CVE-2017-17705
RESERVED
 CVE-2017-17704 (A door-unlocking issue was discovered on Software House iStar 
Ultra ...)
NOT-FOR-US: Software House iStar Ultra devices
-CVE-2017-17703
-   RESERVED
+CVE-2017-17703 (Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has 
Persistent ...)
+   TODO: check
 CVE-2017-17702
RESERVED
 CVE-2018-3559
@@ -42342,8 +42364,8 @@ CVE-2017-8785 (FastStone Image Viewer 6.2 has a 
Data from Faulting Address
NOT-FOR-US: FastStone Image Viewer
 CVE-2017-8784
REJECTED
-CVE-2017-8783
-   RESERVED
+CVE-2017-8783 (Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has 
Persistent ...)
+   TODO: check
 CVE-2017-8782 (The readString function in util/read.c and util/old/read.c in 
libming ...)
{DLA-980-1}
- ming 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0596c286e11179cda835ef9ab966911d1c331abe


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6188/python-django

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e91c6ac by Salvatore Bonaccorso at 2018-02-04T09:19:28+01:00
Add CVE-2018-6188/python-django

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1132,8 +1132,13 @@ CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite 
recursion flaw in ...)
NOTE: 
https://github.com/tats/w3m/commit/8354763b90490d4105695df52674d0fcef823e92
 CVE-2018-6189
RESERVED
-CVE-2018-6188
+CVE-2018-6188 [information leakage in AuthenticationForm]
RESERVED
+   - python-django 1:1.11.10-1
+   [stretch] - python-django  (Issue introduced in 1.11.8 
and 2.0)
+   [jessie] - python-django  (Issue introduced in 1.11.8 and 
2.0)
+   [wheezy] - python-django  (Issue introduced in 1.11.8 and 
2.0)
+   NOTE: 
https://www.djangoproject.com/weblog/2018/feb/01/security-releases/
 CVE-2018-6187 (In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow 
...)
- mupdf  (bug #888464)
[stretch] - mupdf  (Minor issue)
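Review bot: the three release lines give "Issue introduced in 1.11.8 and 2.0" as the reason, which relies on the Django versions shipped in stretch, jessie and wheezy all predating 1.11.8, but the entry never states those versions; adding them to the reason would make the not-affected assessment verifiable without a package lookup. Also note the entry keeps `RESERVED` alongside a bracketed title and a fix version, which is the convention for a CVE assigned but not yet published by MITRE, so the description should be refreshed by the next automatic update.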



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e91c6acc3d1ca48b05f3a53de0ad2638cb2a757


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6596/django-anymail assigned

2018-02-04 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e33624c by Salvatore Bonaccorso at 2018-02-04T09:01:38+01:00
CVE-2018-6596/django-anymail assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,8 +1,7 @@
-CVE-2018- [Security issue with timing attack on WEBHOOK_AUTHORIZATION]
+CVE-2018-6596 [Security issue with timing attack on WEBHOOK_AUTHORIZATION]
- django-anymail 1.3-1 (bug #889450)
NOTE: 
https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5
 (v1.3)
NOTE: 
https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b
 (v1.2.x-branch)
-   TODO: check if DSA warranted, is in contrib section
 CVE-2018-6595
RESERVED
 CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 
generates ...)
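Review bot: the removed `TODO: check if DSA warranted, is in contrib section` recorded an open question, and this commit drops it without recording an answer; the entry now lists only the sid fix `1.3-1` with no `[stretch]` line, so stretch remains shown as vulnerable by default. If stretch ships django-anymail, add a `[stretch]` line with the no-dsa or fix decision; if it does not, a NOTE saying so closes the question.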



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8e33624c62d959aa9d00c8a1add41dd6d5c43a2d
