[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark chromium-browser as end-of-life for jessie
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9087c027 by Salvatore Bonaccorso at 2018-02-05T06:20:39+01:00 Mark chromium-browser as end-of-life for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -185,6 +185,7 @@ CVE-2018-6549 RESERVED CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02-02. If ...) - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in wheezy LTS) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md @@ -605,6 +606,7 @@ CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 NOT-FOR-US: CIPCAMPTIWL devices CVE-2018-6406 (The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in ...) - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in wheezy LTS) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1492 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9087c0273dad6007cd134c0caea0ceb152e8478d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9087c0273dad6007cd134c0caea0ceb152e8478d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
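Review bot: in both hunks the added line `[jessie] - chromium-browser (End of life, see DSA 4020)` carries a free-text reason but no version or pseudo-version; in this file a package name with no version (compare the `- chromium-browser` line directly above it) is the unfixed state, so unless an `<end-of-life>` marker was present and stripped by the mail rendering, add it so the jessie entry is not listed as an open issue.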
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Drop ceph-deploy ITP
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f79ad4f by Paul Wise at 2018-02-05T12:09:15+08:00 Drop ceph-deploy ITP - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -111787,7 +111787,7 @@ CVE-2015- [XSS in group administration] [jessie] - php-horde 5.2.1+debian0-2+deb8u1 NOTE: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220 CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses world-readable ...) - - ceph-deploy (bug #694013) + - ceph-deploy NOTE: http://tracker.ceph.com/issues/11694 CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with ...) NOT-FOR-US: Unisys Libra @@ -114929,7 +114929,7 @@ CVE-2015-4085 (Directory traversal vulnerability in node/hooks/express/tests.js CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...) - etherpad-lite (bug #576998) CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ...) - - ceph-deploy (bug #694013) + - ceph-deploy NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9 CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 ...) {DSA-3223-1 DLA-192-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f79ad4fe74a65117386ddd37731949e684a4721 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f79ad4fe74a65117386ddd37731949e684a4721 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
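Review bot: dropping the bug reference leaves a bare `- ceph-deploy` line in both hunks, which this file reads as still vulnerable; since the preceding commit 1c6c4f57 states the first uploaded version is newer than the fixed 1.5.25, the line should carry that fixed Debian version or a `<not-affected>` marker with a reason such as `(Fixed before initial upload)`, so that CVE-2015-4053 and CVE-2015-3010 do not show as open against the newly accepted package.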
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] ceph-deploy accepted into Debian
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c6c4f57 by Paul Wise at 2018-02-05T12:07:51+08:00 ceph-deploy accepted into Debian First version uploaded is newer than the fixed version 1.5.25 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -111787,7 +111787,7 @@ CVE-2015- [XSS in group administration] [jessie] - php-horde 5.2.1+debian0-2+deb8u1 NOTE: https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220 CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses world-readable ...) - - ceph-deploy (bug #694013) + - ceph-deploy (bug #694013) NOTE: http://tracker.ceph.com/issues/11694 CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with ...) NOT-FOR-US: Unisys Libra @@ -114929,7 +114929,7 @@ CVE-2015-4085 (Directory traversal vulnerability in node/hooks/express/tests.js CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in Etherpad ...) - etherpad-lite (bug #576998) CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ...) - - ceph-deploy (bug #694013) + - ceph-deploy (bug #694013) NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9 CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 ...) {DSA-3223-1 DLA-192-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1c6c4f579c19ece2064bba9d613533e8cc6a848f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1c6c4f579c19ece2064bba9d613533e8cc6a848f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
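Review bot: as rendered, the removed and added lines in both hunks are identical (`- ceph-deploy (bug #694013)`), so the change the commit message describes cannot be verified from the diff; if the old line carried a pseudo-version marker in angle brackets that the mail rendering stripped, state the old and new state in the commit message, and given that the first uploaded version is newer than the fixed 1.5.25, the resulting package line should end with the fixed version or a `<not-affected>` marker rather than a bare package name.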
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-0508 to 10: NFU
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: c1309e66 by Luciano Bello at 2018-02-04T22:06:29-05:00 CVE-2018-0508 to 10: NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16398,11 +16398,11 @@ CVE-2018-0512 CVE-2018-0511 (Cross-site scripting vulnerability in WP Retina 2x prior to version ...) NOT-FOR-US: WP Retina CVE-2018-0510 (Buffer overflow in epg search result viewer (kkcald) 0.7.19 and ...) - TODO: check + NOT-FOR-US: kkcal CVE-2018-0509 (Cross-site request forgery (CSRF) vulnerability in epg search result ...) - TODO: check + NOT-FOR-US: kkcal CVE-2018-0508 (Cross-site scripting vulnerability in epg search result viewer ...) - TODO: check + NOT-FOR-US: kkcal CVE-2018-0507 (Untrusted search path vulnerability in FLET'S VIRUS CLEAR Easy Setup ...) NOT-FOR-US: FLET'S VIRUS CLEAR CVE-2018-0506 (Nootka 1.4.4 and earlier allows remote attackers to execute arbitrary ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c1309e66c41c1e6311163d5d3faa7aa65d30a53e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c1309e66c41c1e6311163d5d3faa7aa65d30a53e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
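Review bot: the three added `NOT-FOR-US: kkcal` lines use a product name that differs from the one in the CVE descriptions (`kkcald`, the epg search result viewer); use the name as written in the CVE text so that later searches for the product match the label.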
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2018-6548: chromium-browser
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: c6864d05 by Luciano Bello at 2018-02-04T21:35:58-05:00 CVE-2018-6548: chromium-browser unfixed - - - - - 9d6005e5 by Luciano Bello at 2018-02-04T21:49:04-05:00 CVE-2018-6317: NFU - - - - - e939cb82 by Luciano Bello at 2018-02-04T21:51:25-05:00 CVE-2018-5261: NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -184,6 +184,10 @@ CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vuln CVE-2018-6549 RESERVED CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02-02. If ...) + - chromium-browser + [wheezy] - chromium-browser (Not supported in wheezy LTS) + NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493 + NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md TODO: check CVE-2018-6547 RESERVED @@ -883,7 +887,7 @@ CVE-2018-6319 (In Sophos Tester Tool 3.2.0.7 Beta, the driver accepts a special CVE-2018-6318 (In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the context ...) NOT-FOR-US: Sophos Tester Tool CVE-2018-6317 (The remote management interface in Claymore Dual Miner 10.5 and ...) - TODO: check + NOT-FOR-US: Claymore's Dual Ethereum CVE-2018-6316 RESERVED CVE-2018-6315 (The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming ...) 
@@ -3595,7 +3599,7 @@ CVE-2018-5263 (The StackIdeas EasyDiscuss (aka com_easydiscuss) extension before CVE-2018-5262 (A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and earlier ...) NOT-FOR-US: Flexense DiskBoss CVE-2018-5261 (An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due ...) - TODO: check + NOT-FOR-US: Flexense DiskBoss CVE-2018-5260 RESERVED CVE-2018-5259 (Discuz! DiscuzX X3.4 allows remote authenticated users to bypass ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/886db6a37a59fb415b84eecb27307f3661d8d126...e939cb82604c723baf9e167c3486df5e2deea89a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/886db6a37a59fb415b84eecb27307f3661d8d126...e939cb82604c723baf9e167c3486df5e2deea89a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
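Review bot: in the first hunk (CVE-2018-6548) the four added lines sit above a `TODO: check` context line that is kept; once the package is assigned and the upstream references are recorded, the TODO should be removed in the same commit, or it should say what remains to be checked (for example whether the libwebm copy bundled in chromium-browser is the affected one).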
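Review bot: in the second hunk the new `NOT-FOR-US: Claymore's Dual Ethereum` label does not match the product name in the CVE-2018-6317 description (`Claymore Dual Miner`); use the description's name so the label and the CVE text agree, as the third hunk does for Flexense DiskBoss.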
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6612/jhead, #889272
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8587025 by Salvatore Bonaccorso at 2018-02-04T22:20:48+01:00 Add CVE-2018-6612/jhead, #889272 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5,6 +5,8 @@ CVE-2018-6614 CVE-2018-6613 RESERVED CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the exif.c ...) + - jhead 1:3.00-6 (bug #889272) + NOTE: https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784 TODO: check CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e85870250fabc7453dd0e9a60436f34391444e19 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e85870250fabc7453dd0e9a60436f34391444e19 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
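Review bot: the `TODO: check` context line directly below the two added lines is kept even though the jhead entry is now complete (fixed version, bug reference and patch link); remove it in the same commit so the entry does not remain in the triage queue.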
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6611: update status for stretch version
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f3b86c4 by Salvatore Bonaccorso at 2018-02-04T22:41:33+01:00 CVE-2018-6611: update status for stretch version - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9,6 +9,7 @@ CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the exif NOTE: https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt ...) - libopenmpt (bug #889545) + [stretch] - libopenmpt (Vulnerable code not present) NOTE: https://github.com/OpenMPT/openmpt/commit/61fc6d3030a4d4283105cb5fb46b27b42fa5575e CVE-2018-6610 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f3b86c44a9ad47f44d7f5a4f732b3e024fb7152 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f3b86c44a9ad47f44d7f5a4f732b3e024fb7152 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
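Review bot: the added `[stretch] - libopenmpt (Vulnerable code not present)` line has no version or pseudo-version; in this file a bare package name is the unfixed state (the `- libopenmpt (bug #889545)` line above it is the open unstable entry), so a `<not-affected>` marker should precede the reason text unless the mail rendering stripped it; as shown, stretch would be listed as vulnerable.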
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-6611
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a6078d0 by Salvatore Bonaccorso at 2018-02-04T22:39:10+01:00 Add bug reference for CVE-2018-6611 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8,7 +8,7 @@ CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the exif - jhead 1:3.00-6 (bug #889272) NOTE: https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt ...) - - libopenmpt + - libopenmpt (bug #889545) NOTE: https://github.com/OpenMPT/openmpt/commit/61fc6d3030a4d4283105cb5fb46b27b42fa5575e CVE-2018-6610 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5a6078d02e4fd4f997ef653b708c41a088985f28 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5a6078d02e4fd4f997ef653b708c41a088985f28 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6611/libopenmpt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 131995ed by Salvatore Bonaccorso at 2018-02-04T22:23:57+01:00 Add CVE-2018-6611/libopenmpt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8,7 +8,8 @@ CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the exif - jhead 1:3.00-6 (bug #889272) NOTE: https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784 CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt ...) - TODO: check + - libopenmpt + NOTE: https://github.com/OpenMPT/openmpt/commit/61fc6d3030a4d4283105cb5fb46b27b42fa5575e CVE-2018-6610 RESERVED CVE-2018-6609 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/131995ed56ff0f98632b5095b038551ee693f5b0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/131995ed56ff0f98632b5095b038551ee693f5b0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
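Review bot: the new `- libopenmpt` line records the upstream fix commit but neither a fixed Debian version nor a bug reference; an open entry for unstable is fine, but a Debian bug should be filed and referenced on the package line at the same time so the maintainer is notified (the follow-up commit 5a6078d0 adds bug #889545).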
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove TODO item for CVE-2018-6612
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 38feb681 by Salvatore Bonaccorso at 2018-02-04T22:21:44+01:00 Remove TODO item for CVE-2018-6612 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7,7 +7,6 @@ CVE-2018-6613 CVE-2018-6612 (An integer underflow bug in the process_EXIF function of the exif.c ...) - jhead 1:3.00-6 (bug #889272) NOTE: https://anonscm.debian.org/git/collab-maint/jhead.git/diff/debian/patches/0008-heap-buffer-overflow.patch?id=01f09ab772d0d341cdc1326490dd2aa5aa2a7784 - TODO: check CVE-2018-6611 (soundlib/Load_stp.cpp in OpenMPT through 1.27.04.00, and libopenmpt ...) TODO: check CVE-2018-6610 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38feb681dcfde7d224ac976d2afa6cc0555047b4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38feb681dcfde7d224ac976d2afa6cc0555047b4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DSA number for p7zip update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29c7821e by Salvatore Bonaccorso at 2018-02-04T21:24:12+01:00 Reserve DSA number for p7zip update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[04 Feb 2018] DSA-4104-1 p7zip - security update + {CVE-2017-17969} + [jessie] - p7zip 9.20.1~dfsg.1-4.1+deb8u3 + [stretch] - p7zip 16.02+dfsg-3+deb9u1 [31 Jan 2018] DSA-4103-1 chromium-browser - security update {CVE-2017-15420 CVE-2017-15429 CVE-2018-6031 CVE-2018-6032 CVE-2018-6033 CVE-2018-6034 CVE-2018-6035 CVE-2018-6036 CVE-2018-6037 CVE-2018-6038 CVE-2018-6039 CVE-2018-6040 CVE-2018-6041 CVE-2018-6042 CVE-2018-6043 CVE-2018-6045 CVE-2018-6046 CVE-2018-6047 CVE-2018-6048 CVE-2018-6049 CVE-2018-6050 CVE-2018-6051 CVE-2018-6052 CVE-2018-6053 CVE-2018-6054} [stretch] - chromium-browser 64.0.3282.119-1~deb9u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -52,8 +52,6 @@ openjdk-8/stable (jmm) -- openjpeg2 -- -p7zip (carnil) --- passenger/stable -- php-horde-image View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/29c7821e7b7a71a014287b078396f6f9c0fbbd69 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/29c7821e7b7a71a014287b078396f6f9c0fbbd69 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Cleanup note for CVE-2017-17969
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01b91368 by Salvatore Bonaccorso at 2018-02-04T21:20:27+01:00 Cleanup note for CVE-2017-17969 The initial patch was anyway not working and subsequent discussions lead to a fix confirmed by the reporter. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7234,7 +7234,7 @@ CVE-2017-17969 (Heap-based buffer overflow in the ...) {DLA-1268-1} - p7zip 16.02+dfsg-5 (bug #888297) NOTE: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/ - NOTE: fixed in upstream 18.00-beta, backport available for testing in bug#888297 + NOTE: Fixed in upstream 18.00-beta. CVE-2018-3709 RESERVED CVE-2018-3708 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01b91368db09fb81bd9c48cbc77fc521257b7666 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01b91368db09fb81bd9c48cbc77fc521257b7666 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
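Review bot: the rewritten `NOTE: Fixed in upstream 18.00-beta.` drops the pointer to the backport in bug #888297; the bug number is still on the package line, but since the commit message says the initial patch did not work and a later fix was confirmed by the reporter, a short note naming which patch was confirmed would keep that history in the entry.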
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add reference to patch and upstream bug for CVE-2018-5950
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 178d6be1 by Salvatore Bonaccorso at 2018-02-04T20:56:18+01:00 Add reference to patch and upstream bug for CVE-2018-5950 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1854,6 +1854,8 @@ CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the email_ftp_password_change CVE-2018-5950 (Cross-site scripting (XSS) vulnerability in the web UI in Mailman ...) - mailman 1:2.1.26-1 (bug #888201) NOTE: https://mail.python.org/pipermail/mailman-users/2018-February/083011.html + NOTE: Patch: https://launchpadlibrarian.net/355686141/options.patch + NOTE: https://bugs.launchpad.net/mailman/+bug/1747209 CVE-2018-5949 RESERVED CVE-2018-5948 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/178d6be17208407e014ad93ebbb9095cf3f93a9f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/178d6be17208407e014ad93ebbb9095cf3f93a9f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference mailman advisory/announce for CVE-2018-5950
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e5e5ff7e by Salvatore Bonaccorso at 2018-02-04T20:54:42+01:00 Reference mailman advisory/announce for CVE-2018-5950 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1853,7 +1853,7 @@ CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the email_ftp_password_change NOT-FOR-US: JBMC DirectAdmin CVE-2018-5950 (Cross-site scripting (XSS) vulnerability in the web UI in Mailman ...) - mailman 1:2.1.26-1 (bug #888201) - NOTE: https://www.mail-archive.com/mailman-users@python.org/msg70375.html + NOTE: https://mail.python.org/pipermail/mailman-users/2018-February/083011.html CVE-2018-5949 RESERVED CVE-2018-5948 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e5e5ff7e9686e37cd6187f7f24e5d8078b72b9f4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e5e5ff7e9686e37cd6187f7f24e5d8078b72b9f4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1269-1 for dokuwiki
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 397e4079 by Chris Lamb at 2018-02-04T10:33:42+00:00 Reserve DLA-1269-1 for dokuwiki - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[04 Feb 2018] DLA-1269-1 dokuwiki - security update + {CVE-2017-18123} + [wheezy] - dokuwiki 0.0.20120125b-2+deb7u2 [02 Feb 2018] DLA-1268-1 p7zip - security update {CVE-2017-17969} [wheezy] - p7zip 9.20.1~dfsg.1-4+deb7u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -14,8 +14,6 @@ clamav (Thorsten Alteholz) -- dojo -- -dokuwiki (Chris Lamb) --- dovecot (Thorsten Alteholz) NOTE: after applying the patch, login segfaults NOTE: maintainer and security team are looking into this View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/397e4079921fec066f544d68c5184fe9088524f4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/397e4079921fec066f544d68c5184fe9088524f4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8e1f396 by Salvatore Bonaccorso at 2018-02-04T11:14:01+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,7 @@ CVE-2018-6607 RESERVED CVE-2018-6606 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) - TODO: check + NOT-FOR-US: MalwareFox AntiMalware CVE-2018-6605 RESERVED CVE-2018-6604 @@ -33,7 +33,7 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generat NOTE: The issue is found as well in pycryptodome (fork from python-crypto) NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90 CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) - TODO: check + NOT-FOR-US: MalwareFox AntiMalware CVE-2018-6592 RESERVED CVE-2018-6591 @@ -8354,7 +8354,7 @@ CVE-2017-17705 CVE-2017-17704 (A door-unlocking issue was discovered on Software House iStar Ultra ...) NOT-FOR-US: Software House iStar Ultra devices CVE-2017-17703 (Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent ...) - TODO: check + NOT-FOR-US: Zimbra CVE-2017-17702 RESERVED CVE-2018-3559 @@ -16380,7 +16380,7 @@ CVE-2018-0508 (Cross-site scripting vulnerability in epg search result viewer .. CVE-2018-0507 (Untrusted search path vulnerability in FLET'S VIRUS CLEAR Easy Setup ...) NOT-FOR-US: FLET'S VIRUS CLEAR CVE-2018-0506 (Nootka 1.4.4 and earlier allows remote attackers to execute arbitrary ...) - TODO: check + NOT-FOR-US: Nootka CVE-2018-0505 RESERVED CVE-2018-0504 
@@ -42365,7 +42365,7 @@ CVE-2017-8785 (FastStone Image Viewer 6.2 has a Data from Faulting Address CVE-2017-8784 REJECTED CVE-2017-8783 (Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent ...) - TODO: check + NOT-FOR-US: Zimbra CVE-2017-8782 (The readString function in util/read.c and util/old/read.c in libming ...) {DLA-980-1} - ming View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8e1f3968b17e8047bca6d69a86c94cdf79cd8d1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8e1f3968b17e8047bca6d69a86c94cdf79cd8d1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0596c286 by security tracker role at 2018-02-04T09:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,4 +1,26 @@ -CVE-2018-6596 [Security issue with timing attack on WEBHOOK_AUTHORIZATION] +CVE-2018-6607 + RESERVED +CVE-2018-6606 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) + TODO: check +CVE-2018-6605 + RESERVED +CVE-2018-6604 + RESERVED +CVE-2018-6603 + RESERVED +CVE-2018-6602 + RESERVED +CVE-2018-6601 + RESERVED +CVE-2018-6600 + RESERVED +CVE-2018-6599 + RESERVED +CVE-2018-6598 + RESERVED +CVE-2018-6597 + RESERVED +CVE-2018-6596 (webhooks/base.py in Anymail (aka django-anymail) before 1.2.1 is prone ...) - django-anymail 1.3-1 (bug #889450) NOTE: https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5 (v1.3) NOTE: https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b (v1.2.x-branch) @@ -8331,8 +8353,8 @@ CVE-2017-17705 RESERVED CVE-2017-17704 (A door-unlocking issue was discovered on Software House iStar Ultra ...) NOT-FOR-US: Software House iStar Ultra devices -CVE-2017-17703 - RESERVED +CVE-2017-17703 (Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent ...) + TODO: check CVE-2017-17702 RESERVED CVE-2018-3559 
@@ -42342,8 +42364,8 @@ CVE-2017-8785 (FastStone Image Viewer 6.2 has a Data from Faulting Address NOT-FOR-US: FastStone Image Viewer CVE-2017-8784 REJECTED -CVE-2017-8783 - RESERVED +CVE-2017-8783 (Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent ...) + TODO: check CVE-2017-8782 (The readString function in util/read.c and util/old/read.c in libming ...) {DLA-980-1} - ming View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0596c286e11179cda835ef9ab966911d1c331abe --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0596c286e11179cda835ef9ab966911d1c331abe You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6188/python-django
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e91c6ac by Salvatore Bonaccorso at 2018-02-04T09:19:28+01:00 Add CVE-2018-6188/python-django - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1132,8 +1132,13 @@ CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...) NOTE: https://github.com/tats/w3m/commit/8354763b90490d4105695df52674d0fcef823e92 CVE-2018-6189 RESERVED -CVE-2018-6188 +CVE-2018-6188 [information leakage in AuthenticationForm] RESERVED + - python-django 1:1.11.10-1 + [stretch] - python-django (Issue introduced in 1.11.8 and 2.0) + [jessie] - python-django (Issue introduced in 1.11.8 and 2.0) + [wheezy] - python-django (Issue introduced in 1.11.8 and 2.0) + NOTE: https://www.djangoproject.com/weblog/2018/feb/01/security-releases/ CVE-2018-6187 (In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow ...) - mupdf (bug #888464) [stretch] - mupdf (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e91c6acc3d1ca48b05f3a53de0ad2638cb2a757 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e91c6acc3d1ca48b05f3a53de0ad2638cb2a757 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
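Review bot: the three added suite lines (`[stretch]`, `[jessie]` and `[wheezy] - python-django (Issue introduced in 1.11.8 and 2.0)`) carry only a reason in parentheses and no pseudo-version, so as rendered they read as open entries for each suite; unless the `<not-affected>` marker was lost in the mail rendering, add it, because a bare package name in this file is the unfixed state.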
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6596/django-anymail assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e33624c by Salvatore Bonaccorso at 2018-02-04T09:01:38+01:00 CVE-2018-6596/django-anymail assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,8 +1,7 @@ -CVE-2018- [Security issue with timing attack on WEBHOOK_AUTHORIZATION] +CVE-2018-6596 [Security issue with timing attack on WEBHOOK_AUTHORIZATION] - django-anymail 1.3-1 (bug #889450) NOTE: https://github.com/anymail/django-anymail/commit/db586ede1fbb41dce21310ea28ae15a1cf1286c5 (v1.3) NOTE: https://github.com/anymail/django-anymail/commit/c07998304b4a31df4c61deddcb03d3607a04691b (v1.2.x-branch) - TODO: check if DSA warranted, is in contrib section CVE-2018-6595 RESERVED CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8e33624c62d959aa9d00c8a1add41dd6d5c43a2d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8e33624c62d959aa9d00c8a1add41dd6d5c43a2d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
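Review bot: the removed `TODO: check if DSA warranted, is in contrib section` line is dropped without a recorded decision; if the conclusion is that no DSA is needed because the package is in contrib, record it in the entry (for example a `<no-dsa>` suite line with that reason) rather than deleting the question, so the reasoning survives for the next person touching CVE-2018-6596.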