[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 27445bde by security tracker role at 2018-02-16T09:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,6 +1,22 @@ -CVE-2018-168 +CVE-2018-7180 + RESERVED +CVE-2018-7179 + RESERVED +CVE-2018-7178 + RESERVED +CVE-2018-7177 + RESERVED +CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a ...) + TODO: check +CVE-2018-7175 (An issue was discovered in xpdf 4.00. A NULL pointer dereference in ...) + TODO: check +CVE-2018-7174 (An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref ...) + TODO: check +CVE-2018-7173 (A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an ...) + TODO: check +CVE-2018-168 (An improper input validation vulnerability exists in Jenkins versions ...) - jenkins -CVE-2018-167 +CVE-2018-167 (An improper authorization vulnerability exists in Jenkins versions ...) - jenkins CVE-2018-7172 RESERVED @@ -2357,8 +2373,8 @@ CVE-2017-18076 (In strategy.rb in OmniAuth before 1.3.2, the authenticity_token [experimental] - ruby-omniauth 1.6.1-1 - ruby-omniauth 1.3.1-2 (bug #888523) NOTE: https://github.com/omniauth/omniauth/pull/867 -CVE-2018-6324 - RESERVED +CVE-2018-6324 (F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated ...) + TODO: check CVE-2018-6323 (The elf_object_p function in elfcode.h in the Binary File Descriptor ...) - binutils 2.30-3 [stretch] - binutils (Minor issue) 
@@ -2378,8 +2394,8 @@ CVE-2018-6318 (In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the cont NOT-FOR-US: Sophos Tester Tool CVE-2018-6317 (The remote management interface in Claymore Dual Miner 10.5 and ...) NOT-FOR-US: Claymore's Dual Ethereum -CVE-2018-6316 - RESERVED +CVE-2018-6316 (Ivanti Endpoint Security (formerly HEAT Endpoint Management and ...) + TODO: check CVE-2018-6315 (The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming ...) - ming NOTE: https://github.com/libming/libming/issues/101 @@ -2666,8 +2682,8 @@ CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...) [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/88 NOTE: https://github.com/tats/w3m/commit/8354763b90490d4105695df52674d0fcef823e92 -CVE-2018-6189 - RESERVED +CVE-2018-6189 (F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors ...) + TODO: check CVE-2018-6188 (django.contrib.auth.forms.AuthenticationForm in Django 2.0 before ...) - python-django 1:1.11.10-1 [stretch] - python-django (Issue introduced in 1.11.8 and 2.0) @@ -3803,8 +3819,8 @@ CVE-2018-5769 RESERVED CVE-2018-5768 RESERVED -CVE-2018-5767 - RESERVED +CVE-2018-5767 (An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A ...) + TODO: check CVE-2018-5766 (In Libav through 12.2, there is an invalid memcpy in the av_packet_ref ...) - libav [jessie] - libav (Minor issue) 
@@ -4701,16 +4717,19 @@ CVE-2018-5382 RESERVED CVE-2018-5381 [fix infinite loop on certain invalid OPEN messages] RESERVED + {DSA-4115-1} - quagga (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1975.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=ce07207c50a3d1f05d6dd49b5294282e59749787 CVE-2018-5380 [debug print of received NOTIFY data can over-read msg array] RESERVED + {DSA-4115-1} - quagga (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1550.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=9e5251151894aefdf8e9392a2371615222119ad8 CVE-2018-5379 [Fix double free of unknown attribute] RESERVED + {DSA-4115-1} - quagga (bug #890563) NOTE: https://www.quagga.net/security/Quagga-2018-1114.txt NOTE: https://git.savannah.gnu.org/cgit/quagga.git/commit/?id=e69b535f92eafb599329bf725d9b4c6fd5d7fded @@ -26694,12 +26713,12 @@ CVE-2017-14539 (IrfanView 4.44 - 32bit allows attackers to cause a denial of ser NOT-FOR-US: IrfanView CVE-2017-14538 (XnView Classic for Windows Version 2.40 allows attackers to execute ...) NOT-FOR-US: XnView -CVE-2017-14537 - RESERVED -CVE-2017-14536 - RESERVED -CVE-2017-14535 - RESERVED +CVE-2017-14537 (trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter to ...) + TODO: check +CVE-2017-14536 (trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or ...) + TODO: check +CVE-2017-14535 (trixbox 2.8.0
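Review bot: in the first hunk the re-added Jenkins entries `+CVE-2018-168 (An improper input validation vulnerability exists in Jenkins versions ...)` and `+CVE-2018-167 (An improper authorization vulnerability exists in Jenkins versions ...)` carry identifiers with only three digits in the sequence part, which is not a valid CVE ID form (the sequence part is at least four digits), so the identifiers as committed should be verified before anything keys on them. Separately, the last hunk of this message breaks off after `+CVE-2017-14535 (trixbox 2.8.0`, so the remaining trixbox entries and whatever follows them cannot be reviewed from this mail.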
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7176/frontaccounting
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4215a6a4 by Salvatore Bonaccorso at 2018-02-16T10:44:32+01:00 Add CVE-2018-7176/frontaccounting - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7,7 +7,7 @@ CVE-2018-7178 CVE-2018-7177 RESERVED CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a ...) - TODO: check + - frontaccounting CVE-2018-7175 (An issue was discovered in xpdf 4.00. A NULL pointer dereference in ...) TODO: check CVE-2018-7174 (An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4215a6a4466c08556070dcec4f292e2aee649f90 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4215a6a4466c08556070dcec4f292e2aee649f90 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
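Review bot: the new `+ - frontaccounting` line for CVE-2018-7176 replaces `TODO: check` with a bare package assignment and records no fixed version, bug number or source reference for the CSRF issue; add the Debian bug reference and a `NOTE:` pointing at the report once filed, in the `(bug #NNNNNN)` and `NOTE:` form the rest of data/CVE/list uses, so the entry does not sit as an unexplained unfixed issue.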
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add references for CVE-2018-717{3, 4, 5}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c13cb32b by Salvatore Bonaccorso at 2018-02-16T10:48:25+01:00 Add references for CVE-2018-717{3,4,5} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9,10 +9,16 @@ CVE-2018-7177 CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a ...) - frontaccounting CVE-2018-7175 (An issue was discovered in xpdf 4.00. A NULL pointer dereference in ...) + - xpdf + NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613 TODO: check CVE-2018-7174 (An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref ...) + - xpdf + NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=605 TODO: check CVE-2018-7173 (A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an ...) + - xpdf + NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=607 TODO: check CVE-2018-168 (An improper input validation vulnerability exists in Jenkins versions ...) - jenkins View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c13cb32b6f3c94513fa7545ac92227c51beedf58 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c13cb32b6f3c94513fa7545ac92227c51beedf58 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
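Review bot: each of the three xpdf entries gains `+ - xpdf` and a forum `+ NOTE:` link but keeps its `TODO: check` line, so it is unclear whether the TODO still means the whole entry is untriaged or only that the fixed version is outstanding; either drop the TODO or reword it to say what remains to be checked.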
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a36825a2 by Salvatore Bonaccorso at 2018-02-16T10:51:36+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2380,7 +2380,7 @@ CVE-2017-18076 (In strategy.rb in OmniAuth before 1.3.2, the authenticity_token - ruby-omniauth 1.3.1-2 (bug #888523) NOTE: https://github.com/omniauth/omniauth/pull/867 CVE-2018-6324 (F-Secure Radar (on-premises) before 2018-02-15 has an Unvalidated ...) - TODO: check + NOT-FOR-US: F-Secure Radar CVE-2018-6323 (The elf_object_p function in elfcode.h in the Binary File Descriptor ...) - binutils 2.30-3 [stretch] - binutils (Minor issue) @@ -2401,7 +2401,7 @@ CVE-2018-6318 (In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the cont CVE-2018-6317 (The remote management interface in Claymore Dual Miner 10.5 and ...) NOT-FOR-US: Claymore's Dual Ethereum CVE-2018-6316 (Ivanti Endpoint Security (formerly HEAT Endpoint Management and ...) - TODO: check + NOT-FOR-US: Ivanti Endpoint Security CVE-2018-6315 (The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming ...) - ming NOTE: https://github.com/libming/libming/issues/101 @@ -2689,7 +2689,7 @@ CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...) NOTE: https://github.com/tats/w3m/issues/88 NOTE: https://github.com/tats/w3m/commit/8354763b90490d4105695df52674d0fcef823e92 CVE-2018-6189 (F-Secure Radar (on-premises) before 2018-02-15 has XSS via vectors ...) - TODO: check + NOT-FOR-US: F-Secure Radar CVE-2018-6188 (django.contrib.auth.forms.AuthenticationForm in Django 2.0 before ...) - python-django 1:1.11.10-1 [stretch] - python-django (Issue introduced in 1.11.8 and 2.0) 
@@ -3826,7 +3826,7 @@ CVE-2018-5769 CVE-2018-5768 RESERVED CVE-2018-5767 (An issue was discovered on Tenda AC15 V15.03.1.16_multi devices. A ...) - TODO: check + NOT-FOR-US: Tenda AC15 V15.03.1.16_multi devices CVE-2018-5766 (In Libav through 12.2, there is an invalid memcpy in the av_packet_ref ...) - libav [jessie] - libav (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a36825a2d979b18a532ee7f0832fae093d95b97a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a36825a2d979b18a532ee7f0832fae093d95b97a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b88d04d by Moritz Muehlenhoff at 2018-02-16T11:01:27+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -23071,6 +23071,7 @@ CVE-2017-15713 (Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x b - hadoop (bug #793644) CVE-2017-15712 RESERVED + NOT-FOR-US: Oozie CVE-2017-15711 REJECTED CVE-2017-15710 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b88d04d4c772b57bcf7ae0d1d0abe89f5062c04 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b88d04d4c772b57bcf7ae0d1d0abe89f5062c04 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] librsvg n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 50abe912 by Moritz Muehlenhoff at 2018-02-16T11:03:56+01:00 librsvg n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1330,7 +1330,7 @@ CVE-2018-142 (Security Onion Solutions Squert version 1.3.0 through 1.6.7 co NOT-FOR-US: Security Onion Solutions Squert CVE-2018-141 (GNOME librsvg version before commit ...) {DLA-1278-1} - - librsvg 2.40.20-1 (unimportant) + - librsvg (Specific to Windows) NOTE: Merge of changes: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea NOTE: https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/50abe912a2876ae039db725fa4d002d5c3e5c194 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/50abe912a2876ae039db725fa4d002d5c3e5c194 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
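Review bot: the package line for CVE-2018-141 changes from `- librsvg 2.40.20-1 (unimportant)` to `- librsvg (Specific to Windows)` while the `{DLA-1278-1}` reference stays in place, so the entry now states both that a wheezy advisory was issued for this issue and that the issue does not apply to Debian at all; add a `NOTE:` explaining why the DLA was issued for an issue now marked as Windows-specific, otherwise anyone auditing what DLA-1278-1 fixed will be misled.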
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: add and claim quagga
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 449a8203 by Thorsten Alteholz at 2018-02-16T11:56:10+01:00 add and claim quagga - - - - - ee4bae11 by Thorsten Alteholz at 2018-02-16T12:00:49+01:00 add quagga - - - - - 2 changed files: - data/dla-needed.txt - data/packages/lts-do-not-call Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -65,6 +65,8 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- +quagga (Thorsten Alteholz) +-- suricata (Santiago R.R.) NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c NOTE: does not exist. Code seems to be in SigMatchSignatures instead. = data/packages/lts-do-not-call = --- a/data/packages/lts-do-not-call +++ b/data/packages/lts-do-not-call 
@@ -24,6 +24,7 @@ opencv no answer to https://lists.debian.org/debian-lts/2017/09/msg00028.html, a openssh no answer to https://lists.debian.org/debian-lts/2016/08/msg00102.html, all LTS uploads by LTS team php5 (once upon a time during Squeeze LTS) poppler no answer to https://lists.debian.org/debian-lts/2016/04/msg00128.html, all LTS uploads by LTS team +quagga maintainer is DM and can not do a security upload, all LTS uploads by LTS team radare2 https://lists.debian.org/debian-lts/2017/02/msg00076.html ruby1.8 https://lists.debian.org/debian-lts/2017/12/msg00090.html ruby1.9.1 https://lists.debian.org/debian-lts/2017/12/msg00090.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/50abe912a2876ae039db725fa4d002d5c3e5c194...ee4bae11c2b3700aa88294c4d8ca4fb770637494 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/50abe912a2876ae039db725fa4d002d5c3e5c194...ee4bae11c2b3700aa88294c4d8ca4fb770637494 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
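Review bot: the new `+quagga (Thorsten Alteholz)` entry in data/dla-needed.txt carries no `NOTE:` naming the issues it covers, while the neighbouring suricata entry in the same hunk shows the file's convention of attaching NOTE lines; list the Quagga CVEs being handled so the next frontdesk shift can tell what the claim covers. The lts-do-not-call line `+quagga maintainer is DM and can not do a security upload, all LTS uploads by LTS team` is clear, but the surrounding entries each cite a debian-lts thread as evidence, so a reference to where this was agreed would help here too.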
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-7054/irssi
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69e028ad by Salvatore Bonaccorso at 2018-02-16T15:17:34+01:00 Update information for CVE-2018-7054/irssi - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -266,7 +266,13 @@ CVE-2018-7055 (GroupViewProxyServlet in RoomWizard before 4.4.x allows SSRF via NOT-FOR-US: RoomWizard CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi + [jessie] - irssi (Vulnerable netsplit code introduced in 1.0.0) + [wheezy] - irssi (Vulnerable netsplit code introduced in 1.0.0) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt + NOTE: Some netsplit related changes as introduced in 1.0.0 were reverted: + NOTE: https://github.com/irssi/irssi/commit/7605f67f95b6ee1ac26dd8fb7f3121f319497943 + NOTE: https://github.com/irssi/irssi/commit/fa8508404f4c4a02749cae5148662e2322c2abf0 + NOTE: https://github.com/irssi/irssi/commit/a4f99ae746efb121185fe76c392a64d743a9eb92 CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/69e028ad998fd3f1bd5e5c476c616e1a79d54a27 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/69e028ad998fd3f1bd5e5c476c616e1a79d54a27 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
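Review bot: the four new `+ NOTE:` lines for CVE-2018-7054 list three irssi commits under `Some netsplit related changes as introduced in 1.0.0 were reverted:` but none of them is identified as the fix for the CVE itself, so a reader cannot tell whether the reverts are the fix or only related cleanup; add the fixing commit with an explicit prefix so the entry distinguishes the two.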
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] not available for frontdesk first week of may
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 93967387 by Antoine Beaupré at 2018-02-16T09:40:46-05:00 not available for frontdesk first week of may - - - - - 1 changed file: - org/lts-frontdesk.2018.txt Changes: = org/lts-frontdesk.2018.txt = --- a/org/lts-frontdesk.2018.txt +++ b/org/lts-frontdesk.2018.txt @@ -28,7 +28,7 @@ From 02-04 to 08-04:Chris Lamb From 09-04 to 15-04:Antoine Beaupré From 16-04 to 22-04:Markus Koschany From 23-04 to 29-04:Thorsten Alteholz -From 30-04 to 06-05:Antoine Beaupré +From 30-04 to 06-05: From 07-05 to 13-05:Ola Lundqvist From 14-05 to 20-05:Chris Lamb From 21-05 to 27-05:Markus Koschany View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93967387ad09be8c64f099b117ba5fa78b46db00 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93967387ad09be8c64f099b117ba5fa78b46db00 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
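Review bot: `+From 30-04 to 06-05:` leaves the slot with no name, so the rota now has an uncovered week; either enter a replacement or flag the gap on the list so it is picked up rather than silently left empty.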
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] triage systemd and mr out of wheezy
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 359c3a7a by Antoine Beaupré at 2018-02-16T10:40:43-05:00 triage systemd and mr out of wheezy mr follows triage in jessie systemd/CVE-2018-6954 is triaged like CVE-2013-4392 although I'm feel that wheezy *may* have support for tmpfiles.d - at least the manpage is there... considering how limited systemd support was in wheezy, however, i suspect it's fair to assume it's not largely used. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -486,6 +486,7 @@ CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs [stretch] - myrepos (Minor issue) [jessie] - myrepos (Minor issue) - mr + [wheezy] - mr (Minor issue) CVE-2018-6956 RESERVED CVE-2018-6955 @@ -493,6 +494,7 @@ CVE-2018-6955 CVE-2018-6954 (systemd-tmpfiles in systemd through 237 mishandles symlinks present in ...) - systemd NOTE: https://github.com/systemd/systemd/issues/7986 + [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) CVE-2018-6953 (In CCN-lite 2, the Parser of NDNTLV does not verify whether a certain ...) NOT-FOR-US: CCN-lite 2 CVE-2018-6952 (A double free exists in the another_hunk function in pch.c in GNU patch ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/359c3a7a65318331ec2507fb547651299ea207a7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/359c3a7a65318331ec2507fb547651299ea207a7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
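Review bot: in the second hunk `+ [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy)` is appended after the `NOTE: https://github.com/systemd/systemd/issues/7986` line, whereas release-specific lines elsewhere in data/CVE/list sit between the package line and the NOTEs; move it above the NOTE. The commit message itself records doubt about tmpfiles.d support in wheezy (the manpage is present), so the parenthetical `not supported in Wheezy` is firmer than the reasoning given; a `NOTE:` stating what was checked would make the triage reproducible.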
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2018-7054
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c8f5f80 by Salvatore Bonaccorso at 2018-02-16T16:53:03+01:00 Add note for CVE-2018-7054 - - - - - 6a16572c by Salvatore Bonaccorso at 2018-02-16T16:53:56+01:00 Reorder entries for one CVE - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -269,10 +269,12 @@ CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. [jessie] - irssi (Vulnerable netsplit code introduced in 1.0.0) [wheezy] - irssi (Vulnerable netsplit code introduced in 1.0.0) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt - NOTE: Some netsplit related changes as introduced in 1.0.0 were reverted: + NOTE: https://github.com/irssi/irssi/commit/e405330e04dc344797f00c12cf8fd7f63b17e0e4 + NOTE: Some (additional) netsplit related changes as introduced in 1.0.0 were reverted: NOTE: https://github.com/irssi/irssi/commit/7605f67f95b6ee1ac26dd8fb7f3121f319497943 NOTE: https://github.com/irssi/irssi/commit/fa8508404f4c4a02749cae5148662e2322c2abf0 NOTE: https://github.com/irssi/irssi/commit/a4f99ae746efb121185fe76c392a64d743a9eb92 + NOTE: But the CVE is specifically for the use-after-free issue. CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt 
@@ -493,8 +495,8 @@ CVE-2018-6955 RESERVED CVE-2018-6954 (systemd-tmpfiles in systemd through 237 mishandles symlinks present in ...) - systemd - NOTE: https://github.com/systemd/systemd/issues/7986 [wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy) + NOTE: https://github.com/systemd/systemd/issues/7986 CVE-2018-6953 (In CCN-lite 2, the Parser of NDNTLV does not verify whether a certain ...) NOT-FOR-US: CCN-lite 2 CVE-2018-6952 (A double free exists in the another_hunk function in pch.c in GNU patch ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/359c3a7a65318331ec2507fb547651299ea207a7...6a16572c839bfd1381617ea8d7e4fe186fcbcf5e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/359c3a7a65318331ec2507fb547651299ea207a7...6a16572c839bfd1381617ea8d7e4fe186fcbcf5e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
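Review bot: in the CVE-2018-7054 hunk the new line `+ NOTE: https://github.com/irssi/irssi/commit/e405330e04dc344797f00c12cf8fd7f63b17e0e4` is inserted directly above `Some (additional) netsplit related changes as introduced in 1.0.0 were reverted:` with no label, so it reads as one more of the reverts rather than as the fix that the closing line `But the CVE is specifically for the use-after-free issue.` refers to; prefix it (for example `Fixed by:`) so the fixing commit is distinguishable from the reverted ones. The systemd reorder in the second hunk puts the `[wheezy]` line ahead of the NOTE, which matches the rest of the file.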
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add details on CVE-2018-7176
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a904f21 by Antoine Beaupré at 2018-02-16T11:25:55-05:00 add details on CVE-2018-7176 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6,8 +6,10 @@ CVE-2018-7178 RESERVED CVE-2018-7177 RESERVED -CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a ...) - - frontaccounting +CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php...) + - frontaccounting (bug #890604) + NOTE: https://securitywarrior9.blogspot.ca/2018/02/cross-site-request-forgery-front.html + [wheezy] - frontaccounting (unsupported in wheezy, already vulnerable to SQL injection in CVE-2014-3973) CVE-2018-7175 (An issue was discovered in xpdf 4.00. A NULL pointer dereference in ...) - xpdf NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a904f215e8c93727dac3d43abbd83922a8803e9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a904f215e8c93727dac3d43abbd83922a8803e9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
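Review bot: `+ [wheezy] - frontaccounting (unsupported in wheezy, already vulnerable to SQL injection in CVE-2014-3973)` is appended after the `+ NOTE:` line, whereas release-specific lines in this file sit between the package line and the NOTEs; move it above the NOTE. The parenthetical also bundles two different statements, that the package is unsupported in wheezy and that it is already vulnerable to CVE-2014-3973; the first is the operative reason for the state, so keep it there and move the cross-reference into a `NOTE:` if it is meant as supporting context.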
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Sort entries
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f12ef1c by Salvatore Bonaccorso at 2018-02-16T18:51:32+01:00 Sort entries - - - - - 475059f8 by Salvatore Bonaccorso at 2018-02-16T18:56:42+01:00 Add CVE-2018-7186/leptonlib, #890548 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,6 @@ +CVE-2018-7186 [stack buffer overflows] + - leptonlib (bug #890548) + NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a CVE-2018-7180 RESERVED CVE-2018-7179 @@ -8,8 +11,8 @@ CVE-2018-7177 RESERVED CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php...) - frontaccounting (bug #890604) - NOTE: https://securitywarrior9.blogspot.ca/2018/02/cross-site-request-forgery-front.html [wheezy] - frontaccounting (unsupported in wheezy, already vulnerable to SQL injection in CVE-2014-3973) + NOTE: https://securitywarrior9.blogspot.ca/2018/02/cross-site-request-forgery-front.html CVE-2018-7175 (An issue was discovered in xpdf 4.00. A NULL pointer dereference in ...) - xpdf NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0a904f215e8c93727dac3d43abbd83922a8803e9...475059f83bc0bfb9f122837ab903e3e28d886afc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0a904f215e8c93727dac3d43abbd83922a8803e9...475059f83bc0bfb9f122837ab903e3e28d886afc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
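Review bot: the new entry `+CVE-2018-7186 [stack buffer overflows]` has no `RESERVED` line between the bracketed description and `+ - leptonlib (bug #890548)` (the hunk header `@@ -1,3 +1,6 @@` confirms exactly three lines were added), while the other bracket-described entries in this series (CVE-2018-5381, CVE-2018-5380, CVE-2018-5379) all carry one; add it so the entry matches the format used for not-yet-published CVE IDs. The second hunk correctly moves the `[wheezy]` line for CVE-2018-7176 above its `NOTE:`.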
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add commit for CVE-2018-7053
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0cef304 by Salvatore Bonaccorso at 2018-02-16T19:19:23+01:00 Add commit for CVE-2018-7053 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -283,6 +283,7 @@ CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt + NOTE: https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c CVE-2018-7052 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0cef30447e78e80fb22e121e28be365174a532a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0cef30447e78e80fb22e121e28be365174a532a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
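Review bot: `+ NOTE: https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c` is added as a bare URL below the advisory link, without saying whether it is the fix, the change that introduced the issue or a related commit; prefix it (`Fixed by:` if that is what it is) so the entry is self-explanatory. The same applies to the sibling CVE-2018-7052 and CVE-2018-7051 entries being updated in the same way in the following commits.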
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add commit for CVE-2018-7052
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28141147 by Salvatore Bonaccorso at 2018-02-16T19:25:14+01:00 Add commit for CVE-2018-7052 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -287,6 +287,7 @@ CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. CVE-2018-7052 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt + NOTE: https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa CVE-2018-7051 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/28141147b003049dc36c206e44eac75b34e6639e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/28141147b003049dc36c206e44eac75b34e6639e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add commit for CVE-2018-7051
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90c81087 by Salvatore Bonaccorso at 2018-02-16T19:26:54+01:00 Add commit for CVE-2018-7051 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -291,6 +291,7 @@ CVE-2018-7052 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. CVE-2018-7051 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt + NOTE: https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af CVE-2018-7050 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. A ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90c810870e1052046fa4bb07685d82773051f60a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90c810870e1052046fa4bb07685d82773051f60a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add prefixes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15a4d9d8 by Salvatore Bonaccorso at 2018-02-16T19:28:40+01:00 Add prefixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -274,7 +274,7 @@ CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. [jessie] - irssi (Vulnerable netsplit code introduced in 1.0.0) [wheezy] - irssi (Vulnerable netsplit code introduced in 1.0.0) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt - NOTE: https://github.com/irssi/irssi/commit/e405330e04dc344797f00c12cf8fd7f63b17e0e4 + NOTE: Fixed by: https://github.com/irssi/irssi/commit/e405330e04dc344797f00c12cf8fd7f63b17e0e4 NOTE: Some (additional) netsplit related changes as introduced in 1.0.0 were reverted: NOTE: https://github.com/irssi/irssi/commit/7605f67f95b6ee1ac26dd8fb7f3121f319497943 NOTE: https://github.com/irssi/irssi/commit/fa8508404f4c4a02749cae5148662e2322c2abf0 
@@ -283,15 +283,15 @@ CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt - NOTE: https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c + NOTE: Fixed by: https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c CVE-2018-7052 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt - NOTE: https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa + NOTE: Fixed by: https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa CVE-2018-7051 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt - NOTE: https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af + NOTE: Fixed by: https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af CVE-2018-7050 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. A ...) - irssi NOTE: https://irssi.org/security/irssi_sa_2018_02.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15a4d9d8b9fdf039b37584348a93f74b2d0e8f3f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15a4d9d8b9fdf039b37584348a93f74b2d0e8f3f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] update NOTE CVE-2017-0916
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: d3b329ba by Abhijith PA at 2018-02-17T00:08:00+05:30 update NOTE CVE-2017-0916 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -67081,6 +67081,7 @@ CVE-2017-0916 [Critical Vulnerability with Command Injection via Webhooks] RESERVED - gitlab (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ +NOTE: https://gitlab.com/gitlab-org/gitlab-ce/commit/7fc0a6fc096768a5604d6dd24d7d952e53300c82 CVE-2017-0915 [Remote Code Execution Vulnerability in GitLab Projects Import] RESERVED - gitlab (bug #888508) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
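Review bot: the added line reads "+NOTE: https://gitlab.com/gitlab-org/gitlab-ce/commit/..." with no leading whitespace, whereas the other NOTE lines added to data/CVE/list in this digest appear as "+ NOTE: ..." with the per-entry indentation; an unindented NOTE directly under "- gitlab (bug #888508)" risks being read as a top-level entry, so indent it like the existing "NOTE: https://about.gitlab.com/..." line above it.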
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: mark golang's CVE-2018-6574 as dla-needed and add relation to CVE-2017-15041
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 7553fe97 by Antoine Beaupré at 2018-02-16T14:02:20-05:00 mark golang's CVE-2018-6574 as dla-needed and add relation to CVE-2017-15041 - - - - - 4755a0f6 by Antoine Beaupré at 2018-02-16T14:02:22-05:00 CVE-2018-6829 gnupg n/a, libgcrypt dla-needed as mentioned in the notes, GnuPG uses Elgamal correctly so it is not vulnerable. libgcrypt, however, is, so it should at least be checked in wheezy and others. - - - - - 4880f3ef by Antoine Beaupré at 2018-02-16T14:36:45-05:00 re-add leptonlib to dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -854,11 +854,12 @@ CVE-2018-6830 CVE-2018-6829 (cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt ...) - libgcrypt20 - libgcrypt11 - - gnupg1 - - gnupg + - gnupg1 + - gnupg NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html + NOTE: GnuPG uses elgamal in hybrid mode so it is not affected CVE-2018-6828 RESERVED CVE-2018-6827 (VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates ...) @@ -1607,6 +1608,7 @@ CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases - golang-1.7 - golang NOTE: https://github.com/golang/go/issues/23672 + NOTE: similar to CVE-2017-15041, which was fixed in wheezy, but no-dsa in jessie and ignored in stretch CVE-2018-6573 RESERVED CVE-2018-6572 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -25,6 +25,8 @@ gcc-4.7 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Do we want/need it on this gcc version as well? -- +golang +-- icu (Thorsten Alteholz) NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- @@ -43,6 +45,12 @@ libav (Hugo Lefeuvre) NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: Help is welcome, feel free to mail Hugo. -- +leptonlib + NOTE: #885704 fix is incomplete and may require a CVE + NOTE: see also https://lists.debian.org/1518730488.2617.129.ca...@decadent.org.uk +-- +libgcrypt11 +-- libmad (Kurt Roeckx) -- libreoffice View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0...4880f3ef311538de940214f314c7d864d339568c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0...4880f3ef311538de940214f314c7d864d339568c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
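Review bot: the first data/CVE/list hunk adds "NOTE: GnuPG uses elgamal in hybrid mode so it is not affected" but leaves "- gnupg1" and "- gnupg" as plain affected entries (the only visible change to those two lines is whitespace), so the NOTE contradicts the status the tracker will display for both packages; if the conclusion is not-affected, tag the two lines accordingly, and move the reasoning from the commit message (the bundled libgcrypt code is still there, it is just not used for direct encryption) into the NOTE.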
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5735/bind9
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eef77605 by Salvatore Bonaccorso at 2018-02-16T20:48:32+01:00 Add CVE-2018-5735/bind9 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3946,8 +3946,13 @@ CVE-2018-5737 RESERVED CVE-2018-5736 RESERVED -CVE-2018-5735 +CVE-2018-5735 [assertion failure in validator.c:1858] RESERVED + - bind9 1:9.9.3.dfsg.P2-1 (bug #889285) + NOTE: Issue similar/closely related issue to CVE-2017-3139 + NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was + NOTE: added upstream in 9.9.3b1. The issue though does not affect bind9 upstream + NOTE: and is only triggered as described in #889285. CVE-2018-5734 RESERVED CVE-2018-5733 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eef7760508b8377e030936f0214261536f1625af --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eef7760508b8377e030936f0214261536f1625af You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
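Review bot: the first added NOTE duplicates the word "issue" ("Issue similar/closely related issue to CVE-2017-3139"); in addition, "Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was added upstream in 9.9.3b1" puts the version in which the vulnerable code first appears into the fixed-version slot, so state explicitly in the NOTE that versions before 1:9.9.3.dfsg.P2-1 are unaffected because the code did not exist yet, along the lines of the "(Vulnerable code introduced later)" wording used for freetype elsewhere in this list.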
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Correct wording in note for CVE-2018-5735
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc084e02 by Salvatore Bonaccorso at 2018-02-16T21:04:35+01:00 Correct wording in note for CVE-2018-5735 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3949,7 +3949,7 @@ CVE-2018-5736 CVE-2018-5735 [assertion failure in validator.c:1858] RESERVED - bind9 1:9.9.3.dfsg.P2-1 (bug #889285) - NOTE: Issue similar/closely related issue to CVE-2017-3139 + NOTE: Issue similar/closely related to the CVE-2017-3139 issue in Red Hat. NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was NOTE: added upstream in 9.9.3b1. The issue though does not affect bind9 upstream NOTE: and is only triggered as described in #889285. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc084e0224b9156a074f06ad52b49f28639fd1f5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc084e0224b9156a074f06ad52b49f28639fd1f5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
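Review bot: the reworded NOTE now says "the CVE-2017-3139 issue in Red Hat", but the surrounding NOTE lines still do not say how the Debian-only trigger in #889285 differs from upstream beyond "only triggered as described in #889285"; a one-line summary of that trigger in the NOTE would spare the next triager a bug-tracker round trip.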
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update status for CVE-2018-6829/{gnupg, gnupg1}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 205e8413 by Salvatore Bonaccorso at 2018-02-16T21:30:36+01:00 Update status for CVE-2018-6829/{gnupg,gnupg1} The libgcrypt implementation in gnupg1/gnupg would still be affected but the GnuPG not using ElGamal for directly encrypting messages. As such mark with severity unimportant. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -854,12 +854,12 @@ CVE-2018-6830 CVE-2018-6829 (cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt ...) - libgcrypt20 - libgcrypt11 - - gnupg1 - - gnupg + - gnupg1 (unimportant) + - gnupg (unimportant) NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html - NOTE: GnuPG uses elgamal in hybrid mode so it is not affected + NOTE: GnuPG uses ElGamal in hybrid mode only. CVE-2018-6828 RESERVED CVE-2018-6827 (VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/205e8413b32ec945f73cba1c06586c4cc23a00c5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/205e8413b32ec945f73cba1c06586c4cc23a00c5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
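Review bot: the NOTE is reduced to "GnuPG uses ElGamal in hybrid mode only." while the justification for the new "(unimportant)" tags lives only in the commit message (the libgcrypt implementation bundled in gnupg1/gnupg is still the affected code, it is just not used to encrypt messages directly); put that sentence into the NOTE so the severity can be explained from data/CVE/list alone.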
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: handle non-URL explanations in contact-maintainers
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: fa78d4b3 by Antoine Beaupré at 2018-02-16T15:32:06-05:00 handle non-URL explanations in contact-maintainers - - - - - c0678b9e by Antoine Beaupré at 2018-02-16T15:32:07-05:00 irssi dla-needed w/ caveat - - - - - 2 changed files: - bin/contact-maintainers - data/dla-needed.txt Changes: = bin/contact-maintainers = --- a/bin/contact-maintainers +++ b/bin/contact-maintainers @@ -103,7 +103,7 @@ if args.lts and not args.force: continue if line.split()[0] == args.package: print "Maintainer(s) may not be contacted for LTS issues." -print("Please have a look at {}".format(line.split()[1])) +print("Reason: {}".format(" ".join(line.split()[1:]))) print("If you still want to run this script, run it with --force.") sys.exit(1) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -30,6 +30,9 @@ golang icu (Thorsten Alteholz) NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- +irssi + NOTE: give maintainer time to reply to https://lists.debian.org/87k1vcitzn@curie.anarc.at +-- krb5 NOTE: lts-do-not-call NOTE: Details not public. Yet. See https://lists.debian.org/msgid-search/20180208212643.GB7792@pisco.westfalen.local View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/205e8413b32ec945f73cba1c06586c4cc23a00c5...c0678b9e447262c93516b2d03e97ef1c82c708f3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/205e8413b32ec945f73cba1c06586c4cc23a00c5...c0678b9e447262c93516b2d03e97ef1c82c708f3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
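Review bot: in the bin/contact-maintainers hunk the new print("Reason: {}".format(" ".join(line.split()[1:]))) sits two lines below a Python 2 print statement (print "Maintainer(s) may not be contacted for LTS issues."); the mixed forms only work because each print() call has a single argument, and they break as soon as print_function is imported, so convert the statement to print(...) in the same change. The join also produces an empty "Reason: " when the matching line carries nothing after the package name, which deserves a fallback text.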
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: plasma-workspace DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3572e849 by Moritz Muehlenhoff at 2018-02-16T21:42:40+01:00 plasma-workspace DSA - - - - - 31ea7598 by Moritz Muehlenhoff at 2018-02-16T21:42:58+01:00 another kernel spu fix - - - - - 3 changed files: - data/DSA/list - data/dsa-needed.txt - data/next-point-update.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[16 Feb 2018] DSA-4116-1 plasma-workspace - security update + {CVE-2018-6791} + [stretch] - plasma-workspace 4:5.8.6-2.1+deb9u1 [15 Feb 2018] DSA-4115-1 quagga - security update {CVE-2018-5379 CVE-2018-5380 CVE-2018-5381} [jessie] - quagga 0.99.23.1-1+deb8u5 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -60,8 +60,6 @@ phpmyadmin/oldstable -- pjproject -- -plasma-workspace (jmm) --- plexus-utils -- plexus-utils2/oldstable = data/next-point-update.txt = --- a/data/next-point-update.txt +++ b/data/next-point-update.txt @@ -127,6 +127,8 @@ CVE-2018-5344 [stretch] - linux 4.9.80-1 CVE-2018-6927 [stretch] - linux 4.9.80-1 +CVE-2017-0861 + [stretch] - linux 4.9.80-1 CVE-2018-104 [stretch] - linux 4.9.80-1 CVE-2017-1000494 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c0678b9e447262c93516b2d03e97ef1c82c708f3...31ea759859492b943fee7913d5b64ded445d34f3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c0678b9e447262c93516b2d03e97ef1c82c708f3...31ea759859492b943fee7913d5b64ded445d34f3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
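Review bot: the data/DSA/list hunk adds DSA-4116-1 for CVE-2018-6791, but the patch does not add the matching "{DSA-4116-1}" cross-reference to the CVE-2018-6791 entry in data/CVE/list, so the CVE page will not show the stretch fix until someone else adds it; include both sides of the link in the DSA commit.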
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] suricata no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: de20b5d5 by Moritz Muehlenhoff at 2018-02-16T21:51:55+01:00 suricata no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -933,6 +933,8 @@ CVE-2018-6795 (PHP Scripts Mall Naukri Clone Script 3.0.3 has Stored XSS via eve NOT-FOR-US: PHP Scripts Mall Naukri Clone Script CVE-2018-6794 (Suricata before 4.1 is prone to an HTTP detection bypass vulnerability ...) - suricata 1:4.0.4-1 (bug #889842) + [stretch] - suricata (Minor issue) + [jessie] - suricata (Minor issue) NOTE: https://redmine.openinfosecfoundation.org/issues/2427 NOTE: https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1 CVE-2018-6793 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de20b5d566108248cf726b6742838d7b009b8f61 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de20b5d566108248cf726b6742838d7b009b8f61 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
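Review bot: the hunk tags an HTTP detection bypass in an IDS as "(Minor issue)" for both stretch and jessie without a NOTE giving the reason; the two upstream links (redmine issue 2427 and the pull request commit) document the bug, not the no-dsa decision, so add a one-line rationale, the way the freetype entry's "(Vulnerable code introduced later)" explains its tag.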
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: add polarssl, sox, wavpack to dla-needed.txt
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 66d36bd2 by Antoine Beaupré at 2018-02-16T15:59:51-05:00 add polarssl, sox, wavpack to dla-needed.txt - - - - - 43dcbb7c by Antoine Beaupré at 2018-02-16T15:59:52-05:00 fix jessie triage for myrepos - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -497,6 +497,7 @@ CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs [jessie] - myrepos (Minor issue) - mr [wheezy] - mr (Minor issue) + [jessie] - mr (Minor issue) CVE-2018-6956 RESERVED CVE-2018-6955 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -76,11 +76,17 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- +polarssl +-- quagga (Thorsten Alteholz) -- +sox + NOTE: marked no-dsa/minor in stable. if worth an upload, consider also uploading to jessie/stretch as well since version numbers are very close +-- suricata (Santiago R.R.) NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c NOTE: does not exist. Code seems to be in SigMatchSignatures instead. NOTE: StreamTcpInlineDropInvalid function does not exist at all. Perhaps contact NOTE: upstream and ask for a clarification? -- +wavpack View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/de20b5d566108248cf726b6742838d7b009b8f61...43dcbb7ca87f7c9f6112f2969802f1cbf2c9ee0a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/de20b5d566108248cf726b6742838d7b009b8f61...43dcbb7ca87f7c9f6112f2969802f1cbf2c9ee0a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
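Review bot: in the data/CVE/list hunk the new "[jessie] - mr (Minor issue)" line is inserted below "[wheezy] - mr (Minor issue)", while the myrepos lines directly above order releases newest first ([stretch], then [jessie]); place the jessie line before the wheezy one so the ordering within the entry stays consistent.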
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add bind9 to dla-needed, already in progress
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b060bc2 by Antoine Beaupré at 2018-02-16T16:04:27-05:00 add bind9 to dla-needed, already in progress - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,6 +10,9 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +bind9 + NOTE: roberto was working on this on feb 7th: #889285 +-- dovecot (Thorsten Alteholz) NOTE: after applying the patch, login segfaults NOTE: maintainer and security team are looking into this View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9b060bc238431ee31dd353e5c0454f21817d3845 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9b060bc238431ee31dd353e5c0454f21817d3845 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
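Review bot: the new bind9 entry's NOTE gives only "#889285" and a date; name the CVE being worked on (CVE-2018-5735, the entry that carries the same bug number in data/CVE/list) so the dla-needed entry can be matched to the tracker entry without opening the bug.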
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cf8f634 by security tracker role at 2018-02-16T21:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,4 +1,24 @@ -CVE-2018-7186 [stack buffer overflows] +CVE-2018-7190 + RESERVED +CVE-2018-7189 + RESERVED +CVE-2018-7188 (An XSS vulnerability (via an SVG image) in Tiki before 18 allows an ...) + TODO: check +CVE-2018-7187 (The "go get" implementation in Go 1.9.4, when the -insecure ...) + TODO: check +CVE-2018-7185 + RESERVED +CVE-2018-7184 + RESERVED +CVE-2018-7183 + RESERVED +CVE-2018-7182 + RESERVED +CVE-2018-7181 + RESERVED +CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...) + TODO: check +CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...) - leptonlib (bug #890548) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a CVE-2018-7180 @@ -9,7 +29,7 @@ CVE-2018-7178 RESERVED CVE-2018-7177 RESERVED -CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a user account via admin/users.php...) +CVE-2018-7176 (FrontAccounting 2.4.3 suffers from a CSRF flaw, which leads to adding a ...) - frontaccounting (bug #890604) [wheezy] - frontaccounting (unsupported in wheezy, already vulnerable to SQL injection in CVE-2014-3973) NOTE: https://securitywarrior9.blogspot.ca/2018/02/cross-site-request-forgery-front.html 
@@ -529,10 +549,10 @@ CVE-2018-6946 RESERVED CVE-2018-6945 RESERVED -CVE-2018-6944 - RESERVED -CVE-2018-6943 - RESERVED +CVE-2018-6944 (core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for ...) + TODO: check +CVE-2018-6943 (core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 ...) + TODO: check CVE-2018-6942 (An issue was discovered in FreeType 2 through 2.9. A NULL pointer ...) - freetype (bug #890450) [stretch] - freetype (Vulnerable code introduced later) @@ -571,11 +591,11 @@ CVE-2018-6929 CVE-2018-6928 (PHP Scripts Mall News Website Script 2.0.4 has SQL Injection via a ...) NOT-FOR-US: PHP Scripts Mall News Website Script CVE-2018-166 - RESERVED + REJECTED CVE-2018-165 - RESERVED + REJECTED CVE-2018-164 - RESERVED + REJECTED CVE-2017-18186 (An issue was discovered in QPDF before 7.0.0. There is an infinite loop ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) @@ -646,7 +666,7 @@ CVE-2018-6915 CVE-2018-6914 RESERVED CVE-2018-163 - RESERVED + REJECTED CVE-2017-18179 (Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18178 (Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue ...) @@ -943,6 +963,7 @@ CVE-2018-6793 CVE-2018-6792 (Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 allow ...) NOT-FOR-US: Saifor CVMS HUB CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE ...) + {DSA-4116-1} - plasma-workspace 4:5.12.0-2 - kde-runtime (Performs correct escaping) NOTE: https://bugs.kde.org/show_bug.cgi?id=389815 
@@ -1922,12 +1943,12 @@ CVE-2017-18093 RESERVED CVE-2017-18092 RESERVED -CVE-2017-18091 - RESERVED -CVE-2017-18090 - RESERVED -CVE-2017-18089 - RESERVED +CVE-2017-18091 (The admin backupprogress action in Atlassian Fisheye and Crucible ...) + TODO: check +CVE-2017-18090 (Various resources in Atlassian Fisheye before version 4.5.1 (the fixed ...) + TODO: check +CVE-2017-18089 (The view review history resource in Atlassian Crucible before version ...) + TODO: check CVE-2017-18088 (Various plugin servlet resources in Atlassian Bitbucket Server before ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2017-18087 (The download commit resource in Atlassian Bitbucket Server from ...) @@ -18039,10 +18060,10 @@ CVE-2018-0518 RESERVED CVE-2018-0517 (Untrusted search path vulnerability in Anshin net security for Windows ...) NOT-FOR-US: Anshin net security for Windows -CVE-2018-0516 - RESERVED -CVE-2018-0515 - RESERVED +CVE-2018-0516 (Untrusted search path vulnerability in FLET'S v4 / v6 address ...) + TODO: check +CVE-2018-0515 (Untrusted search path vulnerability in "FLET'S Azukeru Backup Tool" ...) + TODO: check CVE-2018-0514 (MP Form Mail CGI eCommerce Edition Ver 2.0.13 and earlier allows ...) NOT-FOR-US: MP Form Mail CGI eCommerce Edition CVE-2018-0513 (Cross-site scripting
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Sort entries for CVE-2018-7032
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee9cb6d2 by Salvatore Bonaccorso at 2018-02-16T22:11:59+01:00 Sort entries for CVE-2018-7032 - - - - - d105be22 by Salvatore Bonaccorso at 2018-02-16T22:15:17+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3,7 +3,7 @@ CVE-2018-7190 CVE-2018-7189 RESERVED CVE-2018-7188 (An XSS vulnerability (via an SVG image) in Tiki before 18 allows an ...) - TODO: check + NOT-FOR-US: Tiki CVE-2018-7187 (The "go get" implementation in Go 1.9.4, when the -insecure ...) TODO: check CVE-2018-7185 @@ -516,8 +516,8 @@ CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs [stretch] - myrepos (Minor issue) [jessie] - myrepos (Minor issue) - mr - [wheezy] - mr (Minor issue) [jessie] - mr (Minor issue) + [wheezy] - mr (Minor issue) CVE-2018-6956 RESERVED CVE-2018-6955 @@ -550,9 +550,9 @@ CVE-2018-6946 CVE-2018-6945 RESERVED CVE-2018-6944 (core/lib/upload/um-file-upload.php in the UltimateMember plugin 2.0 for ...) - TODO: check + NOT-FOR-US: UltimateMember plugin for WordPress CVE-2018-6943 (core/lib/upload/um-image-upload.php in the UltimateMember plugin 2.0 ...) - TODO: check + NOT-FOR-US: UltimateMember plugin for WordPress CVE-2018-6942 (An issue was discovered in FreeType 2 through 2.9. A NULL pointer ...) - freetype (bug #890450) [stretch] - freetype (Vulnerable code introduced later) 
@@ -1944,11 +1944,11 @@ CVE-2017-18093 CVE-2017-18092 RESERVED CVE-2017-18091 (The admin backupprogress action in Atlassian Fisheye and Crucible ...) - TODO: check + NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18090 (Various resources in Atlassian Fisheye before version 4.5.1 (the fixed ...) - TODO: check + NOT-FOR-US: Atlassian Fisheye CVE-2017-18089 (The view review history resource in Atlassian Crucible before version ...) - TODO: check + NOT-FOR-US: Atlassian Crucible CVE-2017-18088 (Various plugin servlet resources in Atlassian Bitbucket Server before ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2017-18087 (The download commit resource in Atlassian Bitbucket Server from ...) @@ -18061,9 +18061,9 @@ CVE-2018-0518 CVE-2018-0517 (Untrusted search path vulnerability in Anshin net security for Windows ...) NOT-FOR-US: Anshin net security for Windows CVE-2018-0516 (Untrusted search path vulnerability in FLET'S v4 / v6 address ...) - TODO: check + NOT-FOR-US: FLET'S v4 / v6 address selection tool CVE-2018-0515 (Untrusted search path vulnerability in "FLET'S Azukeru Backup Tool" ...) - TODO: check + NOT-FOR-US: FLET'S Azukeru Backup Tool CVE-2018-0514 (MP Form Mail CGI eCommerce Edition Ver 2.0.13 and earlier allows ...) NOT-FOR-US: MP Form Mail CGI eCommerce Edition CVE-2018-0513 (Cross-site scripting vulnerability in MTS Simple Booking C, MTS Simple ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0cf8f63449884d389524c8c870ef76e076878105...d105be2212baac6e351b2bbee188a3f96b8475b5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0cf8f63449884d389524c8c870ef76e076878105...d105be2212baac6e351b2bbee188a3f96b8475b5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
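Review bot: the first hunk's context shows CVE-2018-7187 (the "go get" -insecure issue in Go 1.9.4) still at "TODO: check" after the neighbouring NFUs are processed; golang is packaged and tracked on this list (see the CVE-2018-6574 entries), so it needs a package line and triage rather than remaining a TODO.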
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18190/cups
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 79e65275 by Salvatore Bonaccorso at 2018-02-16T22:20:57+01:00 Add CVE-2017-18190/cups Fixed in v2.2.2 upstream and the first version which landed in unstable was 2.2.3-2. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17,7 +17,9 @@ CVE-2018-7182 CVE-2018-7181 RESERVED CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...) - TODO: check + - cups 2.2.3-2 + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1048 + NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2) CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...) - leptonlib (bug #890548) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79e652750fe0b5edab36ebd4967aa0c6dc258f77 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79e652750fe0b5edab36ebd4967aa0c6dc258f77 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
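Review bot: the reasoning behind choosing 2.2.3-2 as the fixed version (fix in upstream v2.2.2, 2.2.3-2 being the first unstable upload to carry it) is only in the commit message; the "(v2.2.2)" suffix on the commit URL hints at it, but a NOTE stating it outright keeps data/CVE/list self-explanatory, and the entry also has no [stretch]/[jessie] lines saying whether the older cups versions need an update.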
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1285-1 for bind9
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 20f9e904 by Roberto C. Sánchez at 2018-02-16T16:26:41-05:00 Reserve DLA-1285-1 for bind9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[16 Feb 2018] DLA-1285-1 bind9 - security update + {CVE-2018-5735} + [wheezy] - bind9 9.8.4.dfsg.P1-6+nmu2+deb7u20 [15 Feb 2018] DLA-1284-1 leptonlib - security update {CVE-2018-3836} [wheezy] - leptonlib 1.69-3.1+deb7u1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,9 +10,6 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -bind9 - NOTE: roberto was working on this on feb 7th: #889285 --- dovecot (Thorsten Alteholz) NOTE: after applying the patch, login segfaults NOTE: maintainer and security team are looking into this View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20f9e9047858236ebd9debb6b811092c1bff1c1b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20f9e9047858236ebd9debb6b811092c1bff1c1b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
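Review bot: the DLA-1285-1 line records the wheezy version as "9.8.4.dfsg.P1-6+nmu2+deb7u20" without the "1:" epoch that bind9 versions carry elsewhere in the tracker (data/CVE/list has "bind9 1:9.9.3.dfsg.P2-1" for the same CVE-2018-5735); without the epoch the version comparison against the archive is wrong, so use 1:9.8.4.dfsg.P1-6+nmu2+deb7u20.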
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add missing epoch for bind9 version
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78177709 by Salvatore Bonaccorso at 2018-02-16T22:28:05+01:00 Add missing epoch for bind9 version - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,6 +1,6 @@ [16 Feb 2018] DLA-1285-1 bind9 - security update {CVE-2018-5735} - [wheezy] - bind9 9.8.4.dfsg.P1-6+nmu2+deb7u20 + [wheezy] - bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u20 [15 Feb 2018] DLA-1284-1 leptonlib - security update {CVE-2018-3836} [wheezy] - leptonlib 1.69-3.1+deb7u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/78177709c8782f3922f02208548a5fb65b0dca05 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/78177709c8782f3922f02208548a5fb65b0dca05 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add wordpress to dla-needed, add details in the issue
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 73ccae4c by Antoine Beaupré at 2018-02-16T16:33:14-05:00 add wordpress to dla-needed, add details in the issue this seems like a severe enough to warrant a patch, even though upstream isn't ready yet. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2190,6 +2190,8 @@ CVE-2018-6389 (In WordPress through 4.9.2, unauthenticated attackers can cause a NOTE: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html NOTE: https://thehackernews.com/2018/02/wordpress-dos-exploit.html NOTE: https://wpvulndb.com/vulnerabilities/9021 + NOTE: disputed by upstream as best fixed at the server level + NOTE: patch in progress in https://core.trac.wordpress.org/ticket/43308 CVE-2018-6388 (iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices allow remote ...) NOT-FOR-US: iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices CVE-2018-6387 (iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices have a hardcoded ...) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -90,3 +90,5 @@ suricata (Santiago R.R.) NOTE: upstream and ask for a clarification? -- wavpack +-- +wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73ccae4c91a7881dffcd7471dfc7c4b8c3be76bb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73ccae4c91a7881dffcd7471dfc7c4b8c3be76bb You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
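Review bot: the data/dla-needed.txt hunk appends a bare "wordpress" entry with no NOTE, while the reason it is there despite upstream's dispute is only in the commit message; carry the CVE id (CVE-2018-6389) and the trac ticket link into a NOTE under the entry, as the sox, irssi and leptonlib entries on this list do, so the LTS triager sees the caveat in the file itself.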
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1286-1 for quagga
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: dc3c321c by Thorsten Alteholz at 2018-02-16T23:32:19+01:00 Reserve DLA-1286-1 for quagga - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[16 Feb 2018] DLA-1286-1 quagga - security update + {CVE-2018-5379 CVE-2018-5380 CVE-2018-5381} + [wheezy] - quagga 0.99.22.4-1+wheezy3+deb7u3 [16 Feb 2018] DLA-1285-1 bind9 - security update {CVE-2018-5735} [wheezy] - bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u20 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -78,8 +78,6 @@ openjdk-7 (Emilio Pozuelo) -- polarssl -- -quagga (Thorsten Alteholz) --- sox NOTE: marked no-dsa/minor in stable. if worth an upload, consider also uploading to jessie/stretch as well since version numbers are very close -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc3c321c00df16a939ad578e6744d99749d6a629
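Review bot: the data/dla-needed.txt hunk removes both the "quagga (Thorsten Alteholz)" line and the "--" separator that followed it, which is the right pairing: the context shows polarssl and sox are still separated by exactly one "--" afterwards, so the file's entry delimiting stays intact. Removing only the package line would have left a doubled separator, a common slip in this file.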
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] claim wavpack
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ed9ecd83 by Thorsten Alteholz at 2018-02-16T23:40:19+01:00 claim wavpack - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -87,6 +87,6 @@ suricata (Santiago R.R.) NOTE: StreamTcpInlineDropInvalid function does not exist at all. Perhaps contact NOTE: upstream and ask for a clarification? -- -wavpack +wavpack (Thorsten Alteholz) -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed9ecd830af63fe63e12018b74de7483fe7f8af6
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixing version for unstable upload for CVE-2018-7186
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c81d2486 by Salvatore Bonaccorso at 2018-02-17T07:43:55+01:00 Add fixing version for unstable upload for CVE-2018-7186 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -21,7 +21,7 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1048 NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2) CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...) - - leptonlib (bug #890548) + - leptonlib 1.75.3-2 (bug #890548) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a CVE-2018-7180 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c81d24862f32aeab733b9c878cc088fbc6f8b541
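Review bot: the fixing version 1.75.3-2 sits above the boundary in the CVE description ("Leptonica before 1.75.3"), which implies that 1.75.3-1 in unstable was still affected and the fix arrived through the referenced upstream commit ee301cb2 rather than the 1.75.3 release itself. That is plausible, but worth confirming against the 1.75.3-2 changelog for bug #890548: if 1.75.3-1 already contained the commit, the entry should read 1.75.3-1, otherwise the tracker keeps flagging that version as vulnerable.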
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update CVE-2017-15041/golang
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 404be00d by Salvatore Bonaccorso at 2018-02-17T07:50:52+01:00 Update CVE-2017-15041/golang We decided to ignore the issue for stretch and newer golang versions. Do the same for src:golang in jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -25191,7 +25191,7 @@ CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang - [jessie] - golang (Minor issue) + [jessie] - golang (Minor issue) NOTE: https://go.googlesource.com/go/+/a4544a0f8af001d1fb6df0e70750f570ec49ccf9%5E%21/ NOTE: https://github.com/golang/go/issues/22125 NOTE: https://golang.org/cl/68022 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/404be00d122546a4aedda6b52aaf1dacdb53d3fe
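Review bot: the removed and added "[jessie] - golang (Minor issue)" lines read identically in this mail, so the actual change cannot be verified from what is shown; given the commit message (ignore the issue for jessie as was decided for stretch), it is presumably the angle-bracketed status tag on the jessie line, which the tracker records as no-dsa, ignored and similar, and which this rendering has dropped along with the brackets. The stretch entry just above carries the same "(Minor issue)" text, so after this change the two lines should differ only in the package name and release; anyone checking the commit should read the raw diff rather than this notification.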