[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-15130/dovecot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aebbde76 by Salvatore Bonaccorso at 2018-03-01T08:39:22+01:00 Add CVE-2017-15130/dovecot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26161,7 +26161,7 @@ CVE-2017-15131 (It was found that system umask policy is not being honored when NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303 CVE-2017-15130 [TLS SNI config lookups are inefficient and can be used for DoS] RESERVED - - dovecot + - dovecot (bug #891820) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391 NOTE: https://github.com/dovecot/core/commit/f3504763c27c2661716c0d1dbd3e0fc662107a21 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aebbde76d01c6e688ee301b4b3a3cc5929bf43bc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aebbde76d01c6e688ee301b4b3a3cc5929bf43bc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-14461/dovecot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 905515b2 by Salvatore Bonaccorso at 2018-03-01T08:38:41+01:00 Add bug reference for CVE-2017-14461/dovecot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -28427,7 +28427,7 @@ CVE-2017-14462 RESERVED CVE-2017-14461 [rfc822_parse_domain information leak vulnerability] RESERVED - - dovecot + - dovecot (bug #891819) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4 NOTE: https://github.com/dovecot/core/commit/8d65e2345e1dbedb00b662ee0abd05be2e7e6b7e View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/905515b236ad23bdcc90bf4e0628ec135196c59f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/905515b236ad23bdcc90bf4e0628ec135196c59f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-12627/xerces-c
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d92c063c by Salvatore Bonaccorso at 2018-03-01T07:55:16+01:00 Add CVE-2017-12627/xerces-c - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -33975,8 +33975,11 @@ CVE-2017-12629 (Remote code execution occurs in Apache Solr before 7.1 with Apac NOTE: Patch disallowing XXE: https://github.com/apache/lucene-solr/commit/926cc4d65b6d2cc40ff07f76d50ddeda947e3cc4 CVE-2017-12628 (The JMX server embedded in Apache James, also used by the command line ...) NOT-FOR-US: Apache James -CVE-2017-12627 +CVE-2017-12627 [Apache Xerces-C DTD vulnerability processing external paths] RESERVED + - xerces-c + NOTE: https://svn.apache.org/viewvc?view=revision&revision=1819998 + NOTE: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt CVE-2017-12626 (Apache POI in versions prior to release 3.17 are vulnerable to Denial ...) - libapache-poi-java (bug #888651) [stretch] - libapache-poi-java (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d92c063cfdb4c186d18f545d93fb5aacb5426c39 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d92c063cfdb4c186d18f545d93fb5aacb5426c39 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
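Review bot: the new xerces-c entry marks the package as affected with no fixed version and no Debian bug reference, whereas the adjacent CVE-2017-12626 entry records one ("- libapache-poi-java (bug #888651)"); consider filing and recording a bug so the DTD external-path issue is tracked on the package side, and add a severity tag once it has been assessed.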
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add dovecot to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30c54065 by Salvatore Bonaccorso at 2018-03-01T07:51:14+01:00 Add dovecot to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -20,6 +20,8 @@ chromium-browser/stable -- dokuwiki/oldstable -- +dovecot (carnil) +-- ffmpeg/stable Wait for next 3.2.x release -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30c54065c2715500860339c621f396619b963740 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30c54065c2715500860339c621f396619b963740 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim freexl in dla-needed.txt.
Bas Couwenberg pushed to branch master at Debian Security Tracker / security-tracker Commits: fb5770cb by Bas Couwenberg at 2018-03-01T07:47:40+01:00 Claim freexl in dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,7 +18,7 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- -freexl +freexl (Bas Couwenberg) -- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fb5770cb73c7dd86ac3b9785607a4e776a5e9b78 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fb5770cb73c7dd86ac3b9785607a4e776a5e9b78 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add commits for CVE-2017-15130/dovecot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce4c20f5 by Salvatore Bonaccorso at 2018-03-01T07:40:48+01:00 Add commits for CVE-2017-15130/dovecot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26159,10 +26159,16 @@ CVE-2017-15131 (It was found that system umask policy is not being honored when NOTE: sessions. NOTE: Enforcements can be achieved e.g. by using pam_umask. NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303 -CVE-2017-15130 +CVE-2017-15130 [TLS SNI config lookups are inefficient and can be used for DoS] RESERVED - dovecot NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html + NOTE: https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391 + NOTE: https://github.com/dovecot/core/commit/f3504763c27c2661716c0d1dbd3e0fc662107a21 + NOTE: https://github.com/dovecot/core/commit/02da33a59fddd51cc3b8d95989de95574b7332f1 + NOTE: https://github.com/dovecot/core/commit/390592e6af07e02064ebdbb1bbcf06528887370f + NOTE: https://github.com/dovecot/core/commit/bc27538d084e01a7a1aca3330e27aebfc0e311eb + NOTE: https://github.com/dovecot/core/commit/00016646cc32a3fa1cf54c22ed7388ed06bbc0f1 CVE-2017-15129 (A use-after-free vulnerability was found in network namespaces code ...) - linux 4.14.12-1 [stretch] - linux 4.9.80-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce4c20f57f8e38ec305b87b8fdab822303918672 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce4c20f57f8e38ec305b87b8fdab822303918672 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add commits for CVE-2017-14461/dovecot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cebde0c7 by Salvatore Bonaccorso at 2018-03-01T07:37:37+01:00 Add commits for CVE-2017-14461/dovecot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -28419,10 +28419,17 @@ CVE-2017-14463 RESERVED CVE-2017-14462 RESERVED -CVE-2017-14461 +CVE-2017-14461 [rfc822_parse_domain information leak vulnerability] RESERVED - dovecot NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html + NOTE: https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4 + NOTE: https://github.com/dovecot/core/commit/8d65e2345e1dbedb00b662ee0abd05be2e7e6b7e + NOTE: https://github.com/dovecot/core/commit/b72d864b8c34cb21076214c0b28101baec530141 + NOTE: https://github.com/dovecot/core/commit/e9b86842441a668b30796bff7d60828614570a1b + NOTE: https://github.com/dovecot/core/commit/f5cd17a27f0b666567747f8c921ebe1026970f11 + NOTE: https://github.com/dovecot/core/commit/18a7a161c8dae6f630770a3cbab7374a0c3dd732 + NOTE: https://github.com/dovecot/core/commit/0ed696987e5e5d44e971da2a10f6275b276ece34 CVE-2017-14460 (An exploitable overly permissive cross-domain (CORS) whitelist ...) - parity (bug #890550) CVE-2017-14459 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cebde0c7aa1affba6791dc0ae3f64c286f462d1a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cebde0c7aa1affba6791dc0ae3f64c286f462d1a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-14461/dovecot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 050b517d by Salvatore Bonaccorso at 2018-03-01T07:19:16+01:00 Add CVE-2017-14461/dovecot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -28421,6 +28421,8 @@ CVE-2017-14462 RESERVED CVE-2017-14461 RESERVED + - dovecot + NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html CVE-2017-14460 (An exploitable overly permissive cross-domain (CORS) whitelist ...) - parity (bug #890550) CVE-2017-14459 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/050b517d6be35da63a293351918f14aa6af8cc4d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/050b517d6be35da63a293351918f14aa6af8cc4d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-15130/dovecot
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 139017b4 by Salvatore Bonaccorso at 2018-03-01T07:18:44+01:00 Add CVE-2017-15130/dovecot - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26161,6 +26161,8 @@ CVE-2017-15131 (It was found that system umask policy is not being honored when NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303 CVE-2017-15130 RESERVED + - dovecot + NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html CVE-2017-15129 (A use-after-free vulnerability was found in network namespaces code ...) - linux 4.14.12-1 [stretch] - linux 4.9.80-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/139017b4b97b2fa954570dc7635e3a1471a61be6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/139017b4b97b2fa954570dc7635e3a1471a61be6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Apple bluetoothd NFUs
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 9777c9cd by Paul Wise at 2018-03-01T11:53:31+08:00 Apple bluetoothd NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9106,6 +9106,8 @@ CVE-2018-4096 NOTE: Not covered by security support CVE-2018-4095 RESERVED + NOT-FOR-US: Apple bluetoothd + NOTE: https://blog.zimperium.com/cve-2018-4087-poc-escaping-sandbox-misleading-bluetoothd/ CVE-2018-4094 RESERVED CVE-2018-4093 @@ -9128,6 +9130,8 @@ CVE-2018-4088 NOTE: Not covered by security support CVE-2018-4087 RESERVED + NOT-FOR-US: Apple bluetoothd + NOTE: https://blog.zimperium.com/cve-2018-4087-poc-escaping-sandbox-misleading-bluetoothd/ CVE-2018-4086 RESERVED CVE-2018-4085 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9777c9cdb642a0b0ed0e04317f85ee5dd0e9ad4c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9777c9cdb642a0b0ed0e04317f85ee5dd0e9ad4c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
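Review bot: both hunks attach the same zimperium URL, whose slug names cve-2018-4087, to CVE-2018-4095 as well as to CVE-2018-4087; confirm that the write-up actually covers CVE-2018-4095 or point that entry at a source specific to it, so the NOT-FOR-US reasoning is traceable for each id.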
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] claim zsh in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 103bac8d by Abhijith PA at 2018-03-01T09:04:17+05:30 claim zsh in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -104,4 +104,4 @@ wordpress -- xen -- -zsh +zsh (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/103bac8da3f6c1c21cb0104f5a762fba0b1eecf6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/103bac8da3f6c1c21cb0104f5a762fba0b1eecf6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new jenkins CVEs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ee2eb2ee by Moritz Muehlenhoff at 2018-02-28T23:44:54+01:00 new jenkins CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,29 @@ +CVE-2018-1000103 + - jenkins +CVE-2018-1000102 + - jenkins +CVE-2018-1000114 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000113 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000112 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000111 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000110 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000109 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000108 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000107 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000106 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000105 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000104 + NOT-FOR-US: Jenkins plugin CVE-2018-7567 RESERVED CVE-2018-7566 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee2eb2ee9431f890fccf9c193c05addfb9e32b96 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee2eb2ee9431f890fccf9c193c05addfb9e32b96 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
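Review bot: the inserted block is not in descending id order: CVE-2018-1000103 and CVE-2018-1000102 are placed above CVE-2018-1000114 through CVE-2018-1000104; reorder so the block runs 1000114 down to 1000102, with the two jenkins core entries at its end. The two "- jenkins" lines also carry no bug reference or NOTE; a pointer to the Jenkins advisory would help whoever picks these up.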
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] bugs for jgraph and guacamole
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b0e2c90 by Moritz Muehlenhoff at 2018-02-28T23:22:02+01:00 bugs for jgraph and guacamole - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -359,7 +359,7 @@ CVE-2017-18198 (print_iso9660_recurse in iso-info.c in GNU libcdio before 1.0.0 - libcdio 1.0.0-1 NOTE: https://savannah.gnu.org/bugs/?52265 CVE-2017-18197 (In mxGraphViewImageReader.java in mxGraph before 3.7.6, the ...) - - libjgraphx-java (low) + - libjgraphx-java (low; bug #891796) [jessie] - libjgraphx-java (Minor issue) [stretch] - libjgraphx-java (Minor issue) NOTE: https://github.com/jgraph/mxgraph/issues/124 @@ -63110,7 +63110,7 @@ CVE-2017-3160 (After the Android platform is added to Cordova the first time, or CVE-2017-3159 (Apache Camel's camel-snakeyaml component is vulnerable to Java object ...) NOT-FOR-US: Apache Camel CVE-2017-3158 (A race condition in Guacamole's terminal emulator in versions 0.9.5 ...) - - guacamole-client + - guacamole-client (bug #891798) - guacamole CVE-2017-3157 (By exploiting the way Apache OpenOffice before 4.1.4 renders embedded ...) {DSA-3792-1 DLA-910-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b0e2c90968afd3267971e69b2b83e7a729fc875 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b0e2c90968afd3267971e69b2b83e7a729fc875 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new guacamole issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b9a633eb by Moritz Muehlenhoff at 2018-02-28T23:18:17+01:00 new guacamole issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -63110,7 +63110,8 @@ CVE-2017-3160 (After the Android platform is added to Cordova the first time, or CVE-2017-3159 (Apache Camel's camel-snakeyaml component is vulnerable to Java object ...) NOT-FOR-US: Apache Camel CVE-2017-3158 (A race condition in Guacamole's terminal emulator in versions 0.9.5 ...) - TODO: check + - guacamole-client + - guacamole CVE-2017-3157 (By exploiting the way Apache OpenOffice before 4.1.4 renders embedded ...) {DSA-3792-1 DLA-910-1} - libreoffice 1:5.2.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b9a633ebb42d7f336592c00033015515cb12fdb2 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b9a633ebb42d7f336592c00033015515cb12fdb2 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] libjgraphx-java no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dacd0aea by Moritz Muehlenhoff at 2018-02-28T23:11:10+01:00 libjgraphx-java no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -359,9 +359,10 @@ CVE-2017-18198 (print_iso9660_recurse in iso-info.c in GNU libcdio before 1.0.0 - libcdio 1.0.0-1 NOTE: https://savannah.gnu.org/bugs/?52265 CVE-2017-18197 (In mxGraphViewImageReader.java in mxGraph before 3.7.6, the ...) - - libjgraphx-java + - libjgraphx-java (low) + [jessie] - libjgraphx-java (Minor issue) + [stretch] - libjgraphx-java (Minor issue) NOTE: https://github.com/jgraph/mxgraph/issues/124 - TODO: check CVE-2018-7443 (The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-23 Q16 ...) {DLA-1293-1} - imagemagick (low; bug #891291) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dacd0aea9d8d06805915327a3039cece4c7e6c16 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dacd0aea9d8d06805915327a3039cece4c7e6c16 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d41afc2f by Moritz Muehlenhoff at 2018-02-28T23:10:10+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26694,7 +26694,7 @@ CVE-2017-197 (On Darwin, user's trust preferences for root certificates were - golang-1.9 (OS X specific issue) NOTE: https://github.com/golang/go/issues/18141 CVE-2017-15011 (The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and ...) - TODO: check, can't make much sense of it, probably limited to Win32 + - qbittorrent (Only affects Windows) CVE-2017-15010 (A ReDoS (regular expression denial of service) flaw was found in the ...) - node-tough-cookie (bug #877660) NOTE: https://github.com/salesforce/tough-cookie/issues/92 @@ -35356,7 +35356,7 @@ CVE-2017-12132 (The DNS stub resolver in the GNU C Library (aka glibc or libc6) CVE-2017-12131 (The Easy Testimonials plugin 3.0.4 for WordPress has XSS in ...) NOT-FOR-US: Wordpress plugin CVE-2017-12130 (An exploitable NULL pointer dereference vulnerability exists in the ...) - TODO: check + NOT-FOR-US: tinysvcmdns CVE-2017-12129 RESERVED CVE-2017-12128 
@@ -35423,7 +35423,7 @@ CVE-2017-12098 (An exploitable cross site scripting (XSS) vulnerability exists i - ruby-rails-admin NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 CVE-2017-12097 (An exploitable cross site scripting (XSS) vulnerability exists in the ...) - TODO: check + NOT-FOR-US: delayed_job_web rails gem CVE-2017-12096 (An exploitable vulnerability exists in the WiFi management of Circle ...) NOT-FOR-US: Circle of Disney CVE-2017-12095 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d41afc2f9655d43ead1c6442e16fc1deaa863c26 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d41afc2f9655d43ead1c6442e16fc1deaa863c26 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
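Review bot: in the first hunk the CVE-2017-15011 context line describes "qtsingleapp in Qt 5.x, as used in qBittorrent and ...", so the affected code may be embedded in sources other than qbittorrent; before replacing the TODO with a single package entry, check which other Debian packages ship a copy of qtsingleapplication. The "(Only affects Windows)" annotation itself follows the "- golang-1.9 (OS X specific issue)" style used a few lines above, so that part is consistent.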
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1296-1 for xmltooling
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 79889edb by Markus Koschany at 2018-02-28T23:00:32+01:00 Reserve DLA-1296-1 for xmltooling - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[28 Feb 2018] DLA-1296-1 xmltooling - security update + {CVE-2018-0489} + [wheezy] - xmltooling 1.4.2-5+deb7u3 [28 Feb 2018] DLA-1295-1 drupal7 - security update {CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6932} [wheezy] - drupal7 7.14-2+deb7u17 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -104,6 +104,4 @@ wordpress -- xen -- -xmltooling (Markus Koschany) --- zsh View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79889edb0f3ca4fc14a75d038bea675c12b017d3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79889edb0f3ca4fc14a75d038bea675c12b017d3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dla-needed: isc-dhcp, freexl
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f11b833 by Antoine Beaupré at 2018-02-28T16:50:17-05:00 dla-needed: isc-dhcp, freexl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,6 +18,8 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- +freexl +-- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. @@ -28,6 +30,8 @@ gcc-4.7 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Do we want/need it on this gcc version as well? -- +isc-dhcp +-- icu (Thorsten Alteholz) NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f11b833705475658b1417150edf96014075ac41 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f11b833705475658b1417150edf96014075ac41 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
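Review bot: the second hunk inserts isc-dhcp immediately before icu, but the file is kept in alphabetical order and "icu" sorts before "isc-dhcp"; move the new block below the icu entry. The freexl insertion in the first hunk is correctly placed between elinks and gcc-4.6.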
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98449683 by Salvatore Bonaccorso at 2018-02-28T22:40:57+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -287,7 +287,7 @@ CVE-2018-7470 (An issue was discovered in ImageMagick 7.0.7-22 Q16. The ...) NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7305dacfcdf5e51c4f8d0ba9f77fa97792f8acf7 NOTE: webp support not enabled, see #806425 CVE-2018-7469 (PHP Scripts Mall Entrepreneur Job Portal Script 2.0.9 has XSS via the ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall Entrepreneur Job Portal Script CVE-2018-7468 RESERVED CVE-2018-7467 (AxxonSoft Axxon Next has Directory Traversal via an initial /css//..%2f ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98449683e62f46f1cbee45ac5184e53cdc4bc48f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98449683e62f46f1cbee45ac5184e53cdc4bc48f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dla-needed: zsh, no-dsa: roundcube
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: e9c7407c by Antoine Beaupré at 2018-02-28T16:38:38-05:00 dla-needed: zsh, no-dsa: roundcube - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -963,6 +963,7 @@ CVE-2018-171 [Permissions issue in enigma plugin allows exfiltration secret RESERVED - roundcube [stretch] - roundcube (Minor issue) + [wheezy] - roundcube (Minor issue) NOTE: https://github.com/roundcube/roundcubemail/issues/6173 NOTE: https://www.legacysecuritygroup.com/cve/references/02122018-roundcube-enigma.txt NOTE: Can be mitigated by moving home folder outside the scope of the webserver = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -102,3 +102,4 @@ xen -- xmltooling (Markus Koschany) -- +zsh View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9c7407c65d974ba4ddd8c67f638be97312bf26b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9c7407c65d974ba4ddd8c67f638be97312bf26b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mark one php7.0 issue as ignored
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c4a7414c by Moritz Muehlenhoff at 2018-02-28T22:36:06+01:00 mark one php7.0 issue as ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -50428,14 +50428,14 @@ CVE-2017-7273 (The cp_report_fixup function in drivers/hid/hid-cypress.c in the NOTE: Fixed by: https://git.kernel.org/linus/1ebb71143758f45dc0fa76e2f48429e13b16d110 CVE-2017-7272 (PHP through 7.1.11 enables potential SSRF in applications that accept ...) {DLA-875-1} - - php7.1 7.1.4-1 - - php7.0 7.0.18-1 + - php7.1 + - php7.0 + [stretch] - php7.0 (Upstream patch breaks existing applications, revisit if a new approach has been identified) - php5 [jessie] - php5 (Never applied to PHP 5 by upstream, breaks existing applications) NOTE: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a NOTE: https://bugs.php.net/bug.php?id=74216 - NOTE: Fixed in 7.1.4 and 7.0.18 - TODO: Re-check php7.1, might not have been fixed up to 7.1.11 (completely) + NOTE: Fixed in 7.1.4 and 7.0.18, but were later reverted: https://bugzilla.redhat.com/show_bug.cgi?id=1437837#c3 CVE-2017-7269 (Buffer overflow in the ScStoragePathFromUrl function in the WebDAV ...) NOT-FOR-US: Windows CVE-2017-7268 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4a7414c8491484e02b96376626bd738b2b94352 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4a7414c8491484e02b96376626bd738b2b94352 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
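Review bot: php7.1 changes from fixed in 7.1.4-1 to an open, unannotated entry and the TODO to re-check php7.1 up to 7.1.11 is dropped, yet only php7.0/stretch receives the ignore rationale; either add the same "(Upstream patch breaks existing applications ...)" status for php7.1 where it applies or keep a TODO, so the unstable status of php7.1 is not left ambiguous. Minor wording nit on the new NOTE: "Fixed in 7.1.4 and 7.0.18, but the fixes were later reverted" reads better than "but were later reverted".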
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mark libav as removed, code is affected
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 34eb09a2 by Moritz Muehlenhoff at 2018-02-28T22:33:13+01:00 mark libav as removed, code is affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20,9 +20,8 @@ CVE-2018-7558 RESERVED CVE-2018-7557 (The decode_init function in libavcodec/utvideodec.c in FFmpeg through ...) - ffmpeg - - libav + - libav NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7414d0bda7763f9bd69c26c068e482ab297c1c96 - TODO: check libav CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before ...) - limesurvey (bug #472802) CVE-2018-7555 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34eb09a24d92c608b3783d9feb9f1c1c300dd6e6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34eb09a24d92c608b3783d9feb9f1c1c300dd6e6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
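Review bot: the `-`/`+` pair for libav in this hunk render identically (`- libav` removed, `- libav` added), so the marker the commit message refers to (libav being marked as removed) is not visible; angle-bracket status tokens are easily dropped by HTML rendering, so please confirm the committed line actually carries the removed marker and is not a no-op. Dropping `TODO: check libav` matches "code is affected" in the commit message, but a NOTE recording that the affected utvideodec.c code is shared with libav would preserve that finding for the next reader.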
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2014-10070/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b41ab1dd by Salvatore Bonaccorso at 2018-02-28T22:17:49+01:00 Add CVE-2014-10070/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -73,7 +73,8 @@ CVE-2014-10071 (In exec.c in zsh before 5.0.7, there is a buffer overflow for ve NOTE: https://sourceforge.net/p/zsh/code/ci/49a3086bb67575435251c70ee598e2fd406ef055 NOTE: Debian needed to add cherry-pick-9982ab6f-missing-changelog-entry CVE-2014-10070 (zsh before 5.0.7 allows evaluation of the initial values of integer ...) - TODO: check + - zsh 5.0.7-3 + NOTE: https://sourceforge.net/p/zsh/code/ci/546203a770cec329e73781c3c8ab1078390aee72 CVE-2018-7544 RESERVED CVE-2018-7543 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b41ab1dd35d10e7643964b99389c6e334cdafebf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b41ab1dd35d10e7643964b99389c6e334cdafebf You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
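Review bot: the fixed version is recorded as zsh 5.0.7-3 although the description says "before 5.0.7"; the neighbouring CVE-2014-10071 entry justifies its 5.0.7-3 with the cherry-pick-9982ab6f note, but nothing in this entry says why 5.0.7-1 does not count as fixed for CVE-2014-10070. A one-line NOTE (or a reference to the same cherry-pick) would stop the next triager from "correcting" it back to 5.0.7-1.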
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2014-10071/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2764c55 by Salvatore Bonaccorso at 2018-02-28T22:13:47+01:00 Add CVE-2014-10071/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -69,7 +69,9 @@ CVE-2014-10072 (In utils.c in zsh before 5.0.6, there is a buffer overflow when - zsh 5.0.6-1 NOTE: https://sourceforge.net/p/zsh/code/ci/3e06aeabd8a9e8384ebaa8b08996cd1f64737210 CVE-2014-10071 (In exec.c in zsh before 5.0.7, there is a buffer overflow for very long ...) - TODO: check + - zsh 5.0.7-3 + NOTE: https://sourceforge.net/p/zsh/code/ci/49a3086bb67575435251c70ee598e2fd406ef055 + NOTE: Debian needed to add cherry-pick-9982ab6f-missing-changelog-entry CVE-2014-10070 (zsh before 5.0.7 allows evaluation of the initial values of integer ...) TODO: check CVE-2018-7544 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2764c5546ada121015edcb6fea23131c82e3f7b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2764c5546ada121015edcb6fea23131c82e3f7b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
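Review bot: the NOTE "Debian needed to add cherry-pick-9982ab6f-missing-changelog-entry" names a Debian patch file but does not say what it supplies, so the reader cannot tell from the entry whether 5.0.7-1 and 5.0.7-2 shipped the fix from commit 49a3086b at all; since this line is the whole justification for 5.0.7-3 rather than 5.0.7-1, one sentence on what that cherry-pick adds (or a link to upstream commit 9982ab6f) would make the entry self-explaining.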
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c52b872 by security tracker role at 2018-02-28T21:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,21 @@ +CVE-2018-7567 + RESERVED +CVE-2018-7566 + RESERVED +CVE-2018-7565 + RESERVED +CVE-2018-7564 + RESERVED +CVE-2018-7563 + RESERVED +CVE-2018-7562 + RESERVED +CVE-2018-7561 + RESERVED +CVE-2018-7560 + RESERVED +CVE-2018-7559 + RESERVED CVE-2018-7558 RESERVED CVE-2018-7557 (The decode_init function in libavcodec/utvideodec.c in FFmpeg through ...) @@ -266,8 +284,8 @@ CVE-2018-7470 (An issue was discovered in ImageMagick 7.0.7-22 Q16. The ...) NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8130e12eb30685ef958f4e62fe624da393920be7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7305dacfcdf5e51c4f8d0ba9f77fa97792f8acf7 NOTE: webp support not enabled, see #806425 -CVE-2018-7469 - RESERVED +CVE-2018-7469 (PHP Scripts Mall Entrepreneur Job Portal Script 2.0.9 has XSS via the ...) + TODO: check CVE-2018-7468 RESERVED CVE-2018-7467 (AxxonSoft Axxon Next has Directory Traversal via an initial /css//..%2f ...) 
@@ -595,22 +613,22 @@ CVE-2017-18193 (fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandle NOTE: Fixed by: https://git.kernel.org/linus/dad48e73127ba10279ea33e6dbc8d3905c4d31c0 CVE-2017-6932 [SA-CORE-2018-001: External link injection on 404 pages when linking to the current page] RESERVED - {DSA-4123-1} + {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891154) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6929 [SA-CORE-2018-001: jQuery vulnerability with untrusted domains] RESERVED - {DSA-4123-1} + {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891153) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6928 [SA-CORE-2018-001: Private file access bypass] RESERVED - {DSA-4123-1} + {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891152) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6927 [SA-CORE-2018-001: JavaScript cross-site scripting prevention is incomplete] RESERVED - {DSA-4123-1} + {DSA-4123-1 DLA-1295-1} - drupal8 (bug #756305) - drupal7 7.57-1 (bug #891150) NOTE: https://www.drupal.org/sa-core-2018-001 @@ -981,8 +999,8 @@ CVE-2018-7266 RESERVED CVE-2018-7265 (Shimmie 2 2.6.0 allows an attacker to upload a crafted SVG file that ...) NOT-FOR-US: Shimmie -CVE-2018-7264 - RESERVED +CVE-2018-7264 (The Pictview image processing library embedded in the ActivePDF ...) + TODO: check CVE-2004-2779 (id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b ...) - libid3tag 0.15.1b-5 (bug #304913) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=162647 @@ -16625,8 +16643,7 @@ CVE-2018-1305 (Security constraints defined by annotations of Servlets in Apache NOTE: https://svn.apache.org/r1824359 (8.0.x) NOTE: https://svn.apache.org/r1823322 (7.0.x) NOTE: https://svn.apache.org/r1824360 (7.0.x) -CVE-2018-1304 [Security constraints mapped to context root are ignored] - RESERVED +CVE-2018-1304 (The URL pattern of "" (the empty string) which exactly maps to the ...) - tomcat9 (bug #802312) - tomcat8 8.5.28-1 - tomcat8.0 (unimportant) 
@@ -16682,8 +16699,7 @@ CVE-2018-1287 (In Apache JMeter 2.X and 3.X, when using Distributed Test only (R - jakarta-jmeter NOTE: http://www.openwall.com/lists/oss-security/2018/02/11/2 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=62039 -CVE-2018-1286 - RESERVED +CVE-2018-1286 (In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged ...) NOT-FOR-US: Apache OpenMeetings CVE-2018-1285 RESERVED @@ -19411,14 +19427,14 @@ CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when - polarssl [wheezy] - polarssl (according to the upstream advisory < 1.2.19 not affected) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 -NOTE: https://github.com/ARMmbed/mbedtls/commit/992b6872f3ca717282ae367749a47f006d337a87 -NOTE: https://github.com/ARMmbed/mbedtls/commit/464147cadc694379b7717afb7b517fe05cdb323f + NOTE: https://github.com/ARMmbed/mbedtls/commit/992b6872f3ca717282ae367749a47f006d337a87 + NOTE: https://github.com/ARMmbed/mbedtls/commit/464147cadc694379b7717afb7b517fe05cdb323f CVE-2018-0487 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows ...)
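Review bot: in the CVE-2018-0488 hunk the two mbedtls commit NOTE lines had been at column 0 and are re-indented here; indentation is what attaches a NOTE to the entry above it, so until this change they were stray lines between CVE-2018-0488 and CVE-2018-0487 rather than part of the mbedtls entry. The re-indent is the right fix, but it arrived via the automatic update rather than a reviewed commit, which suggests a syntax check on data/CVE/list at commit time would catch this class of slip earlier.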
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2014-10072
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e25b918a by Salvatore Bonaccorso at 2018-02-28T22:07:34+01:00 Add CVE-2014-10072 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -48,7 +48,8 @@ CVE-2016-10714 (In zsh before 5.3, an off-by-one error resulted in undersized bu - zsh 5.3-1 NOTE: https://sourceforge.net/p/zsh/code/ci/a62e1640bcafbb82d86ea8d8ce057a83c4683d60 CVE-2014-10072 (In utils.c in zsh before 5.0.6, there is a buffer overflow when ...) - TODO: check + - zsh 5.0.6-1 + NOTE: https://sourceforge.net/p/zsh/code/ci/3e06aeabd8a9e8384ebaa8b08996cd1f64737210 CVE-2014-10071 (In exec.c in zsh before 5.0.7, there is a buffer overflow for very long ...) TODO: check CVE-2014-10070 (zsh before 5.0.7 allows evaluation of the initial values of integer ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e25b918a06069dd786adfda5021533d6c909d7c8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e25b918a06069dd786adfda5021533d6c909d7c8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2016-10714/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce39ee67 by Salvatore Bonaccorso at 2018-02-28T21:56:24+01:00 Add CVE-2016-10714/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -45,7 +45,8 @@ CVE-2017-18205 (In builtin.c in zsh before 5.4, when sh compatibility mode is us NOTE: https://sourceforge.net/p/zsh/code/ci/eb783754bdb74377f3cea4ceca9c23a02ea1bf58 NOTE: no security impact CVE-2016-10714 (In zsh before 5.3, an off-by-one error resulted in undersized buffers ...) - TODO: check + - zsh 5.3-1 + NOTE: https://sourceforge.net/p/zsh/code/ci/a62e1640bcafbb82d86ea8d8ce057a83c4683d60 CVE-2014-10072 (In utils.c in zsh before 5.0.6, there is a buffer overflow when ...) TODO: check CVE-2014-10071 (In exec.c in zsh before 5.0.7, there is a buffer overflow for very long ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce39ee671987937340d07e9190fe8eadf6e1ce02 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce39ee671987937340d07e9190fe8eadf6e1ce02 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-5732: #891786
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fc5059e by Salvatore Bonaccorso at 2018-02-28T21:46:28+01:00 Add bug reference for CVE-2018-5732: #891786 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5248,7 +5248,7 @@ CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 CVE-2018-5732 [A specially constructed response from a malicious server can cause a buffer overflow in dhclient] RESERVED - - isc-dhcp + - isc-dhcp (bug #891786) NOTE: https://kb.isc.org/article/AA-01565/75/CVE-2018-5732 CVE-2018-105 (libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in ...) - curl 7.58.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fc5059e2f746f9f54b627d834d6bf0664df53f5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fc5059e2f746f9f54b627d834d6bf0664df53f5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-7533: #891785
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dbc7c1b4 by Salvatore Bonaccorso at 2018-02-28T21:44:19+01:00 Add bug reference for CVE-2018-7533: #891785 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5244,7 +5244,7 @@ CVE-2018-5734 [A malformed request can trigger an assertion failure in badcache. NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734 CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] RESERVED - - isc-dhcp + - isc-dhcp (bug #891785) NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 CVE-2018-5732 [A specially constructed response from a malicious server can cause a buffer overflow in dhclient] RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dbc7c1b4f307bb2d8f392a0115fec609643c0668 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dbc7c1b4f307bb2d8f392a0115fec609643c0668 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
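Review bot: the commit message and subject say "Add bug reference for CVE-2018-7533: #891785", but the hunk adds the bug reference to CVE-2018-5733 (the ISC dhcpd reference-counter overflow); the data change itself looks right, so the mismatch is only in the commit message, but people do grep the log by CVE id, so an amended message (or a follow-up commit noting the typo) would avoid confusion later.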
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5732/isc-dhcp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69de3b78 by Salvatore Bonaccorso at 2018-02-28T21:43:30+01:00 Add CVE-2018-5732/isc-dhcp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5246,8 +5246,10 @@ CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] RESERVED - isc-dhcp NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 -CVE-2018-5732 +CVE-2018-5732 [A specially constructed response from a malicious server can cause a buffer overflow in dhclient] RESERVED + - isc-dhcp + NOTE: https://kb.isc.org/article/AA-01565/75/CVE-2018-5732 CVE-2018-105 (libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in ...) - curl 7.58.0-1 [stretch] - curl 7.52.1-5+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/69de3b78cd07ff7a618124491a1dac0f74872cec --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/69de3b78cd07ff7a618124491a1dac0f74872cec You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5733/isc-dhcp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dec8c2d1 by Salvatore Bonaccorso at 2018-02-28T21:39:18+01:00 Add CVE-2018-5733/isc-dhcp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5242,8 +5242,10 @@ CVE-2018-5734 [A malformed request can trigger an assertion failure in badcache. RESERVED - bind9 (Only affects Supported Preview Edition/Subscription Edition) NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734 -CVE-2018-5733 +CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] RESERVED + - isc-dhcp + NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 CVE-2018-5732 RESERVED CVE-2018-105 (libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dec8c2d14501e8addd7518d9a241fb6df34158e7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dec8c2d14501e8addd7518d9a241fb6df34158e7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5734/bind9
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ff3fa0f by Salvatore Bonaccorso at 2018-02-28T21:34:00+01:00 Add CVE-2018-5734/bind9 This issue does not affect any released version but only the "Supported Preview Edition/Subscription Edition" versions of BIND. Cf. https://kb.isc.org/article/AA-01562/74/CVE-2018-5734 for details. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5238,8 +5238,10 @@ CVE-2018-5735 [assertion failure in validator.c:1858] NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was NOTE: added upstream in 9.9.3b1. The issue though does not affect bind9 upstream NOTE: and is only triggered as described in #889285. -CVE-2018-5734 +CVE-2018-5734 [A malformed request can trigger an assertion failure in badcache.c] RESERVED + - bind9 (Only affects Supported Preview Edition/Subscription Edition) + NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734 CVE-2018-5733 RESERVED CVE-2018-5732 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ff3fa0f6d11f1a46d03390c9fd8c8d249f94f16 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ff3fa0f6d11f1a46d03390c9fd8c8d249f94f16 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
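Review bot: as rendered, the line `- bind9 (Only affects Supported Preview Edition/Subscription Edition)` carries no status marker, so it reads as an open bind9 issue with a parenthetical, which contradicts the commit message's "does not affect any released version"; the not-affected marker is presumably present and just lost in rendering, but please confirm, because an unfixed bind9 entry whose only rationale is "subscription edition only" would look like a triage error on the tracker pages.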
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18205/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 545dadba by Salvatore Bonaccorso at 2018-02-28T21:30:49+01:00 Add CVE-2017-18205/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -41,7 +41,9 @@ CVE-2017-18206 (In utils.c in zsh before 5.4, symlink expansion had a buffer ove - zsh 5.4.1-1 NOTE: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d CVE-2017-18205 (In builtin.c in zsh before 5.4, when sh compatibility mode is used, ...) - TODO: check + - zsh 5.4.1-1 (unimportant) + NOTE: https://sourceforge.net/p/zsh/code/ci/eb783754bdb74377f3cea4ceca9c23a02ea1bf58 + NOTE: no security impact CVE-2016-10714 (In zsh before 5.3, an off-by-one error resulted in undersized buffers ...) TODO: check CVE-2014-10072 (In utils.c in zsh before 5.0.6, there is a buffer overflow when ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/545dadbaa8e960779c6241cd3d0b531301ba5742 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/545dadbaa8e960779c6241cd3d0b531301ba5742 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reported bug for CVE-2017-17724, remove TODO item
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b37baa2 by Salvatore Bonaccorso at 2018-02-28T21:28:25+01:00 Reported bug for CVE-2017-17724, remove TODO item - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -11205,11 +11205,10 @@ CVE-2017-17725 (In Exiv2 0.26, there is an integer overflow leading to a heap-ba NOTE: https://github.com/Exiv2/exiv2/pull/193 TODO: check CVE-2017-17724 (In Exiv2 0.26, there is a heap-based buffer over-read in the ...) - [experimental] - exiv2 + [experimental] - exiv2 (bug #891783) - exiv2 (Introduced in 0.26) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524107 NOTE: https://github.com/Exiv2/exiv2/issues/210 - TODO: report against experimental CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the ...) - exiv2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524104 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b37baa2c6f345e5884ca0f036bd8ea552ad9bd0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b37baa2c6f345e5884ca0f036bd8ea552ad9bd0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-7548 as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e8ee755 by Salvatore Bonaccorso at 2018-02-28T21:27:37+01:00 Mark CVE-2018-7548 as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -28,8 +28,9 @@ CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy NOTE: https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd NOTE: no security impact CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer dereference ...) - - zsh + - zsh (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102 + NOTE: no security impact CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the ...) NOT-FOR-US: lyadmin CVE-2018-7546 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e8ee755e133d2db540c42a61bd022830481bb73 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e8ee755e133d2db540c42a61bd022830481bb73 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] one exiv issue n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 97066621 by Moritz Muehlenhoff at 2018-02-28T21:21:10+01:00 one exiv issue n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -11203,10 +11203,11 @@ CVE-2017-17725 (In Exiv2 0.26, there is an integer overflow leading to a heap-ba NOTE: https://github.com/Exiv2/exiv2/pull/193 TODO: check CVE-2017-17724 (In Exiv2 0.26, there is a heap-based buffer over-read in the ...) - - exiv2 + [experimental] - exiv2 + - exiv2 (Introduced in 0.26) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524107 NOTE: https://github.com/Exiv2/exiv2/issues/210 - TODO: check + TODO: report against experimental CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the ...) - exiv2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524104 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9706662102944553605bec9f0bd17d6a58181bd1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9706662102944553605bec9f0bd17d6a58181bd1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
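Review bot: the hunk splits the entry into `[experimental] - exiv2` and `- exiv2 (Introduced in 0.26)`, i.e. unstable is treated as unaffected because 0.26 only exists in experimental; "Introduced in 0.26" is the rationale, but the hunk does not record which version unstable has nor which upstream change introduced the affected code, so a NOTE with either would make the claim checkable once 0.26 migrates. The `TODO: report against experimental` is the right follow-up for the experimental line.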
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18206/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49fbf5e2 by Salvatore Bonaccorso at 2018-02-28T21:21:54+01:00 Add CVE-2017-18206/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37,7 +37,8 @@ CVE-2018-7546 CVE-2018-7545 RESERVED CVE-2017-18206 (In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. ...) - TODO: check + - zsh 5.4.1-1 + NOTE: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d CVE-2017-18205 (In builtin.c in zsh before 5.4, when sh compatibility mode is used, ...) TODO: check CVE-2016-10714 (In zsh before 5.3, an off-by-one error resulted in undersized buffers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/49fbf5e23b95ba0b40e42de714ff2d41c3258126 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/49fbf5e23b95ba0b40e42de714ff2d41c3258126 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
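Review bot: the description says "zsh before 5.4" while the fixed version is recorded as 5.4.1-1; if no 5.4 upload exists in the archive that is correct, but a short NOTE saying so (or pointing at the changelog of 5.4.1-1) would save the next triager the lookup and avoid the entry being read as "fixed one release late".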
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2016-7394/tikiwiki
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e3694b0 by Salvatore Bonaccorso at 2018-02-28T21:14:54+01:00 Add CVE-2016-7394/tikiwiki - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -77676,7 +77676,8 @@ CVE-2016-7395 (SkPath.cpp in Skia, as used in Google Chrome before 53.0.2785.89 - chromium-browser 53.0.2785.92-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-7394 (tiki wiki cms groupware <=15.2 has a xss vulnerability, allow ...) - TODO: check + - tikiwiki + NOTE: https://sourceforge.net/p/tikiwiki/code/59653/ CVE-2016-7391 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) NOT-FOR-US: Nvidia Windows driver CVE-2016-7390 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e3694b0d6289c5fd00fa6f8a41d18dabd0b03d3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e3694b0d6289c5fd00fa6f8a41d18dabd0b03d3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-12098/ruby-rails-admin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f9e4741 by Salvatore Bonaccorso at 2018-02-28T21:14:17+01:00 Add CVE-2017-12098/ruby-rails-admin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -35390,7 +35390,8 @@ CVE-2017-12100 CVE-2017-12099 RESERVED CVE-2017-12098 (An exploitable cross site scripting (XSS) vulnerability exists in the ...) - TODO: check + - ruby-rails-admin + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 CVE-2017-12097 (An exploitable cross site scripting (XSS) vulnerability exists in the ...) TODO: check CVE-2017-12096 (An exploitable vulnerability exists in the WiFi management of Circle ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f9e47418e177399e871abf8ca690a10308f282d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f9e47418e177399e871abf8ca690a10308f282d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
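Review bot: the entry records ruby-rails-admin as affected with no fixed version and only the Talos report as reference; if the report names a fixed rails_admin release, that version belongs on the package line so the tracker can close it once packaged. The neighbouring CVE-2017-12097, whose description opens identically ("An exploitable cross site scripting (XSS) vulnerability exists in the ..."), is left at `TODO: check` in the context lines; if it belongs to the same Talos batch it should be triaged in the same pass.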
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 23bfd857 by Salvatore Bonaccorso at 2018-02-28T21:13:42+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -31,7 +31,7 @@ CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer derefere - zsh NOTE: https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102 CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the ...) - TODO: check + NOT-FOR-US: lyadmin CVE-2018-7546 RESERVED CVE-2018-7545 @@ -3232,7 +3232,7 @@ CVE-2018-6483 CVE-2018-6482 RESERVED CVE-2018-6481 (A buffer overflow vulnerability in the control protocol of Disk Savvy ...) - TODO: check + NOT-FOR-US: Disk Savvy Enterprise CVE-2018-6480 (A type confusion issue was discovered in CCN-lite 2, leading to a ...) NOT-FOR-US: CCN-lite 2 CVE-2018-6479 (An issue was discovered on Netwave IP Camera devices. An ...) @@ -15733,7 +15733,7 @@ CVE-2018-1418 CVE-2018-1417 (Under certain circumstances, a flaw in the J9 JVM (IBM Runtimes for ...) NOT-FOR-US: IBM Runtimes for Java Technology CVE-2018-1416 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to ...) - TODO: check + NOT-FOR-US: IBM WebSphere Portal CVE-2018-1415 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2018-1414 (IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL ...) @@ -31510,7 +31510,7 @@ CVE-2017-13275 CVE-2017-13274 RESERVED CVE-2017-13273 (In xt_qtaguid.c, there is a race condition due to insufficient ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13272 RESERVED CVE-2017-13271 
@@ -38875,7 +38875,7 @@ CVE-2017-10965 (An issue was discovered in Irssi before 1.0.4. When receiving me CVE-2017-10964 RESERVED CVE-2017-10963 (In Knox SDS IAM (Identity Access Management) and EMM (Enterprise ...) - TODO: check + NOT-FOR-US: Samsung CVE-2017-10962 (REDCap before 7.5.1 has XSS via the query string. ...) NOT-FOR-US: REDCap CVE-2017-10961 (REDCap before 7.5.1 has CSRF in the deletion feature of the File ...) @@ -44729,7 +44729,7 @@ CVE-2017-8995 CVE-2017-8994 (A input validation vulnerability in HPE Operations Orchestration ...) NOT-FOR-US: HPE CVE-2017-8993 (A Remote Cross-Site Scripting vulnerability in HPE Project and ...) - TODO: check + NOT-FOR-US: HPE Project and Portfolio Management CVE-2017-8992 RESERVED CVE-2017-8991 @@ -65819,7 +65819,7 @@ CVE-2017-2168 (Cross-site scripting vulnerability in WP Booking System Free vers CVE-2017-2167 (Untrusted search path vulnerability in Installer for PrimeDrive ...) NOT-FOR-US: PrimeDrive CVE-2017-2166 (Open redirect vulnerability in GroupSession version 4.7.0 and earlier ...) - TODO: check + NOT-FOR-US: GroupSession CVE-2017-2165 (GroupSession versions 4.6.4 and earlier allows remote authenticated ...) NOT-FOR-US: GroupSession CVE-2017-2164 (Cross-site scripting vulnerability in SOY CMS with installer 1.8.12 ...) @@ -73133,7 +73133,7 @@ CVE-2016-8743 (Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, w NOTE: Fixed in 2.4.25. NOTE: For 2.2 preparation is done in http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/ CVE-2016-8742 (The Windows installer that the Apache CouchDB team provides was ...) - TODO: check + NOT-FOR-US: Windows installer for Apache CouchDB CVE-2016-8741 (The Apache Qpid Broker for Java can be configured to use different so ...) - qpid-java (bug #840131) CVE-2016-8740 (The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, ...) 
@@ -81235,7 +81235,7 @@ CVE-2016-6274 CVE-2016-6273 (The lmadmin component in Flexera FlexNet Publisher (aka Flex License ...) NOT-FOR-US: Flexera CVE-2016-6272 (SQL injection vulnerability in EPIC MyChart allows remote attackers to ...) - TODO: check + NOT-FOR-US: EPIC MyChart CVE-2016-6297 (Integer overflow in the php_stream_zip_opener function in ...) {DSA-3631-1 DLA-628-1} - php7.0 7.0.9-1 @@ -118491,7 +118491,7 @@ CVE-2015-2798 (SQL injection vulnerability in Joomla! Component Contact Form Mak CVE-2015-2797 (Stack-based buffer overflow in AirTies Air 6372, 5760, 5750, 5650TT, ...) NOT-FOR-US: AirTies Air DSL modems CVE-2015-2796 (Multiple cross-site scripting (XSS) vulnerabilities in Project-Pier ...) - TODO: check + NOT-FOR-US: Project-Pier ProjectPier-Core CVE-2015-2795 RESERVED CVE-2015-2794 (The installation wizard in DotNetNuke (DNN) before 7.4.1 allows remote ...) @@ -120554
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: xen not affected by CVE-2018-7542
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 66ae313e by Guido Günther at 2018-02-28T20:39:46+01:00 lts: xen not affected by CVE-2018-7542 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -59,6 +59,7 @@ CVE-2018-7538 CVE-2018-7542 (An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH ...) - xen [jessie] - xen (Vulnerable code introduced later) + [wheezy] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-256.html CVE-2018-7541 (An issue was discovered in Xen through 4.10.x allowing guest OS users ...) - xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66ae313e7d76cb05c2bc18a964cd5ee408cdfa18 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66ae313e7d76cb05c2bc18a964cd5ee408cdfa18 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
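Review bot: the added wheezy line is consistent with the description's affected range (Xen 4.8.x through 4.10.x) and copies the jessie reason verbatim, but as rendered here neither release line shows a status tag between "xen" and the parenthesised reason; confirm the committed line carries the not-affected tag (in angle brackets), since a package line with only a comment is read as an open issue. "Vulnerable code introduced later" also gives no way to re-verify the claim; a NOTE pointing at the upstream commit that introduced the x86 PVH code path would make the LTS triage checkable.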
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f531b506 by Moritz Muehlenhoff at 2018-02-28T19:19:40+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2532,13 +2532,13 @@ CVE-2018-6643 CVE-2018-6642 RESERVED CVE-2018-6641 (An Arbitrary Free (Remote Code Execution) issue was discovered in ...) - TODO: check + NOT-FOR-US: Design Science MathType CVE-2018-6640 (A Heap Overflow (Remote Code Execution) issue was discovered in Design ...) - TODO: check + NOT-FOR-US: Design Science MathType CVE-2018-6639 (An out-of-bounds write (Remote Code Execution) issue was discovered in ...) - TODO: check + NOT-FOR-US: Design Science MathType CVE-2018-6638 (A stack-based buffer overflow (Remote Code Execution) issue was ...) - TODO: check + NOT-FOR-US: Design Science MathType CVE-2018-6637 RESERVED CVE-2018-6636 @@ -42316,7 +42316,7 @@ CVE-2017-9711 CVE-2017-9710 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9709 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-9708 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9707 
@@ -43093,9 +43093,9 @@ CVE-2017-9428 (A directory traversal vulnerability exists in ...) CVE-2017-9427 (SQL injection vulnerability in BigTree CMS through 4.2.18 allows remote ...) NOT-FOR-US: BigTree CMS CVE-2017-9426 (ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection ...) - TODO: check + NOT-FOR-US: Piwigo extension CVE-2017-9425 (The Facetag extension 0.0.3 for Piwigo allows XSS via the name ...) - TODO: check + NOT-FOR-US: Piwigo extension CVE-2017-9424 (IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers ...) NOT-FOR-US: IdeaBlade Breeze Breeze.Server.NET CVE-2017-9423 @@ -43122,7 +43122,7 @@ CVE-2017-9416 (Directory traversal vulnerability in tools.file_open in Odoo 8.0, CVE-2017-9415 (Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 ...) NOT-FOR-US: Subsonic CVE-2017-9414 (Cross-site request forgery (CSRF) vulnerability in the Subscribe to ...) - TODO: check + NOT-FOR-US: Subsonic CVE-2017-9413 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...) NOT-FOR-US: Subsonic CVE-2012-6705 (Cross Site Scripting (XSS) exists in Jamroom before 4.2.7 via the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f531b506c54f49166ecc110a660ea10cc84a9a6d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f531b506c54f49166ecc110a660ea10cc84a9a6d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
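Review bot: "NOT-FOR-US: Piwigo extension" for CVE-2017-9426 and CVE-2017-9425 drops the name that the descriptions supply ("the Facetag extension 0.0.3 for Piwigo"); other plugin entries in this file keep it (e.g. "NOT-FOR-US: WordPress plugin wp-noexternallinks"), and without it a grep for the extension, or a later packaging of it, will not find these two lines. Suggested text: "NOT-FOR-US: Facetag extension for Piwigo". The MathType, Qualcomm and Subsonic hunks mirror the adjacent already-triaged entries and look right.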
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e6800e5d by Moritz Muehlenhoff at 2018-02-28T18:46:08+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -36584,13 +36584,13 @@ CVE-2017-11636 (GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage() - graphicsmagick 1.3.26-4 (bug #870149) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/39961adf974c CVE-2017-11635 (An issue was discovered on Wireless IP Camera 360 devices. Attackers ...) - TODO: check + NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11634 (An issue was discovered on Wireless IP Camera 360 devices. Remote ...) - TODO: check + NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11633 (An issue was discovered on Wireless IP Camera 360 devices. Remote ...) - TODO: check + NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11632 (An issue was discovered on Wireless IP Camera 360 devices. A root ...) - TODO: check + NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11631 (dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL ...) NOT-FOR-US: Fiyo CMS CVE-2017-11630 (dapur\apps\app_config\controller\backuper.php in Fiyo CMS 2.0.7 allows ...) @@ -41055,7 +41055,7 @@ CVE-2017-10303 (Vulnerability in the Oracle Interaction Center Intelligence comp CVE-2017-10302 (Vulnerability in the Siebel UI Framework component of Oracle Siebel ...) NOT-FOR-US: Oracle CVE-2017-10301 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-10300 (Vulnerability in the Siebel CRM Desktop component of Oracle Siebel CRM ...) NOT-FOR-US: Oracle CVE-2017-10299 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) 
@@ -41118,7 +41118,7 @@ CVE-2017-10283 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10282 (Vulnerability in the Core RDBMS component of Oracle Database Server. ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-10281 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4048-1 DSA-4015-1 DLA-1187-1} - openjdk-9 9.0.1+11-1 @@ -41155,7 +41155,7 @@ CVE-2017-10274 (Vulnerability in the Java SE component of Oracle Java SE ...) - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10273 (Vulnerability in the Oracle JDeveloper component of Oracle Fusion ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-10272 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10271 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) @@ -41185,7 +41185,7 @@ CVE-2017-10264 (Vulnerability in the Siebel UI Framework component of Oracle Sie CVE-2017-10263 (Vulnerability in the Siebel UI Framework component of Oracle Siebel ...) NOT-FOR-US: Oracle CVE-2017-10262 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-10261 (Vulnerability in the XML Database component of Oracle Database Server. ...) NOT-FOR-US: Oracle CVE-2017-10260 (Vulnerability in the Oracle Integrated Lights Out Manager (ILOM) ...) @@ -41732,7 +41732,7 @@ CVE-2017-10070 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub CVE-2017-10069 (Vulnerability in the Oracle Payment Interface component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10068 (Vulnerability in the Oracle Business Intelligence Enterprise Edition ...) - TODO: check + NOT-FOR-US: Oracle CVE-2017-10067 (Vulnerability in the Java SE component of Oracle Java SE ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 
@@ -50026,7 +50026,7 @@ CVE-2017-7353 CVE-2017-7352 (Stored Cross-site scripting (XSS) vulnerability in Pure Storage Purity ...) NOT-FOR-US: Pure Storage Purity CVE-2017-7351 (A SQL injection issue exists in a file upload handler in REDCap 7.x ...) - TODO: check + NOT-FOR-US: REDCap CVE-2017-7350 RESERVED CVE-2017-7349 @@ -53682,13 +53682,13 @@ CVE-2017-6203 CVE-2017-6202 RESERVED CVE-2017-6201 (A Server Side Request Forgery vulnerability exists in the install app ...) - TODO: check + NOT-FOR-US: Sandstorm CVE-2017-6200 (Sandstorm before build 0.203 allows remote attackers to read any ...) - TODO: check + NOT-FOR-US: Sandstorm CVE-2017-6199 (A remote attacker could bypass the Sandstorm organization restriction ...) - TODO: check + NOT-FO
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Adding trafficserver (CVE-2017-7671, CVE-2017-5660)
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d3acf8c by Sébastien Delafond at 2018-02-28T16:26:04+01:00 Adding trafficserver (CVE-2017-7671, CVE-2017-5660) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -82,6 +82,9 @@ sqlite3/oldstable -- sssd/stable -- +trafficserver + 2018-02-28: Jean Baptiste Favre is proposing an update +-- tomcat7/oldstable -- tomcat8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d3acf8ce1f0f12fdffec93c94ea6a8e8e7e48c4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d3acf8ce1f0f12fdffec93c94ea6a8e8e7e48c4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
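Review bot: the new trafficserver block is inserted between sssd/stable and tomcat7/oldstable, but the surrounding entries are alphabetical (sqlite3, sssd, tomcat7, tomcat8) and "trafficserver" sorts after "tomcat8"; move it below the tomcat entries. The entry also has no claimant in parentheses, unlike "mbedtls (seb)" elsewhere in this file, so it reads as unclaimed with a status note; if Jean Baptiste Favre is preparing the update, record him as the owner, and the CVE IDs from the commit title (CVE-2017-7671, CVE-2017-5660) belong in the entry itself, since dsa-needed.txt is what people work from, not the git log.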
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add note on mbedtls status
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: f68cdbf5 by Sébastien Delafond at 2018-02-28T16:19:17+01:00 Add note on mbedtls status - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -47,6 +47,7 @@ linux Wait until more issues have piled up -- mbedtls (seb) + 2018-02-28: James Cowgill is looking into preparing updates -- mercurial -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f68cdbf567fc2ce1aac28b37d390747d851dffa7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f68cdbf567fc2ce1aac28b37d390747d851dffa7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e7bef0e1 by Moritz Muehlenhoff at 2018-02-28T15:48:24+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15714,7 +15714,7 @@ CVE-2018-1427 CVE-2018-1426 RESERVED CVE-2018-1425 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses weaker ...) - TODO: check + NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1424 RESERVED CVE-2018-1423 @@ -15766,7 +15766,7 @@ CVE-2018-1401 (IBM WebSphere Portal 8.0, 8.5, and 9.0 is vulnerable to cross-sit CVE-2018-1400 RESERVED CVE-2018-1399 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5 and 5.0 is ...) - TODO: check + NOT-FOR-US: IBM Daeja ViewONE Professional CVE-2018-1398 RESERVED CVE-2018-1397 @@ -81742,7 +81742,7 @@ CVE-2016-6232 (Directory traversal vulnerability in KArchive before 5.24, as use NOTE: https://lists.debian.org/debian-lts/2016/07/msg00144.html NOTE: Fix: https://git.reviewboard.kde.org/r/128185/ CVE-2016-6217 (Cross-site scripting (XSS) vulnerability in Sophos PureMessage for ...) - TODO: check + NOT-FOR-US: Sophos CVE-2016-6216 RESERVED CVE-2016-6215 @@ -139800,7 +139800,7 @@ CVE-2014-4707 (Huawei Campus S7700 with software V200R001C00SPC300, ...) CVE-2014-4706 (Huawei Campus S3700HI with software V200R001C00SPC300; Campus S5700 ...) NOT-FOR-US: Huawei CVE-2014-4705 (Multiple heap-based buffer overflows in the eSap software platform in ...) - TODO: check + NOT-FOR-US: eSap CVE-2014-4704 RESERVED CVE-2013-7388 (Heap-based buffer overflow in paintlib, as used in Trimble SketchUp ...) @@ -141182,7 +141182,7 @@ CVE-2014-4147 CVE-2014-4146 REJECTED CVE-2014-4145 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4144 REJECTED CVE-2014-4143 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ...) 
@@ -141248,7 +141248,7 @@ CVE-2014-4114 (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, CVE-2014-4113 (win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 ...) NOT-FOR-US: Microsoft CVE-2014-4112 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4111 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4110 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ...) @@ -141340,7 +141340,7 @@ CVE-2014-4068 (The Response Group Service in Microsoft Lync Server 2010 and 2013 CVE-2014-4067 (Microsoft Internet Explorer 10 and 11 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4066 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4065 (Microsoft Internet Explorer 6 through 11 allows remote attackers to ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2014-4064 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) @@ -141607,7 +141607,7 @@ CVE-2014-3973 (Multiple SQL injection vulnerabilities in FrontAccounting (FA) be [squeeze] - frontaccounting (Minor issue) [wheezy] - frontaccounting (Minor issue) CVE-2014-3972 (Directory traversal vulnerability in Apexis APM-J601-WS cameras with ...) - TODO: check + NOT-FOR-US: Apexis cameras CVE-2014-3971 (The CmdAuthenticate::_authenticateX509 function in ...) - mongodb (X.509 certifictate authentication introduced in 2.6.x) NOTE: https://jira.mongodb.org/browse/SERVER-13753 
@@ -142501,7 +142501,7 @@ CVE-2014-3631 (The assoc_array_gc function in the associative-array implementati NOTE: Introduced by https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b2a4df200d570b2c33a57e1ebfa5896e4bc81b69 (v3.13) NOTE: Fixed by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=95389b08d93d5c06ec63ab49bd732b0069b7c35e CVE-2014-3630 (XML external entity (XXE) vulnerability in the Java XML processing ...) - TODO: check + NOT-FOR-US: Play framework CVE-2014-3629 (XML external entity (XXE) vulnerability in the XML Exchange module in ...) - qpid-cpp (low; bug #772794) [wheezy] - qpid-cpp (Minor issue) @@ -143769,7 +143769,7 @@ CVE-2014-3246 (SQL injection vulnerability in Collabtive 1.2 allows remote ...) CVE-2014-3245 RESERVED CVE-2014-3244 (XML external entity (XXE) vulnerability in the RSSDashlet dashlet in ...) -
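Review bot: "NOT-FOR-US: Play framework" for CVE-2014-3630 is not checkable from the entry: the truncated description ("XML external entity (XXE) vulnerability in the Java XML processing ...") does not name the product, and the immediately following entry, CVE-2014-3629, is an XXE that is tracked against a Debian package (qpid-cpp). Add a NOTE with the advisory URL that ties the CVE to Play, as the neighbouring kernel entry does with its introduced-by/fixed-by links, so the attribution survives the next audit. The Microsoft, IBM, Sophos, eSap and Apexis hunks match the products named in their descriptions.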
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Unclaim freexl
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f994e5ea by Markus Koschany at 2018-02-28T14:59:16+01:00 Unclaim freexl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,8 +18,6 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- -freexl (Markus Koschany) --- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f994e5ea0a477b5a2d368c40aa2861c7919ea8c7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f994e5ea0a477b5a2d368c40aa2861c7919ea8c7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
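Review bot: the hunk removes the whole freexl entry (the "freexl (Markus Koschany)" line and its "--" separator), not just the claimant, so freexl drops out of the DLA queue; if the intent is only to release the claim, the entry should become a bare "freexl" line, as the unclaimed "elinks" entry in the same context block looks. If instead the conclusion is that no DLA is needed, say so in the commit message and annotate the CVEs in data/CVE/list accordingly, because "Unclaim" as written suggests the former.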
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-7328, Wheezy and Jessie and Stretch not affected
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f30562e2 by Thorsten Alteholz at 2018-02-28T14:42:52+01:00 CVE-2018-7328, Wheezy and Jessie and Stretch not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -668,8 +668,9 @@ CVE-2018-7329 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7328 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) - wireshark 2.4.5-1 (low) - [stretch] - wireshark (Minor issue) - [jessie] - wireshark (Minor issue) + [stretch] - wireshark (vulnerable code introduced later in v2.4.0) + [jessie] - wireshark (vulnerable code introduced later in v2.4.0) + [wheezy] - wireshark (vulnerable code introduced later in v2.4.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14421 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=69d09028c956f6e049145485ce9b3e2858789b2b NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f30562e264323bb6591c4f3c596644e680c713bd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f30562e264323bb6591c4f3c596644e680c713bd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
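Review bot: the new reason "vulnerable code introduced later in v2.4.0" contradicts the description on the entry's first line, which lists "Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12" as affected; if the 2.2 branch is affected the code predates 2.4.0, and the stretch line is being changed from a "Minor issue" no-dsa to a not-affected claim on that basis. Either record the upstream commit that introduced the vulnerable dissector code in a NOTE (the fix commit is linked, the introducing one is not) or keep the no-dsa reasoning for stretch until the range is confirmed against bug 14421; upstream advisories routinely list every supported branch, so the description alone cannot settle it either way.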
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim xmltooling and freexl in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 29b4dc8a by Markus Koschany at 2018-02-28T14:31:31+01:00 Claim xmltooling and freexl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,6 +18,8 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- +freexl (Markus Koschany) +-- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. @@ -99,3 +101,6 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) -- xen +-- +xmltooling (Markus Koschany) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/29b4dc8a892ec617f53cab4fc9903ed71081faae --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/29b4dc8a892ec617f53cab4fc9903ed71081faae You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 5 commits: CVE-2018-7326, Wheezy and Jessie not affected
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: dc7a753f by Thorsten Alteholz at 2018-02-28T13:46:24+01:00 CVE-2018-7326, Wheezy and Jessie not affected - - - - - 7732df52 by Thorsten Alteholz at 2018-02-28T13:47:19+01:00 CVE-2018-7327, Wheezy and Jessie and Stretch not affected - - - - - a1e3c4a1 by Thorsten Alteholz at 2018-02-28T13:49:20+01:00 CVE-2018-7329, Wheezy and Jessie not affected - - - - - fe65d98d by Thorsten Alteholz at 2018-02-28T13:52:11+01:00 CVE-2018-7333, Wheezy and Jessie not affected - - - - - ec1b6e31 by Thorsten Alteholz at 2018-02-28T13:57:24+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -632,7 +632,8 @@ CVE-2018-7334 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the UMTS MAC dis CVE-2018-7333 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) - wireshark 2.4.5-1 (low) [stretch] - wireshark (Minor issue) - [jessie] - wireshark (Minor issue) + [jessie] - wireshark (vulnerable code introduced later in v1.99.7) + [wheezy] - wireshark (vulnerable code introduced later in v1.99.7) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14449 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=bd6313181317bfe83842b27650b65f3c2b8d5dc9 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html 
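Review bot: for CVE-2018-7333 the reason "vulnerable code introduced later in v1.99.7" rests on a version that appears nowhere else in the entry; the three NOTE lines cover the bug, the fix and the advisory only. Add the introducing commit (or at least the dissector file) to a NOTE so the jessie and wheezy not-affected claims can be re-verified, and drop "later" from the wording, "vulnerable code introduced in 1.99.7" says the same thing. Leaving stretch at "Minor issue" is consistent with the description's 2.2.0 to 2.2.12 range.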
@@ -660,7 +661,8 @@ CVE-2018-7330 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) CVE-2018-7329 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) - wireshark 2.4.5-1 (low) [stretch] - wireshark (Minor issue) - [jessie] - wireshark (Minor issue) + [jessie] - wireshark (vulnerable code introduced later in v1.99.0) + [wheezy] - wireshark (vulnerable code introduced later in v1.99.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14423 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d8a0cbc4f2979e0b1cadbe79f0b8b4ecb92477be NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html 
@@ -673,15 +675,17 @@ CVE-2018-7328 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7327 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) - wireshark 2.4.5-1 (low) - [stretch] - wireshark (Minor issue) - [jessie] - wireshark (Minor issue) + [stretch] - wireshark (vulnerable code introduced later in v2.4.0) + [jessie] - wireshark (vulnerable code introduced later in v2.4.0) + [wheezy] - wireshark (vulnerable code introduced later in v2.4.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14420 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=563989f888e51258edb9a27db56124bdc33c9afe NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html CVE-2018-7326 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, ...) - wireshark 2.4.5-1 (low) [stretch] - wireshark (Minor issue) - [jessie] - wireshark (Minor issue) + [jessie] - wireshark (vulnerable code introduced later in v1.99.0) + [wheezy] - wireshark (vulnerable code introduced later in v1.99.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14419 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=293b999425e998d6cde0d9149648e421ea7687d0 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5080cb16f2d950b2585c31738415e48fb929a952...ec1b6e3112b0720a769b9be288b23c2ff153ce17 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5080cb16f2d950b2585c31738415e48fb929a952...ec1b6e3112b0720a769b9be288b23c2ff153ce17 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
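Review bot: CVE-2018-7327 gets "vulnerable code introduced later in v2.4.0" on all three release lines, yet the description names "2.2.0 to 2.2.12" as affected alongside 2.4.x, and stretch moves from a "Minor issue" no-dsa to a not-affected claim on that basis; one of the two statements is wrong, so cite the introducing commit in a NOTE (bug 14420 and the fix commit are linked, the origin of the code is not) or keep stretch at no-dsa until it is confirmed. The CVE-2018-7326 change (introduced in 1.99.0, stretch still no-dsa) does not have this conflict.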
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1295-1 for drupal7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5080cb16 by Markus Koschany at 2018-02-28T13:46:16+01:00 Reserve DLA-1295-1 for drupal7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[28 Feb 2018] DLA-1295-1 drupal7 - security update + {CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6932} + [wheezy] - drupal7 7.14-2+deb7u17 [25 Feb 2018] DLA-1294-1 golang - security update {CVE-2018-7187} [wheezy] - golang 2:1.0.2-1.1+deb7u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -15,8 +15,6 @@ dovecot (Thorsten Alteholz) NOTE: maintainer and security team are looking into this NOTE: probably no-dsa -- -drupal7 (Markus Koschany) --- elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5080cb16f2d950b2585c31738415e48fb929a952 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5080cb16f2d950b2585c31738415e48fb929a952 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove duplicate CVE-2018-1057 entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16f93a66 by Salvatore Bonaccorso at 2018-02-28T13:41:32+01:00 Remove duplicate CVE-2018-1057 entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -36,8 +36,6 @@ CVE-2018-7546 RESERVED CVE-2018-7545 RESERVED -CVE-2018-1057 - RESERVED CVE-2017-18206 (In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. ...) TODO: check CVE-2017-18205 (In builtin.c in zsh before 5.4, when sh compatibility mode is used, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/16f93a66f0960c490e10f51b28b9b1afc2696204 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/16f93a66f0960c490e10f51b28b9b1afc2696204 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs / two ITPs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d9f626cf by Moritz Muehlenhoff at 2018-02-28T13:37:49+01:00 NFUs / two ITPs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15807,7 +15807,7 @@ CVE-2018-1379 CVE-2018-1378 RESERVED CVE-2018-1377 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 stores user ...) - TODO: check + NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1376 RESERVED CVE-2018-1375 @@ -15817,7 +15817,7 @@ CVE-2018-1374 CVE-2018-1373 RESERVED CVE-2018-1372 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not ...) - TODO: check + NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1371 RESERVED CVE-2018-1370 @@ -18344,7 +18344,7 @@ CVE-2018-0910 CVE-2018-0909 RESERVED CVE-2018-0908 (Microsoft Identity Manager 2016 SP1 allows an attacker to gain ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0907 RESERVED CVE-2018-0906 @@ -19324,11 +19324,11 @@ CVE-2018-0522 CVE-2018-0521 RESERVED CVE-2018-0520 (Cross-site request forgery (CSRF) vulnerability in FS010W firmware ...) - TODO: check + NOT-FOR-US: FS010W firmware CVE-2018-0519 (Cross-site scripting vulnerability in FS010W firmware FS010W_00_V1.3.0 ...) - TODO: check + NOT-FOR-US: FS010W firmware CVE-2018-0518 (LINE for iOS version 7.1.3 to 7.1.5 does not verify X.509 certificates ...) - TODO: check + NOT-FOR-US: LINE for iOS CVE-2018-0517 (Untrusted search path vulnerability in Anshin net security for Windows ...) NOT-FOR-US: Anshin net security for Windows CVE-2018-0516 (Untrusted search path vulnerability in FLET'S v4 / v6 address ...) 
@@ -21299,9 +21299,9 @@ CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in co [wheezy] - collectd (Vulnerable code not present) NOTE: https://github.com/collectd/collectd/issues/2291 CVE-2017-16814 (A Directory Traversal issue was discovered in the Foxit MobilePDF app ...) - TODO: check + NOT-FOR-US: Foxit CVE-2017-16813 (A denial-of-service issue was discovered in the Foxit MobilePDF app ...) - TODO: check + NOT-FOR-US: Foxit CVE-2017-16812 RESERVED CVE-2017-16811 @@ -24071,11 +24071,11 @@ CVE-2016-10517 (networking.c in Redis before 3.2.7 allows "Cross Protocol S CVE-2017-15863 (Cross Site Scripting (XSS) exists in the wp-noexternallinks plugin ...) NOT-FOR-US: WordPress plugin wp-noexternallinks CVE-2017-15862 (In all Qualcomm products with Android releases from CAF using the ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15861 (In all Qualcomm products with Android releases from CAF using the ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15860 (In all Qualcomm products with Android releases from CAF using the ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15859 RESERVED NOT-FOR-US: Qualcomm component for Android @@ -24850,7 +24850,7 @@ CVE-2017-15520 CVE-2017-15519 RESERVED CVE-2017-15518 (All versions of OnCommand API Services prior to 2.1 and NetApp Service ...) - TODO: check + NOT-FOR-US: NetApp CVE-2017-15517 (AltaVault OST Plug-in versions prior to 1.2.2 may allow attackers to ...) NOT-FOR-US: AltaVault OST Plug-in CVE-2017-15516 (NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a ...) 
@@ -28354,13 +28354,13 @@ CVE-2017-14462 CVE-2017-14461 RESERVED CVE-2017-14460 (An exploitable overly permissive cross-domain (CORS) whitelist ...) - TODO: check + - parity (bug #890550) CVE-2017-14459 RESERVED CVE-2017-14458 RESERVED CVE-2017-14457 (An exploitable information leak/denial of service vulnerability exists ...) - TODO: check + - cpp-etherum (bug #860434) CVE-2017-14456 RESERVED CVE-2017-14455 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d9f626cfa456c82ac2d272f4d4f6f7bdd45c2d61 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d9f626cfa456c82ac2d272f4d4f6f7bdd45c2d61 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
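Review bot: "- cpp-etherum (bug #860434)" for CVE-2017-14457 looks misspelled; the C++ Ethereum client is packaged under the name cpp-ethereum, and the tracker can only link this entry to the package once it enters the archive if the names match exactly, so check the spelling against the title of bug #860434. Both ITP entries would also benefit from a NOTE with the upstream advisory, since the truncated descriptions ("An exploitable overly permissive cross-domain (CORS) whitelist ...", "An exploitable information leak/denial of service vulnerability exists ...") do not name the product that ties them to parity and cpp-ethereum.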
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Readd CVE-2018-1057 RESERVED that got lost
Christoph Berg pushed to branch master at Debian Security Tracker / security-tracker Commits: ae072fb3 by Christoph Berg at 2018-02-28T13:36:00+01:00 Readd CVE-2018-1057 RESERVED that got lost - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17396,6 +17396,8 @@ CVE-2018-1058 [Security implications of using the default search_path and public NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3d2aed664ee8271fd6c721ed0aa10168cda112ea NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=582edc369cdbd348d68441fc50fa26a84afd0c1a NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5770172cb0c9df9e6ce27c507b449557e5b45124 +CVE-2018-1057 + RESERVED CVE-2018-1056 [heap buffer overflow while running advzip] RESERVED {DLA-1281-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae072fb3bf88d4ade0c34c339dcc4b7a0e96bbcb
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] puppet n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 94956833 by Moritz Muehlenhoff at 2018-02-28T13:16:15+01:00 puppet n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -65543,9 +65543,9 @@ CVE-2017-2299 (Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1. CVE-2017-2298 (The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a ...) NOT-FOR-US: mcollective-sshkey-security plugin CVE-2017-2297 (Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not ...) - TODO: check + - puppet (Specific to Puppet Enterprise) CVE-2017-2296 (In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted ...) - TODO: check + - puppet (Specific to Puppet Enterprise) CVE-2017-2295 (Versions of Puppet prior to 4.10.1 will deserialize data off the wire ...) {DSA-3862-1 DLA-1012-1} - puppet 4.8.2-5 (bug #863212) @@ -6,7 +6,7 @@ CVE-2017-2294 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 faile - puppet (Doesn't affect Puppet as shipped in Debian) NOTE: Puppet as shipped in Debian doesn't provide puppetdb yet CVE-2017-2293 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped ...) - TODO: check + - puppet (Specific to Puppet Enterprise) CVE-2017-2292 (Versions of MCollective prior to 2.10.4 deserialized YAML from agents ...) - mcollective (bug #866711) [jessie] - mcollective (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/94956833c30ebaa64bc3fb797dcabe316f0e9b93
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 62980471 by Moritz Muehlenhoff at 2018-02-28T12:59:59+01:00 NFUs - - - - - 2faae3ca by Moritz Muehlenhoff at 2018-02-28T13:00:35+01:00 Merge branch 'master' of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16491,7 +16491,7 @@ CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered NOTE: https://github.com/uclouvain/openjpeg/issues/1044 NOTE: Debian packaging does not build JPWL, has BUILD_JPWL:BOOL=OFF CVE-2017-17478 (An XSS issue was discovered in Designer Studio in Pegasystems Pega ...) - TODO: check + NOT-FOR-US: Pegasystems Pega Platform CVE-2017-17477 RESERVED CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a ...) @@ -21422,13 +21422,13 @@ CVE-2017-16772 CVE-2017-16771 RESERVED CVE-2017-16770 (File and directory information exposure vulnerability in ...) - TODO: check + NOT-FOR-US: Synology Surveillance Station CVE-2017-16769 (Exposure of private information vulnerability in Photo Viewer in ...) - TODO: check + NOT-FOR-US: Synology Photo Station CVE-2017-16768 (Cross-site scripting (XSS) vulnerability in User Policy editor in ...) NOT-FOR-US: Synology MailPlus Server CVE-2017-16767 (Cross-site scripting (XSS) vulnerability in User Profile in Synology ...) - TODO: check + NOT-FOR-US: Synology Surveillance Station CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in Synology ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-16765 (XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. ...) 
@@ -66597,7 +66597,7 @@ CVE-2017-1776 CVE-2017-1775 RESERVED CVE-2017-1774 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 discloses ...) - TODO: check + NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2017-1773 (IBM DataPower Gateways 7.1, 7,2, 7.5, and 7.6 could allow an attacker ...) NOT-FOR-US: IBM DataPower Gateways CVE-2017-1772 @@ -80333,9 +80333,9 @@ CVE-2016-6601 (Directory traversal vulnerability in the file download functional CVE-2016-6600 (Directory traversal vulnerability in the file upload functionality in ...) NOT-FOR-US: ZOHO WebNMS CVE-2016-6599 (BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET ...) - TODO: check + NOT-FOR-US: BMC Track-It! CVE-2016-6598 (BMC Track-It! 11.4 before Hotfix 3 exposes an unauthenticated .NET ...) - TODO: check + NOT-FOR-US: BMC Track-It! CVE-2016-6597 (Sophos EAS Proxy before 6.2.0 for Sophos Mobile Control, when Lotus ...) NOT-FOR-US: Sophos EAS Proxy NOTE: https://www.pallas.com/advisories/sophos_eas_open_reverse_proxy_vulnerability @@ -106787,7 +106787,7 @@ CVE-2015-6929 (Multiple cross-site scripting (XSS) vulnerabilities in Nokia Netw CVE-2015-6928 (classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x ...) NOT-FOR-US: CubeCart CVE-2015-6926 (The OpenID Single Sign-On authentication functionality in OXID eShop ...) - TODO: check + NOT-FOR-US: OXID eShop CVE-2015-6925 (wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to ...) - wolfssl 3.9.10+dfsg-1 (bug #801120) CVE-2015-6924 @@ -107837,7 +107837,7 @@ CVE-2015-6571 CVE-2015-6570 RESERVED CVE-2015-6569 (Race condition in the LoadBalancer module in the Atlassian Floodlight ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2015-6568 (Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code ...) NOT-FOR-US: Wolf CMS CVE-2015-6567 (Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code ...) 
@@ -113673,7 +113673,7 @@ CVE-2015-4463 (The file_manager component in eFront CMS before 3.6.15.5 allows r CVE-2015-4462 (Absolute path traversal vulnerability in the file_manager component of ...) NOT-FOR-US: eFront CMS CVE-2015-4461 (Absolute path traversal vulnerability in eFront CMS 3.6.15.4 and ...) - TODO: check + NOT-FOR-US: eFront CMS CVE-2015-4460 (Cross-site request forgery (CSRF) vulnerability in ...) NOT-FOR-US: C2Box CVE-2015-4459 @@ -113851,7 +113851,7 @@ CVE-2015-4402 CVE-2015-4401 RESERVED CVE-2015-4400 (Ring (formerly DoorBot) video doorbells allow remote attackers to ...) - TODO: check + NOT-FOR-US: Ring video doorbells CVE-2015-4399 RESERVED CVE-2015-4398 (Open redirect vulnerability in the Chaos tool suite (ctools) module ...) @@ -116024,9 +116024,9 @@ CVE-2015-3621 (Untrusted search path vulnerability in SAP Enterprise Central ... CVE-2015-3620 (Cross-site scripting (XSS) vulnerab
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-0489/xmltooling fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 84887876 by Salvatore Bonaccorso at 2018-02-28T12:47:58+01:00 CVE-2018-0489/xmltooling fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -19385,7 +19385,7 @@ CVE-2018-0490 RESERVED CVE-2018-0489 (Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Service ...) {DSA-4126-1} - - xmltooling + - xmltooling 1.6.4-1 NOTE: https://shibboleth.net/community/advisories/secadv_20180227.txt NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-128 CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/84887876eca3df110c1b8b20a4bb39d86627d202
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7548
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d34ebe0d by Salvatore Bonaccorso at 2018-02-28T12:47:06+01:00 Add CVE-2018-7548 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -28,7 +28,8 @@ CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy NOTE: https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd NOTE: no security impact CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer dereference ...) - TODO: check + - zsh + NOTE: https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102 CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the ...) TODO: check CVE-2018-7546 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d34ebe0d8f4366b4767077453877deb810f754df
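Review bot: the new `+ - zsh` entry for CVE-2018-7548 carries no severity annotation, while the adjacent CVE-2018-7549 entry in the context lines is marked `(unimportant)` with `NOTE: no security impact`. Both are zsh crashes reachable only through input the shell is already executing; if the NULL pointer dereference in subst.c is judged the same way, annotate it consistently (`- zsh (unimportant)` plus a NOTE), and if it is not, a NOTE saying why it differs would save the next triager from re-deriving it.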
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update CVE-2018-7549 severity and demote to unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9796c907 by Salvatore Bonaccorso at 2018-02-28T12:17:23+01:00 Update CVE-2018-7549 severity and demote to unimportant Essentially a self-crash and denial of service against oneself. If one can be tricked into running a shell command one sends, a crash is least of the worries. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24,8 +24,9 @@ CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that le CVE-2018-7550 RESERVED CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) - - zsh + - zsh (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd + NOTE: no security impact CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer dereference ...) TODO: check CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9796c907ef0422e0f1d780d968a290e1dff43c2b
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7549/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5385e8de by Salvatore Bonaccorso at 2018-02-28T11:24:24+01:00 Add CVE-2018-7549/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24,7 +24,8 @@ CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that le CVE-2018-7550 RESERVED CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) - TODO: check + - zsh + NOTE: https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer dereference ...) TODO: check CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5385e8de0d48939a2e69873f686068a2a4100a87
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add upstream commits fixing CVE-2018-04[87]
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: d33e8eb5 by Sébastien Delafond at 2018-02-28T11:07:39+01:00 Add upstream commits fixing CVE-2018-04[87] Thanks to James Cowgill for identifying them. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -19390,11 +19390,14 @@ CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when - polarssl [wheezy] - polarssl (according to the upstream advisory < 1.2.19 not affected) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 +NOTE: https://github.com/ARMmbed/mbedtls/commit/992b6872f3ca717282ae367749a47f006d337a87 +NOTE: https://github.com/ARMmbed/mbedtls/commit/464147cadc694379b7717afb7b517fe05cdb323f CVE-2018-0487 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows ...) - mbedtls 2.7.0-2 (bug #890288) - polarssl [wheezy] - polarssl (according to the upstream advisory < 1.3.7 not affected) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 +NOTE: https://github.com/ARMmbed/mbedtls/commit/28a0c727957990ac655cbe40c7eb20b7ef01167d CVE-2018-0486 (Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service ...) {DSA-4085-1 DLA-1242-1} - xmltooling 1.6.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d33e8eb5dc82b01f9ec22d97d8fd4bdc53f810b7
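Review bot: the three added lines render as `+NOTE: https://github.com/ARMmbed/mbedtls/commit/...` with no whitespace after the `+`, whereas added NOTE lines in the neighbouring commits render as `+ NOTE: ...`. In data/CVE/list every line that is not a CVE header must be indented, since an unindented line is parsed as the start of a new entry; please confirm the leading tab is present on these three lines before they are relied on, and if the rendering here is faithful, re-indent them.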
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c7480ab0 by Salvatore Bonaccorso at 2018-02-28T11:03:12+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -212,7 +212,7 @@ CVE-2018-7484 (An issue was discovered in PureVPN through 5.19.4.0 on Windows. T CVE-2018-7483 RESERVED CVE-2018-7482 (The K2 component 2.8.0 for Joomla! has Incorrect Access Control with ...) - TODO: check + NOT-FOR-US: K2 component for Joomla! CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 mishandles ...) - linux (Vulnerable code not present) CVE-2018-199 [AST-2018-003: Crash with an invalid SDP fmtp attribute] @@ -238,7 +238,7 @@ CVE-2018-7479 (YzmCMS 3.6 allows remote attackers to discover the full path via CVE-2018-7478 RESERVED CVE-2018-7477 (SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 ...) - TODO: check + NOT-FOR-US: PHP Scripts Mall School Management Script CVE-2018-7476 (controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site ...) NOT-FOR-US: FineCms CVE-2018-7475 @@ -263,7 +263,7 @@ CVE-2018-7469 CVE-2018-7468 RESERVED CVE-2018-7467 (AxxonSoft Axxon Next has Directory Traversal via an initial /css//..%2f ...) - TODO: check + NOT-FOR-US: AxxonSoft Axxon Next CVE-2018-7466 (install/installNewDB.php in TestLink through 1.9.16 allows remote ...) NOT-FOR-US: TestLink CVE-2018-7465 
@@ -1257,7 +1257,7 @@ CVE-2018-168 (An improper input validation vulnerability exists in Jenkins v CVE-2018-167 (An improper authorization vulnerability exists in Jenkins versions ...) - jenkins CVE-2018-7172 (In index.php in WonderCMS 2.4.0, remote attackers can delete arbitrary ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2018-7171 RESERVED CVE-2018-7170 [Multiple authenticated ephemeral associations] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7480ab0b93da80c6ad59283d020272952780e56
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add new sam2p issues (CVE-2018-755{1,2,3,4})
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b7169ca by Salvatore Bonaccorso at 2018-02-28T10:54:42+01:00 Add new sam2p issues (CVE-2018-755{1,2,3,4}) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10,13 +10,17 @@ CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x befo CVE-2018-7555 RESERVED CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...) - TODO: check + - sam2p + NOTE: https://github.com/pts/sam2p/issues/29 CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...) - TODO: check + - sam2p + NOTE: https://github.com/pts/sam2p/issues/32 CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping.cpp ...) - TODO: check + - sam2p + NOTE: https://github.com/pts/sam2p/issues/30 CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads to ...) - TODO: check + - sam2p + NOTE: https://github.com/pts/sam2p/issues/28 CVE-2018-7550 RESERVED CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b7169ca7087f1ee7627b298935b609521549051
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7556/limesurvey, itp'ed, #472802
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b8d24ef by Salvatore Bonaccorso at 2018-02-28T10:36:47+01:00 Add CVE-2018-7556/limesurvey, itp'ed, #472802 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6,7 +6,7 @@ CVE-2018-7557 (The decode_init function in libavcodec/utvideodec.c in FFmpeg thr NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7414d0bda7763f9bd69c26c068e482ab297c1c96 TODO: check libav CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before ...) - TODO: check + - limesurvey (bug #472802) CVE-2018-7555 RESERVED CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b8d24efe963b8e105d8839b28b4fd6e910d6cce
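Review bot: the commit message says limesurvey is only ITP'ed (#472802), but the entry `+ - limesurvey (bug #472802)` has no `<itp>` marker, so the tracker will treat limesurvey as an unfixed source package in the archive rather than as a package that does not exist yet, and #472802 reads as a bug filed for this CVE rather than the ITP. Suggest `- limesurvey <itp> (bug #472802)`, which is the pseudo-version data/CVE/list uses for not-yet-uploaded packages.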
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7557/ffmpeg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b05e3c4 by Salvatore Bonaccorso at 2018-02-28T10:35:36+01:00 Add CVE-2018-7557/ffmpeg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,10 @@ CVE-2018-7558 RESERVED CVE-2018-7557 (The decode_init function in libavcodec/utvideodec.c in FFmpeg through ...) - TODO: check + - ffmpeg + - libav + NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/7414d0bda7763f9bd69c26c068e482ab297c1c96 + TODO: check libav CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before ...) TODO: check CVE-2018-7555 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b05e3c421cf9545cfa12716c57c837167748216
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fa18d45 by security tracker role at 2018-02-28T09:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,3 +1,45 @@ +CVE-2018-7558 + RESERVED +CVE-2018-7557 (The decode_init function in libavcodec/utvideodec.c in FFmpeg through ...) + TODO: check +CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x before 2.73.1, and 3.x before ...) + TODO: check +CVE-2018-7555 + RESERVED +CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...) + TODO: check +CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...) + TODO: check +CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping.cpp ...) + TODO: check +CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads to ...) + TODO: check +CVE-2018-7550 + RESERVED +CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) + TODO: check +CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer dereference ...) + TODO: check +CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the ...) + TODO: check +CVE-2018-7546 + RESERVED +CVE-2018-7545 + RESERVED +CVE-2018-1057 + RESERVED +CVE-2017-18206 (In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. ...) + TODO: check +CVE-2017-18205 (In builtin.c in zsh before 5.4, when sh compatibility mode is used, ...) + TODO: check +CVE-2016-10714 (In zsh before 5.3, an off-by-one error resulted in undersized buffers ...) + TODO: check +CVE-2014-10072 (In utils.c in zsh before 5.0.6, there is a buffer overflow when ...) + TODO: check +CVE-2014-10071 (In exec.c in zsh before 5.0.7, there is a buffer overflow for very long ...) + TODO: check +CVE-2014-10070 (zsh before 5.0.7 allows evaluation of the initial values of integer ...) + TODO: check CVE-2018-7544 RESERVED CVE-2018-7543 
@@ -162,8 +204,8 @@ CVE-2018-7484 (An issue was discovered in PureVPN through 5.19.4.0 on Windows. T NOT-FOR-US: PureVPN on Windows CVE-2018-7483 RESERVED -CVE-2018-7482 - RESERVED +CVE-2018-7482 (The K2 component 2.8.0 for Joomla! has Incorrect Access Control with ...) + TODO: check CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 mishandles ...) - linux (Vulnerable code not present) CVE-2018-199 [AST-2018-003: Crash with an invalid SDP fmtp attribute] @@ -188,8 +230,8 @@ CVE-2018-7479 (YzmCMS 3.6 allows remote attackers to discover the full path via NOT-FOR-US: YzmCMS CVE-2018-7478 RESERVED -CVE-2018-7477 - RESERVED +CVE-2018-7477 (SQL Injection exists in PHP Scripts Mall School Management Script 3.0.4 ...) + TODO: check CVE-2018-7476 (controllers/admin/Linkage.php in dayrui FineCms 5.3.0 has Cross Site ...) NOT-FOR-US: FineCms CVE-2018-7475 @@ -213,8 +255,8 @@ CVE-2018-7469 RESERVED CVE-2018-7468 RESERVED -CVE-2018-7467 - RESERVED +CVE-2018-7467 (AxxonSoft Axxon Next has Directory Traversal via an initial /css//..%2f ...) + TODO: check CVE-2018-7466 (install/installNewDB.php in TestLink through 1.9.16 allows remote ...) NOT-FOR-US: TestLink CVE-2018-7465 @@ -2476,14 +2518,14 @@ CVE-2018-6643 RESERVED CVE-2018-6642 RESERVED -CVE-2018-6641 - RESERVED -CVE-2018-6640 - RESERVED -CVE-2018-6639 - RESERVED -CVE-2018-6638 - RESERVED +CVE-2018-6641 (An Arbitrary Free (Remote Code Execution) issue was discovered in ...) + TODO: check +CVE-2018-6640 (A Heap Overflow (Remote Code Execution) issue was discovered in Design ...) + TODO: check +CVE-2018-6639 (An out-of-bounds write (Remote Code Execution) issue was discovered in ...) + TODO: check +CVE-2018-6638 (A stack-based buffer overflow (Remote Code Execution) issue was ...) + TODO: check CVE-2018-6637 RESERVED CVE-2018-6636 
@@ -2817,7 +2859,7 @@ CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) -[wheezy] - golang (Minor issue) + [wheezy] - golang (Minor issue) NOTE: https://github.com/golang/go/issues/23672 NOTE: https://go.googlesource.com/go/+/44821583bc16ff2508664fab94360bb856e9e9d6 NOTE: https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a @@ -17335,6 +17377,7 @@ CVE-2018-1060 CVE-2018-1059 RESERVED CVE-2018-1058 [Security implications of using the default search_