[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-7651 assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a208b668 by Salvatore Bonaccorso at 2018-03-04T08:47:13+01:00 CVE-2018-7651 assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6,7 +6,7 @@ CVE-2018- [Regular Expression Denial of Service] NOTE: https://github.com/moment/moment/issues/4163 NOTE: https://nodesecurity.io/advisories/532 NOTE: nodejs not covered by security support -CVE-2018- [Regular Expression Denial of Service vulnerability in the strict mode functionality] +CVE-2018-7651 [Regular Expression Denial of Service vulnerability in the strict mode functionality] - node-ssri (unimportant; bug #891980) NOTE: fixed in 5.2.2 NOTE: https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a208b668759ed42fbc90802f08ad2e52eada417d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a208b668759ed42fbc90802f08ad2e52eada417d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
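Review bot: the package line `- node-ssri (unimportant; bug #891980)` still carries no Debian fixed version even though `NOTE: fixed in 5.2.2` records the upstream fix, so the entry stays open in unstable after the id assignment; once the fixed upload exists the version belongs on the package line, as was done for node-moment in 9622c154 (`- node-moment 2.13.0+ds-1 (unimportant)`).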
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mariadb-10.2 removed from the archive
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5901229 by Salvatore Bonaccorso at 2018-03-04T08:46:10+01:00 mariadb-10.2 removed from the archive - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -25800,7 +25800,7 @@ CVE-2017-15367 CVE-2017-15366 (Before Thornberry NDoc version 8.0, laptop clients and the server have ...) NOT-FOR-US: Thornberry NDoc CVE-2017-15365 (sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before ...) - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mariadb-10.1 (bug #885345) [stretch] - mariadb-10.1 (Minor issue) - mariadb-10.0 @@ -41246,7 +41246,7 @@ CVE-2017-10385 (Vulnerability in the Oracle GlassFish Server component of Oracle - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-10384 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-4002-1 DLA-1141-1} - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL @@ -41260,13 +41260,13 @@ CVE-2017-10380 (Vulnerability in the Java Advanced Management Console component NOT-FOR-US: Java Advanced Management Console CVE-2017-10379 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-4002-1 DLA-1141-1} - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (bug #878402) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10378 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-4002-1 DLA-1141-1} - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.29-1 [stretch] - mariadb-10.1 (Minor issue) - mariadb-10.0 
@@ -41301,7 +41301,7 @@ CVE-2017-10367 (Vulnerability in the Oracle Hospitality Simphony component of Or CVE-2017-10366 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2017-10365 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL @@ -41446,7 +41446,7 @@ CVE-2017-10322 (Vulnerability in the Oracle Common Applications Calendar compone CVE-2017-10321 (Vulnerability in the Core RDBMS component of Oracle Database Server. ...) NOT-FOR-US: Oracle CVE-2017-10320 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL @@ -41536,7 +41536,7 @@ CVE-2017-10288 CVE-2017-10287 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10286 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL @@ -41605,7 +41605,7 @@ CVE-2017-10269 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion .. NOT-FOR-US: Oracle CVE-2017-10268 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-4002-1 DLA-1141-1} - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.29-1 [stretch] - mariadb-10.1 (Minor issue) - mariadb-10.0 
@@ -62088,7 +62088,7 @@ CVE-2017-3654 RESERVED CVE-2017-3653 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - - mariadb-10.2 (bug #884065) + - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.26-1 - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #868798) @@ -62131,7 +62131,7 @@ CVE-2017-3642 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3641 (Vulnerability in the MySQL Server component of Oracle MySQL ...) {DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - - mariadb-10.2
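Review bot: as rendered here every `+` line is byte-identical to the `-` line it replaces (`- mariadb-10.2 (bug #884065)` on both sides), so the actual change is invisible in this listing; given the commit title, the intended edit is presumably the tracker's removed-from-archive marker, which is written in angle brackets and has been swallowed by the HTML rendering of this notification. The data itself is likely fine, but verify the marker on the GitLab commit view linked in the message rather than from this copy, which is also cut off after the CVE-2017-3641 hunk.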
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update CVE-2017-18174 information
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bf89d19 by Salvatore Bonaccorso at 2018-03-04T08:35:17+01:00 Update CVE-2017-18174 information Rationale: in kernel-sec the conclusion was that the double-free issue is only introduced within the 4.11 release cycle and fixed in the same relase cycle, but not affecting 4.7 version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2950,11 +2950,8 @@ CVE-2018-141 (GNOME librsvg version before commit ...) NOTE: Merge of changes: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea NOTE: https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function in ...) - - linux 4.11.6-1 - [stretch] - linux (Issue introduced later) - [jessie] - linux (Vulnerable code not present) - [wheezy] - linux (Vulnerable code not present) - NOTE: Fixed by: https://git.kernel.org/linus/8dca4a41f1ad65043a78c2338d9725f859c8d2c3 + - linux (Vulnerable code not present) + NOTE: double-free introduced and fixed in the 4.11 release cycle CVE-2017-18173 RESERVED CVE-2017-18172 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf89d19610a22b25b82f42d3acb6d2e21577e5e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf89d19610a22b25b82f42d3acb6d2e21577e5e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
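Review bot: the rewrite drops the `NOTE: Fixed by: https://git.kernel.org/linus/8dca4a41f1ad65043a78c2338d9725f859c8d2c3` reference together with the old version lines, leaving only prose; keeping the fixing commit next to `NOTE: double-free introduced and fixed in the 4.11 release cycle` would let a later triager re-verify the "introduced and fixed in the same cycle" conclusion without going back to kernel-sec. The CVE description in the context line still reads "In the Linux kernel before 4.7", which contradicts that conclusion, so a NOTE flagging the inaccurate description would also help.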
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] correct note timestamp in dla-needed
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 4568bb36 by Abhijith PA at 2018-03-04T10:55:00+05:30 correct note timestamp in dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -104,4 +104,4 @@ wordpress xen -- zsh (Abhijith PA) - NOTE: 20180218: Upstream repository is temporarily offline (abhijith) + NOTE: 20180303: Upstream repository is temporarily offline (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4568bb3609b96f8583a8b779354913f6800a2edf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4568bb3609b96f8583a8b779354913f6800a2edf You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
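Review bot: only the date prefix changes (20180218 to 20180303) while the note text stays "Upstream repository is temporarily offline"; if this records a re-check, wording such as "still offline as of 20180303" would keep the original observation date visible instead of overwriting it.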
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-moment: old ReDoS: fixed
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 9622c154 by Paul Wise at 2018-03-04T06:44:55+08:00 node-moment: old ReDoS: fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -93613,7 +93613,7 @@ CVE-2016- [remote memory disclosure] NOTE: https://nodesecurity.io/advisories/67 NOTE: nodejs not covered by security support CVE-2016- [regular expression DoS] - - node-moment (unimportant) + - node-moment 2.13.0+ds-1 (unimportant) NOTE: fixed in 2.11.2 NOTE: https://github.com/moment/moment/pull/2939 NOTE: https://nodesecurity.io/advisories/55 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9622c1546d3e2b6ce8223eb8d9b8595b88f6ff9f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9622c1546d3e2b6ce8223eb8d9b8595b88f6ff9f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
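Review bot: the Debian fixed version 2.13.0+ds-1 is above the upstream fix 2.11.2 given in `NOTE: fixed in 2.11.2`, so the version data is consistent, but the entry keeps the placeholder id `CVE-2016- [regular expression DoS]`; with nodesecurity advisory 55 and pull 2939 already linked, a NOTE recording whether a CVE id was ever requested or assigned would stop this from being re-triaged as a missing id later.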
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-moment ReDoS
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 591358c2 by Paul Wise at 2018-03-04T06:43:20+08:00 node-moment ReDoS - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,11 @@ +CVE-2018- [Regular Expression Denial of Service] + - node-moment 2.19.3+ds-1 (unimportant) + NOTE: fixed in 2.19.3 upstream + NOTE: https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb + NOTE: https://github.com/moment/moment/pull/4326 + NOTE: https://github.com/moment/moment/issues/4163 + NOTE: https://nodesecurity.io/advisories/532 + NOTE: nodejs not covered by security support CVE-2018- [Regular Expression Denial of Service vulnerability in the strict mode functionality] - node-ssri (unimportant; bug #891980) NOTE: fixed in 5.2.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/591358c2b69ef3cfe19e46e1db9bdb472925ccb6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/591358c2b69ef3cfe19e46e1db9bdb472925ccb6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
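Review bot: the new entry has no Debian bug reference on `- node-moment 2.19.3+ds-1 (unimportant)`, while the node-ssri entry directly below it is identified via `bug #891980` (commit bee5644a: "Since there is no CVE assigned use a Debian BTS bug as identifier"); applying the same convention here would give this placeholder `CVE-2018-` entry a stable identifier as well.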
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Fixup state for CVE-2017-18174 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d540fd3 by Salvatore Bonaccorso at 2018-03-03T21:02:55+01:00 Fixup state for CVE-2017-18174 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2942,10 +2942,11 @@ CVE-2018-141 (GNOME librsvg version before commit ...) NOTE: Merge of changes: https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea NOTE: https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function in ...) - - linux 4.7.2-1 + - linux 4.11.6-1 + [stretch] - linux (Issue introduced later) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) - NOTE: Fixed by: https://git.kernel.org/linus/251e22abde21833b3d29577e4d8c7aaccd650eee + NOTE: Fixed by: https://git.kernel.org/linus/8dca4a41f1ad65043a78c2338d9725f859c8d2c3 CVE-2017-18173 RESERVED CVE-2017-18172 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2d540fd3cca58f50c2b5f2496657bfe687c7f09e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2d540fd3cca58f50c2b5f2496657bfe687c7f09e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
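Review bot: the three suite lines describe what reads as the same situation in two phrasings, `[stretch] - linux (Issue introduced later)` versus `[jessie]`/`[wheezy] - linux (Vulnerable code not present)`; one form makes the entry easier to scan and grep. The fixed version also moves from 4.7.2-1 to 4.11.6-1 while the CVE description in the context line still says "In the Linux kernel before 4.7", so a NOTE saying that the description does not match the fixing commit 8dca4a41f1ad65043a78c2338d9725f859c8d2c3 would spare the next reader the same confusion.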
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Sync various issues with kernel-sec triage from benh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 86548e12 by Salvatore Bonaccorso at 2018-03-03T21:00:17+01:00 Sync various issues with kernel-sec triage from benh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -475,6 +475,8 @@ CVE-2018-7493 CVE-2017-18204 (The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 + [jessie] - linux (Vulnerable code introduced later) + [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the Linux kernel ...) - linux 4.14.7-1 @@ -483,6 +485,8 @@ CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the Linux CVE-2017-18202 (The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel ...) - linux 4.14.7-1 [stretch] - linux 4.9.80-1 + [jessie] - linux (Vulnerable code not present) + [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/687cb0884a714ff484d038e9190edc874edcf146 CVE-2018-7492 (A NULL pointer dereference was found in the net/rds/rdma.c ...) - linux 4.14.7-1 @@ -545,6 +549,8 @@ CVE-2018-7481 RESERVED CVE-2018-7480 (The blkcg_init_queue function in block/blk-cgroup.c in the Linux ...) - linux 4.11.6-1 + [jessie] - linux (Issue introduced later) + [wheezy] - linux (Issue introduced later) NOTE: Fixed by: https://git.kernel.org/linus/9b54d816e00425c3a517514e0d677bb3cec49258 CVE-2018-7479 (YzmCMS 3.6 allows remote attackers to discover the full path via a ...) NOT-FOR-US: YzmCMS 
@@ -903,6 +909,8 @@ CVE-2017-18194 (SQL injection vulnerability in users/signup.php in the sig NOT-FOR-US: HamayeshNegar CMS CVE-2017-18193 (fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles ...) - linux 4.13.4-1 + [jessie] - linux (Vulnerable code not present) + [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/dad48e73127ba10279ea33e6dbc8d3905c4d31c0 CVE-2017-6932 (Drupal core 7.x versions before 7.57 has an external link injection ...) {DSA-4123-1 DLA-1295-1} @@ -1276,7 +1284,7 @@ CVE-2018-7275 CVE-2018-7274 (Yab Quarx through 2.4.3 is prone to multiple persistent cross-site ...) NOT-FOR-US: Yab Quarx CVE-2018-7273 (In the Linux kernel through 4.15.4, the floppy driver reveals the ...) - - linux + - linux 4.15.4-1 NOTE: https://lkml.org/lkml/2018/2/20/669 CVE-2018-7272 (The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part ...) NOT-FOR-US: ForgeRock AM @@ -2935,6 +2943,8 @@ CVE-2018-141 (GNOME librsvg version before commit ...) NOTE: https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function in ...) - linux 4.7.2-1 + [jessie] - linux (Vulnerable code not present) + [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/251e22abde21833b3d29577e4d8c7aaccd650eee CVE-2017-18173 RESERVED 
@@ -50709,6 +50719,7 @@ CVE-2015-9017 CVE-2015-9016 [blk-mq: fix race between timeout and freeing request] RESERVED - linux 4.2.3-1 + [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/0048b4837affd153897ed183492070027aa9 (4.3-rc1) CVE-2015-9015 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86548e12c22a72005809a66ed1bff369acb312fd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86548e12c22a72005809a66ed1bff369acb312fd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
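Review bot: in the CVE-2018-7273 hunk the fixed version becomes `- linux 4.15.4-1` while the description in the same hunk says "In the Linux kernel through 4.15.4", so the version credited with the fix is the one the CVE text calls affected; the only reference is the lkml thread, and a `NOTE: Fixed by: https://git.kernel.org/linus/...` line, as the neighbouring kernel entries carry, would justify that version.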
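Review bot: the suite annotations added across these hunks use three wordings for what reads as one state: `(Vulnerable code introduced later)` for CVE-2017-18204, `(Issue introduced later)` for CVE-2018-7480, and `(Vulnerable code not present)` for CVE-2017-18202, CVE-2017-18193, CVE-2017-18174 and CVE-2015-9016; a single form keeps the data greppable. For CVE-2015-9016 only a `[wheezy]` line is added, so jessie's status stays implicit where the other hunks spell both suites out.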
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-6412 as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0022e75 by Salvatore Bonaccorso at 2018-03-03T20:55:34+01:00 Mark CVE-2018-6412 as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3707,8 +3707,9 @@ CVE-2018-6414 CVE-2018-6413 RESERVED CVE-2018-6412 (In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c ...) - - linux + - linux (unimportant) NOTE: https://marc.info/?l=linux-fbdev=151734425901499=2 + NOTE: The issue only affects SPARC systems. CVE-2018-6411 RESERVED CVE-2018-6410 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0022e7554a879947c26fd158ba8d6ac27907b9e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0022e7554a879947c26fd158ba8d6ac27907b9e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
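Review bot: no fixed version and no fixing commit are recorded for CVE-2018-6412, only the marc.info thread, even though the added `NOTE: The issue only affects SPARC systems.` justifies the `(unimportant)` marking; the other kernel entries in this file carry a `NOTE: Fixed by: https://git.kernel.org/linus/...` line, so adding one once the patch is merged keeps the entry verifiable.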
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2017-11430: reference the upstream issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74f27354 by Salvatore Bonaccorso at 2018-03-03T16:46:54+01:00 CVE-2017-11430: reference the upstream issue - - - - - bee5644a by Salvatore Bonaccorso at 2018-03-03T16:47:08+01:00 Add bug reference for node-ssri issue Since there is no CVE assigned use a Debian BTS bug as identifier. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,5 +1,5 @@ CVE-2018- [Regular Expression Denial of Service vulnerability in the strict mode functionality] - - node-ssri (unimportant) + - node-ssri (unimportant; bug #891980) NOTE: fixed in 5.2.2 NOTE: https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d NOTE: https://github.com/zkat/ssri/issues/10 @@ -37673,6 +37673,7 @@ CVE-2017-11430 RESERVED - ruby-omniauth-saml NOTE: fixed in 1.10.0 + NOTE: https://github.com/omniauth/omniauth-saml/issues/156 NOTE: https://github.com/omniauth/omniauth-saml/pull/157 NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/26df51fa49ad00cb8e16ca17cc8d7a0e5c3c3231...bee5644a68d44b573910c3c87b267068ca9d20e0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/26df51fa49ad00cb8e16ca17cc8d7a0e5c3c3231...bee5644a68d44b573910c3c87b267068ca9d20e0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
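Review bot: the rationale for `bug #891980` in the first hunk ("Since there is no CVE assigned use a Debian BTS bug as identifier") lives only in the commit message of bee5644a; readers of data/CVE/list see just the bug number, so a short NOTE in the entry itself would carry that context. In the second hunk the new issue link #156 beside pull #157 is fine, but `- ruby-omniauth-saml` still has no Debian fixed version although `NOTE: fixed in 1.10.0` is present.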
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-ssri unimportant, nodejs not covered by security support
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26df51fa by Salvatore Bonaccorso at 2018-03-03T16:37:33+01:00 node-ssri unimportant, nodejs not covered by security support - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,9 +1,10 @@ CVE-2018- [Regular Expression Denial of Service vulnerability in the strict mode functionality] - - node-ssri + - node-ssri (unimportant) NOTE: fixed in 5.2.2 NOTE: https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d NOTE: https://github.com/zkat/ssri/issues/10 NOTE: https://nodesecurity.io/advisories/565 + NOTE: nodejs not covered by security support CVE-2018-1000115 [Insufficient Control of Network Message Volume] - memcached [stretch] - memcached (Minor issue; Debian defaults to listen only on localhost) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26df51fa49ad00cb8e16ca17cc8d7a0e5c3c3231 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26df51fa49ad00cb8e16ca17cc8d7a0e5c3c3231 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18196/leptonlib jessie and wheezy not affected
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 06a9d7f0 by Santiago Ruano Rincón at 2018-03-03T16:18:08+01:00 Add CVE-2017-18196/leptonlib jessie and wheezy not affected Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9933,6 +9933,8 @@ CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which mig NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicated ...) - leptonlib 1.74.4-2 (bug #885704) + [jessie] - leptonlib (Vulnerable code not present) + [wheezy] - leptonlib (Vulnerable code not present) CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...) - leptonlib 1.75.3-3 (bug #891932) [stretch] - leptonlib (Incomplete fix for CVE-2018-3836 not applied) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06a9d7f00b6a4786589c0212fd14f5858567a19d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06a9d7f00b6a4786589c0212fd14f5858567a19d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
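Review bot: the two added lines declare jessie and wheezy unaffected by CVE-2017-18196 without saying which upstream version or commit introduced the pathname construction; the description only gives "Leptonica 1.74.4", so a NOTE naming the introducing change (or the version that was compared) would let the "Vulnerable code not present" claim be re-verified later, the way the debian-lts link on the neighbouring CVE-2018-7441 entry documents that one.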
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] npm serve NFU
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: cb0e8f05 by Paul Wise at 2018-03-03T22:53:16+08:00 npm serve NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10480,6 +10480,12 @@ CVE-2018-3713 RESERVED CVE-2018-3712 RESERVED + NOT-FOR-US: npm serve + NOTE: fixed in 6.4.9 upstream + NOTE: https://github.com/zeit/serve/commit/6adad6881c61991da61ebc857857c53409544575 + NOTE: https://github.com/zeit/serve/pull/316 + NOTE: https://hackerone.com/reports/307666 + NOTE: https://nodesecurity.io/advisories/561 CVE-2018-3711 RESERVED NOT-FOR-US: Fastify View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb0e8f050f340348f702a30ed66b283c96f6f729 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb0e8f050f340348f702a30ed66b283c96f6f729 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
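Review bot: the NOT-FOR-US marking and the four references sit under a bare `CVE-2018-3712 RESERVED`, so the entry still has no human-readable title; this file uses bracketed titles for reserved ids (for example `CVE-2018-3710 [Remote Code Execution Vulnerability in GitLab Projects Import]` in the a2fdb27c context), and one here would make the serve advisory findable by name.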
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] electron details
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 329f9ae1 by Paul Wise at 2018-03-03T22:44:37+08:00 electron details - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5333,6 +5333,9 @@ CVE-2018-5800 RESERVED CVE-2018-106 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, ...) - electron (bug #842420) + NOTE: Linux is not affected + NOTE: https://electronjs.org/blog/protocol-handler-fix + NOTE: https://nodesecurity.io/advisories/563 CVE-2018-5799 RESERVED CVE-2018-5798 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/329f9ae119321fd9f7733528573922d1552b52e2 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/329f9ae119321fd9f7733528573922d1552b52e2 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
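Review bot: the package line stays `- electron (bug #842420)` with no severity even though the added `NOTE: Linux is not affected` says the issue does not apply here, so the tracker still shows electron as affected and open; this file expresses platform-limited issues on the package line, as f0022e75 does for CVE-2018-6412 with `- linux (unimportant)` plus a NOTE about SPARC, and the same treatment would be consistent.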
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] fastify NFU
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: a2fdb27c by Paul Wise at 2018-03-03T22:41:39+08:00 fastify NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10479,6 +10479,11 @@ CVE-2018-3712 RESERVED CVE-2018-3711 RESERVED + NOT-FOR-US: Fastify + NOTE: fixed in 0.38.0 upstream + NOTE: https://github.com/fastify/fastify/commit/fabd2a011f2ffbb877394abe699f549513ffbd76 + NOTE: https://hackerone.com/reports/303632 + NOTE: https://nodesecurity.io/advisories/564 CVE-2018-3710 [Remote Code Execution Vulnerability in GitLab Projects Import] RESERVED - gitlab (bug #888508) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2fdb27cfadd78da7a9ffb1bb8ad746215e41e47 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2fdb27cfadd78da7a9ffb1bb8ad746215e41e47 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-ssri ReDoS
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e4f7bfa by Paul Wise at 2018-03-03T22:38:19+08:00 node-ssri ReDoS - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,9 @@ +CVE-2018- [Regular Expression Denial of Service vulnerability in the strict mode functionality] + - node-ssri + NOTE: fixed in 5.2.2 + NOTE: https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d + NOTE: https://github.com/zkat/ssri/issues/10 + NOTE: https://nodesecurity.io/advisories/565 CVE-2018-1000115 [Insufficient Control of Network Message Volume] - memcached [stretch] - memcached (Minor issue; Debian defaults to listen only on localhost) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e4f7bfaaba71994cddc64ad3ecb0927713365dd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e4f7bfaaba71994cddc64ad3ecb0927713365dd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
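Review bot: `- node-ssri` is added with no severity, fixed version or bug reference and without the `NOTE: nodejs not covered by security support` line that the node-hoek entry in 48cc46ca carries, so the entry shows as an open, unrated issue in every suite. (The follow-up commits 26df51fa and bee5644a on this list add the severity, that note and `bug #891980`.)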
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-hoek more details
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 48cc46ca by Paul Wise at 2018-03-03T22:32:27+08:00 node-hoek more details - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10429,7 +10429,11 @@ CVE-2018-3729 CVE-2018-3728 [Prototype pollution in utilities function] RESERVED - node-hoek (unimportant) + NOTE: fixed in 4.2.1 + NOTE: https://github.com/hapijs/hoek/issues/230 + NOTE: https://hackerone.com/reports/310439 NOTE: https://snyk.io/vuln/npm:hoek:20180212 + NOTE: https://nodesecurity.io/advisories/566 NOTE: nodejs not covered by security support CVE-2018-3727 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48cc46caf3f94df16212e65760e200a6f4fa7354 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48cc46caf3f94df16212e65760e200a6f4fa7354 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
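Review bot: `NOTE: fixed in 4.2.1` omits the word "upstream" that the other entries added the same day use (`NOTE: fixed in 2.19.3 upstream`, `NOTE: fixed in 6.4.9 upstream`), and since the package line `- node-hoek (unimportant)` carries no Debian version, a reader could take 4.2.1 for a Debian fixed version; consistent wording avoids that.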
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] SAML NFU
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: 18a003d7 by Paul Wise at 2018-03-03T22:24:27+08:00 SAML NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -916,6 +916,10 @@ CVE-2017-6927 (Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2018-7338 RESERVED + NOT-FOR-US: Duo Network Gateway + NOTE: https://duo.com/labs/psa/duo-psa-2017-003 + NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations + NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2018-7337 (In Wireshark 2.4.0 to 2.4.4, the DOCSIS protocol dissector could crash. ...) - wireshark 2.4.5-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14446 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a003d799e9dfe75b1c143d51c190828b4dbe4f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a003d799e9dfe75b1c143d51c190828b4dbe4f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] SAML vulns
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker Commits: bd5dbfd6 by Paul Wise at 2018-03-03T22:18:18+08:00 SAML vulns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -19748,6 +19748,8 @@ CVE-2018-0489 (Shibboleth XMLTooling-C before 1.6.4, as used in Shibboleth Servi - xmltooling 1.6.4-1 NOTE: https://shibboleth.net/community/advisories/secadv_20180227.txt NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-128 + NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations + NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the ...) - mbedtls 2.7.0-2 (bug #890287) - polarssl 
@@ -37638,12 +37640,28 @@ CVE-2017-11431 RESERVED CVE-2017-11430 RESERVED + - ruby-omniauth-saml + NOTE: fixed in 1.10.0 + NOTE: https://github.com/omniauth/omniauth-saml/pull/157 + NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations + NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11429 RESERVED + NOT-FOR-US: Clever saml2-js + NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations + NOTE: https://nodesecurity.io/advisories/567 + NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11428 RESERVED + - ruby-saml + NOTE: fixed in 1.7.0 + NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations + NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11427 RESERVED + NOT-FOR-US: OneLogin python-saml + NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations + NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11426 RESERVED CVE-2017-11425 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bd5dbfd67418cbd6cf4c5a539f34fb476db0020b
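Review bot: in this hunk the ruby-omniauth-saml and ruby-saml package lines carry neither a Debian fixed version nor a '(bug #...)' reference, although the NOTE lines already record the upstream fixes (1.10.0 and 1.7.0); add the Debian bug numbers now so the unstable status is trackable, and fill in the fixed versions once the uploads land. The four CVE lines also remain bare RESERVED while gaining package or NOT-FOR-US markers; the file's convention for a reserved ID with a known issue is a bracketed short description on the CVE line, as the CVE-2018-5732/5733 entries in this same series show.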
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-7559, undertow: Link to patch, correct upstream bug
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f4fdf50 by Markus Koschany at 2018-03-03T15:13:04+01:00 CVE-2017-7559,undertow: Link to patch, correct upstream bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -49577,9 +49577,10 @@ CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, a - undertow 1.4.23-1 (bug #885576) NOTE: CVE is for an incomplete fix of CVE-2017-2666 NOTE: Invalid characters were still allowed in the query string and path parameters. - NOTE: https://issues.jboss.org/browse/UNDERTOW-1251 + NOTE: https://issues.jboss.org/browse/UNDERTOW-1165 NOTE: https://issues.jboss.org/browse/UNDERTOW-1295 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7 + NOTE: Fixed by https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info()] RESERVED - linux 4.12.13-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f4fdf50ae76103622200a2b20b412c686b4692f
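Review bot: the hunk swaps UNDERTOW-1251 for UNDERTOW-1165 and adds the fix commit, but nothing says which of the two remaining JBoss issues (UNDERTOW-1165 or UNDERTOW-1295) commit 3436b03 resolves, and the incomplete-fix chain from CVE-2017-2666 is exactly where that matters for anyone backporting; suggest writing the pairing into the NOTE, e.g. 'NOTE: Fixed by <commit> (UNDERTOW-1165)' if that is the right ticket. If UNDERTOW-1251 was merely a related issue rather than a wrong reference, keep it with a qualifier instead of dropping it.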
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1048, undertow: Link to patch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d2e99abf by Markus Koschany at 2018-03-03T15:00:02+01:00 CVE-2018-1048,undertow: Link to patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17798,6 +17798,7 @@ CVE-2018-1048 (It was found that the AJP connector in undertow, as shipped in Jb - undertow 1.4.22-1 (bug #891928) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343 NOTE: https://issues.jboss.org/browse/UNDERTOW-1245 + NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5 CVE-2018-1047 (A flaw was found in Wildfly 9.x. A path traversal vulnerability ...) - undertow (bug #891929) NOTE: https://issues.jboss.org/browse/WFLY-9620 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2e99abf4a243bb38becda8f5a5a58731efaf622
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add reference for CVE-2017-3144
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 055034a2 by Salvatore Bonaccorso at 2018-03-03T14:44:45+01:00 Add reference for CVE-2017-3144 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -63516,6 +63516,7 @@ CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty messa [jessie] - isc-dhcp (Minor issue) [wheezy] - isc-dhcp (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918 + NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=46767 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic updates] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/055034a2134fc64199cc9eaab2a7ca26029295c3
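Review bot: the added bugs.isc.org reference is useful, but the 'Fixes for 4.3.6p1' NOTE here points at the same commit 99a25aed that is cited under both CVE-2018-5732 and CVE-2018-5733 in the follow-up commit; if 4.3.6-P1 bundles all three fixes in one commit that is correct, but a word to that effect in the NOTE ('combined 4.3.6-P1 commit covering CVE-2017-3144, CVE-2018-5732, CVE-2018-5733') would stop it looking like a copy-paste slip.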
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Correct references to commits for isc-dhcp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4a8548a by Salvatore Bonaccorso at 2018-03-03T14:40:27+01:00 Correct references to commits for isc-dhcp While triaging I swapped the two commits, and wrongly associated the one for CVE-2018-5732 with CVE-2018-5733 and vice versa. Reference the (yet) non-public bug reports. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list
@@ -5566,13 +5566,15 @@ CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] RESERVED - isc-dhcp (bug #891785) NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 - NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=c5931725b48b121d232df4ba9e45bc41e0ba114d (4.4.1) + NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47140 + NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=197b26f25309f947b97a83b8fdfc414b767798f8 (4.4.1) NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2018-5732 [A specially constructed response from a malicious server can cause a buffer overflow in dhclient] RESERVED - isc-dhcp (bug #891786) NOTE: https://kb.isc.org/article/AA-01565/75/CVE-2018-5732 - NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=197b26f25309f947b97a83b8fdfc414b767798f8 (4.4.1) + NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47139 + NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=c5931725b48b121d232df4ba9e45bc41e0ba114d (4.4.1) NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2018-105 (libcurl 7.49.0 to and including 7.57.0 contains an out bounds read in ...) - curl 7.58.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4a8548afc2e821a79e68cb21177d5fa5b42cd2d
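Review bot: the commit message says the two bugs.isc.org reports are not yet public, but the new NOTE lines do not; annotate them (e.g. 'NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47140 (not yet public)') so a triager who gets an access error does not treat the reference as dead and remove it. Since this is the second attempt at pairing the two 4.4.1 commits with their CVEs and the only check available is the AA-01565/AA-01567 articles, a second reviewer should confirm that 197b26f2 is the dhcpd reference-counter fix (CVE-2018-5733) and c5931725 the dhclient buffer-overflow fix (CVE-2018-5732) before this propagates into DSA text.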
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for glibc issues now that 2.27-1 entered unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c236712 by Salvatore Bonaccorso at 2018-03-03T14:17:50+01:00 Add fixed version for glibc issues now that 2.27-1 entered unstable Exceptionally keep the experimental tagged entry, but that's not really needed as we only track unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3236,7 +3236,7 @@ CVE-2018-6552 RESERVED CVE-2018-6551 (The malloc implementation in the GNU C Library (aka glibc or libc6), ...) [experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0 - - glibc + - glibc 2.27-1 [stretch] - glibc (Minor issue) [jessie] - glibc (Issue introduced in 2.24, 2.26 only for i386) - eglibc (Issue introduced in 2.24 for powerpc, 2.26 only for i386) @@ -3536,7 +3536,7 @@ CVE-2017-18080 (The saveConfigureSecurity resource in Atlassian Bamboo before ve NOT-FOR-US: Atlassian Bamboo CVE-2018-6485 (An integer overflow in the implementation of the posix_memalign in ...) [experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0 - - glibc (bug #878159) + - glibc 2.27-1 (bug #878159) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c236712e04dfbe2a55baa5c8c0b69b242593eb5
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-7262
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8853f6c0 by Salvatore Bonaccorso at 2018-03-03T11:31:23+01:00 Add bug reference for CVE-2018-7262 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1297,7 +1297,7 @@ CVE-2018-7263 (The mad_decoder_run() function in decoder.c in Underbit libmad th TODO: clarify with MITRE why this CVE was additionally assigned CVE-2018-7262 [Malformed HTTP requests handled in rgw_civetweb.cc:RGW::init_env() can lead to NULL pointer dereference] RESERVED - - ceph + - ceph (bug #891963) NOTE: Original pull request: https://github.com/ceph/ceph/pull/20403 NOTE: Superseeded by: https://github.com/ceph/ceph/pull/20488 CVE-2018-7261 (There are multiple Persistent XSS vulnerabilities in Radiant CMS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8853f6c07cc6a8e50280018619df58dd99c1cbb4
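Review bot: while touching this entry, fix the typo in the context line 'NOTE: Superseeded by:' (should read 'Superseded by:'). The bug reference itself is the only change and needs nothing else.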
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9aafce9 by Salvatore Bonaccorso at 2018-03-03T10:25:14+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -652,7 +652,7 @@ CVE-2018-7443 (The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7- CVE-2018-7434 (zzcms 8.2 allows remote attackers to discover the full path via a ...) NOT-FOR-US: zzcms CVE-2018-7433 (The iThemes Security plugin before 6.9.1 for WordPress does not ...) - TODO: check + NOT-FOR-US: iThemes Security plugin for WordPress CVE-2018-7432 RESERVED CVE-2018-7431 @@ -3445,7 +3445,7 @@ CVE-2018-6492 CVE-2018-6491 RESERVED CVE-2018-6490 (Denial of Service vulnerability in Micro Focus Operations ...) - TODO: check + NOT-FOR-US: Micro Focus Operations Orchestration Software CVE-2018-6489 (XML External Entity (XXE) vulnerability in Micro Focus Project and ...) NOT-FOR-US: Micro Focus Project and Portfolio Management Center CVE-2018-6488 (Arbitrary Code Execution vulnerability in Micro Focus Universal CMDB, ...) @@ -16166,7 +16166,7 @@ CVE-2018-1375 CVE-2018-1374 RESERVED CVE-2018-1373 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an ...) - TODO: check + NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1372 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not ...) NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2018-1371 @@ -17404,9 +17404,9 @@ CVE-2018-1172 CVE-2018-1171 RESERVED CVE-2018-1170 (This vulnerability allows adjacent attackers to inject arbitrary ...) - TODO: check + NOT-FOR-US: Volkswagen Customer-Link App and HTC Customer-Link Bridge CVE-2018-1169 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Amazon Music Player CVE-2018-1168 (This vulnerability allows local attackers to escalate privileges on ...) NOT-FOR-US: ABB MicroSCADA CVE-2018-1167 
@@ -43390,7 +43390,7 @@ CVE-2017-9461 (smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial o NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=10c3e3923022485c720f322ca4f0aca5d7501310 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=12572 CVE-2017-9447 (In the web interface of Parallels Remote Application Server (RAS) 15.5 ...) - TODO: check + NOT-FOR-US: Parallels Remote Application Server CVE-2017-9446 RESERVED CVE-2017-9445 (In systemd through 233, certain sizes passed to dns_packet_new in ...) @@ -44074,7 +44074,7 @@ CVE-2017-9289 (Bram Korsten Note through 1.2.0 is vulnerable to a reflected XSS CVE-2017-9288 (The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected ...) NOT-FOR-US: Wordpress plugin CVE-2017-9286 (The packaging of NextCloud in openSUSE used /srv/www/htdocs in an ...) - TODO: check + NOT-FOR-US: OpenSUSE specific packaging issue of NextCloud CVE-2017-9285 (NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions ...) TODO: check CVE-2017-9284 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9aafce95043d585c9b51e09509c12e551af5ddc
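Review bot: CVE-2017-9285 (NetIQ eDirectory) sits directly under the processed CVE-2017-9286 and is left at 'TODO: check' although it is the same kind of proprietary product being marked NOT-FOR-US throughout this commit; it could be resolved in the same pass rather than left for another round. Style: the project spells its name 'openSUSE' (the CVE description itself does), so the new marker should read 'NOT-FOR-US: openSUSE specific packaging issue of NextCloud'.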
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-7440/leptonlib as fixed with unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 620f9687 by Salvatore Bonaccorso at 2018-03-03T10:12:58+01:00 Mark CVE-2018-7440/leptonlib as fixed with unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9919,7 +9919,7 @@ CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which mig CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicated ...) - leptonlib 1.74.4-2 (bug #885704) CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...) - - leptonlib (bug #891932) + - leptonlib 1.75.3-3 (bug #891932) [stretch] - leptonlib (Incomplete fix for CVE-2018-3836 not applied) [jessie] - leptonlib (Incomplete fix for CVE-2018-3836 not applied) NOTE: https://github.com/DanBloomberg/leptonica/issues/303#issuecomment-366472212 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/620f9687ebca1d29baec7954d03f22ebd18e55df
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee853802 by security tracker role at 2018-03-03T09:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26430,6 +26430,7 @@ CVE-2017-15133 (A denial of service flaw was found in miekg-dns before 1.0.4. A NOTE: https://github.com/miekg/dns/issues/627 NOTE: https://github.com/miekg/dns/pull/631 CVE-2017-15132 (A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of ...) + {DSA-4130-1} - dovecot 1:2.2.34-1 (bug #888432) NOTE: Fixed by: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch NOTE: Regression fix needed on top: https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22 @@ -26447,6 +26448,7 @@ CVE-2017-15131 (It was found that system umask policy is not being honored when NOTE: Enforcements can be achieved e.g. by using pam_umask. NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303 CVE-2017-15130 (A denial of service flaw was found in dovecot before 2.2.34. An ...) + {DSA-4130-1} - dovecot 1:2.2.34-1 (bug #891820) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391 @@ -28711,6 +28713,7 @@ CVE-2017-14463 CVE-2017-14462 RESERVED CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to Dovecot ...) + {DSA-4130-1} - dovecot 1:2.2.34-1 (bug #891819) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4 
@@ -67215,7 +67218,7 @@ CVE-2017-1656 RESERVED CVE-2017-1655 RESERVED -CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2,0 - 4.2.3 could allow a local ...) +CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2.0 - 4.2.3 could allow a local ...) TODO: check CVE-2017-1653 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management ...) NOT-FOR-US: IBM Jazz Foundation @@ -104222,20 +104225,20 @@ CVE-2015-7969 (Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest NOTE: http://xenbits.xen.org/xsa/advisory-151.html CVE-2015-7968 RESERVED -CVE-2015-7967 - RESERVED -CVE-2015-7966 - RESERVED -CVE-2015-7965 - RESERVED -CVE-2015-7964 - RESERVED -CVE-2015-7963 - RESERVED -CVE-2015-7962 - RESERVED -CVE-2015-7961 - RESERVED +CVE-2015-7967 (SafeNet Authentication Service for Citrix Web Interface Agent uses a ...) + TODO: check +CVE-2015-7966 (SafeNet Authentication Service Windows Logon Agent uses a weak ACL for ...) + TODO: check +CVE-2015-7965 (SafeNet Authentication Service Windows Logon Agent uses a weak ACL for ...) + TODO: check +CVE-2015-7964 (SafeNet Authentication Service for NPS Agent uses a weak ACL for ...) + TODO: check +CVE-2015-7963 (SafeNet Authentication Service for AD FS Agent uses a weak ACL for ...) + TODO: check +CVE-2015-7962 (SafeNet Authentication Service for Outlook Web App Agent uses a weak ...) + TODO: check +CVE-2015-7961 (SafeNet Authentication Service Remote Web Workplace Agent uses a weak ...) + TODO: check CVE-2015-7960 REJECTED CVE-2015-7959 
@@ -105360,12 +105363,12 @@ CVE-2015-7600 (Cisco VPN Client 5.x through 5.0.07.0440 uses weak permissions fo NOT-FOR-US: Cisco VPN Client CVE-2015-7599 (Integer overflow in the _authenticate function in svc_auth.c in Wind ...) NOT-FOR-US: Wind River VxWorks -CVE-2015-7598 - RESERVED -CVE-2015-7597 - RESERVED -CVE-2015-7596 - RESERVED +CVE-2015-7598 (SafeNet Authentication Service TokenValidator Proxy Agent uses a weak ...) + TODO: check +CVE-2015-7597 (SafeNet Authentication Service IIS Agent uses a weak ACL for ...) + TODO: check +CVE-2015-7596 (SafeNet Authentication Service End User Software Tools for Windows ...) + TODO: check CVE-2015-7595 REJECTED CVE-2015-7594 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee8538023be193789f1e59f56223f15f716d202d
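Review bot: the ten SafeNet Authentication Service entries moved from RESERVED to 'TODO: check' in this automatic update (CVE-2015-7596 to CVE-2015-7598 and CVE-2015-7961 to CVE-2015-7967) all describe weak ACLs on Windows-side agents and can be triaged as one batch rather than ten separate checks. The dovecot hunks add {DSA-4130-1} to exactly the three CVEs the DSA entry lists (CVE-2017-14461, CVE-2017-15130, CVE-2017-15132), which is correct; the CVE-2017-1654 edit only repairs the '4.2,0' typo to '4.2.0'.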
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DSA for linux regression update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 001e81a6 by Salvatore Bonaccorso at 2018-03-03T09:25:42+01:00 Reserve DSA for linux regression update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,5 @@ +[03 Mar 2018] DSA-4120-2 linux - regression update + [stretch] - linux 4.9.82-1+deb9u3 [02 Mar 2018] DSA-4130-1 dovecot - security update {CVE-2017-14461 CVE-2017-15130 CVE-2017-15132} [jessie] - dovecot 1:2.2.13-12~deb8u4 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -43,7 +43,7 @@ libmad -- libvpx -- -linux (carnil) +linux Wait until more issues have piled up -- mbedtls (seb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/001e81a682d405dadfebce33abd3c5c20d6c6aff
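Review bot: the DSA-4120-2 entry is recorded without a CVE list, which is correct for a regression update. In the dsa-needed.txt hunk the claim '(carnil)' is dropped but the comment 'Wait until more issues have piled up' stays, so the linux entry now reads as unclaimed and waiting; confirm that is intended (claim released after the regression upload) rather than a stale line, and if so a short note there saves the next person who picks it up from asking.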
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000115/memcached
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b706d7fb by Salvatore Bonaccorso at 2018-03-03T09:02:37+01:00 Add CVE-2018-1000115/memcached - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,13 @@ +CVE-2018-1000115 [Insufficient Control of Network Message Volume] + - memcached + [stretch] - memcached (Minor issue; Debian defaults to listen only on localhost) + [jessie] - memcached (Minor issue; Debian defaults to listen only on localhost) + NOTE: Upstream 1.5.6 disables by default the UDP protocol + NOTE: https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974 + NOTE: Documentation in memcached's config files clearly mentions the + NOTE: issues: "Specify which IP address to listen on. The default + NOTE: (upstream) is to listen on all IP addresses. [...] so make sure + NOTE: it's listening on a firewalled interface." CVE-2018-7650 RESERVED CVE-2018-7649 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b706d7fb309b2176e399b26f76c6c44de34dc98a
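Review bot: the unstable line '- memcached' has no '(bug #...)' reference and no fixed version, even though the NOTE identifies upstream 1.5.6 as the release that disables UDP by default; cite the Debian bug now and add the fixed version once a 1.5.6 or patched upload reaches unstable. The bracketed title 'Insufficient Control of Network Message Volume' is a weakness category rather than a description of this issue; a short description naming the UDP exposure the 1.5.6 note implies would serve readers of the list better. The four-line quoted config comment could be condensed to one NOTE stating the point (upstream default listens on all addresses, Debian's shipped config restricts it to localhost), which is the rationale the stretch and jessie lines already rely on.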