[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-7651 assigned

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a208b668 by Salvatore Bonaccorso at 2018-03-04T08:47:13+01:00
CVE-2018-7651 assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -6,7 +6,7 @@ CVE-2018- [Regular Expression Denial of Service]
NOTE: https://github.com/moment/moment/issues/4163
NOTE: https://nodesecurity.io/advisories/532
NOTE: nodejs not covered by security support
-CVE-2018- [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
+CVE-2018-7651 [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
- node-ssri  (unimportant; bug #891980)
NOTE: fixed in 5.2.2
NOTE: 
https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d
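Review bot: the newly assigned CVE-2018-7651 keeps its bracketed placeholder description, which is the right convention for a CVE that is not yet public; the automated CVE import will replace the brackets with MITRE's parenthesised description once it is published. One follow-up: the node-moment ReDoS entry at the top of this hunk is still listed as CVE-2018-, so if a CVE was requested for that issue as well it will need the same treatment.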



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a208b668759ed42fbc90802f08ad2e52eada417d

You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mariadb-10.2 removed from the archive

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5901229 by Salvatore Bonaccorso at 2018-03-04T08:46:10+01:00
mariadb-10.2 removed from the archive

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -25800,7 +25800,7 @@ CVE-2017-15367
 CVE-2017-15366 (Before Thornberry NDoc version 8.0, laptop clients and the 
server have ...)
NOT-FOR-US: Thornberry NDoc
 CVE-2017-15365 (sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x 
before ...)
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mariadb-10.1  (bug #885345)
[stretch] - mariadb-10.1  (Minor issue)
- mariadb-10.0 
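Review bot: as rendered in this mail the removed and added lines of this hunk are identical ('-   - mariadb-10.2  (bug #884065)' versus '+   - mariadb-10.2  (bug #884065)'), so the actual edit is not visible. The double space between the package name and the bug reference is where the other entries in this file carry a version or status token (compare '- mariadb-10.1 10.1.29-1' further down), so that token was most likely dropped by the mail rendering. The commit message says mariadb-10.2 was removed from the archive; anyone auditing the change should look at the commit on salsa rather than at this mail. The same applies to every remaining hunk of this commit.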
@@ -41246,7 +41246,7 @@ CVE-2017-10385 (Vulnerability in the Oracle GlassFish 
Server component of Oracle
- glassfish  (Vulnerable code not included, see bug 
#853998)
 CVE-2017-10384 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
{DSA-4002-1 DLA-1141-1}
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (bug #878402)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
@@ -41260,13 +41260,13 @@ CVE-2017-10380 (Vulnerability in the Java Advanced 
Management Console component 
NOT-FOR-US: Java Advanced Management Console
 CVE-2017-10379 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
{DSA-4002-1 DLA-1141-1}
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (bug #878402)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
 CVE-2017-10378 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
{DSA-4002-1 DLA-1141-1}
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mariadb-10.1 10.1.29-1
[stretch] - mariadb-10.1  (Minor issue)
- mariadb-10.0 
@@ -41301,7 +41301,7 @@ CVE-2017-10367 (Vulnerability in the Oracle Hospitality 
Simphony component of Or
 CVE-2017-10366 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools 
component of ...)
NOT-FOR-US: Oracle
 CVE-2017-10365 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
@@ -41446,7 +41446,7 @@ CVE-2017-10322 (Vulnerability in the Oracle Common 
Applications Calendar compone
 CVE-2017-10321 (Vulnerability in the Core RDBMS component of Oracle Database 
Server. ...)
NOT-FOR-US: Oracle
 CVE-2017-10320 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
@@ -41536,7 +41536,7 @@ CVE-2017-10288
 CVE-2017-10287 (Vulnerability in the PeopleSoft Enterprise FSCM component of 
Oracle ...)
NOT-FOR-US: Oracle
 CVE-2017-10286 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mysql-5.7 5.7.20-1 (bug #878398)
- mysql-5.5  (Only affects MySQL 5.6 and 5.7)
NOTE: 
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
@@ -41605,7 +41605,7 @@ CVE-2017-10269 (Vulnerability in the Oracle Tuxedo 
component of Oracle Fusion ..
NOT-FOR-US: Oracle
 CVE-2017-10268 (Vulnerability in the MySQL Server component of Oracle MySQL 
...)
{DSA-4002-1 DLA-1141-1}
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mariadb-10.1 10.1.29-1
[stretch] - mariadb-10.1  (Minor issue)
- mariadb-10.0 
@@ -62088,7 +62088,7 @@ CVE-2017-3654
RESERVED
 CVE-2017-3653 (Vulnerability in the MySQL Server component of Oracle MySQL ...)
{DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1}
-   - mariadb-10.2  (bug #884065)
+   - mariadb-10.2  (bug #884065)
- mariadb-10.1 10.1.26-1
- mariadb-10.0 
- mysql-5.7 5.7.20-1 (bug #868798)
@@ -62131,7 +62131,7 @@ CVE-2017-3642 (Vulnerability in the MySQL Server 
component of Oracle MySQL ...)
- mysql-5.5  (Only affects MySQL 5.7)
 CVE-2017-3641 (Vulnerability in the MySQL Server component of Oracle MySQL ...)
{DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1}
-   - mariadb-10.2  

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update CVE-2017-18174 information

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1bf89d19 by Salvatore Bonaccorso at 2018-03-04T08:35:17+01:00
Update CVE-2017-18174 information

Rationale: in kernel-sec the conclusion was that the double-free issue
is only introduced within the 4.11 release cycle and fixed in the same
release cycle, but not affecting 4.7 version.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2950,11 +2950,8 @@ CVE-2018-141 (GNOME librsvg version before commit 
...)
NOTE: Merge of changes: 
https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea
NOTE: 
https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0
 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function 
in ...)
-   - linux 4.11.6-1
-   [stretch] - linux  (Issue introduced later)
-   [jessie] - linux  (Vulnerable code not present)
-   [wheezy] - linux  (Vulnerable code not present)
-   NOTE: Fixed by: 
https://git.kernel.org/linus/8dca4a41f1ad65043a78c2338d9725f859c8d2c3
+   - linux  (Vulnerable code not present)
+   NOTE: double-free introduced and fixed in the 4.11 release cycle
 CVE-2017-18173
RESERVED
 CVE-2017-18172
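Review bot: the entry now reads 'linux (Vulnerable code not present)' while the CVE description still says 'In the Linux kernel before 4.7', which a later triager is likely to read as contradicting the new state. The NOTE explains that the double-free was introduced and fixed within the 4.11 cycle, but the same hunk drops the 'Fixed by' reference to https://git.kernel.org/linus/8dca4a41f1ad65043a78c2338d9725f859c8d2c3; keeping that commit URL next to the rationale would make the conclusion auditable without having to reconstruct it from kernel-sec.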



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf89d19610a22b25b82f42d3acb6d2e21577e5e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] correct note timestamp in dla-needed

2018-03-03 Thread Abhijith PA
Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4568bb36 by Abhijith PA at 2018-03-04T10:55:00+05:30
 correct note timestamp in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -104,4 +104,4 @@ wordpress
 xen
 --
 zsh (Abhijith PA)
-  NOTE: 20180218: Upstream repository is temporarily offline (abhijith)
+  NOTE: 20180303: Upstream repository is temporarily offline (abhijith)
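Review bot: only the date prefix of the NOTE changes (20180218 to 20180303); the text 'Upstream repository is temporarily offline' is unchanged, so a reader cannot tell what was re-checked. Recording the repository URL that was tried would let the next person working on dla-needed re-check it directly instead of rediscovering it.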



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4568bb3609b96f8583a8b779354913f6800a2edf


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-moment: old ReDoS: fixed

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9622c154 by Paul Wise at 2018-03-04T06:44:55+08:00
node-moment: old ReDoS: fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -93613,7 +93613,7 @@ CVE-2016- [remote memory disclosure]
NOTE: https://nodesecurity.io/advisories/67
NOTE: nodejs not covered by security support
 CVE-2016- [regular expression DoS]
-   - node-moment  (unimportant)
+   - node-moment 2.13.0+ds-1 (unimportant)
NOTE: fixed in 2.11.2
NOTE: https://github.com/moment/moment/pull/2939
NOTE: https://nodesecurity.io/advisories/55
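Review bot: the fixed Debian version is set to 2.13.0+ds-1 while the NOTE says the upstream fix landed in 2.11.2. That is correct if 2.13.0+ds-1 was the first Debian upload containing the fix, but a short NOTE saying so would stop someone from later 'correcting' it to a 2.11.x version that was never uploaded. The neighbouring entry carries 'nodejs not covered by security support' and this one does not; if that is the reason for the unimportant rating here too, add the same line for consistency.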



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9622c1546d3e2b6ce8223eb8d9b8595b88f6ff9f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-moment ReDoS

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
591358c2 by Paul Wise at 2018-03-04T06:43:20+08:00
node-moment ReDoS

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,11 @@
+CVE-2018- [Regular Expression Denial of Service]
+   - node-moment 2.19.3+ds-1 (unimportant)
+   NOTE: fixed in 2.19.3 upstream
+   NOTE: 
https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb
+   NOTE: https://github.com/moment/moment/pull/4326
+   NOTE: https://github.com/moment/moment/issues/4163
+   NOTE: https://nodesecurity.io/advisories/532
+   NOTE: nodejs not covered by security support
 CVE-2018- [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
- node-ssri  (unimportant; bug #891980)
NOTE: fixed in 5.2.2
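Review bot: the new node-moment entry is complete (fix commit, pull request, issue and advisory) and the unimportant rating is justified inline by the 'nodejs not covered by security support' note. The only open item is the CVE-2018- placeholder: since nodesecurity advisory 532 exists, check whether a CVE was requested for this issue so the identifier can be filled in.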



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/591358c2b69ef3cfe19e46e1db9bdb472925ccb6


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Fixup state for CVE-2017-18174 with kernel-sec

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2d540fd3 by Salvatore Bonaccorso at 2018-03-03T21:02:55+01:00
Fixup state for CVE-2017-18174 with kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2942,10 +2942,11 @@ CVE-2018-141 (GNOME librsvg version before commit 
...)
NOTE: Merge of changes: 
https://github.com/GNOME/librsvg/commit/c6ddf2ed4d768fd88adbea2b63f575cd523022ea
NOTE: 
https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0
 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function 
in ...)
-   - linux 4.7.2-1
+   - linux 4.11.6-1
+   [stretch] - linux  (Issue introduced later)
[jessie] - linux  (Vulnerable code not present)
[wheezy] - linux  (Vulnerable code not present)
-   NOTE: Fixed by: 
https://git.kernel.org/linus/251e22abde21833b3d29577e4d8c7aaccd650eee
+   NOTE: Fixed by: 
https://git.kernel.org/linus/8dca4a41f1ad65043a78c2338d9725f859c8d2c3
 CVE-2017-18173
RESERVED
 CVE-2017-18172
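Review bot: the fixed version moves from 4.7.2-1 to 4.11.6-1 and the 'Fixed by' reference changes from 251e22abde21833b3d29577e4d8c7aaccd650eee to 8dca4a41f1ad65043a78c2338d9725f859c8d2c3, but nothing in the hunk says why the first commit is no longer considered the fix. A NOTE naming both commits and their role would avoid the next triager re-adding the original reference, especially since the CVE description ('before 4.7') still matches the older commit's timeframe. The added '[stretch] - linux (Issue introduced later)' line is consistent with a 4.11 fix and a 4.9-based stretch.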



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2d540fd3cca58f50c2b5f2496657bfe687c7f09e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Sync various issues with kernel-sec triage from benh

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86548e12 by Salvatore Bonaccorso at 2018-03-03T21:00:17+01:00
Sync various issues with kernel-sec triage from benh

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -475,6 +475,8 @@ CVE-2018-7493
 CVE-2017-18204 (The ocfs2_setattr function in fs/ocfs2/file.c in the Linux 
kernel ...)
- linux 4.14.2-1
[stretch] - linux 4.9.65-1
+   [jessie] - linux  (Vulnerable code introduced later)
+   [wheezy] - linux  (Vulnerable code introduced later)
NOTE: Fixed by: 
https://git.kernel.org/linus/28f5a8a7c033cbf3e32277f4cc9c6afd74f05300
 CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the 
Linux kernel ...)
- linux 4.14.7-1
@@ -483,6 +485,8 @@ CVE-2017-18203 (The dm_get_from_kobject function in 
drivers/md/dm.c in the Linux
 CVE-2017-18202 (The __oom_reap_task_mm function in mm/oom_kill.c in the Linux 
kernel ...)
- linux 4.14.7-1
[stretch] - linux 4.9.80-1
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/687cb0884a714ff484d038e9190edc874edcf146
 CVE-2018-7492 (A NULL pointer dereference was found in the net/rds/rdma.c ...)
- linux 4.14.7-1
@@ -545,6 +549,8 @@ CVE-2018-7481
RESERVED
 CVE-2018-7480 (The blkcg_init_queue function in block/blk-cgroup.c in the 
Linux ...)
- linux 4.11.6-1
+   [jessie] - linux  (Issue introduced later)
+   [wheezy] - linux  (Issue introduced later)
NOTE: Fixed by: 
https://git.kernel.org/linus/9b54d816e00425c3a517514e0d677bb3cec49258
 CVE-2018-7479 (YzmCMS 3.6 allows remote attackers to discover the full path 
via a ...)
NOT-FOR-US: YzmCMS
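Review bot: CVE-2018-7480 gets '[jessie]' and '[wheezy]' lines marked 'Issue introduced later', but stretch (4.9-based) gets no line even though the fixed version is 4.11.6-1. If the issue was introduced after 4.9 the same annotation should cover stretch; otherwise stretch is left as affected and unfixed, and a [stretch] line should say so explicitly.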
@@ -903,6 +909,8 @@ CVE-2017-18194 (SQL injection vulnerability in 
users/signup.php in the sig
NOT-FOR-US: HamayeshNegar CMS
 CVE-2017-18193 (fs/f2fs/extent_cache.c in the Linux kernel before 4.13 
mishandles ...)
- linux 4.13.4-1
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/dad48e73127ba10279ea33e6dbc8d3905c4d31c0
 CVE-2017-6932 (Drupal core 7.x versions before 7.57 has an external link 
injection ...)
{DSA-4123-1 DLA-1295-1}
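Review bot: CVE-2017-18193 is described as 'before 4.13' and fixed in 4.13.4-1, with jessie and wheezy marked 'Vulnerable code not present'; stretch (4.9) has no annotation, so the tracker will list it as affected and unfixed. Either a [stretch] line (a fixed version, or a 'Minor issue' note) or a NOTE explaining why 4.9 is not affected is needed.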
@@ -1276,7 +1284,7 @@ CVE-2018-7275
 CVE-2018-7274 (Yab Quarx through 2.4.3 is prone to multiple persistent 
cross-site ...)
NOT-FOR-US: Yab Quarx
 CVE-2018-7273 (In the Linux kernel through 4.15.4, the floppy driver reveals 
the ...)
-   - linux 
+   - linux 4.15.4-1
NOTE: https://lkml.org/lkml/2018/2/20/669
 CVE-2018-7272 (The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs 
as part ...)
NOT-FOR-US: ForgeRock AM
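Review bot: CVE-2018-7273 is described as affecting the kernel 'through 4.15.4', yet the fixed version is set to 4.15.4-1. That is only right if Debian's 4.15.4-1 upload already carries the patch; otherwise the first fixed version is a later upload. Either way a 'Fixed by' NOTE pointing at the fixing commit would make the version choice checkable; the existing reference https://lkml.org/lkml/2018/2/20/669 is a discussion thread, not a fix reference.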
@@ -2935,6 +2943,8 @@ CVE-2018-141 (GNOME librsvg version before commit ...)
NOTE: 
https://github.com/GNOME/librsvg/commit/4de19d9fdddf81773125b04a4defe1ffd0d3bfe0
 CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function 
in ...)
- linux 4.7.2-1
+   [jessie] - linux  (Vulnerable code not present)
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/251e22abde21833b3d29577e4d8c7aaccd650eee
 CVE-2017-18173
RESERVED
@@ -50709,6 +50719,7 @@ CVE-2015-9017
 CVE-2015-9016 [blk-mq: fix race between timeout and freeing request]
RESERVED
- linux 4.2.3-1
+   [wheezy] - linux  (Vulnerable code not present)
NOTE: Fixed by: 
https://git.kernel.org/linus/0048b4837affd153897ed183492070027aa9 (4.3-rc1)
 CVE-2015-9015
RESERVED
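Review bot: CVE-2015-9016 gets '[wheezy] - linux (Vulnerable code not present)' but jessie (3.16-based) has no annotation, while the fix is noted as landing in 4.3-rc1. As written the tracker treats jessie as affected and unfixed; add a [jessie] line if the race is not reachable there, or leave it open deliberately and say so in a NOTE.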



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/86548e12c22a72005809a66ed1bff369acb312fd


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-6412 as unimportant

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0022e75 by Salvatore Bonaccorso at 2018-03-03T20:55:34+01:00
Mark CVE-2018-6412 as unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3707,8 +3707,9 @@ CVE-2018-6414
 CVE-2018-6413
RESERVED
 CVE-2018-6412 (In the function sbusfb_ioctl_helper() in 
drivers/video/fbdev/sbuslib.c ...)
-   - linux 
+   - linux  (unimportant)
NOTE: https://marc.info/?l=linux-fbdev=151734425901499=2
+   NOTE: The issue only affects SPARC systems.
 CVE-2018-6411
RESERVED
 CVE-2018-6410
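Review bot: the entry is downgraded to unimportant with the added NOTE 'The issue only affects SPARC systems', which matches sparc not being a Debian release architecture. The only reference is still a mailing-list post (https://marc.info/?l=linux-fbdev=151734425901499=2) and the package line has no fixed version, so a 'Fixed by' line pointing at the upstream commit should be added once one exists.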



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0022e7554a879947c26fd158ba8d6ac27907b9e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2017-11430: reference the upstream issue

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74f27354 by Salvatore Bonaccorso at 2018-03-03T16:46:54+01:00
CVE-2017-11430: reference the upstream issue

- - - - -
bee5644a by Salvatore Bonaccorso at 2018-03-03T16:47:08+01:00
Add bug reference for node-ssri issue

Since there is no CVE assigned use a Debian BTS bug as identifier.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,5 @@
 CVE-2018- [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
-   - node-ssri  (unimportant)
+   - node-ssri  (unimportant; bug #891980)
NOTE: fixed in 5.2.2
NOTE: 
https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d
NOTE: https://github.com/zkat/ssri/issues/10
@@ -37673,6 +37673,7 @@ CVE-2017-11430
RESERVED
- ruby-omniauth-saml 
NOTE: fixed in 1.10.0
+   NOTE: https://github.com/omniauth/omniauth-saml/issues/156
NOTE: https://github.com/omniauth/omniauth-saml/pull/157
NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
NOTE: https://www.kb.cert.org/vuls/id/475445
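Review bot: the upstream issue link (#156) is added next to the pull request (#157), which is good; the ruby-omniauth-saml line still has no fixed Debian version and no BTS bug, unlike the node-ssri entry in the first hunk, where a bug number was added as the tracking identifier. A bug against ruby-omniauth-saml would notify the package maintainer and give a place to record the upload that fixes it.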



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/26df51fa49ad00cb8e16ca17cc8d7a0e5c3c3231...bee5644a68d44b573910c3c87b267068ca9d20e0


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-ssri unimportant, nodejs not covered by security support

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
26df51fa by Salvatore Bonaccorso at 2018-03-03T16:37:33+01:00
node-ssri unimportant, nodejs not covered by security support

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,9 +1,10 @@
 CVE-2018- [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
-   - node-ssri 
+   - node-ssri  (unimportant)
NOTE: fixed in 5.2.2
NOTE: 
https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d
NOTE: https://github.com/zkat/ssri/issues/10
NOTE: https://nodesecurity.io/advisories/565
+   NOTE: nodejs not covered by security support
 CVE-2018-1000115 [Insufficient Control of Network Message Volume]
- memcached 
[stretch] - memcached  (Minor issue; Debian defaults to listen 
only on localhost)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/26df51fa49ad00cb8e16ca17cc8d7a0e5c3c3231


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18196/leptonlib jessie and wheezy not affected

2018-03-03 Thread Santiago R.R.
Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06a9d7f0 by Santiago Ruano Rincón at 2018-03-03T16:18:08+01:00
Add CVE-2017-18196/leptonlib jessie and wheezy not affected

Signed-off-by: Santiago Ruano Rincón santiag...@riseup.net

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9933,6 +9933,8 @@ CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded 
/tmp pathnames, which mig
NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html
 CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing 
duplicated ...)
- leptonlib 1.74.4-2 (bug #885704)
+   [jessie] - leptonlib  (Vulnerable code not present)
+   [wheezy] - leptonlib  (Vulnerable code not present)
 CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...)
- leptonlib 1.75.3-3 (bug #891932)
[stretch] - leptonlib  (Incomplete fix for CVE-2018-3836 
not applied)
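Review bot: jessie and wheezy are annotated 'Vulnerable code not present', consistent with the description naming Leptonica 1.74.4; stretch has no line, so it is implicitly affected and unfixed against the 1.74.4-2 fix. If stretch ships a version older than 1.74.4 the same annotation belongs there; if it ships 1.74.4 it needs a [stretch] line with a fixed version or a 'Minor issue' note. Either way the stretch state should be set explicitly rather than left to be inferred.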



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/06a9d7f00b6a4786589c0212fd14f5858567a19d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] npm serve NFU

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cb0e8f05 by Paul Wise at 2018-03-03T22:53:16+08:00
npm serve NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -10480,6 +10480,12 @@ CVE-2018-3713
RESERVED
 CVE-2018-3712
RESERVED
+   NOT-FOR-US: npm serve
+   NOTE: fixed in 6.4.9 upstream
+   NOTE: 
https://github.com/zeit/serve/commit/6adad6881c61991da61ebc857857c53409544575
+   NOTE: https://github.com/zeit/serve/pull/316
+   NOTE: https://hackerone.com/reports/307666
+   NOTE: https://nodesecurity.io/advisories/561
 CVE-2018-3711
RESERVED
NOT-FOR-US: Fastify



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb0e8f050f340348f702a30ed66b283c96f6f729


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] electron details

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
329f9ae1 by Paul Wise at 2018-03-03T22:44:37+08:00
electron details

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5333,6 +5333,9 @@ CVE-2018-5800
RESERVED
 CVE-2018-106 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 
and earlier, ...)
- electron  (bug #842420)
+   NOTE: Linux is not affected
+   NOTE: https://electronjs.org/blog/protocol-handler-fix
+   NOTE: https://nodesecurity.io/advisories/563
 CVE-2018-5799
RESERVED
 CVE-2018-5798
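Review bot: the NOTE 'Linux is not affected' is added while the electron line stays open with only a bug reference and no severity, so the NOTE and the package state disagree. If Linux is not affected then no Debian build is affected, and the package line should say so (an unimportant rating with the reason, or a not-affected annotation) instead of leaving the entry listed as an open issue.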



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/329f9ae119321fd9f7733528573922d1552b52e2


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] fastify NFU

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2fdb27c by Paul Wise at 2018-03-03T22:41:39+08:00
fastify NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -10479,6 +10479,11 @@ CVE-2018-3712
RESERVED
 CVE-2018-3711
RESERVED
+   NOT-FOR-US: Fastify
+   NOTE: fixed in 0.38.0 upstream
+   NOTE: 
https://github.com/fastify/fastify/commit/fabd2a011f2ffbb877394abe699f549513ffbd76
+   NOTE: https://hackerone.com/reports/303632
+   NOTE: https://nodesecurity.io/advisories/564
 CVE-2018-3710 [Remote Code Execution Vulnerability in GitLab Projects Import]
RESERVED
- gitlab  (bug #888508)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2fdb27cfadd78da7a9ffb1bb8ad746215e41e47


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-ssri ReDoS

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e4f7bfa by Paul Wise at 2018-03-03T22:38:19+08:00
node-ssri ReDoS

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,9 @@
+CVE-2018- [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
+   - node-ssri 
+   NOTE: fixed in 5.2.2
+   NOTE: 
https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d
+   NOTE: https://github.com/zkat/ssri/issues/10
+   NOTE: https://nodesecurity.io/advisories/565
 CVE-2018-1000115 [Insufficient Control of Network Message Volume]
- memcached 
[stretch] - memcached  (Minor issue; Debian defaults to listen 
only on localhost)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e4f7bfaaba71994cddc64ad3ecb0927713365dd


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-hoek more details

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
48cc46ca by Paul Wise at 2018-03-03T22:32:27+08:00
node-hoek more details

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -10429,7 +10429,11 @@ CVE-2018-3729
 CVE-2018-3728 [Prototype pollution in utilities function]
RESERVED
- node-hoek  (unimportant)
+   NOTE: fixed in 4.2.1
+   NOTE: https://github.com/hapijs/hoek/issues/230
+   NOTE: https://hackerone.com/reports/310439
NOTE: https://snyk.io/vuln/npm:hoek:20180212
+   NOTE: https://nodesecurity.io/advisories/566
NOTE: nodejs not covered by security support
 CVE-2018-3727
RESERVED
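Review bot: the added NOTEs give the upstream fixed version (4.2.1), the issue, the hackerone report and both advisory links, but not the upstream fix commit. Adding it would let a Debian upload be checked against the actual change, which matters here because the node-hoek line still carries no fixed Debian version.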



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/48cc46caf3f94df16212e65760e200a6f4fa7354


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] SAML NFU

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
18a003d7 by Paul Wise at 2018-03-03T22:24:27+08:00
SAML NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -916,6 +916,10 @@ CVE-2017-6927 (Drupal 8.4.x versions before 8.4.5 and 
Drupal 7.x versions before
NOTE: https://www.drupal.org/sa-core-2018-001
 CVE-2018-7338
RESERVED
+   NOT-FOR-US: Duo Network Gateway
+   NOTE: https://duo.com/labs/psa/duo-psa-2017-003
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2018-7337 (In Wireshark 2.4.0 to 2.4.4, the DOCSIS protocol dissector 
could crash. ...)
- wireshark 2.4.5-1
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14446
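Review bot: the NOT-FOR-US line names only Duo Network Gateway, but both references added beneath it (VU#475445 and the Duo post on SAML vulnerabilities affecting multiple implementations) describe an issue spanning several SAML libraries; a short NOTE saying that the Debian-packaged implementations are tracked under their own CVE ids would stop a later triager from re-checking this entry. Placing NOT-FOR-US directly after RESERVED, with no bracketed summary on the CVE line, follows the file's convention.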



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a003d799e9dfe75b1c143d51c190828b4dbe4f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] SAML vulns

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bd5dbfd6 by Paul Wise at 2018-03-03T22:18:18+08:00
SAML vulns

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -19748,6 +19748,8 @@ CVE-2018-0489 (Shibboleth XMLTooling-C before 1.6.4, as 
used in Shibboleth Servi
- xmltooling 1.6.4-1
NOTE: https://shibboleth.net/community/advisories/secadv_20180227.txt
NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-128
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, 
when the ...)
- mbedtls 2.7.0-2 (bug #890287)
- polarssl 
@@ -37638,12 +37640,28 @@ CVE-2017-11431
RESERVED
 CVE-2017-11430
RESERVED
+   - ruby-omniauth-saml 
+   NOTE: fixed in 1.10.0
+   NOTE: https://github.com/omniauth/omniauth-saml/pull/157
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11429
RESERVED
+   NOT-FOR-US: Clever saml2-js
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://nodesecurity.io/advisories/567
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11428
RESERVED
+   - ruby-saml 
+   NOTE: fixed in 1.7.0
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11427
RESERVED
+   NOT-FOR-US: OneLogin python-saml
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11426
RESERVED
 CVE-2017-11425
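Review bot: CVE-2017-11430 and CVE-2017-11428 gain package lines for ruby-omniauth-saml and ruby-saml, but the upstream fix versions (1.10.0 and 1.7.0) appear only in NOTEs; the package lines show neither a Debian fixed version nor a bug reference, and the CVE lines stay as bare RESERVED without a bracketed summary of the kind used on CVE-2018-3728 in this list. Add the bug numbers once filed and a one-line bracketed summary taken from the linked advisory so the entries are searchable before the descriptions are published. Only the omniauth-saml entry links its upstream change (pull request #157); the ruby-saml entry would benefit from the equivalent upstream reference.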



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bd5dbfd67418cbd6cf4c5a539f34fb476db0020b


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-7559, undertow: Link to patch, correct upstream bug

2018-03-03 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f4fdf50 by Markus Koschany at 2018-03-03T15:13:04+01:00
CVE-2017-7559, undertow: Link to patch, correct upstream bug

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -49577,9 +49577,10 @@ CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 
1.4.x before 1.4.17.Final, a
- undertow 1.4.23-1 (bug #885576)
NOTE: CVE is for an incomplete fix of CVE-2017-2666
NOTE: Invalid characters were still allowed in the query string and 
path parameters.
-   NOTE: https://issues.jboss.org/browse/UNDERTOW-1251
+   NOTE: https://issues.jboss.org/browse/UNDERTOW-1165
NOTE: https://issues.jboss.org/browse/UNDERTOW-1295
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7
+   NOTE: Fixed by 
https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2
 CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() 
and sctp_get_sctp_info()]
RESERVED
- linux 4.12.13-1
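Review bot: UNDERTOW-1251 is replaced by UNDERTOW-1165 without the entry saying why the earlier reference was wrong, and the entry now lists two JIRA issues (UNDERTOW-1165 and UNDERTOW-1295) without stating how each relates to the incomplete fix of CVE-2017-2666 mentioned in the first NOTE; one NOTE saying which issue tracks the incomplete fix would make the history legible. The added "Fixed by" commit is an upstream commit, while the package line says undertow 1.4.23-1, so confirm the commit is contained in the 1.4.23 upstream release rather than only in later branches.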



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f4fdf50ae76103622200a2b20b412c686b4692f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1048, undertow: Link to patch

2018-03-03 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2e99abf by Markus Koschany at 2018-03-03T15:00:02+01:00
CVE-2018-1048, undertow: Link to patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -17798,6 +17798,7 @@ CVE-2018-1048 (It was found that the AJP connector in 
undertow, as shipped in Jb
- undertow 1.4.22-1 (bug #891928)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343
NOTE: https://issues.jboss.org/browse/UNDERTOW-1245
+   NOTE: Fixed by 
https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5
 CVE-2018-1047 (A flaw was found in Wildfly 9.x. A path traversal vulnerability 
...)
- undertow  (bug #891929)
NOTE: https://issues.jboss.org/browse/WFLY-9620
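Review bot: the "Fixed by" commit is added but nothing ties it to the Debian fixed version on the package line (undertow 1.4.22-1); confirm the referenced upstream commit is part of the 1.4.22 release that package is built from, otherwise the fixed-version claim is unsupported and the entry should say the patch was cherry-picked. The "Fixed by" wording matches the CVE-2017-7559 entry changed in the companion commit, which keeps the file consistent.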



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2e99abf4a243bb38becda8f5a5a58731efaf622


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add reference for CVE-2017-3144

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
055034a2 by Salvatore Bonaccorso at 2018-03-03T14:44:45+01:00
Add reference for CVE-2017-3144

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -63516,6 +63516,7 @@ CVE-2017-3144 [dhcp: omapi code doesn't free socket 
descriptors when empty messa
[jessie] - isc-dhcp  (Minor issue)
[wheezy] - isc-dhcp  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918
+   NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=46767
NOTE: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894
NOTE: Fixes for 4.3.6p1: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3
 CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic 
updates]



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/055034a2134fc64199cc9eaab2a7ca26029295c3


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Correct references to commits for isc-dhcp

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f4a8548a by Salvatore Bonaccorso at 2018-03-03T14:40:27+01:00
Correct references to commits for isc-dhcp

While triaging I swapped the two commits, and wrongly associated the one
for CVE-2018-5732 with CVE-2018-5733 and vice versa.

Reference the (yet) non-public bug reports.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5566,13 +5566,15 @@ CVE-2018-5733 [A malicious client can overflow a 
reference counter in ISC dhcpd]
RESERVED
- isc-dhcp  (bug #891785)
NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733
-   NOTE: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=c5931725b48b121d232df4ba9e45bc41e0ba114d
 (4.4.1)
+   NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47140
+   NOTE: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=197b26f25309f947b97a83b8fdfc414b767798f8
 (4.4.1)
NOTE: Fixes for 4.3.6p1: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3
 CVE-2018-5732 [A specially constructed response from a malicious server can 
cause a buffer overflow in dhclient]
RESERVED
- isc-dhcp  (bug #891786)
NOTE: https://kb.isc.org/article/AA-01565/75/CVE-2018-5732
-   NOTE: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=197b26f25309f947b97a83b8fdfc414b767798f8
 (4.4.1)
+   NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47139
+   NOTE: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=c5931725b48b121d232df4ba9e45bc41e0ba114d
 (4.4.1)
NOTE: Fixes for 4.3.6p1: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3
 CVE-2018-105 (libcurl 7.49.0 to and including 7.57.0 contains an out 
bounds read in ...)
- curl 7.58.0-1
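Review bot: the swap matches the commit message: commit 197b26f2 now sits under CVE-2018-5733 and c5931725 under CVE-2018-5732, and each is still followed by the same 4.3.6p1 commit 99a25aed, which is only right if that single commit carries both fixes; a NOTE saying it is a combined backport would avoid the same confusion recurring. The two ISC bug links (47140 and 47139) are described in the commit message as not yet public, so mark them as such in a NOTE until they open, since readers of the file cannot otherwise tell why the links do not load.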



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4a8548afc2e821a79e68cb21177d5fa5b42cd2d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for glibc issues now that 2.27-1 entered unstable

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c236712 by Salvatore Bonaccorso at 2018-03-03T14:17:50+01:00
Add fixed version for glibc issues now that 2.27-1 entered unstable

Exceptionally keep the experimental tagged entry, but that's not really
needed as we only track unstable.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3236,7 +3236,7 @@ CVE-2018-6552
RESERVED
 CVE-2018-6551 (The malloc implementation in the GNU C Library (aka glibc or 
libc6), ...)
[experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0
-   - glibc 
+   - glibc 2.27-1
[stretch] - glibc  (Minor issue)
[jessie] - glibc  (Issue introduced in 2.24, 2.26 only 
for i386)
- eglibc  (Issue introduced in 2.24 for powerpc, 2.26 
only for i386)
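Review bot: the two rationale strings in the context lines disagree: the [jessie] line says "Issue introduced in 2.24, 2.26 only for i386" while the eglibc line says "Issue introduced in 2.24 for powerpc, 2.26 only for i386"; if the 2.24 part is powerpc-specific, the jessie line should say so as well. The change itself (glibc 2.27-1 as the unstable fixed version) matches the commit message.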
@@ -3536,7 +3536,7 @@ CVE-2017-18080 (The saveConfigureSecurity resource in 
Atlassian Bamboo before ve
NOT-FOR-US: Atlassian Bamboo
 CVE-2018-6485 (An integer overflow in the implementation of the posix_memalign 
in ...)
[experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0
-   - glibc  (bug #878159)
+   - glibc 2.27-1 (bug #878159)
[stretch] - glibc  (Minor issue)
[jessie] - glibc  (Minor issue)
- eglibc 
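Review bot: the [experimental] line is kept in both hunks although the commit message says it is not needed because only unstable is tracked; leaving it in for these two CVEs only invites inconsistency, so either drop it in a follow-up or add a NOTE explaining the exception. The fixed version 2.27-1 and the retained bug #878159 look right.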



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c236712e04dfbe2a55baa5c8c0b69b242593eb5


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-7262

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8853f6c0 by Salvatore Bonaccorso at 2018-03-03T11:31:23+01:00
Add bug reference for CVE-2018-7262

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1297,7 +1297,7 @@ CVE-2018-7263 (The mad_decoder_run() function in 
decoder.c in Underbit libmad th
TODO: clarify with MITRE why this CVE was additionally assigned
 CVE-2018-7262 [Malformed HTTP requests handled in 
rgw_civetweb.cc:RGW::init_env() can lead to NULL pointer dereference]
RESERVED
-   - ceph 
+   - ceph  (bug #891963)
NOTE: Original pull request: https://github.com/ceph/ceph/pull/20403
NOTE: Superseeded by: https://github.com/ceph/ceph/pull/20488
 CVE-2018-7261 (There are multiple Persistent XSS vulnerabilities in Radiant 
CMS ...)
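Review bot: the context NOTE reads "Superseeded by"; the word is "Superseded". The added bug #891963 belongs on the ceph package line as done here, and keeping both pull-request links (the original #20403 and the superseding #20488) is useful because the latter is the change a package fix has to carry.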



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8853f6c07cc6a8e50280018619df58dd99c1cbb4


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f9aafce9 by Salvatore Bonaccorso at 2018-03-03T10:25:14+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -652,7 +652,7 @@ CVE-2018-7443 (The ReadTIFFImage function in coders/tiff.c 
in ImageMagick 7.0.7-
 CVE-2018-7434 (zzcms 8.2 allows remote attackers to discover the full path via 
a ...)
NOT-FOR-US: zzcms
 CVE-2018-7433 (The iThemes Security plugin before 6.9.1 for WordPress does not 
...)
-   TODO: check
+   NOT-FOR-US: iThemes Security plugin for WordPress
 CVE-2018-7432
RESERVED
 CVE-2018-7431
@@ -3445,7 +3445,7 @@ CVE-2018-6492
 CVE-2018-6491
RESERVED
 CVE-2018-6490 (Denial of Service vulnerability in Micro Focus Operations ...)
-   TODO: check
+   NOT-FOR-US: Micro Focus Operations Orchestration Software
 CVE-2018-6489 (XML External Entity (XXE) vulnerability in Micro Focus Project 
and ...)
NOT-FOR-US: Micro Focus Project and Portfolio Management Center
 CVE-2018-6488 (Arbitrary Code Execution vulnerability in Micro Focus Universal 
CMDB, ...)
@@ -16166,7 +16166,7 @@ CVE-2018-1375
 CVE-2018-1374
RESERVED
 CVE-2018-1373 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses 
an ...)
-   TODO: check
+   NOT-FOR-US: IBM Security Guardium Big Data Intelligence
 CVE-2018-1372 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does 
not ...)
NOT-FOR-US: IBM Security Guardium Big Data Intelligence
 CVE-2018-1371
@@ -17404,9 +17404,9 @@ CVE-2018-1172
 CVE-2018-1171
RESERVED
 CVE-2018-1170 (This vulnerability allows adjacent attackers to inject 
arbitrary ...)
-   TODO: check
+   NOT-FOR-US: Volkswagen Customer-Link App and HTC Customer-Link Bridge
 CVE-2018-1169 (This vulnerability allows remote attackers to execute arbitrary 
code ...)
-   TODO: check
+   NOT-FOR-US: Amazon Music Player
 CVE-2018-1168 (This vulnerability allows local attackers to escalate 
privileges on ...)
NOT-FOR-US: ABB MicroSCADA
 CVE-2018-1167
@@ -43390,7 +43390,7 @@ CVE-2017-9461 (smbd in Samba before 4.4.10 and 4.5.x 
before 4.5.6 has a denial o
NOTE: 
https://git.samba.org/?p=samba.git;a=commitdiff;h=10c3e3923022485c720f322ca4f0aca5d7501310
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=12572
 CVE-2017-9447 (In the web interface of Parallels Remote Application Server 
(RAS) 15.5 ...)
-   TODO: check
+   NOT-FOR-US: Parallels Remote Application Server
 CVE-2017-9446
RESERVED
 CVE-2017-9445 (In systemd through 233, certain sizes passed to dns_packet_new 
in ...)
@@ -44074,7 +44074,7 @@ CVE-2017-9289 (Bram Korsten Note through 1.2.0 is 
vulnerable to a reflected XSS 
 CVE-2017-9288 (The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a 
reflected ...)
NOT-FOR-US: Wordpress plugin
 CVE-2017-9286 (The packaging of NextCloud in openSUSE used /srv/www/htdocs in 
an ...)
-   TODO: check
+   NOT-FOR-US: OpenSUSE specific packaging issue of NextCloud
 CVE-2017-9285 (NetIQ eDirectory before 9.0 SP4 did not enforce login 
restrictions ...)
TODO: check
 CVE-2017-9284
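Review bot: the NOT-FOR-US label spells the distribution "OpenSUSE" while the CVE description on the same entry uses the project's own spelling "openSUSE"; use the latter for consistency. CVE-2017-9285 (NetIQ eDirectory) directly below is still `TODO: check` and looks like the same kind of proprietary-product entry as the others resolved in this commit.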



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9aafce95043d585c9b51e09509c12e551af5ddc


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-7440/leptonlib as fixed with unstable upload

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
620f9687 by Salvatore Bonaccorso at 2018-03-03T10:12:58+01:00
Mark CVE-2018-7440/leptonlib as fixed with unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9919,7 +9919,7 @@ CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded 
/tmp pathnames, which mig
 CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing 
duplicated ...)
- leptonlib 1.74.4-2 (bug #885704)
 CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...)
-   - leptonlib  (bug #891932)
+   - leptonlib 1.75.3-3 (bug #891932)
[stretch] - leptonlib  (Incomplete fix for CVE-2018-3836 
not applied)
[jessie] - leptonlib  (Incomplete fix for CVE-2018-3836 
not applied)
NOTE: 
https://github.com/DanBloomberg/leptonica/issues/303#issuecomment-366472212
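Review bot: the fixed version 1.75.3-3 is a patched Debian revision of the same upstream 1.75.3 that the CVE description names as affected, so a NOTE giving the upstream commit (or the Debian patch) that 1.75.3-3 applies would let the [stretch]/[jessie] rationale ("Incomplete fix for CVE-2018-3836 not applied") be checked against it; the only NOTE at present points at an issue comment.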



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/620f9687ebca1d29baec7954d03f22ebd18e55df


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee853802 by security tracker role at 2018-03-03T09:10:14+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -26430,6 +26430,7 @@ CVE-2017-15133 (A denial of service flaw was found in 
miekg-dns before 1.0.4. A 
NOTE: https://github.com/miekg/dns/issues/627
NOTE: https://github.com/miekg/dns/pull/631
 CVE-2017-15132 (A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An 
abort of ...)
+   {DSA-4130-1}
- dovecot 1:2.2.34-1 (bug #888432)
NOTE: Fixed by: 
https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch
NOTE: Regression fix needed on top: 
https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22
@@ -26447,6 +26448,7 @@ CVE-2017-15131 (It was found that system umask policy 
is not being honored when 
NOTE: Enforcements can be achieved e.g. by using pam_umask.
NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303
 CVE-2017-15130 (A denial of service flaw was found in dovecot before 2.2.34. 
An ...)
+   {DSA-4130-1}
- dovecot 1:2.2.34-1 (bug #891820)
NOTE: 
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
NOTE: 
https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391
@@ -28711,6 +28713,7 @@ CVE-2017-14463
 CVE-2017-14462
RESERVED
 CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to 
Dovecot ...)
+   {DSA-4130-1}
- dovecot 1:2.2.34-1 (bug #891819)
NOTE: 
https://www.dovecot.org/list/dovecot-news/2018-February/000370.html
NOTE: 
https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4
@@ -67215,7 +67218,7 @@ CVE-2017-1656
RESERVED
 CVE-2017-1655
RESERVED
-CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2,0 - 4.2.3 could allow a local 
...)
+CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2.0 - 4.2.3 could allow a local 
...)
TODO: check
 CVE-2017-1653 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle 
Management ...)
NOT-FOR-US: IBM Jazz Foundation
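Review bot: the description fix ("4.2,0" to "4.2.0") is correct, but the entry keeps `TODO: check` while the IBM Jazz Foundation entry directly below is already NOT-FOR-US; IBM Spectrum Scale is a proprietary product as well and can be triaged the same way in the next manual pass.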
@@ -104222,20 +104225,20 @@ CVE-2015-7969 (Multiple memory leaks in Xen 4.0 
through 4.6.x allow local guest 
NOTE: http://xenbits.xen.org/xsa/advisory-151.html
 CVE-2015-7968
RESERVED
-CVE-2015-7967
-   RESERVED
-CVE-2015-7966
-   RESERVED
-CVE-2015-7965
-   RESERVED
-CVE-2015-7964
-   RESERVED
-CVE-2015-7963
-   RESERVED
-CVE-2015-7962
-   RESERVED
-CVE-2015-7961
-   RESERVED
+CVE-2015-7967 (SafeNet Authentication Service for Citrix Web Interface Agent 
uses a ...)
+   TODO: check
+CVE-2015-7966 (SafeNet Authentication Service Windows Logon Agent uses a weak 
ACL for ...)
+   TODO: check
+CVE-2015-7965 (SafeNet Authentication Service Windows Logon Agent uses a weak 
ACL for ...)
+   TODO: check
+CVE-2015-7964 (SafeNet Authentication Service for NPS Agent uses a weak ACL 
for ...)
+   TODO: check
+CVE-2015-7963 (SafeNet Authentication Service for AD FS Agent uses a weak ACL 
for ...)
+   TODO: check
+CVE-2015-7962 (SafeNet Authentication Service for Outlook Web App Agent uses a 
weak ...)
+   TODO: check
+CVE-2015-7961 (SafeNet Authentication Service Remote Web Workplace Agent uses 
a weak ...)
+   TODO: check
 CVE-2015-7960
REJECTED
 CVE-2015-7959
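Review bot: all seven new entries describe SafeNet Authentication Service agents for Windows-side components (Citrix Web Interface, Windows Logon, NPS, AD FS, Outlook Web App, Remote Web Workplace) and are left at `TODO: check` by the automatic update; unless someone finds a Debian package shipping one of these agents, the next manual triage can mark them NOT-FOR-US in one go, together with the three further SafeNet entries (CVE-2015-7598 to CVE-2015-7596) in the following hunk.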
@@ -105360,12 +105363,12 @@ CVE-2015-7600 (Cisco VPN Client 5.x through 
5.0.07.0440 uses weak permissions fo
NOT-FOR-US: Cisco VPN Client
 CVE-2015-7599 (Integer overflow in the _authenticate function in svc_auth.c in 
Wind ...)
NOT-FOR-US: Wind River VxWorks
-CVE-2015-7598
-   RESERVED
-CVE-2015-7597
-   RESERVED
-CVE-2015-7596
-   RESERVED
+CVE-2015-7598 (SafeNet Authentication Service TokenValidator Proxy Agent uses 
a weak ...)
+   TODO: check
+CVE-2015-7597 (SafeNet Authentication Service IIS Agent uses a weak ACL for 
...)
+   TODO: check
+CVE-2015-7596 (SafeNet Authentication Service End User Software Tools for 
Windows ...)
+   TODO: check
 CVE-2015-7595
REJECTED
 CVE-2015-7594



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee8538023be193789f1e59f56223f15f716d202d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DSA for linux regression update

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
001e81a6 by Salvatore Bonaccorso at 2018-03-03T09:25:42+01:00
Reserve DSA for linux regression update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,3 +1,5 @@
+[03 Mar 2018] DSA-4120-2 linux - regression update
+   [stretch] - linux 4.9.82-1+deb9u3
 [02 Mar 2018] DSA-4130-1 dovecot - security update
{CVE-2017-14461 CVE-2017-15130 CVE-2017-15132}
[jessie] - dovecot 1:2.2.13-12~deb8u4
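Review bot: the DSA-4120-2 entry has no `{CVE-...}` line, which is expected for a regression update, but unlike DSA-4130-1 below it gives no pointer to what regressed; a bug reference in the commit message or the DSA text would make the reason for 4.9.82-1+deb9u3 traceable from this file.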


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -43,7 +43,7 @@ libmad
 --
 libvpx
 --
-linux (carnil)
+linux
   Wait until more issues have piled up
 --
 mbedtls (seb)
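Review bot: dropping "(carnil)" releases the linux claim in dsa-needed while keeping the "Wait until more issues have piled up" note; that is consistent with the regression DSA being reserved in the other file, but if the regression update itself is still being prepared, the entry should keep saying who is handling it until it ships.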



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/001e81a682d405dadfebce33abd3c5c20d6c6aff


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000115/memcached

2018-03-03 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b706d7fb by Salvatore Bonaccorso at 2018-03-03T09:02:37+01:00
Add CVE-2018-1000115/memcached

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,13 @@
+CVE-2018-1000115 [Insufficient Control of Network Message Volume]
+   - memcached 
+   [stretch] - memcached  (Minor issue; Debian defaults to listen 
only on localhost)
+   [jessie] - memcached  (Minor issue; Debian defaults to listen 
only on localhost)
+   NOTE: Upstream 1.5.6 disables by default the UDP protocol
+   NOTE: 
https://github.com/memcached/memcached/commit/dbb7a8af90054bf4ef51f5814ef7ceb17d83d974
+   NOTE: Documentation in memcached's config files clearly mentions the
+   NOTE: issues: "Specify which IP address to listen on. The default
+   NOTE: (upstream) is to listen on all IP addresses. [...] so make sure
+   NOTE: it's listening on a firewalled interface."
 CVE-2018-7650
RESERVED
 CVE-2018-7649
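Review bot: the memcached package line carries no Debian bug reference, and the NOTE that upstream 1.5.6 disables UDP by default does not say what the unstable fix will be (the 1.5.6 upload or a patch flipping the default), so the entry cannot be closed by the usual fixed-version check; add the bug number and the intended fix. The [stretch]/[jessie] "Minor issue" rationale rests on the Debian default of listening on localhost only, which the quoted config comment itself warns is not the upstream default; it is worth stating that the exposure returns as soon as an administrator binds memcached to a non-local interface, which is exactly the case the quoted documentation tells users to firewall.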



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b706d7fb309b2176e399b26f76c6c44de34dc98a
