[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2018-580{0, 1, 2}/libraw
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f5cc762 by Salvatore Bonaccorso at 2018-03-09T08:24:42+01:00 Reference upstream commit for CVE-2018-580{0,1,2}/libraw Note that the upstream commit message is wrong saying 0.18.17 which is though definitively tagged as 0.18.7 and is after 0.18.6 release, the changelog is as well referring to 0.18.7 thus deducing that the upstream version 0.18.7 is correct to use. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -6075,14 +6075,17 @@ CVE-2018-5802 [Out-of-bounds read in kodak_radc_load_raw function internal/dcraw RESERVED - libraw 0.18.7-1 NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt + NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5801 [NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp] RESERVED - libraw 0.18.7-1 NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt + NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5800 [Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp] RESERVED - libraw 0.18.7-1 NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt + NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-106 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, ...) - electron (bug #842420) NOTE: Linux is not affected View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f5cc76218c6c29dc90fe5321b282f1a7241e921 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f5cc76218c6c29dc90fe5321b282f1a7241e921 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
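Review bot: the three NOTE lines added at @@ -6075 record the fix commit but not the reasoning from the commit message, so the next person who reads the upstream commit message (which says 0.18.17) next to the recorded fixed version 0.18.7-1 will have to re-derive it; add a line such as "NOTE: upstream commit message says 0.18.17, the commit is tagged 0.18.7 (after 0.18.6)" under one of the three entries, and confirm the tag claim in an upstream checkout with "git tag --contains 8682ad204392b914ab1cc6ebcca9c27c19c1a4b4" rather than from the changelog alone.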
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7858/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fd0a664 by Salvatore Bonaccorso at 2018-03-09T07:58:22+01:00 Add CVE-2018-7858/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -70,8 +70,11 @@ CVE-2018-7860 RESERVED CVE-2018-7859 RESERVED -CVE-2018-7858 +CVE-2018-7858 [cirrus: OOB access when updating vga display] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg02174.html CVE-2018-7857 RESERVED CVE-2018-7856 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fd0a664ebf2d4ce2c6816832528c9c391fe1a90 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4fd0a664ebf2d4ce2c6816832528c9c391fe1a90 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
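Review bot: the only reference added at @@ -70 is the qemu-devel posting of the patch, so nothing records which revision was accepted and the "- qemu" and "- qemu-kvm" lines carry no fixed version; once the patch is merged, add "NOTE: Fixed by: <commit URL>" in the form the linux entries on this page use, so the first fixed upstream release and the Debian fixed version can be filled in.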
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-580{0, 1, 2}/libraw
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e4eb12a by Salvatore Bonaccorso at 2018-03-09T07:56:54+01:00 Add CVE-2018-580{0,1,2}/libraw - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6068,12 +6068,18 @@ CVE-2018-5803 [Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp RESERVED - linux NOTE: Fixed by: https://git.kernel.org/linus/07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c -CVE-2018-5802 +CVE-2018-5802 [Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp] RESERVED -CVE-2018-5801 + - libraw 0.18.7-1 + NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt +CVE-2018-5801 [NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp] RESERVED -CVE-2018-5800 + - libraw 0.18.7-1 + NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt +CVE-2018-5800 [Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp] RESERVED + - libraw 0.18.7-1 + NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt CVE-2018-106 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, ...) - electron (bug #842420) NOTE: Linux is not affected View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e4eb12ade05d1817adf185f5f01d5ebba7009f4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e4eb12ade05d1817adf185f5f01d5ebba7009f4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
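Review bot: the three entries at @@ -6068 state the fixed Debian version 0.18.7-1 while the only reference is the Secunia advisory on packetstormsecurity.com, which does not identify the upstream fix; the fixed-version claim should be backed by a NOTE with the LibRaw commit so it can be checked against the 0.18.7 tag before the issue is treated as closed for unstable.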
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1071/zsh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e4bbf08 by Salvatore Bonaccorso at 2018-03-09T07:52:37+01:00 Add CVE-2018-1071/zsh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -18487,8 +18487,10 @@ CVE-2018-1073 RESERVED CVE-2018-1072 RESERVED -CVE-2018-1071 +CVE-2018-1071 [Stack-based buffer overflow in exec.c:hashcmd()] RESERVED + - zsh + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1553531 CVE-2018-1070 RESERVED CVE-2018-1069 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e4bbf08825aacc4890e5859699c9672361e7e4d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e4bbf08825aacc4890e5859699c9672361e7e4d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
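Review bot: "- zsh" at @@ -18487 has neither a fixed version nor a severity qualifier, and the only reference is the Red Hat bug; the other zsh entry on this page, CVE-2018-7549, carries "(unimportant)" and a link to the upstream sourceforge commit, so once the fix for exec.c:hashcmd() is identified add it as a NOTE and decide whether a qualifier applies here too.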
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 4 commits: Triage mp4v2 for LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0be7f76b by Chris Lamb at 2018-03-08T18:02:23-08:00 Triage mp4v2 for LTS - - - - - caa95732 by Chris Lamb at 2018-03-08T18:02:45-08:00 Triage libcdio for LTS - - - - - b709121e by Chris Lamb at 2018-03-08T18:04:45-08:00 Triage exempi for LTS - - - - - 2a127017 by Chris Lamb at 2018-03-08T18:05:18-08:00 data/dla-needed.txt: Add comment for exempi. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -17,6 +17,9 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- +exempi + NOTE: 20180308: Not all upstream patches apply cleanly (lamby) +-- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. @@ -51,6 +54,8 @@ libav (Hugo Lefeuvre) NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: Help is welcome, feel free to mail Hugo. -- +libcdio +-- libgcrypt11 -- libmad (Kurt Roeckx) @@ -69,6 +74,8 @@ ming (Hugo Lefeuvre) -- mingw-w64 -- +mp4v2 +-- mupdf (Hugo Lefeuvre) -- opencv (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0c791ef14632dff4cb4f32cf210e308db6e5205c...2a127017a6dc5efaf56540ff37ab78520b9a700a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0c791ef14632dff4cb4f32cf210e308db6e5205c...2a127017a6dc5efaf56540ff37ab78520b9a700a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
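Review bot: "libcdio" and "mp4v2" are added to data/dla-needed.txt at @@ -51 and @@ -69 with no NOTE and no claimant, whereas "exempi" in the same push gets a dated note ("NOTE: 20180308: Not all upstream patches apply cleanly"); a dated NOTE listing the CVE ids to be handled for each would let the next LTS worker see the scope without re-triaging.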
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c791ef1 by Salvatore Bonaccorso at 2018-03-08T22:40:07+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7367,7 +7367,7 @@ CVE-2017-18026 (Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 NOTE: https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e NOTE: upstream fixed in 3.2.9, 3.3.6 and 3.4.4 CVE-2018-5313 (A vulnerability allows local attackers to escalate privilege on Rapid ...) - TODO: check + NOT-FOR-US: Rapid Scada CVE-2017-1000415 (MatrixSSL version 3.7.2 has an incorrect UTCTime date range validation ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) @@ -8648,11 +8648,11 @@ CVE-2018-4842 CVE-2018-4841 RESERVED CVE-2018-4840 (A vulnerability has been identified in Siemens DIGSI 4 (All versions ...) - TODO: check + NOT-FOR-US: Siemens CVE-2018-4839 (A vulnerability has been identified in Siemens DIGSI 4 (All versions ...) - TODO: check + NOT-FOR-US: Siemens CVE-2018-4838 (A vulnerability has been identified in Siemens EN100 Ethernet module ...) - TODO: check + NOT-FOR-US: Siemens CVE-2018-4837 (A vulnerability has been identified in TeleControl Server Basic ...) NOT-FOR-US: Siemens / TeleControl Server Basic CVE-2018-4836 (A vulnerability has been identified in TeleControl Server Basic ...) @@ -16802,9 +16802,9 @@ CVE-2018-1445 CVE-2018-1444 RESERVED CVE-2018-1443 (An XML parsing vulnerability affects IBM SAML-based single sign-on ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-1442 (IBM Application Performance Management - Response Time Monitoring ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-1441 RESERVED CVE-2018-1440 
@@ -16914,7 +16914,7 @@ CVE-2018-1389 CVE-2018-1388 (GSKit V7 may disclose side channel information via discrepancies ...) NOT-FOR-US: IBM WebSphere MQ CVE-2018-1387 (IBM Application Performance Management for Monitoring Diagnostics ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-1386 RESERVED CVE-2018-1385 @@ -17983,17 +17983,17 @@ CVE-2018-1222 CVE-2018-1221 RESERVED CVE-2018-1220 (EMC RSA Archer, versions prior to 6.2.0.8, contains a redirect ...) - TODO: check + NOT-FOR-US: EMC RSA Archer CVE-2018-1219 (EMC RSA Archer, versions prior to 6.2.0.8, contains an improper access ...) - TODO: check + NOT-FOR-US: EMC RSA Archer CVE-2018-1218 RESERVED CVE-2018-1217 RESERVED CVE-2018-1216 (A hard-coded password vulnerability was discovered in vApp Manager ...) - TODO: check + NOT-FOR-US: EMC CVE-2018-1215 (An arbitrary file upload vulnerability was discovered in vApp Manager ...) - TODO: check + NOT-FOR-US: EMC CVE-2018-1214 (Dell EMC SupportAssist Enterprise version 1.1 creates a local Windows ...) NOT-FOR-US: EMC CVE-2018-1213 @@ -18063,7 +18063,7 @@ CVE-2018-1184 (An issue was discovered in EMC RecoverPoint for Virtual Machines CVE-2018-1183 RESERVED CVE-2018-1182 (An issue was discovered in EMC RSA Identity Governance and Lifecycle ...) - TODO: check + NOT-FOR-US: EMC CVE-2018-1181 RESERVED CVE-2017-17447 
@@ -50107,13 +50107,13 @@ CVE-2017-7643 (Proxifier for Mac before 2.19 allows local users to gain privileg CVE-2017-7642 (The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-7641 (QNAP NAS application Media Streaming add-on version 421.1.0.2, ...) - TODO: check + NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7640 (QNAP NAS application Media Streaming add-on version 421.1.0.2, ...) - TODO: check + NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7639 RESERVED CVE-2017-7638 (QNAP NAS application Media Streaming add-on version 421.1.0.2, ...) - TODO: check + NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7637 RESERVED CVE-2017-7636 @@ -50121,7 +50121,7 @@ CVE-2017-7636 CVE-2017-7635 RESERVED CVE-2017-7634 (Cross-site scripting (XSS) vulnerability in QNAP NAS application Media ...) - TODO: check + NOT-FOR-US: QNAP NAS application Media Streaming add-on CVE-2017-7633 (QNAP Qfinder Pro 6.1.0.0317 and earlier may expose sensitive ...) NOT-FOR-US: QNAP CVE-2017-7632 @@ -55023,7 +55023,7 @@ CVE-2017-6154 (On F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, or 11.6.1 CVE-2017-6153 RESERVED CVE-2017-6152 (A local user on F5 BIG-IQ Centralized Management 5.1.0-5.2.0 with the ...) - TODO: check +
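Review bot: at @@ -8648 the three Siemens entries become "NOT-FOR-US: Siemens" while the neighbouring entries name the product ("NOT-FOR-US: Siemens / TeleControl Server Basic"); the descriptions mention DIGSI 4 and the EN100 Ethernet module, so recording those keeps the labels consistent for grep-based triage. The IBM and EMC hunks at @@ -16802, @@ -16914 and @@ -17983 have the same mix of bare vendor labels next to product-specific ones.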
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add several new ming issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61b46756 by Salvatore Bonaccorso at 2018-03-08T22:31:55+01:00 Add several new ming issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -21,29 +21,41 @@ CVE-2018-7879 CVE-2018-7878 RESERVED CVE-2018-7877 (There is a heap-based buffer overflow in the getString function of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/110 CVE-2018-7876 (In libming 0.4.8, a memory exhaustion vulnerability was found in the ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/109 CVE-2018-7875 (There is a heap-based buffer over-read in the getString function of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/112 CVE-2018-7874 (An invalid memory address dereference was discovered in strlenext in ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/115 CVE-2018-7873 (There is a heap-based buffer overflow in the getString function of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/111 CVE-2018-7872 (An invalid memory address dereference was discovered in the function ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/114 CVE-2018-7871 (There is a heap-based buffer over-read in the getName function of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/120 CVE-2018-7870 (An invalid memory address dereference was discovered in getString in ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/117 CVE-2018-7869 (There is a memory leak triggered in the function dcinit of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/119 CVE-2018-7868 (There is a heap-based buffer over-read in the getName function of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/113 CVE-2018-7867 (There is a heap-based buffer overflow in the getString function of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/116 CVE-2018-7866 (A NULL pointer dereference was discovered in newVar3 in ...) 
- TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/118 CVE-2018-7865 RESERVED CVE-2018-7864 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61b46756e619554abdcc54d603bbb84e7995ed89 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61b46756e619554abdcc54d603bbb84e7995ed89 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
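Review bot: the twelve "- ming" entries at @@ -21 link to GitHub issue reports, not fixes, and the issue numbers do not follow the CVE order (CVE-2018-7877 to issue 110, 7876 to 109, 7875 to 112, 7874 to 115, and so on), so each link should be checked against the function named in the CVE description before the mapping is relied on; none of the entries has a fixed version or severity, and ming is on data/dla-needed.txt with a noted backlog, so these add to it.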
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7757/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c8035ac8 by Salvatore Bonaccorso at 2018-03-08T22:23:56+01:00 Add CVE-2018-7757/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -261,7 +261,8 @@ CVE-2018-7759 CVE-2018-7758 RESERVED CVE-2018-7757 (Memory leak in the sas_smp_get_phy_events function in ...) - TODO: check + - linux + NOTE: Fixed by: https://git.kernel.org/linus/4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 (4.16-rc1) CVE-2017-18222 (In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does ...) - linux 4.12.6-1 NOTE: Fixed by: https://git.kernel.org/linus/412b65d15a7f8a93794653968308fc100f2aa87c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c8035ac8229862071fe88a2c760d96de23d77e86 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c8035ac8229862071fe88a2c760d96de23d77e86 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
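Review bot: the "Fixed by:" NOTE at @@ -261 gives the upstream commit and the 4.16-rc1 tag, but "- linux" has no fixed Debian version and there are no [stretch] or [jessie] lines; the form used for CVE-2017-18208 elsewhere on this page ("[stretch] - linux 4.9.80-1") is what to fill in once the stable backports are known.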
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18222/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ddf6d8fd by Salvatore Bonaccorso at 2018-03-08T22:18:48+01:00 Add CVE-2017-18222/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -263,7 +263,8 @@ CVE-2018-7758 CVE-2018-7757 (Memory leak in the sas_smp_get_phy_events function in ...) TODO: check CVE-2017-18222 (In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) does ...) - TODO: check + - linux 4.12.6-1 + NOTE: Fixed by: https://git.kernel.org/linus/412b65d15a7f8a93794653968308fc100f2aa87c CVE-2018-7756 RESERVED CVE-2018-7755 (An issue was discovered in the fd_locked_ioctl function in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ddf6d8fd2c807de2e47b11d958b4c0712026c0ee --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ddf6d8fd2c807de2e47b11d958b4c0712026c0ee You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
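Review bot: "- linux 4.12.6-1" at @@ -263 records the unstable fixed version, but the CVE text says kernels before 4.12 are affected and the entry has no [stretch] or [jessie] line; stretch ships 4.9 (see "[stretch] - linux 4.9.80-1" on this page), so either a stretch fixed version or a reason it is not affected should be recorded.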
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fdbd0d2 by security tracker role at 2018-03-08T21:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,3 +1,269 @@ +CVE-2018-7888 + RESERVED +CVE-2018-7887 + RESERVED +CVE-2018-7886 + RESERVED +CVE-2018-7885 + RESERVED +CVE-2018-7884 + RESERVED +CVE-2018-7883 + RESERVED +CVE-2018-7882 + RESERVED +CVE-2018-7881 + RESERVED +CVE-2018-7880 + RESERVED +CVE-2018-7879 + RESERVED +CVE-2018-7878 + RESERVED +CVE-2018-7877 (There is a heap-based buffer overflow in the getString function of ...) + TODO: check +CVE-2018-7876 (In libming 0.4.8, a memory exhaustion vulnerability was found in the ...) + TODO: check +CVE-2018-7875 (There is a heap-based buffer over-read in the getString function of ...) + TODO: check +CVE-2018-7874 (An invalid memory address dereference was discovered in strlenext in ...) + TODO: check +CVE-2018-7873 (There is a heap-based buffer overflow in the getString function of ...) + TODO: check +CVE-2018-7872 (An invalid memory address dereference was discovered in the function ...) + TODO: check +CVE-2018-7871 (There is a heap-based buffer over-read in the getName function of ...) + TODO: check +CVE-2018-7870 (An invalid memory address dereference was discovered in getString in ...) + TODO: check +CVE-2018-7869 (There is a memory leak triggered in the function dcinit of ...) + TODO: check +CVE-2018-7868 (There is a heap-based buffer over-read in the getName function of ...) + TODO: check +CVE-2018-7867 (There is a heap-based buffer overflow in the getString function of ...) + TODO: check +CVE-2018-7866 (A NULL pointer dereference was discovered in newVar3 in ...) 
+ TODO: check +CVE-2018-7865 + RESERVED +CVE-2018-7864 + RESERVED +CVE-2018-7863 + RESERVED +CVE-2018-7862 + RESERVED +CVE-2018-7861 + RESERVED +CVE-2018-7860 + RESERVED +CVE-2018-7859 + RESERVED +CVE-2018-7858 + RESERVED +CVE-2018-7857 + RESERVED +CVE-2018-7856 + RESERVED +CVE-2018-7855 + RESERVED +CVE-2018-7854 + RESERVED +CVE-2018-7853 + RESERVED +CVE-2018-7852 + RESERVED +CVE-2018-7851 + RESERVED +CVE-2018-7850 + RESERVED +CVE-2018-7849 + RESERVED +CVE-2018-7848 + RESERVED +CVE-2018-7847 + RESERVED +CVE-2018-7846 + RESERVED +CVE-2018-7845 + RESERVED +CVE-2018-7844 + RESERVED +CVE-2018-7843 + RESERVED +CVE-2018-7842 + RESERVED +CVE-2018-7841 + RESERVED +CVE-2018-7840 + RESERVED +CVE-2018-7839 + RESERVED +CVE-2018-7838 + RESERVED +CVE-2018-7837 + RESERVED +CVE-2018-7836 + RESERVED +CVE-2018-7835 + RESERVED +CVE-2018-7834 + RESERVED +CVE-2018-7833 + RESERVED +CVE-2018-7832 + RESERVED +CVE-2018-7831 + RESERVED +CVE-2018-7830 + RESERVED +CVE-2018-7829 + RESERVED +CVE-2018-7828 + RESERVED +CVE-2018-7827 + RESERVED +CVE-2018-7826 + RESERVED +CVE-2018-7825 + RESERVED +CVE-2018-7824 + RESERVED +CVE-2018-7823 + RESERVED +CVE-2018-7822 + RESERVED +CVE-2018-7821 + RESERVED +CVE-2018-7820 + RESERVED +CVE-2018-7819 + RESERVED +CVE-2018-7818 + RESERVED +CVE-2018-7817 + RESERVED +CVE-2018-7816 + RESERVED +CVE-2018-7815 + RESERVED +CVE-2018-7814 + RESERVED +CVE-2018-7813 + RESERVED +CVE-2018-7812 + RESERVED +CVE-2018-7811 + RESERVED +CVE-2018-7810 + RESERVED +CVE-2018-7809 + RESERVED +CVE-2018-7808 + RESERVED +CVE-2018-7807 + RESERVED +CVE-2018-7806 + RESERVED +CVE-2018-7805 + RESERVED +CVE-2018-7804 + RESERVED +CVE-2018-7803 + RESERVED +CVE-2018-7802 + RESERVED +CVE-2018-7801 + RESERVED +CVE-2018-7800 + RESERVED +CVE-2018-7799 + RESERVED +CVE-2018-7798 + RESERVED +CVE-2018-7797 + RESERVED +CVE-2018-7796 + RESERVED +CVE-2018-7795 + RESERVED +CVE-2018-7794 + RESERVED +CVE-2018-7793 + RESERVED +CVE-2018-7792 + RESERVED +CVE-2018-7791 + RESERVED +CVE-2018-7790 + RESERVED 
+CVE-2018-7789 + RESERVED +CVE-2018-7788 + RESERVED +CVE-2018-7787 + RESERVED +CVE-2018-7786 + RESERVED +CVE-2018-7785 + RESERVED +CVE-2018-7784 + RESERVED +CVE-2018-7783 + RESERVED +CVE-2018-7782 + RESERVED +CVE-2018-7781 + RESERVED +CVE-2018-7780 + RESERVED +CVE-2018-7779 + RESERVED +CVE-2018-7778 + RESERVED +CVE-2018- + RESERVED +CVE-2018-7776 + RESERVED +CVE-2018-7775 + RESERVED +CVE-2018-7774 + RESERVED +CVE-2018-7773 +
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2015-8855
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 42c2802c by Salvatore Bonaccorso at 2018-03-08T22:08:51+01:00 Add fixed version for CVE-2015-8855 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -119310,7 +119310,7 @@ CVE-2015-3011 (Multiple cross-site scripting (XSS) vulnerabilities in the contac NOTE: owncloud-contacts fixed in 0.3.0.18+8.0.0+dfsg-1 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2015-001 CVE-2015-8855 (The semver package before 4.3.2 for Node.js allows attackers to cause ...) - - node-semver (unimportant) + - node-semver 5.3.0-1 (unimportant) NOTE: https://nodesecurity.io/advisories/semver_redos NOTE: https://github.com/npm/npm/releases/tag/v2.7.5 NOTE: libv8 is not covered by security support View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42c2802ceb865bedfef91a7431f50dfe2b5fa489 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42c2802ceb865bedfef91a7431f50dfe2b5fa489 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
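Review bot: the fixed version 5.3.0-1 at @@ -119310 is well above the 4.3.2 threshold in the CVE text and nothing in the entry says why that upload is the fix point (first Debian upload at or above 4.3.2?); a one-line NOTE would make the choice verifiable, and the retained "libv8 is not covered by security support" NOTE does not mention node-semver, so the reason for "(unimportant)" should be stated in terms of the tracked package.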
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7290, NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7251faa by Salvatore Bonaccorso at 2018-03-08T22:01:45+01:00 Add CVE-2018-7290, NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1479,8 +1479,9 @@ CVE-2018-7292 RESERVED CVE-2018-7291 RESERVED -CVE-2018-7290 +CVE-2018-7290 [Stored XSS vulnerability] RESERVED + NOT-FOR-US: Tiki CVE-2018-7289 (An issue was discovered in armadito-windows-driver/src/communication.c ...) NOT-FOR-US: Armadito CVE-2018-7288 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f7251faab0ad42cddae0df8edd30567c2c4aac20 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f7251faab0ad42cddae0df8edd30567c2c4aac20 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update reference for CVE-2018-7550
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 933990d8 by Salvatore Bonaccorso at 2018-03-08T21:58:15+01:00 Update reference for CVE-2018-7550 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -668,7 +668,7 @@ CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that le CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ...) - qemu (bug #892041) - qemu-kvm - NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html + NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg01885.html CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) - zsh (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/933990d8b6bbcc192c4e1c4f96b5da11b121ab6f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/933990d8b6bbcc192c4e1c4f96b5da11b121ab6f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
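Review bot: the NOTE at @@ -668 replaces the February qemu-devel posting with the March one instead of adding it, so the entry no longer shows which revision of the patch was reviewed; keep both URLs, or replace the list posting with the merged commit once it exists, rather than swapping silently.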
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Fix note for CVE-2017-7427
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f41ca59 by Salvatore Bonaccorso at 2018-03-08T21:57:32+01:00 Fix note for CVE-2017-7427 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -50702,7 +50702,7 @@ CVE-2017-7429 (The certificate upload in NetIQ eDirectory PKI plugin before 8.8. CVE-2017-7428 (NetIQ iManager 3.x before 3.0.3.1 has an issue in the renegotiation of ...) NOT-FOR-US: NetIQ iManager CVE-2017-7427 (Multiple cross site scripting attacks were found in the Identity ...) -0 NOT-FOR-US: NetIQ Identity Manager Plug-in, + NOT-FOR-US: NetIQ Identity Manager Plug-in CVE-2017-7426 (The NetIQ Identity Manager Plugins before 4.6.1 contained various XML ...) NOT-FOR-US: NetIQ Identity Manager Plugins CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f41ca598e92201f43d7b5d7e51d8592690ec6ce --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f41ca598e92201f43d7b5d7e51d8592690ec6ce You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
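The stray "0" and trailing comma that this commit removes are the kind of defect a format check catches before the push. What follows is an added example, not the tracker's own tooling and not code from any commit on this page: a small Python parser for the data/CVE/list format as it appears in the hunks quoted here (an unindented CVE header with an optional "(description)" or "[note]", then indented RESERVED/REJECTED, "- package version (qualifier)" lines with an optional "[release]" prefix, NOT-FOR-US, NOTE and TODO lines). It classifies each entry's triage state and reports entries that are still "TODO: check" or syntactically broken. The grammar is inferred from these hunks and is an assumption; the version slot also accepts angle-bracket state tokens such as <unfixed> or <no-dsa>, which the tracker uses but which are not visible in the hunks quoted here. The sample input is constructed from entries quoted on the page and includes the malformed NetIQ line.

```python
"""Added example: a minimal checker for the Debian security tracker's
data/CVE/list format.  Not the tracker's own tooling; the grammar is
inferred from the hunks quoted on this page and is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^(CVE-\d{4}-\d{4,})(?:\s+(?:\(.*\)|\[.*\]))?$")  # "CVE-... (desc)" or "[note]"
PKG_RE = re.compile(  # "[release] - srcpkg version (qualifier)"; everything but "- srcpkg" is optional
    r"^(?:\[(?P<rel>[a-z]+)\]\s+)?-\s+(?P<pkg>[a-z0-9][a-z0-9+.-]*)"
    r"(?:\s+(?P<ver>[0-9][^\s(]*|<[a-z-]+>))?"  # "0.18.7-1", or a state token such as "<unfixed>"
    r"(?:\s+\((?P<tag>[^()]*)\))?$"  # "(low)", "(Minor issue)", "(bug #892041)"
)

@dataclass
class Entry:
    cve: str
    pkgs: List[dict] = field(default_factory=list)  # dicts with keys rel, pkg, ver, tag
    nfu: Optional[str] = None
    status: Optional[str] = None  # RESERVED / REJECTED
    todo: bool = False
    problems: List[str] = field(default_factory=list)

def parse_cve_list(text: str) -> List[Entry]:
    """Parse into entries; a malformed line is recorded on its entry rather than raised."""
    entries: List[Entry] = []
    cur: Optional[Entry] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = HEADER_RE.match(raw.rstrip())
            if m:
                cur = Entry(cve=m.group(1))
                entries.append(cur)
                continue
        if cur is None:
            raise ValueError(f"line {lineno}: expected a CVE header, got {raw!r}")
        if not raw[0].isspace():  # e.g. the stray "0 NOT-FOR-US: ..." that commit 0f41ca59 removes
            cur.problems.append(f"line {lineno}: not a CVE header: {raw!r}")
            continue
        body = raw.strip()
        if body in ("RESERVED", "REJECTED"):
            cur.status = body
        elif body.startswith("NOT-FOR-US:"):
            cur.nfu = body[len("NOT-FOR-US:"):].strip()
        elif body == "TODO: check":
            cur.todo = True
        elif not body.startswith("NOTE:"):  # NOTE lines are free text and are not checked
            m = PKG_RE.match(body)
            if m:
                cur.pkgs.append(m.groupdict())
            else:
                cur.problems.append(f"line {lineno}: unrecognised line {body!r}")
    return entries

def triage_state(e: Entry) -> str:
    """One word per entry: malformed, todo, nfu, reserved, untriaged, fixed or unfixed."""
    if e.problems:
        return "malformed"
    if e.todo:
        return "todo"
    if e.nfu:
        return "nfu"
    main = [p for p in e.pkgs if p["rel"] is None]  # package lines without a [release] prefix
    if not main:
        return "reserved" if e.status == "RESERVED" else "untriaged"
    if all(p["ver"] and not p["ver"].startswith("<") for p in main):
        return "fixed"
    return "unfixed"

def summarize(text: str) -> Dict[str, str]:
    return {e.cve: triage_state(e) for e in parse_cve_list(text)}

def needs_attention(text: str) -> List[str]:
    """CVE ids a triager still has to look at: TODO entries and syntactically broken ones."""
    return sorted(c for c, s in summarize(text).items() if s in ("todo", "malformed"))

# Constructed sample built from entries quoted on this page (not a real excerpt of the file).
SAMPLE = """\
CVE-2018-7290 [Stored XSS vulnerability]
\tRESERVED
\tNOT-FOR-US: Tiki
CVE-2018-5802 [Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp]
\t- libraw 0.18.7-1
\tNOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt
CVE-2018-7731 (An issue was discovered in Exempi through 2.4.4. ...)
\t- exempi (low)
\t[stretch] - exempi (Minor issue)
CVE-2018-7877 (There is a heap-based buffer overflow in the getString function of ...)
\tTODO: check
CVE-2018-7865
\tRESERVED
CVE-2017-7427 (Multiple cross site scripting attacks were found in the Identity ...)
0\tNOT-FOR-US: NetIQ Identity Manager Plug-in,
CVE-2015-8855 (The semver package before 4.3.2 for Node.js allows attackers to cause ...)
\t- node-semver 5.3.0-1 (unimportant)
"""
```

Running summarize(SAMPLE) yields nfu, fixed, unfixed, todo, reserved, malformed and fixed for the seven entries in order, and needs_attention(SAMPLE) lists CVE-2017-7427 and CVE-2018-7877. Lines that should be indented but are not (the NetIQ case) are attributed to the preceding entry rather than silently starting a new one, which is the behaviour a pre-push check wants.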
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f3127a92 by Moritz Muehlenhoff at 2018-03-08T21:46:00+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -592,7 +592,7 @@ CVE-2017-18208 (The madvise_willneed function in mm/madvise.c in the Linux kerne [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91 CVE-2017-18207 (** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py ...) - TODO: check + NOTE: Nonsense report for Python CVE-2018-1000103 - jenkins CVE-2018-1000102 @@ -1838,7 +1838,7 @@ CVE-2018-7208 (In the coff_pointerize_aux function in coffgen.c in the Binary Fi CVE-2018-7207 REJECTED CVE-2018-7206 (An issue was discovered in Project Jupyter JupyterHub OAuthenticator ...) - TODO: check + NOT-FOR-US: JupyterHub CVE-2018-7205 (** DISPUTED ** Reflected Cross-Site Scripting vulnerability in ...) NOT-FOR-US: Kentico CVE-2018-7204 (inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for ...) @@ -26264,7 +26264,7 @@ CVE-2017-15368 (The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2. NOTE: https://github.com/radare/radare2/issues/8673 NOTE: https://github.com/radare/radare2/commit/52b1526443c1f433087928291d1c3d37a5600515 CVE-2017-15367 (Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection ...) - TODO: check + NOT-FOR-US: Bacula-Web CVE-2017-15366 (Before Thornberry NDoc version 8.0, laptop clients and the server have ...) NOT-FOR-US: Thornberry NDoc CVE-2017-15365 (sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before ...) 
@@ -50702,7 +50702,7 @@ CVE-2017-7429 (The certificate upload in NetIQ eDirectory PKI plugin before 8.8. CVE-2017-7428 (NetIQ iManager 3.x before 3.0.3.1 has an issue in the renegotiation of ...) NOT-FOR-US: NetIQ iManager CVE-2017-7427 (Multiple cross site scripting attacks were found in the Identity ...) - TODO: check +0 NOT-FOR-US: NetIQ Identity Manager Plug-in, CVE-2017-7426 (The NetIQ Identity Manager Plugins before 4.6.1 contained various XML ...) NOT-FOR-US: NetIQ Identity Manager Plugins CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager ...) @@ -54391,9 +54391,9 @@ CVE-2017-6298 (An issue was discovered in ytnef before 1.9.1. This is related to CVE-2017-6297 (The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does ...) NOT-FOR-US: MikroTik RouterOS CVE-2017-6296 (NVIDIA TrustZone Software contains a TOCTOU issue in the DRM ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2017-6295 (NVIDIA TrustZone Software contains a vulnerability in the Keymaster ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2017-6294 RESERVED CVE-2017-6293 @@ -54415,11 +54415,11 @@ CVE-2017-6286 CVE-2017-6285 RESERVED CVE-2017-6284 (NVIDIA Security Engine contains a vulnerability in the Deterministic ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2017-6283 (NVIDIA Security Engine contains a vulnerability in the RSA function ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2017-6282 (NVIDIA Tegra kernel driver contains a vulnerability in NVMAP where an ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2017-6281 RESERVED CVE-2017-6280 (NVIDIA driver contains a possible out-of-bounds read vulnerability due ...) 
@@ -54431,7 +54431,7 @@ CVE-2017-6278 CVE-2017-6277 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6276 (NVIDIA mediaserver contains a vulnerability where it is possible a use ...) - TODO: check + NOT-FOR-US: NVIDIA CVE-2017-6275 (An information disclosure vulnerability exists in the Thermal Driver, ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-6274 (An elevation of Privilege vulnerability exists in the Thermal Driver, ...) @@ -67790,7 +67790,7 @@ CVE-2017-1656 CVE-2017-1655 RESERVED CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2.0 - 4.2.3 could allow a local ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1653 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management ...) NOT-FOR-US: IBM Jazz Foundation CVE-2017-1652 @@ -130639,7 +130639,7 @@ CVE-2014-8782 CVE-2014-8781 RESERVED CVE-2014-8780 (Cross-site scripting (XSS) vulnerability in Jease 2.11 allows remote ...) - TODO: check + NOT-FOR-US: Jease CVE-2014-8779 (Pexip Infinity before 8 uses the same SSH host keys across different ...) NOT-FOR-US: Pexip Infinity CVE-2014-8778 (Checkmarx CxSAST (formerly CxSuite) before 7.1.8 allows remote
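Review bot: the CVE-2017-7427 line in the hunk at @@ -50702 carries a stray leading 0 and a trailing comma (+0 NOT-FOR-US: NetIQ Identity Manager Plug-in,); the 0 sits where the indentation of every other entry goes and the comma is not part of the product name, so the line should match the neighbouring CVE-2017-7426 entry (NOT-FOR-US: NetIQ Identity Manager Plugins), spelling included.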
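Review bot: in the first hunk (@@ -592) CVE-2017-18207 is dismissed with only a NOTE line (Nonsense report for Python) and no package or NOT-FOR-US line, unlike every other entry touched by this commit; an entry carrying nothing but a NOTE still reads as unprocessed, so record an explicit state for the affected Python source packages next to the note, and say in one clause why the report is wrong, so the next person does not re-open the TODO.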
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] exempi, libcdio, python-crypto, mp4v2 no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ca2d576 by Moritz Muehlenhoff at 2018-03-08T21:38:37+01:00 exempi, libcdio, python-crypto, mp4v2 no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -71,21 +71,28 @@ CVE-2018-7733 (An issue was discovered in YxtCMF 3.1. RbacController.class.php h CVE-2018-7732 (An issue was discovered in YxtCMF 3.1. SQL Injection exists in ...) NOT-FOR-US: YxtCMF CVE-2018-7731 (An issue was discovered in Exempi through 2.4.4. ...) - - exempi + - exempi (low) + [stretch] - exempi (Minor issue) [jessie] - exempi (Vulnerable code introduced later) [wheezy] - exempi (Vulnerable code introduced later) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105247 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=aabedb5e749dd59112a3fe1e8e08f2d934f5 CVE-2018-7730 (An issue was discovered in Exempi through 2.4.4. A certain case of a ...) - - exempi + - exempi (low) + [stretch] - exempi (Minor issue) + [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105204 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=6cbd34025e5fd3ba47b29b602096e456507ce83b CVE-2018-7729 (An issue was discovered in Exempi through 2.4.4. There is a stack-based ...) - - exempi + - exempi (low) + [stretch] - exempi (Minor issue) + [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105206 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=baa4b8a02c1ffab9645d13f0bfb1c0d10d311a0c CVE-2018-7728 (An issue was discovered in Exempi through 2.4.4. ...) - - exempi + - exempi (low) + [stretch] - exempi (Minor issue) + [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105205 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=e163667a06a9b656a047b0ec660b871f29a83c9f CVE-2018-7727 (An issue was discovered in ZZIPlib 0.13.68. There is a memory leak ...) 
@@ -991,10 +998,14 @@ CVE-2018-7445 CVE-2018-7444 RESERVED CVE-2017-18199 (realloc_symlink in rock.c in GNU libcdio before 1.0.0 allows remote ...) - - libcdio 1.0.0-1 + - libcdio 1.0.0-1 (low) + [stretch] - libcdio (Minor issue) + [jessie] - libcdio (Minor issue) NOTE: https://savannah.gnu.org/bugs/?52264 CVE-2017-18198 (print_iso9660_recurse in iso-info.c in GNU libcdio before 1.0.0 allows ...) - - libcdio 1.0.0-1 + - libcdio 1.0.0-1 (low) + [stretch] - libcdio (Minor issue) + [jessie] - libcdio (Minor issue) NOTE: https://savannah.gnu.org/bugs/?52265 CVE-2017-18197 (In mxGraphViewImageReader.java in mxGraph before 3.7.6, the ...) {DLA-1299-1} @@ -1252,7 +1263,9 @@ CVE-2018-7341 CVE-2018-7340 RESERVED CVE-2018-7339 (The MP4Atom class in mp4atom.cpp in MP4v2 through 2.0.0 mishandles ...) - - mp4v2 + - mp4v2 (low) + [stretch] - mp4v2 (Minor issue) + [jessie] - mp4v2 (Minor issue) NOTE: https://github.com/pingsuewim/libmp4_bof CVE-2017-18194 (SQL injection vulnerability in users/signup.php in the signup ...) NOT-FOR-US: HamayeshNegar CMS @@ -1523,6 +1536,8 @@ CVE-2018-186 CVE-2018-185 [Out-of-bounds heap read in XAR parser] RESERVED - clamav 0.99.3~beta1+dfsg-1 + [stretch] - clamav (clamav is updated via -updates) + [jessie] - clamav (clamav is updated via -updates) NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6 NOTE: http://www.openwall.com/lists/oss-security/2017/09/29/4 CVE-2018-184 
@@ -3468,6 +3483,8 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generat {DLA-1283-1} - pycryptodome 3.4.11-1 (bug #889998) - python-crypto (bug #88) + [stretch] - python-crypto (Minor issue) + [jessie] - python-crypto (Minor issue) NOTE: PyCrypto: https://github.com/dlitz/pycrypto/issues/253 NOTE: The issue is found as well in pycryptodome (fork from python-crypto) NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ca2d576c37ef6b5f56ec136fea4a3cde1e78852 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ca2d576c37ef6b5f56ec136fea4a3cde1e78852 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org
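Review bot: CVE-2018-7731 already carries a [wheezy] line, but the three other exempi entries in the same hunk (CVE-2018-7730, CVE-2018-7729, CVE-2018-7728) and the libcdio and mp4v2 entries in the following hunks receive only [stretch] and [jessie] annotations; since wheezy is triaged for 7731, add the wheezy state for the others as well, or add a NOTE that the LTS triage is still pending, so the entries for the same upstream issue set do not diverge.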
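Review bot: the hunk at @@ -1523 adds [stretch] and [jessie] annotations for CVE-2018-185 (clamav), but the commit message lists only exempi, libcdio, python-crypto and mp4v2; name clamav in the message too, or split that hunk into its own commit, so the per-package history stays searchable.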
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Triage CVE-2018-7726 & CVE-2018-7727 (zziplib) for wheezy.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4684c467 by Chris Lamb at 2018-03-08T07:08:54-08:00 Triage CVE-2018-7726 CVE-2018-7727 (zziplib) for wheezy. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -92,11 +92,13 @@ CVE-2018-7727 (An issue was discovered in ZZIPlib 0.13.68. There is a memory lea - zziplib (low) [stretch] - zziplib (Minor issue) [jessie] - zziplib (Minor issue) + [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/40 CVE-2018-7726 (An issue was discovered in ZZIPlib 0.13.68. There is a bus error caused ...) - zziplib (low) [stretch] - zziplib (Minor issue) [jessie] - zziplib (Minor issue) + [wheezy] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/41 CVE-2018-7725 (An issue was discovered in ZZIPlib 0.13.68. An invalid memory address ...) - zziplib (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4684c4676f63df8a10eba562685a67241cd9e96f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4684c4676f63df8a10eba562685a67241cd9e96f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add upstream issue link note for CVE-2018-7712, CVE-2018-7713, CVE-2018-7714/opencv
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 090d6ca6 by Santiago R.R at 2018-03-08T14:35:20+01:00 Add upstream issue link note for CVE-2018-7712,CVE-2018-7713,CVE-2018-7714/opencv Signed-off-by: Santiago R.R santiag...@riseup.net - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -147,14 +147,17 @@ CVE-2018-7715 (PrivateVPN 2.0.31 for macOS suffers from a root privilege escalat CVE-2018-7714 (The validateInputImageSize function in ...) - opencv NOTE: https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert + NOTE: https://github.com/opencv/opencv/issues/10998 TODO: check CVE-2018-7713 (The validateInputImageSize function in ...) - opencv NOTE: https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert + NOTE: https://github.com/opencv/opencv/issues/10998 TODO: check CVE-2018-7712 (The validateInputImageSize function in ...) - opencv NOTE: https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert + NOTE: https://github.com/opencv/opencv/issues/10998 TODO: check CVE-2018-7710 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/090d6ca689b397b0b77e127a26de073f6090f9da --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/090d6ca689b397b0b77e127a26de073f6090f9da You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
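Review bot: all three opencv entries keep their TODO: check line after gaining the upstream issue link, so they still show as untriaged; the only other reference on each entry is a proof-of-concept tree named dos-by-assert, so once the linked upstream issue settles whether these are assertion-triggered crashes, record the resolution (severity and no-dsa, or not-affected) in place of the TODO rather than leaving both.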
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new adminer issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 52c94b09 by Moritz Muehlenhoff at 2018-03-08T12:04:48+01:00 new adminer issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -265,7 +265,7 @@ CVE-2018-7669 CVE-2018-7668 (TestLink through 1.9.16 allows remote attackers to read arbitrary ...) NOT-FOR-US: TestLink CVE-2018-7667 (Adminer through 4.3.1 has SSRF via the server parameter. ...) - TODO: check + - adminer CVE-2018-7666 (An issue was discovered in ClipBucket before 4.0.0 Release 4902. SQL ...) NOT-FOR-US: ClipBucket CVE-2018-7665 (An issue was discovered in ClipBucket before 4.0.0 Release 4902. A ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/52c94b09b6685f4017ca041b9209986a11296ae8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/52c94b09b6685f4017ca041b9209986a11296ae8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
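Review bot: the CVE-2018-7667 hunk replaces TODO: check with a bare "- adminer" line and nothing else; the neighbouring entries that claim a package carry a NOTE with the upstream report or fix and usually a bug number, so add a NOTE pointing at the upstream SSRF report or fix (and file a bug against adminer) so the unfixed state can be followed up.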
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f629490 by Moritz Muehlenhoff at 2018-03-08T11:38:12+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -237,7 +237,7 @@ CVE-2018-7677 CVE-2018-7676 RESERVED CVE-2018-7675 (In NetIQ Sentinel before 8.1.x, a Sentinel user is logged into the ...) - TODO: check + NOT-FOR-US: NetIQ Sentinel CVE-2018-7674 RESERVED CVE-2018-7673 @@ -907,7 +907,7 @@ CVE-2018-7475 CVE-2018-7474 RESERVED CVE-2018-7473 (Open redirect vulnerability in the SO Connect SO WIFI hotspot web ...) - TODO: check + NOT-FOR-US: SO Connect SO WIFI CVE-2018-7472 (INVT Studio 1.2 allows remote attackers to cause a denial of service ...) NOT-FOR-US: INVT Studio CVE-2018-7471 (KingView 7.5SP1 has an integer overflow during stgopenstorage API read ...) @@ -1647,7 +1647,7 @@ CVE-2018-7266 CVE-2018-7265 (Shimmie 2 2.6.0 allows an attacker to upload a crafted SVG file that ...) NOT-FOR-US: Shimmie CVE-2018-7264 (The Pictview image processing library embedded in the ActivePDF ...) - TODO: check + NOT-FOR-US: ActivePDF CVE-2004-2779 (id3_utf16_deserialize() in utf16.c in libid3tag through 0.15.1b ...) - libid3tag 0.15.1b-5 (bug #304913) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=162647 @@ -1822,7 +1822,7 @@ CVE-2018-7206 (An issue was discovered in Project Jupyter JupyterHub OAuthentica CVE-2018-7205 (** DISPUTED ** Reflected Cross-Site Scripting vulnerability in ...) NOT-FOR-US: Kentico CVE-2018-7204 (inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-7203 RESERVED CVE-2018-7202 
@@ -2448,7 +2448,7 @@ CVE-2018-6949 CVE-2018-6948 (In CCN-lite 2, the function ccnl_prefix_to_str_detailed can cause a ...) NOT-FOR-US: CCN-lite 2 CVE-2018-6947 (An uninitialised stack variable in the nxfuse component that is part ...) - TODO: check + NOT-FOR-US: DokanFS CVE-2018-6946 RESERVED CVE-2018-6945 @@ -3184,7 +3184,7 @@ CVE-2018-6655 (PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS via an CVE-2018-6654 (The Grammarly extension before 2018-02-02 for Chrome allows remote ...) NOT-FOR-US: Grammarly extension for Chrome CVE-2018-6653 (comforte SWAP 1049 through 1069 and 20.0.0 through 21.5.3 (as used in ...) - TODO: check + NOT-FOR-US: comforte SWAP CVE-2018-6652 RESERVED CVE-2018-6651 (In the uncurl_ws_accept function in uncurl.c in uncurl before 0.07, as ...) @@ -3473,7 +3473,7 @@ CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Imp CVE-2018-6592 (Unisys Stealth Windows endpoints before 3.3.016.1 allow local users to ...) NOT-FOR-US: Unisys Stealth Windows endpoints CVE-2018-6591 (Converse.js and Inverse.js through 3.3 allow remote attackers to obtain ...) - TODO: check + NOT-FOR-US: Converse.js CVE-2018-6590 RESERVED CVE-2018-6589 @@ -6680,7 +6680,7 @@ CVE-2018-5454 CVE-2018-5453 (An Improper Handling of Length Parameter Inconsistency issue was ...) NOT-FOR-US: Moxa CVE-2018-5452 (A Stack-based Buffer Overflow issue was discovered in Emerson Process ...) - TODO: check + NOT-FOR-US: Emerson Process Management ControlWave Micro Process Automation Controller CVE-2018-5451 RESERVED CVE-2018-5450 @@ -17053,7 +17053,7 @@ CVE-2018-1345 CVE-2018-1344 RESERVED CVE-2018-1343 (PAM exposure enabling unauthenticated access to remote host ...) - TODO: check + NOT-FOR-US: NetIQ CVE-2018-1342 (A Vulnerability exists on Admin Console where an attacker can upload ...) NOT-FOR-US: NetIQ Access Manager CVE-2018-1341 
@@ -17400,7 +17400,7 @@ CVE-2018-1318 CVE-2018-1317 RESERVED CVE-2018-1316 (The ODE process deployment web service was sensible to deployment ...) - TODO: check + NOT-FOR-US: Apache ODE CVE-2018-1315 RESERVED CVE-2018-1314 @@ -21374,7 +21374,7 @@ CVE-2017-16924 (Remote Information Disclosure and Escalation of Privileges in .. CVE-2017-16923 (Command Injection vulnerability in app_data_center on Shenzhen Tenda ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16922 (In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza ...) - TODO: check + NOT-FOR-US: Wowza CVE-2017-16921 (In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including ...) {DSA-4066-1 DLA-1212-1} - otrs2 6.0.2-1 (bug #883774) @@ -25703,7 +25703,7 @@ CVE-2017-15521 CVE-2017-15520 REJECTED CVE-2017-15519 (Versions of SnapCenter 2.0 through 3.0.1 allow unauthenticated remote ...) - TODO: check + NOT-FOR-US: SnapCenter
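Review bot: the CVE-2018-7204 hunk (@@ -1822) tags the entry NOT-FOR-US: Wordpress plugin, while every other NOT-FOR-US line in this commit names the product; use the plugin name from the description (Giribaz File Manager plugin for WordPress) so the tag identifies what was checked.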
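Review bot: the CVE-2018-1343 hunk (@@ -17053) tags the entry NOT-FOR-US: NetIQ, but the visible description (PAM exposure enabling unauthenticated access to remote host ...) names no vendor or product, so the tag cannot be checked against it; name the affected NetIQ product the way the neighbouring CVE-2018-1342 entry does (NetIQ Access Manager).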
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7755/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d18c59b1 by Salvatore Bonaccorso at 2018-03-08T10:58:27+01:00 Add CVE-2018-7755/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,8 @@ CVE-2018-7756 RESERVED CVE-2018-7755 (An issue was discovered in the fd_locked_ioctl function in ...) - TODO: check + - linux + NOTE: https://lkml.org/lkml/2018/3/7/1116 CVE-2018-7754 RESERVED CVE-2018-7751 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d18c59b1f9b211415318b434bb9cbd0922b8771d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d18c59b1f9b211415318b434bb9cbd0922b8771d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 692d1840 by Moritz Muehlenhoff at 2018-03-08T10:39:48+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -18769,33 +18769,33 @@ CVE-2017-17146 CVE-2017-17145 RESERVED CVE-2017-17144 (Backup feature of SIP module in Huawei DP300 V500R002C00; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17143 (SIP module in Huawei DP300 V500R002C00; V500R002C00SPC100; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17142 (SIP module in Huawei DP300 V500R002C00; V500R002C00SPC100; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17141 (Huawei S12700 V200R005C00; V200R006C00; V200R007C00; V200R007C01; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17140 (Huawei Enjoy 5s and Y6 Pro smartphones with software the versions ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17139 (Huawei Mate 9 and Mate 9 pro smart phones with software the versions ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17138 (PEM module of DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17137 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17136 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17135 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17134 (XML parser in Huawei DP300 V500R002C00; RP200 V500R002C00SPC200; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17133 (Huawei VP9660 V500R002C10 has a null pointer reference vulnerability ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17132 (Huawei VP9660 V500R002C10 has a uncontrolled format string ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17131 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17130 (The ff_free_picture_tables function in libavcodec/mpegpicture.c in ...) - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1100 
@@ -20878,41 +20878,41 @@ CVE-2018-0226 CVE-2018-0225 RESERVED CVE-2018-0224 (A vulnerability in the CLI of the Cisco StarOS operating system for ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0223 (A vulnerability in DesktopServlet in the web-based management interface ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0222 RESERVED CVE-2018-0221 (A vulnerability in specific CLI commands for the Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0220 (A vulnerability in the web-based management interface of Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0219 (A vulnerability in the web-based management interface of Cisco Unified ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0218 (A vulnerability in the web-based user interface of the Cisco Secure ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0217 (A vulnerability in the CLI of the Cisco StarOS operating system for ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0216 (A vulnerability in the web-based management interface of Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0215 (A vulnerability in the web-based management interface of Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0214 (A vulnerability in certain CLI commands of Cisco Identity Services ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0213 (A vulnerability in the credential reset functionality for Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0212 (A vulnerability in the web-based management interface of Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0211 (A vulnerability in specific CLI commands for the Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0210 (A vulnerability in the web-based management interface of Cisco Data ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0209 (A vulnerability in the Simple Network Management Protocol (SNMP) ...) 
- TODO: check + NOT-FOR-US: Cisco CVE-2018-0208 (A vulnerability in the web-based management interface of the (cloud ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0207 (A vulnerability in the web-based user interface of the Cisco Secure ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0206 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US:
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4528b518 by security tracker role at 2018-03-08T09:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,9 @@ +CVE-2018-7756 + RESERVED +CVE-2018-7755 (An issue was discovered in the fd_locked_ioctl function in ...) + TODO: check +CVE-2018-7754 + RESERVED CVE-2018-7751 RESERVED CVE-2018-7750 @@ -28,7 +34,7 @@ CVE-2018-1000116 (NET-SNMP version 5.7.2 contains a heap corruption vulnerabilit NOTE: https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/ NOTE: Same patch/commit as #788964 (as used for fixing CVE-2015-5621) NOTE: adresses CVE-2018-1000116 as well. -CVE-2018-7753 [URI values with character entities not properly sanitized] +CVE-2018-7753 (An issue was discovered in Bleach 2.1.x before 2.1.3. Attributes that ...) - python-bleach 2.1.3-1 (bug #892252) [stretch] - python-bleach (Vulnerable code introduced later) [jessie] - python-bleach (Vulnerable code introduced later) @@ -109,7 +115,7 @@ CVE-2018-7720 (A cross-site request forgery (CSRF) vulnerability exists in Weste NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-7719 RESERVED -CVE-2018-7752 [Stack buffer overflow in avc_parsers.c] +CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...) - gpac NOTE: https://github.com/gpac/gpac/issues/997 NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4 @@ -229,8 +235,8 @@ CVE-2018-7677 RESERVED CVE-2018-7676 RESERVED -CVE-2018-7675 - RESERVED +CVE-2018-7675 (In NetIQ Sentinel before 8.1.x, a Sentinel user is logged into the ...) + TODO: check CVE-2018-7674 RESERVED CVE-2018-7673 
@@ -713,10 +719,12 @@ CVE-2018-7644 (The XmlSecLibs library as used in the saml2 library in SimpleSAML NOTE: Fixed by: https://github.com/simplesamlphp/saml2/commit/88a9ae848c4b310b1c53b5700893d890999dd930 CVE-2018-7537 [Denial-of-service possibility in truncatechars_html and truncatewords_html template filters] RESERVED + {DLA-1303-1} - python-django 1:1.11.11-1 NOTE: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/ CVE-2018-7536 [Denial-of-service possibility in urlize and urlizetrunc template filters] RESERVED + {DLA-1303-1} - python-django 1:1.11.11-1 NOTE: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/ CVE-2018-7535 @@ -1933,7 +1941,7 @@ CVE-2018-7172 (In index.php in WonderCMS before 2.4.1, remote attackers can dele NOT-FOR-US: WonderCMS CVE-2018-7171 RESERVED -CVE-2018-7170 (nptd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows ...) +CVE-2018-7170 (ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows ...) - ntp - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 @@ -6009,6 +6017,7 @@ CVE-2018-5734 [A malformed request can trigger an assertion failure in badcache. NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734 CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] RESERVED + {DSA-4133-1} - isc-dhcp 4.3.5-3.1 (bug #891785) NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47140 
@@ -6016,6 +6025,7 @@ CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2018-5732 [A specially constructed response from a malicious server can cause a buffer overflow in dhclient] RESERVED + {DSA-4133-1} - isc-dhcp 4.3.5-3.1 (bug #891786) NOTE: https://kb.isc.org/article/AA-01565/75/CVE-2018-5732 NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47139 @@ -20867,42 +20877,42 @@ CVE-2018-0226 RESERVED CVE-2018-0225 RESERVED -CVE-2018-0224 - RESERVED -CVE-2018-0223 - RESERVED +CVE-2018-0224 (A vulnerability in the CLI of the Cisco StarOS operating system for ...) + TODO: check +CVE-2018-0223 (A vulnerability in DesktopServlet in the web-based management interface ...) + TODO: check CVE-2018-0222 RESERVED -CVE-2018-0221 - RESERVED -CVE-2018-0220 - RESERVED -CVE-2018-0219 - RESERVED -CVE-2018-0218 - RESERVED -CVE-2018-0217 - RESERVED -CVE-2018-0216 - RESERVED -CVE-2018-0215 - RESERVED -CVE-2018-0214 - RESERVED -CVE-2018-0213 - RESERVED -CVE-2018-0212 -