[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take redmine in dsa-needed
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aee0333 by Sébastien Delafond at 2018-04-13T06:23:59+02:00 Take redmine in dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -68,7 +68,7 @@ phpmyadmin/oldstable (abhijith) -- qemu/oldstable -- -redmine +redmine (seb) oldstable also affected, but might be worth EOLing Lucas Kanashiro proposed the update for stretch, needs review and possbile ack -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aee033379a5556c707b4951b5fc46081611ae3d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aee033379a5556c707b4951b5fc46081611ae3d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
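Review bot: the context line kept under the redmine entry reads "needs review and possbile ack"; since this commit already edits that entry, correct the typo to "possible" in the same change rather than leaving it for a follow-up.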
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add and take corosync in dsa-needed
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: cdc3c011 by Sébastien Delafond at 2018-04-13T05:59:51+02:00 Add and take corosync in dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -19,6 +19,9 @@ asterisk/stable -- chromium-browser/stable -- +corosync/stable (seb) + 2018-04-13: Ferenc Wágner proposed debdiff, ack'ed for upload +-- dokuwiki/oldstable -- ffmpeg/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cdc3c011795477b417330f46944802713d79ad54 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cdc3c011795477b417330f46944802713d79ad54 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-7456/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b3b9881 by Salvatore Bonaccorso at 2018-04-13T05:16:27+02:00 Reference fix for CVE-2018-7456/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6445,6 +6445,7 @@ CVE-2018-7456 (A NULL Pointer Dereference occurs in the function TIFFPrintDirect [jessie] - tiff (Can be fixed along in a future DSA) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2778 + NOTE: https://gitlab.com/libtiff/libtiff/commit/be4c85b16e8801a16eec25e80eb9f3dd6a96731b CVE-2018-7455 (An out-of-bounds read in JPXStream::readTilePart in JPXStream.cc in ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3=654=819#p819 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5b3b9881ea88fb6ae7197982822f5a37874a10da --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5b3b9881ea88fb6ae7197982822f5a37874a10da You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
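Review bot: the added NOTE for CVE-2018-7456 is the upstream fixing commit, but as written it is indistinguishable from the bugzilla reference NOTE directly above it; use the "NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/commit/be4c85b16e8801a16eec25e80eb9f3dd6a96731b" form, as the linux entry for CVE-2018-10074 in this file does, so that whoever prepares the future DSA mentioned in the jessie annotation can see at a glance which reference is the patch.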
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Two CVEs for pcs fixed in unstable upload via new upstream version
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf073759 by Salvatore Bonaccorso at 2018-04-13T05:08:57+02:00 Two CVEs for pcs fixed in unstable upload via new upstream version - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24049,7 +24049,7 @@ CVE-2018-1087 RESERVED CVE-2018-1086 (pcs before versions 0.9.164 and 0.10 is vulnerable to a debug ...) {DSA-4169-1} - - pcs (bug #895313) + - pcs 0.9.164-1 (bug #895313) NOTE: http://www.openwall.com/lists/oss-security/2018/04/09/2 CVE-2018-1085 RESERVED @@ -24077,7 +24077,7 @@ CVE-2018-1080 [Mishandled ACL configuration in AAclAuthz.java reverses rules tha NOTE: https://pagure.io/freeipa/issue/7453 NOTE: https://review.gerrithub.io/#/c/404435/ CVE-2018-1079 (pcs before version 0.9.164 and 0.10 is vulnerable to a privilege ...) - - pcs (bug #895314) + - pcs 0.9.164-1 (bug #895314) [stretch] - pcs (Vulnerable code introduced in 0.9.157) NOTE: http://www.openwall.com/lists/oss-security/2018/04/09/2 CVE-2018-1078 (OpenDayLight version Carbon SR3 and earlier contain a vulnerability ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf073759062a1a918194b2c279835bb7b1fc3991 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf073759062a1a918194b2c279835bb7b1fc3991 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for r-cran-readxl issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1939d1fb by Salvatore Bonaccorso at 2018-04-13T05:05:04+02:00 Add fixed version for r-cran-readxl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -42273,10 +42273,10 @@ CVE-2017-12113 (An exploitable improper authorization vulnerability exists in .. CVE-2017-12112 (An exploitable improper authorization vulnerability exists in ...) - cpp-ethereum (bug #860434) CVE-2017-12111 (An exploitable out-of-bounds vulnerability exists in the xls_addCell ...) - - r-cran-readxl (bug #895564) + - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463 CVE-2017-12110 (An exploitable integer overflow vulnerability exists in the ...) - - r-cran-readxl (bug #895564) + - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462 CVE-2017-12109 RESERVED @@ -70839,7 +70839,7 @@ CVE-2017-2921 (An exploitable memory corruption vulnerability exists in the Webs CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists in the ...) - - r-cran-readxl (bug #895564) + - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426 CVE-2017-2918 RESERVED 
@@ -70885,10 +70885,10 @@ CVE-2017-2899 CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of ...) NOT-FOR-US: Circle with Disney CVE-2017-2897 (An exploitable out-of-bounds write vulnerability exists in the ...) - - r-cran-readxl (bug #895564) + - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404 CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the ...) - - r-cran-readxl (bug #895564) + - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403 CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) NOT-FOR-US: Cesanta Mongoose View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1939d1fb230f57809d20a33ae017be6417729df0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1939d1fb230f57809d20a33ae017be6417729df0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove todo for CVE-2018-383{7,8,9}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 987bb9e5 by Salvatore Bonaccorso at 2018-04-12T23:10:09+02:00 Remove todo for CVE-2018-383{7,8,9} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16143,21 +16143,18 @@ CVE-2018-3839 (An exploitable code execution vulnerability exists in the XCF ima - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/fb643e371806910f1973abfdfe7f981e8dba60f5 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 - TODO: check fixing commit(s) CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image ...) {DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 - TODO: check fixing commit(s) CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) {DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/2938fc80591abeae74b971cbdf966eff3213297e NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519 - TODO: check fixing commit(s) CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The ...) - leptonlib [stretch] - leptonlib (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/987bb9e54033ffd61ef865ba8e7314e669dc77ec --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/987bb9e54033ffd61ef865ba8e7314e669dc77ec You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Record CVE-2018-383{7,8,9} which were already fixed with the sdl-image1.2/1.2.12-2+deb7u2 upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 740dd325 by Salvatore Bonaccorso at 2018-04-12T23:04:02+02:00 Record CVE-2018-383{7,8,9} which were already fixed with the sdl-image1.2/1.2.12-2+deb7u2 upload - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16137,19 +16137,22 @@ CVE-2018-3841 RESERVED CVE-2018-3840 RESERVED -CVE-2018-3839 (An exploitable code execution vulnerability exists in the eCF image ...) +CVE-2018-3839 (An exploitable code execution vulnerability exists in the XCF image ...) + {DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/fb643e371806910f1973abfdfe7f981e8dba60f5 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 TODO: check fixing commit(s) CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image ...) + {DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 TODO: check fixing commit(s) CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) + {DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/2938fc80591abeae74b971cbdf966eff3213297e = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list 
@@ -10,7 +10,7 @@ [09 Apr 2018] DLA-1283-2 python-crypto - security update [wheezy] - python-crypto 2.6-4+deb7u8 [06 Apr 2018] DLA-1341-1 sdl-image1.2 - security update - {CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450} + {CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450 CVE-2018-3837 CVE-2018-3838 CVE-2018-3839} [wheezy] - sdl-image1.2 1.2.12-2+deb7u2 [06 Apr 2018] DLA-1340-1 sam2p - security update {CVE-2018-7487 CVE-2018-7551 CVE-2018-7552 CVE-2018-7553 CVE-2018-7554} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/740dd32571c65b4b20bd9ac52c9afe87af32f318 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/740dd32571c65b4b20bd9ac52c9afe87af32f318 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
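Review bot: the data/CVE/list hunk also rewrites the CVE-2018-3839 description from "eCF image" to "XCF image", a typo fix that the commit message ("Record CVE-2018-383{7,8,9} which were already fixed ...") does not mention; either note it in the message or commit it separately. In the same hunk the "TODO: check fixing commit(s)" lines survive for all three entries although the DLA-1341-1 reference now records the wheezy fix; if the outstanding check concerns only the unstable fix, reword the TODO to say so.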
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Record fixed version for sdl-image1.2 issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5380d2f4 by Salvatore Bonaccorso at 2018-04-12T23:00:16+02:00 Record fixed version for sdl-image1.2 issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16139,19 +16139,19 @@ CVE-2018-3840 RESERVED CVE-2018-3839 (An exploitable code execution vulnerability exists in the eCF image ...) - libsdl2-image 2.0.3+dfsg1-1 - - sdl-image1.2 + - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/fb643e371806910f1973abfdfe7f981e8dba60f5 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 TODO: check fixing commit(s) CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image ...) - libsdl2-image 2.0.3+dfsg1-1 - - sdl-image1.2 + - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 TODO: check fixing commit(s) CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) - libsdl2-image 2.0.3+dfsg1-1 - - sdl-image1.2 + - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/2938fc80591abeae74b971cbdf966eff3213297e NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519 TODO: check fixing commit(s) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5380d2f4d185b6f0bab85a2bb750441b084549c6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5380d2f4d185b6f0bab85a2bb750441b084549c6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-383{7,8,9} already fixed in unstable via libsdl2-image/2.0.3+dfsg1-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08b75e88 by Salvatore Bonaccorso at 2018-04-12T22:58:07+02:00 CVE-2018-383{7,8,9} already fixed in unstable via libsdl2-image/2.0.3+dfsg1-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16138,19 +16138,19 @@ CVE-2018-3841 CVE-2018-3840 RESERVED CVE-2018-3839 (An exploitable code execution vulnerability exists in the eCF image ...) - - libsdl2-image + - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 NOTE: https://hg.libsdl.org/SDL_image/rev/fb643e371806910f1973abfdfe7f981e8dba60f5 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 TODO: check fixing commit(s) CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image ...) - - libsdl2-image + - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 NOTE: https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 TODO: check fixing commit(s) CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) - - libsdl2-image + - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 NOTE: https://hg.libsdl.org/SDL_image/rev/2938fc80591abeae74b971cbdf966eff3213297e NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08b75e88eef25901f861a7b1caa02d74e6f42fcc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08b75e88eef25901f861a7b1caa02d74e6f42fcc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fixing commits for CVE-2018-383{7,8,9}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7356315e by Salvatore Bonaccorso at 2018-04-12T22:55:13+02:00 Reference fixing commits for CVE-2018-383{7,8,9} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16140,16 +16140,19 @@ CVE-2018-3840 CVE-2018-3839 (An exploitable code execution vulnerability exists in the eCF image ...) - libsdl2-image - sdl-image1.2 + NOTE: https://hg.libsdl.org/SDL_image/rev/fb643e371806910f1973abfdfe7f981e8dba60f5 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 TODO: check fixing commit(s) CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image ...) - libsdl2-image - sdl-image1.2 + NOTE: https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 TODO: check fixing commit(s) CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) - libsdl2-image - sdl-image1.2 + NOTE: https://hg.libsdl.org/SDL_image/rev/2938fc80591abeae74b971cbdf966eff3213297e NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519 TODO: check fixing commit(s) CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7356315e00d208855e3b9ea123c3859ddf45e10d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7356315e00d208855e3b9ea123c3859ddf45e10d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
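Review bot: each of the three new NOTE lines supplies the hg.libsdl.org fixing revision, yet the "TODO: check fixing commit(s)" line right below each one is left untouched; if the remaining task is to verify that these revisions are the complete fix, reword the TODO accordingly, otherwise drop it here rather than in a later commit.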
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add source package information for CVE-2018-383{7,8,9}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fe3fd83 by Salvatore Bonaccorso at 2018-04-12T22:47:00+02:00 Add source package information for CVE-2018-383{7,8,9} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16137,12 +16137,21 @@ CVE-2018-3841 RESERVED CVE-2018-3840 RESERVED -CVE-2018-3839 (An exploitable code execution vulnerability exists in the XCF image ...) - TODO: check +CVE-2018-3839 (An exploitable code execution vulnerability exists in the eCF image ...) + - libsdl2-image + - sdl-image1.2 + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 + TODO: check fixing commit(s) CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image ...) - TODO: check + - libsdl2-image + - sdl-image1.2 + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 + TODO: check fixing commit(s) CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) - TODO: check + - libsdl2-image + - sdl-image1.2 + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0519 + TODO: check fixing commit(s) CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The ...) - leptonlib [stretch] - leptonlib (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5fe3fd83bc68a1d95735c3fb7c23d374d5e4f0cd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5fe3fd83bc68a1d95735c3fb7c23d374d5e4f0cd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
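Review bot: the replacement description line for CVE-2018-3839 changes "XCF image" to "eCF image"; the CVE-2018-3838 line in the same hunk keeps "XCF image", and descriptions in this file are otherwise refreshed only by the "automatic update" commits, so this looks like an accidental edit. Restore "XCF image" so the entry matches its sibling entries and the text the automatic update will write back.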
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 14ba3986 by Salvatore Bonaccorso at 2018-04-12T22:36:10+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3,17 +3,17 @@ CVE-2018-10076 CVE-2018-10075 RESERVED CVE-2018-10073 (joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword ...) - TODO: check + NOT-FOR-US: joyplus-cms CVE-2018-10072 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) - TODO: check + NOT-FOR-US: WinDriver CVE-2018-10071 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) - TODO: check + NOT-FOR-US: WinDriver CVE-2018-10070 RESERVED CVE-2018-10069 RESERVED CVE-2018-10068 (The jDownloads extension before 3.2.59 for Joomla! has XSS. ...) - TODO: check + NOT-FOR-US: jDownloads extension for Joomla! CVE-2018-10067 RESERVED CVE-2018-10066 @@ -23,7 +23,7 @@ CVE-2018-10065 CVE-2018-10064 RESERVED CVE-2018-10063 (The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to ...) - TODO: check + NOT-FOR-US: Convert Forms extension for Joomla! CVE-2018-10062 RESERVED CVE-2018-10074 (The hi3660_stub_clk_probe function in ...) @@ -515,9 +515,9 @@ CVE-2018-9845 CVE-2018-9844 (The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress ...) NOT-FOR-US: Iptanus WordPress File Upload plugin for WordPress CVE-2018-9843 (The REST API in CyberArk Password Vault Web Access before 9.9.5 and ...) - TODO: check + NOT-FOR-US: CyberArk Password Vault Web Access CVE-2018-9842 (CyberArk Password Vault before 9.7 allows remote attackers to obtain ...) - TODO: check + NOT-FOR-US: CyberArk Password Vault CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg through ...) - ffmpeg (low) [stretch] - ffmpeg (Can wait until the next ffmpeg 3.2.x release) 
@@ -2082,7 +2082,7 @@ CVE-2018-9157 (** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera CVE-2018-9156 (** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) ...) NOT-FOR-US: AXIS CVE-2018-9155 (Cross-site scripting (XSS) vulnerability in Open-AudIT Professional ...) - TODO: check + NOT-FOR-US: Open-AudIT Professional CVE-2018-9154 RESERVED CVE-2018-9153 @@ -2186,7 +2186,7 @@ CVE-2018-9120 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a CVE-2018-9119 (An attacker with physical access to a BrilliantTS FUZE card (MCU ...) NOT-FOR-US: BrilliantTS FUZE card CVE-2018-9118 (exports/download.php in the 99 Robots WP Background Takeover ...) - TODO: check + NOT-FOR-US: 99 Robots WP Background Takeover Advertisements plugin for WordPress CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote ...) NOT-FOR-US: WireMock CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14ba3986c34172327474b8b894e8ae7b18dfeffd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14ba3986c34172327474b8b894e8ae7b18dfeffd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add tracking bug for CVE-2017-11592
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc2ef989 by Salvatore Bonaccorso at 2018-04-12T22:29:31+02:00 Add tracking bug for CVE-2017-11592 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -43663,7 +43663,7 @@ CVE-2017-11594 (Cross-site scripting (XSS) vulnerability in the Markdown parser CVE-2017-11593 (Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus ...) NOT-FOR-US: Chrome extension Markdown Preview Plus CVE-2017-11592 (There is a Mismatched Memory Management Routines vulnerability in the ...) - [experimental] - exiv2 + [experimental] - exiv2 (bug #895568) - exiv2 (printTiffStructure introduced in 0.26) TODO: Report against experimental NOTE: https://github.com/Exiv2/exiv2/issues/56 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc2ef989466c4ec3847c231b4230d29a4e9c158a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc2ef989466c4ec3847c231b4230d29a4e9c158a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
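Review bot: the bug number is appended to the "[experimental] - exiv2" line, but the "TODO: Report against experimental" context line below it is left standing; if bug #895568 is that report, remove the TODO in the same commit so the entry does not keep asking for a report that has already been filed.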
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9960e818 by security tracker role at 2018-04-12T20:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,13 +1,41 @@ -CVE-2018-10074 [clk: hisilicon: hi3600: Fix potential NULL dereference in hi3660_stub_clk_probe()] +CVE-2018-10076 + RESERVED +CVE-2018-10075 + RESERVED +CVE-2018-10073 (joyplus-cms 1.6.0 has XSS in manager/admin_vod.php via the keyword ...) + TODO: check +CVE-2018-10072 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) + TODO: check +CVE-2018-10071 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) + TODO: check +CVE-2018-10070 + RESERVED +CVE-2018-10069 + RESERVED +CVE-2018-10068 (The jDownloads extension before 3.2.59 for Joomla! has XSS. ...) + TODO: check +CVE-2018-10067 + RESERVED +CVE-2018-10066 + RESERVED +CVE-2018-10065 + RESERVED +CVE-2018-10064 + RESERVED +CVE-2018-10063 (The Convert Forms extension before 2.0.4 for Joomla! is vulnerable to ...) + TODO: check +CVE-2018-10062 + RESERVED +CVE-2018-10074 (The hi3660_stub_clk_probe function in ...) - linux NOTE: Fixed by: https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7) -CVE-2018-10061 [XSS because making certain htmlspecialchars calls without the ENT_QUOTES flag] +CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars ...) - cacti 1.1.37+ds1-1 NOTE: https://github.com/Cacti/cacti/issues/1457 -CVE-2018-10060 [XSS related issue to use of the sanitize_uri function in lib/functions.php] +CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly reject ...) - cacti 1.1.37+ds1-1 NOTE: https://github.com/Cacti/cacti/issues/1457 -CVE-2018-10059 [XSS related issue in get_current_page] +CVE-2018-10059 (Cacti before 1.1.37 has XSS because the get_current_page function in ...) - cacti 1.1.37+ds1-1 NOTE: https://github.com/Cacti/cacti/issues/1457 CVE-2018-10058 
@@ -486,10 +514,10 @@ CVE-2018-9845 - etherpad-lite (bug #576998) CVE-2018-9844 (The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress ...) NOT-FOR-US: Iptanus WordPress File Upload plugin for WordPress -CVE-2018-9843 - RESERVED -CVE-2018-9842 - RESERVED +CVE-2018-9843 (The REST API in CyberArk Password Vault Web Access before 9.9.5 and ...) + TODO: check +CVE-2018-9842 (CyberArk Password Vault before 9.7 allows remote attackers to obtain ...) + TODO: check CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg through ...) - ffmpeg (low) [stretch] - ffmpeg (Can wait until the next ffmpeg 3.2.x release) @@ -2053,8 +2081,8 @@ CVE-2018-9157 (** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera NOT-FOR-US: AXIS CVE-2018-9156 (** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) ...) NOT-FOR-US: AXIS -CVE-2018-9155 - RESERVED +CVE-2018-9155 (Cross-site scripting (XSS) vulnerability in Open-AudIT Professional ...) + TODO: check CVE-2018-9154 RESERVED CVE-2018-9153 @@ -2157,8 +2185,8 @@ CVE-2018-9120 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a NOT-FOR-US: Crea8social CVE-2018-9119 (An attacker with physical access to a BrilliantTS FUZE card (MCU ...) NOT-FOR-US: BrilliantTS FUZE card -CVE-2018-9118 - RESERVED +CVE-2018-9118 (exports/download.php in the 99 Robots WP Background Takeover ...) + TODO: check CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote ...) NOT-FOR-US: WireMock CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote ...) @@ -16009,8 +16037,8 @@ CVE-2018-3891 RESERVED CVE-2018-3890 RESERVED -CVE-2018-3889 - RESERVED +CVE-2018-3889 (A specially crafted PCX image processed via the application can lead ...) + TODO: check CVE-2018-3888 (A memory corruption vulnerability exists in the PCX-parsing ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3887 (A memory corruption vulnerability exists in the PCX-parsing ...) 
@@ -16051,8 +16079,8 @@ CVE-2018-3870 RESERVED CVE-2018-3869 RESERVED -CVE-2018-3868 - RESERVED +CVE-2018-3868 (A specially crafted TIFF image processed via the application can lead ...) + TODO: check CVE-2018-3867 RESERVED CVE-2018-3866 @@ -16063,10 +16091,10 @@ CVE-2018-3864 RESERVED CVE-2018-3863 RESERVED -CVE-2018-3862 - RESERVED -CVE-2018-3861 - RESERVED +CVE-2018-3862 (A specially crafted TIFF image processed via
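Review bot: in the first hunk the rewritten CVE-2018-10074 entry lands below CVE-2018-10062, while the newly inserted ids run in strict descending order from CVE-2018-10076 down to CVE-2018-10062; if the file is kept sorted by id, CVE-2018-10074 belongs between CVE-2018-10075 and CVE-2018-10073. Worth checking whether the update script sorts entries it rewrites or only entries it adds.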
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] The CVE was marked as no-dsa for Debian Security and there is no reason to…
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ecc3fcae by Ola Lundqvist at 2018-04-12T21:59:31+02:00 The CVE was marked as no-dsa for Debian Security and there is no reason to believe why wheezy should be treated differently. Therefore marking as ignored and removing the package from dla-needed.txt. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6510,6 +6510,7 @@ CVE-2012-6709 (ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate - elinks (low; bug #891575) [stretch] - elinks (Minor issue) [jessie] - elinks (Minor issue) + [wheezy] - elinks (Minor issue) - links2 2.6-1 (bug #694658; bug #510417) NOTE: Patch proposed upstream (when using): http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html NOTE: tested links2 against badssl.com, no apparent issue back in wheezy = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -21,9 +21,6 @@ calibre cups NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent -- -elinks - NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) --- firebird2.5 NOTE: 20180411: no fix available upstream for CVE-2017-11509 NOTE: 20180412: see <capv8svxahya2kssyvztahsb7fk9cfvewhsuo5qhdxvr3uf2...@mail.gmail.com> (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecc3fcae4e8db5ac6caa4a700cde97ab7ae23569 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecc3fcae4e8db5ac6caa4a700cde97ab7ae23569 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
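Review bot: the commit subject ("The CVE was marked as no-dsa for Debian Security and there is no reason to…") names neither the CVE nor the package and is identical to the subject of the libraw commit in this digest, so the two are indistinguishable in the list archive and in git log; lead with the identifier, e.g. "CVE-2012-6709/elinks: treat wheezy like stretch/jessie, drop from dla-needed.txt", and keep the reasoning in the body.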
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] The CVE was marked as no-dsa for Debian Security and there is no reason to…
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: b1c3111a by Ola Lundqvist at 2018-04-12T21:51:42+02:00 The CVE was marked as no-dsa for Debian Security and there is no reason to believe why wheezy should be treated differently. Therefore marking as ignored and removing the package from dla-needed.txt. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -11364,6 +11364,7 @@ CVE-2018-5802 [Out-of-bounds read in kodak_radc_load_raw function internal/dcraw - libraw 0.18.7-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) + [wheezy] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5801 [NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp] @@ -11371,6 +11372,7 @@ CVE-2018-5801 [NULL pointer dereference in LibRaw::unpack function src/libraw_cx - libraw 0.18.7-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) + [wheezy] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5800 [Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp] @@ -11378,6 +11380,7 @@ CVE-2018-5800 [Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw functi - libraw 0.18.7-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) + [wheezy] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-106 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, ...) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -58,9 +58,6 @@ libav (Hugo Lefeuvre) -- libmad (Kurt Roeckx) -- -libraw - NOTE: Only a subset of functions are present in Wheezy. --- libvorbis NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1c3111a3688480350fbe773e816be8ab5fe31cf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1c3111a3688480350fbe773e816be8ab5fe31cf You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
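Review bot: the dla-needed note being removed ("Only a subset of functions are present in Wheezy") is a reason for a not-affected annotation, not for a minor-issue deferral: if kodak_radc_load_raw, LibRaw::unpack and kodak_ycbcr_load_raw (the functions named in the three descriptions) are absent from wheezy's libraw, the three wheezy lines should record that the vulnerable code is not present rather than copy jessie's "(Minor issue)" reason; if they are present, the removed note was wrong and the commit should say so. Either way, dropping the entry from dla-needed loses that information from the tracker; moving it into a NOTE line under the CVE entries would preserve it.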
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Follow jessie.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 20dbc9cb by Ola Lundqvist at 2018-04-12T21:47:06+02:00 Follow jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5532,18 +5532,21 @@ CVE-2018-7714 (The validateInputImageSize function in ...) - opencv (low) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) + [wheezy] - opencv (Minor issue) NOTE: https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert NOTE: https://github.com/opencv/opencv/issues/10998 CVE-2018-7713 (The validateInputImageSize function in ...) - opencv (low) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) + [wheezy] - opencv (Minor issue) NOTE: https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert NOTE: https://github.com/opencv/opencv/issues/10998 CVE-2018-7712 (The validateInputImageSize function in ...) - opencv (low) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) + [wheezy] - opencv (Minor issue) NOTE: https://github.com/xiaoqx/pocs/tree/master/opencv/dos-by-assert NOTE: https://github.com/opencv/opencv/issues/10998 CVE-2018-7710 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20dbc9cbf71ce113c46519b9107c08910c763278 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20dbc9cbf71ce113c46519b9107c08910c763278 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
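Review bot: the three added wheezy lines copy jessie's "(Minor issue)" reason verbatim, and "Follow jessie." gives no wheezy-specific rationale. All three descriptions name validateInputImageSize and the NOTE links point to a DoS-by-assert PoC; if wheezy's opencv predates that function the correct annotation is that the vulnerable code is not present, which is a different claim from a deferred minor issue. A NOTE recording which case applies (function present, impact limited to an assert) would make the wheezy status verifiable later.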
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-10074/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fd95337 by Salvatore Bonaccorso at 2018-04-12T20:57:08+02:00 Add CVE-2018-10074/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,6 @@ +CVE-2018-10074 [clk: hisilicon: hi3600: Fix potential NULL dereference in hi3660_stub_clk_probe()] + - linux + NOTE: Fixed by: https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7) CVE-2018-10061 [XSS because making certain htmlspecialchars calls without the ENT_QUOTES flag] - cacti 1.1.37+ds1-1 NOTE: https://github.com/Cacti/cacti/issues/1457 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2fd95337310349fa658c2a20cc992de17acd5ee3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2fd95337310349fa658c2a20cc992de17acd5ee3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
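Review bot: the bracketed description reads "clk: hisilicon: hi3600:" while the function it names is hi3660_stub_clk_probe(); one of the two is a typo, so check the subject line of the linked upstream commit 9903e41 and make the description match it. The entry also consists of a single unannotated "- linux" line: the fix is noted as 4.16-rc7, so the stretch, jessie and wheezy status (in particular whether the hi3660 stub clock driver exists at all in their kernels) should be recorded, otherwise all three releases show as affected by default.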
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark some questionable Apple CVE assignments as NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ae688ea7 by Moritz Muehlenhoff at 2018-04-12T20:52:58+02:00 Mark some questionable Apple CVE assignments as NFU No point in investigating this further, we can only assume that Apple staff is stupid and assigned internal ID duplicates to otherwise public issues They can prove us wrong by providing proper commit references! - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -36874,7 +36874,7 @@ CVE-2017-13848 (An issue was discovered in certain Apple products. macOS before CVE-2017-13847 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13846 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially PCRE + NOT-FOR-US: Potentially src:pcre3, but Apple doesn't play by the rules CVE-2017-13845 RESERVED CVE-2017-13844 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) 
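Review bot: NOT-FOR-US asserts that the affected code is not in Debian, but the new reason text on the same line says it is "Potentially src:pcre3"; the two halves contradict each other, and once the line is NOT-FOR-US nothing will surface the entry again if Apple or PCRE later publish a commit. If the decision is to stop tracking, the reason should say that the Apple advisory gives no usable reference rather than name a Debian source package; if PCRE is a real possibility, keep a TODO or add a NOTE under the entry so the pcre3 maintainer can find it.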
@@ -58172,9 +58172,9 @@ CVE-2017-7004 (An issue was discovered in certain Apple products. iOS before 10. CVE-2017-7003 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) NOT-FOR-US: Apple CVE-2017-7002 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - TODO: check + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7001 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - TODO: check + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7000 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae688ea7e4497386d4ae990c4a7991769f6605dd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae688ea7e4497386d4ae990c4a7991769f6605dd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
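Review bot: as with the CVE-2017-13846 line earlier in this commit, "NOT-FOR-US: Potentially src:sqlite" names a Debian source package inside a tag that asserts the code is not in Debian. For both CVE-2017-7002 and CVE-2017-7001 either record that the Apple advisory is unreferenceable without naming a package, or keep the entries as TODO/NOTE so they can be revisited when a fix commit appears. Note also that the SQLite 3 source package in Debian is src:sqlite3, not src:sqlite, so the reason text as written would not even match the package it is hinting at.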
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new r-cran-readxl issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 064fef0c by Moritz Muehlenhoff at 2018-04-12T20:50:40+02:00 new r-cran-readxl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -42226,9 +42226,11 @@ CVE-2017-12113 (An exploitable improper authorization vulnerability exists in .. CVE-2017-12112 (An exploitable improper authorization vulnerability exists in ...) - cpp-ethereum (bug #860434) CVE-2017-12111 (An exploitable out-of-bounds vulnerability exists in the xls_addCell ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463 CVE-2017-12110 (An exploitable integer overflow vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462 CVE-2017-12109 RESERVED CVE-2017-12108 @@ -70790,7 +70792,8 @@ CVE-2017-2921 (An exploitable memory corruption vulnerability exists in the Webs CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426 CVE-2017-2918 RESERVED CVE-2017-2917 (An exploitable vulnerability exists in the notifications functionality ...) 
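Review bot: the replaced TODO lines recorded the useful fact that libxls is embedded in r-cran-readxl, and the new lines drop it; unless the embedded-code-copies file already lists libxls under r-cran-readxl, add that entry (or a NOTE here) so the relationship survives, otherwise a future libxls issue will be hard to map to this package. The new "- r-cran-readxl (bug #895564)" lines for CVE-2017-12111, CVE-2017-12110 and CVE-2017-2919 also carry no fixed version and no [stretch]/[jessie] annotation, so both releases now show as affected without any triage decision.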
@@ -70835,9 +70838,11 @@ CVE-2017-2899 CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of ...) NOT-FOR-US: Circle with Disney CVE-2017-2897 (An exploitable out-of-bounds write vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404 CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403 CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) NOT-FOR-US: Cesanta Mongoose TODO: check smplayer, embeds it View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/064fef0cae91a3ce8d0ce4d5d15af8216b0ab562 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/064fef0cae91a3ce8d0ce4d5d15af8216b0ab562 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
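Review bot: the two new lines for CVE-2017-2897 and CVE-2017-2896 have the same shape as the other readxl changes in this commit: bug #895564 is referenced but there is no fixed version and no per-release annotation, and the TALOS-2017-0404/0403 links are the only references. The adjacent unchanged "TODO: check smplayer, embeds it" under CVE-2017-2895 shows the same embedded-copy situation still being handled as a TODO, so it is worth settling on one convention (an embedded-code-copies entry plus a package line with a fixed version or annotation) and applying it to both.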
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-1000168/nghttp2: #895566
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a5713bb by Salvatore Bonaccorso at 2018-04-12T20:46:41+02:00 Add bug reference for CVE-2018-1000168/nghttp2: #895566 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -444,7 +444,7 @@ CVE-2018-9859 RESERVED CVE-2018-1000168 [Denial of service due to NULL pointer dereference] RESERVED - - nghttp2 + - nghttp2 (bug #895566) [jessie] - nghttp2 (Issue introduced in 1.10.0) NOTE: Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0 NOTE: Fixed by: https://github.com/nghttp2/nghttp2/commit/b1bd6035e884b3d83748914a3b5f2a8e52a78a2f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a5713bba158dbb1a49d8b50ced3e5563395448c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a5713bba158dbb1a49d8b50ced3e5563395448c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1084/corosync
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d912e1ab by Salvatore Bonaccorso at 2018-04-12T20:45:46+02:00 Add CVE-2018-1084/corosync - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24005,8 +24005,13 @@ CVE-2018-1086 [Debug parameter removal bypass, allowing information disclosure] CVE-2018-1085 RESERVED NOT-FOR-US: openshift-ansible -CVE-2018-1084 +CVE-2018-1084 [Integer overflow in exec/totemcrypto.c:authenticate_nss_2_3() function] RESERVED + - corosync + [jessie] - corosync (Vulnerable code introduced later) + NOTE: http://www.openwall.com/lists/oss-security/2018/04/12/2 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552830 + NOTE: Fixed by: https://github.com/corosync/corosync/commit/fc1d5418533c1faf21616b282c2559bed7d361c4 CVE-2018-1083 (Zsh before version 5.4.2-test-1 is vulnerable to a buffer overflow in ...) {DLA-1335-1} - zsh 5.4.2-4 (low; bug #894043) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d912e1abb711bad9f8ac5f63b821847be9620f52 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d912e1abb711bad9f8ac5f63b821847be9620f52 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
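Review bot: the jessie line asserts "Vulnerable code introduced later" without saying in which upstream version the authenticate_nss_2_3() code appeared, so the not-affected claim cannot be checked against the corosync version in jessie; put the version in the reason or in a NOTE. There is no [stretch] line at all, so stretch is implicitly affected with no decision recorded; given the function named in the title and the linked fix commit fc1d541, either annotate stretch or make sure a DSA is being tracked for it.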
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-1000168
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90ff32f8 by Salvatore Bonaccorso at 2018-04-12T20:39:47+02:00 Reference fix for CVE-2018-1000168 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -447,6 +447,7 @@ CVE-2018-1000168 [Denial of service due to NULL pointer dereference] - nghttp2 [jessie] - nghttp2 (Issue introduced in 1.10.0) NOTE: Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0 + NOTE: Fixed by: https://github.com/nghttp2/nghttp2/commit/b1bd6035e884b3d83748914a3b5f2a8e52a78a2f NOTE: http://www.openwall.com/lists/oss-security/2018/04/12/4 CVE-2018-9858 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90ff32f8d5544c8fe5a7628066a558dac7f86f92 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90ff32f8d5544c8fe5a7628066a558dac7f86f92 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
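Review bot: with the fix commit now recorded, the unstable line "- nghttp2" still has no fixed version; once the upstream release that carries b1bd6035 is uploaded, put the Debian version on that line so the tracker stops listing unstable as affected. The "Affected versions" NOTE bounds the range at v1.31.0, so the release to look for is the first one above that which includes the commit.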
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4dea2153 by Moritz Muehlenhoff at 2018-04-12T20:38:17+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16,7 +16,7 @@ CVE-2018-10056 CVE-2018-10055 RESERVED CVE-2018-10054 (H2 1.4.197, as used in Datomic before 0.9.5697 and other products, ...) - TODO: check + NOT-FOR-US: H2 (different from src:python-h2) CVE-2018-10053 RESERVED CVE-2018-10052 (iScripts SupportDesk v4.3 has XSS via the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4dea2153f4e071329dbd71d7dd4ae1a1b6999faa --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4dea2153f4e071329dbd71d7dd4ae1a1b6999faa You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: qemu fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 182726ab by Moritz Muehlenhoff at 2018-04-12T20:34:57+02:00 qemu fixed - - - - - 165ad983 by Moritz Muehlenhoff at 2018-04-12T20:35:28+02:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5142,7 +5142,7 @@ CVE-2018-7860 CVE-2018-7859 RESERVED CVE-2018-7858 (Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA ...) - - qemu (bug #892497) + - qemu 1:2.12~rc3+dfsg-1 (bug #892497) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) @@ -6090,7 +6090,7 @@ CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that le [jessie] - sam2p (Will be fixed via point release) NOTE: https://github.com/pts/sam2p/issues/28 CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ...) - - qemu (bug #892041) + - qemu 1:2.12~rc3+dfsg-1 (bug #892041) - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg01885.html CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) @@ -11796,7 +11796,7 @@ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ... [jessie] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110 CVE-2018-5683 (The vga_draw_text function in Qemu allows local OS guest privileged ...) - - qemu (bug #887392) + - qemu 1:2.12~rc3+dfsg-1 (bug #887392) [stretch] - qemu (Minor issue, can be fixed along in future DSA) [jessie] - qemu (Minor issue, can be fixed along in future DSA) [wheezy] - qemu (Minor issue, can be fixed along in next DLA) 
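Review bot: in the CVE-2018-7550 hunk, "- qemu-kvm" is left with neither a version nor, in this rendering, any tag, so that source package still shows as unfixed while qemu itself now records 1:2.12~rc3+dfsg-1; confirm it carries a removed or not-affected tag in the file, and add one if it does not. Recording a release-candidate version as the fix is fine since it is what was uploaded to unstable, but the stretch, jessie and wheezy lines in the CVE-2018-5683 hunk still only defer ("can be fixed along in future DSA" / "next DLA"), so nothing in this commit tracks that those updates are still owed.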
@@ -27971,7 +27971,7 @@ CVE-2017-16847 (Zoho ManageEngine Applications Manager 13 allows SQL injection v CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16845 (hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values ...) - - qemu (bug #882136) + - qemu 1:2.12~rc3+dfsg-1 (bug #882136) [stretch] - qemu (Minor issue) [jessie] - qemu (Minor issue) [wheezy] - qemu (Can be fixed along in a future update) @@ -32942,7 +32942,7 @@ CVE-2017-15125 RESERVED NOT-FOR-US: Red Hat CloudForms CVE-2017-15124 (VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older ...) - - qemu (bug #884806) + - qemu 1:2.12~rc3+dfsg-1 (bug #884806) [stretch] - qemu (Can be fixed along in later update) [jessie] - qemu (Can be fixed along in later update) [wheezy] - qemu (Can be fixed along in later update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c324ddb9cccd6987c79abdeef62d799daa74e4fb...165ad983f458c3c1a6e2903650285170e2f791cf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c324ddb9cccd6987c79abdeef62d799daa74e4fb...165ad983f458c3c1a6e2903650285170e2f791cf You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
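Review bot: for CVE-2017-16845 and CVE-2017-15124 the stretch, jessie and wheezy lines say the fix "can be fixed along in a future/later update" and now sit under an unstable line with a concrete fixed version; that is the point at which a stable update becomes actionable, so the deferral reasons should be revisited or the package confirmed in dsa-needed/dla-needed, because the CVE entries themselves no longer flag any pending work.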
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-1000168/nghttp2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c324ddb9 by Salvatore Bonaccorso at 2018-04-12T20:34:03+02:00 Add CVE-2018-1000168/nghttp2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -442,8 +442,12 @@ CVE-2018-9860 (An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0 NOTE: Bug introduced in 1.11.32, fixed in 2.6.0 CVE-2018-9859 RESERVED -CVE-2018-1000168 +CVE-2018-1000168 [Denial of service due to NULL pointer dereference] RESERVED + - nghttp2 + [jessie] - nghttp2 (Issue introduced in 1.10.0) + NOTE: Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0 + NOTE: http://www.openwall.com/lists/oss-security/2018/04/12/4 CVE-2018-9858 RESERVED CVE-2018-9857 (PHP Scripts Mall Match Clone Script 1.0.4 has XSS via the search field ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c324ddb9cccd6987c79abdeef62d799daa74e4fb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c324ddb9cccd6987c79abdeef62d799daa74e4fb You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
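Review bot: the entry annotates jessie ("Issue introduced in 1.10.0") but has no [stretch] line; the NOTE gives the affected range as 1.10.0 through v1.31.0, so if stretch's nghttp2 falls inside that range stretch is affected and needs either a DSA decision or a no-dsa reason recorded. The title "Denial of service due to NULL pointer dereference" also does not say which code path triggers it (server-side handling or a library call), and a NOTE naming the affected function would help the stretch triage.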
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add three new cacti CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 816700f8 by Salvatore Bonaccorso at 2018-04-12T20:27:55+02:00 Add three new cacti CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,12 @@ +CVE-2018-10061 [XSS because making certain htmlspecialchars calls without the ENT_QUOTES flag] + - cacti 1.1.37+ds1-1 + NOTE: https://github.com/Cacti/cacti/issues/1457 +CVE-2018-10060 [XSS related issue to use of the sanitize_uri function in lib/functions.php] + - cacti 1.1.37+ds1-1 + NOTE: https://github.com/Cacti/cacti/issues/1457 +CVE-2018-10059 [XSS related issue in get_current_page] + - cacti 1.1.37+ds1-1 + NOTE: https://github.com/Cacti/cacti/issues/1457 CVE-2018-10058 RESERVED CVE-2018-10057 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/816700f87beddb305195b9dbff1d0ce3b9047b9c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/816700f87beddb305195b9dbff1d0ce3b9047b9c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
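Review bot: all three new entries give the unstable fix as 1.1.37+ds1-1 and cite the same upstream issue #1457, but none has a [stretch] or [jessie] line, so both releases show as affected with no decision; for three XSS issues sharing one upstream issue a single no-dsa/minor-issue decision (or one DSA) should be recorded on each entry. Since the three CVEs point at one issue link, a NOTE saying which upstream commit fixes which CVE would make a backport easier to verify.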
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Lucas Kanashiro proposed update for redmine (stretch)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3f0644b by Salvatore Bonaccorso at 2018-04-12T20:16:55+02:00 Lucas Kanashiro proposed update for redmine (stretch) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -67,6 +67,7 @@ qemu/oldstable -- redmine oldstable also affected, but might be worth EOLing + Lucas Kanashiro proposed the update for stretch, needs review and possbile ack -- ruby-loofah Georg Faerber proposed to prepare an update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3f0644b22fa71446924af0b1281dfb29b6aa740 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3f0644b22fa71446924af0b1281dfb29b6aa740 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
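Review bot: the added line has a typo, "possbile" for "possible". Other status notes in this file are dated (for example "2018-04-11: Emmanuel Bourg submitted a debdiff"), so prefix this one with the date as well, and name who is expected to review and ack so the item has an owner.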
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take tomcat8 from dsa-needed
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f6178d1 by Sébastien Delafond at 2018-04-12T16:57:14+02:00 Take tomcat8 from dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -83,7 +83,8 @@ sssd/stable -- tomcat7/oldstable -- -tomcat8 +tomcat8 (seb) + 2018-04-11: Emmanuel Bourg submitted a debdiff -- tor -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f6178d1047b245f19d0e856211f860b492fb1c8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f6178d1047b245f19d0e856211f860b492fb1c8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
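Review bot: the entry is bare "tomcat8 (seb)" while its neighbours carry a release suffix ("tomcat7/oldstable", "sssd/stable"); if the debdiff Emmanuel Bourg submitted covers only one release, add the suffix, and if both stable and oldstable need an update, say so in the status line so the second one is not forgotten once the first is released.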
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add note for firebird2.5 re. mailing list thread.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f8bd6f99 by Chris Lamb at 2018-04-12T15:44:38+01:00 Add note for firebird2.5 re. mailing list thread. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -26,6 +26,7 @@ elinks -- firebird2.5 NOTE: 20180411: no fix available upstream for CVE-2017-11509 + NOTE: 20180412: see <capv8svxahya2kssyvztahsb7fk9cfvewhsuo5qhdxvr3uf2...@mail.gmail.com> (lamby) -- gcc-4.6 (Roberto C. Sánchez) NOTE: 20180215: Backport the retpoline support for spectre mitigation. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8bd6f9948b871f23b5b0f141177ec021b0e7aaa --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8bd6f9948b871f23b5b0f141177ec021b0e7aaa You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
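Review bot: the new NOTE refers to the thread only by a Message-ID that is elided in this rendering ("...@mail.gmail.com"), which is hard to follow from the tracker; an archive URL or a one-line summary of what the thread concluded about CVE-2017-11509 would be more durable, since the previous NOTE already says no upstream fix exists and the reader wants to know what the next step is.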
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DSA for poppler update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 400c8ebf by Salvatore Bonaccorso at 2018-04-12T15:24:04+02:00 Reserve DSA for poppler update - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[12 Apr 2018] DSA-4079-2 poppler - regression update + {CVE-2017-9776} + [jessie] - poppler 0.26.5-2+deb8u4 [09 Apr 2018] DSA-4170-1 pjproject - security update {CVE-2017-16872 CVE-2017-16875 CVE-2018-198 CVE-2018-199} [stretch] - pjproject 2.5.5~dfsg-6+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/400c8ebf11fa1d15648516d3f91342b70de5ccbc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/400c8ebf11fa1d15648516d3f91342b70de5ccbc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
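Review bot: the regression update is recorded with the same CVE-2017-9776 as the original DSA-4079-1 and only a [jessie] line; if DSA-4079-1 also shipped a stretch build, the -2 entry should state whether stretch has the same regression, and if it does not, a short NOTE saying so would save the next reader the lookup. The placement (newest entry first, 12 Apr above 09 Apr) is consistent with the rest of the file.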
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d0a2323 by Moritz Muehlenhoff at 2018-04-12T15:18:33+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -27868,21 +27868,21 @@ CVE-2018-0025 CVE-2018-0024 RESERVED CVE-2018-0023 (JSNAPy is an open source python version of Junos Snapshot ...) - TODO: check + NOT-FOR-US: JSNAPy CVE-2018-0022 (A Junos device with VPLS routing-instances configured on one or more ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0021 (If all 64 digits of the connectivity association name (CKN) key or all ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0020 (Junos OS may be impacted by the receipt of a malformed BGP UPDATE ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0019 (A vulnerability in Junos OS SNMP MIB-II subagent daemon (mib2d) may ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0018 (On SRX Series devices during compilation of IDP policies, an attacker ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0017 (A vulnerability in the Network Address Translation - Protocol ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0016 (Receipt of a specially crafted Connectionless Network Protocol (CLNP) ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0015 (A malicious user with unrestricted access to the AppFormix application ...) NOT-FOR-US: AppFormix CVE-2018-0014 (Juniper Networks ScreenOS devices do not pad Ethernet packets with ...) 
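Review bot: CVE-2018-0023 is marked "NOT-FOR-US: JSNAPy" but its own description calls JSNAPy "an open source python version of Junos Snapshot", so unlike the Junos OS and SRX entries below it this is installable software; confirm it is neither packaged in Debian nor vendored by any package before closing it as not-for-us. The remaining entries in the hunk concern Junos/SRX devices and NOT-FOR-US: Juniper is appropriate for them.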
@@ -32277,7 +32277,7 @@ CVE-2017-15329 (Huawei UMA V200R001C00 has a SQL injection vulnerability in the CVE-2017-15328 (Huawei HG8245H version earlier than V300R018C00SPC110 has an ...) NOT-FOR-US: Huawei CVE-2017-15327 (S12700 V200R005C00, V200R006C00, V200R006C01, V200R007C00, ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15326 (DBS3900 TDD LTE V100R003C00, V100R004C10 have a weak encryption ...) NOT-FOR-US: Huawei CVE-2017-15325 (The Bdat driver of Prague smart phones with software versions earlier ...) @@ -35160,7 +35160,7 @@ CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to D CVE-2017-14460 (An exploitable overly permissive cross-domain (CORS) whitelist ...) - parity (bug #890550) CVE-2017-14459 (An exploitable OS Command Injection vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Moxa CVE-2017-14458 RESERVED CVE-2017-14457 (An exploitable information leak/denial of service vulnerability exists ...) @@ -37508,9 +37508,9 @@ CVE-2017-13680 (Prior to SEP 12.1 RU6 MP9 SEP 14 RU1 Symantec Endpoint Pro CVE-2017-13679 (A denial of service (DoS) attack in Symantec Encryption Desktop before ...) NOT-FOR-US: Symantec CVE-2017-13678 (Stored XSS vulnerability in the Symantec Advanced Secure Gateway (ASG) ...) - TODO: check + NOT-FOR-US: Symantec CVE-2017-13677 (Denial-of-service (DoS) vulnerability in the Symantec Advanced Secure ...) - TODO: check + NOT-FOR-US: Symantec CVE-2017-13676 (Norton Remove Reinstall can be susceptible to a DLL preloading ...) NOT-FOR-US: Symantec CVE-2017-13675 (A denial of service (DoS) attack in Symantec Endpoint Encryption ...) 
@@ -45493,7 +45493,7 @@ CVE-2017-11013 (In android for MSM, Firefox OS for MSM, QRD Android, with all An CVE-2017-11012 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11011 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11010 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11009 @@ -53568,9 +53568,9 @@ CVE-2017-8277 (In all Qualcomm products with Android releases from CAF using the CVE-2017-8276 RESERVED CVE-2017-8275 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-8274 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-8273 (In all Qualcomm products with Android release from CAF using the Linux ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8272 (In all Qualcomm products with Android releases from CAF using the ...) @@ -53815,7 +53815,7 @@ CVE-2017-8156 (The outdoor unit of Customer Premise Equipment (CPE) product B233 CVE-2017-8155 (The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 ...) NOT-FOR-US: Huawei CVE-2017-8154 (The Themes App Honor 8 Lite
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 07c0ce1b by Moritz Muehlenhoff at 2018-04-12T14:52:07+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4441,7 +4441,7 @@ CVE-2018-8119 CVE-2018-8118 RESERVED CVE-2018-8117 (A security feature bypass vulnerability exists in the Microsoft ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8116 (A denial of service vulnerability exists in the way that Windows ...) NOT-FOR-US: Microsoft CVE-2018-8115 @@ -8132,7 +8132,7 @@ CVE-2018-6907 CVE-2018-6906 RESERVED CVE-2018-6905 (The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via ...) - TODO: check + - typo3-src CVE-2018-6904 RESERVED CVE-2018-6903 
@@ -8878,49 +8878,49 @@ CVE-2017-18148 CVE-2017-18147 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18146 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18145 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18144 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18143 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18142 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18141 RESERVED CVE-2017-18140 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18139 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18138 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18137 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18136 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18135 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18134 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18133 (In Android before security patch level 2018-04-05 on Qualcomm ...) 
- TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18132 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18131 RESERVED CVE-2017-18130 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18129 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18128 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18127 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18126 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18125 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18124 RESERVED CVE-2018-6622 @@ -26033,7 +26033,7 @@ CVE-2018-0547 (Cross-site scripting vulnerability in WP All Import plugin prior CVE-2018-0546 (Cross-site scripting vulnerability in WP All Import plugin prior to ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-0545 (LXR version 1.0.0 to 2.3.0 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: LXR CVE-2018-0544 (Untrusted search path vulnerability in WinShot 1.53a and earlier ...) NOT-FOR-US: WinShot CVE-2018-0543 (Untrusted search path vulnerability in Jtrim 1.53c and earlier ...) View it on GitLab:
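Review bot: the hunk at @@ -8132 (CVE-2018-6905) is not an NFU: it assigns the issue to the Debian source package ("- typo3-src") while the commit message says only "NFUs". Either split that change into its own commit or mention the TYPO3 triage in the message, so the log stays searchable for commits that open an issue against a package rather than dismiss one.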
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b41b5cab by Moritz Muehlenhoff at 2018-04-12T14:43:23+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10840,13 +10840,13 @@ CVE-2018-6005 (SQL Injection exists in the Realpin through 1.5.04 component for CVE-2018-6004 (SQL Injection exists in the File Download Tracker 3.0 component for ...) NOT-FOR-US: File Download Tracker component for Joomla! CVE-2017-18074 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18073 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18072 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18071 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18070 RESERVED CVE-2017-18069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
@@ -17437,17 +17437,17 @@ CVE-2018-3596 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android CVE-2018-3595 RESERVED CVE-2018-3594 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3593 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3592 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3591 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3590 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3589 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3588 RESERVED CVE-2018-3587 @@ -24932,9 +24932,9 @@ CVE-2018-0990 (A remote code execution vulnerability exists in the way that the CVE-2018-0989 (An information disclosure vulnerability exists in the way that the ...) NOT-FOR-US: Microsoft CVE-2018-0988 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0987 (An information disclosure vulnerability exists when the scripting ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0986 (A remote code execution vulnerability exists when the Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-0985 
@@ -24946,57 +24946,57 @@ CVE-2018-0983 (Windows Storage Services in Windows 10 versions 1511, 1607, 1703 CVE-2018-0982 RESERVED CVE-2018-0981 (An information disclosure vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0980 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0979 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0978 RESERVED CVE-2018-0977 (The Windows kernel mode driver in Windows 10 Gold, 1511, 1607, 1703, ...) NOT-FOR-US: Microsoft CVE-2018-0976 (A denial of service vulnerability exists in Remote Desktop Protocol ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0975 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0974 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0973 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0972 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0971 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0970 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0969 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0968 (An information disclosure
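Review bot: the hunk at @@ -10840 uses the singular "NOT-FOR-US: Qualcomm component for Android" for CVE-2017-18071 through CVE-2017-18074, while the hunk at @@ -17437 in the same commit (CVE-2018-3589 through CVE-2018-3594) and the surrounding existing entries use "NOT-FOR-US: Qualcomm components for Android". Pick one spelling; the plural is the established one, and a single consistent string keeps these entries greppable.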
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Fix syntax error for CVE-2017-12617 entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d21cbd57 by Salvatore Bonaccorso at 2018-04-12T14:21:36+02:00 Fix syntax error for CVE-2017-12617 entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -40768,9 +40768,9 @@ CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ...) {DLA-1166-1} - tomcat9 (Specific to running Tomcat on Windows) - - tomcat8 (Specific to running Tomcat on Windows) - - tomcat8.0 (Specific to running Tomcat on Windows) - - tomcat7 7 (Specific to running Tomcat on Windows) + - tomcat8 (Specific to running Tomcat on Windows) + - tomcat8.0 (Specific to running Tomcat on Windows) + - tomcat7 (Specific to running Tomcat on Windows) NOTE: https://svn.apache.org/r1809673 (8.5.x) NOTE: https://svn.apache.org/r1809675 (8.5.x) NOTE: https://svn.apache.org/r1809896 (8.5.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d21cbd57edca9d14eae726b5148584b582bb8452 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d21cbd57edca9d14eae726b5148584b582bb8452 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
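Review bot: the only visible change in the hunk is dropping the stray "7" from "- tomcat7 7 (Specific to running Tomcat on Windows)"; the tomcat8 and tomcat8.0 lines are removed and re-added with identical text, so if they differ only in indentation the commit message should say which syntax error the tracker's checker reported, otherwise the re-add looks like a no-op. The tomcat9 line from the same earlier commit is left as context, so confirm it passes the same check.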
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] One tomcat issue Windows-specific
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7aeed9b6 by Moritz Muehlenhoff at 2018-04-12T14:10:55+02:00 One tomcat issue Windows-specific - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -40767,12 +40767,10 @@ CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail NOTE: https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ...) {DLA-1166-1} - - tomcat9 (bug #802312) - - tomcat8 8.5.23-1 - - tomcat8.0 (unimportant) - NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - - tomcat7 7.0.72-3 - NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API + - tomcat9 (Specific to running Tomcat on Windows) + - tomcat8 (Specific to running Tomcat on Windows) + - tomcat8.0 (Specific to running Tomcat on Windows) + - tomcat7 7 (Specific to running Tomcat on Windows) NOTE: https://svn.apache.org/r1809673 (8.5.x) NOTE: https://svn.apache.org/r1809675 (8.5.x) NOTE: https://svn.apache.org/r1809896 (8.5.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7aeed9b6c7574dd464e845e4e5877b0296c56bf1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7aeed9b6c7574dd464e845e4e5877b0296c56bf1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
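Review bot: the hunk drops recorded fixed versions ("- tomcat8 8.5.23-1", "- tomcat7 7.0.72-3") and the two NOTE lines explaining what src:tomcat8.0 and src:tomcat7 still build, while the entry keeps the {DLA-1166-1} reference and the visible part of the description ("When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ...") carries no platform qualifier. A DLA was issued for this CVE, which does not square with marking every tomcat package as Windows-specific; re-check the CVE id against the full description before overwriting fixed-version history, and if the Windows-only reading holds, keep the fixed versions and record the platform limitation in a NOTE. Separately, "- tomcat7 7 (Specific to running Tomcat on Windows)" carries a stray "7" that the follow-up commit has to fix.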
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 27759e77 by Salvatore Bonaccorso at 2018-04-12T11:02:01+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -11,15 +11,15 @@ CVE-2018-10054 (H2 1.4.197, as used in Datomic before 0.9.5697 and other product CVE-2018-10053 RESERVED CVE-2018-10052 (iScripts SupportDesk v4.3 has XSS via the ...) - TODO: check + NOT-FOR-US: iScripts SupportDesk CVE-2018-10051 (iScripts SupportDesk v4.3 has XSS via the ...) - TODO: check + NOT-FOR-US: iScripts SupportDesk CVE-2018-10050 (iScripts eSwap v2.4 has SQL injection via the ...) - TODO: check + NOT-FOR-US: iScripts eSwap CVE-2018-10049 (iScripts eSwap v2.4 has XSS via the registration_settings.php txtDate ...) - TODO: check + NOT-FOR-US: iScripts eSwap CVE-2018-10048 (iScripts eSwap v2.4 has CSRF via registration_settings.php in the ...) - TODO: check + NOT-FOR-US: iScripts eSwap CVE-2018-10047 RESERVED CVE-2018-10046 @@ -4443,7 +4443,7 @@ CVE-2018-8118 CVE-2018-8117 (A security feature bypass vulnerability exists in the Microsoft ...) TODO: check CVE-2018-8116 (A denial of service vulnerability exists in the way that Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8115 RESERVED CVE-2018-8114 @@ -15988,11 +15988,11 @@ CVE-2018-3890 CVE-2018-3889 RESERVED CVE-2018-3888 (A memory corruption vulnerability exists in the PCX-parsing ...) - TODO: check + NOT-FOR-US: Computerinsel Photoline CVE-2018-3887 (A memory corruption vulnerability exists in the PCX-parsing ...) - TODO: check + NOT-FOR-US: Computerinsel Photoline CVE-2018-3886 (A memory corruption vulnerability exists in the PCX-parsing ...) - TODO: check + NOT-FOR-US: Computerinsel Photoline CVE-2018-3885 RESERVED CVE-2018-3884 
@@ -24355,7 +24355,7 @@ CVE-2017-17310 CVE-2017-17309 RESERVED CVE-2017-17308 (SCCPX module in Huawei DP300 V500R002C00, RP200 V500R002C00, ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17307 (Some Huawei Smartphones with software of VNS-L21AUTC555B141 have an ...) NOT-FOR-US: Huawei CVE-2017-17306 (Some Huawei Smartphones with software of VNS-L21AUTC555B141, ...) 
@@ -24834,103 +24834,103 @@ CVE-2018-1039 CVE-2018-1038 (The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 ...) NOT-FOR-US: Microsoft CVE-2018-1037 (An information disclosure vulnerability exists when Visual Studio ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1036 RESERVED CVE-2018-1035 RESERVED CVE-2018-1034 (An elevation of privilege vulnerability exists when Microsoft ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1033 RESERVED CVE-2018-1032 (An elevation of privilege vulnerability exists when Microsoft ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1031 RESERVED CVE-2018-1030 (A remote code execution vulnerability exists in Microsoft Office ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1029 (A remote code execution vulnerability exists in Microsoft Excel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1028 (A remote code execution vulnerability exists when the Office graphics ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1027 (A remote code execution vulnerability exists in Microsoft Excel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1026 (A remote code execution vulnerability exists in Microsoft Office ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1025 RESERVED CVE-2018-1024 RESERVED CVE-2018-1023 (A remote code execution vulnerability exists in the way that Microsoft ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1022 RESERVED CVE-2018-1021 RESERVED CVE-2018-1020 (A remote code execution vulnerability exists when Internet Explorer ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1019 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1018 (A remote code execution vulnerability exists when Internet Explorer ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1017 RESERVED CVE-2018-1016 (A remote code execution vulnerability exists when the Windows font ...) 
- TODO: check + NOT-FOR-US: Microsoft CVE-2018-1015 (A remote code execution vulnerability exists when the Windows font ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1014 (An elevation of privilege vulnerability exists when Microsoft ...) - TODO: check +
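Review bot: in the hunk at @@ -4443, CVE-2018-8117 (a Microsoft security feature bypass) is left at "TODO: check" while its neighbour CVE-2018-8116 is marked "NOT-FOR-US: Microsoft" in the same hunk; both arrived in the same automatic update and name the same vendor, so mark both in one pass rather than leaving one for a later commit (a later NFUs commit on this list does pick it up).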
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb94a5da by security tracker role at 2018-04-12T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,25 @@ +CVE-2018-10058 + RESERVED +CVE-2018-10057 + RESERVED +CVE-2018-10056 + RESERVED +CVE-2018-10055 + RESERVED +CVE-2018-10054 (H2 1.4.197, as used in Datomic before 0.9.5697 and other products, ...) + TODO: check +CVE-2018-10053 + RESERVED +CVE-2018-10052 (iScripts SupportDesk v4.3 has XSS via the ...) + TODO: check +CVE-2018-10051 (iScripts SupportDesk v4.3 has XSS via the ...) + TODO: check +CVE-2018-10050 (iScripts eSwap v2.4 has SQL injection via the ...) + TODO: check +CVE-2018-10049 (iScripts eSwap v2.4 has XSS via the registration_settings.php txtDate ...) + TODO: check +CVE-2018-10048 (iScripts eSwap v2.4 has CSRF via registration_settings.php in the ...) + TODO: check CVE-2018-10047 RESERVED CVE-2018-10046 @@ -404,8 +426,7 @@ CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles a numeric username, wh TODO: check CVE-2018-9861 RESERVED -CVE-2018-9860 [An off by one error in TLS CBC decryption] - RESERVED +CVE-2018-9860 (An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An ...) - botan 2.4.0-6 - botan1.10 (Issue introduced in 1.11.32) NOTE: https://github.com/randombit/botan/commit/ec222c99719c396a1f4756b2ca345dbbfbeb5ed5 @@ -4419,10 +4440,10 @@ CVE-2018-8119 RESERVED CVE-2018-8118 RESERVED -CVE-2018-8117 - RESERVED -CVE-2018-8116 - RESERVED +CVE-2018-8117 (A security feature bypass vulnerability exists in the Microsoft ...) + TODO: check +CVE-2018-8116 (A denial of service vulnerability exists in the way that Windows ...) + TODO: check CVE-2018-8115 RESERVED CVE-2018-8114 
@@ -15966,12 +15987,12 @@ CVE-2018-3890 RESERVED CVE-2018-3889 RESERVED -CVE-2018-3888 - RESERVED -CVE-2018-3887 - RESERVED -CVE-2018-3886 - RESERVED +CVE-2018-3888 (A memory corruption vulnerability exists in the PCX-parsing ...) + TODO: check +CVE-2018-3887 (A memory corruption vulnerability exists in the PCX-parsing ...) + TODO: check +CVE-2018-3886 (A memory corruption vulnerability exists in the PCX-parsing ...) + TODO: check CVE-2018-3885 RESERVED CVE-2018-3884 
@@ -24812,109 +24833,109 @@ CVE-2018-1039 RESERVED CVE-2018-1038 (The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 ...) NOT-FOR-US: Microsoft -CVE-2018-1037 - RESERVED +CVE-2018-1037 (An information disclosure vulnerability exists when Visual Studio ...) + TODO: check CVE-2018-1036 RESERVED CVE-2018-1035 RESERVED -CVE-2018-1034 - RESERVED +CVE-2018-1034 (An elevation of privilege vulnerability exists when Microsoft ...) + TODO: check CVE-2018-1033 RESERVED -CVE-2018-1032 - RESERVED +CVE-2018-1032 (An elevation of privilege vulnerability exists when Microsoft ...) + TODO: check CVE-2018-1031 RESERVED -CVE-2018-1030 - RESERVED -CVE-2018-1029 - RESERVED -CVE-2018-1028 - RESERVED -CVE-2018-1027 - RESERVED -CVE-2018-1026 - RESERVED +CVE-2018-1030 (A remote code execution vulnerability exists in Microsoft Office ...) + TODO: check +CVE-2018-1029 (A remote code execution vulnerability exists in Microsoft Excel ...) + TODO: check +CVE-2018-1028 (A remote code execution vulnerability exists when the Office graphics ...) + TODO: check +CVE-2018-1027 (A remote code execution vulnerability exists in Microsoft Excel ...) + TODO: check +CVE-2018-1026 (A remote code execution vulnerability exists in Microsoft Office ...) + TODO: check CVE-2018-1025 RESERVED CVE-2018-1024 RESERVED -CVE-2018-1023 - RESERVED +CVE-2018-1023 (A remote code execution vulnerability exists in the way that Microsoft ...) + TODO: check CVE-2018-1022 RESERVED CVE-2018-1021 RESERVED -CVE-2018-1020 - RESERVED -CVE-2018-1019 - RESERVED -CVE-2018-1018 - RESERVED +CVE-2018-1020 (A remote code execution vulnerability exists when Internet Explorer ...) + TODO: check +CVE-2018-1019 (A remote code execution vulnerability exists in the way that the ...) + TODO: check +CVE-2018-1018 (A remote code execution vulnerability exists when Internet Explorer ...) 
+ TODO: check CVE-2018-1017 RESERVED -CVE-2018-1016 - RESERVED -CVE-2018-1015 - RESERVED -CVE-2018-1014 - RESERVED -CVE-2018-1013 - RESERVED -CVE-2018-1012 - RESERVED -CVE-2018-1011 - RESERVED -CVE-2018-1010 - RESERVED
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark rubygems as minor in wheezy
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 88592a57 by Brian May at 2018-04-12T16:39:03+10:00 Mark rubygems as minor in wheezy Considered not worth fixing. See the following threads on debian-lts: * https://lists.debian.org/debian-lts/2018/04/msg00015.html * https://lists.debian.org/debian-lts/2018/04/msg00042.html - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7037,6 +7037,7 @@ CVE-2018-174 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.1 - ruby1.9.1 - rubygems + [wheezy] - rubygems (Minor issue) - jruby NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -83,10 +83,6 @@ qemu-kvm ruby1.9.1 (Santiago R.R.) NOTE: 20180402: Also vulnerable to CVE-2018-174. (lamby) -- -rubygems - NOTE: See https://lists.debian.org/debian-lts/2018/04/msg00015.html - NOTE: See https://lists.debian.org/debian-lts/2018/04/msg00042.html --- sharutils (Abhijith PA) NOTE: 20180318: no patch available yet, so no email to maintainer sent -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88592a572dcd21aabff91448e8117c0548161a2e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88592a572dcd21aabff91448e8117c0548161a2e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
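Review bot: the data/CVE/list hunk records the wheezy decision for the RubyGems entry only as "(Minor issue)", while the reasoning survives solely in the commit message and in the two NOTE lines that the data/dla-needed.txt hunk deletes. Add the two debian-lts thread URLs as NOTE lines under the CVE entry, so the rationale for not issuing a DLA stays with the data instead of living only in git history.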
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process CVE-2017-1513{7, 8} as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f3081ed by Salvatore Bonaccorso at 2018-04-12T08:14:09+02:00 Process CVE-2017-1513{7,8} as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -32836,8 +32836,10 @@ CVE-2017-15139 RESERVED CVE-2017-15138 RESERVED + NOT-FOR-US: atomic-openshift CVE-2017-15137 RESERVED + NOT-FOR-US: atomic-openshift CVE-2017-15136 (When registering and activating a new system with Red Hat Satellite 6 ...) NOT-FOR-US: Red Hat Satellite 6 CVE-2017-15135 (It was found that 389-ds-base since 1.3.6.1 up to and including ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f3081ed221817c7b1b9fff5aafcffaadb072072 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f3081ed221817c7b1b9fff5aafcffaadb072072 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
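Review bot: the hunk adds "NOT-FOR-US: atomic-openshift" under entries that still read "RESERVED" (CVE-2017-15137 and CVE-2017-15138), so the judgement is made before a public description exists, and the context line for CVE-2017-15136 shows the usual shape of an NFU entry (description plus state, no RESERVED). The automatic update elsewhere on this list rewrites RESERVED entries into a description plus "TODO: check", so record the source of the atomic-openshift attribution in a NOTE line (the advisory the assignment is based on) and make sure the next automatic update does not reset these two entries to TODO.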