[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] curl DSA
Alessandro Ghedini pushed to branch master at Debian Security Tracker / security-tracker Commits: 9451e95f by Alessandro Ghedini at 2018-03-14T21:14:40+00:00 curl DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[14 Mar 2018] DSA-4136-1 curl - security update + {CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122} + [jessie] - curl 7.38.0-4+deb8u10 + [stretch] - curl 7.52.1-5+deb9u5 [13 Mar 2018] DSA-4135-1 samba - security update {CVE-2018-1050 CVE-2018-1057} [stretch] - samba 2:4.5.12+dfsg-2+deb9u2 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -18,8 +18,6 @@ asterisk/stable -- chromium-browser/stable -- -curl (ghedo) --- dokuwiki/oldstable -- ffmpeg/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9451e95f2c9110027b1fced6dae4014172c6e65c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9451e95f2c9110027b1fced6dae4014172c6e65c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] curl DSA
Alessandro Ghedini pushed to branch master at Debian Security Tracker / security-tracker Commits: e850d820 by Alessandro Ghedini at 2018-01-26T09:48:02+00:00 curl DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[26 Jan 2018] DSA-4098-1 curl - security update + {CVE-2018-105 CVE-2018-107} + [jessie] - curl 7.38.0-4+deb8u9 + [stretch] - curl 7.52.1-5+deb9u4 [25 Jan 2018] DSA-4097-1 poppler - security update {CVE-2017-1000456} [jessie] - poppler 0.26.5-2+deb8u3 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -16,8 +16,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- chromium-browser/stable -- -curl (ghedo) --- dovecot (carnil) holding back upload due to possible regression -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e850d8206643e11ddd0572ec5fbff1a2ad199438 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e850d8206643e11ddd0572ec5fbff1a2ad199438 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
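Review bot: the CVE references in the new DSA-4098-1 entry, `{CVE-2018-105 CVE-2018-107}`, are not well-formed identifiers (the sequence part of a CVE id has at least four digits), so they cannot be matched to any CVE/list entry and the advisory would be recorded without its issues; re-check the ids against the published advisory before this lands.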
[Secure-testing-commits] r57040 - data/DSA
Author: ghedo Date: 2017-10-27 19:59:54 + (Fri, 27 Oct 2017) New Revision: 57040 Modified: data/DSA/list Log: Reserve DSA for curl Modified: data/DSA/list === --- data/DSA/list 2017-10-27 19:06:04 UTC (rev 57039) +++ data/DSA/list 2017-10-27 19:59:54 UTC (rev 57040) @@ -1,3 +1,7 @@ +[27 Oct 2017] DSA-4007-1 curl - security update + {CVE-2017-1000257} + [jessie] - curl 7.38.0-4+deb8u7 + [stretch] - curl 7.52.1-5+deb9u2 [24 Oct 2017] DSA-4006-1 mupdf - security update {CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587} [stretch] - mupdf 1.9a+ds1-4+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43744 - data/CVE
Author: ghedo Date: 2016-08-03 12:34:13 + (Wed, 03 Aug 2016) New Revision: 43744 Modified: data/CVE/list Log: Add fixed versions for curl issues Modified: data/CVE/list === --- data/CVE/list 2016-08-03 12:27:47 UTC (rev 43743) +++ data/CVE/list 2016-08-03 12:34:13 UTC (rev 43744) @@ -3318,21 +3318,21 @@ RESERVED CVE-2016-5422 RESERVED -CVE-2016-5421 +CVE-2016-5421 [TLS session resumption client cert bypass] RESERVED - - curl + - curl 7.50.1-1 [wheezy] - curl (introduced in 7.32.0) NOTE: https://curl.haxx.se/docs/adv_20160803C.html NOTE: Fixed by https://curl.haxx.se/CVE-2016-5421.patch -CVE-2016-5420 +CVE-2016-5420 [Re-using connection with wrong client cert] RESERVED - - curl + - curl 7.50.1-1 NOTE: https://curl.haxx.se/docs/adv_20160803B.html NOTE: Fixed by https://curl.haxx.se/CVE-2016-5420.patch NOTE: Wheezy: vulnerable code is in lib/sslgen.c -CVE-2016-5419 +CVE-2016-5419 [TLS session resumption client cert bypass] RESERVED - - curl + - curl 7.50.1-1 NOTE: https://curl.haxx.se/docs/adv_20160803A.html NOTE: Fixed by https://curl.haxx.se/CVE-2016-5419.patch NOTE: Wheezy: vulnerable code is in lib/sslgen.c ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
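Review bot: the description added for CVE-2016-5421, `[TLS session resumption client cert bypass]`, is identical to the one added for CVE-2016-5419, so the two entries are indistinguishable by title; the linked adv_20160803C.html should be used to give CVE-2016-5421 its own wording. Separately, the context line `[wheezy] - curl (introduced in 7.32.0)` carries neither a version nor a `<not-affected>` marker, so if the intent is that wheezy never shipped the vulnerable code it should read `[wheezy] - curl <not-affected> (introduced in 7.32.0)`; as written the suite is still recorded as open.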
[Secure-testing-commits] r43745 - data/DSA
Author: ghedo Date: 2016-08-03 12:34:17 + (Wed, 03 Aug 2016) New Revision: 43745 Modified: data/DSA/list Log: Reserve DSA for curl Modified: data/DSA/list === --- data/DSA/list 2016-08-03 12:34:13 UTC (rev 43744) +++ data/DSA/list 2016-08-03 12:34:17 UTC (rev 43745) @@ -1,3 +1,6 @@ +[03 Aug 2016] DSA-3638-1 curl - security update + {CVE-2016-5419 CVE-2016-5420 CVE-2016-5421} + [jessie] - curl 7.38.0-4+deb8u4 [31 Jul 2016] DSA-3637-1 chromium-browser - security update {CVE-2016-1704 CVE-2016-1705 CVE-2016-1706 CVE-2016-1707 CVE-2016-1708 CVE-2016-1709 CVE-2016-1710 CVE-2016-1711 CVE-2016-5127 CVE-2016-5128 CVE-2016-5129 CVE-2016-5130 CVE-2016-5131 CVE-2016-5132 CVE-2016-5133 CVE-2016-5134 CVE-2016-5135 CVE-2016-5136 CVE-2016-5137} [jessie] - chromium-browser 52.0.2743.82-1~deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
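Review bot: DSA-3638-1 records a fixed version for jessie only, while the CVE/list entries for CVE-2016-5419 and CVE-2016-5420 in r43744 note `Wheezy: vulnerable code is in lib/sslgen.c`; either add a `[wheezy]` line when an update exists or record in CVE/list how wheezy is being handled, otherwise the three issues stay listed as open there.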
[Secure-testing-commits] r41730 - in data: . CVE DSA
Author: ghedo Date: 2016-05-14 17:42:50 + (Sat, 14 May 2016) New Revision: 41730 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: Reserve DSA for libidn Modified: data/CVE/list === --- data/CVE/list 2016-05-14 17:22:04 UTC (rev 41729) +++ data/CVE/list 2016-05-14 17:42:50 UTC (rev 41730) @@ -22397,6 +22397,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/08/04/2 CVE-2015- [more to CVE-2015-2059] - libidn 1.32-1 + [jessie] - libidn 1.29-1+deb8u1 [squeeze] - libidn 1.15-2+deb6u2 NOTE: Introduced by fix for CVE-2015-2059 NOTE: https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00026.html Modified: data/DSA/list === --- data/DSA/list 2016-05-14 17:22:04 UTC (rev 41729) +++ data/DSA/list 2016-05-14 17:42:50 UTC (rev 41730) @@ -1,3 +1,6 @@ +[14 May 2016] DSA-3578-1 libidn - security update + {CVE-2015-2059} + [jessie] - libidn 1.29-1+deb8u1 [14 May 2016] DSA-3577-1 jansson - security update {CVE-2016-4425} [jessie] - jansson 2.7-1+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-05-14 17:22:04 UTC (rev 41729) +++ data/dsa-needed.txt 2016-05-14 17:42:50 UTC (rev 41730) @@ -29,13 +29,6 @@ -- imagemagick (luciano) -- -libidn (ghedo) - Working debdiff for wheezy-security at - https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff - Work-in-progress debdiff for jessie-security at - https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff - Help is needed to fix it so that it doesn't FTBFS --- libxml2 (carnil) NOTE: waiting for libxml2 upstream's blessed patches -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
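Review bot: the DSA-3578-1 entry references CVE-2015-2059, but the jessie fixed version `1.29-1+deb8u1` is added under the placeholder entry `CVE-2015- [more to CVE-2015-2059]` rather than under CVE-2015-2059 itself, so the DSA's CVE reference and the CVE/list entry that carries the suite version do not line up; either give the placeholder its own id once assigned and reference it from the DSA, or make sure CVE-2015-2059 also records the jessie version.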
[Secure-testing-commits] r41724 - data
Author: ghedo Date: 2016-05-14 16:33:48 + (Sat, 14 May 2016) New Revision: 41724 Modified: data/dsa-needed.txt Log: Retake libidn Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-05-14 16:33:03 UTC (rev 41723) +++ data/dsa-needed.txt 2016-05-14 16:33:48 UTC (rev 41724) @@ -29,7 +29,7 @@ -- imagemagick (luciano) -- -libidn +libidn (ghedo) Working debdiff for wheezy-security at https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff Work-in-progress debdiff for jessie-security at ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41723 - in data: . DSA
Author: ghedo Date: 2016-05-14 16:33:03 + (Sat, 14 May 2016) New Revision: 41723 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for jansson Modified: data/DSA/list === --- data/DSA/list 2016-05-14 16:29:50 UTC (rev 41722) +++ data/DSA/list 2016-05-14 16:33:03 UTC (rev 41723) @@ -1,3 +1,6 @@ +[14 May 2016] DSA-3577-1 jansson - security update + {CVE-2016-4425} + [jessie] - jansson 2.7-1+deb8u1 [13 May 2016] DSA-3576-1 icedove - security update {CVE-2016-1979 CVE-2016-2805 CVE-2016-2807} [jessie] - icedove 38.8.0-1~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-05-14 16:29:50 UTC (rev 41722) +++ data/dsa-needed.txt 2016-05-14 16:33:03 UTC (rev 41723) @@ -29,8 +29,6 @@ -- imagemagick (luciano) -- -jansson (ghedo) --- libidn Working debdiff for wheezy-security at https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41395 - in data: . DSA
Author: ghedo Date: 2016-05-03 18:10:16 + (Tue, 03 May 2016) New Revision: 41395 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for openssl Modified: data/DSA/list === --- data/DSA/list 2016-05-03 17:49:07 UTC (rev 41394) +++ data/DSA/list 2016-05-03 18:10:16 UTC (rev 41395) @@ -1,3 +1,6 @@ +[03 May 2016] DSA-3566-1 openssl - security update + {CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 CVE-2016-2176} + [jessie] - openssl 1.0.1k-3+deb8u5 [02 May 2016] DSA-3565-1 botan1.10 - security update {CVE-2015-5726 CVE-2015-5727 CVE-2015-7827 CVE-2016-2194 CVE-2016-2195 CVE-2016-2849} [jessie] - botan1.10 1.10.8-2+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-05-03 17:49:07 UTC (rev 41394) +++ data/dsa-needed.txt 2016-05-03 18:10:16 UTC (rev 41395) @@ -54,8 +54,6 @@ -- openjpeg2 (jmm) -- -openssl (ghedo) --- phpmyadmin (thijs) -- quagga ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41378 - data/CVE
Author: ghedo Date: 2016-05-03 14:34:38 + (Tue, 03 May 2016) New Revision: 41378 Modified: data/CVE/list Log: Update openssl issues Modified: data/CVE/list === --- data/CVE/list 2016-05-03 14:33:03 UTC (rev 41377) +++ data/CVE/list 2016-05-03 14:34:38 UTC (rev 41378) @@ -6297,9 +6297,9 @@ RESERVED CVE-2016-2177 RESERVED -CVE-2016-2176 +CVE-2016-2176 [EBCDIC overread] RESERVED - - openssl + - openssl (Only affects EBCDIC systems) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ea96ad5a206b7b5f25dad230333e8ff032df3219 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2175 
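Review bot: `- openssl (Only affects EBCDIC systems)` for CVE-2016-2176 has neither a fixed version nor a status marker, so the issue remains recorded as unfixed in openssl; if Debian's builds are not affected, use the `<not-affected>` marker (for example `- openssl <not-affected> (Only affects EBCDIC systems)`) so the entry does not show up as open.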
@@ -6496,27 +6496,27 @@ {DSA-3548-1} - samba 2:4.3.7+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2016-2110.html -CVE-2016-2109 +CVE-2016-2109 [ASN.1 BIO excessive memory allocation] RESERVED - openssl (low) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=c62981390d6cf9e3d612c489b8b77c2913b25807 NOTE: https://www.openssl.org/news/secadv/20160503.txt -CVE-2016-2108 +CVE-2016-2108 [Memory corruption in the ASN.1 encoder] RESERVED - openssl 1.0.2c-1 NOTE: https://www.openssl.org/news/secadv/20160503.txt -CVE-2016-2107 +CVE-2016-2107 [Padding oracle in AES-NI CBC MAC check] RESERVED - openssl NOTE: https://www.openssl.org/news/secadv/20160503.txt -CVE-2016-2106 +CVE-2016-2106 [EVP_EncryptUpdate overflow] RESERVED - - openssl + - openssl (low) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=3f3582139fbb259a1c3cbb0a25236500a409bf26 NOTE: https://www.openssl.org/news/secadv/20160503.txt -CVE-2016-2105 +CVE-2016-2105 [EVP_EncodeUpdate overflow] RESERVED - - openssl + - openssl (low) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920 NOTE: https://www.openssl.org/news/secadv/20160503.txt CVE-2016-2104 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41095 - in data: . DSA
Author: ghedo Date: 2016-04-23 22:13:46 + (Sat, 23 Apr 2016) New Revision: 41095 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for imlib2 Modified: data/DSA/list === --- data/DSA/list 2016-04-23 17:55:09 UTC (rev 41094) +++ data/DSA/list 2016-04-23 22:13:46 UTC (rev 41095) @@ -1,3 +1,7 @@ +[23 Apr 2016] DSA-3555-1 imlib2 - security update + {CVE-2011-5326 CVE-2014-9771 CVE-2016-3993 CVE-2016-3994 CVE-2016-4024} + [wheezy] - imlib2 1.4.5-1+deb7u2 + [jessie] - imlib2 1.4.6-2+deb8u2 [21 Apr 2016] DSA-3554-1 xen - security update {CVE-2016-3158 CVE-2016-3159 CVE-2016-3960} [jessie] - xen 4.4.1-9+deb8u5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-23 17:55:09 UTC (rev 41094) +++ data/dsa-needed.txt 2016-04-23 22:13:46 UTC (rev 41095) @@ -30,8 +30,6 @@ no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 should be fixed along -- -imlib2 (ghedo) --- libgd2 carnil> Test packages: https://people.debian.org/~carnil/tmp/libgd2/ -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41089 - data/CVE
Author: ghedo Date: 2016-04-23 16:54:46 + (Sat, 23 Apr 2016) New Revision: 41089 Modified: data/CVE/list Log: Remove no-dsa tag from imlib2 issues (might as well fix them while I'm at it) Modified: data/CVE/list === --- data/CVE/list 2016-04-23 15:22:54 UTC (rev 41088) +++ data/CVE/list 2016-04-23 16:54:46 UTC (rev 41089) @@ -412,8 +412,6 @@ CVE-2011-5326 [divide-by-zero on 2x1 ellipse] RESERVED - imlib2 1.4.8-1 (bug #639414) - [jessie] - imlib2 (Minor issue) - [wheezy] - imlib2 (Minor issue) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882 NOTE: http://www.openwall.com/lists/oss-security/2016/04/10/5 CVE-2016-3995 [Timing Attack Counter Measure AES] @@ -589,8 +587,6 @@ CVE-2016-3993 [off-by-one OOB read in __imlib_MergeUpdate] RESERVED - imlib2 1.4.8-1 (bug #819818) - [jessie] - imlib2 (Minor issue) - [wheezy] - imlib2 (Minor issue) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5 CVE-2012- [Option -localhost seems to fail to restrict ipv6 access] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41079 - data/CVE
Author: ghedo Date: 2016-04-23 12:43:42 + (Sat, 23 Apr 2016) New Revision: 41079 Modified: data/CVE/list Log: imlib2 issues fixed in sid Modified: data/CVE/list === --- data/CVE/list 2016-04-23 12:43:33 UTC (rev 41078) +++ data/CVE/list 2016-04-23 12:43:42 UTC (rev 41079) @@ -238,7 +238,7 @@ NOT-FOR-US: Foxit Reader CVE-2016-4024 [integer overflow resulting in insufficient heap allocation] RESERVED - - imlib2 (bug #821732) + - imlib2 1.4.8-1 (bug #821732) NOTE: Upstream fix: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4c8ac0e20838947f10f29d0efe1add8227 NOTE: http://www.openwall.com/lists/oss-security/2016/04/14/5 CVE-2016-4005 @@ -366,7 +366,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/3 CVE-2011-5326 [divide-by-zero on 2x1 ellipse] RESERVED - - imlib2 (bug #639414) + - imlib2 1.4.8-1 (bug #639414) [jessie] - imlib2 (Minor issue) [wheezy] - imlib2 (Minor issue) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882 @@ -387,7 +387,7 @@ TODO: vtk6, paraview, opencollada, xdmf, gettext appear to include the affected code CVE-2016-3994 [GIF loader: out-of-bounds read] RESERVED - - imlib2 (bug #785369) + - imlib2 1.4.8-1 (bug #785369) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/6 CVE-2016- [Integer overflow in php_raw_url_encode] @@ -543,7 +543,7 @@ TODO: recheck versions CVE-2016-3993 [off-by-one OOB read in __imlib_MergeUpdate] RESERVED - - imlib2 (bug #819818) + - imlib2 1.4.8-1 (bug #819818) [jessie] - imlib2 (Minor issue) [wheezy] - imlib2 (Minor issue) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41078 - data
Author: ghedo Date: 2016-04-23 12:43:33 + (Sat, 23 Apr 2016) New Revision: 41078 Modified: data/dsa-needed.txt Log: Take imlib2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-23 12:27:16 UTC (rev 41077) +++ data/dsa-needed.txt 2016-04-23 12:43:33 UTC (rev 41078) @@ -30,7 +30,7 @@ no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 should be fixed along -- -imlib2 (carnil) +imlib2 (ghedo) -- libgd2 carnil> Test packages: https://people.debian.org/~carnil/tmp/libgd2/ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40098 - data/DSA
Author: ghedo Date: 2016-03-01 14:20:52 + (Tue, 01 Mar 2016) New Revision: 40098 Modified: data/DSA/list Log: Fix openssl version in jessie Modified: data/DSA/list === --- data/DSA/list 2016-03-01 14:13:51 UTC (rev 40097) +++ data/DSA/list 2016-03-01 14:20:52 UTC (rev 40098) @@ -1,7 +1,7 @@ [01 Mar 2016] DSA-3500-1 openssl - security update {CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799} [wheezy] - openssl 1.0.1e-2+deb7u20 - [jessie] - openssl 1.0.1k-3+deb8u3 + [jessie] - openssl 1.0.1k-3+deb8u4 [28 Feb 2016] DSA-3499-1 pillow - security update {CVE-2016-0740 CVE-2016-0775 CVE-2016-2533} [jessie] - pillow 2.6.1-2+deb8u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40096 - data/DSA
Author: ghedo Date: 2016-03-01 14:13:43 + (Tue, 01 Mar 2016) New Revision: 40096 Modified: data/DSA/list Log: Reserve DSA for openssl Modified: data/DSA/list === --- data/DSA/list 2016-03-01 14:07:06 UTC (rev 40095) +++ data/DSA/list 2016-03-01 14:13:43 UTC (rev 40096) @@ -1,3 +1,7 @@ +[01 Mar 2016] DSA-3500-1 openssl - security update + {CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799} + [wheezy] - openssl 1.0.1e-2+deb7u20 + [jessie] - openssl 1.0.1k-3+deb8u3 [28 Feb 2016] DSA-3499-1 pillow - security update {CVE-2016-0740 CVE-2016-0775 CVE-2016-2533} [jessie] - pillow 2.6.1-2+deb8u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40097 - data/CVE
Author: ghedo Date: 2016-03-01 14:13:51 + (Tue, 01 Mar 2016) New Revision: 40097 Modified: data/CVE/list Log: Update openssl issues Modified: data/CVE/list === --- data/CVE/list 2016-03-01 14:13:43 UTC (rev 40096) +++ data/CVE/list 2016-03-01 14:13:51 UTC (rev 40097) @@ -6178,7 +6178,7 @@ TODO: check CVE-2016-0801 (The Broadcom Wi-Fi driver in the kernel in Android 4.x before 4.4.4, ...) TODO: check -CVE-2016-0800 +CVE-2016-0800 [Cross-protocol attack on TLS using SSLv2 (DROWN)] RESERVED - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support @@ -6186,18 +6186,18 @@ NOTE: https://www.drownattack.com/ NOTE: GNUTLS never implemented SSLv2 NOTE: http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html -CVE-2016-0799 +CVE-2016-0799 [Memory issues in BIO_*printf functions] RESERVED - openssl NOTE: https://www.openssl.org/news/secadv/20160301.txt NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=a801bf263849a2ef773e5bc0c86438cbba720835 NOTE: https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/ -CVE-2016-0798 +CVE-2016-0798 [Memory leak in SRP database lookups] RESERVED - openssl NOTE: https://www.openssl.org/news/secadv/20160301.txt NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=59a908f1e8380412a81392c468b83bf6071beb2a -CVE-2016-0797 +CVE-2016-0797 [BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption] RESERVED - openssl NOTE: https://www.openssl.org/news/secadv/20160301.txt 
@@ -6525,26 +6525,27 @@ - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3 -CVE-2016-0705 +CVE-2016-0705 [Double-free in DSA code] RESERVED - openssl [squeeze] - openssl (vulnerable code not present) NOTE: Fixed in master in https://git.openssl.org/?p=openssl.git;a=commit;h=ab4a81f69ec88d06c9d8de15326b9296d7f498ed NOTE: https://www.openssl.org/news/secadv/20160301.txt -CVE-2016-0704 +CVE-2016-0704 [Bleichenbacher oracle in SSLv2] RESERVED - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support NOTE: https://www.openssl.org/news/secadv/20160301.txt -CVE-2016-0703 +CVE-2016-0703 [Divide-and-conquer session key recovery in SSLv2] RESERVED - openssl 1.0.0c-2 NOTE: 1.0.0c-2 dropped SSLv2 support NOTE: https://www.openssl.org/news/secadv/20160301.txt -CVE-2016-0702 +CVE-2016-0702 [Side channel attack on modular exponentiation] RESERVED - openssl NOTE: https://www.openssl.org/news/secadv/20160301.txt + NOTE: https://cachebleed.info CVE-2016-0701 (The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 ...) - openssl 1.0.2f-2 [jessie] - openssl (Only affects 1.0.2) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39230 - data/DSA
Author: ghedo Date: 2016-01-27 12:00:07 + (Wed, 27 Jan 2016) New Revision: 39230 Modified: data/DSA/list Log: Reserve DSA for curl Modified: data/DSA/list === --- data/DSA/list 2016-01-27 11:57:31 UTC (rev 39229) +++ data/DSA/list 2016-01-27 12:00:07 UTC (rev 39230) @@ -1,3 +1,6 @@ +[27 Jan 2016] DSA-3455-1 curl - security update + {CVE-2016-0755} + [jessie] - curl 7.38.0-4+deb8u3 [27 Jan 2016] DSA-3454-1 virtualbox - security update {CVE-2015-5307 CVE-2015-8104 CVE-2016-0495 CVE-2016-0592} [jessie] - virtualbox 4.3.36-dfsg-1+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39229 - data/CVE
Author: ghedo Date: 2016-01-27 11:57:31 + (Wed, 27 Jan 2016) New Revision: 39229 Modified: data/CVE/list Log: Add curl entries Modified: data/CVE/list === --- data/CVE/list 2016-01-27 09:40:52 UTC (rev 39228) +++ data/CVE/list 2016-01-27 11:57:31 UTC (rev 39229) @@ -3810,10 +3810,17 @@ RESERVED CVE-2016-0756 RESERVED -CVE-2016-0755 +CVE-2016-0755 [NTLM credentials not-checked for proxy connection re-use] RESERVED -CVE-2016-0754 + - curl 7.47.0-1 + [wheezy] - curl (Too intrusive to backport) + NOTE: http://curl.haxx.se/docs/adv_20160127A.html +CVE-2016-0754 [remote file name path traversal in curl tool for Windows] RESERVED + - curl (Windows only) + [jessie] - curl (Windows only) + [wheezy] - curl (Windows only) + NOTE: http://curl.haxx.se/docs/adv_20160127B.html CVE-2016-0753 [Possible Input Validation Circumvention in Active Model] RESERVED - rails ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
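Review bot: the suite annotations added here carry free-text reasons but no status marker: `[wheezy] - curl (Too intrusive to backport)` for CVE-2016-0755 and the three `(Windows only)` lines for CVE-2016-0754 have no version and no `<not-affected>`, `<no-dsa>` or `<ignored>` tag, so all of them remain listed as open in those suites; use `<not-affected>` for the Windows-only issue and `<no-dsa>` or `<ignored>` for the wheezy decision so the tracker reflects the intent.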
[Secure-testing-commits] r37513 - in data: . DSA
Author: ghedo Date: 2015-11-02 19:21:35 + (Mon, 02 Nov 2015) New Revision: 37513 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for libvdpau Modified: data/DSA/list === --- data/DSA/list 2015-11-02 19:12:30 UTC (rev 37512) +++ data/DSA/list 2015-11-02 19:21:35 UTC (rev 37513) @@ -1,3 +1,5 @@ +[02 Nov 2015] DSA-3355-2 libvdpau - regression update + [jessie] - libvdpau 0.8-3+deb8u2 [02 Nov 2015] DSA-3390-1 xen - security update {CVE-2015-7835} [wheezy] - xen 4.1.4-3+deb7u9 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-11-02 19:12:30 UTC (rev 37512) +++ data/dsa-needed.txt 2015-11-02 19:21:35 UTC (rev 37513) @@ -38,10 +38,6 @@ https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff Help is needed to fix it so that it doesn't FTBFS -- -libvdpau (ghedo) - Regression in jessie from DSA-3355-1 (see #803410) - Maintainer already prepared the update --- libxml2 (gcs) -- linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r37508 - data
Author: ghedo Date: 2015-11-02 15:06:27 + (Mon, 02 Nov 2015) New Revision: 37508 Modified: data/dsa-needed.txt Log: Add and take libvdpau to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-11-02 14:56:41 UTC (rev 37507) +++ data/dsa-needed.txt 2015-11-02 15:06:27 UTC (rev 37508) @@ -38,6 +38,10 @@ https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff Help is needed to fix it so that it doesn't FTBFS -- +libvdpau (ghedo) + Regression in jessie from DSA-3355-1 (see #803410) + Maintainer already prepared the update +-- libxml2 (gcs) -- linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r37085 - data/CVE
Author: ghedo Date: 2015-10-12 13:07:57 + (Mon, 12 Oct 2015) New Revision: 37085 Modified: data/CVE/list Log: Add unzip issues Modified: data/CVE/list === --- data/CVE/list 2015-10-12 13:02:05 UTC (rev 37084) +++ data/CVE/list 2015-10-12 13:07:57 UTC (rev 37085) @@ -282,10 +282,12 @@ RESERVED CVE-2015-7698 RESERVED -CVE-2015-7697 +CVE-2015-7697 [Infinite loop when extracting password-protected archive] RESERVED -CVE-2015-7696 + - unzip +CVE-2015-7696 [Heap buffer overflow when extracting password-protected archive] RESERVED + - unzip CVE-2015-7695 [ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite)] RESERVED - zendframework 1.12.16+dfsg-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
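Review bot: the new unzip entries for CVE-2015-7696 and CVE-2015-7697 give `- unzip` with no fixed version and no `NOTE:` reference to the upstream report or fix, unlike the neighbouring CVE-2015-7695 entry; add the reference (bug number or advisory URL) so whoever picks these up can locate the patch, and a severity annotation if they are not meant to get a DSA.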
[Secure-testing-commits] r37084 - data/CVE
Author: ghedo Date: 2015-10-12 13:02:05 + (Mon, 12 Oct 2015) New Revision: 37084 Modified: data/CVE/list Log: Add optipng issues Modified: data/CVE/list === --- data/CVE/list 2015-10-12 12:50:24 UTC (rev 37083) +++ data/CVE/list 2015-10-12 13:02:05 UTC (rev 37084) @@ -6,10 +6,12 @@ RESERVED CVE-2015-7805 RESERVED -CVE-2015-7802 +CVE-2015-7802 [Global buffer overflow] RESERVED -CVE-2015-7801 + - optipng +CVE-2015-7801 [Use after free] RESERVED + - optipng 0.7.5-1 CVE-2015-7800 RESERVED CVE-2015-7799 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
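Review bot: CVE-2015-7802 is recorded as `- optipng` (unfixed) while CVE-2015-7801 is fixed in `0.7.5-1`, but neither entry carries a `NOTE:` with the upstream report or fixing commit; add a reference for both, and a bug number for the still-open CVE-2015-7802 so the maintainer is notified through the usual channel.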
[Secure-testing-commits] r37082 - in data: CVE DSA
Author: ghedo Date: 2015-10-12 12:50:11 + (Mon, 12 Oct 2015) New Revision: 37082 Modified: data/CVE/list data/DSA/list Log: Remove workaround for zendframework issue Modified: data/CVE/list === --- data/CVE/list 2015-10-12 12:46:30 UTC (rev 37081) +++ data/CVE/list 2015-10-12 12:50:11 UTC (rev 37082) @@ -289,9 +289,6 @@ CVE-2015-7695 [ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite)] RESERVED - zendframework 1.12.16+dfsg-1 - [jessie] - zendframework 1.12.9+dfsg-2+deb8u4 - [wheezy] - zendframework 1.11.13-1.1+deb7u4 - NOTE: workaround entry for DSA-3369-1 until/if CVE assigned NOTE: http://framework.zend.com/security/advisory/ZF2015-08 NOTE: https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 CVE-2015-7694 Modified: data/DSA/list === --- data/DSA/list 2015-10-12 12:46:30 UTC (rev 37081) +++ data/DSA/list 2015-10-12 12:50:11 UTC (rev 37082) @@ -7,7 +7,7 @@ [wheezy] - freetype 2.4.9-1.1+deb7u2 [jessie] - freetype 2.5.2-3+deb8u1 [06 Oct 2015] DSA-3369-1 zendframework - security update - {CVE-2015-5723} + {CVE-2015-5723 CVE-2015-7695} [wheezy] - zendframework 1.11.13-1.1+deb7u4 [jessie] - zendframework 1.12.9+dfsg-2+deb8u4 [25 Sep 2015] DSA-3368-1 cyrus-sasl2 - security update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r37083 - in data: CVE DSA
Author: ghedo Date: 2015-10-12 12:50:24 + (Mon, 12 Oct 2015) New Revision: 37083 Modified: data/CVE/list data/DSA/list Log: Remove workaround for twig issue Modified: data/CVE/list === --- data/CVE/list 2015-10-12 12:50:11 UTC (rev 37082) +++ data/CVE/list 2015-10-12 12:50:24 UTC (rev 37083) @@ -82,11 +82,9 @@ TODO: check CVE-2015-7765 (ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a ...) TODO: check -CVE-2015-7809 [arbitrary code execution via the _self variable] +CVE-2015-7809 [sandbox issue] RESERVED - twig 1.20.0-1 - [jessie] - twig 1.16.2-1+deb8u1 - NOTE: Add jessie-tagged workaround item until CVE assigned NOTE: http://symfony.com/blog/security-release-twig-1-20-0 CVE-2015-7804 [Uninitialized pointer in phar_make_dirstream when zip entry filename is "/"] RESERVED Modified: data/DSA/list === --- data/DSA/list 2015-10-12 12:50:11 UTC (rev 37082) +++ data/DSA/list 2015-10-12 12:50:24 UTC (rev 37083) @@ -100,6 +100,7 @@ [wheezy] - php5 5.4.44-0+deb7u1 [jessie] - php5 5.6.12+dfsg-0+deb8u1 [26 Aug 2015] DSA-3343-1 twig - security update + {CVE-2015-7809} [jessie] - twig 1.16.2-1+deb8u1 [20 Aug 2015] DSA-3342-1 vlc - security update {CVE-2015-5949} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
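Review bot: the title for CVE-2015-7809 changes from `[arbitrary code execution via the _self variable]` to `[sandbox issue]`, which drops both the concrete impact and the cause; unless the original wording was wrong, keep the specific description (or combine the two, e.g. `[sandbox issue: arbitrary code execution via the _self variable]`) so the entry stays searchable and conveys severity. The removed jessie workaround lines are correctly replaced by the `{CVE-2015-7809}` reference added to DSA-3343-1.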
[Secure-testing-commits] r37029 - data/CVE
Author: ghedo Date: 2015-10-06 21:44:22 + (Tue, 06 Oct 2015) New Revision: 37029 Modified: data/CVE/list Log: Mark temporary zendframework issue as fixed Modified: data/CVE/list === --- data/CVE/list 2015-10-06 21:44:13 UTC (rev 37028) +++ data/CVE/list 2015-10-06 21:44:22 UTC (rev 37029) @@ -272,6 +272,8 @@ NOTE: https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f CVE-2015- [ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite)] - zendframework 1.12.16+dfsg-1 + [jessie] - zendframework 1.12.9+dfsg-2+deb8u4 + [wheezy] - zendframework 1.11.13-1.1+deb7u4 NOTE: http://framework.zend.com/security/advisory/ZF2015-08 NOTE: https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/09/30/6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r37028 - in data: . DSA
Author: ghedo Date: 2015-10-06 21:44:13 + (Tue, 06 Oct 2015) New Revision: 37028 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for freetype Modified: data/DSA/list === --- data/DSA/list 2015-10-06 21:26:34 UTC (rev 37027) +++ data/DSA/list 2015-10-06 21:44:13 UTC (rev 37028) @@ -1,3 +1,7 @@ +[06 Oct 2015] DSA-3370-1 freetype - security update + {CVE-2014-9745 CVE-2014-9746 CVE-2014-9747} + [wheezy] - freetype 2.4.9-1.1+deb7u2 + [jessie] - freetype 2.5.2-3+deb8u1 [06 Oct 2015] DSA-3369-1 zendframework - security update {CVE-2015-5723} [wheezy] - zendframework 1.11.13-1.1+deb7u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-10-06 21:26:34 UTC (rev 37027) +++ data/dsa-needed.txt 2015-10-06 21:44:13 UTC (rev 37028) @@ -24,9 +24,6 @@ -- elasticsearch -- -freetype (ghedo) - santiago (Santiago Ruano Rincón) proposed an update --- glibc (aurel32) some of the other no-dsa bugs could be fixed along -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r37026 - data/DSA
Author: ghedo Date: 2015-10-06 21:20:32 + (Tue, 06 Oct 2015) New Revision: 37026 Modified: data/DSA/list Log: Update date for zend DSA Modified: data/DSA/list === --- data/DSA/list 2015-10-06 21:19:13 UTC (rev 37025) +++ data/DSA/list 2015-10-06 21:20:32 UTC (rev 37026) @@ -1,4 +1,4 @@ -[04 Oct 2015] DSA-3369-1 zendframework - security update +[06 Oct 2015] DSA-3369-1 zendframework - security update {CVE-2015-5723} [wheezy] - zendframework 1.11.13-1.1+deb7u4 [jessie] - zendframework 1.12.9+dfsg-2+deb8u4 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r37025 - in data: . DSA
Author: ghedo Date: 2015-10-06 21:19:13 + (Tue, 06 Oct 2015) New Revision: 37025 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for zendframework Modified: data/DSA/list === --- data/DSA/list 2015-10-06 21:10:25 UTC (rev 37024) +++ data/DSA/list 2015-10-06 21:19:13 UTC (rev 37025) @@ -1,3 +1,7 @@ +[04 Oct 2015] DSA-3369-1 zendframework - security update + {CVE-2015-5723} + [wheezy] - zendframework 1.11.13-1.1+deb7u4 + [jessie] - zendframework 1.12.9+dfsg-2+deb8u4 [25 Sep 2015] DSA-3368-1 cyrus-sasl2 - security update {CVE-2013-4122} [jessie] - cyrus-sasl2 2.1.26.dfsg1-13+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-10-06 21:10:25 UTC (rev 37024) +++ data/dsa-needed.txt 2015-10-06 21:19:13 UTC (rev 37025) @@ -92,6 +92,3 @@ -- yubiserver -- -zendframework (ghedo) - Maintainer prepared packages for jessie and wheezy --- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
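Review bot: the DSA-3369-1 entry added at the top of data/DSA/list is dated [04 Oct 2015], two days before this commit's own timestamp (2015-10-06 21:19:13); r37026 above has to correct it to [06 Oct 2015]. Checking the entry date against the day the DSA is actually reserved before committing would avoid the follow-up.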
[Secure-testing-commits] r36981 - data
Author: ghedo Date: 2015-10-04 13:56:00 + (Sun, 04 Oct 2015) New Revision: 36981 Modified: data/dsa-needed.txt Log: Take freetype Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-10-04 13:48:15 UTC (rev 36980) +++ data/dsa-needed.txt 2015-10-04 13:56:00 UTC (rev 36981) @@ -24,7 +24,7 @@ -- elasticsearch -- -freetype +freetype (ghedo) santiago (Santiago Ruano Rincón) proposed an update -- glibc (aurel32) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36913 - data
Author: ghedo Date: 2015-09-30 11:03:20 + (Wed, 30 Sep 2015) New Revision: 36913 Modified: data/dsa-needed.txt Log: Add and take zendframework Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-30 10:59:28 UTC (rev 36912) +++ data/dsa-needed.txt 2015-09-30 11:03:20 UTC (rev 36913) @@ -82,3 +82,6 @@ -- yubiserver -- +zendframework (ghedo) + Maintainer prepared packages for jessie and wheezy +-- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36912 - data/CVE
Author: ghedo Date: 2015-09-30 10:59:28 + (Wed, 30 Sep 2015) New Revision: 36912 Modified: data/CVE/list Log: Add new temporary issue for zendframework Modified: data/CVE/list === --- data/CVE/list 2015-09-30 10:28:36 UTC (rev 36911) +++ data/CVE/list 2015-09-30 10:59:28 UTC (rev 36912) @@ -1,3 +1,7 @@ +CVE-2015- [ZF2014-06: SQL injection vector when manually quoting values for sqlsrv extension, using null byte] + - zendframework 1.12.16+dfsg-1 + NOTE: http://framework.zend.com/security/advisory/ZF2014-06 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/09/30/6 CVE-2015-7389 RESERVED CVE-2015-7388 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
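Review bot: the advisory identifier in the new entry's description, ZF2014-06, and the matching NOTE URL (http://framework.zend.com/security/advisory/ZF2014-06) should be checked against the oss-security CVE request referenced in the second NOTE line; the same temporary entry appears in r37029 at the top of this page as ZF2015-08 with a ZF2015-08 advisory URL, so the identifier was changed afterwards.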
[Secure-testing-commits] r36691 - in data: . DSA
Author: ghedo Date: 2015-09-15 16:17:35 + (Tue, 15 Sep 2015) New Revision: 36691 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for icu Modified: data/DSA/list === --- data/DSA/list 2015-09-15 16:10:10 UTC (rev 36690) +++ data/DSA/list 2015-09-15 16:17:35 UTC (rev 36691) @@ -1,3 +1,6 @@ +[15 Sep 2015] DSA-3360-1 icu - security update + {CVE-2015-1270} + [jessie] - icu 52.1-8+deb8u3 [13 Sep 2015] DSA-3359-1 virtualbox - security update {CVE-2015-2594} [wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-15 16:10:10 UTC (rev 36690) +++ data/dsa-needed.txt 2015-09-15 16:17:35 UTC (rev 36691) @@ -29,8 +29,6 @@ glibc (aurel32) some of the other no-dsa bugs could be fixed along -- -icu (ghedo) --- icedtea-web -- imagemagick/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36582 - in data: . DSA
Author: ghedo Date: 2015-09-10 08:33:35 + (Thu, 10 Sep 2015) New Revision: 36582 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for libvdpau Modified: data/DSA/list === --- data/DSA/list 2015-09-10 07:23:14 UTC (rev 36581) +++ data/DSA/list 2015-09-10 08:33:35 UTC (rev 36582) @@ -1,3 +1,7 @@ +[10 Sep 2015] DSA-3355-1 libvdpau - security update + {CVE-2015-5198 CVE-2015-5199 CVE-2015-5200} + [wheezy] - libvdpau 0.4.1-7+deb7u1 + [jessie] - libvdpau 0.8-3+deb8u1 [08 Sep 2015] DSA-3354-1 spice - security update {CVE-2015-3247} [jessie] - spice 0.12.5-1+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-10 07:23:14 UTC (rev 36581) +++ data/dsa-needed.txt 2015-09-10 08:33:35 UTC (rev 36582) @@ -42,9 +42,6 @@ https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff Help is needed to fix it so that it doesn't FTBFS -- -libvdpau (ghedo) - Maintainer will prepare updated packages for jessie and wheezy --- libxml2 -- linux ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36490 - in data: . DSA
Author: ghedo Date: 2015-09-05 14:32:30 + (Sat, 05 Sep 2015) New Revision: 36490 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for openslp-dfsg Modified: data/DSA/list === --- data/DSA/list 2015-09-05 05:34:06 UTC (rev 36489) +++ data/DSA/list 2015-09-05 14:32:30 UTC (rev 36490) @@ -1,3 +1,7 @@ +[05 Sep 2015] DSA-3353-1 openslp-dfsg - security update + {CVE-2015-5177} + [wheezy] - openslp-dfsg 1.2.1-9+deb7u1 + [jessie] - openslp-dfsg 1.2.1-10+deb8u1 [04 Sep 2015] DSA-3352-1 screen - security update {CVE-2015-6806} [wheezy] - screen 4.1.0~20120320gitdb59704-7+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-05 05:34:06 UTC (rev 36489) +++ data/dsa-needed.txt 2015-09-05 14:32:30 UTC (rev 36490) @@ -52,8 +52,6 @@ -- mediawiki -- -openslp-dfsg (ghedo) --- openswan (corsac) NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466 (#744717) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36475 - data
Author: ghedo Date: 2015-09-04 09:30:07 + (Fri, 04 Sep 2015) New Revision: 36475 Modified: data/dsa-needed.txt Log: Take openslp-dfsg Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-04 09:10:12 UTC (rev 36474) +++ data/dsa-needed.txt 2015-09-04 09:30:07 UTC (rev 36475) @@ -52,7 +52,7 @@ -- mediawiki -- -openslp-dfsg +openslp-dfsg (ghedo) -- openswan (corsac) NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36476 - data/CVE
Author: ghedo Date: 2015-09-04 09:30:17 + (Fri, 04 Sep 2015) New Revision: 36476 Modified: data/CVE/list Log: Set fixed version for CVE-2015-5177/openslp-dfsg Modified: data/CVE/list === --- data/CVE/list 2015-09-04 09:30:07 UTC (rev 36475) +++ data/CVE/list 2015-09-04 09:30:17 UTC (rev 36476) @@ -4034,7 +4034,7 @@ CVE-2015-5177 [double free in SLPDProcessMessage()] RESERVED {DLA-304-1} - - openslp-dfsg (bug #795429) + - openslp-dfsg 1.2.1-11 (bug #795429) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5177 CVE-2015-5176 (The PortletRequestDispatcher in PortletBridge, as used in Red Hat ...) NOT-FOR-US: PortletBridge component in JBoss Portal ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36473 - data
Author: ghedo Date: 2015-09-04 09:09:01 + (Fri, 04 Sep 2015) New Revision: 36473 Modified: data/dsa-needed.txt Log: Take libvdpau Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-04 08:38:29 UTC (rev 36472) +++ data/dsa-needed.txt 2015-09-04 09:09:01 UTC (rev 36473) @@ -42,7 +42,8 @@ https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff Help is needed to fix it so that it doesn't FTBFS -- -libvdpau +libvdpau (ghedo) + Maintainer will prepare updated packages for jessie and wheezy -- libxml2 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36454 - data/CVE
Author: ghedo Date: 2015-09-03 13:31:41 + (Thu, 03 Sep 2015) New Revision: 36454 Modified: data/CVE/list Log: dnsval issue is fixed in unstable Modified: data/CVE/list === --- data/CVE/list 2015-09-03 13:11:32 UTC (rev 36453) +++ data/CVE/list 2015-09-03 13:31:41 UTC (rev 36454) @@ -1,6 +1,6 @@ CVE-2015- [val_dane_check: usage DANE-TA(2) may bypass cert validation entirely] [experimental] - dnsval 2.1-1 - - dnsval (bug #797470) + - dnsval 2.0-2 (bug #797470) CVE-2015- [Memory corruption] - libvncserver 0.9.8-1 NOTE: https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36453 - data/CVE
Author: ghedo Date: 2015-09-03 13:11:32 + (Thu, 03 Sep 2015) New Revision: 36453 Modified: data/CVE/list Log: Add temporary dnsval issue Modified: data/CVE/list === --- data/CVE/list 2015-09-03 13:07:11 UTC (rev 36452) +++ data/CVE/list 2015-09-03 13:11:32 UTC (rev 36453) @@ -1,3 +1,6 @@ +CVE-2015- [val_dane_check: usage DANE-TA(2) may bypass cert validation entirely] + [experimental] - dnsval 2.1-1 + - dnsval (bug #797470) CVE-2015- [Memory corruption] - libvncserver 0.9.8-1 NOTE: https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36452 - data/CVE
Author: ghedo Date: 2015-09-03 13:07:11 + (Thu, 03 Sep 2015) New Revision: 36452 Modified: data/CVE/list Log: Mark CVE-2015-5723 as no-dsa Modified: data/CVE/list === --- data/CVE/list 2015-09-03 12:55:50 UTC (rev 36451) +++ data/CVE/list 2015-09-03 13:07:11 UTC (rev 36452) @@ -168,14 +168,19 @@ RESERVED CVE-2015-5723 [Security Misconfiguration Vulnerability in various Doctrine projects] RESERVED - - php-doctrine-annotations 1.2.7-1 - - php-doctrine-cache 1.4.2-1 - - php-doctrine-common 2.4.3-1 - - doctrine 2.4.8-1 - - aws-sdk-for-php + - php-doctrine-annotations 1.2.7-1 (low) + [jessie] - php-doctrine-annotations (Minor issue) + - php-doctrine-cache 1.4.2-1 (low) + [jessie] - php-doctrine-cache (Minor issue) [experimental] - php-doctrine-common 2.5.1-1 + - php-doctrine-common 2.4.3-1 (low) + [jessie] - php-doctrine-common (Minor issue) [experimental] - doctrine 2.5.1+dfsg-1 + - doctrine 2.4.8-1 (low) + [jessie] - doctrine (Minor issue) + [wheezy] - doctrine (Minor issue) [experimental] - aws-sdk-for-php 3.2.1-1 + - aws-sdk-for-php (Vulnerable code not present) NOTE: http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html NOTE: https://github.com/aws/aws-sdk-php/releases/tag/3.2.1 CVE-2015-6722 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
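Review bot: the log message ("Mark CVE-2015-5723 as no-dsa") undersells the hunk, which also changes the unstable entries: it adds a "(low)" severity to php-doctrine-annotations, php-doctrine-cache, php-doctrine-common and doctrine, and turns "- aws-sdk-for-php" into "- aws-sdk-for-php (Vulnerable code not present)", which stops tracking that package as vulnerable in unstable altogether. The aws-sdk-for-php change in particular deserves a mention in the log, since it is a triage decision rather than a no-dsa marking.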
[Secure-testing-commits] r36451 - data/CVE
Author: ghedo Date: 2015-09-03 12:55:50 + (Thu, 03 Sep 2015) New Revision: 36451 Modified: data/CVE/list Log: Add bug reference for libvdpau issues Modified: data/CVE/list === --- data/CVE/list 2015-09-03 12:43:21 UTC (rev 36450) +++ data/CVE/list 2015-09-03 12:55:50 UTC (rev 36451) @@ -3930,17 +3930,17 @@ RESERVED CVE-2015-5200 [vulnerability in trace functionality] RESERVED - - libvdpau + - libvdpau (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5199 [directory traversal in dlopen] RESERVED - - libvdpau + - libvdpau (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5198 [incorrect check for security transition] RESERVED - - libvdpau + - libvdpau (bug #797895) NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html NOTE: http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4 CVE-2015-5197 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36450 - in data: . CVE
Author: ghedo Date: 2015-09-03 12:43:21 + (Thu, 03 Sep 2015) New Revision: 36450 Modified: data/CVE/list data/dsa-needed.txt Log: Mark CVE-2015-3206/pykerberos as no-dsa Modified: data/CVE/list === --- data/CVE/list 2015-09-03 09:10:11 UTC (rev 36449) +++ data/CVE/list 2015-09-03 12:43:21 UTC (rev 36450) @@ -9387,6 +9387,8 @@ RESERVED {DLA-265-2 DLA-265-1} - pykerberos 1.1.5-1 (bug #796195) + [jessie] - pykerberos (Too intrusive, may be fixed through a stable proposed-update) + [wheezy] - pykerberos (Too intrusive, may be fixed through a stable proposed-update) NOTE: CVE originally assigned for python-kerberos, pykerberos is a fork of the NOTE: former. NOTE: KDC verification support in pykerberos added in https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-03 09:10:11 UTC (rev 36449) +++ data/dsa-needed.txt 2015-09-03 12:43:21 UTC (rev 36450) @@ -61,8 +61,6 @@ -- phpmyadmin (thijs) -- -pykerberos --- screen -- smarty3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36388 - in data: . DSA
Author: ghedo Date: 2015-08-31 10:31:08 + (Mon, 31 Aug 2015) New Revision: 36388 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for drupal7 Modified: data/DSA/list === --- data/DSA/list 2015-08-30 20:39:43 UTC (rev 36387) +++ data/DSA/list 2015-08-31 10:31:08 UTC (rev 36388) @@ -1,3 +1,7 @@ +[31 Aug 2015] DSA-3346-1 drupal7 - security update + {CVE-2015-6658 CVE-2015-6659 CVE-2015-6660 CVE-2015-6661 CVE-2015-6665} + [wheezy] - drupal7 7.14-2+deb7u11 + [jessie] - drupal7 7.32-1+deb8u5 [29 Aug 2015] DSA-3345-1 iceweasel - security update {CVE-2015-4497 CVE-2015-4498} [wheezy] - iceweasel 38.2.1esr-1~deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-30 20:39:43 UTC (rev 36387) +++ data/dsa-needed.txt 2015-08-31 10:31:08 UTC (rev 36388) @@ -19,9 +19,6 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -drupal7 (ghedo) - Maintainer prepared packages for wheezy and jessie --- eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36246 - data/CVE
Author: ghedo Date: 2015-08-21 12:42:15 + (Fri, 21 Aug 2015) New Revision: 36246 Modified: data/CVE/list Log: Add CVE request link for twig issue Modified: data/CVE/list === --- data/CVE/list 2015-08-21 12:36:22 UTC (rev 36245) +++ data/CVE/list 2015-08-21 12:42:15 UTC (rev 36246) @@ -31,6 +31,7 @@ CVE-2015- [arbitrary code execution via the _self variable] - twig 1.20.0-1 NOTE: http://symfony.com/blog/security-release-twig-1-20-0 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/21/3 CVE-2015- [use-after-free vulnerability in Decoder.cpp] - libpgf NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/19/14 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36244 - data
Author: ghedo Date: 2015-08-21 12:24:04 + (Fri, 21 Aug 2015) New Revision: 36244 Modified: data/dsa-needed.txt Log: Take drupal7 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-21 09:10:16 UTC (rev 36243) +++ data/dsa-needed.txt 2015-08-21 12:24:04 UTC (rev 36244) @@ -19,7 +19,8 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -drupal7 +drupal7 (ghedo) + Maintainer prepared packages for wheezy and jessie -- eglibc (aurel32) some of the other no-dsa bugs could be fixed along ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36225 - data/CVE
Author: ghedo Date: 2015-08-20 19:32:09 + (Thu, 20 Aug 2015) New Revision: 36225 Modified: data/CVE/list Log: Update links to OpenSSL advisories Modified: data/CVE/list === --- data/CVE/list 2015-08-20 19:29:21 UTC (rev 36224) +++ data/CVE/list 2015-08-20 19:32:09 UTC (rev 36225) @@ -12904,11 +12904,11 @@ [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) [squeeze] - openssl (Vulnerable code not present) - NOTE: http://openssl.org/news/secadv_20150709.txt + NOTE: http://openssl.org/news/secadv/20150709.txt CVE-2015-1792 (The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 - NOTE: http://openssl.org/news/secadv_20150611.txt + NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1791 (Race condition in the ssl3_get_new_session_ticket function in ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 @@ -12918,16 +12918,16 @@ CVE-2015-1790 (The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 - NOTE: http://openssl.org/news/secadv_20150611.txt + NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1789 (The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.2b-1 - NOTE: http://openssl.org/news/secadv_20150611.txt + NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1788 (The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before ...) {DSA-3287-1} - openssl 1.0.2b-1 [squeeze] - openssl (Vulnerable code got introduced post 1.0.0) - NOTE: http://openssl.org/news/secadv_20150611.txt + NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2015-1787 (The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL ...) - openssl (Vulnerable version never in unstable) NOTE: did affect 1.0.2 (only in experimental) and 1.0.2a was uploaded to unstable 
@@ -22562,7 +22562,7 @@ CVE-2014-8176 (The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before ...) {DSA-3287-1 DLA-247-1} - openssl 1.0.1h-1 - NOTE: http://openssl.org/news/secadv_20150611.txt + NOTE: http://openssl.org/news/secadv/20150611.txt CVE-2014-8175 (Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to ...) NOT-FOR-US: JBoss Fuse CVE-2014-8174 @@ -44093,7 +44093,7 @@ - openssl 1.0.1g-1 (bug #743883) [squeeze] - openssl (vulnerable code introduced in upstream commit 4817504) NOTE: fix: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902 - NOTE: http://www.openssl.org/news/secadv_20140407.txt + NOTE: http://www.openssl.org/news/secadv/20140407.txt NOTE: system reboot is recommended after the upgrade CVE-2014-0159 (Buffer overflow in the GetStatistics64 remote procedure call (RPC) in ...) {DSA-2899-1} @@ -74677,7 +74677,7 @@ {DSA-2475-1} - openssl 1.0.1c-1 (bug #672452) NOTE: http://seclists.org/oss-sec/2012/q2/299 - NOTE: http://www.openssl.org/news/secadv_20120510.txt + NOTE: http://www.openssl.org/news/secadv/20120510.txt CVE-2012-2332 (SQL injection vulnerability in serendipity/serendipity_admin.php in ...) - serendipity (bug #671937; low) [squeeze] - serendipity (Minor issue) @@ -75270,7 +75270,7 @@ CVE-2012-2110 (The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL ...) {DSA-2454-1} - openssl 1.0.1a-1 - NOTE: http://www.openssl.org/news/secadv_20120419.txt + NOTE: http://www.openssl.org/news/secadv/20120419.txt CVE-2012-2109 (SQL injection vulnerability in wp-load.php in the BuddyPress plugin ...) NOT-FOR-US: wordpress buddypress plugin CVE-2012-2108 (Stack-based buffer overflow in the main function in util/lpci_main.c ...) 
@@ -81422,7 +81422,7 @@ CVE-2012-0050 (OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, ...) {DSA-2392-1} - openssl 1.0.0g-1 - NOTE: http://www.openssl.org/news/secadv_20120118.txt + NOTE: http://www.openssl.org/news/secadv/20120118.txt CVE-2012-0049 RESERVED {DSA-2524-1} @@ -96725,7 +96725,7 @@ - openoffice.org 1:3.2.1-11+squeeze2 CVE-2010-4252 (OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly ...) - openssl (configured with -DOPENSSL_NO_JPAKE; bug #606902) - NOTE: http://www.openssl.org/news/secadv_20101202.txt + NOTE: http://www.openssl.org/news/secadv/20101202.txt CVE-2010-4251 (The socket implementation in net/core/sock.c in the Linux kernel ...) - linux-2.6 2.6.32-22 CVE-2010-4250 (Memory leak in the inotify_init1 function
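Review bot: CVE-2015-1791 sits between two updated entries (CVE-2015-1792 in the hunk at -12904 and CVE-2015-1790 in the hunk at -12918) but its own lines 12915-12917 fall outside both hunks, so its advisory NOTE line is not touched by this change; verify it does not still point at the old secadv_20150611.txt path, since every other entry for DSA-3287-1 in this patch was rewritten to the secadv/20150611.txt form.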
[Secure-testing-commits] r36219 - data
Author: ghedo Date: 2015-08-20 15:24:03 + (Thu, 20 Aug 2015) New Revision: 36219 Modified: data/dsa-needed.txt Log: Add vlc to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-20 14:05:06 UTC (rev 36218) +++ data/dsa-needed.txt 2015-08-20 15:24:03 UTC (rev 36219) @@ -85,6 +85,8 @@ virtualbox Oracle hasn't released info on isolated patch yet -- +vlc/stable +-- wordpress/oldstable Maintainer prepared wheezy-security upload -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36220 - in data: . DSA
Author: ghedo Date: 2015-08-20 15:24:06 + (Thu, 20 Aug 2015) New Revision: 36220 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for vlc Modified: data/DSA/list === --- data/DSA/list 2015-08-20 15:24:03 UTC (rev 36219) +++ data/DSA/list 2015-08-20 15:24:06 UTC (rev 36220) @@ -1,3 +1,6 @@ +[20 Aug 2015] DSA-3342-1 vlc - security update + {CVE-2015-5949} + [jessie] - vlc 2.2.0~rc2-2+deb8u1 [20 Aug 2015] DSA-3341-1 conntrack - security update {CVE-2015-6496} [wheezy] - conntrack 1:1.2.1-1+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-20 15:24:03 UTC (rev 36219) +++ data/dsa-needed.txt 2015-08-20 15:24:06 UTC (rev 36220) @@ -85,8 +85,6 @@ virtualbox Oracle hasn't released info on isolated patch yet -- -vlc/stable --- wordpress/oldstable Maintainer prepared wheezy-security upload -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36218 - data/CVE
Author: ghedo Date: 2015-08-20 14:05:06 + (Thu, 20 Aug 2015) New Revision: 36218 Modified: data/CVE/list Log: Add twig temporary issue Modified: data/CVE/list === --- data/CVE/list 2015-08-20 14:03:18 UTC (rev 36217) +++ data/CVE/list 2015-08-20 14:05:06 UTC (rev 36218) @@ -1,3 +1,6 @@ +CVE-2015- [arbitrary code execution via the _self variable] + - twig 1.20.0-1 + NOTE: http://symfony.com/blog/security-release-twig-1-20-0 CVE-2015- [use-after-free vulnerability in Decoder.cpp] - libpgf NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/19/14 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36203 - in data: . DSA
Author: ghedo Date: 2015-08-19 21:38:49 + (Wed, 19 Aug 2015) New Revision: 36203 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for zendframework Modified: data/DSA/list === --- data/DSA/list 2015-08-19 21:32:58 UTC (rev 36202) +++ data/DSA/list 2015-08-19 21:38:49 UTC (rev 36203) @@ -1,3 +1,7 @@ +[19 Aug 2015] DSA-3340-1 zendframework - security update + {CVE-2015-5161} + [wheezy] - zendframework 1.11.13-1.1+deb7u3 + [jessie] - zendframework 1.12.9+dfsg-2+deb8u3 [19 Aug 2015] DSA-3339-1 openjdk-6 - security update {CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760} [wheezy] - openjdk-6 6b36-1.13.8-1~deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-19 21:32:58 UTC (rev 36202) +++ data/dsa-needed.txt 2015-08-19 21:38:49 UTC (rev 36203) @@ -95,7 +95,3 @@ -- yubiserver -- -zendframework/oldstable - Maintainer prepared fix for wheezy-security - Might need fix for jessie as well --- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36147 - in data: . DSA
Author: ghedo Date: 2015-08-18 18:22:42 + (Tue, 18 Aug 2015) New Revision: 36147 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for python-django Modified: data/DSA/list === --- data/DSA/list 2015-08-18 18:12:35 UTC (rev 36146) +++ data/DSA/list 2015-08-18 18:22:42 UTC (rev 36147) @@ -1,3 +1,7 @@ +[18 Aug 2015] DSA-3338-1 python-django - security update + {CVE-2015-5963 CVE-2015-5964} + [wheezy] - python-django 1.4.5-1+deb7u13 + [jessie] - python-django 1.7.7-1+deb8u2 [18 Aug 2015] DSA-3337-1 gdk-pixbuf - security update {CVE-2015-4491} [wheezy] - gdk-pixbuf 2.26.1-1+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-18 18:12:35 UTC (rev 36146) +++ data/dsa-needed.txt 2015-08-18 18:22:42 UTC (rev 36147) @@ -66,9 +66,6 @@ -- pykerberos -- -python-django (ghedo) - Maintainer prepared packages for {wheezy,jessie}-security --- qemu/stable -- smarty3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36145 - data
Author: ghedo Date: 2015-08-18 17:51:18 + (Tue, 18 Aug 2015) New Revision: 36145 Modified: data/dsa-needed.txt Log: Add python-django to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-18 17:51:16 UTC (rev 36144) +++ data/dsa-needed.txt 2015-08-18 17:51:18 UTC (rev 36145) @@ -66,6 +66,9 @@ -- pykerberos -- +python-django (ghedo) + Maintainer prepared packages for {wheezy,jessie}-security +-- qemu/stable -- smarty3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36144 - data/CVE
Author: ghedo Date: 2015-08-18 17:51:16 + (Tue, 18 Aug 2015) New Revision: 36144 Modified: data/CVE/list Log: Add python-django issues Modified: data/CVE/list === --- data/CVE/list 2015-08-18 16:48:40 UTC (rev 36143) +++ data/CVE/list 2015-08-18 17:51:16 UTC (rev 36144) @@ -649,10 +649,14 @@ [wheezy] - mediawiki (Minor issues) [squeeze] - mediawiki (Not supported in Squeeze LTS) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/08/12/6 -CVE-2015-5964 +CVE-2015-5964 [more to CVE-2015-5963] RESERVED -CVE-2015-5963 + - python-django + NOTE: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/ +CVE-2015-5963 [Denial-of-service possibility in logout() view by filling session store] RESERVED + - python-django + NOTE: https://www.djangoproject.com/weblog/2015/aug/18/security-releases/ CVE-2015-5962 (Integer signedness error in the ...) NOT-FOR-US: Mozilla Firefox OS CVE-2015-5961 (The COPPA error page in the Accounts setup dialog in Mozilla Firefox ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
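Review bot: the description added for CVE-2015-5964, "[more to CVE-2015-5963]", does not say what the second CVE covers, while CVE-2015-5963 gets a proper one-line description ("Denial-of-service possibility in logout() view by filling session store"). The entry should state its own scope in the same style so that the two CVEs can be told apart without following the NOTE link.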
[Secure-testing-commits] r36133 - data
Author: ghedo Date: 2015-08-18 08:55:43 + (Tue, 18 Aug 2015) New Revision: 36133 Modified: data/dsa-needed.txt Log: Update note about libidn debdiffs Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-18 08:54:12 UTC (rev 36132) +++ data/dsa-needed.txt 2015-08-18 08:55:43 UTC (rev 36133) @@ -43,7 +43,6 @@ Work-in-progress debdiff for jessie-security at https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff Help is needed to fix it so that it doesn't FTBFS - Both needs update for CVE-2015-2059 follow-up -- libxml2 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36089 - data
Author: ghedo Date: 2015-08-15 20:51:42 + (Sat, 15 Aug 2015) New Revision: 36089 Modified: data/dsa-needed.txt Log: Re-add wordpress to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-15 14:07:34 UTC (rev 36088) +++ data/dsa-needed.txt 2015-08-15 20:51:42 UTC (rev 36089) @@ -90,6 +90,9 @@ virtualbox Oracle hasn't released info on isolated patch yet -- +wordpress/oldstable + Maintainer prepared wheezy-security upload +-- wpa -- yubiserver ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36090 - data
Author: ghedo Date: 2015-08-15 20:51:45 + (Sat, 15 Aug 2015) New Revision: 36090 Modified: data/dsa-needed.txt Log: Add zendframework to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-15 20:51:42 UTC (rev 36089) +++ data/dsa-needed.txt 2015-08-15 20:51:45 UTC (rev 36090) @@ -64,6 +64,8 @@ -- php5 new upstream 5.5.44 and 5.6.12 is available + might also want to look into backporting to wheezy fix for + https://bugs.php.net/bug.php?id=64938 -- phpmyadmin (thijs) -- @@ -97,3 +99,7 @@ -- yubiserver -- +zendframework/oldstable + Maintainer prepared fix for wheezy-security + Might need fix for jessie as well +-- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
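Review bot: the log message ("Add zendframework to dsa-needed") only covers the second hunk (-97); the first hunk (-64) adds two unrelated lines to the php5 entry about backporting the fix for https://bugs.php.net/bug.php?id=64938 to wheezy. That php5 note should either go in its own commit or be mentioned in the log, otherwise it is easy to miss when reading the history.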
[Secure-testing-commits] r35963 - data
Author: ghedo Date: 2015-08-10 17:24:00 + (Mon, 10 Aug 2015) New Revision: 35963 Modified: data/dsa-needed.txt Log: Re-add icu to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-10 16:50:21 UTC (rev 35962) +++ data/dsa-needed.txt 2015-08-10 17:24:00 UTC (rev 35963) @@ -27,6 +27,8 @@ glibc (aurel32) some of the other no-dsa bugs could be fixed along -- +icu (ghedo) +-- imagemagick/oldstable no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 should be fixed along ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35960 - data/CVE
Author: ghedo Date: 2015-08-10 16:39:30 + (Mon, 10 Aug 2015) New Revision: 35960 Modified: data/CVE/list Log: imagemagick temporary issues fixed in experimental Modified: data/CVE/list === --- data/CVE/list 2015-08-10 15:34:29 UTC (rev 35959) +++ data/CVE/list 2015-08-10 16:39:30 UTC (rev 35960) @@ -1,6 +1,7 @@ NOTE: https://nodesecurity.io/advisories/serve-static-xss NOTE: https://github.com/expressjs/serve-index/issues/28 CVE-2015- [denial of service flaw in VICAR file processing] + [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick (low) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) @@ -10008,6 +10009,7 @@ NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933 NOTE: http://trac.imagemagick.org/changeset/17856 CVE-2015- [denial of service flaw in PDB file processing] + [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick (low) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) @@ -10016,6 +10018,7 @@ NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932 NOTE: http://trac.imagemagick.org/changeset/17855 CVE-2015- [denial of service flaw in MIFF file processing] + [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) @@ -10024,6 +10027,7 @@ NOTE: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931 NOTE: http://trac.imagemagick.org/changeset/17854 CVE-2015- [denial of service flaw in HDR file processing] + [experimental] - imagemagick 8:6.9.1.2-1 - imagemagick [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue)
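Review bot: in the third and fourth hunks (the MIFF and HDR entries) the unstable line next to the added "[experimental]" line reads "- imagemagick" with no severity, whereas the VICAR and PDB entries in the first two hunks carry "- imagemagick (low)"; all four are denial-of-service issues marked "(Minor issue)" for jessie and wheezy, so adding "(low)" to the MIFF and HDR lines while touching these entries would keep the four consistent.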
[Secure-testing-commits] r35962 - data/CVE
Author: ghedo Date: 2015-08-10 16:50:21 + (Mon, 10 Aug 2015) New Revision: 35962 Modified: data/CVE/list Log: Add publicfile-installer issue Modified: data/CVE/list === --- data/CVE/list 2015-08-10 16:49:15 UTC (rev 35961) +++ data/CVE/list 2015-08-10 16:50:21 UTC (rev 35962) @@ -1,3 +1,5 @@ +CVE-2015- [publicfile-installer: insecure use of /tmp] + - publicfile-installer (bug #795062) CVE-2015- [net/http: broken trailers don't close a server connection] - golang NOTE: https://github.com/golang/go/issues/12027
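Review bot: the new entry "CVE-2015- [publicfile-installer: insecure use of /tmp] - publicfile-installer (bug #795062)" carries neither a severity annotation nor a NOTE line, while the neighbouring temporary entries record at least a link; a severity (the other temporary entries on this page use forms like "(low)") or a NOTE with the relevant detail beyond the bare bug number would tell the next triager whether this blocks a DSA.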
[Secure-testing-commits] r35937 - data/DSA
Author: ghedo Date: 2015-08-08 10:09:29 + (Sat, 08 Aug 2015) New Revision: 35937 Modified: data/DSA/list Log: Reserve DSA for opensaml2 Modified: data/DSA/list === --- data/DSA/list 2015-08-08 09:10:17 UTC (rev 35936) +++ data/DSA/list 2015-08-08 10:09:29 UTC (rev 35937) @@ -1,3 +1,6 @@ +[08 Aug 2015] DSA-3321-2 opensaml2 - security update + [wheezy] - opensaml2 2.4.3-4+deb7u1 + [jessie] - opensaml2 2.5.3-2+deb8u1 [07 Aug 2015] DSA-3330-1 activemq - security update {CVE-2014-3576} [wheezy] - activemq 5.6.0+dfsg-1+deb7u1
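Review bot: the new "DSA-3321-2 opensaml2" entry has no {CVE-...} line between the header and the [wheezy]/[jessie] version lines, unlike every other DSA entry in this series; if this is the opensaml2 follow-up to DSA-3321-1 xmltooling {CVE-2015-0851} (the xmltooling CVE entry elsewhere on this page notes "opensaml2 will need binNMUs"), listing {CVE-2015-0851} here, or a note saying the list is intentionally empty, keeps the DSA-to-CVE mapping complete.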
[Secure-testing-commits] r35853 - data/CVE
Author: ghedo Date: 2015-08-02 18:16:55 + (Sun, 02 Aug 2015) New Revision: 35853 Modified: data/CVE/list Log: Add another link to temporary libidn issue Modified: data/CVE/list === --- data/CVE/list 2015-08-02 18:10:05 UTC (rev 35852) +++ data/CVE/list 2015-08-02 18:16:55 UTC (rev 35853) @@ -1,6 +1,7 @@ CVE-2015- [more to CVE-2015-2059] - libidn 1.32-1 NOTE: Introduced by fix for CVE-2015-2059 + NOTE: https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00026.html NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf NOTE: Testcase: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=c261018477f971d274dee305d27f8bff4afd4238 CVE-2015- [Sidekiq::Web lacks CSRF protection]
[Secure-testing-commits] r35852 - data/CVE
Author: ghedo Date: 2015-08-02 18:10:05 + (Sun, 02 Aug 2015) New Revision: 35852 Modified: data/CVE/list Log: Mark icu as affected by CVE-2015-1270 Modified: data/CVE/list === --- data/CVE/list 2015-08-02 17:58:30 UTC (rev 35851) +++ data/CVE/list 2015-08-02 18:10:05 UTC (rev 35852) @@ -12740,6 +12740,9 @@ - chromium-browser 44.0.2403.89-1 [wheezy] - chromium-browser [squeeze] - chromium-browser + - icu + NOTE: http://bugs.icu-project.org/trac/ticket/11696 + NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37486/ CVE-2015-1269 (The DecodeHSTSPreloadRaw function in ...) {DSA-3315-1} - chromium-browser 43.0.2357.130-1
[Secure-testing-commits] r35842 - data
Author: ghedo Date: 2015-08-02 09:46:45 + (Sun, 02 Aug 2015) New Revision: 35842 Modified: data/dsa-needed.txt Log: Update libidn note in dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-02 09:45:57 UTC (rev 35841) +++ data/dsa-needed.txt 2015-08-02 09:46:45 UTC (rev 35842) @@ -43,6 +43,7 @@ Work-in-progress debdiff for jessie-security at https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff Help is needed to fix it so that it doesn't FTBFS + Both needs update for CVE-2015-2059 follow-up -- libxml2 --
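Review bot: the added line "Both needs update for CVE-2015-2059 follow-up" should read "Both need"; "Both" also relies on the reader recalling that the two debdiff lines above refer to wheezy and jessie, so "Both the wheezy and jessie debdiffs need an update for the CVE-2015-2059 follow-up" is clearer for whoever picks the entry up next.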
[Secure-testing-commits] r35841 - data/CVE
Author: ghedo Date: 2015-08-02 09:45:57 + (Sun, 02 Aug 2015) New Revision: 35841 Modified: data/CVE/list Log: Add new temporary libidn issue Modified: data/CVE/list === --- data/CVE/list 2015-08-02 09:10:19 UTC (rev 35840) +++ data/CVE/list 2015-08-02 09:45:57 UTC (rev 35841) @@ -1,3 +1,8 @@ +CVE-2015- [more to CVE-2015-2059] + - libidn 1.32-1 + NOTE: Introduced by fix for CVE-2015-2059 + NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf + NOTE: Testcase: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=c261018477f971d274dee305d27f8bff4afd4238 CVE-2015- [Sidekiq::Web lacks CSRF protection] - ruby-sidekiq NOTE: https://github.com/mperham/sidekiq/pull/2422
[Secure-testing-commits] r35825 - data/CVE
Author: ghedo Date: 2015-08-01 18:32:39 + (Sat, 01 Aug 2015) New Revision: 35825 Modified: data/CVE/list Log: Mark CVE-2011-4968/nginx as fixed Modified: data/CVE/list === --- data/CVE/list 2015-08-01 16:42:45 UTC (rev 35824) +++ data/CVE/list 2015-08-01 18:32:39 UTC (rev 35825) @@ -78075,7 +78075,7 @@ NOTE: https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9 CVE-2011-4968 [nginx http proxy module does not verify peer identity of https origin server] RESERVED - - nginx (low; bug #697940) + - nginx 1.9.1-1 (low; bug #697940) [jessie] - nginx (Minor issue) [squeeze] - nginx (Minor issue) [wheezy] - nginx (Minor issue)
[Secure-testing-commits] r35823 - data
Author: ghedo Date: 2015-08-01 16:42:43 + (Sat, 01 Aug 2015) New Revision: 35823 Modified: data/dsa-needed.txt Log: Take icedove Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-01 16:35:31 UTC (rev 35822) +++ data/dsa-needed.txt 2015-08-01 16:42:43 UTC (rev 35823) @@ -33,7 +33,7 @@ glibc (aurel32) some of the other no-dsa bugs could be fixed along -- -icedove +icedove (ghedo) -- imagemagick/oldstable no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
[Secure-testing-commits] r35824 - in data: . DSA
Author: ghedo Date: 2015-08-01 16:42:45 + (Sat, 01 Aug 2015) New Revision: 35824 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for icedove Modified: data/DSA/list === --- data/DSA/list 2015-08-01 16:42:43 UTC (rev 35823) +++ data/DSA/list 2015-08-01 16:42:45 UTC (rev 35824) @@ -1,3 +1,7 @@ +[01 Aug 2015] DSA-3324-1 icedove - security update + {CVE-2015-2721 CVE-2015-2724 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-4000} + [wheezy] - icedove 31.8.0-1~deb7u1 + [jessie] - icedove 31.8.0-1~deb8u1 [01 Aug 2015] DSA-3323-1 icu - security update {CVE-2014-8146 CVE-2014-8147 CVE-2015-4760} [wheezy] - icu 4.8.1.1-12+deb7u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-01 16:42:43 UTC (rev 35823) +++ data/dsa-needed.txt 2015-08-01 16:42:45 UTC (rev 35824) @@ -33,8 +33,6 @@ glibc (aurel32) some of the other no-dsa bugs could be fixed along -- -icedove (ghedo) --- imagemagick/oldstable no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 should be fixed along
[Secure-testing-commits] r35822 - in data: CVE DSA
Author: ghedo Date: 2015-08-01 16:35:31 + (Sat, 01 Aug 2015) New Revision: 35822 Modified: data/CVE/list data/DSA/list Log: Mark temporary icu issue as fixed Modified: data/CVE/list === --- data/CVE/list 2015-08-01 15:55:34 UTC (rev 35821) +++ data/CVE/list 2015-08-01 16:35:31 UTC (rev 35822) @@ -11320,6 +11320,8 @@ CVE-2014- [more to CVE-2014-6585] [experimental] - icu 55.1-1 - icu 52.1-10 (low; bug #778511) + [jessie] - icu 52.1-8+deb8u2 + [wheezy] - icu 4.8.1.1-12+deb7u3 [squeeze] - icu (All relevant changes already applied) NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37086 NOTE: icu_4.4.1-8+squeeze3 already has the full patch except for the changes in source/layout/ContextualSubstSubtables.cpp which are commented out anyway... and the remaining if test is probably only meaningful when the backtrackClassArray call is uncommented. Modified: data/DSA/list === --- data/DSA/list 2015-08-01 15:55:34 UTC (rev 35821) +++ data/DSA/list 2015-08-01 16:35:31 UTC (rev 35822) @@ -1,5 +1,5 @@ [01 Aug 2015] DSA-3323-1 icu - security update - {CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760} + {CVE-2014-8146 CVE-2014-8147 CVE-2015-4760} [wheezy] - icu 4.8.1.1-12+deb7u3 [jessie] - icu 52.1-8+deb8u2 [31 Jul 2015] DSA-3322-1 ruby-rack - security update
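Review bot: the data/DSA/list hunk drops CVE-2014-6585 from the DSA-3323-1 CVE list while the data/CVE/list hunk records the DSA versions (52.1-8+deb8u2, 4.8.1.1-12+deb7u3) against the temporary "CVE-2014- [more to CVE-2014-6585]" entry; that entry has no CVE id yet, so the DSA cannot reference it, and a "NOTE: Fixed by DSA-3323-1" on the temporary entry would preserve the link until an id is assigned and can be added to the DSA's list.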
[Secure-testing-commits] r35820 - in data: . DSA
Author: ghedo Date: 2015-08-01 15:55:15 + (Sat, 01 Aug 2015) New Revision: 35820 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for icu Modified: data/DSA/list === --- data/DSA/list 2015-08-01 05:39:30 UTC (rev 35819) +++ data/DSA/list 2015-08-01 15:55:15 UTC (rev 35820) @@ -1,3 +1,7 @@ +[01 Aug 2015] DSA-3323-1 icu - security update + {CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760} + [wheezy] - icu 4.8.1.1-12+deb7u3 + [jessie] - icu 52.1-8+deb8u2 [31 Jul 2015] DSA-3322-1 ruby-rack - security update {CVE-2015-3225} [wheezy] - ruby-rack 1.4.1-2.1+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-08-01 05:39:30 UTC (rev 35819) +++ data/dsa-needed.txt 2015-08-01 15:55:15 UTC (rev 35820) @@ -35,8 +35,6 @@ -- icedove -- -icu (ghedo) --- imagemagick/oldstable no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 should be fixed along
[Secure-testing-commits] r35805 - in data: . DSA
Author: ghedo Date: 2015-07-30 19:57:46 + (Thu, 30 Jul 2015) New Revision: 35805 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for xmltooling Modified: data/DSA/list === --- data/DSA/list 2015-07-30 18:00:31 UTC (rev 35804) +++ data/DSA/list 2015-07-30 19:57:46 UTC (rev 35805) @@ -1,3 +1,7 @@ +[30 Jul 2015] DSA-3321-1 xmltooling - security update + {CVE-2015-0851} + [wheezy] - xmltooling 1.4.2-5+deb7u1 + [jessie] - xmltooling 1.5.3-2+deb8u1 [30 Jul 2015] DSA-3320-1 openafs - security update {CVE-2015-3282 CVE-2015-3283 CVE-2015-3284 CVE-2015-3285 CVE-2015-3287} [wheezy] - openafs 1.6.1-3+deb7u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-30 18:00:31 UTC (rev 35804) +++ data/dsa-needed.txt 2015-07-30 19:57:46 UTC (rev 35805) @@ -107,8 +107,5 @@ -- wpa -- -xmltooling (ghedo) - Maintainer prepared upload for jessie --- yubiserver --
[Secure-testing-commits] r35803 - data/CVE
Author: ghedo Date: 2015-07-30 15:31:24 + (Thu, 30 Jul 2015) New Revision: 35803 Modified: data/CVE/list Log: Add fixed version for libwmf issues Modified: data/CVE/list === --- data/CVE/list 2015-07-30 14:39:37 UTC (rev 35802) +++ data/CVE/list 2015-07-30 15:31:24 UTC (rev 35803) @@ -2432,10 +2432,10 @@ NOTE: Introduced in: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a14842f5a3c0e88a1e59fac5c3025db39721f74 (v3.0-rc1) CVE-2015-4696 (Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers ...) {DSA-3302-1 DLA-257-1} - - libwmf (bug #784192) + - libwmf 0.2.8.4-10.4 (bug #784192) CVE-2015-4695 (meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of ...) {DSA-3302-1 DLA-257-1} - - libwmf (bug #784205) + - libwmf 0.2.8.4-10.4 (bug #784205) CVE-2015-4680 [insufficent CRL application] RESERVED - freeradius (bug #789623) @@ -2932,7 +2932,7 @@ NOTE: Fixed in 5.6.10 and 5.4.42 upstream CVE-2015-4588 (Heap-based buffer overflow in the DecodeImage function in libwmf ...) {DSA-3302-1 DLA-253-1} - - libwmf (bug #787644) + - libwmf 0.2.8.4-10.4 (bug #787644) CVE-2015-4556 [buffer overrun in CHICKEN Scheme's string-translate* procedure] RESERVED - chicken (bug #788833) @@ -14250,7 +14250,7 @@ [jessie] - pycode-browser (Minor issue) CVE-2015-0848 (Heap-based buffer overflow in libwmf 0.2.8.4 allows remote attackers ...) {DSA-3302-1 DLA-253-1} - - libwmf (bug #787644) + - libwmf 0.2.8.4-10.4 (bug #787644) CVE-2015-0847 (nbd-server.c in Network Block Device (nbd-server) before 3.11 does not ...) {DSA-3271-1 DLA-223-1} - nbd 1:3.10-1 (bug #784657)
[Secure-testing-commits] r35801 - data
Author: ghedo Date: 2015-07-30 13:43:44 + (Thu, 30 Jul 2015) New Revision: 35801 Modified: data/dsa-needed.txt Log: Untake libidn for now Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-30 13:27:59 UTC (rev 35800) +++ data/dsa-needed.txt 2015-07-30 13:43:44 UTC (rev 35801) @@ -41,7 +41,12 @@ -- libav/oldstable (jmm) -- -libidn (ghedo) +libidn + Working debdiff for wheezy-security at + https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff + Work-in-progress debdiff for jessie-security at + https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff + Help is needed to fix it so that it doesn't FTBFS -- libxml2 --
[Secure-testing-commits] r35798 - data
Author: ghedo Date: 2015-07-30 10:01:53 + (Thu, 30 Jul 2015) New Revision: 35798 Modified: data/dsa-needed.txt Log: Take xmltooling Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-30 09:54:30 UTC (rev 35797) +++ data/dsa-needed.txt 2015-07-30 10:01:53 UTC (rev 35798) @@ -102,7 +102,7 @@ -- wpa -- -xmltooling +xmltooling (ghedo) Maintainer prepared upload for jessie -- yubiserver
[Secure-testing-commits] r35795 - data/CVE
Author: ghedo Date: 2015-07-30 09:37:12 + (Thu, 30 Jul 2015) New Revision: 35795 Modified: data/CVE/list Log: Remove link to opensaml2 patch for CVE-2015-0851 Not a security issue according to upstream. Modified: data/CVE/list === --- data/CVE/list 2015-07-30 09:15:43 UTC (rev 35794) +++ data/CVE/list 2015-07-30 09:37:12 UTC (rev 35795) @@ -14234,8 +14234,7 @@ RESERVED - xmltooling (bug #793855) NOTE: http://shibboleth.net/community/advisories/secadv_20150721.txt - NOTE: xmltooling: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900 - NOTE: opensaml2: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commitdiff;h=ec145bf31d59d23bbf63cdc39ffeb172ed29d67d + NOTE: Patch: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900 NOTE: Initial advisory was listing the wrong CVE, updated later NOTE: opensaml2 will need binNMUs NOTE: [squeeze] partially affected (util/XMLHelper.cpp XMLHelper::getAttrInt method not present) (1.3.3.x)
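Review bot: the log explains the removal with "Not a security issue according to upstream", but the hunk only deletes the opensaml2 commit link and leaves no trace of that assessment in the entry; a NOTE line quoting or linking the upstream statement would record why the link went away, especially since the surviving "NOTE: opensaml2 will need binNMUs" still ties opensaml2 to this issue and a later reader may otherwise re-add the link.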
[Secure-testing-commits] r35705 - data/CVE
Author: ghedo Date: 2015-07-25 14:41:32 + (Sat, 25 Jul 2015) New Revision: 35705 Modified: data/CVE/list Log: Temporary icu issue doesn't affect wheezy/squeeze Modified: data/CVE/list === --- data/CVE/list 2015-07-25 14:36:32 UTC (rev 35704) +++ data/CVE/list 2015-07-25 14:41:32 UTC (rev 35705) @@ -188,6 +188,8 @@ RESERVED CVE-2015- [more to CVE-2014-8146] - icu + [wheezy] - icu (Vulnerable code not present) + [squeeze] - icu (Vulnerable code not present) NOTE: https://bugs.mageia.org/show_bug.cgi?id=15852#c2 CVE-2015- [integer overflow] - freexl 1.0.2-1
[Secure-testing-commits] r35685 - data
Author: ghedo Date: 2015-07-24 17:56:29 + (Fri, 24 Jul 2015) New Revision: 35685 Modified: data/dsa-needed.txt Log: Add xmltooling to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-24 17:56:28 UTC (rev 35684) +++ data/dsa-needed.txt 2015-07-24 17:56:29 UTC (rev 35685) @@ -97,5 +97,8 @@ -- wpa -- +xmltooling + Maintainer prepared upload for jessie +-- yubiserver --
[Secure-testing-commits] r35686 - data
Author: ghedo Date: 2015-07-24 17:56:31 + (Fri, 24 Jul 2015) New Revision: 35686 Modified: data/dsa-needed.txt Log: Add squid and squid3 to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-24 17:56:29 UTC (rev 35685) +++ data/dsa-needed.txt 2015-07-24 17:56:31 UTC (rev 35686) @@ -78,6 +78,11 @@ -- smarty3 -- +squid/oldstable +-- +squid3 + Maintainer prepared upload for jessie +-- t1utils/oldstable (ghedo) Patch applied for stable seems incomplete since similar code is in t1asm.c and t1disasm.c Security impact of #724571 might need to be checked as well
[Secure-testing-commits] r35684 - data
Author: ghedo Date: 2015-07-24 17:56:28 + (Fri, 24 Jul 2015) New Revision: 35684 Modified: data/dsa-needed.txt Log: Add expat to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-24 17:48:34 UTC (rev 35683) +++ data/dsa-needed.txt 2015-07-24 17:56:28 UTC (rev 35684) @@ -26,6 +26,9 @@ -- elasticsearch -- +expat + Maintainer prepared uploads for wheezy and jessie +-- glibc (aurel32) some of the other no-dsa bugs could be fixed along --
[Secure-testing-commits] r35683 - data/CVE
Author: ghedo Date: 2015-07-24 17:48:34 + (Fri, 24 Jul 2015) New Revision: 35683 Modified: data/CVE/list Log: Add xmltooling issue Modified: data/CVE/list === --- data/CVE/list 2015-07-24 16:27:24 UTC (rev 35682) +++ data/CVE/list 2015-07-24 17:48:34 UTC (rev 35683) @@ -1,3 +1,8 @@ +CVE-2015- [Shibboleth SP software crashes on well-formed but invalid XML] + - xmltooling + NOTE: http://shibboleth.net/community/advisories/secadv_20150721.txt + NOTE: The upstream advisory lists the wrong CVE + NOTE: opensaml2 will need binNMUs CVE-2015-5621 RESERVED CVE-2015-5620
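Review bot: "NOTE: The upstream advisory lists the wrong CVE" does not say which id the advisory gives or which id is believed correct, and the entry itself is filed under a placeholder "CVE-2015-"; recording both ids in the NOTE lets the entry be matched to the proper CVE when it is assigned, rather than relying on someone re-reading the advisory URL to work out the mismatch.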
[Secure-testing-commits] r35614 - in data: . CVE DSA
Author: ghedo Date: 2015-07-22 09:27:49 + (Wed, 22 Jul 2015) New Revision: 35614 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: Reserve DSA for cacti Modified: data/CVE/list === --- data/CVE/list 2015-07-22 09:21:58 UTC (rev 35613) +++ data/CVE/list 2015-07-22 09:27:49 UTC (rev 35614) 
@@ -149,36 +149,48 @@ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/06/7 CVE-2015- [SQL Injection in host_templates.php] - cacti 0.8.8e+ds1-1 + [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 + [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2584 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015- [SQL Injection in graph_templates.php] - cacti 0.8.8e+ds1-1 + [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 + [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2583 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015- [SQL Injection in data_templates.php] - cacti 0.8.8e+ds1-1 + [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 + [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2582 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015- [SQL Injection in cdef.php] - cacti 0.8.8e+ds1-1 + [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 + [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2580 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015- [SQL Injection Vulnerability in data sources] - cacti 0.8.8e+ds1-1 + [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 + [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2579 NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015- [SQL Injection Vulnerability in graph items and graph template items] - cacti 
0.8.8e+ds1-1 + [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 + [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 [squeeze] - cacti 0.8.7g-1+squeeze7 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 NOTE: http://bugs.cacti.net/view.php?id=2574 Modified: data/DSA/list === --- data/DSA/list 2015-07-22 09:21:58 UTC (rev 35613) +++ data/DSA/list 2015-07-22 09:27:49 UTC (rev 35614) @@ -1,3 +1,7 @@ +[22 Jul 2015] DSA-3312-1 cacti - security update + {CVE-2015-4634} + [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6 + [jessie] - cacti 0.8.8b+dfsg-8+deb8u2 [20 Jul 2015] DSA-3311-1 mariadb-10.0 - security update {CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-3152} [jessie] - mariadb-10.0 10.0.20-0+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-22 09:21:58 UTC (rev 35613) +++ data/dsa-needed.txt 2015-07-22 09:27:49 UTC (rev 35614) @@ -21,9 +21,6 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -cacti (ghedo) - Maintainer prepared uploads for wheezy and jessie --- eglibc (aurel32) some of the other no-dsa bugs could be fixed along --
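Review bot: the data/CVE/list hunk adds the DSA versions "[jessie] - cacti 0.8.8b+dfsg-8+deb8u2" and "[wheezy] - cacti 0.8.8a+dfsg-5+deb7u6" to six temporary "CVE-2015- [SQL Injection ...]" cacti entries, but the data/DSA/list hunk lists only {CVE-2015-4634} for DSA-3312-1; the six entries have no ids yet, so a "NOTE: Fixed by DSA-3312-1" on each keeps the fix traceable until ids are assigned and can be appended to the DSA's CVE list.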
[Secure-testing-commits] r35613 - data
Author: ghedo Date: 2015-07-22 09:21:58 + (Wed, 22 Jul 2015) New Revision: 35613 Modified: data/dsa-needed.txt Log: Take cacti Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-22 09:10:18 UTC (rev 35612) +++ data/dsa-needed.txt 2015-07-22 09:21:58 UTC (rev 35613) @@ -21,7 +21,7 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -cacti +cacti (ghedo) Maintainer prepared uploads for wheezy and jessie -- eglibc (aurel32)
[Secure-testing-commits] r35603 - data/CVE
Author: ghedo Date: 2015-07-21 17:05:54 + (Tue, 21 Jul 2015) New Revision: 35603 Modified: data/CVE/list Log: Add new temporary icu issue related to CVE-2014-8146 Modified: data/CVE/list === --- data/CVE/list 2015-07-21 15:16:54 UTC (rev 35602) +++ data/CVE/list 2015-07-21 17:05:54 UTC (rev 35603) @@ -1,3 +1,6 @@ +CVE-2015- [more to CVE-2014-8146] + - icu + NOTE: https://bugs.mageia.org/show_bug.cgi?id=15852#c2 CVE-2015- [integer overflow] - freexl 1.0.2-1 [jessie] - freexl 1.0.0g-1+deb8u2 @@ -20034,7 +20037,6 @@ [wheezy] - chromium-browser (Vulnerable code not present) [squeeze] - chromium-browser (Not supported in Squeeze LTS) NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37162 - NOTE: The upstream patch doesn't seem to properly fix the issue. CVE-2014-8145 (Multiple heap-based buffer overflows in Sound eXchange (SoX) 14.4.1 ...) {DSA-3112-1 DLA-128-1} - sox 14.4.1-5 (bug #773720)
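Review bot: the second hunk deletes "NOTE: The upstream patch doesn't seem to properly fix the issue." from CVE-2014-8146 without adding a pointer to the "CVE-2015- [more to CVE-2014-8146]" entry created in the first hunk; the new entry refers back through its title, but the original CVE no longer says a follow-up exists, so a replacement such as "NOTE: Incomplete fix, see the 'more to CVE-2014-8146' entry" keeps the relationship visible from both sides.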
[Secure-testing-commits] r35569 - data
Author: ghedo Date: 2015-07-19 09:58:28 + (Sun, 19 Jul 2015) New Revision: 35569 Modified: data/dsa-needed.txt Log: Add cacti to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-19 09:56:48 UTC (rev 35568) +++ data/dsa-needed.txt 2015-07-19 09:58:28 UTC (rev 35569) @@ -21,6 +21,9 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- +cacti + Maintainer prepared uploads for wheezy and jessie +-- eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35568 - data/CVE
Author: ghedo Date: 2015-07-19 09:56:48 + (Sun, 19 Jul 2015) New Revision: 35568 Modified: data/CVE/list Log: Add temporary cacti issues Modified: data/CVE/list === --- data/CVE/list 2015-07-19 09:10:18 UTC (rev 35567) +++ data/CVE/list 2015-07-19 09:56:48 UTC (rev 35568) @@ -1,3 +1,33 @@ +CVE-2015- [SQL Injection in host_templates.php] + - cacti 0.8.8e+ds1-1 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 + NOTE: http://bugs.cacti.net/view.php?id=2584 + NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 +CVE-2015- [SQL Injection in graph_templates.php] + - cacti 0.8.8e+ds1-1 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 + NOTE: http://bugs.cacti.net/view.php?id=2583 + NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 +CVE-2015- [SQL Injection in data_templates.php] + - cacti 0.8.8e+ds1-1 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 + NOTE: http://bugs.cacti.net/view.php?id=2582 + NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 +CVE-2015- [SQL Injection in cdef.php] + - cacti 0.8.8e+ds1-1 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 + NOTE: http://bugs.cacti.net/view.php?id=2580 + NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 +CVE-2015- [SQL Injection Vulnerabilitie in data sources] + - cacti 0.8.8e+ds1-1 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 + NOTE: http://bugs.cacti.net/view.php?id=2579 + NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 +CVE-2015- [SQL Injection Vulnerabilitie in graph items and graph template items] + - cacti 0.8.8e+ds1-1 + NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/18/4 + NOTE: http://bugs.cacti.net/view.php?id=2574 + NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731 CVE-2015-5590 [Buffer overflow and stack smashing error in phar_fix_filepath] - php5 5.6.11+dfsg-1 NOTE: https://bugs.php.net/bug.php?id=69923 
@@ -2103,7 +2133,7 @@ RESERVED CVE-2015-4635 RESERVED -CVE-2015-4634 +CVE-2015-4634 [SQL injection in graphs.php] RESERVED {DLA-278-1} - cacti 0.8.8e+ds1-1
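Review bot: in the first hunk the two entries titled "SQL Injection Vulnerabilitie in data sources" and "SQL Injection Vulnerabilitie in graph items and graph template items" misspell "Vulnerability", and the other four new entries use the shorter "SQL Injection in <file>" form; one consistent form for all six would help, since these titles are what people grep for while the issues have no CVE ids.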
[Secure-testing-commits] r35557 - in data: . DSA
Author: ghedo Date: 2015-07-18 17:03:09 + (Sat, 18 Jul 2015) New Revision: 35557 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for tidy Modified: data/DSA/list === --- data/DSA/list 2015-07-18 16:56:40 UTC (rev 35556) +++ data/DSA/list 2015-07-18 17:03:09 UTC (rev 35557) @@ -1,3 +1,7 @@ +[18 Jul 2015] DSA-3309-1 tidy - security update + {CVE-2015-5522 CVE-2015-5523} + [wheezy] - tidy 20091223cvs-1.2+deb7u1 + [jessie] - tidy 20091223cvs-1.4+deb8u1 [18 Jul 2015] DSA-3308-1 mysql-5.5 - security update {CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-4737 CVE-2015-4752} [wheezy] - mysql-5.5 5.5.44-0+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-18 16:56:40 UTC (rev 35556) +++ data/dsa-needed.txt 2015-07-18 17:03:09 UTC (rev 35557) @@ -77,8 +77,6 @@ Patch applied for stable seems incomplete since similar code is in t1asm.c and t1disasm.c Security impact of #724571 might need to be checked as well -- -tidy (ghedo) --- tiff3 -- tomcat6
[Secure-testing-commits] r35503 - data
Author: ghedo Date: 2015-07-16 12:20:30 + (Thu, 16 Jul 2015) New Revision: 35503 Modified: data/dsa-needed.txt Log: Add libidn to dsa-needed and take it Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-16 12:20:27 UTC (rev 35502) +++ data/dsa-needed.txt 2015-07-16 12:20:30 UTC (rev 35503) @@ -35,6 +35,8 @@ -- libav/oldstable (jmm) -- +libidn (ghedo) +-- libxml2 -- linux
[Secure-testing-commits] r35502 - data/CVE
Author: ghedo Date: 2015-07-16 12:20:27 + (Thu, 16 Jul 2015) New Revision: 35502 Modified: data/CVE/list Log: Reconsider CVE-2015-2059/libidn severity Modified: data/CVE/list === --- data/CVE/list 2015-07-16 11:51:36 UTC (rev 35501) +++ data/CVE/list 2015-07-16 12:20:27 UTC (rev 35502) @@ -11196,9 +11196,12 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/13 CVE-2015-2059 RESERVED - - libidn 1.31-1 (unimportant) + - libidn 1.31-1 + NOTE: http://www.openwall.com/lists/oss-security/2015/02/23/25 NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e - NOTE: Mis-use of an API (even if poorly documented) is hardly a security issue + NOTE: This could be attributed to a misuse of a (poorly documented) API + NOTE: but since upstream provided a patch it makes more sense to fix + NOTE: only libidn instead of every application using it CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c in ...) {DSA-3209-1 DLA-203-1} - openldap 2.4.40-4 (bug #776988)
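Review bot: the hunk replaces "- libidn 1.31-1 (unimportant)" with "- libidn 1.31-1" and adds the reasoning NOTEs, but no severity takes the place of the dropped one and no [jessie]/[wheezy] lines are added, so the stable releases now show as affected with no stated severity; if the intent is that the issue now merits a DSA (the same-day "libidn (ghedo)" dsa-needed entry in r35503 suggests so), saying that in a NOTE, or adding an explicit severity, makes the change self-explanatory for readers of the entry alone.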
[Secure-testing-commits] r35498 - data
Author: ghedo Date: 2015-07-16 10:27:47 + (Thu, 16 Jul 2015) New Revision: 35498 Modified: data/dsa-needed.txt Log: Take tidy Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-16 09:52:19 UTC (rev 35497) +++ data/dsa-needed.txt 2015-07-16 10:27:47 UTC (rev 35498) @@ -73,7 +73,7 @@ Patch applied for stable seems incomplete since similar code is in t1asm.c and t1disasm.c Security impact of #724571 might need to be checked as well -- -tidy +tidy (ghedo) -- tiff3 -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35437 - data/CVE
Author: ghedo Date: 2015-07-12 16:39:16 + (Sun, 12 Jul 2015) New Revision: 35437 Modified: data/CVE/list Log: CVE-2015-2059/libidn fixed in sid Modified: data/CVE/list === --- data/CVE/list 2015-07-12 13:25:49 UTC (rev 35436) +++ data/CVE/list 2015-07-12 16:39:16 UTC (rev 35437) @@ -10874,7 +10874,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/13 CVE-2015-2059 RESERVED - - libidn (unimportant) + - libidn 1.31-1 (unimportant) NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e NOTE: Mis-use of an API (even if poorly documented) is hardly a security issue CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35428 - data/CVE
Author: ghedo Date: 2015-07-10 21:36:50 + (Fri, 10 Jul 2015) New Revision: 35428 Modified: data/CVE/list Log: CVE assigned for sogo CSRF issue Modified: data/CVE/list === --- data/CVE/list 2015-07-10 21:33:42 UTC (rev 35427) +++ data/CVE/list 2015-07-10 21:36:50 UTC (rev 35428) @@ -136,8 +136,6 @@ RESERVED CVE-2015-5396 RESERVED -CVE-2015-5395 - RESERVED CVE-2015-5394 RESERVED CVE-2015-5393 @@ -218,7 +216,7 @@ [squeeze] - hostapd (v0.7.0-v2.4 with CONFIG_WPS_NFC=y) NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/08/3 NOTE: http://w1.fi/security/2015-5/ -CVE-2015- [CSRF] +CVE-2015-5395 [CSRF] - sogo NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/07/10 NOTE: http://www.sogo.nu/bugs/view.php?id=3246 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35427 - in data: CVE DSA
Author: ghedo Date: 2015-07-10 21:33:42 + (Fri, 10 Jul 2015) New Revision: 35427 Modified: data/CVE/list data/DSA/list Log: CVE assigned for pdns issue Modified: data/CVE/list === --- data/CVE/list 2015-07-10 21:10:14 UTC (rev 35426) +++ data/CVE/list 2015-07-10 21:33:42 UTC (rev 35427) @@ -227,13 +227,11 @@ - sogo NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/07/07/9 TODO: check -CVE-2015- [denial of service - incomplete fix for CVE-2015-1868] +CVE-2015-5470 [denial of service - incomplete fix for CVE-2015-1868] - pdns 3.4.5-1 - [jessie] - pdns 3.4.1-4+deb8u2 [wheezy] - pdns (3.2 and up affected) [squeeze] - pdns (3.2 and up affected) - pdns-recursor 3.7.3-1 - [jessie] - pdns-recursor 3.6.2-2+deb8u2 [wheezy] - pdns-recursor (3.5 and up affected) [squeeze] - pdns-recursor (3.5 and up affected) NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/6 Modified: data/DSA/list === --- data/DSA/list 2015-07-10 21:10:14 UTC (rev 35426) +++ data/DSA/list 2015-07-10 21:33:42 UTC (rev 35427) @@ -1,6 +1,8 @@ [09 Jul 2015] DSA-3307-1 pdns-recursor - security update + {CVE-2015-5470} [jessie] - pdns-recursor 3.6.2-2+deb8u2 [09 Jul 2015] DSA-3306-1 pdns - security update + {CVE-2015-5470} [jessie] - pdns 3.4.1-4+deb8u2 [08 Jul 2015] DSA-3305-1 python-django - security update {CVE-2015-5143 CVE-2015-5144} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
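Review bot: the two `[jessie]` lines are removed from the CVE/list entry in the same commit that adds `{CVE-2015-5470}` to the DSA-3306-1 and DSA-3307-1 entries, so the jessie fixed versions are now taken from DSA/list, which is where they belong; but the remaining `[wheezy]` and `[squeeze]` lines still carry only the free-form notes `(3.2 and up affected)` and `(3.5 and up affected)` with neither a version nor a status tag, so those releases stay listed as open. If those notes mean the shipped versions are below 3.2 / 3.5, mark the lines `<not-affected>` with the note kept in parentheses; if wheezy is affected, the DSA covers only jessie and a wheezy update is still outstanding.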
[Secure-testing-commits] r35401 - data/CVE
Author: ghedo Date: 2015-07-09 22:12:25 + (Thu, 09 Jul 2015) New Revision: 35401 Modified: data/CVE/list Log: Package sddm was accepted into the archive Modified: data/CVE/list === --- data/CVE/list 2015-07-09 22:05:53 UTC (rev 35400) +++ data/CVE/list 2015-07-09 22:12:25 UTC (rev 35401) @@ -21773,11 +21773,13 @@ - getmail4 4.44.0-1 (bug #766670) CVE-2014-7272 [multiple vulnerabilities in sddm] RESERVED - - sddm (bug #703519) + [experimental] - sddm 0.11.0-1 + - sddm 0.11.0-2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=897788 CVE-2014-7271 [unauthenticated logins as sddm] RESERVED - - sddm (bug #703519) + [experimental] - sddm 0.11.0-1 + - sddm 0.11.0-2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=897788 CVE-2014-7270 (Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U ...) NOT-FOR-US: ASUS routers ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
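Review bot: both replaced lines drop `(bug #703519)`, which was the only link from CVE-2014-7272 and CVE-2014-7271 to the Debian bug under which sddm was tracked, and nothing in the new `[experimental] - sddm 0.11.0-1` / `- sddm 0.11.0-2` lines carries it forward. Keep the reference on the unstable line, e.g. `- sddm 0.11.0-2 (bug #703519)`, so the history of the fix remains discoverable from the tracker entry.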
[Secure-testing-commits] r35400 - data/CVE
Author: ghedo Date: 2015-07-09 22:05:53 + (Thu, 09 Jul 2015) New Revision: 35400 Modified: data/CVE/list Log: Mark temporary pdns issue as fixed in jessie Modified: data/CVE/list === --- data/CVE/list 2015-07-09 21:59:59 UTC (rev 35399) +++ data/CVE/list 2015-07-09 22:05:53 UTC (rev 35400) @@ -225,9 +225,11 @@ TODO: check CVE-2015- [denial of service - incomplete fix for CVE-2015-1868] - pdns 3.4.5-1 + [jessie] - pdns 3.4.1-4+deb8u2 [wheezy] - pdns (3.2 and up affected) [squeeze] - pdns (3.2 and up affected) - pdns-recursor 3.7.3-1 + [jessie] - pdns-recursor 3.6.2-2+deb8u2 [wheezy] - pdns-recursor (3.5 and up affected) [squeeze] - pdns-recursor (3.5 and up affected) NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
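Review bot: the added `[jessie] - pdns 3.4.1-4+deb8u2` and `[jessie] - pdns-recursor 3.6.2-2+deb8u2` lines duplicate the versions already recorded in DSA/list by the DSA-3306-1 / DSA-3307-1 entries; the tracker derives stable fixed versions from DSA/list once the DSA references the CVE, so these lines will have to be removed again as soon as the placeholder `CVE-2015-` is replaced by the assigned id and the DSA entries point at it. Given the entry still carries the placeholder, noting that dependency in a NOTE line would make the temporary nature of these lines clear.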
[Secure-testing-commits] r35399 - in data: . DSA
Author: ghedo Date: 2015-07-09 21:59:59 + (Thu, 09 Jul 2015) New Revision: 35399 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for pdns and pdns-recursor Modified: data/DSA/list === --- data/DSA/list 2015-07-09 21:13:21 UTC (rev 35398) +++ data/DSA/list 2015-07-09 21:59:59 UTC (rev 35399) @@ -1,3 +1,9 @@ +[09 Jul 2015] DSA-3307-1 pdns-recursor - security update + {CVE-2015-1868} + [jessie] - pdns-recursor 3.6.2-2+deb8u2 +[09 Jul 2015] DSA-3306-1 pdns - security update + {CVE-2015-1868} + [jessie] - pdns 3.4.1-4+deb8u2 [08 Jul 2015] DSA-3305-1 python-django - security update {CVE-2015-5143 CVE-2015-5144} [wheezy] - python-django 1.4.5-1+deb7u12 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-09 21:13:21 UTC (rev 35398) +++ data/dsa-needed.txt 2015-07-09 21:59:59 UTC (rev 35399) @@ -52,10 +52,6 @@ NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466 (#744717) -- -pdns/stable (ghedo) - Follow-up patch for CVE-2015-1868 - Maintainer prepared uploads for pdns and pdns-recursor --- pdns/oldstable -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
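Review bot: the new DSA-3306-1 and DSA-3307-1 entries reference `{CVE-2015-1868}`, but the dsa-needed lines removed in the same commit describe the work as "Follow-up patch for CVE-2015-1868", i.e. a fix for the incomplete earlier fix, which in CVE/list is still the placeholder `CVE-2015- [denial of service - incomplete fix for CVE-2015-1868]`. As written the DSA entries read as a re-issue of the original CVE-2015-1868 fix; reference the placeholder now and update to the assigned id once it arrives, so the DSA is cross-referenced to the issue it actually addresses.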
[Secure-testing-commits] r35389 - data
Author: ghedo Date: 2015-07-09 12:21:49 + (Thu, 09 Jul 2015) New Revision: 35389 Modified: data/dsa-needed.txt Log: Add pdns to dsa-needed and take it Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-09 11:53:20 UTC (rev 35388) +++ data/dsa-needed.txt 2015-07-09 12:21:49 UTC (rev 35389) @@ -52,6 +52,10 @@ NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466 (#744717) -- +pdns/stable (ghedo) + Follow-up patch for CVE-2015-1868 + Maintainer prepared uploads for pdns and pdns-recursor +-- pdns/oldstable -- php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
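Review bot: the entry text says "Maintainer prepared uploads for pdns and pdns-recursor", but only `pdns/stable (ghedo)` is listed; pdns-recursor is a separate source package with its own update, and with no entry of its own it is invisible to anyone scanning dsa-needed.txt for outstanding work. Either add a `pdns-recursor/stable (ghedo)` entry alongside, or state in the note that the pdns-recursor update is tracked under this entry.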
[Secure-testing-commits] r35379 - in data: . DSA
Author: ghedo Date: 2015-07-08 22:03:20 + (Wed, 08 Jul 2015) New Revision: 35379 Modified: data/DSA/list data/dsa-needed.txt Log: Reserve DSA for python-django Modified: data/DSA/list === --- data/DSA/list 2015-07-08 21:46:20 UTC (rev 35378) +++ data/DSA/list 2015-07-08 22:03:20 UTC (rev 35379) @@ -1,3 +1,7 @@ +[08 Jul 2015] DSA-3305-1 python-django - security update + {CVE-2015-5143 CVE-2015-5144} + [wheezy] - python-django 1.4.5-1+deb7u12 + [jessie] - python-django 1.7.7-1+deb8u1 [07 Jul 2015] DSA-3304-1 bind9 - security update {CVE-2015-4620} [wheezy] - bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-08 21:46:20 UTC (rev 35378) +++ data/dsa-needed.txt 2015-07-08 22:03:20 UTC (rev 35379) @@ -61,9 +61,6 @@ -- pykerberos -- -python-django (ghedo) - lfaraone prepared jessie and wheezy updates --- smarty3 -- t1utils/oldstable (ghedo) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35377 - data/CVE
Author: ghedo Date: 2015-07-08 21:46:17 + (Wed, 08 Jul 2015) New Revision: 35377 Modified: data/CVE/list Log: Add python-django issues Modified: data/CVE/list === --- data/CVE/list 2015-07-08 21:10:15 UTC (rev 35376) +++ data/CVE/list 2015-07-08 21:46:17 UTC (rev 35377) @@ -678,12 +678,20 @@ NOT-FOR-US: Zoho ManageEngine SupportCenter Plus CVE-2015-5148 (SQL injection vulnerability in LivelyCart 1.2.0 allows remote ...) NOT-FOR-US: LivelyCart -CVE-2015-5145 +CVE-2015-5145 [denial-of-service possibility in URL validation] RESERVED -CVE-2015-5144 + - python-django + [jessie] - python-django (Vulnerable code not present) + [wheezy] - python-django (Vulnerable code not present) + NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ +CVE-2015-5144 [header injection possibility since validators accept newlines in input] RESERVED -CVE-2015-5143 + - python-django + NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ +CVE-2015-5143 [denial-of-service possibility by filling session store] RESERVED + - python-django + NOTE: https://www.djangoproject.com/weblog/2015/jul/08/security-releases/ CVE-2015-5142 RESERVED CVE-2015-5141 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
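Review bot: the CVE-2015-5145 lines `[jessie] - python-django (Vulnerable code not present)` and `[wheezy] - python-django (Vulnerable code not present)` give neither a fixed version nor a status tag, so the parenthesised text is only a free-form note and both releases remain listed as vulnerable, contradicting what the note says. The tracker form for this is `[jessie] - python-django <not-affected> (Vulnerable code not present)`; the same applies to the wheezy line. The CVE-2015-5144 and CVE-2015-5143 entries are consistent with the later DSA-3305-1, which lists exactly those two ids.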
[Secure-testing-commits] r35378 - data
Author: ghedo Date: 2015-07-08 21:46:20 + (Wed, 08 Jul 2015) New Revision: 35378 Modified: data/dsa-needed.txt Log: Add python-django to dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-07-08 21:46:17 UTC (rev 35377) +++ data/dsa-needed.txt 2015-07-08 21:46:20 UTC (rev 35378) @@ -61,6 +61,9 @@ -- pykerberos -- +python-django (ghedo) + lfaraone prepared jessie and wheezy updates +-- smarty3 -- t1utils/oldstable (ghedo) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35374 - data/CVE
Author: ghedo Date: 2015-07-08 09:54:31 + (Wed, 08 Jul 2015) New Revision: 35374 Modified: data/CVE/list Log: Add patch link for CVE-2015-2059/libidn Modified: data/CVE/list === --- data/CVE/list 2015-07-08 06:04:31 UTC (rev 35373) +++ data/CVE/list 2015-07-08 09:54:31 UTC (rev 35374) @@ -10649,6 +10649,7 @@ CVE-2015-2059 RESERVED - libidn (unimportant) + NOTE: Patch: http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e NOTE: Mis-use of an API (even if poorly documented) is hardly a security issue CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c in ...) {DSA-3209-1 DLA-203-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits