[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] curl DSA

2018-03-14 Thread Alessandro Ghedini
Alessandro Ghedini pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9451e95f by Alessandro Ghedini at 2018-03-14T21:14:40+00:00
curl DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,3 +1,7 @@
+[14 Mar 2018] DSA-4136-1 curl - security update
+   {CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122}
+   [jessie] - curl 7.38.0-4+deb8u10
+   [stretch] - curl 7.52.1-5+deb9u5
 [13 Mar 2018] DSA-4135-1 samba - security update
{CVE-2018-1050 CVE-2018-1057}
[stretch] - samba 2:4.5.12+dfsg-2+deb9u2


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -18,8 +18,6 @@ asterisk/stable
 --
 chromium-browser/stable
 --
-curl (ghedo)
---
 dokuwiki/oldstable
 --
 ffmpeg/stable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9451e95f2c9110027b1fced6dae4014172c6e65c

___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] curl DSA

2018-01-26 Thread Alessandro Ghedini
Alessandro Ghedini pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e850d820 by Alessandro Ghedini at 2018-01-26T09:48:02+00:00
curl DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,3 +1,7 @@
+[26 Jan 2018] DSA-4098-1 curl - security update
+   {CVE-2018-105 CVE-2018-107}
+   [jessie] - curl 7.38.0-4+deb8u9
+   [stretch] - curl 7.52.1-5+deb9u4
 [25 Jan 2018] DSA-4097-1 poppler - security update
{CVE-2017-1000456}
[jessie] - poppler 0.26.5-2+deb8u3
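Review bot: the CVE set on the `+   {CVE-2018-105 CVE-2018-107}` line is not well-formed; a CVE sequence number has at least four digits, so as written these identifiers will match no entry in data/CVE/list and the DSA will not be linked to the issues it fixes. Verify both identifiers against the corresponding data/CVE/list entries before pushing.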


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -16,8 +16,6 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 chromium-browser/stable
 --
-curl (ghedo)
---
 dovecot (carnil)
   holding back upload due to possible regression
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e850d8206643e11ddd0572ec5fbff1a2ad199438


[Secure-testing-commits] r57040 - data/DSA

2017-10-27 Thread Alessandro Ghedini
Author: ghedo
Date: 2017-10-27 19:59:54 +0000 (Fri, 27 Oct 2017)
New Revision: 57040

Modified:
   data/DSA/list
Log:
Reserve DSA for curl

Modified: data/DSA/list
===
--- data/DSA/list   2017-10-27 19:06:04 UTC (rev 57039)
+++ data/DSA/list   2017-10-27 19:59:54 UTC (rev 57040)
@@ -1,3 +1,7 @@
+[27 Oct 2017] DSA-4007-1 curl - security update
+   {CVE-2017-1000257}
+   [jessie] - curl 7.38.0-4+deb8u7
+   [stretch] - curl 7.52.1-5+deb9u2
 [24 Oct 2017] DSA-4006-1 mupdf - security update
{CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587}
[stretch] - mupdf 1.9a+ds1-4+deb9u1




[Secure-testing-commits] r43744 - data/CVE

2016-08-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-08-03 12:34:13 +0000 (Wed, 03 Aug 2016)
New Revision: 43744

Modified:
   data/CVE/list
Log:
Add fixed versions for curl issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-08-03 12:27:47 UTC (rev 43743)
+++ data/CVE/list   2016-08-03 12:34:13 UTC (rev 43744)
@@ -3318,21 +3318,21 @@
RESERVED
 CVE-2016-5422
RESERVED
-CVE-2016-5421
+CVE-2016-5421 [TLS session resumption client cert bypass]
RESERVED
-   - curl 
+   - curl 7.50.1-1
[wheezy] - curl  (introduced in 7.32.0)
NOTE: https://curl.haxx.se/docs/adv_20160803C.html
NOTE: Fixed by https://curl.haxx.se/CVE-2016-5421.patch
-CVE-2016-5420
+CVE-2016-5420 [Re-using connection with wrong client cert]
RESERVED
-   - curl 
+   - curl 7.50.1-1
NOTE: https://curl.haxx.se/docs/adv_20160803B.html
NOTE: Fixed by https://curl.haxx.se/CVE-2016-5420.patch
NOTE: Wheezy: vulnerable code is in lib/sslgen.c
-CVE-2016-5419
+CVE-2016-5419 [TLS session resumption client cert bypass]
RESERVED
-   - curl 
+   - curl 7.50.1-1
NOTE: https://curl.haxx.se/docs/adv_20160803A.html
NOTE: Fixed by https://curl.haxx.se/CVE-2016-5419.patch
NOTE: Wheezy: vulnerable code is in lib/sslgen.c
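Review bot: the new descriptions on `+CVE-2016-5421 [TLS session resumption client cert bypass]` and `+CVE-2016-5419 [TLS session resumption client cert bypass]` are identical, while their NOTE lines point at two different curl advisories (adv_20160803C and adv_20160803A) and only CVE-2016-5421 carries the wheezy marker `(introduced in 7.32.0)`; one of the two descriptions looks copy-pasted, so re-derive it from the advisory that entry references.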




[Secure-testing-commits] r43745 - data/DSA

2016-08-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-08-03 12:34:17 +0000 (Wed, 03 Aug 2016)
New Revision: 43745

Modified:
   data/DSA/list
Log:
Reserve DSA for curl

Modified: data/DSA/list
===
--- data/DSA/list   2016-08-03 12:34:13 UTC (rev 43744)
+++ data/DSA/list   2016-08-03 12:34:17 UTC (rev 43745)
@@ -1,3 +1,6 @@
+[03 Aug 2016] DSA-3638-1 curl - security update
+   {CVE-2016-5419 CVE-2016-5420 CVE-2016-5421}
+   [jessie] - curl 7.38.0-4+deb8u4
 [31 Jul 2016] DSA-3637-1 chromium-browser - security update
{CVE-2016-1704 CVE-2016-1705 CVE-2016-1706 CVE-2016-1707 CVE-2016-1708 
CVE-2016-1709 CVE-2016-1710 CVE-2016-1711 CVE-2016-5127 CVE-2016-5128 
CVE-2016-5129 CVE-2016-5130 CVE-2016-5131 CVE-2016-5132 CVE-2016-5133 
CVE-2016-5134 CVE-2016-5135 CVE-2016-5136 CVE-2016-5137}
[jessie] - chromium-browser 52.0.2743.82-1~deb8u1
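Review bot: the DSA-3638-1 entry carries a `[jessie]` version only, while the companion r43744 hunk records for CVE-2016-5419 and CVE-2016-5420 that the vulnerable code is present in wheezy (`lib/sslgen.c`); if wheezy is being handled outside this DSA, give those CVE entries an explicit `[wheezy]` status so the tracker does not leave wheezy's state implicit.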




[Secure-testing-commits] r41730 - in data: . CVE DSA

2016-05-14 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-05-14 17:42:50 +0000 (Sat, 14 May 2016)
New Revision: 41730

Modified:
   data/CVE/list
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for libidn

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-14 17:22:04 UTC (rev 41729)
+++ data/CVE/list   2016-05-14 17:42:50 UTC (rev 41730)
@@ -22397,6 +22397,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/08/04/2
 CVE-2015- [more to CVE-2015-2059]
- libidn 1.32-1
+   [jessie] - libidn 1.29-1+deb8u1
[squeeze] - libidn 1.15-2+deb6u2
NOTE: Introduced by fix for CVE-2015-2059
NOTE: 
https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00026.html
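Review bot: the `+   [jessie] - libidn 1.29-1+deb8u1` line is added to a placeholder entry (`CVE-2015- [more to CVE-2015-2059]`) that has no identifier yet, so the DSA-3578-1 entry in the same commit can only reference CVE-2015-2059 and this release line is the only thing marking the follow-up issue fixed in jessie; once an id is assigned, add it to the DSA's CVE set and retire this line so the two files stay consistent.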

Modified: data/DSA/list
===
--- data/DSA/list   2016-05-14 17:22:04 UTC (rev 41729)
+++ data/DSA/list   2016-05-14 17:42:50 UTC (rev 41730)
@@ -1,3 +1,6 @@
+[14 May 2016] DSA-3578-1 libidn - security update
+   {CVE-2015-2059}
+   [jessie] - libidn 1.29-1+deb8u1
 [14 May 2016] DSA-3577-1 jansson - security update
{CVE-2016-4425}
[jessie] - jansson 2.7-1+deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-14 17:22:04 UTC (rev 41729)
+++ data/dsa-needed.txt 2016-05-14 17:42:50 UTC (rev 41730)
@@ -29,13 +29,6 @@
 --
 imagemagick (luciano)
 --
-libidn (ghedo)
-  Working debdiff for wheezy-security at
-  https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff
-  Work-in-progress debdiff for jessie-security at
-  https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
-  Help is needed to fix it so that it doesn't FTBFS
---
 libxml2 (carnil)
   NOTE: waiting for libxml2 upstream's blessed patches
 --
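Review bot: the removed lines say the jessie debdiff (`libidn_1.29-1+deb8u1.diff`) was work-in-progress and that help was needed so it doesn't FTBFS, yet the DSA reserved in the same commit records exactly `1.29-1+deb8u1` as the jessie fixed version; confirm the build failure was resolved and the package built before the DSA goes out, otherwise the tracker shows the issue fixed against a version that never reached the archive.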




[Secure-testing-commits] r41724 - data

2016-05-14 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-05-14 16:33:48 +0000 (Sat, 14 May 2016)
New Revision: 41724

Modified:
   data/dsa-needed.txt
Log:
Retake libidn

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-14 16:33:03 UTC (rev 41723)
+++ data/dsa-needed.txt 2016-05-14 16:33:48 UTC (rev 41724)
@@ -29,7 +29,7 @@
 --
 imagemagick (luciano)
 --
-libidn
+libidn (ghedo)
   Working debdiff for wheezy-security at
   https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff
   Work-in-progress debdiff for jessie-security at




[Secure-testing-commits] r41723 - in data: . DSA

2016-05-14 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-05-14 16:33:03 +0000 (Sat, 14 May 2016)
New Revision: 41723

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for jansson

Modified: data/DSA/list
===
--- data/DSA/list   2016-05-14 16:29:50 UTC (rev 41722)
+++ data/DSA/list   2016-05-14 16:33:03 UTC (rev 41723)
@@ -1,3 +1,6 @@
+[14 May 2016] DSA-3577-1 jansson - security update
+   {CVE-2016-4425}
+   [jessie] - jansson 2.7-1+deb8u1
 [13 May 2016] DSA-3576-1 icedove - security update
{CVE-2016-1979 CVE-2016-2805 CVE-2016-2807}
[jessie] - icedove 38.8.0-1~deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-14 16:29:50 UTC (rev 41722)
+++ data/dsa-needed.txt 2016-05-14 16:33:03 UTC (rev 41723)
@@ -29,8 +29,6 @@
 --
 imagemagick (luciano)
 --
-jansson (ghedo)
---
 libidn
   Working debdiff for wheezy-security at
   https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff




[Secure-testing-commits] r41395 - in data: . DSA

2016-05-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-05-03 18:10:16 +0000 (Tue, 03 May 2016)
New Revision: 41395

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for openssl

Modified: data/DSA/list
===
--- data/DSA/list   2016-05-03 17:49:07 UTC (rev 41394)
+++ data/DSA/list   2016-05-03 18:10:16 UTC (rev 41395)
@@ -1,3 +1,6 @@
+[03 May 2016] DSA-3566-1 openssl - security update
+   {CVE-2016-2105 CVE-2016-2106 CVE-2016-2107 CVE-2016-2108 CVE-2016-2109 
CVE-2016-2176}
+   [jessie] - openssl 1.0.1k-3+deb8u5
 [02 May 2016] DSA-3565-1 botan1.10 - security update
{CVE-2015-5726 CVE-2015-5727 CVE-2015-7827 CVE-2016-2194 CVE-2016-2195 
CVE-2016-2849}
[jessie] - botan1.10 1.10.8-2+deb8u1
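Review bot: CVE-2016-2176 is included in the DSA-3566-1 CVE set, but the r41378 hunk below annotates its entry `(Only affects EBCDIC systems)`; with both in place the tracker will report the issue fixed in jessie via this DSA while data/CVE/list says it does not apply to Debian builds, so either drop it from the set or bring the CVE/list status in line, whichever matches the uploaded package.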

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-05-03 17:49:07 UTC (rev 41394)
+++ data/dsa-needed.txt 2016-05-03 18:10:16 UTC (rev 41395)
@@ -54,8 +54,6 @@
 --
 openjpeg2 (jmm)
 --
-openssl (ghedo)
---
 phpmyadmin (thijs)
 --
 quagga




[Secure-testing-commits] r41378 - data/CVE

2016-05-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-05-03 14:34:38 +0000 (Tue, 03 May 2016)
New Revision: 41378

Modified:
   data/CVE/list
Log:
Update openssl issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-03 14:33:03 UTC (rev 41377)
+++ data/CVE/list   2016-05-03 14:34:38 UTC (rev 41378)
@@ -6297,9 +6297,9 @@
RESERVED
 CVE-2016-2177
RESERVED
-CVE-2016-2176
+CVE-2016-2176 [EBCDIC overread]
RESERVED
-   - openssl 
+   - openssl  (Only affects EBCDIC systems)
NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=ea96ad5a206b7b5f25dad230333e8ff032df3219
NOTE: https://www.openssl.org/news/secadv/20160503.txt
 CVE-2016-2175
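Review bot: on `+   - openssl  (Only affects EBCDIC systems)` the field between the package name and the parenthetical reason is empty as shown here; a reason of that kind belongs beside an explicit status token, so confirm the token is present in the committed file rather than lost in the mail rendering, since without it the entry reads as an unfixed issue with a comment attached.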
@@ -6496,27 +6496,27 @@
{DSA-3548-1}
- samba 2:4.3.7+dfsg-1
NOTE: https://www.samba.org/samba/security/CVE-2016-2110.html
-CVE-2016-2109
+CVE-2016-2109 [ASN.1 BIO excessive memory allocation]
RESERVED
- openssl  (low)
NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=c62981390d6cf9e3d612c489b8b77c2913b25807
NOTE: https://www.openssl.org/news/secadv/20160503.txt
-CVE-2016-2108
+CVE-2016-2108 [Memory corruption in the ASN.1 encoder]
RESERVED
- openssl 1.0.2c-1
NOTE: https://www.openssl.org/news/secadv/20160503.txt
-CVE-2016-2107
+CVE-2016-2107 [Padding oracle in AES-NI CBC MAC check]
RESERVED
- openssl 
NOTE: https://www.openssl.org/news/secadv/20160503.txt
-CVE-2016-2106
+CVE-2016-2106 [EVP_EncryptUpdate overflow]
RESERVED
-   - openssl 
+   - openssl  (low)
NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=3f3582139fbb259a1c3cbb0a25236500a409bf26
NOTE: https://www.openssl.org/news/secadv/20160503.txt
-CVE-2016-2105
+CVE-2016-2105 [EVP_EncodeUpdate overflow]
RESERVED
-   - openssl 
+   - openssl  (low)
NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=ee1e3cac2e83abc77bcc8ff98729ca1e10fcc920
NOTE: https://www.openssl.org/news/secadv/20160503.txt
 CVE-2016-2104




[Secure-testing-commits] r41095 - in data: . DSA

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 22:13:46 +0000 (Sat, 23 Apr 2016)
New Revision: 41095

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for imlib2

Modified: data/DSA/list
===
--- data/DSA/list   2016-04-23 17:55:09 UTC (rev 41094)
+++ data/DSA/list   2016-04-23 22:13:46 UTC (rev 41095)
@@ -1,3 +1,7 @@
+[23 Apr 2016] DSA-3555-1 imlib2 - security update
+   {CVE-2011-5326 CVE-2014-9771 CVE-2016-3993 CVE-2016-3994 CVE-2016-4024}
+   [wheezy] - imlib2 1.4.5-1+deb7u2
+   [jessie] - imlib2 1.4.6-2+deb8u2
 [21 Apr 2016] DSA-3554-1 xen - security update
{CVE-2016-3158 CVE-2016-3159 CVE-2016-3960}
[jessie] - xen 4.4.1-9+deb8u5
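Review bot: the DSA-3555-1 CVE set lists CVE-2014-9771, but none of the imlib2 hunks on this page touch an entry for it (r41079 records `1.4.8-1` for CVE-2016-4024, CVE-2011-5326, CVE-2016-3994 and CVE-2016-3993; r41089 drops the no-dsa markers for two of those); make sure its data/CVE/list entry exists and carries the unstable fixed version, or the DSA will reference an issue the tracker still shows as unfixed in sid.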

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-04-23 17:55:09 UTC (rev 41094)
+++ data/dsa-needed.txt 2016-04-23 22:13:46 UTC (rev 41095)
@@ -30,8 +30,6 @@
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along
 --
-imlib2 (ghedo)
---
 libgd2
   carnil> Test packages: https://people.debian.org/~carnil/tmp/libgd2/
 --




[Secure-testing-commits] r41089 - data/CVE

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 16:54:46 +0000 (Sat, 23 Apr 2016)
New Revision: 41089

Modified:
   data/CVE/list
Log:
Remove no-dsa tag from imlib2 issues (might as well fix them while I'm at it)

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 15:22:54 UTC (rev 41088)
+++ data/CVE/list   2016-04-23 16:54:46 UTC (rev 41089)
@@ -412,8 +412,6 @@
 CVE-2011-5326 [divide-by-zero on 2x1 ellipse]
RESERVED
- imlib2 1.4.8-1 (bug #639414)
-   [jessie] - imlib2  (Minor issue)
-   [wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882
NOTE: http://www.openwall.com/lists/oss-security/2016/04/10/5
 CVE-2016-3995 [Timing Attack Counter Measure AES]
@@ -589,8 +587,6 @@
 CVE-2016-3993 [off-by-one OOB read in __imlib_MergeUpdate]
RESERVED
- imlib2 1.4.8-1 (bug #819818)
-   [jessie] - imlib2  (Minor issue)
-   [wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef
NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5
 CVE-2012- [Option -localhost seems to fail to restrict ipv6 access]




[Secure-testing-commits] r41079 - data/CVE

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 12:43:42 +0000 (Sat, 23 Apr 2016)
New Revision: 41079

Modified:
   data/CVE/list
Log:
imlib2 issues fixed in sid

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-23 12:43:33 UTC (rev 41078)
+++ data/CVE/list   2016-04-23 12:43:42 UTC (rev 41079)
@@ -238,7 +238,7 @@
NOT-FOR-US: Foxit Reader
 CVE-2016-4024 [integer overflow resulting in insufficient heap allocation]
RESERVED
-   - imlib2  (bug #821732)
+   - imlib2 1.4.8-1 (bug #821732)
NOTE: Upstream fix: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=7eba2e4c8ac0e20838947f10f29d0efe1add8227
NOTE: http://www.openwall.com/lists/oss-security/2016/04/14/5
 CVE-2016-4005
@@ -366,7 +366,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/04/11/3
 CVE-2011-5326 [divide-by-zero on 2x1 ellipse]
RESERVED
-   - imlib2  (bug #639414)
+   - imlib2 1.4.8-1 (bug #639414)
[jessie] - imlib2  (Minor issue)
[wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882
@@ -387,7 +387,7 @@
TODO: vtk6, paraview, opencollada, xdmf, gettext appear to include the 
affected code
 CVE-2016-3994 [GIF loader: out-of-bounds read]
RESERVED
-   - imlib2  (bug #785369)
+   - imlib2 1.4.8-1 (bug #785369)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8
NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/6
 CVE-2016- [Integer overflow in php_raw_url_encode]
@@ -543,7 +543,7 @@
TODO: recheck versions
 CVE-2016-3993 [off-by-one OOB read in __imlib_MergeUpdate]
RESERVED
-   - imlib2  (bug #819818)
+   - imlib2 1.4.8-1 (bug #819818)
[jessie] - imlib2  (Minor issue)
[wheezy] - imlib2  (Minor issue)
NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef




[Secure-testing-commits] r41078 - data

2016-04-23 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-04-23 12:43:33 +0000 (Sat, 23 Apr 2016)
New Revision: 41078

Modified:
   data/dsa-needed.txt
Log:
Take imlib2

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-04-23 12:27:16 UTC (rev 41077)
+++ data/dsa-needed.txt 2016-04-23 12:43:33 UTC (rev 41078)
@@ -30,7 +30,7 @@
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along
 --
-imlib2 (carnil)
+imlib2 (ghedo)
 --
 libgd2
   carnil> Test packages: https://people.debian.org/~carnil/tmp/libgd2/




[Secure-testing-commits] r40098 - data/DSA

2016-03-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-03-01 14:20:52 +0000 (Tue, 01 Mar 2016)
New Revision: 40098

Modified:
   data/DSA/list
Log:
Fix openssl version in jessie

Modified: data/DSA/list
===
--- data/DSA/list   2016-03-01 14:13:51 UTC (rev 40097)
+++ data/DSA/list   2016-03-01 14:20:52 UTC (rev 40098)
@@ -1,7 +1,7 @@
 [01 Mar 2016] DSA-3500-1 openssl - security update
{CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799}
[wheezy] - openssl 1.0.1e-2+deb7u20
-   [jessie] - openssl 1.0.1k-3+deb8u3
+   [jessie] - openssl 1.0.1k-3+deb8u4
 [28 Feb 2016] DSA-3499-1 pillow - security update
{CVE-2016-0740 CVE-2016-0775 CVE-2016-2533}
[jessie] - pillow 2.6.1-2+deb8u2




[Secure-testing-commits] r40096 - data/DSA

2016-03-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-03-01 14:13:43 +0000 (Tue, 01 Mar 2016)
New Revision: 40096

Modified:
   data/DSA/list
Log:
Reserve DSA for openssl

Modified: data/DSA/list
===
--- data/DSA/list   2016-03-01 14:07:06 UTC (rev 40095)
+++ data/DSA/list   2016-03-01 14:13:43 UTC (rev 40096)
@@ -1,3 +1,7 @@
+[01 Mar 2016] DSA-3500-1 openssl - security update
+   {CVE-2016-0702 CVE-2016-0705 CVE-2016-0797 CVE-2016-0798 CVE-2016-0799}
+   [wheezy] - openssl 1.0.1e-2+deb7u20
+   [jessie] - openssl 1.0.1k-3+deb8u3
 [28 Feb 2016] DSA-3499-1 pillow - security update
{CVE-2016-0740 CVE-2016-0775 CVE-2016-2533}
[jessie] - pillow 2.6.1-2+deb8u2




[Secure-testing-commits] r40097 - data/CVE

2016-03-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-03-01 14:13:51 +0000 (Tue, 01 Mar 2016)
New Revision: 40097

Modified:
   data/CVE/list
Log:
Update openssl issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-03-01 14:13:43 UTC (rev 40096)
+++ data/CVE/list   2016-03-01 14:13:51 UTC (rev 40097)
@@ -6178,7 +6178,7 @@
TODO: check
 CVE-2016-0801 (The Broadcom Wi-Fi driver in the kernel in Android 4.x before 
4.4.4, ...)
TODO: check
-CVE-2016-0800
+CVE-2016-0800 [Cross-protocol attack on TLS using SSLv2 (DROWN)]
RESERVED
- openssl 1.0.0c-2
NOTE: 1.0.0c-2 dropped SSLv2 support
@@ -6186,18 +6186,18 @@
NOTE: https://www.drownattack.com/
NOTE: GNUTLS never implemented SSLv2
NOTE: 
http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
-CVE-2016-0799
+CVE-2016-0799 [Memory issues in BIO_*printf functions]
RESERVED
- openssl 
NOTE: https://www.openssl.org/news/secadv/20160301.txt
NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=a801bf263849a2ef773e5bc0c86438cbba720835
NOTE: 
https://guidovranken.wordpress.com/2016/02/27/openssl-cve-2016-0799-heap-corruption-via-bio_printf/
-CVE-2016-0798
+CVE-2016-0798 [Memory leak in SRP database lookups]
RESERVED
- openssl 
NOTE: https://www.openssl.org/news/secadv/20160301.txt
NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=59a908f1e8380412a81392c468b83bf6071beb2a
-CVE-2016-0797
+CVE-2016-0797 [BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption]
RESERVED
- openssl 
NOTE: https://www.openssl.org/news/secadv/20160301.txt
@@ -6525,26 +6525,27 @@
- tomcat6 6.0.41-3
NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3
-CVE-2016-0705
+CVE-2016-0705 [Double-free in DSA code]
RESERVED
- openssl 
[squeeze] - openssl  (vulnerable code not present)
NOTE: Fixed in master in 
https://git.openssl.org/?p=openssl.git;a=commit;h=ab4a81f69ec88d06c9d8de15326b9296d7f498ed
NOTE: https://www.openssl.org/news/secadv/20160301.txt
-CVE-2016-0704
+CVE-2016-0704 [Bleichenbacher oracle in SSLv2]
RESERVED
- openssl 1.0.0c-2
NOTE: 1.0.0c-2 dropped SSLv2 support
NOTE: https://www.openssl.org/news/secadv/20160301.txt
-CVE-2016-0703
+CVE-2016-0703 [Divide-and-conquer session key recovery in SSLv2]
RESERVED
- openssl 1.0.0c-2
NOTE: 1.0.0c-2 dropped SSLv2 support
NOTE: https://www.openssl.org/news/secadv/20160301.txt
-CVE-2016-0702
+CVE-2016-0702 [Side channel attack on modular exponentiation]
RESERVED
- openssl 
NOTE: https://www.openssl.org/news/secadv/20160301.txt
+   NOTE: https://cachebleed.info
 CVE-2016-0701 (The DH_check_pub_key function in crypto/dh/dh_check.c in 
OpenSSL 1.0.2 ...)
- openssl 1.0.2f-2
[jessie] - openssl  (Only affects 1.0.2)




[Secure-testing-commits] r39230 - data/DSA

2016-01-27 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-01-27 12:00:07 +0000 (Wed, 27 Jan 2016)
New Revision: 39230

Modified:
   data/DSA/list
Log:
Reserve DSA for curl

Modified: data/DSA/list
===
--- data/DSA/list   2016-01-27 11:57:31 UTC (rev 39229)
+++ data/DSA/list   2016-01-27 12:00:07 UTC (rev 39230)
@@ -1,3 +1,6 @@
+[27 Jan 2016] DSA-3455-1 curl - security update
+   {CVE-2016-0755}
+   [jessie] - curl 7.38.0-4+deb8u3
 [27 Jan 2016] DSA-3454-1 virtualbox - security update
{CVE-2015-5307 CVE-2015-8104 CVE-2016-0495 CVE-2016-0592}
[jessie] - virtualbox 4.3.36-dfsg-1+deb8u1




[Secure-testing-commits] r39229 - data/CVE

2016-01-27 Thread Alessandro Ghedini
Author: ghedo
Date: 2016-01-27 11:57:31 +0000 (Wed, 27 Jan 2016)
New Revision: 39229

Modified:
   data/CVE/list
Log:
Add curl entries

Modified: data/CVE/list
===
--- data/CVE/list   2016-01-27 09:40:52 UTC (rev 39228)
+++ data/CVE/list   2016-01-27 11:57:31 UTC (rev 39229)
@@ -3810,10 +3810,17 @@
RESERVED
 CVE-2016-0756
RESERVED
-CVE-2016-0755
+CVE-2016-0755 [NTLM credentials not-checked for proxy connection re-use]
RESERVED
-CVE-2016-0754
+   - curl 7.47.0-1
+   [wheezy] - curl  (Too intrusive to backport)
+   NOTE: http://curl.haxx.se/docs/adv_20160127A.html
+CVE-2016-0754 [remote file name path traversal in curl tool for Windows]
RESERVED
+   - curl  (Windows only)
+   [jessie] - curl  (Windows only)
+   [wheezy] - curl  (Windows only)
+   NOTE: http://curl.haxx.se/docs/adv_20160127B.html
 CVE-2016-0753 [Possible Input Validation Circumvention in Active Model]
RESERVED
- rails 
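Review bot: `+   [wheezy] - curl  (Too intrusive to backport)` declines a wheezy fix for what the new description calls NTLM credentials not being checked on proxy connection re-use, i.e. a credential-reuse issue, while CVE-2016-0754 right below gets explicit lines for both releases and the DSA reserved in r39230 covers jessie only; a one-line pointer to where the wheezy decision was taken (bug or list thread) would help whoever revisits this entry later.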




[Secure-testing-commits] r37513 - in data: . DSA

2015-11-02 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-11-02 19:21:35 +0000 (Mon, 02 Nov 2015)
New Revision: 37513

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for libvdpau

Modified: data/DSA/list
===
--- data/DSA/list   2015-11-02 19:12:30 UTC (rev 37512)
+++ data/DSA/list   2015-11-02 19:21:35 UTC (rev 37513)
@@ -1,3 +1,5 @@
+[02 Nov 2015] DSA-3355-2 libvdpau - regression update
+   [jessie] - libvdpau 0.8-3+deb8u2
 [02 Nov 2015] DSA-3390-1 xen - security update
{CVE-2015-7835}
[wheezy] - xen 4.1.4-3+deb7u9

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-11-02 19:12:30 UTC (rev 37512)
+++ data/dsa-needed.txt 2015-11-02 19:21:35 UTC (rev 37513)
@@ -38,10 +38,6 @@
   https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
   Help is needed to fix it so that it doesn't FTBFS
 --
-libvdpau (ghedo)
-  Regression in jessie from DSA-3355-1 (see #803410)
-  Maintainer already prepared the update
---
 libxml2 (gcs)
 --
 linux




[Secure-testing-commits] r37508 - data

2015-11-02 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-11-02 15:06:27 +0000 (Mon, 02 Nov 2015)
New Revision: 37508

Modified:
   data/dsa-needed.txt
Log:
Add and take libvdpau to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-11-02 14:56:41 UTC (rev 37507)
+++ data/dsa-needed.txt 2015-11-02 15:06:27 UTC (rev 37508)
@@ -38,6 +38,10 @@
   https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
   Help is needed to fix it so that it doesn't FTBFS
 --
+libvdpau (ghedo)
+  Regression in jessie from DSA-3355-1 (see #803410)
+  Maintainer already prepared the update
+--
 libxml2 (gcs)
 --
 linux




[Secure-testing-commits] r37085 - data/CVE

2015-10-12 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-12 13:07:57 +0000 (Mon, 12 Oct 2015)
New Revision: 37085

Modified:
   data/CVE/list
Log:
Add unzip issues

Modified: data/CVE/list
===
--- data/CVE/list   2015-10-12 13:02:05 UTC (rev 37084)
+++ data/CVE/list   2015-10-12 13:07:57 UTC (rev 37085)
@@ -282,10 +282,12 @@
RESERVED
 CVE-2015-7698
RESERVED
-CVE-2015-7697
+CVE-2015-7697 [Infinite loop when extracting password-protected archive]
RESERVED
-CVE-2015-7696
+   - unzip 
+CVE-2015-7696 [Heap buffer overflow when extracting password-protected archive]
RESERVED
+   - unzip 
 CVE-2015-7695 [ZF2015-08: Potential SQL injection vector using null byte for 
PDO (MsSql, SQLite)]
RESERVED
- zendframework 1.12.16+dfsg-1




[Secure-testing-commits] r37084 - data/CVE

2015-10-12 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-12 13:02:05 +0000 (Mon, 12 Oct 2015)
New Revision: 37084

Modified:
   data/CVE/list
Log:
Add optipng issues

Modified: data/CVE/list
===
--- data/CVE/list   2015-10-12 12:50:24 UTC (rev 37083)
+++ data/CVE/list   2015-10-12 13:02:05 UTC (rev 37084)
@@ -6,10 +6,12 @@
RESERVED
 CVE-2015-7805
RESERVED
-CVE-2015-7802
+CVE-2015-7802 [Global buffer overflow]
RESERVED
-CVE-2015-7801
+   - optipng 
+CVE-2015-7801 [Use after free]
RESERVED
+   - optipng 0.7.5-1
 CVE-2015-7800
RESERVED
 CVE-2015-7799




[Secure-testing-commits] r37082 - in data: CVE DSA

2015-10-12 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-12 12:50:11 +0000 (Mon, 12 Oct 2015)
New Revision: 37082

Modified:
   data/CVE/list
   data/DSA/list
Log:
Remove workaround for zendframework issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-10-12 12:46:30 UTC (rev 37081)
+++ data/CVE/list   2015-10-12 12:50:11 UTC (rev 37082)
@@ -289,9 +289,6 @@
 CVE-2015-7695 [ZF2015-08: Potential SQL injection vector using null byte for 
PDO (MsSql, SQLite)]
RESERVED
- zendframework 1.12.16+dfsg-1
-   [jessie] - zendframework 1.12.9+dfsg-2+deb8u4
-   [wheezy] - zendframework 1.11.13-1.1+deb7u4
-   NOTE: workaround entry for DSA-3369-1 until/if CVE assigned
NOTE: http://framework.zend.com/security/advisory/ZF2015-08
NOTE: 
https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
 CVE-2015-7694

Modified: data/DSA/list
===
--- data/DSA/list   2015-10-12 12:46:30 UTC (rev 37081)
+++ data/DSA/list   2015-10-12 12:50:11 UTC (rev 37082)
@@ -7,7 +7,7 @@
[wheezy] - freetype 2.4.9-1.1+deb7u2
[jessie] - freetype 2.5.2-3+deb8u1
 [06 Oct 2015] DSA-3369-1 zendframework - security update
-   {CVE-2015-5723}
+   {CVE-2015-5723 CVE-2015-7695}
[wheezy] - zendframework 1.11.13-1.1+deb7u4
[jessie] - zendframework 1.12.9+dfsg-2+deb8u4
 [25 Sep 2015] DSA-3368-1 cyrus-sasl2 - security update




[Secure-testing-commits] r37083 - in data: CVE DSA

2015-10-12 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-12 12:50:24 +0000 (Mon, 12 Oct 2015)
New Revision: 37083

Modified:
   data/CVE/list
   data/DSA/list
Log:
Remove workaround for twig issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-10-12 12:50:11 UTC (rev 37082)
+++ data/CVE/list   2015-10-12 12:50:24 UTC (rev 37083)
@@ -82,11 +82,9 @@
TODO: check
 CVE-2015-7765 (ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a 
...)
TODO: check
-CVE-2015-7809 [arbitrary code execution via the _self variable]
+CVE-2015-7809 [sandbox issue]
RESERVED
- twig 1.20.0-1
-   [jessie] - twig 1.16.2-1+deb8u1
-   NOTE: Add jessie-tagged workaround item until CVE assigned
NOTE: http://symfony.com/blog/security-release-twig-1-20-0
 CVE-2015-7804 [Uninitialized pointer in phar_make_dirstream when zip entry 
filename is "/"]
RESERVED
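Review bot: the description on `+CVE-2015-7809 [sandbox issue]` is less informative than the `[arbitrary code execution via the _self variable]` it replaces; keep the specific wording (or append the generic one to it) so the entry still states the impact, especially as the same commit links the CVE to DSA-3343-1.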

Modified: data/DSA/list
===
--- data/DSA/list   2015-10-12 12:50:11 UTC (rev 37082)
+++ data/DSA/list   2015-10-12 12:50:24 UTC (rev 37083)
@@ -100,6 +100,7 @@
[wheezy] - php5 5.4.44-0+deb7u1
[jessie] - php5 5.6.12+dfsg-0+deb8u1
 [26 Aug 2015] DSA-3343-1 twig - security update
+   {CVE-2015-7809}
[jessie] - twig 1.16.2-1+deb8u1
 [20 Aug 2015] DSA-3342-1 vlc - security update
{CVE-2015-5949}


[Secure-testing-commits] r37029 - data/CVE

2015-10-06 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-06 21:44:22 + (Tue, 06 Oct 2015)
New Revision: 37029

Modified:
   data/CVE/list
Log:
Mark temporary zendframework issue as fixed

Modified: data/CVE/list
===
--- data/CVE/list   2015-10-06 21:44:13 UTC (rev 37028)
+++ data/CVE/list   2015-10-06 21:44:22 UTC (rev 37029)
@@ -272,6 +272,8 @@
NOTE: 
https://github.com/owncloud/core/commit/b05e178bbf884b120d1106e6a28f35aa50d6d06f
 CVE-2015- [ZF2015-08: Potential SQL injection vector using null byte for 
PDO (MsSql, SQLite)]
- zendframework 1.12.16+dfsg-1
+   [jessie] - zendframework 1.12.9+dfsg-2+deb8u4
+   [wheezy] - zendframework 1.11.13-1.1+deb7u4
NOTE: http://framework.zend.com/security/advisory/ZF2015-08
NOTE: 
https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/09/30/6
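
Review bot: the `[jessie]` and `[wheezy]` fixed versions are added to an entry that still has no CVE id, and the DSA-3369-1 record in data/DSA/list (see the r37025 hunk further down the page) cites only CVE-2015-5723, so the tracker cannot yet connect these two lines to the advisory; a NOTE stating that the entry stands in for DSA-3369-1 until a CVE is assigned (the r37082 removal at the top of the page shows such a note was indeed added later) belongs in this same change so the placeholder is not mistaken for a separately fixed issue.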


[Secure-testing-commits] r37028 - in data: . DSA

2015-10-06 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-06 21:44:13 + (Tue, 06 Oct 2015)
New Revision: 37028

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for freetype

Modified: data/DSA/list
===
--- data/DSA/list   2015-10-06 21:26:34 UTC (rev 37027)
+++ data/DSA/list   2015-10-06 21:44:13 UTC (rev 37028)
@@ -1,3 +1,7 @@
+[06 Oct 2015] DSA-3370-1 freetype - security update
+   {CVE-2014-9745 CVE-2014-9746 CVE-2014-9747}
+   [wheezy] - freetype 2.4.9-1.1+deb7u2
+   [jessie] - freetype 2.5.2-3+deb8u1
 [06 Oct 2015] DSA-3369-1 zendframework - security update
{CVE-2015-5723}
[wheezy] - zendframework 1.11.13-1.1+deb7u4

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-10-06 21:26:34 UTC (rev 37027)
+++ data/dsa-needed.txt 2015-10-06 21:44:13 UTC (rev 37028)
@@ -24,9 +24,6 @@
 --
 elasticsearch
 --
-freetype (ghedo)
-  santiago (Santiago Ruano Rincón) proposed an update
---
 glibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --


[Secure-testing-commits] r37026 - data/DSA

2015-10-06 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-06 21:20:32 + (Tue, 06 Oct 2015)
New Revision: 37026

Modified:
   data/DSA/list
Log:
Update date for zend DSA

Modified: data/DSA/list
===
--- data/DSA/list   2015-10-06 21:19:13 UTC (rev 37025)
+++ data/DSA/list   2015-10-06 21:20:32 UTC (rev 37026)
@@ -1,4 +1,4 @@
-[04 Oct 2015] DSA-3369-1 zendframework - security update
+[06 Oct 2015] DSA-3369-1 zendframework - security update
{CVE-2015-5723}
[wheezy] - zendframework 1.11.13-1.1+deb7u4
[jessie] - zendframework 1.12.9+dfsg-2+deb8u4


[Secure-testing-commits] r37025 - in data: . DSA

2015-10-06 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-06 21:19:13 + (Tue, 06 Oct 2015)
New Revision: 37025

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for zendframework

Modified: data/DSA/list
===
--- data/DSA/list   2015-10-06 21:10:25 UTC (rev 37024)
+++ data/DSA/list   2015-10-06 21:19:13 UTC (rev 37025)
@@ -1,3 +1,7 @@
+[04 Oct 2015] DSA-3369-1 zendframework - security update
+   {CVE-2015-5723}
+   [wheezy] - zendframework 1.11.13-1.1+deb7u4
+   [jessie] - zendframework 1.12.9+dfsg-2+deb8u4
 [25 Sep 2015] DSA-3368-1 cyrus-sasl2 - security update
{CVE-2013-4122}
[jessie] - cyrus-sasl2 2.1.26.dfsg1-13+deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-10-06 21:10:25 UTC (rev 37024)
+++ data/dsa-needed.txt 2015-10-06 21:19:13 UTC (rev 37025)
@@ -92,6 +92,3 @@
 --
 yubiserver
 --
-zendframework (ghedo)
-  Maintainer prepared packages for jessie and wheezy
---


[Secure-testing-commits] r36981 - data

2015-10-04 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-10-04 13:56:00 + (Sun, 04 Oct 2015)
New Revision: 36981

Modified:
   data/dsa-needed.txt
Log:
Take freetype

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-10-04 13:48:15 UTC (rev 36980)
+++ data/dsa-needed.txt 2015-10-04 13:56:00 UTC (rev 36981)
@@ -24,7 +24,7 @@
 --
 elasticsearch
 --
-freetype
+freetype (ghedo)
   santiago (Santiago Ruano Rincón) proposed an update
 --
 glibc (aurel32)


[Secure-testing-commits] r36913 - data

2015-09-30 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-30 11:03:20 + (Wed, 30 Sep 2015)
New Revision: 36913

Modified:
   data/dsa-needed.txt
Log:
Add and take zendframework

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-09-30 10:59:28 UTC (rev 36912)
+++ data/dsa-needed.txt 2015-09-30 11:03:20 UTC (rev 36913)
@@ -82,3 +82,6 @@
 --
 yubiserver
 --
+zendframework (ghedo)
+  Maintainer prepared packages for jessie and wheezy
+--


[Secure-testing-commits] r36912 - data/CVE

2015-09-30 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-30 10:59:28 + (Wed, 30 Sep 2015)
New Revision: 36912

Modified:
   data/CVE/list
Log:
Add new temporary issue for zendframework

Modified: data/CVE/list
===
--- data/CVE/list   2015-09-30 10:28:36 UTC (rev 36911)
+++ data/CVE/list   2015-09-30 10:59:28 UTC (rev 36912)
@@ -1,3 +1,7 @@
+CVE-2015- [ZF2014-06: SQL injection vector when manually quoting values 
for sqlsrv extension, using null byte]
+   - zendframework 1.12.16+dfsg-1
+   NOTE: http://framework.zend.com/security/advisory/ZF2014-06
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/09/30/6
 CVE-2015-7389
RESERVED
 CVE-2015-7388
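
Review bot: the advisory id in the new title and in the NOTE URL (`ZF2014-06`, `http://framework.zend.com/security/advisory/ZF2014-06`) should be double-checked before this goes in: the r37029 hunk earlier on this page shows the same placeholder entry later carrying `ZF2015-08` with a different title (`Potential SQL injection vector using null byte for PDO (MsSql, SQLite)`), which suggests the advisory first cited was not the one that applies to the zendframework 1.x package. The `- zendframework 1.12.16+dfsg-1` fixed version and the CVE-request NOTE are fine as they stand.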


[Secure-testing-commits] r36691 - in data: . DSA

2015-09-15 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-15 16:17:35 + (Tue, 15 Sep 2015)
New Revision: 36691

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for icu

Modified: data/DSA/list
===
--- data/DSA/list   2015-09-15 16:10:10 UTC (rev 36690)
+++ data/DSA/list   2015-09-15 16:17:35 UTC (rev 36691)
@@ -1,3 +1,6 @@
+[15 Sep 2015] DSA-3360-1 icu - security update
+   {CVE-2015-1270}
+   [jessie] - icu 52.1-8+deb8u3
 [13 Sep 2015] DSA-3359-1 virtualbox - security update
{CVE-2015-2594}
[wheezy] - virtualbox 4.1.40-dfsg-1+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-09-15 16:10:10 UTC (rev 36690)
+++ data/dsa-needed.txt 2015-09-15 16:17:35 UTC (rev 36691)
@@ -29,8 +29,6 @@
 glibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --
-icu (ghedo)
---
 icedtea-web
 --
 imagemagick/oldstable


[Secure-testing-commits] r36582 - in data: . DSA

2015-09-10 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-10 08:33:35 + (Thu, 10 Sep 2015)
New Revision: 36582

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for libvdpau

Modified: data/DSA/list
===
--- data/DSA/list   2015-09-10 07:23:14 UTC (rev 36581)
+++ data/DSA/list   2015-09-10 08:33:35 UTC (rev 36582)
@@ -1,3 +1,7 @@
+[10 Sep 2015] DSA-3355-1 libvdpau - security update
+   {CVE-2015-5198 CVE-2015-5199 CVE-2015-5200}
+   [wheezy] - libvdpau 0.4.1-7+deb7u1
+   [jessie] - libvdpau 0.8-3+deb8u1
 [08 Sep 2015] DSA-3354-1 spice - security update
{CVE-2015-3247}
[jessie] - spice 0.12.5-1+deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-09-10 07:23:14 UTC (rev 36581)
+++ data/dsa-needed.txt 2015-09-10 08:33:35 UTC (rev 36582)
@@ -42,9 +42,6 @@
   https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
   Help is needed to fix it so that it doesn't FTBFS
 --
-libvdpau (ghedo)
-  Maintainer will prepare updated packages for jessie and wheezy
---
 libxml2
 --
 linux


[Secure-testing-commits] r36490 - in data: . DSA

2015-09-05 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-05 14:32:30 + (Sat, 05 Sep 2015)
New Revision: 36490

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for openslp-dfsg

Modified: data/DSA/list
===
--- data/DSA/list   2015-09-05 05:34:06 UTC (rev 36489)
+++ data/DSA/list   2015-09-05 14:32:30 UTC (rev 36490)
@@ -1,3 +1,7 @@
+[05 Sep 2015] DSA-3353-1 openslp-dfsg - security update
+   {CVE-2015-5177}
+   [wheezy] - openslp-dfsg 1.2.1-9+deb7u1
+   [jessie] - openslp-dfsg 1.2.1-10+deb8u1
 [04 Sep 2015] DSA-3352-1 screen - security update
{CVE-2015-6806}
[wheezy] - screen 4.1.0~20120320gitdb59704-7+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-09-05 05:34:06 UTC (rev 36489)
+++ data/dsa-needed.txt 2015-09-05 14:32:30 UTC (rev 36490)
@@ -52,8 +52,6 @@
 --
 mediawiki
 --
-openslp-dfsg (ghedo)
---
 openswan (corsac)
   NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466
   (#744717)


[Secure-testing-commits] r36475 - data

2015-09-04 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-04 09:30:07 + (Fri, 04 Sep 2015)
New Revision: 36475

Modified:
   data/dsa-needed.txt
Log:
Take openslp-dfsg

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-09-04 09:10:12 UTC (rev 36474)
+++ data/dsa-needed.txt 2015-09-04 09:30:07 UTC (rev 36475)
@@ -52,7 +52,7 @@
 --
 mediawiki
 --
-openslp-dfsg
+openslp-dfsg (ghedo)
 --
 openswan (corsac)
   NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466


[Secure-testing-commits] r36476 - data/CVE

2015-09-04 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-04 09:30:17 + (Fri, 04 Sep 2015)
New Revision: 36476

Modified:
   data/CVE/list
Log:
Set fixed version for CVE-2015-5177/openslp-dfsg

Modified: data/CVE/list
===
--- data/CVE/list   2015-09-04 09:30:07 UTC (rev 36475)
+++ data/CVE/list   2015-09-04 09:30:17 UTC (rev 36476)
@@ -4034,7 +4034,7 @@
 CVE-2015-5177 [double free in SLPDProcessMessage()]
RESERVED
{DLA-304-1}
-   - openslp-dfsg  (bug #795429)
+   - openslp-dfsg 1.2.1-11 (bug #795429)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5177
 CVE-2015-5176 (The PortletRequestDispatcher in PortletBridge, as used in Red 
Hat ...)
NOT-FOR-US: PortletBridge component in JBoss Portal


[Secure-testing-commits] r36473 - data

2015-09-04 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-04 09:09:01 + (Fri, 04 Sep 2015)
New Revision: 36473

Modified:
   data/dsa-needed.txt
Log:
Take libvdpau

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-09-04 08:38:29 UTC (rev 36472)
+++ data/dsa-needed.txt 2015-09-04 09:09:01 UTC (rev 36473)
@@ -42,7 +42,8 @@
   https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
   Help is needed to fix it so that it doesn't FTBFS
 --
-libvdpau
+libvdpau (ghedo)
+  Maintainer will prepare updated packages for jessie and wheezy
 --
 libxml2
 --


[Secure-testing-commits] r36454 - data/CVE

2015-09-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-03 13:31:41 + (Thu, 03 Sep 2015)
New Revision: 36454

Modified:
   data/CVE/list
Log:
dnsval issue is fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2015-09-03 13:11:32 UTC (rev 36453)
+++ data/CVE/list   2015-09-03 13:31:41 UTC (rev 36454)
@@ -1,6 +1,6 @@
 CVE-2015- [val_dane_check: usage DANE-TA(2) may bypass cert validation 
entirely]
[experimental] - dnsval 2.1-1
-   - dnsval  (bug #797470)
+   - dnsval 2.0-2 (bug #797470)
 CVE-2015- [Memory corruption]
- libvncserver 0.9.8-1
NOTE: 
https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6


[Secure-testing-commits] r36453 - data/CVE

2015-09-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-03 13:11:32 + (Thu, 03 Sep 2015)
New Revision: 36453

Modified:
   data/CVE/list
Log:
Add temporary dnsval issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-09-03 13:07:11 UTC (rev 36452)
+++ data/CVE/list   2015-09-03 13:11:32 UTC (rev 36453)
@@ -1,3 +1,6 @@
+CVE-2015- [val_dane_check: usage DANE-TA(2) may bypass cert validation 
entirely]
+   [experimental] - dnsval 2.1-1
+   - dnsval  (bug #797470)
 CVE-2015- [Memory corruption]
- libvncserver 0.9.8-1
NOTE: 
https://github.com/LibVNC/libvncserver/commit/804335f9d296440bb708ca844f5d89b58b50b0c6


[Secure-testing-commits] r36452 - data/CVE

2015-09-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-03 13:07:11 + (Thu, 03 Sep 2015)
New Revision: 36452

Modified:
   data/CVE/list
Log:
Mark CVE-2015-5723 as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2015-09-03 12:55:50 UTC (rev 36451)
+++ data/CVE/list   2015-09-03 13:07:11 UTC (rev 36452)
@@ -168,14 +168,19 @@
RESERVED
 CVE-2015-5723 [Security Misconfiguration Vulnerability in various Doctrine 
projects]
RESERVED
-   - php-doctrine-annotations 1.2.7-1
-   - php-doctrine-cache 1.4.2-1
-   - php-doctrine-common 2.4.3-1
-   - doctrine 2.4.8-1
-   - aws-sdk-for-php 
+   - php-doctrine-annotations 1.2.7-1 (low)
+   [jessie] - php-doctrine-annotations  (Minor issue)
+   - php-doctrine-cache 1.4.2-1 (low)
+   [jessie] - php-doctrine-cache  (Minor issue)
[experimental] - php-doctrine-common 2.5.1-1
+   - php-doctrine-common 2.4.3-1 (low)
+   [jessie] - php-doctrine-common  (Minor issue)
[experimental] - doctrine 2.5.1+dfsg-1
+   - doctrine 2.4.8-1 (low)
+   [jessie] - doctrine  (Minor issue)
+   [wheezy] - doctrine  (Minor issue)
[experimental] - aws-sdk-for-php 3.2.1-1
+   - aws-sdk-for-php  (Vulnerable code not present)
NOTE: 
http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vulnerability_in_various_doctrine_projects.html
NOTE: https://github.com/aws/aws-sdk-php/releases/tag/3.2.1
 CVE-2015-6722
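
Review bot: the new `- aws-sdk-for-php  (Vulnerable code not present)` line says the unstable package never carried the affected code, yet the entry keeps `[experimental] - aws-sdk-for-php 3.2.1-1` as a fixed version and the NOTE points at the 3.2.1 release tag, which reads as though the package was affected and fixed there; if the 3.x series in experimental was affected while the older unstable version was not, a one-line NOTE saying so would stop the two lines looking contradictory. The `(low)` severity on the four unstable lines and `(Minor issue)` on the jessie and wheezy lines are consistent with the no-dsa intent in the commit message.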


[Secure-testing-commits] r36451 - data/CVE

2015-09-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-03 12:55:50 + (Thu, 03 Sep 2015)
New Revision: 36451

Modified:
   data/CVE/list
Log:
Add bug reference for libvdpau issues

Modified: data/CVE/list
===
--- data/CVE/list   2015-09-03 12:43:21 UTC (rev 36450)
+++ data/CVE/list   2015-09-03 12:55:50 UTC (rev 36451)
@@ -3930,17 +3930,17 @@
RESERVED
 CVE-2015-5200 [vulnerability in trace functionality]
RESERVED
-   - libvdpau 
+   - libvdpau  (bug #797895)
NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html
NOTE: 
http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
 CVE-2015-5199 [directory traversal in dlopen]
RESERVED
-   - libvdpau 
+   - libvdpau  (bug #797895)
NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html
NOTE: 
http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
 CVE-2015-5198 [incorrect check for security transition]
RESERVED
-   - libvdpau 
+   - libvdpau  (bug #797895)
NOTE: http://lists.x.org/archives/xorg-announce/2015-August/002630.html
NOTE: 
http://cgit.freedesktop.org/~aplattner/libvdpau/commit/?id=d1f9c16b1a8187110e501c9116d21ffee25c0ba4
 CVE-2015-5197


[Secure-testing-commits] r36450 - in data: . CVE

2015-09-03 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-09-03 12:43:21 + (Thu, 03 Sep 2015)
New Revision: 36450

Modified:
   data/CVE/list
   data/dsa-needed.txt
Log:
Mark CVE-2015-3206/pykerberos as no-dsa

Modified: data/CVE/list
===
--- data/CVE/list   2015-09-03 09:10:11 UTC (rev 36449)
+++ data/CVE/list   2015-09-03 12:43:21 UTC (rev 36450)
@@ -9387,6 +9387,8 @@
RESERVED
{DLA-265-2 DLA-265-1}
- pykerberos 1.1.5-1 (bug #796195)
+   [jessie] - pykerberos  (Too intrusive, may be fixed through a 
stable proposed-update)
+   [wheezy] - pykerberos  (Too intrusive, may be fixed through a 
stable proposed-update)
NOTE: CVE originally assigned for python-kerberos, pykerberos is a fork 
of the
NOTE: former.
NOTE: KDC verification support in pykerberos added in 
https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-09-03 09:10:11 UTC (rev 36449)
+++ data/dsa-needed.txt 2015-09-03 12:43:21 UTC (rev 36450)
@@ -61,8 +61,6 @@
 --
 phpmyadmin (thijs)
 --
-pykerberos
---
 screen
 --
 smarty3


[Secure-testing-commits] r36388 - in data: . DSA

2015-08-31 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-31 10:31:08 + (Mon, 31 Aug 2015)
New Revision: 36388

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for drupal7

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-30 20:39:43 UTC (rev 36387)
+++ data/DSA/list   2015-08-31 10:31:08 UTC (rev 36388)
@@ -1,3 +1,7 @@
+[31 Aug 2015] DSA-3346-1 drupal7 - security update
+   {CVE-2015-6658 CVE-2015-6659 CVE-2015-6660 CVE-2015-6661 CVE-2015-6665}
+   [wheezy] - drupal7 7.14-2+deb7u11
+   [jessie] - drupal7 7.32-1+deb8u5
 [29 Aug 2015] DSA-3345-1 iceweasel - security update
{CVE-2015-4497 CVE-2015-4498}
[wheezy] - iceweasel 38.2.1esr-1~deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-30 20:39:43 UTC (rev 36387)
+++ data/dsa-needed.txt 2015-08-31 10:31:08 UTC (rev 36388)
@@ -19,9 +19,6 @@
 aptdaemon
   For jessie-security compat layer for PackageKit needs to be dropped
 --
-drupal7 (ghedo)
-  Maintainer prepared packages for wheezy and jessie
---
 eglibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --


[Secure-testing-commits] r36246 - data/CVE

2015-08-21 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-21 12:42:15 + (Fri, 21 Aug 2015)
New Revision: 36246

Modified:
   data/CVE/list
Log:
Add CVE request link for twig issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-21 12:36:22 UTC (rev 36245)
+++ data/CVE/list   2015-08-21 12:42:15 UTC (rev 36246)
@@ -31,6 +31,7 @@
 CVE-2015- [arbitrary code execution via the _self variable]
- twig 1.20.0-1
NOTE: http://symfony.com/blog/security-release-twig-1-20-0
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/08/21/3
 CVE-2015- [use-after-free vulnerability in Decoder.cpp]
- libpgf 
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/08/19/14


[Secure-testing-commits] r36244 - data

2015-08-21 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-21 12:24:04 + (Fri, 21 Aug 2015)
New Revision: 36244

Modified:
   data/dsa-needed.txt
Log:
Take drupal7

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-21 09:10:16 UTC (rev 36243)
+++ data/dsa-needed.txt 2015-08-21 12:24:04 UTC (rev 36244)
@@ -19,7 +19,8 @@
 aptdaemon
   For jessie-security compat layer for PackageKit needs to be dropped
 --
-drupal7
+drupal7 (ghedo)
+  Maintainer prepared packages for wheezy and jessie
 --
 eglibc (aurel32)
   some of the other no-dsa bugs could be fixed along


[Secure-testing-commits] r36225 - data/CVE

2015-08-20 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-20 19:32:09 + (Thu, 20 Aug 2015)
New Revision: 36225

Modified:
   data/CVE/list
Log:
Update links to OpenSSL advisories

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-20 19:29:21 UTC (rev 36224)
+++ data/CVE/list   2015-08-20 19:32:09 UTC (rev 36225)
@@ -12904,11 +12904,11 @@
[jessie] - openssl  (Vulnerable code not present)
[wheezy] - openssl  (Vulnerable code not present)
[squeeze] - openssl  (Vulnerable code not present)
-   NOTE: http://openssl.org/news/secadv_20150709.txt
+   NOTE: http://openssl.org/news/secadv/20150709.txt
 CVE-2015-1792 (The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL 
before ...)
{DSA-3287-1 DLA-247-1}
- openssl 1.0.2b-1
-   NOTE: http://openssl.org/news/secadv_20150611.txt
+   NOTE: http://openssl.org/news/secadv/20150611.txt
 CVE-2015-1791 (Race condition in the ssl3_get_new_session_ticket function in 
...)
{DSA-3287-1 DLA-247-1}
- openssl 1.0.2b-1
@@ -12918,16 +12918,16 @@
 CVE-2015-1790 (The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in 
OpenSSL ...)
{DSA-3287-1 DLA-247-1}
- openssl 1.0.2b-1
-   NOTE: http://openssl.org/news/secadv_20150611.txt
+   NOTE: http://openssl.org/news/secadv/20150611.txt
 CVE-2015-1789 (The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL 
before ...)
{DSA-3287-1 DLA-247-1}
- openssl 1.0.2b-1
-   NOTE: http://openssl.org/news/secadv_20150611.txt
+   NOTE: http://openssl.org/news/secadv/20150611.txt
 CVE-2015-1788 (The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL 
before ...)
{DSA-3287-1}
- openssl 1.0.2b-1
[squeeze] - openssl  (Vulnerable code got introduced post 
1.0.0)
-   NOTE: http://openssl.org/news/secadv_20150611.txt
+   NOTE: http://openssl.org/news/secadv/20150611.txt
 CVE-2015-1787 (The ssl3_get_client_key_exchange function in s3_srvr.c in 
OpenSSL ...)
- openssl  (Vulnerable version never in unstable)
NOTE: did affect 1.0.2 (only in experimental) and 1.0.2a was uploaded 
to unstable
@@ -22562,7 +22562,7 @@
 CVE-2014-8176 (The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL 
before ...)
{DSA-3287-1 DLA-247-1}
- openssl 1.0.1h-1
-   NOTE: http://openssl.org/news/secadv_20150611.txt
+   NOTE: http://openssl.org/news/secadv/20150611.txt
 CVE-2014-8175 (Red Hat JBoss Fuse before 6.2.0 allows remote authenticated 
users to ...)
NOT-FOR-US: JBoss Fuse
 CVE-2014-8174
@@ -44093,7 +44093,7 @@
- openssl 1.0.1g-1 (bug #743883)
[squeeze] - openssl  (vulnerable code introduced in 
upstream commit 4817504)
NOTE: fix: 
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db902
-   NOTE: http://www.openssl.org/news/secadv_20140407.txt
+   NOTE: http://www.openssl.org/news/secadv/20140407.txt
NOTE: system reboot is recommended after the upgrade
 CVE-2014-0159 (Buffer overflow in the GetStatistics64 remote procedure call 
(RPC) in ...)
{DSA-2899-1}
@@ -74677,7 +74677,7 @@
{DSA-2475-1}
- openssl 1.0.1c-1 (bug #672452)
NOTE: http://seclists.org/oss-sec/2012/q2/299
-   NOTE: http://www.openssl.org/news/secadv_20120510.txt
+   NOTE: http://www.openssl.org/news/secadv/20120510.txt
 CVE-2012-2332 (SQL injection vulnerability in 
serendipity/serendipity_admin.php in ...)
- serendipity  (bug #671937; low)
[squeeze] - serendipity  (Minor issue)
@@ -75270,7 +75270,7 @@
 CVE-2012-2110 (The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in 
OpenSSL ...)
{DSA-2454-1}
- openssl 1.0.1a-1
-   NOTE: http://www.openssl.org/news/secadv_20120419.txt
+   NOTE: http://www.openssl.org/news/secadv/20120419.txt
 CVE-2012-2109 (SQL injection vulnerability in wp-load.php in the BuddyPress 
plugin ...)
NOT-FOR-US: wordpress buddypress plugin
 CVE-2012-2108 (Stack-based buffer overflow in the main function in 
util/lpci_main.c ...)
@@ -81422,7 +81422,7 @@
 CVE-2012-0050 (OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS 
applications, ...)
{DSA-2392-1}
- openssl 1.0.0g-1
-   NOTE: http://www.openssl.org/news/secadv_20120118.txt
+   NOTE: http://www.openssl.org/news/secadv/20120118.txt
 CVE-2012-0049
RESERVED
{DSA-2524-1}
@@ -96725,7 +96725,7 @@
- openoffice.org 1:3.2.1-11+squeeze2
 CVE-2010-4252 (OpenSSL before 1.0.0c, when J-PAKE is enabled, does not 
properly ...)
- openssl  (configured with -DOPENSSL_NO_JPAKE; bug 
#606902)
-   NOTE: http://www.openssl.org/news/secadv_20101202.txt
+   NOTE: http://www.openssl.org/news/secadv/20101202.txt
 CVE-2010-4251 (The socket implementation in net/core/sock.c in the Linux 
kernel ...)
- linux-2.6 2.6.32-22
 CVE-2010-4250 (Memory leak in the inotify_init1 function 

[Secure-testing-commits] r36219 - data

2015-08-20 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-20 15:24:03 + (Thu, 20 Aug 2015)
New Revision: 36219

Modified:
   data/dsa-needed.txt
Log:
Add vlc to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-20 14:05:06 UTC (rev 36218)
+++ data/dsa-needed.txt 2015-08-20 15:24:03 UTC (rev 36219)
@@ -85,6 +85,8 @@
 virtualbox
   Oracle hasn't released info on isolated patch yet
 --
+vlc/stable
+--
 wordpress/oldstable
   Maintainer prepared wheezy-security upload
 --


[Secure-testing-commits] r36220 - in data: . DSA

2015-08-20 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-20 15:24:06 + (Thu, 20 Aug 2015)
New Revision: 36220

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for vlc

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-20 15:24:03 UTC (rev 36219)
+++ data/DSA/list   2015-08-20 15:24:06 UTC (rev 36220)
@@ -1,3 +1,6 @@
+[20 Aug 2015] DSA-3342-1 vlc - security update
+   {CVE-2015-5949}
+   [jessie] - vlc 2.2.0~rc2-2+deb8u1
 [20 Aug 2015] DSA-3341-1 conntrack - security update
{CVE-2015-6496}
[wheezy] - conntrack 1:1.2.1-1+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-20 15:24:03 UTC (rev 36219)
+++ data/dsa-needed.txt 2015-08-20 15:24:06 UTC (rev 36220)
@@ -85,8 +85,6 @@
 virtualbox
   Oracle hasn't released info on isolated patch yet
 --
-vlc/stable
---
 wordpress/oldstable
   Maintainer prepared wheezy-security upload
 --


[Secure-testing-commits] r36218 - data/CVE

2015-08-20 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-20 14:05:06 + (Thu, 20 Aug 2015)
New Revision: 36218

Modified:
   data/CVE/list
Log:
Add twig temporary issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-20 14:03:18 UTC (rev 36217)
+++ data/CVE/list   2015-08-20 14:05:06 UTC (rev 36218)
@@ -1,3 +1,6 @@
+CVE-2015- [arbitrary code execution via the _self variable]
+   - twig 1.20.0-1
+   NOTE: http://symfony.com/blog/security-release-twig-1-20-0
 CVE-2015- [use-after-free vulnerability in Decoder.cpp]
- libpgf 
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/08/19/14


[Secure-testing-commits] r36203 - in data: . DSA

2015-08-19 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-19 21:38:49 + (Wed, 19 Aug 2015)
New Revision: 36203

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for zendframework

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-19 21:32:58 UTC (rev 36202)
+++ data/DSA/list   2015-08-19 21:38:49 UTC (rev 36203)
@@ -1,3 +1,7 @@
+[19 Aug 2015] DSA-3340-1 zendframework - security update
+   {CVE-2015-5161}
+   [wheezy] - zendframework 1.11.13-1.1+deb7u3
+   [jessie] - zendframework 1.12.9+dfsg-2+deb8u3
 [19 Aug 2015] DSA-3339-1 openjdk-6 - security update
{CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621 CVE-2015-2625 
CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 
CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760}
[wheezy] - openjdk-6 6b36-1.13.8-1~deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-19 21:32:58 UTC (rev 36202)
+++ data/dsa-needed.txt 2015-08-19 21:38:49 UTC (rev 36203)
@@ -95,7 +95,3 @@
 --
 yubiserver
 --
-zendframework/oldstable
-  Maintainer prepared fix for wheezy-security
-  Might need fix for jessie as well
---


[Secure-testing-commits] r36147 - in data: . DSA

2015-08-18 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-18 18:22:42 + (Tue, 18 Aug 2015)
New Revision: 36147

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for python-django

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-18 18:12:35 UTC (rev 36146)
+++ data/DSA/list   2015-08-18 18:22:42 UTC (rev 36147)
@@ -1,3 +1,7 @@
+[18 Aug 2015] DSA-3338-1 python-django - security update
+   {CVE-2015-5963 CVE-2015-5964}
+   [wheezy] - python-django 1.4.5-1+deb7u13
+   [jessie] - python-django 1.7.7-1+deb8u2
 [18 Aug 2015] DSA-3337-1 gdk-pixbuf - security update
{CVE-2015-4491}
[wheezy] - gdk-pixbuf 2.26.1-1+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-18 18:12:35 UTC (rev 36146)
+++ data/dsa-needed.txt 2015-08-18 18:22:42 UTC (rev 36147)
@@ -66,9 +66,6 @@
 --
 pykerberos
 --
-python-django (ghedo)
-  Maintainer prepared packages for {wheezy,jessie}-security
---
 qemu/stable
 --
 smarty3


[Secure-testing-commits] r36145 - data

2015-08-18 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-18 17:51:18 + (Tue, 18 Aug 2015)
New Revision: 36145

Modified:
   data/dsa-needed.txt
Log:
Add python-django to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-18 17:51:16 UTC (rev 36144)
+++ data/dsa-needed.txt 2015-08-18 17:51:18 UTC (rev 36145)
@@ -66,6 +66,9 @@
 --
 pykerberos
 --
+python-django (ghedo)
+  Maintainer prepared packages for {wheezy,jessie}-security
+--
 qemu/stable
 --
 smarty3




[Secure-testing-commits] r36144 - data/CVE

2015-08-18 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-18 17:51:16 + (Tue, 18 Aug 2015)
New Revision: 36144

Modified:
   data/CVE/list
Log:
Add python-django issues

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-18 16:48:40 UTC (rev 36143)
+++ data/CVE/list   2015-08-18 17:51:16 UTC (rev 36144)
@@ -649,10 +649,14 @@
[wheezy] - mediawiki  (Minor issues)
[squeeze] - mediawiki  (Not supported in Squeeze LTS)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/08/12/6
-CVE-2015-5964
+CVE-2015-5964 [more to CVE-2015-5963]
RESERVED
-CVE-2015-5963
+   - python-django 
+   NOTE: 
https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
+CVE-2015-5963 [Denial-of-service possibility in logout() view by filling 
session store]
RESERVED
+   - python-django 
+   NOTE: 
https://www.djangoproject.com/weblog/2015/aug/18/security-releases/
 CVE-2015-5962 (Integer signedness error in the ...)
NOT-FOR-US: Mozilla Firefox OS
 CVE-2015-5961 (The COPPA error page in the Accounts setup dialog in Mozilla 
Firefox ...)
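Review bot: the description for CVE-2015-5964 is only "[more to CVE-2015-5963]", which does not say what separates the two ids; since the same Django release post is cited for both, the NOTE should state which branch or variant each CVE covers so the two entries can still be told apart once the DSA references them.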




[Secure-testing-commits] r36133 - data

2015-08-18 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-18 08:55:43 + (Tue, 18 Aug 2015)
New Revision: 36133

Modified:
   data/dsa-needed.txt
Log:
Update note about libidn debdiffs

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-18 08:54:12 UTC (rev 36132)
+++ data/dsa-needed.txt 2015-08-18 08:55:43 UTC (rev 36133)
@@ -43,7 +43,6 @@
   Work-in-progress debdiff for jessie-security at
   https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
   Help is needed to fix it so that it doesn't FTBFS
-  Both needs update for CVE-2015-2059 follow-up
 --
 libxml2
 --
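Review bot: the log says the libidn note is updated, but the hunk only removes "Both needs update for CVE-2015-2059 follow-up" without saying whether the two debdiffs linked above now include the follow-up fix; a replacement line stating that (or pointing at the refreshed diffs) keeps the entry self-explanatory for whoever picks it up.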




[Secure-testing-commits] r36089 - data

2015-08-15 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-15 20:51:42 + (Sat, 15 Aug 2015)
New Revision: 36089

Modified:
   data/dsa-needed.txt
Log:
Re-add wordpress to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-15 14:07:34 UTC (rev 36088)
+++ data/dsa-needed.txt 2015-08-15 20:51:42 UTC (rev 36089)
@@ -90,6 +90,9 @@
 virtualbox
   Oracle hasn't released info on isolated patch yet
 --
+wordpress/oldstable
+  Maintainer prepared wheezy-security upload
+--
 wpa
 --
 yubiserver
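Review bot: the re-added wordpress/oldstable entry says a maintainer upload exists but not which issues it addresses; other entries in this file (for example imagemagick/oldstable with its no-dsa bug list) name the pending CVEs or bugs, and doing the same here lets the reviewer of the upload check coverage.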




[Secure-testing-commits] r36090 - data

2015-08-15 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-15 20:51:45 + (Sat, 15 Aug 2015)
New Revision: 36090

Modified:
   data/dsa-needed.txt
Log:
Add zendframework to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-15 20:51:42 UTC (rev 36089)
+++ data/dsa-needed.txt 2015-08-15 20:51:45 UTC (rev 36090)
@@ -64,6 +64,8 @@
 --
 php5
  new upstream 5.5.44 and 5.6.12 is available
+ might also want to look into backporting to wheezy fix for
+ https://bugs.php.net/bug.php?id=64938
 --
 phpmyadmin (thijs)
 --
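Review bot: the php5 note about backporting the fix for https://bugs.php.net/bug.php?id=64938 to wheezy is unrelated to the zendframework addition named in the log; it should be a separate commit, or at least be mentioned in the log, so the history of the php5 entry stays searchable.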
@@ -97,3 +99,7 @@
 --
 yubiserver
 --
+zendframework/oldstable
+  Maintainer prepared fix for wheezy-security
+  Might need fix for jessie as well
+--




[Secure-testing-commits] r35963 - data

2015-08-10 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-10 17:24:00 + (Mon, 10 Aug 2015)
New Revision: 35963

Modified:
   data/dsa-needed.txt
Log:
Re-add icu to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-10 16:50:21 UTC (rev 35962)
+++ data/dsa-needed.txt 2015-08-10 17:24:00 UTC (rev 35963)
@@ -27,6 +27,8 @@
 glibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --
+icu (ghedo)
+--
 imagemagick/oldstable
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along




[Secure-testing-commits] r35960 - data/CVE

2015-08-10 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-10 16:39:30 + (Mon, 10 Aug 2015)
New Revision: 35960

Modified:
   data/CVE/list
Log:
imagemagick temporary issues fixed in experimental

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-10 15:34:29 UTC (rev 35959)
+++ data/CVE/list   2015-08-10 16:39:30 UTC (rev 35960)
@@ -1,6 +1,7 @@
NOTE: https://nodesecurity.io/advisories/serve-static-xss
NOTE: https://github.com/expressjs/serve-index/issues/28
 CVE-2015- [denial of service flaw in VICAR file processing]
+   [experimental] - imagemagick 8:6.9.1.2-1
- imagemagick  (low)
[jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Minor issue)
@@ -10008,6 +10009,7 @@
NOTE: 
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26933
NOTE: http://trac.imagemagick.org/changeset/17856
 CVE-2015- [denial of service flaw in PDB file processing]
+   [experimental] - imagemagick 8:6.9.1.2-1
- imagemagick  (low)
[jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Minor issue)
@@ -10016,6 +10018,7 @@
NOTE: 
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26932
NOTE: http://trac.imagemagick.org/changeset/17855
 CVE-2015- [denial of service flaw in MIFF file processing]
+   [experimental] - imagemagick 8:6.9.1.2-1
- imagemagick 
[jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Minor issue)
@@ -10024,6 +10027,7 @@
NOTE: 
http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=26931
NOTE: http://trac.imagemagick.org/changeset/17854
 CVE-2015- [denial of service flaw in HDR file processing]
+   [experimental] - imagemagick 8:6.9.1.2-1
- imagemagick 
[jessie] - imagemagick  (Minor issue)
[wheezy] - imagemagick  (Minor issue)
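Review bot: the MIFF and HDR entries (the last two hunks) carry a bare "- imagemagick" line while the VICAR and PDB entries have "- imagemagick (low)"; if the four temporary issues are meant to share a severity, the missing "(low)" should be added in the same commit, otherwise the difference deserves a NOTE.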




[Secure-testing-commits] r35962 - data/CVE

2015-08-10 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-10 16:50:21 + (Mon, 10 Aug 2015)
New Revision: 35962

Modified:
   data/CVE/list
Log:
Add publicfile-installer issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-10 16:49:15 UTC (rev 35961)
+++ data/CVE/list   2015-08-10 16:50:21 UTC (rev 35962)
@@ -1,3 +1,5 @@
+CVE-2015- [publicfile-installer: insecure use of /tmp]
+   - publicfile-installer  (bug #795062)
 CVE-2015- [net/http: broken trailers don't close a server connection]
- golang 
NOTE: https://github.com/golang/go/issues/12027
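Review bot: the new publicfile-installer entry gives only the bug number; the neighbouring temporary entries carry a NOTE with the upstream report or a "CVE Request:" link, and adding the same here records whether a CVE has been requested for the insecure /tmp use.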




[Secure-testing-commits] r35937 - data/DSA

2015-08-08 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-08 10:09:29 + (Sat, 08 Aug 2015)
New Revision: 35937

Modified:
   data/DSA/list
Log:
Reserve DSA for opensaml2

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-08 09:10:17 UTC (rev 35936)
+++ data/DSA/list   2015-08-08 10:09:29 UTC (rev 35937)
@@ -1,3 +1,6 @@
+[08 Aug 2015] DSA-3321-2 opensaml2 - security update
+   [wheezy] - opensaml2 2.4.3-4+deb7u1
+   [jessie] - opensaml2 2.5.3-2+deb8u1
 [07 Aug 2015] DSA-3330-1 activemq - security update
{CVE-2014-3576}
[wheezy] - activemq 5.6.0+dfsg-1+deb7u1
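Review bot: the DSA-3321-2 entry has no {CVE-...} line. Elsewhere on this page DSA-3321-1 covers xmltooling for CVE-2015-0851 and the CVE/list NOTE says "opensaml2 will need binNMUs", so if this is the rebuild for that issue the entry should carry {CVE-2015-0851}, or a note that it is a follow-up update, so the tracker links the two advisories.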




[Secure-testing-commits] r35853 - data/CVE

2015-08-02 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-02 18:16:55 + (Sun, 02 Aug 2015)
New Revision: 35853

Modified:
   data/CVE/list
Log:
Add another link to temporary libidn issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-02 18:10:05 UTC (rev 35852)
+++ data/CVE/list   2015-08-02 18:16:55 UTC (rev 35853)
@@ -1,6 +1,7 @@
 CVE-2015- [more to CVE-2015-2059]
- libidn 1.32-1
NOTE: Introduced by fix for CVE-2015-2059
+   NOTE: 
https://lists.gnu.org/archive/html/help-libidn/2015-07/msg00026.html
NOTE: Patch: 
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf
NOTE: Testcase: 
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=c261018477f971d274dee305d27f8bff4afd4238
 CVE-2015- [Sidekiq::Web lacks CSRF protection]




[Secure-testing-commits] r35852 - data/CVE

2015-08-02 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-02 18:10:05 + (Sun, 02 Aug 2015)
New Revision: 35852

Modified:
   data/CVE/list
Log:
Mark icu as affected by CVE-2015-1270

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-02 17:58:30 UTC (rev 35851)
+++ data/CVE/list   2015-08-02 18:10:05 UTC (rev 35852)
@@ -12740,6 +12740,9 @@
- chromium-browser 44.0.2403.89-1
[wheezy] - chromium-browser 
[squeeze] - chromium-browser 
+   - icu 
+   NOTE: http://bugs.icu-project.org/trac/ticket/11696
+   NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37486/
 CVE-2015-1269 (The DecodeHSTSPreloadRaw function in ...)
{DSA-3315-1}
- chromium-browser 43.0.2357.130-1
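Review bot: "- icu" is added under a chromium CVE without per-suite lines, while the chromium lines above already have wheezy and squeeze entries; the icu versions in those suites need an explicit status (fixed, no-dsa, or "Vulnerable code not present", as was done for the other icu issue in r35705) or the tracker will list them as unfixed.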




[Secure-testing-commits] r35842 - data

2015-08-02 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-02 09:46:45 + (Sun, 02 Aug 2015)
New Revision: 35842

Modified:
   data/dsa-needed.txt
Log:
Update libidn note in dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-02 09:45:57 UTC (rev 35841)
+++ data/dsa-needed.txt 2015-08-02 09:46:45 UTC (rev 35842)
@@ -43,6 +43,7 @@
   Work-in-progress debdiff for jessie-security at
   https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
   Help is needed to fix it so that it doesn't FTBFS
+  Both needs update for CVE-2015-2059 follow-up
 --
 libxml2
 --
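Review bot: "Both needs update" should read "Both need update", and "CVE-2015-2059 follow-up" is clearer if it names the temporary entry it refers to (the "[more to CVE-2015-2059]" issue added in r35841), since the follow-up has no CVE id of its own to search for.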




[Secure-testing-commits] r35841 - data/CVE

2015-08-02 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-02 09:45:57 + (Sun, 02 Aug 2015)
New Revision: 35841

Modified:
   data/CVE/list
Log:
Add new temporary libidn issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-02 09:10:19 UTC (rev 35840)
+++ data/CVE/list   2015-08-02 09:45:57 UTC (rev 35841)
@@ -1,3 +1,8 @@
+CVE-2015- [more to CVE-2015-2059]
+   - libidn 1.32-1
+   NOTE: Introduced by fix for CVE-2015-2059
+   NOTE: Patch: 
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=58c721ac2dc96bccd737f3f544f3a22a50477bbf
+   NOTE: Testcase: 
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=c261018477f971d274dee305d27f8bff4afd4238
 CVE-2015- [Sidekiq::Web lacks CSRF protection]
- ruby-sidekiq 
NOTE: https://github.com/mperham/sidekiq/pull/2422
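Review bot: the new entry records the regression as introduced by the fix for CVE-2015-2059 but lists only the unstable version 1.32-1; the wheezy and jessie status should be stated explicitly, since the debdiffs for those suites are still pending in dsa-needed: a "(Vulnerable code not present)" line if the original fix has not shipped there, and a reminder that the pending debdiffs must carry the follow-up patch as well.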




[Secure-testing-commits] r35825 - data/CVE

2015-08-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-01 18:32:39 + (Sat, 01 Aug 2015)
New Revision: 35825

Modified:
   data/CVE/list
Log:
Mark CVE-2011-4968/nginx as fixed

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-01 16:42:45 UTC (rev 35824)
+++ data/CVE/list   2015-08-01 18:32:39 UTC (rev 35825)
@@ -78075,7 +78075,7 @@
NOTE: 
https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9
 CVE-2011-4968 [nginx http proxy module does not verify peer identity of https 
origin server]
RESERVED
-   - nginx  (low; bug #697940)
+   - nginx 1.9.1-1 (low; bug #697940)
[jessie] - nginx  (Minor issue)
[squeeze] - nginx  (Minor issue)
[wheezy] - nginx  (Minor issue)
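Review bot: the fixed version 1.9.1-1 is added without a NOTE citing the upstream change that adds peer verification in the proxy module; the surrounding entries use "NOTE: Patch:" lines for this, and it also lets the "Minor issue" tags for jessie, squeeze and wheezy be revisited against the actual fix.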




[Secure-testing-commits] r35823 - data

2015-08-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-01 16:42:43 + (Sat, 01 Aug 2015)
New Revision: 35823

Modified:
   data/dsa-needed.txt
Log:
Take icedove

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-01 16:35:31 UTC (rev 35822)
+++ data/dsa-needed.txt 2015-08-01 16:42:43 UTC (rev 35823)
@@ -33,7 +33,7 @@
 glibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --
-icedove
+icedove (ghedo)
 --
 imagemagick/oldstable
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716




[Secure-testing-commits] r35824 - in data: . DSA

2015-08-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-01 16:42:45 + (Sat, 01 Aug 2015)
New Revision: 35824

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for icedove

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-01 16:42:43 UTC (rev 35823)
+++ data/DSA/list   2015-08-01 16:42:45 UTC (rev 35824)
@@ -1,3 +1,7 @@
+[01 Aug 2015] DSA-3324-1 icedove - security update
+   {CVE-2015-2721 CVE-2015-2724 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 
CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-4000}
+   [wheezy] - icedove 31.8.0-1~deb7u1
+   [jessie] - icedove 31.8.0-1~deb8u1
 [01 Aug 2015] DSA-3323-1 icu - security update
{CVE-2014-8146 CVE-2014-8147 CVE-2015-4760}
[wheezy] - icu 4.8.1.1-12+deb7u3

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-01 16:42:43 UTC (rev 35823)
+++ data/dsa-needed.txt 2015-08-01 16:42:45 UTC (rev 35824)
@@ -33,8 +33,6 @@
 glibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --
-icedove (ghedo)
---
 imagemagick/oldstable
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along




[Secure-testing-commits] r35822 - in data: CVE DSA

2015-08-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-01 16:35:31 + (Sat, 01 Aug 2015)
New Revision: 35822

Modified:
   data/CVE/list
   data/DSA/list
Log:
Mark temporary icu issue as fixed

Modified: data/CVE/list
===
--- data/CVE/list   2015-08-01 15:55:34 UTC (rev 35821)
+++ data/CVE/list   2015-08-01 16:35:31 UTC (rev 35822)
@@ -11320,6 +11320,8 @@
 CVE-2014- [more to CVE-2014-6585]
[experimental] - icu 55.1-1
- icu 52.1-10 (low; bug #778511)
+   [jessie] - icu 52.1-8+deb8u2
+   [wheezy] - icu 4.8.1.1-12+deb7u3
[squeeze] - icu  (All relevant changes already applied)
NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37086
NOTE: icu_4.4.1-8+squeeze3 already has the full patch except for the 
changes in source/layout/ContextualSubstSubtables.cpp which are commented out 
anyway... and the remaining if test is probably only meaningful when the 
backtrackClassArray call is uncommented.

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-01 15:55:34 UTC (rev 35821)
+++ data/DSA/list   2015-08-01 16:35:31 UTC (rev 35822)
@@ -1,5 +1,5 @@
 [01 Aug 2015] DSA-3323-1 icu - security update
-   {CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760}
+   {CVE-2014-8146 CVE-2014-8147 CVE-2015-4760}
[wheezy] - icu 4.8.1.1-12+deb7u3
[jessie] - icu 52.1-8+deb8u2
 [31 Jul 2015] DSA-3322-1 ruby-rack - security update
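Review bot: this hunk drops CVE-2014-6585 from the DSA-3323-1 braces while the CVE/list hunk above records the jessie and wheezy fixes under the "[more to CVE-2014-6585]" entry, which has no CVE id of its own; the log does not explain the removal, so a sentence saying the DSA addresses the follow-up rather than CVE-2014-6585 itself would stop the change from reading as a loss of coverage.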




[Secure-testing-commits] r35820 - in data: . DSA

2015-08-01 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-08-01 15:55:15 + (Sat, 01 Aug 2015)
New Revision: 35820

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for icu

Modified: data/DSA/list
===
--- data/DSA/list   2015-08-01 05:39:30 UTC (rev 35819)
+++ data/DSA/list   2015-08-01 15:55:15 UTC (rev 35820)
@@ -1,3 +1,7 @@
+[01 Aug 2015] DSA-3323-1 icu - security update
+   {CVE-2014-6585 CVE-2014-8146 CVE-2014-8147 CVE-2015-4760}
+   [wheezy] - icu 4.8.1.1-12+deb7u3
+   [jessie] - icu 52.1-8+deb8u2
 [31 Jul 2015] DSA-3322-1 ruby-rack - security update
{CVE-2015-3225}
[wheezy] - ruby-rack 1.4.1-2.1+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-08-01 05:39:30 UTC (rev 35819)
+++ data/dsa-needed.txt 2015-08-01 15:55:15 UTC (rev 35820)
@@ -35,8 +35,6 @@
 --
 icedove
 --
-icu (ghedo)
---
 imagemagick/oldstable
   no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716
   should be fixed along




[Secure-testing-commits] r35805 - in data: . DSA

2015-07-30 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-30 19:57:46 + (Thu, 30 Jul 2015)
New Revision: 35805

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for xmltooling

Modified: data/DSA/list
===
--- data/DSA/list   2015-07-30 18:00:31 UTC (rev 35804)
+++ data/DSA/list   2015-07-30 19:57:46 UTC (rev 35805)
@@ -1,3 +1,7 @@
+[30 Jul 2015] DSA-3321-1 xmltooling - security update
+   {CVE-2015-0851}
+   [wheezy] - xmltooling 1.4.2-5+deb7u1
+   [jessie] - xmltooling 1.5.3-2+deb8u1
 [30 Jul 2015] DSA-3320-1 openafs - security update
{CVE-2015-3282 CVE-2015-3283 CVE-2015-3284 CVE-2015-3285 CVE-2015-3287}
[wheezy] - openafs 1.6.1-3+deb7u3
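Review bot: the CVE/list entry for this issue (see r35795 on this page) notes "opensaml2 will need binNMUs", but the DSA-3321-1 entry lists only xmltooling; the rebuilt opensaml2 packages should be tracked as part of the same advisory, which r35937 (earlier on this page, later in time) does as DSA-3321-2.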

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-30 18:00:31 UTC (rev 35804)
+++ data/dsa-needed.txt 2015-07-30 19:57:46 UTC (rev 35805)
@@ -107,8 +107,5 @@
 --
 wpa
 --
-xmltooling (ghedo)
-  Maintainer prepared upload for jessie
---
 yubiserver
 --




[Secure-testing-commits] r35803 - data/CVE

2015-07-30 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-30 15:31:24 + (Thu, 30 Jul 2015)
New Revision: 35803

Modified:
   data/CVE/list
Log:
Add fixed version for libwmf issues

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-30 14:39:37 UTC (rev 35802)
+++ data/CVE/list   2015-07-30 15:31:24 UTC (rev 35803)
@@ -2432,10 +2432,10 @@
NOTE: Introduced in: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a14842f5a3c0e88a1e59fac5c3025db39721f74
 (v3.0-rc1)
 CVE-2015-4696 (Use-after-free vulnerability in libwmf 0.2.8.4 allows remote 
attackers ...)
{DSA-3302-1 DLA-257-1}
-   - libwmf  (bug #784192)
+   - libwmf 0.2.8.4-10.4 (bug #784192)
 CVE-2015-4695 (meta.h in libwmf 0.2.8.4 allows remote attackers to cause a 
denial of ...)
{DSA-3302-1 DLA-257-1}
-   - libwmf  (bug #784205)
+   - libwmf 0.2.8.4-10.4 (bug #784205)
 CVE-2015-4680 [insufficent CRL application]
RESERVED
- freeradius  (bug #789623)
@@ -2932,7 +2932,7 @@
NOTE: Fixed in 5.6.10 and 5.4.42 upstream
 CVE-2015-4588 (Heap-based buffer overflow in the DecodeImage function in 
libwmf ...)
{DSA-3302-1 DLA-253-1}
-   - libwmf  (bug #787644)
+   - libwmf 0.2.8.4-10.4 (bug #787644)
 CVE-2015-4556 [buffer overrun in CHICKEN Scheme's string-translate* procedure]
RESERVED
- chicken  (bug #788833)
@@ -14250,7 +14250,7 @@
[jessie] - pycode-browser  (Minor issue)
 CVE-2015-0848 (Heap-based buffer overflow in libwmf 0.2.8.4 allows remote 
attackers ...)
{DSA-3302-1 DLA-253-1}
-   - libwmf  (bug #787644)
+   - libwmf 0.2.8.4-10.4 (bug #787644)
 CVE-2015-0847 (nbd-server.c in Network Block Device (nbd-server) before 3.11 
does not ...)
{DSA-3271-1 DLA-223-1}
- nbd 1:3.10-1 (bug #784657)
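Review bot: all four libwmf entries consistently get 0.2.8.4-10.4, which matches the shared DSA-3302-1 reference; while touching this region, the context line "CVE-2015-4680 [insufficent CRL application]" in the first hunk has a typo ("insufficient") that could be fixed in the same pass.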




[Secure-testing-commits] r35801 - data

2015-07-30 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-30 13:43:44 + (Thu, 30 Jul 2015)
New Revision: 35801

Modified:
   data/dsa-needed.txt
Log:
Untake libidn for now

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-30 13:27:59 UTC (rev 35800)
+++ data/dsa-needed.txt 2015-07-30 13:43:44 UTC (rev 35801)
@@ -41,7 +41,12 @@
 --
 libav/oldstable (jmm)
 --
-libidn (ghedo)
+libidn
+  Working debdiff for wheezy-security at
+  https://people.debian.org/~ghedo/libidn_1.25-2+deb7u1.diff
+  Work-in-progress debdiff for jessie-security at
+  https://people.debian.org/~ghedo/libidn_1.29-1+deb8u1.diff
+  Help is needed to fix it so that it doesn't FTBFS
 --
 libxml2
 --
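Review bot: "Help is needed to fix it so that it doesn't FTBFS" would be more actionable with the failing build step or a build-log link recorded next to the jessie debdiff, so whoever takes the entry does not have to reproduce the failure first.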




[Secure-testing-commits] r35798 - data

2015-07-30 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-30 10:01:53 + (Thu, 30 Jul 2015)
New Revision: 35798

Modified:
   data/dsa-needed.txt
Log:
Take xmltooling

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-30 09:54:30 UTC (rev 35797)
+++ data/dsa-needed.txt 2015-07-30 10:01:53 UTC (rev 35798)
@@ -102,7 +102,7 @@
 --
 wpa
 --
-xmltooling
+xmltooling (ghedo)
   Maintainer prepared upload for jessie
 --
 yubiserver




[Secure-testing-commits] r35795 - data/CVE

2015-07-30 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-30 09:37:12 + (Thu, 30 Jul 2015)
New Revision: 35795

Modified:
   data/CVE/list
Log:
Remove link to opensaml2 patch for CVE-2015-0851

Not a security issue according to upstream.

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-30 09:15:43 UTC (rev 35794)
+++ data/CVE/list   2015-07-30 09:37:12 UTC (rev 35795)
@@ -14234,8 +14234,7 @@
RESERVED
- xmltooling  (bug #793855)
NOTE: http://shibboleth.net/community/advisories/secadv_20150721.txt
-   NOTE: xmltooling: 
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900
-   NOTE: opensaml2: 
https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commitdiff;h=ec145bf31d59d23bbf63cdc39ffeb172ed29d67d
+   NOTE: Patch: 
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900
NOTE: Initial advisory was listing the wrong CVE, updated later
NOTE: opensaml2 will need binNMUs
NOTE: [squeeze] partially affected (util/XMLHelper.cpp 
XMLHelper::getAttrInt method not present) (1.3.3.x)
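Review bot: the reason for dropping the opensaml2 commit link ("Not a security issue according to upstream") lives only in the commit log; a NOTE in the entry saying that opensaml2 is affected only through the rebuild would keep the remaining "opensaml2 will need binNMUs" line from reading as a second, unfixed package.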




[Secure-testing-commits] r35705 - data/CVE

2015-07-25 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-25 14:41:32 + (Sat, 25 Jul 2015)
New Revision: 35705

Modified:
   data/CVE/list
Log:
Temporary icu issue doesn't affect wheezy/squeeze

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-25 14:36:32 UTC (rev 35704)
+++ data/CVE/list   2015-07-25 14:41:32 UTC (rev 35705)
@@ -188,6 +188,8 @@
RESERVED
 CVE-2015- [more to CVE-2014-8146]
- icu 
+   [wheezy] - icu  (Vulnerable code not present)
+   [squeeze] - icu  (Vulnerable code not present)
NOTE: https://bugs.mageia.org/show_bug.cgi?id=15852#c2
 CVE-2015- [integer overflow]
- freexl 1.0.2-1
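Review bot: the "(Vulnerable code not present)" lines for wheezy and squeeze should be backed by a NOTE naming the file or upstream version where the code first appeared, as other entries do with "Introduced in:" notes, so the claim can be rechecked if this icu issue is assigned a CVE.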




[Secure-testing-commits] r35685 - data

2015-07-24 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-24 17:56:29 + (Fri, 24 Jul 2015)
New Revision: 35685

Modified:
   data/dsa-needed.txt
Log:
Add xmltooling to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-24 17:56:28 UTC (rev 35684)
+++ data/dsa-needed.txt 2015-07-24 17:56:29 UTC (rev 35685)
@@ -97,5 +97,8 @@
 --
 wpa
 --
+xmltooling
+  Maintainer prepared upload for jessie
+--
 yubiserver
 --




[Secure-testing-commits] r35686 - data

2015-07-24 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-24 17:56:31 + (Fri, 24 Jul 2015)
New Revision: 35686

Modified:
   data/dsa-needed.txt
Log:
Add squid and squid3 to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-24 17:56:29 UTC (rev 35685)
+++ data/dsa-needed.txt 2015-07-24 17:56:31 UTC (rev 35686)
@@ -78,6 +78,11 @@
 --
 smarty3
 --
+squid/oldstable
+--
+squid3
+  Maintainer prepared upload for jessie
+--
 t1utils/oldstable (ghedo)
   Patch applied for stable seems incomplete since similar code is in t1asm.c 
and t1disasm.c
   Security impact of #724571 might need to be checked as well
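Review bot: squid/oldstable is added without a status note while squid3 has "Maintainer prepared upload for jessie"; stating who is preparing the wheezy update, or that it is still open, avoids the entry sitting unclaimed next to an entry that already has an upload.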




[Secure-testing-commits] r35684 - data

2015-07-24 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-24 17:56:28 + (Fri, 24 Jul 2015)
New Revision: 35684

Modified:
   data/dsa-needed.txt
Log:
Add expat to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-24 17:48:34 UTC (rev 35683)
+++ data/dsa-needed.txt 2015-07-24 17:56:28 UTC (rev 35684)
@@ -26,6 +26,9 @@
 --
 elasticsearch
 --
+expat
+  Maintainer prepared uploads for wheezy and jessie
+--
 glibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --




[Secure-testing-commits] r35683 - data/CVE

2015-07-24 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-24 17:48:34 + (Fri, 24 Jul 2015)
New Revision: 35683

Modified:
   data/CVE/list
Log:
Add xmltooling issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-24 16:27:24 UTC (rev 35682)
+++ data/CVE/list   2015-07-24 17:48:34 UTC (rev 35683)
@@ -1,3 +1,8 @@
+CVE-2015- [Shibboleth SP software crashes on well-formed but invalid XML]
+   - xmltooling 
+   NOTE: http://shibboleth.net/community/advisories/secadv_20150721.txt
+   NOTE: The upstream advisory lists the wrong CVE
+   NOTE: opensaml2 will need binNMUs
 CVE-2015-5621
RESERVED
 CVE-2015-5620
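Review bot: "The upstream advisory lists the wrong CVE" should name both the id in the advisory and the id this entry will use; without that the mismatch cannot be verified later, and the entry cannot be matched against the advisory once the tracker assigns the real CVE.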




[Secure-testing-commits] r35614 - in data: . CVE DSA

2015-07-22 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-22 09:27:49 + (Wed, 22 Jul 2015)
New Revision: 35614

Modified:
   data/CVE/list
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for cacti

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-22 09:21:58 UTC (rev 35613)
+++ data/CVE/list   2015-07-22 09:27:49 UTC (rev 35614)
@@ -149,36 +149,48 @@
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/06/7
 CVE-2015- [SQL Injection in host_templates.php]
- cacti 0.8.8e+ds1-1
+   [jessie] - cacti 0.8.8b+dfsg-8+deb8u2
+   [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2584
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
 CVE-2015- [SQL Injection in graph_templates.php]
- cacti 0.8.8e+ds1-1
+   [jessie] - cacti 0.8.8b+dfsg-8+deb8u2
+   [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2583
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
 CVE-2015- [SQL Injection in data_templates.php]
- cacti 0.8.8e+ds1-1
+   [jessie] - cacti 0.8.8b+dfsg-8+deb8u2
+   [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2582
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
 CVE-2015- [SQL Injection in cdef.php]
- cacti 0.8.8e+ds1-1
+   [jessie] - cacti 0.8.8b+dfsg-8+deb8u2
+   [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2580
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
 CVE-2015- [SQL Injection Vulnerability in data sources]
- cacti 0.8.8e+ds1-1
+   [jessie] - cacti 0.8.8b+dfsg-8+deb8u2
+   [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2579
NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
 CVE-2015- [SQL Injection Vulnerability in graph items and graph template 
items]
- cacti 0.8.8e+ds1-1
+   [jessie] - cacti 0.8.8b+dfsg-8+deb8u2
+   [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
[squeeze] - cacti 0.8.7g-1+squeeze7
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
NOTE: http://bugs.cacti.net/view.php?id=2574
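Review bot: all six temporary cacti entries receive the same jessie and wheezy fixed versions, but their ids are still placeholders with pending "CVE Request:" links, while the DSA hunk below cites only {CVE-2015-4634}; once the requested ids are assigned the DSA braces need updating, so a NOTE tying these entries to DSA-3312-1 would make that follow-up visible.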

Modified: data/DSA/list
===
--- data/DSA/list   2015-07-22 09:21:58 UTC (rev 35613)
+++ data/DSA/list   2015-07-22 09:27:49 UTC (rev 35614)
@@ -1,3 +1,7 @@
+[22 Jul 2015] DSA-3312-1 cacti - security update
+   {CVE-2015-4634}
+   [wheezy] - cacti 0.8.8a+dfsg-5+deb7u6
+   [jessie] - cacti 0.8.8b+dfsg-8+deb8u2
 [20 Jul 2015] DSA-3311-1 mariadb-10.0 - security update
{CVE-2015-0433 CVE-2015-0441 CVE-2015-0499 CVE-2015-0501 CVE-2015-0505 
CVE-2015-2568 CVE-2015-2571 CVE-2015-2573 CVE-2015-3152}
[jessie] - mariadb-10.0 10.0.20-0+deb8u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-22 09:21:58 UTC (rev 35613)
+++ data/dsa-needed.txt 2015-07-22 09:27:49 UTC (rev 35614)
@@ -21,9 +21,6 @@
 aptdaemon
   For jessie-security compat layer for PackageKit needs to be dropped
 --
-cacti (ghedo)
-  Maintainer prepared uploads for wheezy and jessie
---
 eglibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --




[Secure-testing-commits] r35613 - data

2015-07-22 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-22 09:21:58 + (Wed, 22 Jul 2015)
New Revision: 35613

Modified:
   data/dsa-needed.txt
Log:
Take cacti

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-22 09:10:18 UTC (rev 35612)
+++ data/dsa-needed.txt 2015-07-22 09:21:58 UTC (rev 35613)
@@ -21,7 +21,7 @@
 aptdaemon
   For jessie-security compat layer for PackageKit needs to be dropped
 --
-cacti
+cacti (ghedo)
   Maintainer prepared uploads for wheezy and jessie
 --
 eglibc (aurel32)


[Secure-testing-commits] r35603 - data/CVE

2015-07-21 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-21 17:05:54 + (Tue, 21 Jul 2015)
New Revision: 35603

Modified:
   data/CVE/list
Log:
Add new temporary icu issue related to CVE-2014-8146

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-21 15:16:54 UTC (rev 35602)
+++ data/CVE/list   2015-07-21 17:05:54 UTC (rev 35603)
@@ -1,3 +1,6 @@
+CVE-2015- [more to CVE-2014-8146]
+   - icu 
+   NOTE: https://bugs.mageia.org/show_bug.cgi?id=15852#c2
 CVE-2015- [integer overflow]
- freexl 1.0.2-1
[jessie] - freexl 1.0.0g-1+deb8u2
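Review bot: the new temporary entry carries no status at all (the `- icu` line gives neither a fixed version nor a severity) and its description says only `more to CVE-2014-8146`, which does not tell a reader what is still broken. Since the second hunk of this commit deletes the note that the upstream patch for CVE-2014-8146 does not seem to fix the issue properly, that information now lives nowhere in the file; restate what remains unfixed in this entry and add a `TODO: request CVE` line so the placeholder id is followed up.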
@@ -20034,7 +20037,6 @@
[wheezy] - chromium-browser  (Vulnerable code not present)
[squeeze] - chromium-browser  (Not supported in Squeeze 
LTS)
NOTE: Patch: http://bugs.icu-project.org/trac/changeset/37162
-   NOTE: The upstream patch doesn't seem to properly fix the issue.
 CVE-2014-8145 (Multiple heap-based buffer overflows in Sound eXchange (SoX) 
14.4.1 ...)
{DSA-3112-1 DLA-128-1}
- sox 14.4.1-5 (bug #773720)


[Secure-testing-commits] r35569 - data

2015-07-19 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-19 09:58:28 + (Sun, 19 Jul 2015)
New Revision: 35569

Modified:
   data/dsa-needed.txt
Log:
Add cacti to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-19 09:56:48 UTC (rev 35568)
+++ data/dsa-needed.txt 2015-07-19 09:58:28 UTC (rev 35569)
@@ -21,6 +21,9 @@
 aptdaemon
   For jessie-security compat layer for PackageKit needs to be dropped
 --
+cacti
+  Maintainer prepared uploads for wheezy and jessie
+--
 eglibc (aurel32)
   some of the other no-dsa bugs could be fixed along
 --


[Secure-testing-commits] r35568 - data/CVE

2015-07-19 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-19 09:56:48 + (Sun, 19 Jul 2015)
New Revision: 35568

Modified:
   data/CVE/list
Log:
Add temporary cacti issues

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-19 09:10:18 UTC (rev 35567)
+++ data/CVE/list   2015-07-19 09:56:48 UTC (rev 35568)
@@ -1,3 +1,33 @@
+CVE-2015- [SQL Injection in host_templates.php]
+   - cacti 0.8.8e+ds1-1
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
+   NOTE: http://bugs.cacti.net/view.php?id=2584
+   NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
+CVE-2015- [SQL Injection in graph_templates.php]
+   - cacti 0.8.8e+ds1-1
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
+   NOTE: http://bugs.cacti.net/view.php?id=2583
+   NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
+CVE-2015- [SQL Injection in data_templates.php]
+   - cacti 0.8.8e+ds1-1
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
+   NOTE: http://bugs.cacti.net/view.php?id=2582
+   NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
+CVE-2015- [SQL Injection in cdef.php]
+   - cacti 0.8.8e+ds1-1
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
+   NOTE: http://bugs.cacti.net/view.php?id=2580
+   NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
+CVE-2015- [SQL Injection Vulnerabilitie in data sources]
+   - cacti 0.8.8e+ds1-1
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
+   NOTE: http://bugs.cacti.net/view.php?id=2579
+   NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
+CVE-2015- [SQL Injection Vulnerabilitie in graph items and graph template 
items]
+   - cacti 0.8.8e+ds1-1
+   NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/18/4
+   NOTE: http://bugs.cacti.net/view.php?id=2574
+   NOTE: http://svn.cacti.net/viewvc?view=rev&revision=7731
 CVE-2015-5590 [Buffer overflow and stack smashing error in phar_fix_filepath]
- php5 5.6.11+dfsg-1
NOTE: https://bugs.php.net/bug.php?id=69923
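Review bot: typo in two of the six new descriptions, `SQL Injection Vulnerabilitie in data sources` and `SQL Injection Vulnerabilitie in graph items and graph template items`; both should read `Vulnerability`. Because all six entries share the same CVE request URL and the same upstream revision 7731, the description and the bug id are the only things that tell them apart, so they are worth getting right before ids are assigned.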
@@ -2103,7 +2133,7 @@
RESERVED
 CVE-2015-4635
RESERVED
-CVE-2015-4634
+CVE-2015-4634 [SQL injection in graphs.php]
RESERVED
{DLA-278-1}
- cacti 0.8.8e+ds1-1


[Secure-testing-commits] r35557 - in data: . DSA

2015-07-18 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-18 17:03:09 + (Sat, 18 Jul 2015)
New Revision: 35557

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for tidy

Modified: data/DSA/list
===
--- data/DSA/list   2015-07-18 16:56:40 UTC (rev 35556)
+++ data/DSA/list   2015-07-18 17:03:09 UTC (rev 35557)
@@ -1,3 +1,7 @@
+[18 Jul 2015] DSA-3309-1 tidy - security update
+   {CVE-2015-5522 CVE-2015-5523}
+   [wheezy] - tidy 20091223cvs-1.2+deb7u1
+   [jessie] - tidy 20091223cvs-1.4+deb8u1
 [18 Jul 2015] DSA-3308-1 mysql-5.5 - security update
{CVE-2015-2582 CVE-2015-2620 CVE-2015-2643 CVE-2015-2648 CVE-2015-4737 
CVE-2015-4752}
[wheezy] - mysql-5.5 5.5.44-0+deb7u1

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-18 16:56:40 UTC (rev 35556)
+++ data/dsa-needed.txt 2015-07-18 17:03:09 UTC (rev 35557)
@@ -77,8 +77,6 @@
   Patch applied for stable seems incomplete since similar code is in t1asm.c 
and t1disasm.c
   Security impact of #724571 might need to be checked as well
 --
-tidy (ghedo)
---
 tiff3
 --
 tomcat6


[Secure-testing-commits] r35503 - data

2015-07-16 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-16 12:20:30 + (Thu, 16 Jul 2015)
New Revision: 35503

Modified:
   data/dsa-needed.txt
Log:
Add libidn to dsa-needed and take it

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-16 12:20:27 UTC (rev 35502)
+++ data/dsa-needed.txt 2015-07-16 12:20:30 UTC (rev 35503)
@@ -35,6 +35,8 @@
 --
 libav/oldstable (jmm)
 --
+libidn (ghedo)
+--
 libxml2
 --
 linux


[Secure-testing-commits] r35502 - data/CVE

2015-07-16 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-16 12:20:27 + (Thu, 16 Jul 2015)
New Revision: 35502

Modified:
   data/CVE/list
Log:
Reconsider CVE-2015-2059/libidn severity

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-16 11:51:36 UTC (rev 35501)
+++ data/CVE/list   2015-07-16 12:20:27 UTC (rev 35502)
@@ -11196,9 +11196,12 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/13
 CVE-2015-2059
RESERVED
-   - libidn 1.31-1 (unimportant)
+   - libidn 1.31-1
+   NOTE: http://www.openwall.com/lists/oss-security/2015/02/23/25
NOTE: Patch: 
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e
-   NOTE: Mis-use of an API (even if poorly documented) is hardly a 
security issue
+   NOTE: This could be attributed to a misuse of a (poorly documented) API
+   NOTE: but since upstream provided a patch it makes more sense to fix
+   NOTE: only libidn instead of every application using it
 CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c 
in ...)
{DSA-3209-1 DLA-203-1}
- openldap 2.4.40-4 (bug #776988)
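Review bot: dropping `(unimportant)` turns CVE-2015-2059 into a tracked issue, but no `[jessie]` or `[wheezy]` line is added, so both suites now show as vulnerable with nothing recorded about what is planned for them. The companion commit r35503 queues `libidn (ghedo)` in dsa-needed, so add the suite lines (or at least a `TODO:`) here so the CVE entry and the DSA queue agree; the three-line `NOTE:` explaining why the severity was raised is good and should stay.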


[Secure-testing-commits] r35498 - data

2015-07-16 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-16 10:27:47 + (Thu, 16 Jul 2015)
New Revision: 35498

Modified:
   data/dsa-needed.txt
Log:
Take tidy

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-16 09:52:19 UTC (rev 35497)
+++ data/dsa-needed.txt 2015-07-16 10:27:47 UTC (rev 35498)
@@ -73,7 +73,7 @@
   Patch applied for stable seems incomplete since similar code is in t1asm.c 
and t1disasm.c
   Security impact of #724571 might need to be checked as well
 --
-tidy
+tidy (ghedo)
 --
 tiff3
 --


[Secure-testing-commits] r35437 - data/CVE

2015-07-12 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-12 16:39:16 + (Sun, 12 Jul 2015)
New Revision: 35437

Modified:
   data/CVE/list
Log:
CVE-2015-2059/libidn fixed in sid

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-12 13:25:49 UTC (rev 35436)
+++ data/CVE/list   2015-07-12 16:39:16 UTC (rev 35437)
@@ -10874,7 +10874,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/02/09/13
 CVE-2015-2059
RESERVED
-   - libidn  (unimportant)
+   - libidn 1.31-1 (unimportant)
NOTE: Patch: 
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e
NOTE: Mis-use of an API (even if poorly documented) is hardly a 
security issue
 CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c 
in ...)


[Secure-testing-commits] r35428 - data/CVE

2015-07-10 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-10 21:36:50 + (Fri, 10 Jul 2015)
New Revision: 35428

Modified:
   data/CVE/list
Log:
CVE assigned for sogo CSRF issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-10 21:33:42 UTC (rev 35427)
+++ data/CVE/list   2015-07-10 21:36:50 UTC (rev 35428)
@@ -136,8 +136,6 @@
RESERVED
 CVE-2015-5396
RESERVED
-CVE-2015-5395
-   RESERVED
 CVE-2015-5394
RESERVED
 CVE-2015-5393
@@ -218,7 +216,7 @@
[squeeze] - hostapd  (v0.7.0-v2.4 with CONFIG_WPS_NFC=y)
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/08/3
NOTE: http://w1.fi/security/2015-5/
-CVE-2015- [CSRF]
+CVE-2015-5395 [CSRF]
- sogo 
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/07/10
NOTE: http://www.sogo.nu/bugs/view.php?id=3246


[Secure-testing-commits] r35427 - in data: CVE DSA

2015-07-10 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-10 21:33:42 + (Fri, 10 Jul 2015)
New Revision: 35427

Modified:
   data/CVE/list
   data/DSA/list
Log:
CVE assigned for pdns issue

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-10 21:10:14 UTC (rev 35426)
+++ data/CVE/list   2015-07-10 21:33:42 UTC (rev 35427)
@@ -227,13 +227,11 @@
- sogo 
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2015/07/07/9
TODO: check
-CVE-2015- [denial of service - incomplete fix for CVE-2015-1868]
+CVE-2015-5470 [denial of service - incomplete fix for CVE-2015-1868]
- pdns 3.4.5-1
-   [jessie] - pdns 3.4.1-4+deb8u2
[wheezy] - pdns  (3.2 and up affected)
[squeeze] - pdns  (3.2 and up affected)
- pdns-recursor 3.7.3-1
-   [jessie] - pdns-recursor 3.6.2-2+deb8u2
[wheezy] - pdns-recursor  (3.5 and up affected)
[squeeze] - pdns-recursor  (3.5 and up affected)
NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/6

Modified: data/DSA/list
===
--- data/DSA/list   2015-07-10 21:10:14 UTC (rev 35426)
+++ data/DSA/list   2015-07-10 21:33:42 UTC (rev 35427)
@@ -1,6 +1,8 @@
 [09 Jul 2015] DSA-3307-1 pdns-recursor - security update
+   {CVE-2015-5470}
[jessie] - pdns-recursor 3.6.2-2+deb8u2
 [09 Jul 2015] DSA-3306-1 pdns - security update
+   {CVE-2015-5470}
[jessie] - pdns 3.4.1-4+deb8u2
 [08 Jul 2015] DSA-3305-1 python-django - security update
{CVE-2015-5143 CVE-2015-5144}


[Secure-testing-commits] r35401 - data/CVE

2015-07-09 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-09 22:12:25 + (Thu, 09 Jul 2015)
New Revision: 35401

Modified:
   data/CVE/list
Log:
Package sddm was accepted into the archive

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-09 22:05:53 UTC (rev 35400)
+++ data/CVE/list   2015-07-09 22:12:25 UTC (rev 35401)
@@ -21773,11 +21773,13 @@
- getmail4 4.44.0-1 (bug #766670)
 CVE-2014-7272 [multiple vulnerabilities in sddm]
RESERVED
-   - sddm  (bug #703519)
+   [experimental] - sddm 0.11.0-1
+   - sddm 0.11.0-2
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=897788
 CVE-2014-7271 [unauthenticated logins as sddm]
RESERVED
-   - sddm  (bug #703519)
+   [experimental] - sddm 0.11.0-1
+   - sddm 0.11.0-2
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=897788
 CVE-2014-7270 (Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN 
RT-AC87U ...)
NOT-FOR-US: ASUS routers
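Review bot: replacing `- sddm  (bug #703519)` with the experimental and unstable version lines drops the `(bug #703519)` reference from both CVE-2014-7271 and CVE-2014-7272. That bug number is the only link from these entries to the BTS history of the package, so keep it on the unstable line, e.g. `- sddm 0.11.0-2 (bug #703519)`.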


[Secure-testing-commits] r35400 - data/CVE

2015-07-09 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-09 22:05:53 + (Thu, 09 Jul 2015)
New Revision: 35400

Modified:
   data/CVE/list
Log:
Mark temporary pdns issue as fixed in jessie

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-09 21:59:59 UTC (rev 35399)
+++ data/CVE/list   2015-07-09 22:05:53 UTC (rev 35400)
@@ -225,9 +225,11 @@
TODO: check
 CVE-2015- [denial of service - incomplete fix for CVE-2015-1868]
- pdns 3.4.5-1
+   [jessie] - pdns 3.4.1-4+deb8u2
[wheezy] - pdns  (3.2 and up affected)
[squeeze] - pdns  (3.2 and up affected)
- pdns-recursor 3.7.3-1
+   [jessie] - pdns-recursor 3.6.2-2+deb8u2
[wheezy] - pdns-recursor  (3.5 and up affected)
[squeeze] - pdns-recursor  (3.5 and up affected)
NOTE: http://www.openwall.com/lists/oss-security/2015/07/07/6


[Secure-testing-commits] r35399 - in data: . DSA

2015-07-09 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-09 21:59:59 + (Thu, 09 Jul 2015)
New Revision: 35399

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for pdns and pdns-recursor

Modified: data/DSA/list
===
--- data/DSA/list   2015-07-09 21:13:21 UTC (rev 35398)
+++ data/DSA/list   2015-07-09 21:59:59 UTC (rev 35399)
@@ -1,3 +1,9 @@
+[09 Jul 2015] DSA-3307-1 pdns-recursor - security update
+   {CVE-2015-1868}
+   [jessie] - pdns-recursor 3.6.2-2+deb8u2
+[09 Jul 2015] DSA-3306-1 pdns - security update
+   {CVE-2015-1868}
+   [jessie] - pdns 3.4.1-4+deb8u2
 [08 Jul 2015] DSA-3305-1 python-django - security update
{CVE-2015-5143 CVE-2015-5144}
[wheezy] - python-django 1.4.5-1+deb7u12
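Review bot: both new DSA entries are filed against `{CVE-2015-1868}`, but the dsa-needed entry removed in the next hunk describes the uploads as a follow-up patch for CVE-2015-1868, i.e. a separate incomplete-fix issue rather than the original CVE. Recording DSA-3306-1 and DSA-3307-1 as fixes for CVE-2015-1868 itself is misleading; leave the braces empty with a note until the follow-up issue has its own CVE id, then fill them in.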

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-09 21:13:21 UTC (rev 35398)
+++ data/dsa-needed.txt 2015-07-09 21:59:59 UTC (rev 35399)
@@ -52,10 +52,6 @@
   NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466
   (#744717)
 --
-pdns/stable (ghedo)
-  Follow-up patch for CVE-2015-1868
-  Maintainer prepared uploads for pdns and pdns-recursor
---
 pdns/oldstable
 --
 php5


[Secure-testing-commits] r35389 - data

2015-07-09 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-09 12:21:49 + (Thu, 09 Jul 2015)
New Revision: 35389

Modified:
   data/dsa-needed.txt
Log:
Add pdns to dsa-needed and take it

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-09 11:53:20 UTC (rev 35388)
+++ data/dsa-needed.txt 2015-07-09 12:21:49 UTC (rev 35389)
@@ -52,6 +52,10 @@
   NOTE: regression fix needed for CVE-2013-2053 (#743332) and CVE-2013-6466
   (#744717)
 --
+pdns/stable (ghedo)
+  Follow-up patch for CVE-2015-1868
+  Maintainer prepared uploads for pdns and pdns-recursor
+--
 pdns/oldstable
 --
 php5


[Secure-testing-commits] r35379 - in data: . DSA

2015-07-08 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-08 22:03:20 + (Wed, 08 Jul 2015)
New Revision: 35379

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA for python-django

Modified: data/DSA/list
===
--- data/DSA/list   2015-07-08 21:46:20 UTC (rev 35378)
+++ data/DSA/list   2015-07-08 22:03:20 UTC (rev 35379)
@@ -1,3 +1,7 @@
+[08 Jul 2015] DSA-3305-1 python-django - security update
+   {CVE-2015-5143 CVE-2015-5144}
+   [wheezy] - python-django 1.4.5-1+deb7u12
+   [jessie] - python-django 1.7.7-1+deb8u1
 [07 Jul 2015] DSA-3304-1 bind9 - security update
{CVE-2015-4620}
[wheezy] - bind9 1:9.8.4.dfsg.P1-6+nmu2+deb7u5

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-08 21:46:20 UTC (rev 35378)
+++ data/dsa-needed.txt 2015-07-08 22:03:20 UTC (rev 35379)
@@ -61,9 +61,6 @@
 --
 pykerberos
 --
-python-django (ghedo)
-  lfaraone prepared jessie and wheezy updates
---
 smarty3
 --
 t1utils/oldstable (ghedo)


[Secure-testing-commits] r35377 - data/CVE

2015-07-08 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-08 21:46:17 + (Wed, 08 Jul 2015)
New Revision: 35377

Modified:
   data/CVE/list
Log:
Add python-django issues

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-08 21:10:15 UTC (rev 35376)
+++ data/CVE/list   2015-07-08 21:46:17 UTC (rev 35377)
@@ -678,12 +678,20 @@
NOT-FOR-US: Zoho ManageEngine SupportCenter Plus
 CVE-2015-5148 (SQL injection vulnerability in LivelyCart 1.2.0 allows remote 
...)
NOT-FOR-US: LivelyCart
-CVE-2015-5145
+CVE-2015-5145 [denial-of-service possibility in URL validation]
RESERVED
-CVE-2015-5144
+   - python-django 
+   [jessie] - python-django  (Vulnerable code not present)
+   [wheezy] - python-django  (Vulnerable code not present)
+   NOTE: 
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
+CVE-2015-5144 [header injection possibility since validators accept newlines 
in input]
RESERVED
-CVE-2015-5143
+   - python-django 
+   NOTE: 
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
+CVE-2015-5143 [denial-of-service possibility by filling session store]
RESERVED
+   - python-django 
+   NOTE: 
https://www.djangoproject.com/weblog/2015/jul/08/security-releases/
 CVE-2015-5142
RESERVED
 CVE-2015-5141


[Secure-testing-commits] r35378 - data

2015-07-08 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-08 21:46:20 + (Wed, 08 Jul 2015)
New Revision: 35378

Modified:
   data/dsa-needed.txt
Log:
Add python-django to dsa-needed

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2015-07-08 21:46:17 UTC (rev 35377)
+++ data/dsa-needed.txt 2015-07-08 21:46:20 UTC (rev 35378)
@@ -61,6 +61,9 @@
 --
 pykerberos
 --
+python-django (ghedo)
+  lfaraone prepared jessie and wheezy updates
+--
 smarty3
 --
 t1utils/oldstable (ghedo)


[Secure-testing-commits] r35374 - data/CVE

2015-07-08 Thread Alessandro Ghedini
Author: ghedo
Date: 2015-07-08 09:54:31 + (Wed, 08 Jul 2015)
New Revision: 35374

Modified:
   data/CVE/list
Log:
Add patch link for CVE-2015-2059/libidn

Modified: data/CVE/list
===
--- data/CVE/list   2015-07-08 06:04:31 UTC (rev 35373)
+++ data/CVE/list   2015-07-08 09:54:31 UTC (rev 35374)
@@ -10649,6 +10649,7 @@
 CVE-2015-2059
RESERVED
- libidn  (unimportant)
+   NOTE: Patch: 
http://git.savannah.gnu.org/cgit/libidn.git/commit/?id=2e97c2796581c27213962c77f5a8571a598f9a2e
NOTE: Mis-use of an API (even if poorly documented) is hardly a 
security issue
 CVE-2015-1545 (The deref_parseCtrl function in servers/slapd/overlays/deref.c 
in ...)
{DSA-3209-1 DLA-203-1}

