[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark rubygems as minor in wheezy

2018-04-11 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
88592a57 by Brian May at 2018-04-12T16:39:03+10:00
Mark rubygems as minor in wheezy

Considered not worth fixing. See the following threads on debian-lts:

* https://lists.debian.org/debian-lts/2018/04/msg00015.html
* https://lists.debian.org/debian-lts/2018/04/msg00042.html

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -7037,6 +7037,7 @@ CVE-2018-174 (RubyGems version Ruby 2.2 series: 2.2.9 
and earlier, Ruby 2.3 
- ruby2.1 
- ruby1.9.1 
- rubygems 
+   [wheezy] - rubygems  (Minor issue)
- jruby 
NOTE: 
https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
NOTE: 
https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
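Review bot: ruby1.9.1 still has no wheezy disposition in this entry even though the dla-needed.txt context line `NOTE: 20180402: Also vulnerable to CVE-2018-174. (lamby)` records that it is affected as well (ruby 1.9 ships its own copy of rubygems). If the "not worth fixing" triage is meant to cover that bundled copy too, add a matching `[wheezy] - ruby1.9.1` line with the same reason; otherwise the issue stays open for wheezy's ruby while looking closed for rubygems.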


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -83,10 +83,6 @@ qemu-kvm
 ruby1.9.1 (Santiago R.R.)
   NOTE: 20180402: Also vulnerable to CVE-2018-174. (lamby)
 --
-rubygems
-  NOTE: See https://lists.debian.org/debian-lts/2018/04/msg00015.html
-  NOTE: See https://lists.debian.org/debian-lts/2018/04/msg00042.html
---
 sharutils (Abhijith PA)
   NOTE: 20180318: no patch available yet, so no email to maintainer sent
 --
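Review bot: removing the rubygems entry also drops the two debian-lts thread references, and the data/CVE/list hunk in this commit does not carry them over as NOTE lines, so the rationale behind `(Minor issue)` now survives only in the commit message. Add `NOTE: https://lists.debian.org/debian-lts/2018/04/msg00015.html` (and msg00042) under the CVE entry, or put the reason in the parentheses, so the next triager can see why it was left unfixed.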



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/88592a572dcd21aabff91448e8117c0548161a2e

You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add references to mailing list posts for rubygems

2018-04-11 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
062fb559 by Brian May at 2018-04-11T17:03:50+10:00
Add references to mailing list posts for rubygems

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -85,6 +85,8 @@ ruby1.9.1 (Santiago R.R.)
   NOTE: 20180402: Also vulnerable to CVE-2018-174. (lamby)
 --
 rubygems
+  NOTE: See https://lists.debian.org/debian-lts/2018/04/msg00015.html
+  NOTE: See https://lists.debian.org/debian-lts/2018/04/msg00042.html
 --
 sharutils (Abhijith PA)
   NOTE: 20180318: no patch available yet, so no email to maintainer sent



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/062fb559a1fbbc5909337685c8ebaa9cdffe1e30


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Annotate CVE-2018-6594

2018-04-10 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fd006adc by Brian May at 2018-04-10T17:02:13+10:00
Annotate CVE-2018-6594

* Mark no-dsa in wheezy.
* Add comment about why this isn't being fixed upstream.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8659,11 +8659,14 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in 
PyCrypto through 2.6.1 generat
- python-crypto  (bug #88)
[stretch] - python-crypto  (Minor issue)
[jessie] - python-crypto  (Minor issue)
+   [wheezy] - python-crypto  (Minor issue)
NOTE: PyCrypto: https://github.com/dlitz/pycrypto/issues/253
NOTE: The issue is found as well in pycryptodome (fork from 
python-crypto)
NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90
NOTE: PyCrytpodome: 
https://github.com/Legrandin/pycryptodome/commit/99c27a3b9e8a884bbde0e88c63234b669d4398d8
 (3.4.10)
NOTE: See further discussion as per 
https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362783537
+   NOTE: Upstream feels that this is not a vulnerability in 
pycryptodome/python-crypto,
+   NOTE: but in an application using it in an insecure manner.
 CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. 
Improper ...)
NOT-FOR-US: MalwareFox AntiMalware
 CVE-2018-6592 (Unisys Stealth 3.3 Windows endpoints before 3.3.016.1 allow 
local ...)
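Review bot: the added rationale is split mid-sentence across two `NOTE:` lines, and each NOTE line is a separate entry in this format, so the second (`NOTE: but in an application using it in an insecure manner.`) reads as a fragment on its own. Fold it into one line, ideally citing the issuecomment linked just above as the source of that upstream position. The neighbouring context line `NOTE: PyCrytpodome:` also has a transposition (PyCryptodome) worth fixing while here.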



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd006adcdd7c86fc658b4efabf17327a7e8100d6


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1342-1 for ldap-account-manager

2018-04-09 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8868e848 by Brian May at 2018-04-09T17:29:20+10:00
Reserve DLA-1342-1 for ldap-account-manager

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[09 Apr 2018] DLA-1342-1 ldap-account-manager - security update
+   {CVE-2018-8763}
+   [wheezy] - ldap-account-manager 3.7-2+deb7u1
 [09 Apr 2018] DLA-1283-2 python-crypto - security update
[wheezy] - python-crypto 2.6-4+deb7u8
 [06 Apr 2018] DLA-1341-1 sdl-image1.2 - security update


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -57,8 +57,6 @@ lame (Hugo Lefeuvre)
   NOTE: 20180317: Patch available and tested. However I am probably not going 
to upload it since the security team is not
   NOTE: interested in patching Jessie and I evaluate regression risks as non 
negligible.
 --
-ldap-account-manager (Brian May)
---
 leptonlib
   NOTE: more issues like previous ones
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8868e84863c07f81edb7f8a61d67151be5ca0ede


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] No csrf support in wheezy; not affected by CVE-2018-8764

2018-04-09 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7cb3fc9d by Brian May at 2018-04-09T17:22:49+10:00
No csrf support in wheezy; not affected by CVE-2018-8764

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2590,6 +2590,7 @@ CVE-2018-8764 (Roland Gruber Softwareentwicklung LDAP 
Account Manager before 6.3
- ldap-account-manager 6.3-1
[stretch] - ldap-account-manager 5.5-1+deb9u1
[jessie] - ldap-account-manager  (Issue introduced later)
+   [wheezy] - ldap-account-manager  (Issue introduced later)
NOTE: https://www.ldap-account-manager.org/lamcms/node/354
NOTE: 
https://github.com/LDAPAccountManager/lam/commit/993751c7ff0faa07b7c028295152cf9c20349688
 CVE-2018-8763 (Roland Gruber Softwareentwicklung LDAP Account Manager before 
6.3 has ...)
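Review bot: the reason text `(Issue introduced later)` does not say what the commit title does, namely that wheezy's ldap-account-manager has no CSRF support at all. That distinction matters to anyone reading the entry: "introduced later" implies the protection exists and is sound in wheezy, whereas the actual state is that the protection the upstream fix hardens is absent. Record it in the parentheses, e.g. `(Issue introduced later; wheezy has no CSRF protection to bypass)`, so nobody treats the wheezy version as CSRF-safe on the strength of this line.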



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7cb3fc9d37197515b8e35e88304cb682f30c6a1c


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] python-crypto / DLA-1283-2

2018-04-09 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4285bbaa by Brian May at 2018-04-09T17:08:21+10:00
python-crypto / DLA-1283-2

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,5 @@
+[09 Apr 2018] DLA-1283-2 python-crypto - security update
+   [wheezy] - python-crypto 2.6-4+deb7u8
 [06 Apr 2018] DLA-1341-1 sdl-image1.2 - security update
{CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 
CVE-2017-14448 CVE-2017-14450}
[wheezy] - sdl-image1.2 1.2.12-2+deb7u2
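Review bot: DLA-1283-2 records the same wheezy version, `python-crypto 2.6-4+deb7u8`, that the DLA-1283-1 entry in the next hunk already lists. If -2 was a fresh upload the version should have moved (the `+deb7uN` suffix increments per upload); if it was an announcement-only update, say so in a NOTE, otherwise a reader cannot tell which advisory a system at 2.6-4+deb7u8 has actually received.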
@@ -169,7 +171,6 @@
{CVE-2018-3836}
[wheezy] - leptonlib 1.69-3.1+deb7u1
 [15 Feb 2018] DLA-1283-1 python-crypto - security update
-   {CVE-2018-6594}
[wheezy] - python-crypto 2.6-4+deb7u8
 [13 Feb 2018] DLA-1282-1 graphicsmagick - security update
{CVE-2018-6799}
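Review bot: with `{CVE-2018-6594}` removed, neither DLA-1283-1 nor the new DLA-1283-2 entry references a CVE, so data/DLA/list no longer connects either advisory to the issue that prompted it. If the point is that the shipped fix was incomplete (as the dla-needed.txt note removed in the following hunk records), keep the CVE on the advisory and note the incompleteness on the CVE entry instead; dropping the reference makes the partial fix invisible to anyone querying by CVE.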


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -101,10 +101,6 @@ patch
   NOTE: 20180407: of a rabbit-hole with respect all the newer "safe_" foo. I 
suspect if we can just avoid calling
   NOTE: 20180407: make_tempfile (from src/util.c) and safe_unlink (from 
src/safe.c) then we can avoid most of this. (lamby)
 --
-python-crypto
-  NOTE: Incomplete fix for CVE-2018-6594.
-  NOTE: See https://lists.debian.org/debian-lts/2018/02/msg00069.html
---
 qemu
 --
 qemu-kvm



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4285bbaaa3bc5ffccf9d943e48c2957062be08cb


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Fixes for CVE-2018-8763 may be incomplete

2018-04-05 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bf7a5506 by Brian May at 2018-04-06T16:42:13+10:00
Fixes for CVE-2018-8763 may be incomplete

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1508,6 +1508,7 @@ CVE-2018-8763 (Roland Gruber Softwareentwicklung LDAP 
Account Manager before 6.3
NOTE: 
https://github.com/LDAPAccountManager/lam/commit/16fc7f7e8603c5cb7c129cfbf97fc572b9b8740c
NOTE: 
https://github.com/LDAPAccountManager/lam/commit/d4f0d6db966af4dd7d83c978125635f03895b81a
NOTE: https://www.ldap-account-manager.org/lamcms/node/354
+   NOTE: Patches may be incomplete, see 
https://sourceforge.net/p/lam/bugs/196/
 CVE-2018-8762
RESERVED
 CVE-2018-8761 (protected\apps\member\controller\shopcarController.php in Yxcms 
...)
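Review bot: a `Patches may be incomplete` note beside fixed-version records for this CVE means the tracker will show affected packages as fixed while the sourceforge bug says otherwise. The convention used elsewhere in this file (the incomplete fix for CVE-2017-18013 is tracked under CVE-2018-7456) is a separate identifier for the residual issue; if the bug is confirmed, request one and reference it here rather than leaving the caveat only in a NOTE.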



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf7a55065c7621a316f2ba09a4f53ef1114c2ed5


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take ldap-account-manager

2018-04-04 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0acbc544 by Brian May at 2018-04-04T16:49:54+10:00
Take ldap-account-manager

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -53,7 +53,7 @@ lame (Hugo Lefeuvre)
   NOTE: 20180317: Patch available and tested. However I am probably not going 
to upload it since the security team is not
   NOTE: interested in patching Jessie and I evaluate regression risks as non 
negligible.
 --
-ldap-account-manager
+ldap-account-manager (Brian May)
 --
 leptonlib
   NOTE: more issues like previous ones



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0acbc54499e1d0a6978632375de50acdf0e6d41d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add part 2 of patch for CVE-2017-11613

2018-03-17 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
94061894 by Brian May at 2018-03-18T11:50:06+11:00
Add part 2 of patch for CVE-2017-11613

The upstream patch for this was insufficient; added a reworked version.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -40033,7 +40033,8 @@ CVE-2017-11613 (In LibTIFF 4.0.8, there is a denial of 
service vulnerability in 
NOTE: 
https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2724
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1475530
-   NOTE: Upstream fix: 
https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8
+   NOTE: Upstream fix 1/2: 
https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8
+   NOTE: Upstream fix 2/2: 
https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be
 CVE-2017-11612 (In Joomla! before 3.7.4, inadequate filtering of potentially 
malicious ...)
NOT-FOR-US: Joomla!
 CVE-2016-10401 (ZyXEL PK5001Z devices have zyad5001 as the su password, which 
makes it ...)
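Review bot: labelling the two commits `Upstream fix 1/2` and `2/2` presents them as halves of one fix, but the commit message says the first was insufficient and the second is a reworked version. Say which it is in the NOTE (both required, or the second supersedes the first), because a backporter reading only data/CVE/list needs to know whether to carry both patches.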



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9406189451ecfe96ca953716a313d22b8abe9538


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add link to upstream fix for CVE-2017-11613

2018-03-13 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
92764e47 by Brian May at 2018-03-14T17:03:55+11:00
Add link to upstream fix for CVE-2017-11613

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -38535,6 +38535,7 @@ CVE-2017-11613 (In LibTIFF 4.0.8, there is a denial of 
service vulnerability in 
NOTE: 
https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2724
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1475530
+   NOTE: Upstream fix: 
https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8
 CVE-2017-11612 (In Joomla! before 3.7.4, inadequate filtering of potentially 
malicious ...)
NOT-FOR-US: Joomla!
 CVE-2016-10401 (ZyXEL PK5001Z devices have zyad5001 as the su password, which 
makes it ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/92764e4739e5c85f48fe4024a92f550f3630d077


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark postgresql-9.1 CVE-2018-1058 as minor in wheezy

2018-03-12 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c5f9ebda by Brian May at 2018-03-13T08:03:23+11:00
Mark postgresql-9.1 CVE-2018-1058 as minor in wheezy

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -19000,6 +19000,7 @@ CVE-2018-1058 (A flaw was found in the way Postgresql 
allowed a user to modify t
[jessie] - postgresql-9.4  (Minor issue; documentation update 
for recommendations)
- postgresql-9.1 
[jessie] - postgresql-9.1  (postgresql-9.1 in jessie is 
PL/Perl only)
+   [wheezy] - postgresql-9.1  (Minor issue)
NOTE: 
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3d2aed664ee8271fd6c721ed0aa10168cda112ea
NOTE: 
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=582edc369cdbd348d68441fc50fa26a84afd0c1a
NOTE: 
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=5770172cb0c9df9e6ce27c507b449557e5b45124
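Review bot: `(Minor issue)` for wheezy cannot borrow jessie's reasoning, since the jessie line above says postgresql-9.1 there is PL/Perl only, while wheezy's postgresql-9.1 is the full server. The dla-needed.txt note removed in the next hunk was exactly about confirming whether jessie's diagnostic applies to wheezy, so state the wheezy-specific outcome in the parentheses, for instance mirroring the jessie postgresql-9.4 wording `(Minor issue; documentation update for recommendations)` if that is the conclusion.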


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -84,9 +84,6 @@ openjdk-7 (Emilio Pozuelo)
 php5
   NOTE: 20180226: consider reviewing the backlog of issues fixed in jessie to 
see if it is worth fixing a few DOS in the backlog (anarcat)
 --
-postgresql-9.1
-  NOTE: 20180227: confirm jessie's diagnostic (N/A) and see if it applies to 
wheezy. maintainer not contacted yet.
---
 python-crypto
   NOTE: Incomplete fix for CVE-2018-6594.
   NOTE: See https://lists.debian.org/debian-lts/2018/02/msg00069.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5f9ebda154d6ba8d4df17bd05affeff34cd7184


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1303-1 for python-django

2018-03-07 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9dfbe2c3 by Brian May at 2018-03-08T17:09:45+11:00
Reserve DLA-1303-1 for python-django

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[08 Mar 2018] DLA-1303-1 python-django - security update
+   {CVE-2018-7536 CVE-2018-7537}
+   [wheezy] - python-django 1.4.22-1+deb7u4
 [07 Mar 2018] DLA-1302-1 leptonlib - security update
{CVE-2018-7186 CVE-2018-7440}
[wheezy] - leptonlib 1.69-3.1+deb7u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9dfbe2c3ef2e6cf360ff52db075ac2906490c259


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add reference to CVE-2018-7456

2018-03-05 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cd00ba7d by Brian May at 2018-03-06T07:55:00+11:00
Add reference to CVE-2018-7456

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -95,7 +95,7 @@ ruby1.9.1 (Emilio Pozuelo)
 rubygems (Emilio Pozuelo)
 --
 tiff
-  NOTE: incomplete fix of CVE-2017-18013
+  NOTE: incomplete fix of CVE-2017-18013, see CVE-2018-7456.
 --
 tomcat7 (Markus Koschany)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cd00ba7d73df96fa0e3e0f33506940a9d6eb3843


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove libreoffice regression details - wheezy LTS

2018-03-05 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
78b64794 by Brian May at 2018-03-06T07:48:42+11:00
Remove libreoffice regression details - wheezy LTS

I attempted to reproduce this issue - which is presumably a regression
from fixing CVE-2017-3157 (it could also be CVE-2017-7870 which was also
fixed in the same release). I created a file with a chart in Libreoffice
sheet in Wheezy, and then upgraded to the security release version of
libreoffice. I couldn't reproduce the issue, charts worked perfectly.

I also attempted to look up other reports of the same issue and failed.
As a result, I suspect this regression was a one-off, maybe related to
the specific file or the computer it was being run on.

It could also be related to the graphics card driver being used.

Not removing libreoffice entry, because there are two CVEs still
requiring attention.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -61,8 +61,6 @@ libgcrypt11
 libmad (Kurt Roeckx)
 --
 libreoffice
-  NOTE: regression update, see:
-  NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html
 --
 libvorbis (Guido Günther)
   NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback 
on this issue.
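Review bot: deleting the regression NOTEs throws away the pointer to the report, and the finding in the commit message (could not reproduce with a chart in a Wheezy spreadsheet after the security update; no other reports found) ends up only in git history. Replace the two lines with a dated note, e.g. `NOTE: 20180306: regression report in https://lists.debian.org/debian-lts/2017/05/msg00012.html could not be reproduced`, so the next person handling the two remaining CVEs does not redo the investigation.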



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/78b64794f0695b073041f36fc09a692e12e16ac7


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Re-add python-crypto to dla-needed

2018-03-04 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b4e12069 by Brian May at 2018-03-05T08:01:02+11:00
Re-add python-crypto to dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -86,6 +86,10 @@ php5
 postgresql-9.1
   NOTE: 20180227: confirm jessie's diagnostic (N/A) and see if it applies to 
wheezy. maintainer not contacted yet.
 --
+python-crypto
+  NOTE: Incomplete fix for CVE-2018-6594.
+  NOTE: See https://lists.debian.org/debian-lts/2018/02/msg00069.html
+--
 ruby1.9.1 (Emilio Pozuelo)
 --
 rubygems (Emilio Pozuelo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4e1206932357e0799c9ba3e35122b6798205965


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1283-1 for python-crypto

2018-02-14 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
343971b6 by Brian May at 2018-02-15T18:30:28+11:00
Reserve DLA-1283-1 for python-crypto

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[15 Feb 2018] DLA-1283-1 python-crypto - security update
+   {CVE-2018-6594}
+   [wheezy] - python-crypto 2.6-4+deb7u8
 [13 Feb 2018] DLA-1282-1 graphicsmagick - security update
{CVE-2018-6799}
[wheezy] - graphicsmagick 1.3.16-1.1+deb7u18


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -58,8 +58,6 @@ opencv (Thorsten Alteholz)
 --
 openjdk-7 (Emilio Pozuelo)
 --
-python-crypto (Brian May)
---
 suricata (Santiago R.R.)
   NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c
   NOTE: does not exist. Code seems to be in SigMatchSignatures instead.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/343971b672d8d01e26549c5329d0b5233084bf70


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update krb5 in dla-needed.txt

2018-02-11 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cafc63f7 by Brian May at 2018-02-12T17:41:02+11:00
Update krb5 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -24,6 +24,7 @@ icu
 --
 krb5
   NOTE: lts-do-not-call
+  NOTE: Details not public. Yet. See 
https://lists.debian.org/msgid-search/20180208212643.GB7792@pisco.westfalen.local
 --
 lame (Hugo Lefeuvre)
   NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced 
CVE-2017-150{18,45,46}
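Review bot: the new line lacks the `YYYYMMDD:` date prefix that the other dated notes in this file use (`NOTE: 20180317:`, `NOTE: 20180101:` and so on). For an embargoed issue the date matters, because `Details not public. Yet.` only means something relative to when it was written; write it as `NOTE: 20180212: Details not public yet. See ...`.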



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cafc63f7662bd45b7ada581f8f6627c537228bbe


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim python-crypto

2018-02-08 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1d53a0d3 by Brian May at 2018-02-09T16:31:13+11:00
Claim python-crypto

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -58,7 +58,7 @@ opencv (Thorsten Alteholz)
 --
 openjdk-7 (Emilio Pozuelo)
 --
-python-crypto
+python-crypto (Brian May)
 --
 tomcat-native (Markus Koschany)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1d53a0d3c8e07af754570068cca6c6a974543178


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark python2.7 and python2.6 no-dsa for CVE-2018-1000030

2018-02-07 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ca900181 by Brian May at 2018-02-08T07:57:33+11:00
Mark python2.7 and python2.6 no-dsa for CVE-2018-1000030

This has already been done for Jessie and Stretch. Plus upstream thinks
this isn't a security issue.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1269,7 +1269,9 @@ CVE-2018-130 [Heap-Buffer-Overflow and 
Heap-Use-After-Free in Objects/fileob
- python2.7 2.7.14-5
[stretch] - python2.7  (Minor issue)
[jessie] - python2.7  (Minor issue)
+   [wheezy] - python2.7  (Minor issue)
- python2.6 
+   [wheezy] - python2.6  (Minor issue)
NOTE: Original report: https://bugs.python.org/issue31530
NOTE: 
https://bugs.python.org/file47157/0001-stop-crashes-when-iterating-over-a-file-on-multiple-.patch
NOTE: which was followed by a pull request to fix the issue:
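Review bot: the reason for the two wheezy `(Minor issue)` lines, that upstream does not consider CVE-2018-1000030 a security issue, appears only in the commit message; the entry's NOTE lines link the report and the patch but not that assessment. Add a NOTE recording it, with a link to where upstream states it, so the disposition can be re-evaluated if the upstream view changes. Given that the entry title describes a heap buffer overflow and use-after-free, "minor" rests entirely on that assessment, and it should be visible next to the entry.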


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -64,10 +64,6 @@ openjdk-7 (Emilio Pozuelo)
 --
 python-crypto
 --
-python2.6
---
-python2.7 (Abhijith PA)
---
 simplesamlphp (Abhijith PA)
 --
 tomcat-native (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ca9001819334d39944f89b8799ea63c07b0bc502


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2017-17669 ignored in wheezy

2018-02-06 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7bdaf165 by Brian May at 2018-02-07T18:01:04+11:00
Mark CVE-2017-17669 ignored in wheezy

This issue is already marked ignored in Jessie and Stretch. There
doesn't seem to be much point fixing it in Wheezy.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -13458,6 +13458,7 @@ CVE-2017-17669 (There is a heap-based buffer over-read 
in the ...)
- exiv2  (bug #886006)
[stretch] - exiv2  (Minor issue)
[jessie] - exiv2  (Minor issue)
+   [wheezy] - exiv2  (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/187
 CVE-2017-17668
RESERVED


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -17,9 +17,6 @@ dovecot (Thorsten Alteholz)
   NOTE: maintainer and security team are looking into this
   NOTE: probably no-dsa
 --
-exiv2 (Brian May)
-  NOTE: 20180101: built wheezy version with ASAN in jessie and confirmed that 
CVE-2017-17669 applies to wheezy version
---
 icu
   NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in 
Chromium project; report is not visible to the public
 --
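Review bot: the removed NOTE records that the wheezy source was built with ASAN on jessie and confirmed affected by CVE-2017-17669; that verification result disappears with the dla-needed.txt entry. Carry it over as a NOTE under CVE-2017-17669 in data/CVE/list, e.g. "NOTE: 20180101: wheezy version confirmed affected (ASAN build)", so nobody repeats the test when the issue is revisited.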



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7bdaf165e9c6f1830608b9ef94a68a2dff91938f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark dojo minor issue in wheezy

2018-02-06 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c92cd284 by Brian May at 2018-02-07T17:52:29+11:00
Mark dojo minor issue in wheezy

Sanitization of HTML needs to happen server side, not client side.
Hence I don't consider this bug a security issue.  See
https://lists.debian.org/debian-lts/2018/02/msg00019.html for full
explanation.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -575,6 +575,7 @@ CVE-2018-6562
RESERVED
 CVE-2018-6561 (dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload 
attribute ...)
- dojo 
+   [wheezy] - dojo  (Minor issue)
NOTE: https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md
 CVE-2018-6560 (In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 
0.9.x and ...)
- flatpak 0.10.3-1 (bug #42)
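Review bot: the "(Minor issue)" annotation gives no hint of the reasoning in the commit message (sanitisation must happen server side, so an XSS confined to the client-side editor is not treated as crossing a security boundary); add the debian-lts thread URL from the commit message as a NOTE line under CVE-2018-6561, next to the existing upstream write-up link, so the rationale travels with the entry and not only with the git log.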


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,8 +12,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 --
 clamav (Thorsten Alteholz)
 --
-dojo
---
 dovecot (Thorsten Alteholz)
   NOTE: after applying the patch, login segfaults
   NOTE: maintainer and security team are looking into this



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c92cd28471b90afd554ace9f48fb85b906ce8fdf


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1244-1 for ca-certificates

2018-01-15 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
521680a4 by Brian May at 2018-01-16T07:33:12+11:00
Reserve DLA-1244-1 for ca-certificates

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,5 @@
+[16 Jan 2018] DLA-1244-1 ca-certificates - security update
+   [wheezy] - ca-certificates 20130119+deb7u2
 [15 Jan 2018] DLA-1243-1 xbmc - security update
{CVE-2017-8314}
[wheezy] - xbmc 2:11.0~git20120510.82388d5-1+deb7u1


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -10,10 +10,6 @@ this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
-ca-certificates (Brian May)
-  NOTE: 20170719: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
-  NOTE: 20171013: pinged maintainer: 
https://lists.debian.org/87efpuc95w@curie.anarc.at (anarcat)
---
 couchdb (Thorsten Alteholz)
   NOTE: Only in wheezy, we are on our own.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/521680a494f94a2cd549b1034b0378c2590ef02d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim ca-certificates

2018-01-14 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0bba4034 by Brian May at 2018-01-15T07:53:45+11:00
Claim ca-certificates

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -10,7 +10,7 @@ this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
-ca-certificates
+ca-certificates (Brian May)
   NOTE: 20170719: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
   NOTE: 20171013: pinged maintainer: 
https://lists.debian.org/87efpuc95w@curie.anarc.at (anarcat)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0bba40347619f68fe4d72f372e7819d802ba9254


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take exiv2

2018-01-11 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6952d7a6 by Brian May at 2018-01-12T14:53:59+11:00
Take exiv2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -17,7 +17,7 @@ ca-certificates
 couchdb (Thorsten Alteholz)
   NOTE: Only in wheezy, we are on our own.
 --
-exiv2
+exiv2 (Brian May)
   NOTE: 20180101: built wheezy version with ASAN in jessie and confirmed that 
CVE-2017-17669 applies to wheezy version
 --
 icu



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6952d7a693139d8c0dadc719cfabde8137ffcc1f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Replace with http link to email

2018-01-09 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d1b0403d by Brian May at 2018-01-10T17:47:39+11:00
Replace with http link to email

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -54,7 +54,7 @@ opencv (Thorsten Alteholz)
 --
 poco
   NOTE: Is library; only reverse dependancy in wheezy is sitplus.
-  NOTE: 20180109: Maintainer working on it, see <20180109084423.GT17182@vis>
+  NOTE: 20180109: Maintainer working on it, see 
http://lists.debian.org/20180109084423.GT17182@vis
 --
 smarty3 (Chris Lamb)
   NOTE: 20180108: Maintainer will take care of it, but ping in 6d. (lamby)
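Review bot: the new reference uses http:// while the other list references in this file (the ca-certificates notes, for example) use https://lists.debian.org; use the https form so the link is consistent and is not fetched over plain HTTP. lists.debian.org/<message-id> is also a redirect, so the resolved archive-style https://lists.debian.org/debian-lts/... URL used elsewhere in the file is the more stable form to record.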



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1b0403d16d1a97889089610ba6932bfb5b6e0c8


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1238-1 for awstats

2018-01-09 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
558f3663 by Brian May at 2018-01-10T16:55:38+11:00
Reserve DLA-1238-1 for awstats

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[10 Jan 2018] DLA-1238-1 awstats - security update
+   {CVE-2017-1000501}
+   [wheezy] - awstats 7.0~dfsg-7+deb7u1
 [09 Jan 2018] DLA-1237-1 plexus-utils2 - security update
{CVE-2017-1000487}
[wheezy] - plexus-utils2 2.0.5-1+deb7u1


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -10,8 +10,6 @@ this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
-awstats (Brian May)
---
 ca-certificates
   NOTE: 20170719: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
   NOTE: 20171013: pinged maintainer: 
https://lists.debian.org/87efpuc95w@curie.anarc.at (anarcat)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/558f366328a1036b915d853845fa213abd827e62


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add details for poco

2018-01-08 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4258c7b5 by Brian May at 2018-01-09T08:08:35+11:00
Add details for poco

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -57,6 +57,7 @@ plexus-utils (Markus Koschany)
 plexus-utils2 (Markus Koschany)
 --
 poco
+  NOTE: Is library; only reverse dependancy in wheezy is sitplus.
 --
 smarty3 (Chris Lamb)
   NOTE: 20180108: Maintainer will take care of it, but ping in 6d. (lamby)
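Review bot: "dependancy" should be "dependency" in the added NOTE. The content is the right kind of triage data: with sitplus as the only reverse dependency in wheezy, the exposure of the poco issues is bounded by that single consumer, which is worth stating explicitly when the fix-or-no-dsa decision is recorded.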



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4258c7b5aa7b6912a2d156e9b9535b57834fdc3d


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update wordpress information

2018-01-08 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
acd4972f by Brian May at 2018-01-09T07:53:20+11:00
Update wordpress information

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -70,5 +70,9 @@ tiff (Roberto C. Sánchez)
 tiff3 (Roberto C. Sánchez)
 --
 wordpress
-  NOTE: 2017-12-25: Fix requires migrating users from MD5 -> bcrypt. (lamby)
+  NOTE: CVE-2012-6707: Fix requires migrating users from MD5 -> bcrypt. (lamby)
+  NOTE: This needs an upstream fix first, to ensure we don't implement a
+  NOTE: solution that is incompatable with other distributions. (Brian)
+  NOTE: 2018-08-09: Upstream bug opened 6 years ago and no chages to upstream
+  NOTE: bug in 7 weeks.
 --
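Review bot: the added NOTE is dated 2018-08-09, seven months after this commit's own timestamp of 2018-01-09, so it is almost certainly meant to read 20180109 in the date convention the other entries use. Two typos in the added lines: "incompatable" should be "incompatible" and "chages" should be "changes". Replacing the "2017-12-25" date with "CVE-2012-6707" also drops when lamby made the observation; keeping both (e.g. "CVE-2012-6707, 2017-12-25:") preserves the timeline.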



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/acd4972ff2095a2dd980ce31a0b46473cbf8b2bc


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim awstats

2018-01-07 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
75b6a50e by Brian May at 2018-01-08T17:55:27+11:00
Claim awstats

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -10,7 +10,7 @@ this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
-awstats
+awstats (Brian May)
 --
 ca-certificates
   NOTE: 20170719: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/75b6a50e7b0543c1ae642ed8c0aebd47b0c9e858


[Secure-testing-commits] r58556 - data/CVE

2017-12-13 Thread Brian May
Author: bam
Date: 2017-12-14 05:24:38 + (Thu, 14 Dec 2017)
New Revision: 58556

Modified:
   data/CVE/list
Log:
CVE-2017-11613 add reference to redhat bug

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-14 04:51:04 UTC (rev 58555)
+++ data/CVE/list   2017-12-14 05:24:38 UTC (rev 58556)
@@ -20343,6 +20343,7 @@
- tiff3 
NOTE: 
https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2724
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1475530
 CVE-2017-11612 (In Joomla! before 3.7.4, inadequate filtering of potentially 
malicious ...)
NOT-FOR-US: Joomla!
 CVE-2016-10401 (ZyXEL PK5001Z devices have zyad5001 as the su password, which 
makes it ...)
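Review bot: the Red Hat bugzilla URL is re-added as a bare reference, but the earlier form of this entry (visible in the r58509 context) spelled out that Red Hat marked the report NOTABUG and that NOTABUG there usually means they do not intend to address it; without that sentence a reader following the link has to rediscover why the report is closed. Restore a one-line qualifier such as "NOTE: Red Hat marked this NOTABUG: <url>".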




[Secure-testing-commits] r58555 - data/CVE

2017-12-13 Thread Brian May
Author: bam
Date: 2017-12-14 04:51:04 + (Thu, 14 Dec 2017)
New Revision: 58555

Modified:
   data/CVE/list
Log:
Update reference to upstream bug for CVE-2017-11613

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-13 22:07:37 UTC (rev 58554)
+++ data/CVE/list   2017-12-14 04:51:04 UTC (rev 58555)
@@ -20342,7 +20342,7 @@
- tiff  (bug #869823)
- tiff3 
NOTE: 
https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f
-   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2762
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2724
 CVE-2017-11612 (In Joomla! before 3.7.4, inadequate filtering of potentially 
malicious ...)
NOT-FOR-US: Joomla!
 CVE-2016-10401 (ZyXEL PK5001Z devices have zyad5001 as the su password, which 
makes it ...)
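Review bot: bug 2762 is the report that the r58509 log describes as newly created for CVE-2017-11613, and this commit swaps it for 2724 without saying why; if 2724 is a pre-existing upstream report for the same issue, 2762 is a duplicate that should be closed upstream, and the log message should record that so the two numbers are not confused again.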




[Secure-testing-commits] r58509 - data/CVE

2017-12-12 Thread Brian May
Author: bam
Date: 2017-12-13 06:31:00 + (Wed, 13 Dec 2017)
New Revision: 58509

Modified:
   data/CVE/list
Log:
Created and referenced upstream bug for CVE-2017-11613

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-13 06:17:30 UTC (rev 58508)
+++ data/CVE/list   2017-12-13 06:31:00 UTC (rev 58509)
@@ -20069,6 +20069,7 @@
NOTE: Red Hat marked this NOTABUG: 
https://bugzilla.redhat.com/show_bug.cgi?id=1475530
NOTE: NOTABUG in RHEL context only means in most cases that Red Hat 
does not intent
NOTE: to address this issue.
+   NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2762
 CVE-2017-11612 (In Joomla! before 3.7.4, inadequate filtering of potentially 
malicious ...)
NOT-FOR-US: Joomla!
 CVE-2016-10401 (ZyXEL PK5001Z devices have zyad5001 as the su password, which 
makes it ...)
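Review bot: the added NOTE gives only the bugzilla URL; since the log says the submitter created this report, prefix it (e.g. "NOTE: upstream bug:") so it is distinguishable from the third-party references above it. In the surrounding context, "does not intent" should read "does not intend".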




[Secure-testing-commits] r58510 - in data: . CVE

2017-12-12 Thread Brian May
Author: bam
Date: 2017-12-13 06:31:15 + (Wed, 13 Dec 2017)
New Revision: 58510

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Mark tiff3 in wheezy as not vulnerable to CVE-2017-9935

Modified: data/CVE/list
===
--- data/CVE/list   2017-12-13 06:31:00 UTC (rev 58509)
+++ data/CVE/list   2017-12-13 06:31:15 UTC (rev 58510)
@@ -23264,6 +23264,7 @@
 CVE-2017-9935 (In LibTIFF 4.0.8, there is a heap-based buffer overflow in the 
...)
- tiff  (bug #866109)
- tiff3 
+   [wheezy] - tiff3  (does not build vulnerable tiff2pdf)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2704
 CVE-2017-9934 (Missing CSRF token checks and improper input validation in 
Joomla! CMS ...)
NOT-FOR-US: Joomla

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-13 06:31:00 UTC (rev 58509)
+++ data/dla-needed.txt 2017-12-13 06:31:15 UTC (rev 58510)
@@ -97,10 +97,6 @@
   NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
   NOTE: 20171210: likely to be turned into a pkg with limited sec support
 --
-tiff3 (Brian May)
-  NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
-  NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
---
 tor
 --
 wireshark (Thorsten Alteholz)
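Review bot: the removed entry tracked two issues for tiff3, CVE-2017-9935 and CVE-2017-11613, but this commit resolves only CVE-2017-9935 (tiff3 does not build tiff2pdf). Unless CVE-2017-11613 has been marked no-dsa or not-affected for tiff3 in wheezy elsewhere, dropping the whole entry leaves that CVE without an owner; keep the entry with the remaining NOTE or record the CVE-2017-11613 decision in data/CVE/list in the same commit.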




[Secure-testing-commits] r58503 - in data: . DLA

2017-12-12 Thread Brian May
Author: bam
Date: 2017-12-12 21:16:41 + (Tue, 12 Dec 2017)
New Revision: 58503

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-1206-1 for tiff

Modified: data/DLA/list
===
--- data/DLA/list   2017-12-12 21:12:19 UTC (rev 58502)
+++ data/DLA/list   2017-12-12 21:16:41 UTC (rev 58503)
@@ -1,3 +1,6 @@
+[13 Dec 2017] DLA-1206-1 tiff - security update
+   {CVE-2017-9935}
+   [wheezy] - tiff 4.0.2-6+deb7u17
 [12 Dec 2017] DLA-1205-1 simplesamlphp - security update
{CVE-2017-12867 CVE-2017-12868 CVE-2017-12869 CVE-2017-12872 
CVE-2017-12873 CVE-2017-12874}
[wheezy] - simplesamlphp 1.9.2-1+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-12-12 21:12:19 UTC (rev 58502)
+++ data/dla-needed.txt 2017-12-12 21:16:41 UTC (rev 58503)
@@ -97,10 +97,6 @@
   NOTE: 20171118: At least CVE-2017-16797 is present. (lamby)
   NOTE: 20171210: likely to be turned into a pkg with limited sec support
 --
-tiff (Brian May)
-  NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
-  NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
---
 tiff3 (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
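Review bot: DLA-1206-1 lists only CVE-2017-9935, yet the tiff entry being removed also tracked CVE-2017-11613 as "no upstream fix"; removing the entry in the same commit as the reservation implies CVE-2017-11613 is resolved for tiff in wheezy, which the DLA does not claim. Either keep the tiff entry with the CVE-2017-11613 note or mark that CVE no-dsa for wheezy so the state is explicit.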




[Secure-testing-commits] r57519 - data

2017-11-09 Thread Brian May
Author: bam
Date: 2017-11-10 06:42:22 + (Fri, 10 Nov 2017)
New Revision: 57519

Modified:
   data/dla-needed.txt
Log:
Take tiff

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-10 05:27:39 UTC (rev 57518)
+++ data/dla-needed.txt 2017-11-10 06:42:22 UTC (rev 57519)
@@ -102,11 +102,11 @@
 suricata
   NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. 
--lamby
 --
-tiff
+tiff (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
 --
-tiff3
+tiff3 (Brian May)
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
   NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
 --




[Secure-testing-commits] r57433 - data

2017-11-07 Thread Brian May
Author: bam
Date: 2017-11-08 06:20:13 + (Wed, 08 Nov 2017)
New Revision: 57433

Modified:
   data/dla-needed.txt
Log:
Clarify 2 CVEs open for tiff, only one marked NOTABUG

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-08 06:09:22 UTC (rev 57432)
+++ data/dla-needed.txt 2017-11-08 06:20:13 UTC (rev 57433)
@@ -109,7 +109,8 @@
   NOTE: 2017-10-27: At a quick glance, I can't see that this is vulnerable. 
--lamby
 --
 tiff
-  NOTE: no upstream fix, CVE-2017-11613 "not a bug" according to RH -- anarcat 
2017-10-24
+  NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06
+  NOTE: CVE-2017-11613: no upstream fix, "not a bug" according to RH -- 
anarcat 2017-10-24
 --
 tiff3
   NOTE: CVE-2017-9935: no upstream fix -- Brian May 2017-11-06




[Secure-testing-commits] r57356 - in data: . CVE

2017-11-05 Thread Brian May
Author: bam
Date: 2017-11-06 04:39:52 + (Mon, 06 Nov 2017)
New Revision: 57356

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Mark pngcrush no-DSA

It is already no-DSA for Stretch and Jessie.

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-06 04:26:08 UTC (rev 57355)
+++ data/CVE/list   2017-11-06 04:39:52 UTC (rev 57356)
@@ -81325,6 +81325,7 @@
- pngcrush  (bug #874109)
[stretch] - pngcrush  (Minor issue)
[jessie] - pngcrush  (Minor issue)
+   [wheezy] - pngcrush  (Minor issue)
NOTE: 
http://sourceforge.net/p/pmt/code/ci/e8ae5a842e86324f0bee91f4d98245fddb8ea5dd 
(1.7.87)
 CVE-2015-7697 (Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of 
...)
{DSA-3386-1 DLA-330-1}

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-11-06 04:26:08 UTC (rev 57355)
+++ data/dla-needed.txt 2017-11-06 04:39:52 UTC (rev 57356)
@@ -79,10 +79,6 @@
   NOTE: I assume Kurt Roeckx will take care of it again.
   NOTE: 1.0.1t-1+deb7u3 by Kurt Roeckx, DLA number already reserved, but 
upload missing
 --
-pngcrush
-  NOTE: CVE-2015-7700: the problematic call to png_free_data() is present
-  NOTE: in wheezy but it's not clear to me where the other call to free() is.
---
 poppler (Emilio Pozuelo)
   NOTE: not fixed in sid yet so did not ping maintainer
   NOTE: drawForm is doForm1 in wheezy
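Review bot: the removed NOTE records an unfinished code-level analysis (the png_free_data() call is present in wheezy, the second free() site was not located); the new "(Minor issue)" tag in data/CVE/list carries none of that. Move the finding into a NOTE under the CVE-2015-7700 entry so the next person looking at pngcrush in wheezy starts from it instead of redoing the analysis.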




[Secure-testing-commits] r56852 - in data: . DLA

2017-10-19 Thread Brian May
Author: bam
Date: 2017-10-19 07:11:06 + (Thu, 19 Oct 2017)
New Revision: 56852

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Another security update for graphicsmagick

Modified: data/DLA/list
===
--- data/DLA/list   2017-10-19 07:10:59 UTC (rev 56851)
+++ data/DLA/list   2017-10-19 07:11:06 UTC (rev 56852)
@@ -1,3 +1,6 @@
+[19 Oct 2017] DLA-1140-1 graphicsmagick - security update
+   {CVE-2017-13737 CVE-2017-15277}
+   [wheezy] - graphicsmagick 1.3.16-1.1+deb7u11
 [19 Oct 2017] DLA-1139-1 imagemagick - security update
{CVE-2017-15277 CVE-2017-15281}
[wheezy] - imagemagick 8:6.7.7.10-5+deb7u18

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-10-19 07:10:59 UTC (rev 56851)
+++ data/dla-needed.txt 2017-10-19 07:11:06 UTC (rev 56852)
@@ -30,8 +30,6 @@
 --
 golang
 --
-graphicsmagick (Brian May)
---
 icedove
   NOTE: Guido Gunter has promised to handle this once a version is available 
for sid.
 --




[Secure-testing-commits] r56851 - data

2017-10-19 Thread Brian May
Author: bam
Date: 2017-10-19 07:10:59 + (Thu, 19 Oct 2017)
New Revision: 56851

Modified:
   data/dla-needed.txt
Log:
Reclaim graphicsmagick again

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-10-19 05:24:03 UTC (rev 56850)
+++ data/dla-needed.txt 2017-10-19 07:10:59 UTC (rev 56851)
@@ -30,7 +30,7 @@
 --
 golang
 --
-graphicsmagick
+graphicsmagick (Brian May)
 --
 icedove
   NOTE: Guido Gunter has promised to handle this once a version is available 
for sid.




[Secure-testing-commits] r56565 - in data: . DLA

2017-10-10 Thread Brian May
Author: bam
Date: 2017-10-10 07:34:52 + (Tue, 10 Oct 2017)
New Revision: 56565

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
wheezy update of graphicsmagick

Modified: data/DLA/list
===
--- data/DLA/list   2017-10-10 06:04:41 UTC (rev 56564)
+++ data/DLA/list   2017-10-10 07:34:52 UTC (rev 56565)
@@ -1,3 +1,6 @@
+[10 Oct 2017] DLA-1130-1 graphicsmagick - security update
+   {CVE-2017-14103 CVE-2017-14314 CVE-2017-14504 CVE-2017-14733 
CVE-2017-14994 CVE-2017-14997}
+   [wheezy] - graphicsmagick 1.3.16-1.1+deb7u10
 [08 Oct 2017] DLA-1129-1 qemu - security update
{CVE-2017-14167 CVE-2017-15038}
[wheezy] - qemu 1.1.2+dfsg-6+deb7u24

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-10-10 06:04:41 UTC (rev 56564)
+++ data/dla-needed.txt 2017-10-10 07:34:52 UTC (rev 56565)
@@ -39,8 +39,6 @@
 --
 golang
 --
-graphicsmagick (Brian May)
---
 imagemagick (Roberto C. Sánchez)
 --
 lame (Hugo Lefeuvre)



[Secure-testing-commits] r55987 - tools/git-migration

2017-09-21 Thread Brian May
Author: bam
Date: 2017-09-21 22:25:01 + (Thu, 21 Sep 2017)
New Revision: 55987

Modified:
   tools/git-migration/AUTHORS.txt
Log:
Change my preferred email address

I also updated my alioth email address, which appears to have been the
source for this data.

Modified: tools/git-migration/AUTHORS.txt
===
--- tools/git-migration/AUTHORS.txt 2017-09-21 21:19:20 UTC (rev 55986)
+++ tools/git-migration/AUTHORS.txt 2017-09-21 22:25:01 UTC (rev 55987)
@@ -16,7 +16,7 @@
 atomo64-guest = Raphael Geissert 
 aurel32 = Aurelien Jarno 
 aw-guest = Arne Wichmann 
-bam = Brian May 
+bam = Brian May 
 baruch = Baruch Even 
 benh = Ben Hutchings 
 bertagaz-guest = Bert Agaz 
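Review bot: the removed and added lines read identically in this archive because the e-mail addresses have been stripped from both, so the actual change cannot be reviewed from this message; anyone verifying the AUTHORS.txt mapping for the git migration should look at r55987 in the repository rather than at this rendering.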




[Secure-testing-commits] r55530 - data

2017-09-07 Thread Brian May
Author: bam
Date: 2017-09-07 07:31:16 + (Thu, 07 Sep 2017)
New Revision: 55530

Modified:
   data/dla-needed.txt
Log:
Take graphicsmagick

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-09-07 06:06:05 UTC (rev 55529)
+++ data/dla-needed.txt 2017-09-07 07:31:16 UTC (rev 55530)
@@ -61,7 +61,7 @@
   NOTE: wheezy version. I cannot reproduce it, needs to find a way to check
   NOTE: whether wheezy version is affected. (kanashiro)
 --
-graphicsmagick
+graphicsmagick (Brian May)
 --
 imagemagick
 --




[Secure-testing-commits] r55503 - data

2017-09-06 Thread Brian May
Author: bam
Date: 2017-09-06 07:29:13 + (Wed, 06 Sep 2017)
New Revision: 55503

Modified:
   data/dla-needed.txt
Log:
Add note to simplesamlphp

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-09-06 07:03:17 UTC (rev 55502)
+++ data/dla-needed.txt 2017-09-06 07:29:13 UTC (rev 55503)
@@ -155,6 +155,8 @@
   NOTE: test package available, see 
https://lists.debian.org/87h8wkzyos@curie.anarc.at
 --
 simplesamlphp
+  NOTE: 2017-09-04: Maintainer will handle this.
+  NOTE: https://lists.debian.org/debian-lts/2017/09/msg00010.html
 --
 sox
   NOTE: No patches. Contacted upstream. Waiting for feedback




[Secure-testing-commits] r55502 - data/CVE

2017-09-06 Thread Brian May
Author: bam
Date: 2017-09-06 07:03:17 + (Wed, 06 Sep 2017)
New Revision: 55502

Modified:
   data/CVE/list
Log:
Add links to upstream fixes

Modified: data/CVE/list
===
--- data/CVE/list   2017-09-06 06:57:12 UTC (rev 55501)
+++ data/CVE/list   2017-09-06 07:03:17 UTC (rev 55502)
@@ -242,14 +242,17 @@
[jessie] - asterisk  (Vulnerable code not present; issue 
introduced in 13.15)
[wheezy] - asterisk  (Vulnerable code not present; issue 
introduced in 13.15)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27152
+   NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27152
 CVE-2017-14100 (In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x 
before ...)
{DSA-3964-1}
- asterisk 1:13.17.1~dfsg-1 (bug #873908)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27103
+   NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27103
 CVE-2017-14099 (In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 
13.x before ...)
{DSA-3964-1}
- asterisk 1:13.17.1~dfsg-1 (bug #873907)
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27013
+   NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27013
 CVE-2017-14077
RESERVED
 CVE-2017-14076 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id 
...)
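Review bot: the three added "Fix:" references are Gerrit topic queries (#/q/topic:ASTERISK-27152 and siblings); these are client-side search URLs that return whatever currently carries the topic, not fixed commits, and they break if Gerrit's UI routing changes. Recording the specific change or commit IDs alongside the query would give a stable reference for anyone backporting to wheezy or jessie.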




[Secure-testing-commits] r51565 - in data: . CVE

2017-05-12 Thread Brian May
Author: bam
Date: 2017-05-12 07:19:46 + (Fri, 12 May 2017)
New Revision: 51565

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Update potrace information

CVE-2016-8686 was marked no-dsa for wheezy, so that comment in
dla-needed.txt is no longer applicable. However there is now
CVE-2017-7263 open, so not removing the entry.

Modified: data/CVE/list
===
--- data/CVE/list   2017-05-12 06:20:08 UTC (rev 51564)
+++ data/CVE/list   2017-05-12 07:19:46 UTC (rev 51565)
@@ -27322,8 +27322,7 @@
[wheezy] - potrace  (Minor issue)
NOTE: 
https://blogs.gentoo.org/ago/2016/08/29/potrace-memory-allocation-failure
NOTE: http://potrace.sourceforge.net/ChangeLog claims that it's fixed 
in 1.14
-   NOTE: There's no public repository so patch is hard to extract.
-   NOTE: I asked the patch to the upstream author. -- Raphael Hertzog
+   NOTE: but see https://lists.debian.org/debian-lts/2017/05/msg00032.html
 CVE-2016-8685 (The findnext function in decompose.c in potrace 1.13 allows 
remote ...)
{DLA-889-1}
- potrace 1.13-3 (bug #843861)
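Review bot: the two removed NOTE lines (no public repository, patch requested from upstream) are replaced by a bare "but see <list URL>", so a reader now has to open the thread to learn what changed. Summarise the thread's conclusion in the NOTE itself and keep the URL as the citation, so the entry stays useful if the archive link moves.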

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-12 06:20:08 UTC (rev 51564)
+++ data/dla-needed.txt 2017-05-12 07:19:46 UTC (rev 51565)
@@ -89,8 +89,6 @@
 postgresql-8.4
 --
 potrace
-  NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not
-  NOTE: a bug (see #843861).
 --
 putty
   NOTE: 2017-04-14: CVE-2017-6542 is only exploitable by a malicious server
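Review bot: dropping both NOTE lines leaves the `potrace` entry in dla-needed.txt with no recorded reason for staying on the list; the commit message explains that CVE-2016-8686 is now no-dsa but CVE-2017-7263 is still open, and that rationale belongs in the file, e.g. `  NOTE: CVE-2016-8686 is no-dsa in wheezy; CVE-2017-7263 still open.`, since tracker users do not see the VCS log.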




[Secure-testing-commits] r51566 - data

2017-05-12 Thread Brian May
Author: bam
Date: 2017-05-12 07:19:52 +0000 (Fri, 12 May 2017)
New Revision: 51566

Modified:
   data/dla-needed.txt
Log:
mysql-connector-python update comments

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-12 07:19:46 UTC (rev 51565)
+++ data/dla-needed.txt 2017-05-12 07:19:52 UTC (rev 51566)
@@ -74,7 +74,10 @@
   NOTE: upload the new version for Wheezy as well.
 --
 mysql-connector-python
-  NOTE: Brian May is one of the maintainers
+  NOTE: No patch to apply. Upstream has released new upstream version 2.1.6
+  NOTE: with claimed fixes. Diff from prior version is 2198 lines long and
+  NOTE: has 8 different bugs fixed. Only 2 reverse dependancies:
+  NOTE: mysql-utilities and mysql-workbench.
 --
 mysql-workbench
   NOTE: maintainer contacted 20170429
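Review bot: spelling in the third added NOTE line: `dependancies` should be `dependencies`. The first two lines also repeat themselves (`Upstream has released new upstream version 2.1.6`); `Upstream has released version 2.1.6 with claimed fixes` is enough. It would help to name the CVEs that 2.1.6 claims to fix, because "8 different bugs fixed" in a 2198-line diff gives the next person no way to match the release against the open tracker entries.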




[Secure-testing-commits] r51525 - in data: . CVE

2017-05-11 Thread Brian May
Author: bam
Date: 2017-05-11 07:01:10 +0000 (Thu, 11 May 2017)
New Revision: 51525

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Mark binutils no-dsa for wheezy

These are minor issues only. See
https://lists.debian.org/debian-lts/2017/05/msg00031.html

Modified: data/CVE/list
===
--- data/CVE/list   2017-05-11 06:45:58 UTC (rev 51524)
+++ data/CVE/list   2017-05-11 07:01:10 UTC (rev 51525)
@@ -1170,26 +1170,31 @@
 CVE-2017-8397 (The Binary File Descriptor (BFD) library (aka libbfd), as 
distributed ...)
- binutils 2.28-5
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21434
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfb4c009b9cb2
 CVE-2017-8396 (The Binary File Descriptor (BFD) library (aka libbfd), as 
distributed ...)
- binutils 2.28-5
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21432
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab
 CVE-2017-8395 (The Binary File Descriptor (BFD) library (aka libbfd), as 
distributed ...)
- binutils 2.28-5
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21431
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3
 CVE-2017-8394 (The Binary File Descriptor (BFD) library (aka libbfd), as 
distributed ...)
- binutils 2.28-5
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21414
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2
 CVE-2017-8393 (The Binary File Descriptor (BFD) library (aka libbfd), as 
distributed ...)
- binutils 2.28-5
[jessie] - binutils  (Minor issue)
+   [wheezy] - binutils  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21412
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3
 CVE-2017-8392 (The Binary File Descriptor (BFD) library (aka libbfd), as 
distributed ...)
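Review bot: each of the five added `[wheezy] - binutils  (Minor issue)` lines records the triage decision but not its justification; the commit message cites https://lists.debian.org/debian-lts/2017/05/msg00031.html, and the convention used elsewhere in this series (compare the potrace and heimdal entries) is a `NOTE: See <thread>` line next to the no-dsa marker, so add that pointer to at least one of these entries so the reasoning survives in the data file and not only in the VCS log.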

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-11 06:45:58 UTC (rev 51524)
+++ data/dla-needed.txt 2017-05-11 07:01:10 UTC (rev 51525)
@@ -15,9 +15,6 @@
 --
 bind9 (Thorsten Alteholz)
 --
-binutils
-  NOTE: Marked no-dsa in Jessie.
---
 ca-certificates
   NOTE: maintainer will handle the upload, see 
https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org
 --




[Secure-testing-commits] r51478 - data

2017-05-10 Thread Brian May
Author: bam
Date: 2017-05-10 07:36:28 +0000 (Wed, 10 May 2017)
New Revision: 51478

Modified:
   data/dla-needed.txt
Log:
Add comment to binutils entry

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-10 07:31:49 UTC (rev 51477)
+++ data/dla-needed.txt 2017-05-10 07:36:28 UTC (rev 51478)
@@ -16,6 +16,7 @@
 bind9 (Thorsten Alteholz)
 --
 binutils
+  NOTE: Marked no-dsa in Jessie.
 --
 ca-certificates
   NOTE: maintainer will handle the upload, see 
https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org




[Secure-testing-commits] r51477 - data

2017-05-10 Thread Brian May
Author: bam
Date: 2017-05-10 07:31:49 +0000 (Wed, 10 May 2017)
New Revision: 51477

Modified:
   data/dla-needed.txt
Log:
Add comment for eglibc

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-10 06:33:27 UTC (rev 51476)
+++ data/dla-needed.txt 2017-05-10 07:31:49 UTC (rev 51477)
@@ -21,6 +21,7 @@
   NOTE: maintainer will handle the upload, see 
https://lists.debian.org/1acb8e97-8c9f-8b54-348c-0c12f53a8...@pbandjelly.org
 --
 eglibc
+  NOTE: Patch available, however not yet applied upstream.
 --
 firefox-esr (Emilio Pozuelo)
   NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is 
now
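Review bot: the added `NOTE: Patch available, however not yet applied upstream.` for eglibc gives no pointer to the patch or to the upstream submission, so nobody else can pick the entry up without rediscovering it; add the URL (upstream bug, mailing-list post or commit) and, as other entries in this file do, a date stamp such as `20170510:` so that "not yet applied" can later be judged for staleness.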




[Secure-testing-commits] r51404 - in data: . CVE

2017-05-08 Thread Brian May
Author: bam
Date: 2017-05-08 07:29:50 +0000 (Mon, 08 May 2017)
New Revision: 51404

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Unclaim xbmc and add links to debian-lts posts

Modified: data/CVE/list
===
--- data/CVE/list   2017-05-08 06:35:10 UTC (rev 51403)
+++ data/CVE/list   2017-05-08 07:29:50 UTC (rev 51404)
@@ -7798,6 +7798,8 @@
NOTE: http://seclists.org/fulldisclosure/2017/Feb/27
NOTE: http://trac.kodi.tv/ticket/17314
NOTE: https://lists.debian.org/debian-lts/2017/04/msg00025.html
+   NOTE: https://lists.debian.org/debian-lts/2017/04/msg00055.html (and 
followups)
+   NOTE: https://lists.debian.org/debian-lts/2017/05/msg6.html
 CVE-2017-5681 (The RSA-CRT implementation in the Intel QuickAssist Technology 
(QAT) ...)
NOT-FOR-US: Intel QuickAssist Technology (QAT) Engine
 CVE-2017-6056 (It was discovered that a programming error in the processing of 
HTTPS ...)

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-08 06:35:10 UTC (rev 51403)
+++ data/dla-needed.txt 2017-05-08 07:29:50 UTC (rev 51404)
@@ -116,7 +116,7 @@
 --
 wordpress (Chris Lamb)
 --
-xbmc (Brian May)
+xbmc
   NOTE: Reproduced: https://lists.debian.org/debian-lts/2017/04/msg00025.html
   NOTE: no upstream fix, may require refactoring
 --




[Secure-testing-commits] r51349 - data

2017-05-05 Thread Brian May
Author: bam
Date: 2017-05-05 07:31:27 +0000 (Fri, 05 May 2017)
New Revision: 51349

Modified:
   data/dla-needed.txt
Log:
Remove Heimdal from dla-needed.txt

Since I marked it no-dsa.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-05 07:30:11 UTC (rev 51348)
+++ data/dla-needed.txt 2017-05-05 07:31:27 UTC (rev 51349)
@@ -31,9 +31,6 @@
 gnome-shell (Emilio Pozuelo)
   NOTE: Emilio Pozuelo is one of the uploaders
 --
-heimdal
-  NOTE: Brian May is the maintainer
---
 icu (Thorsten Alteholz)
 --
 jasper (Thorsten Alteholz)




[Secure-testing-commits] r51348 - data/CVE

2017-05-05 Thread Brian May
Author: bam
Date: 2017-05-05 07:30:11 +0000 (Fri, 05 May 2017)
New Revision: 51348

Modified:
   data/CVE/list
Log:
Attempts to fix Heimdal in wheezy/Jessie unsuccessful

Modified: data/CVE/list
===
--- data/CVE/list   2017-05-05 06:21:06 UTC (rev 51347)
+++ data/CVE/list   2017-05-05 07:30:11 UTC (rev 51348)
@@ -5831,8 +5831,10 @@
 CVE-2017-6594 [transit path validation]
RESERVED
- heimdal 7.1.0+dfsg-12
-   [jessie] - heimdal  (Minor issue, can be fixed via point 
release)
+   [jessie] - heimdal  (Minor issue)
+   [wheezy] - heimdal  (Minor issue)
NOTE: 
https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
+   NOTE: See https://lists.debian.org/debian-lts/2017/05/msg00010.html
 CVE-2017-6593
RESERVED
 CVE-2017-6592
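Review bot: the jessie marker changes from `(Minor issue, can be fixed via point release)` to `(Minor issue)`, which silently drops the stated plan to fix it in a point release; if the unsuccessful backport attempts mentioned in the commit message mean that plan is abandoned, say so in the added `NOTE: See ...` line (for example `NOTE: Backport attempts failed, see <thread>`), otherwise keep the point-release wording so the intent is not lost.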




[Secure-testing-commits] r50389 - in data: . CVE

2017-04-05 Thread Brian May
Author: bam
Date: 2017-04-05 22:03:30 +0000 (Wed, 05 Apr 2017)
New Revision: 50389

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Claim XBMC and link to my findings

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-05 21:10:14 UTC (rev 50388)
+++ data/CVE/list   2017-04-05 22:03:30 UTC (rev 50389)
@@ -4113,6 +4113,7 @@
- xbmc 
NOTE: http://seclists.org/fulldisclosure/2017/Feb/27
NOTE: http://trac.kodi.tv/ticket/17314
+   NOTE: https://lists.debian.org/debian-lts/2017/04/msg00025.html
 CVE-2017-5681 (The RSA-CRT implementation in the Intel QuickAssist Technology 
(QAT) ...)
NOT-FOR-US: Intel QuickAssist Technology (QAT) Engine
 CVE-2017-6056 (It was discovered that a programming error in the processing of 
HTTPS ...)

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-05 21:10:14 UTC (rev 50388)
+++ data/dla-needed.txt 2017-04-05 22:03:30 UTC (rev 50389)
@@ -131,9 +131,8 @@
   NOTE: See email sent to debian-lts mailing list:
   NOTE: https://lists.debian.org/debian-lts/2017/03/msg00046.html
 --
-xbmc
-  NOTE: under reserve, could not reproduce with 2:12.3+dfsg1-3ubuntu1, which 
is newer than the Wheezy version
-  NOTE: no mail to maintainer yet
+xbmc (Brian May)
+  NOTE: Reproduced: https://lists.debian.org/debian-lts/2017/04/msg00025.html
 --
 xen
 --




[Secure-testing-commits] r50274 - data

2017-04-03 Thread Brian May
Author: bam
Date: 2017-04-03 07:24:28 +0000 (Mon, 03 Apr 2017)
New Revision: 50274

Modified:
   data/dla-needed.txt
Log:
Unclaiming web2py

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-03 07:05:24 UTC (rev 50273)
+++ data/dla-needed.txt 2017-04-03 07:24:28 UTC (rev 50274)
@@ -116,7 +116,12 @@
   NOTE: issue is no-dsa in jessie but code is similar so uploading to s-p-u 
might make sense
   NOTE: to not diverge between Jessie and Wheezy
 --
-web2py (Brian May)
+web2py
+  NOTE: Unclear if these bugs have been fixed or when.
+  NOTE: No response to upstream bug report:
+  NOTE: https://github.com/web2py/web2py/issues/1585
+  NOTE: See email sent to debian-lts mailing list:
+  NOTE: https://lists.debian.org/debian-lts/2017/03/msg00046.html
 --
 xbmc
   NOTE: under reserve, could not reproduce with 2:12.3+dfsg1-3ubuntu1, which 
is newer than the Wheezy version
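Review bot: the added `NOTE: Unclear if these bugs have been fixed or when.` does not identify which bugs it means; name the CVE ids or the Debian bug number in the NOTE so the next person taking web2py does not have to search data/CVE/list for every web2py entry to find the set this unclaim refers to.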




[Secure-testing-commits] r49732 - in data: . DLA

2017-03-17 Thread Brian May
Author: bam
Date: 2017-03-17 08:38:18 +0000 (Fri, 17 Mar 2017)
New Revision: 49732

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA for calibre

Modified: data/DLA/list
===
--- data/DLA/list   2017-03-17 08:35:24 UTC (rev 49731)
+++ data/DLA/list   2017-03-17 08:38:18 UTC (rev 49732)
@@ -1,3 +1,6 @@
+[17 Mar 2017] DLA-859-1 calibre - security update
+   {CVE-2016-10187}
+   [wheezy] - calibre 0.8.51+dfsg1-0.1+deb7u1
 [17 Mar 2017] DLA-858-1 wireshark - security update
{CVE-2017-5596 CVE-2017-5597 CVE-2017-6467 CVE-2017-6468 CVE-2017-6469 
CVE-2017-6470 CVE-2017-6471 CVE-2017-6472 CVE-2017-6473 CVE-2017-6474}
[wheezy] - wireshark 1.12.1+g01b65bf-4+deb8u6~deb7u7

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-17 08:35:24 UTC (rev 49731)
+++ data/dla-needed.txt 2017-03-17 08:38:18 UTC (rev 49732)
@@ -19,11 +19,6 @@
   NOTE: I suggest to wait for more important issues. CVE-2016-7837 has a rather
   NOTE: low impact.
 --
-calibre (Brian May)
-  NOTE: We will need to investigate the issue much further.
-  NOTE: In particular, it seems likely that there are more undocumented but
-  NOTE: public security issues in Calibre. See for example bug #853004.
---
 cgiemail (Jonas Meurer)
   NOTE: 2017-03-10: Sent a mail to the cPanel security team and asked them to
   NOTE: share their security fixes for cgiemail. -- Jonas Meurer




[Secure-testing-commits] r49550 - in data: . CVE

2017-03-09 Thread Brian May
Author: bam
Date: 2017-03-10 06:45:42 +0000 (Fri, 10 Mar 2017)
New Revision: 49550

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Update libpodofo information

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-10 05:58:49 UTC (rev 49549)
+++ data/CVE/list   2017-03-10 06:45:42 UTC (rev 49550)
@@ -2574,6 +2574,7 @@
[wheezy] - libpodofo  (Minor issue)
NOTE: 
https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp
NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
+   NOTE: Proposed fix: 
https://sourceforge.net/p/podofo/mailman/message/35692197/
 CVE-2017-5852 (The PoDoFo::PdfPage::GetInheritedKeyFromObject function in ...)
- libpodofo  (bug #854600)
[jessie] - libpodofo  (Minor issue)

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-10 05:58:49 UTC (rev 49549)
+++ data/dla-needed.txt 2017-03-10 06:45:42 UTC (rev 49550)
@@ -61,7 +61,9 @@
   NOTE: Pinged on 2017-02-06 
https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby)
 --
 libpodofo
-  NOTE: 20170226: No patches available.
+  NOTE: 20170310: No patches available.
+  NOTE: Proposed patch for CVE-2017-5853, which is marked no-dsa.
+  NOTE: https://sourceforge.net/p/podofo/mailman/message/35692197/
 --
 libreoffice (Balint Reczey)
 --
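Review bot: the updated entry reads `20170310: No patches available.` immediately followed by `Proposed patch for CVE-2017-5853, which is marked no-dsa.`, which contradicts itself; fold the two into one statement, e.g. `NOTE: 20170310: No patches available, except a proposed one for CVE-2017-5853 (no-dsa):` followed by the existing URL line.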




[Secure-testing-commits] r49525 - data

2017-03-08 Thread Brian May
Author: bam
Date: 2017-03-09 06:12:08 +0000 (Thu, 09 Mar 2017)
New Revision: 49525

Modified:
   data/dla-needed.txt
Log:
Claiming web2py

Maintainer has had plenty of time to respond. Plus it is a DPMT
maintained package and I am in that team.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-09 03:22:56 UTC (rev 49524)
+++ data/dla-needed.txt 2017-03-09 06:12:08 UTC (rev 49525)
@@ -118,8 +118,7 @@
 --
 tzdata (Emilio Pozuelo)
 --
-web2py
-  NOTE: added 2017-02-25, please give maintainer some time to respond
+web2py (Brian May)
 --
 wget (Chris Lamb)
 --




[Secure-testing-commits] r49499 - data

2017-03-07 Thread Brian May
Author: bam
Date: 2017-03-08 06:08:08 +0000 (Wed, 08 Mar 2017)
New Revision: 49499

Modified:
   data/dla-needed.txt
Log:
Add link to report I made on mcollective

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-08 05:52:43 UTC (rev 49498)
+++ data/dla-needed.txt 2017-03-08 06:08:08 UTC (rev 49499)
@@ -76,6 +76,7 @@
 linux
 --
 mcollective
+  NOTE: See https://lists.debian.org/debian-lts/2017/03/msg8.html
 --
 mp3splt
   NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian




[Secure-testing-commits] r49473 - in data: . DLA

2017-03-07 Thread Brian May
Author: bam
Date: 2017-03-07 09:06:24 +0000 (Tue, 07 Mar 2017)
New Revision: 49473

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA for texlive

Modified: data/DLA/list
===
--- data/DLA/list   2017-03-07 08:06:23 UTC (rev 49472)
+++ data/DLA/list   2017-03-07 09:06:24 UTC (rev 49473)
@@ -1,3 +1,6 @@
+[07 Mar 2017] DLA-847-1 texlive-base - security update
+   {CVE-2016-10243}
+   [wheezy] - texlive-base 2012.20120611-5+deb7u1
 [06 Mar 2017] DLA-846-1 libzip-ruby - security update
{CVE-2017-5946}
[wheezy] - libzip-ruby 0.9.4-1+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-07 08:06:23 UTC (rev 49472)
+++ data/dla-needed.txt 2017-03-07 09:06:24 UTC (rev 49473)
@@ -113,8 +113,6 @@
 --
 suricata (Chris Lamb)
 --
-texlive-base (Brian May)
---
 tzdata (Emilio Pozuelo)
 --
 vim (James McCoy)




[Secure-testing-commits] r49471 - data

2017-03-06 Thread Brian May
Author: bam
Date: 2017-03-07 06:21:34 +0000 (Tue, 07 Mar 2017)
New Revision: 49471

Modified:
   data/dla-needed.txt
Log:
Claim texlive-base

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-07 05:31:31 UTC (rev 49470)
+++ data/dla-needed.txt 2017-03-07 06:21:34 UTC (rev 49471)
@@ -113,7 +113,7 @@
 --
 suricata (Chris Lamb)
 --
-texlive-base
+texlive-base (Brian May)
 --
 tzdata (Emilio Pozuelo)
 --




[Secure-testing-commits] r49428 - data/CVE

2017-03-05 Thread Brian May
Author: bam
Date: 2017-03-06 06:56:51 +0000 (Mon, 06 Mar 2017)
New Revision: 49428

Modified:
   data/CVE/list
Log:
Add link to upstream BTS for web2py issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-06 05:52:47 UTC (rev 49427)
+++ data/CVE/list   2017-03-06 06:56:51 UTC (rev 49428)
@@ -32560,10 +32560,13 @@
NOTE: Fixed by: 
https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408
 (v3.2.1)
 CVE-2016-4808 (Web2py versions 2.14.5 and below was affected by CSRF (Cross 
Site ...)
- web2py  (bug #856127)
+   NOTE: https://github.com/web2py/web2py/issues/1585
 CVE-2016-4807 (Web2py versions 2.14.5 and below was affected by Reflected XSS 
...)
- web2py  (bug #856127)
+   NOTE: https://github.com/web2py/web2py/issues/1585
 CVE-2016-4806 (Web2py versions 2.14.5 and below was affected by Local File 
Inclusion ...)
- web2py  (bug #856127)
+   NOTE: https://github.com/web2py/web2py/issues/1585
 CVE-2016-4803 (CRLF injection vulnerability in the send email functionality in 
dotCMS ...)
NOT-FOR-US: dotCMS
 CVE-2016-4802 (Multiple untrusted search path vulnerabilities in cURL and 
libcurl ...)




[Secure-testing-commits] r49383 - in data: . CVE

2017-03-02 Thread Brian May
Author: bam
Date: 2017-03-03 06:43:04 +0000 (Fri, 03 Mar 2017)
New Revision: 49383

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Add extra information concerning zoneminder

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-03 05:52:53 UTC (rev 49382)
+++ data/CVE/list   2017-03-03 06:43:04 UTC (rev 49383)
@@ -2470,6 +2470,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/2
 CVE-2017-5595 (A file disclosure and inclusion vulnerability exists in ...)
- zoneminder  (bug #854733)
+   NOTE: Check 
https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3
 CVE-2017-5594 (An issue was discovered in Pagekit CMS before 1.0.11. In this 
...)
NOT-FOR-US: Pagekit CMS
 CVE-2017-5593 (An incorrect implementation of "XEP-0280: Message 
Carbons" in multiple ...)
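Review bot: the added `NOTE: Check https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca...` does not say what the commit is: the fix, a partial fix, or a candidate that still has to be verified against CVE-2017-5595. Other entries in this file use `Fixed by:` or `Proposed fix:` as the prefix; use one of those so the status of the reference is unambiguous to whoever picks up the zoneminder update.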

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-03-03 05:52:53 UTC (rev 49382)
+++ data/dla-needed.txt 2017-03-03 06:43:04 UTC (rev 49383)
@@ -117,6 +117,10 @@
 xorg-server (Emilio Pozuelo)
 --
 zoneminder
+  NOTE: Sql injection and session fixation vulerability fixes:
+  NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1764/files
+  NOTE: No CVE assigned.
+
 --
 zziplib
   NOTE: added 2017-02-25, please give maintainer some time to respond
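Review bot: spelling in the first added NOTE line: `Sql injection and session fixation vulerability fixes` should read `SQL injection and session fixation vulnerability fixes`. The added empty line between `NOTE: No CVE assigned.` and the `--` separator is also out of place; no other entry in dla-needed.txt has a blank line before its separator, so drop it to keep the file uniform.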




[Secure-testing-commits] r47322 - in data: . DLA

2016-12-21 Thread Brian May
Author: bam
Date: 2016-12-22 06:28:23 +0000 (Thu, 22 Dec 2016)
New Revision: 47322

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Mark phpmyadmin as fixed

Modified: data/DLA/list
===
--- data/DLA/list   2016-12-22 06:02:49 UTC (rev 47321)
+++ data/DLA/list   2016-12-22 06:28:23 UTC (rev 47322)
@@ -1,3 +1,6 @@
+[22 Dec 2016] DLA-757-1 phpmyadmin - security update
+   {CVE-2016-4412 CVE-2016-6626 CVE-2016-9849 CVE-2016-9850 CVE-2016-9861 
CVE-2016-9864 CVE-2016-9865}
+   [wheezy] - phpmyadmin 4:3.4.11.1-2+deb7u7
 [21 Dec 2016] DLA-756-1 imagemagick - security update
{CVE-2016-7799 CVE-2016-8707 CVE-2016-8862 CVE-2016-8866 CVE-2016-9556}
[wheezy] - imagemagick 8:6.7.7.10-5+deb7u10

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-12-22 06:02:49 UTC (rev 47321)
+++ data/dla-needed.txt 2016-12-22 06:28:23 UTC (rev 47322)
@@ -89,8 +89,6 @@
 --
 php5
 --
-phpmyadmin (Brian May)
---
 postgres-common
 --
 potrace




[Secure-testing-commits] r46802 - data

2016-12-05 Thread Brian May
Author: bam
Date: 2016-12-05 21:17:46 +0000 (Mon, 05 Dec 2016)
New Revision: 46802

Modified:
   data/dla-needed.txt
Log:
Take phpmyadmin

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-12-05 21:10:13 UTC (rev 46801)
+++ data/dla-needed.txt 2016-12-05 21:17:46 UTC (rev 46802)
@@ -92,7 +92,7 @@
 --
 php5 (Thorsten Alteholz)
 --
-phpmyadmin
+phpmyadmin (Brian May)
 --
 potrace
 --




[Secure-testing-commits] r46613 - data/CVE

2016-11-27 Thread Brian May
Author: bam
Date: 2016-11-28 06:24:13 +0000 (Mon, 28 Nov 2016)
New Revision: 46613

Modified:
   data/CVE/list
Log:
Add links to upstream Asterisk security advisories

Modified: data/CVE/list
===
--- data/CVE/list   2016-11-28 06:16:38 UTC (rev 46612)
+++ data/CVE/list   2016-11-28 06:24:13 UTC (rev 46613)
@@ -76629,15 +76629,19 @@
RESERVED
 CVE-2014-2289 (res/res_pjsip_exten_state.c in the PJSIP channel driver in 
Asterisk ...)
- asterisk  (Only affects Asterisk 12.x)
+   NOTE: http://downloads.asterisk.org/pub/security/AST-2014-004.html
 CVE-2014-2288 (The PJSIP channel driver in Asterisk Open Source 12.x before 
12.1.1, ...)
- asterisk  (Only affects Asterisk 12.x)
+   NOTE: http://downloads.asterisk.org/pub/security/AST-2014-003.html
 CVE-2014-2287 (channels/chan_sip.c in Asterisk Open Source 1.8.x before 
1.8.26.1, ...)
- asterisk 1:11.8.1~dfsg-1 (bug #741313)
[squeeze] - asterisk  (Unsupported in squeeze-lts)
+   NOTE: http://downloads.asterisk.org/pub/security/AST-2014-002.html
 CVE-2014-2286 (main/http.c in Asterisk Open Source 1.8.x before 1.8.26.1, 
11.8.x ...)
{DLA-455-1}
- asterisk 1:11.8.1~dfsg-1 (bug #741313)
[squeeze] - asterisk  (Unsupported in squeeze-lts)
+   NOTE: http://downloads.asterisk.org/pub/security/AST-2014-001.html
 CVE-2014-2283 (epan/dissectors/packet-rlc in the RLC dissector in Wireshark 
1.8.x ...)
{DSA-2871-1}
- wireshark 1.10.6-1




[Secure-testing-commits] r46503 - in data: . DLA

2016-11-23 Thread Brian May
Author: bam
Date: 2016-11-24 06:23:47 +0000 (Thu, 24 Nov 2016)
New Revision: 46503

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA for CVE-2016-9179 fix

Modified: data/DLA/list
===
--- data/DLA/list   2016-11-24 05:52:52 UTC (rev 46502)
+++ data/DLA/list   2016-11-24 06:23:47 UTC (rev 46503)
@@ -1,3 +1,6 @@
+[24 Nov 2016] DLA-719-1 lynx-cur - security update
+   {CVE-2016-9179}
+   [wheezy] - lynx-cur 2.8.8dev.12-2+deb7u1
 [22 Nov 2016] DLA-718-1 vim - security update
{CVE-2016-1248}
[wheezy] - vim 2:7.3.547-7+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-11-24 05:52:52 UTC (rev 46502)
+++ data/dla-needed.txt 2016-11-24 06:23:47 UTC (rev 46503)
@@ -65,13 +65,6 @@
 --
 linux
 --
-lynx-cur (Brian May)
-  NOTE: Version available for testing.
-  NOTE: See https://people.debian.org/~bam/debian/pool/main/l/lynx-cur/
-  NOTE: Waiting for upstream 2.8.9dev12 which should fix a minor issue
-  NOTE: (obsolete warning messsage to user).
-  NOTE: See https://lists.debian.org/debian-lts/2016/11/msg00088.html
---
 maradns
   Dariusz Dwornikowski  has expressed an interest in
   helping out with these CVEs.
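Review bot: removing the lynx-cur entry also removes the note that an obsolete warning message shown to the user remains until upstream 2.8.9dev12; DLA-719-1 is recorded as fixing CVE-2016-9179 only, so if the update shipped without that follow-up fix, the outstanding minor issue should be noted on the CVE entry or in a bug rather than disappearing with the dla-needed.txt entry.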




[Secure-testing-commits] r46265 - data

2016-11-16 Thread Brian May
Author: bam
Date: 2016-11-17 06:56:40 +0000 (Thu, 17 Nov 2016)
New Revision: 46265

Modified:
   data/dla-needed.txt
Log:
Document current lynx-cur status

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-11-17 06:15:32 UTC (rev 46264)
+++ data/dla-needed.txt 2016-11-17 06:56:40 UTC (rev 46265)
@@ -69,6 +69,11 @@
 linux
 --
 lynx-cur (Brian May)
+  NOTE: Version available for testing.
+  NOTE: See https://people.debian.org/~bam/debian/pool/main/l/lynx-cur/
+  NOTE: Waiting for upstream 2.8.9dev12 which should fix a minor issue
+  NOTE: (obsolete warning messsage to user).
+  NOTE: See https://lists.debian.org/debian-lts/2016/11/msg00088.html
 --
 ming
   NOTE: No upstream fix yet (2016-11-15) for any of the CVEs:
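Review bot: spelling in the fourth added NOTE line: `messsage` should be `message`. The `Version available for testing.` note would also be more useful with the exact package version uploaded to people.debian.org, so testers can confirm they fetched the build this note refers to.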




[Secure-testing-commits] r46175 - data

2016-11-13 Thread Brian May
Author: bam
Date: 2016-11-14 06:53:10 +0000 (Mon, 14 Nov 2016)
New Revision: 46175

Modified:
   data/dla-needed.txt
Log:
Claim lynx-cur

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-11-14 06:40:40 UTC (rev 46174)
+++ data/dla-needed.txt 2016-11-14 06:53:10 UTC (rev 46175)
@@ -59,7 +59,7 @@
 --
 linux
 --
-lynx-cur
+lynx-cur (Brian May)
 --
 ming
 --




[Secure-testing-commits] r46174 - in data: . DLA

2016-11-13 Thread Brian May
Author: bam
Date: 2016-11-14 06:40:40 +0000 (Mon, 14 Nov 2016)
New Revision: 46174

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
python-django update

Modified: data/DLA/list
===
--- data/DLA/list   2016-11-14 05:34:12 UTC (rev 46173)
+++ data/DLA/list   2016-11-14 06:40:40 UTC (rev 46174)
@@ -1,3 +1,6 @@
+[14 Nov 2016] DLA-706-1 python-django - security update
+   {CVE-2016-9014}
+   [wheezy] - python-django 1.4.22-1+deb7u2
 [07 Nov 2016] DLA-705-1 python-imaging - security update
{CVE-2016-9189 CVE-2016-9190}
[wheezy] - python-imaging 1.1.7-4+deb7u3

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-11-14 05:34:12 UTC (rev 46173)
+++ data/dla-needed.txt 2016-11-14 06:40:40 UTC (rev 46174)
@@ -89,8 +89,6 @@
 --
 potrace
 --
-python-django (Brian May)
---
 sendmail
 --
 sudo (Balint Reczey)




[Secure-testing-commits] r46053 - data/CVE

2016-11-07 Thread Brian May
Author: bam
Date: 2016-11-07 21:59:46 +0000 (Mon, 07 Nov 2016)
New Revision: 46053

Modified:
   data/CVE/list
Log:
CVE-2016-9013 not worth fixing in Wheezy

- is not triggered by normal usage, and cannot be triggered by a malicious user.
- is documented, and can be overridden:


Modified: data/CVE/list
===
--- data/CVE/list   2016-11-07 21:31:52 UTC (rev 46052)
+++ data/CVE/list   2016-11-07 21:59:46 UTC (rev 46053)
@@ -615,6 +615,7 @@
RESERVED
- python-django  (bug #842856)
[jessie] - python-django  (Minor issue; can be updated via 
point release)
+   [wheezy] - python-django  (Minor issue; specific to Oracle)
NOTE: 
https://www.djangoproject.com/weblog/2016/nov/01/security-releases/
NOTE: 
https://github.com/django/django/commit/da7910d4834726eca596af0a830762fa5fb2dfd9
 CVE-2016-9012
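Review bot: the added `[wheezy] - python-django  (Minor issue; specific to Oracle)` gives a different reason from the one in the commit message (not triggered by normal usage, cannot be triggered by a malicious user, documented and overridable), and the jessie line directly above uses yet another form (`can be updated via point release`). Put the actual rationale in a `NOTE:` line under the marker, since the commit message is not visible to tracker users, and keep the parenthetical to the short tag.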




[Secure-testing-commits] r45953 - data

2016-11-03 Thread Brian May
Author: bam
Date: 2016-11-03 21:00:26 +0000 (Thu, 03 Nov 2016)
New Revision: 45953

Modified:
   data/dla-needed.txt
Log:
Claim python-django

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-11-03 20:03:22 UTC (rev 45952)
+++ data/dla-needed.txt 2016-11-03 21:00:26 UTC (rev 45953)
@@ -90,7 +90,7 @@
   NOTE: wait for upstream releasing more information about it. Shall
   NOTE: we maybe remove this entry?
 --
-python-django
+python-django (Brian May)
 --
 sendmail
 --




[Secure-testing-commits] r45392 - in data: . DLA

2016-10-17 Thread Brian May
Author: bam
Date: 2016-10-17 07:43:31 +0000 (Mon, 17 Oct 2016)
New Revision: 45392

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-659-1 for systemd

Modified: data/DLA/list
===
--- data/DLA/list   2016-10-16 21:10:11 UTC (rev 45391)
+++ data/DLA/list   2016-10-17 07:43:31 UTC (rev 45392)
@@ -1,3 +1,6 @@
+[17 Oct 2016] DLA-659-1 systemd - security update
+   {CVE-2016-7796}
+   [wheezy] - systemd 44-11+deb7u5
 [16 Oct 2016] DLA-658-1 icedove - security update
[wheezy] - icedove 45.4.0-1~deb7u1
 [16 Oct 2016] DLA-657-1 libarchive - security update

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-10-16 21:10:11 UTC (rev 45391)
+++ data/dla-needed.txt 2016-10-17 07:43:31 UTC (rev 45392)
@@ -97,9 +97,6 @@
 --
 spip (Jonas Meurer)
 --
-systemd (Brian May)
-  NOTE: No crash, "just" breaking notifications, see #839607
---
 tiff (Emilio Pozuelo)
 --
 tiff3




[Secure-testing-commits] r45196 - data

2016-10-10 Thread Brian May
Author: bam
Date: 2016-10-10 21:15:13 +0000 (Mon, 10 Oct 2016)
New Revision: 45196

Modified:
   data/dla-needed.txt
Log:
Claim systemd


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-10-10 21:10:11 UTC (rev 45195)
+++ data/dla-needed.txt 2016-10-10 21:15:13 UTC (rev 45196)
@@ -80,7 +80,7 @@
   NOTE: patch for CVE-2016-2115 has been removed intentionally in version 
2:3.6.6-6+deb7u10
   NOTE: so maybe this is 
 --
-systemd
+systemd (Brian May)
   NOTE: No crash, "just" breaking notifications, see #839607
 --
 tiff (Emilio Pozuelo)



[Secure-testing-commits] r45194 - in data: . DLA

2016-10-10 Thread Brian May
Author: bam
Date: 2016-10-10 20:58:28 +0000 (Mon, 10 Oct 2016)
New Revision: 45194

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-651-1 for graphicsmagick

Modified: data/DLA/list
===
--- data/DLA/list   2016-10-10 20:41:49 UTC (rev 45193)
+++ data/DLA/list   2016-10-10 20:58:28 UTC (rev 45194)
@@ -1,3 +1,6 @@
+[11 Oct 2016] DLA-651-1 graphicsmagick - security update
+   {CVE-2016-7446 CVE-2016-7447 CVE-2016-7449 CVE-2016-7800}
+   [wheezy] - graphicsmagick 1.3.16-1.1+deb7u4
 [09 Oct 2016] DLA-650-1 mat - security update
[wheezy] - mat 0.3.2-1+deb7u1
 [06 Oct 2016] DLA-649-1 python-django - security update

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-10-10 20:41:49 UTC (rev 45193)
+++ data/dla-needed.txt 2016-10-10 20:58:28 UTC (rev 45194)
@@ -19,8 +19,6 @@
 --
 ghostscript (Roberto C. Sánchez)
 --
-graphicsmagick (Brian May)
---
 icedove (Guido Günther)
 --
 icu (Roberto C. Sánchez)



[Secure-testing-commits] r44744 - data

2016-09-19 Thread Brian May
Author: bam
Date: 2016-09-19 21:34:07 +0000 (Mon, 19 Sep 2016)
New Revision: 44744

Modified:
   data/dla-needed.txt
Log:
Claim graphicsmagick


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-09-19 21:10:19 UTC (rev 44743)
+++ data/dla-needed.txt 2016-09-19 21:34:07 UTC (rev 44744)
@@ -20,7 +20,7 @@
 --
 gcc-mingw-w64 (Stephen Kitt)
 --
-graphicsmagick
+graphicsmagick (Brian May)
 --
 icu (Roberto C. Sánchez)
 --



[Secure-testing-commits] r44602 - in data: . DLA

2016-09-15 Thread Brian May
Author: bam
Date: 2016-09-15 07:57:47 +0000 (Thu, 15 Sep 2016)
New Revision: 44602

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-621-1 for autotrace

Modified: data/DLA/list
===
--- data/DLA/list   2016-09-15 07:55:28 UTC (rev 44601)
+++ data/DLA/list   2016-09-15 07:57:47 UTC (rev 44602)
@@ -1,3 +1,6 @@
+[15 Sep 2016] DLA-621-1 autotrace - security update
+   {CVE-2016-7392}
+   [wheezy] - autotrace 0.31.1-16+deb7u1
 [13 Sep 2016] DLA-620-1 libphp-adodb - security update
{CVE-2016-4855 CVE-2016-7405}
[wheezy] - libphp-adodb 5.15-1+deb7u1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-09-15 07:55:28 UTC (rev 44601)
+++ data/dla-needed.txt 2016-09-15 07:57:47 UTC (rev 44602)
@@ -11,9 +11,6 @@
 --
 asterisk (Thorsten Alteholz)
 --
-autotrace (Brian May)
- NOTE: Reproducible with valgrind on Wheezy
---
 chicken
  NOTE: See report 87twdrpcyx@prune.linuxpenguins.xyz
  NOTE: Wheezy probably vulnerable however upstream patch is too invasive.



[Secure-testing-commits] r44536 - data

2016-09-12 Thread Brian May
Author: bam
Date: 2016-09-12 21:58:51 +0000 (Mon, 12 Sep 2016)
New Revision: 44536

Modified:
   data/dla-needed.txt
Log:
Add summary of my chicken research


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-09-12 21:10:12 UTC (rev 44535)
+++ data/dla-needed.txt 2016-09-12 21:58:51 UTC (rev 44536)
@@ -15,6 +15,9 @@
  NOTE: Reproducible with valgrind on Wheezy
 --
 chicken
+ NOTE: See report 87twdrpcyx@prune.linuxpenguins.xyz
+ NOTE: Wheezy probably vulnerable however upstream patch is too invasive.
+ NOTE: Needs somebody with Scheme/C experience.
 --
 gcc-mingw-w64 (Stephen Kitt)
 --
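Review bot: the three new NOTE lines record neither a CVE id nor a reproduction status for wheezy ("probably vulnerable"), so whoever picks chicken up next has to redo the research; add the CVE id and, as the autotrace entry just above does, say how (or whether) the issue was reproduced on wheezy. The report is cited only by bare message-id; a lists.debian.org msgid-search link, the form used elsewhere in this file, would make it resolvable without a mailbox search.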



[Secure-testing-commits] r44515 - data

2016-09-11 Thread Brian May
Author: bam
Date: 2016-09-11 22:18:10 +0000 (Sun, 11 Sep 2016)
New Revision: 44515

Modified:
   data/dla-needed.txt
Log:
Claim autotrace


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-09-11 21:43:00 UTC (rev 44514)
+++ data/dla-needed.txt 2016-09-11 22:18:10 UTC (rev 44515)
@@ -11,7 +11,7 @@
 --
 asterisk (Thorsten Alteholz)
 --
-autotrace
+autotrace (Brian May)
  NOTE: Reproducible with valgrind on Wheezy
 --
 chicken



[Secure-testing-commits] r44377 - data

2016-09-06 Thread Brian May
Author: bam
Date: 2016-09-06 21:48:04 +0000 (Tue, 06 Sep 2016)
New Revision: 44377

Modified:
   data/dla-needed.txt
Log:
Remove matrixssl from dla-needed.txt

As per email 
CABY6=0mdovum1vkzmxiau7rs5jysjv8mybinutz4fze11es...@mail.gmail.com

Matrixssl is seldom used and only supports SSLv3. Also we cannot reproduce the
security vulnerabilities and they now have been marked .

Hence removing matrixssl from the TODO list.


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-09-06 21:10:13 UTC (rev 44376)
+++ data/dla-needed.txt 2016-09-06 21:48:04 UTC (rev 44377)
@@ -38,9 +38,6 @@
   is not available yet. It will be available in next upstream release (already
   in upstream roadmap).
 --
-matrixssl
-  NOTE: the bignum implementation is in crypto/peersec/mpi.c
---
 mingw32 (Stephen Kitt)
 --
 openssl
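Review bot: the rationale for dropping matrixssl (seldom used, SSLv3 only, vulnerabilities not reproducible) exists only in this commit message, and the removed NOTE about crypto/peersec/mpi.c was the only pointer to where the affected bignum code lives. Since dla-needed.txt entries disappear when removed, the "cannot reproduce" reasoning and the mpi.c pointer belong as NOTE lines on the CVE entries that the log says were marked, otherwise the next triager re-does the work.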



[Secure-testing-commits] r43978 - data/CVE

2016-08-15 Thread Brian May
Author: bam
Date: 2016-08-15 08:20:09 +0000 (Mon, 15 Aug 2016)
New Revision: 43978

Modified:
   data/CVE/list
Log:
Add prerequisite patch for CVE-2015-8834


Modified: data/CVE/list
===
--- data/CVE/list   2016-08-14 10:57:58 UTC (rev 43977)
+++ data/CVE/list   2016-08-15 08:20:09 UTC (rev 43978)
@@ -9993,6 +9993,7 @@
- wordpress 4.2.2+dfsg-1
NOTE: https://wordpress.org/news/2015/05/wordpress-4-2-2/
NOTE: Follow-up patch from 4.2.1 -> 4.2.2 for wp-includes/wp-db.php 
seems not applied
+   NOTE: This looks like a required patch: 
https://github.com/WordPress/WordPress/commit/a3a76fe665dfb62508a66542390a93445f1f7a59
NOTE: Changes in wp-includes/wp-db.php: 
https://github.com/WordPress/WordPress/commit/db8f915ee6c236ee2f39e76781bf42367e3f1490
NOTE: https://core.trac.wordpress.org/changeset/32387/
 CVE-2016-3661
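Review bot: "This looks like a required patch" records a hunch rather than a finding; state what commit a3a76fe provides that the db8f915 wp-db.php change depends on (the function or hunk that fails to apply without it), and whether this was checked against the 4.2.2+dfsg-1 package named above, so the dependency does not have to be re-derived when the backport is prepared.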



[Secure-testing-commits] r43908 - data

2016-08-10 Thread Brian May
Author: bam
Date: 2016-08-10 08:02:33 +0000 (Wed, 10 Aug 2016)
New Revision: 43908

Modified:
   data/dla-needed.txt
Log:
twisted marked no-dsa, removing from dla-needed


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-08-10 07:58:31 UTC (rev 43907)
+++ data/dla-needed.txt 2016-08-10 08:02:33 UTC (rev 43908)
@@ -92,11 +92,6 @@
 --
 tiff3 (Markus Koschany)
 --
-twisted (Brian May)
-  NOTE: https://twistedmatrix.com/trac/ticket/8623
---
-twisted-web
---
 wireshark (Balint Reczey)
 --
 wordpress



[Secure-testing-commits] r43906 - data/CVE

2016-08-10 Thread Brian May
Author: bam
Date: 2016-08-10 07:57:30 +0000 (Wed, 10 Aug 2016)
New Revision: 43906

Modified:
   data/CVE/list
Log:
Make twisted-web no-dsa in wheezy


Modified: data/CVE/list
===
--- data/CVE/list   2016-08-10 04:50:11 UTC (rev 43905)
+++ data/CVE/list   2016-08-10 07:57:30 UTC (rev 43906)
@@ -3890,6 +3890,7 @@
[jessie] - twisted  (Minor issue)
[wheezy] - twisted  (For wheezy affected file twcgi.py is 
in src:twisted-web)
- twisted-web 
+   [wheezy] - twisted-web  (Minor issue)
NOTE: https://twistedmatrix.com/trac/ticket/8623
NOTE: 
https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165
 CVE-2016-1000108
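Review bot: the new wheezy line for twisted-web gives "Minor issue" with no reason, while the neighbouring wheezy line for twisted explains why the affected twcgi.py belongs to src:twisted-web. Since the commit log says this is the no-dsa decision for twisted-web, add a word on why it is considered minor (upstream ticket 8623 and the fixing commit are already linked), so the rating can be revisited if the assessment changes.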



[Secure-testing-commits] r43886 - data/DLA

2016-08-09 Thread Brian May
Author: bam
Date: 2016-08-09 08:32:56 +0000 (Tue, 09 Aug 2016)
New Revision: 43886

Modified:
   data/DLA/list
Log:
Reserve DLA-590-1 for python-django

Modified: data/DLA/list
===
--- data/DLA/list   2016-08-09 08:11:00 UTC (rev 43885)
+++ data/DLA/list   2016-08-09 08:32:56 UTC (rev 43886)
@@ -1,3 +1,5 @@
+[09 Aug 2016] DLA-590-1 python-django - security update
+   [wheezy] - python-django 1.4.22-1
 [08 Aug 2016] DLA-589-1 mupdf - security update
{CVE-2016-6525}
[wheezy] - mupdf 0.9-2+deb7u3
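Review bot: the new DLA-590-1 entry has no {CVE-...} line, unlike DLA-589-1 directly below it, and its version 1.4.22-1 carries no +deb7uN suffix as the other entries in this list do. If this is a new upstream point release with security fixes going straight into wheezy, list the CVEs it addresses (or note explicitly that none were assigned); if the version string is a typo, fix it before the advisory goes out.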



[Secure-testing-commits] r43736 - data

2016-08-03 Thread Brian May
Author: bam
Date: 2016-08-03 08:34:13 +0000 (Wed, 03 Aug 2016)
New Revision: 43736

Modified:
   data/dla-needed.txt
Log:
Claim twisted


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-08-03 07:15:11 UTC (rev 43735)
+++ data/dla-needed.txt 2016-08-03 08:34:13 UTC (rev 43736)
@@ -98,7 +98,7 @@
 --
 tiff3 (Markus Koschany)
 --
-twisted
+twisted (Brian May)
   NOTE: https://twistedmatrix.com/trac/ticket/8623
 --
 wireshark (Balint Reczey)



[Secure-testing-commits] r43482 - data/CVE

2016-07-26 Thread Brian May
Author: bam
Date: 2016-07-26 08:57:04 +0000 (Tue, 26 Jul 2016)
New Revision: 43482

Modified:
   data/CVE/list
Log:
Temp CVE was fixed in wheezy LTS


Modified: data/CVE/list
===
--- data/CVE/list   2016-07-26 06:29:30 UTC (rev 43481)
+++ data/CVE/list   2016-07-26 08:57:04 UTC (rev 43482)
@@ -28205,7 +28205,7 @@
 CVE-2015- [Stack buffer overflow when printing bad bytes in Intel Hex 
objects]
- binutils 2.25.90.20151125-1
[jessie] - binutils  (Minor issue)
-   [wheezy] - binutils  (Minor issue)
+   [wheezy] - binutils 2.22-8+deb7u3
[squeeze] - binutils 2.20.1-16+deb6u2
NOTE: workaround entry for DLA 324-1-1 until/if CVE assigned
- gdb 
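Review bot: the existing NOTE on this entry only mentions DLA 324-1-1, which is the squeeze fix (2.20.1-16+deb6u2); now that the wheezy line records 2.22-8+deb7u3, the version DLA-552-1 shipped, extend the NOTE so it names DLA-552-1 as well, otherwise the wheezy fix version has no visible justification. Worth checking too whether the DLA-552-1 CVE list should reference this still-unnumbered issue.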



[Secure-testing-commits] r43251 - in data: . DLA

2016-07-18 Thread Brian May
Author: bam
Date: 2016-07-18 08:40:35 +0000 (Mon, 18 Jul 2016)
New Revision: 43251

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-552-1 for binutils

Modified: data/DLA/list
===
--- data/DLA/list   2016-07-18 06:47:05 UTC (rev 43250)
+++ data/DLA/list   2016-07-18 08:40:35 UTC (rev 43251)
@@ -1,3 +1,6 @@
+[18 Jul 2016] DLA-552-1 binutils - security update
+   {CVE-2016-2226 CVE-2016-4487 CVE-2016-4488 CVE-2016-4489 CVE-2016-4490 
CVE-2016-4492 CVE-2016-4493 CVE-2016-6131}
+   [wheezy] - binutils 2.22-8+deb7u3
 [17 Jul 2016] DLA-551-1 phpmyadmin - security update
{CVE-2016-5731 CVE-2016-5733 CVE-2016-5739}
[wheezy] - phpmyadmin 4:3.4.11.1-2+deb7u5

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-07-18 06:47:05 UTC (rev 43250)
+++ data/dla-needed.txt 2016-07-18 08:40:35 UTC (rev 43251)
@@ -11,8 +11,6 @@
 --
 asterisk (Thorsten Alteholz)
 --
-binutils (Brian May)
---
 cacti (Emilio Pozuelo)
   NOTE: Maintainer wants to review changes; see 
https://lists.debian.org/<5724f47d.6090...@debian.org>
   NOTE: debdiff sent to maintainer: 
https://lists.debian.org/debian-lts/2016/06/msg00127.html



[Secure-testing-commits] r43006 - data

2016-07-04 Thread Brian May
Author: bam
Date: 2016-07-05 06:51:33 +0000 (Tue, 05 Jul 2016)
New Revision: 43006

Modified:
   data/dla-needed.txt
Log:
Claim binutils


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-07-05 06:22:47 UTC (rev 43005)
+++ data/dla-needed.txt 2016-07-05 06:51:33 UTC (rev 43006)
@@ -11,7 +11,7 @@
 --
 asterisk (Thorsten Alteholz)
 --
-binutils
+binutils (Brian May)
 --
 binutils-h8300-hms
 --



[Secure-testing-commits] r42995 - in data: . DLA

2016-07-04 Thread Brian May
Author: bam
Date: 2016-07-04 09:31:29 +0000 (Mon, 04 Jul 2016)
New Revision: 42995

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-542-1 for pidgin

Modified: data/DLA/list
===
--- data/DLA/list   2016-07-04 09:10:11 UTC (rev 42994)
+++ data/DLA/list   2016-07-04 09:31:29 UTC (rev 42995)
@@ -1,3 +1,6 @@
+[04 Jul 2016] DLA-542-1 pidgin - security update
+   {CVE-2016-2365 CVE-2016-2366 CVE-2016-2367 CVE-2016-2368 CVE-2016-2369 
CVE-2016-2370 CVE-2016-2371 CVE-2016-2372 CVE-2016-2373 CVE-2016-2374 
CVE-2016-2375 CVE-2016-2376 CVE-2016-2377 CVE-2016-2378 CVE-2016-2380 
CVE-2016-4323}
+   [wheezy] - pidgin 2.10.10-1~deb7u2
 [01 Jul 2016] DLA-541-1 libvirt - security update
{CVE-2016-5008}
[wheezy] - libvirt 0.9.12.3-1+deb7u2

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-07-04 09:10:11 UTC (rev 42994)
+++ data/dla-needed.txt 2016-07-04 09:31:29 UTC (rev 42995)
@@ -81,8 +81,6 @@
 --
 phpmyadmin (Ola Lundqvist)
 --
-pidgin (Brian May)
---
 quagga
   NOTE: see dsa-needed's notes.
   NOTE: Maintainer's answer: 
https://lists.debian.org/msgid-search/878tzv6pru@mid.deneb.enyo.de



[Secure-testing-commits] r42763 - data

2016-06-24 Thread Brian May
Author: bam
Date: 2016-06-24 07:55:57 +0000 (Fri, 24 Jun 2016)
New Revision: 42763

Modified:
   data/dla-needed.txt
Log:
Grab pidgin

No, not grabbing hold of a pigeon. Just a universal chat client.


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-24 06:39:28 UTC (rev 42762)
+++ data/dla-needed.txt 2016-06-24 07:55:57 UTC (rev 42763)
@@ -62,7 +62,7 @@
   NOTE: Kurt Roeckx considers CVE-2016-2177 and CVE-2016-2178 to be low
   NOTE: priority issues and will fix them after the next release of OpenSSL.
 --
-pidgin
+pidgin (Brian May)
 --
 php5 (Thorsten Alteholz)
 --
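Review bot: style only; the pidgin entry sits above php5 here, while the rest of this file is kept in alphabetical order (in the r42995 removal further up it appears between phpmyadmin and quagga, where it belongs), so it is easy to overlook when scanning; move it below php5.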



[Secure-testing-commits] r42739 - data

2016-06-23 Thread Brian May
Author: bam
Date: 2016-06-23 07:55:08 +0000 (Thu, 23 Jun 2016)
New Revision: 42739

Modified:
   data/dla-needed.txt
Log:
Unclaim openssl


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-23 06:51:44 UTC (rev 42738)
+++ data/dla-needed.txt 2016-06-23 07:55:08 UTC (rev 42739)
@@ -54,12 +54,13 @@
   NOTE: maintainer would like help working on the updates but will handle the 
updates himself
   NOTE: 20160518175636.ga29...@roeckx.be
 --
-openssl (Brian May)
+openssl
   NOTE: For CVE-2016-2177, some parts of the upstream patch do not apply
   NOTE: because the wheezy version is completely missing the checks being
   NOTE: fixed!  Those checks should probably be added by cherry-picking
   NOTE: additional upstream changes.
-  NOTE: Feel free to offer Brian assistance or take-over if desired.
+  NOTE: Kurt Roeckx considers CVE-2016-2177 and CVE-2016-2178 to be low
+  NOTE: priority issues and will fix them after the next release of OpenSSL.
 --
 php5 (Thorsten Alteholz)
 --
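Review bot: the new NOTE attributes a priority decision to Kurt Roeckx without a reference, while the entry just above cites its source by message-id (20160518175636.ga29...@roeckx.be); do the same here, and say which release "the next release of OpenSSL" refers to, otherwise nobody can tell later when this entry is due for a re-check.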



[Secure-testing-commits] r42597 - in data: . DLA

2016-06-17 Thread Brian May
Author: bam
Date: 2016-06-17 08:30:00 +0000 (Fri, 17 Jun 2016)
New Revision: 42597

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-517-1 for imagemagick

Modified: data/DLA/list
===
--- data/DLA/list   2016-06-17 08:22:01 UTC (rev 42596)
+++ data/DLA/list   2016-06-17 08:30:00 UTC (rev 42597)
@@ -1,3 +1,6 @@
+[17 Jun 2016] DLA-517-1 imagemagick - security update
+   {CVE-2016-4563}
+   [wheezy] - imagemagick 8:6.7.7.10-5+deb7u7
 [16 Jun 2016] DLA-516-1 linux - security update
{CVE-2016-0821 CVE-2016-1583 CVE-2016-2143 CVE-2016-2184 CVE-2016-2185 
CVE-2016-2186 CVE-2016-2187 CVE-2016-3134 CVE-2016-3136 CVE-2016-3137 
CVE-2016-3138 CVE-2016-3140 CVE-2016-3157 CVE-2016-3672 CVE-2016-3951 
CVE-2016-3955 CVE-2016-3961 CVE-2016-4482 CVE-2016-4485 CVE-2016-4486 
CVE-2016-4565 CVE-2016-4569 CVE-2016-4578 CVE-2016-4580 CVE-2016-4913 
CVE-2016-5243 CVE-2016-5244}
[wheezy] - linux 3.2.81-1

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-17 08:22:01 UTC (rev 42596)
+++ data/dla-needed.txt 2016-06-17 08:30:00 UTC (rev 42597)
@@ -30,8 +30,6 @@
 icu (Roberto C. Sánchez)
   NOTE: check comments on CVE-2016-0494 as well
 --
-imagemagick (Brian May)
---
 libjackson-json-java
 --
 libspring-java



[Secure-testing-commits] r42596 - data

2016-06-17 Thread Brian May
Author: bam
Date: 2016-06-17 08:22:01 +0000 (Fri, 17 Jun 2016)
New Revision: 42596

Modified:
   data/dla-needed.txt
Log:
Claim openssl. For now...


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-17 06:46:12 UTC (rev 42595)
+++ data/dla-needed.txt 2016-06-17 08:22:01 UTC (rev 42596)
@@ -51,11 +51,12 @@
   NOTE: maintainer would like help working on the updates but will handle the 
updates himself
   NOTE: 20160518175636.ga29...@roeckx.be
 --
-openssl
+openssl (Brian May)
   NOTE: For CVE-2016-2177, some parts of the upstream patch do not apply
   NOTE: because the wheezy version is completely missing the checks being
   NOTE: fixed!  Those checks should probably be added by cherry-picking
   NOTE: additional upstream changes.
+  NOTE: Feel free to offer Brian assistance or take-over if desired.
 --
 php5 (Thorsten Alteholz)
 --



[Secure-testing-commits] r42436 - in data: . DLA

2016-06-10 Thread Brian May
Author: bam
Date: 2016-06-10 10:03:27 +0000 (Fri, 10 Jun 2016)
New Revision: 42436

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-510-1 for p7zip

Modified: data/DLA/list
===
--- data/DLA/list   2016-06-10 09:10:13 UTC (rev 42435)
+++ data/DLA/list   2016-06-10 10:03:27 UTC (rev 42436)
@@ -1,3 +1,6 @@
+[10 Jun 2016] DLA-510-1 p7zip - security update
+   {CVE-2016-2335}
+   [wheezy] - p7zip 9.20.1~dfsg.1-4+deb7u2
 [09 Jun 2016] DLA-509-1 samba - security update
[wheezy] - samba 2:3.6.6-6+deb7u10
 [08 Jun 2016] DLA-508-1 expat - security update

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-10 09:10:13 UTC (rev 42435)
+++ data/dla-needed.txt 2016-06-10 10:03:27 UTC (rev 42436)
@@ -61,9 +61,6 @@
   NOTE: fixed!  Those checks should probably be added by cherry-picking
   NOTE: additional upstream changes.
 --
-p7zip (Brian May)
-  NOTE: CPP/7zip/Archive/Udf/UdfIn.cpp line 261?
---
 php5 (Thorsten Alteholz)
 --
 qemu



[Secure-testing-commits] r42386 - data

2016-06-07 Thread Brian May
Author: bam
Date: 2016-06-07 22:15:23 +0000 (Tue, 07 Jun 2016)
New Revision: 42386

Modified:
   data/dla-needed.txt
Log:
Claim imagemagick


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-07 21:10:12 UTC (rev 42385)
+++ data/dla-needed.txt 2016-06-07 22:15:23 UTC (rev 42386)
@@ -30,7 +30,7 @@
 icu (Roberto C. Sánchez)
   NOTE: check comments on CVE-2016-0494 as well
 --
-imagemagick
+imagemagick (Brian May)
 --
 libjackson-json-java
 --



[Secure-testing-commits] r42242 - data

2016-06-02 Thread Brian May
Author: bam
Date: 2016-06-02 07:33:15 +0000 (Thu, 02 Jun 2016)
New Revision: 42242

Modified:
   data/dla-needed.txt
Log:
Claim p7zip


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-02 07:29:05 UTC (rev 42241)
+++ data/dla-needed.txt 2016-06-02 07:33:15 UTC (rev 42242)
@@ -61,7 +61,7 @@
   NOTE: maintainer would like help working on the updates but will handle the 
updates himself
   NOTE: 20160518175636.ga29...@roeckx.be
 --
-p7zip
+p7zip (Brian May)
   NOTE: CPP/7zip/Archive/Udf/UdfIn.cpp line 261?
 --
 php5 (Thorsten Alteholz)



[Secure-testing-commits] r42241 - data/CVE

2016-06-02 Thread Brian May
Author: bam
Date: 2016-06-02 07:29:05 +0000 (Thu, 02 Jun 2016)
New Revision: 42241

Modified:
   data/CVE/list
Log:
Clarify wheezy is broken


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-02 07:27:38 UTC (rev 42240)
+++ data/CVE/list   2016-06-02 07:29:05 UTC (rev 42241)
@@ -364,6 +364,7 @@
- tiff3  (unimportant)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2552
NOTE: confirmed this still crashes with latest CVS, version v4.0.6
+   NOTE: also confirmed this crashes v4.0.2 in wheezy
 CVE-2016-5101
RESERVED
 CVE-2016-5100
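Review bot: the confirmation gives no reproduction recipe; say which tool and input (presumably the file attached to bugzilla 2552) crashed v4.0.2, so the result is repeatable and any future wheezy fix can be tested against it. With the crash now confirmed in wheezy and upstream having no fix, the wheezy status line for this entry, which is outside this hunk, should carry a matching tag and rationale.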



[Secure-testing-commits] r42240 - data/CVE

2016-06-02 Thread Brian May
Author: bam
Date: 2016-06-02 07:27:38 +0000 (Thu, 02 Jun 2016)
New Revision: 42240

Modified:
   data/CVE/list
Log:
No upstream fix for this


Modified: data/CVE/list
===
--- data/CVE/list   2016-06-02 06:21:58 UTC (rev 42239)
+++ data/CVE/list   2016-06-02 07:27:38 UTC (rev 42240)
@@ -363,6 +363,7 @@
[jessie] - tiff  (Minor issue)
- tiff3  (unimportant)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2552
+   NOTE: confirmed this still crashes with latest CVS, version v4.0.6
 CVE-2016-5101
RESERVED
 CVE-2016-5100



[Secure-testing-commits] r42229 - data

2016-06-01 Thread Brian May
Author: bam
Date: 2016-06-01 22:28:05 +0000 (Wed, 01 Jun 2016)
New Revision: 42229

Modified:
   data/dla-needed.txt
Log:
Take xen


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-06-01 21:10:08 UTC (rev 42228)
+++ data/dla-needed.txt 2016-06-01 22:28:05 UTC (rev 42229)
@@ -103,7 +103,7 @@
 --
 wordpress
 --
-xen
+xen (Brian May)
   Update prepared by credativ ready here: 
https://people.debian.org/~zobel/xen-lts/
   Just need review, upload and DLA.
 --
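Review bot: style; the two annotation lines under xen ("Update prepared by credativ ready here: ..." and "Just need review, upload and DLA.") lack the "NOTE:" prefix every other annotation in this file uses, so anyone grepping for NOTE misses them; prefix both lines.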



[Secure-testing-commits] r41944 - in data: . DLA

2016-05-22 Thread Brian May
Author: bam
Date: 2016-05-23 02:14:38 +0000 (Mon, 23 May 2016)
New Revision: 41944

Modified:
   data/DLA/list
   data/dla-needed.txt
Log:
Reserve DLA-486-1 for imagemagick

Modified: data/DLA/list
===
--- data/DLA/list   2016-05-22 21:26:15 UTC (rev 41943)
+++ data/DLA/list   2016-05-23 02:14:38 UTC (rev 41944)
@@ -1,3 +1,6 @@
+[23 May 2016] DLA-486-1 imagemagick - security update
+   {CVE-2016-3714 CVE-2016-3715 CVE-2016-3716 CVE-2016-3717 CVE-2016-3718}
+   [wheezy] - imagemagick 8:6.7.7.10-5+deb7u5
 [22 May 2016] DLA-485-1 extplorer - security update
{CVE-2015-5660}
[wheezy] - extplorer 2.1.0b6+dfsg.3-4+deb7u3

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-22 21:26:15 UTC (rev 41943)
+++ data/dla-needed.txt 2016-05-23 02:14:38 UTC (rev 41944)
@@ -31,9 +31,6 @@
 icu (Roberto C. Sánchez)
   NOTE: check comments on CVE-2016-0494 as well
 --
-imagemagick (Brian May)
-  NOTE: several high profile vulnerabilities
---
 libjackson-json-java
 --
 libspring-java



[Secure-testing-commits] r41822 - data

2016-05-17 Thread Brian May
Author: bam
Date: 2016-05-17 23:31:52 +0000 (Tue, 17 May 2016)
New Revision: 41822

Modified:
   data/dla-needed.txt
Log:
Claim imagemagick


Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2016-05-17 22:37:22 UTC (rev 41821)
+++ data/dla-needed.txt 2016-05-17 23:31:52 UTC (rev 41822)
@@ -36,7 +36,7 @@
 icu (Roberto C. Sánchez)
   NOTE: check comments on CVE-2016-0494 as well
 --
-imagemagick
+imagemagick (Brian May)
   NOTE: several high profile vulnerabilities
 --
 libjackson-json-java

