[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] DSA-4167-1 sharutils
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f190df2 by Luciano Bello at 2018-04-05T12:47:02-04:00 DSA-4167-1 sharutils - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[05 Apr 2018] DSA-4167-1 sharutils - security update + {CVE-2018-197} + [jessie] - sharutils 4.14-2+deb8u1 + [stretch] - sharutils 1:4.15.2-2+deb9u1 [04 Apr 2018] DSA-4166-1 openjdk-7 - security update {CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678} [jessie] - openjdk-7 7u171-2.6.13-1~deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -80,10 +80,6 @@ ruby2.1/oldstable -- ruby2.3/stable -- -sharutils (luciano) - Maintainer proposed debdiff for review for stretch-security. - Pending request back for jessie-security --- squirrelmail/oldstable -- sqlite3/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f190df282237a6e9f1edca0768dc90b4465c613 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f190df282237a6e9f1edca0768dc90b4465c613 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
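Review bot: the CVE reference in the new data/DSA/list entry, {CVE-2018-197}, is not a valid identifier; CVE sequence numbers have at least four digits, so this looks truncated. Check the id against the advisory text and correct it, since the tracker and downstream tooling match DSA entries to data/CVE/list by exact id and a malformed one will simply fail to link.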
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] DSA-4165-1 ldap-account-manager
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: bff98c48 by Luciano Bello at 2018-04-03T21:30:28-04:00 DSA-4165-1 ldap-account-manager - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[03 Apr 2018] DSA-4165-1 ldap-account-manager - security update + {CVE-2018-8763 CVE-2018-8764} + [jessie] - ldap-account-manager 4.7.1-1+deb8u1 + [stretch] - ldap-account-manager 5.5-1+deb9u1 [03 Apr 2018] DSA-4164-1 apache2 - security update {CVE-2017-15710 CVE-2017-15715 CVE-2018-1283 CVE-2018-1301 CVE-2018-1303 CVE-2018-1312} [jessie] - apache2 2.4.10-10+deb8u12 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -34,8 +34,6 @@ graphicsmagick imagemagick Wait until more issues have piled up -- -ldap-account-manager --- libav/oldstable We can ship the next libav 11.x point release when available -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bff98c4874b2868878e57ea241667888f087a452 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bff98c4874b2868878e57ea241667888f087a452 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: DSA-4160-1 python-django
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 6793b723 by Luciano Bello at 2018-04-01T08:48:24-04:00 DSA-4160-1 python-django - - - - - 57e712be by Luciano Bello at 2018-04-01T09:10:40-04:00 merge - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4083,10 +4083,12 @@ CVE-2018-7537 (An issue was discovered in Django 2.0 before 2.0.3, 1.11 before . {DLA-1303-1} - python-django 1:1.11.11-1 NOTE: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/ + NOTE: Patch https://github.com/django/django/commit/a91436360b79a6ff995c3e5018bcc666dfaf1539 CVE-2018-7536 (An issue was discovered in Django 2.0 before 2.0.3, 1.11 before ...) {DLA-1303-1} - python-django 1:1.11.11-1 NOTE: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/ + NOTE: Patch https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16 CVE-2018-7535 RESERVED CVE-2018-7534 = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[01 Apr 2018] DSA-4161-1 python-django - security update + {CVE-2018-7536 CVE-2018-7537} + [jessie] - python-django 1.7.11-1+deb8u3 + [stretch] - python-django 1:1.10.7-2+deb9u1 [01 Apr 2018] DSA-4160-1 libevt - security update {CVE-2018-8754} [stretch] - libevt 20170120-1+deb9u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt 
@@ -68,10 +68,6 @@ phpmyadmin/oldstable (abhijith) -- pjproject -- -python-django (luciano) - Brian May proposed a debdiff for jessie-security, needs review and ack. - stretch-security update needed as well to be done. --- qemu/oldstable -- redmine View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0ffe8e5f7844732121150cade15131c2310e4dca...57e712bebb7d7f8f55758f0c394e2d665a1593d1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0ffe8e5f7844732121150cade15131c2310e4dca...57e712bebb7d7f8f55758f0c394e2d665a1593d1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
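Review bot: the advisory number in the new data/DSA/list entry, DSA-4161-1, does not match the commit message and subject, which say DSA-4160-1; the unchanged context line below the addition already assigns DSA-4160-1 to libevt, so the entry itself looks right and it is the commit message that is off. A follow-up commit referencing DSA-4161-1 would keep the git log searchable by advisory id.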
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: DSA-4152-1 mupdf
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: ee9a7dc8 by Luciano Bello at 2018-03-27T13:37:41-04:00 DSA-4152-1 mupdf - - - - - 0bb94c73 by Luciano Bello at 2018-03-27T15:48:38-04:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -50,8 +50,6 @@ linux -- mercurial -- -mupdf (luciano) --- net-snmp/oldstable (carnil) lamby prepared an update for jessie -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/850ad4a172fdf2a69d7478202861d066c445d04f...0bb94c737c69b2c4f3054839756b5c225eef71a8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/850ad4a172fdf2a69d7478202861d066c445d04f...0bb94c737c69b2c4f3054839756b5c225eef71a8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
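Review bot: this push removes mupdf from data/dsa-needed.txt under a DSA-4152-1 commit message but touches no other file, so the matching data/DSA/list entry is not in this diff. Confirm that the DSA-4152-1 entry was added in another commit before the dsa-needed line is dropped; otherwise the package falls out of both lists and nothing records that the update is still owed.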
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] +mupdf and +sharutils : luciano
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: ae5d8751 by Luciano Bello at 2018-03-25T20:58:08-04:00 +mupdf and +sharutils : luciano - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -45,6 +45,8 @@ linux -- mercurial -- +mupdf (luciano) +-- openjdk-7/oldstable (jmm) -- openjpeg2 (luciano) @@ -79,7 +81,7 @@ ruby-loofah -- ruby2.1/oldstable -- -sharutils +sharutils (luciano) Maintainer proposed debdiff for review for stretch-security. Pending request back for jessie-security -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae5d875143f4ac606e9134880057a5686f97e88d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae5d875143f4ac606e9134880057a5686f97e88d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] unify error message generation: librelp and rsyslog
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: fbf74ec9 by Luciano Bello at 2018-03-22T21:12:54-04:00 unify error message generation: librelp and rsyslog - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -355,6 +355,10 @@ CVE-2018-8778 RESERVED CVE-2018-8777 RESERVED +CVE-2018- [unify error message generation] + - librelp + - rsyslog + NOTE: Patch https://github.com/rsyslog/librelp/commit/2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf CVE-2018- [Multiple vulnerabilities in CiviCRM] - civicrm 4.7.30+dfsg-1 (bug #887330) NOTE: https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbf74ec90c9a2412b7514b55d2302e3daf4b2ce0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbf74ec90c9a2412b7514b55d2302e3daf4b2ce0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
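Review bot: the two source-package lines in the new entry, '- librelp' and '- rsyslog', carry no version, bug reference or state tag, so the tracker will list both as unfixed in every suite until someone revisits them. Record the fixed version (or an explicit unfixed marker with a bug number) for each, and consider replacing the bracketed description, which is the upstream commit title 'unify error message generation', with a short statement of the security impact so the entry is meaningful on its own.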
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dsa-needed.txt: python-django (luciano)
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: deedb57c by Luciano Bello at 2018-03-21T09:42:14-04:00 dsa-needed.txt: python-django (luciano) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -70,7 +70,7 @@ plexus-utils2/oldstable (jmm) polarssl (seb) James Cowgill ported the full set of patches against 1.3.9 in jessie -- -python-django +python-django (luciano) Brian May proposed a debdiff for jessie-security, needs review and ack. stretch-security update needed as well to be done. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/deedb57c9b2584280cc0275228623f029d7db4ce --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/deedb57c9b2584280cc0275228623f029d7db4ce You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] libpodofo (bug #892520)
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: ee86e78d by Luciano Bello at 2018-03-10T00:34:58-05:00 libpodofo (bug #892520) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,11 +1,11 @@ CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in ...) - - libpodofo + - libpodofo (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548930 CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) - - libpodofo + - libpodofo (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1549469 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...) - - libpodofo + - libpodofo (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee86e78dfb88cc7c7c6b4b346c7095d8710d6e5f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee86e78dfb88cc7c7c6b4b346c7095d8710d6e5f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-6916: kfreebsd-10
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 240db507 by Luciano Bello at 2018-03-09T23:48:41-05:00 CVE-2018-6916: kfreebsd-10 - - - - - a7711a92 by Luciano Bello at 2018-03-10T00:15:24-05:00 CVE-2018-8000-8002: libpodofo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,9 +1,12 @@ CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in ...) - TODO: check + - libpodofo + NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548930 CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) - TODO: check + - libpodofo + NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1549469 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...) - TODO: check + - libpodofo + NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference ...) TODO: check CVE-2018-7998 (In libvips before 8.6.3, a NULL function pointer dereference ...) @@ -3121,7 +3124,8 @@ CVE-2018-6918 CVE-2018-6917 RESERVED CVE-2018-6916 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p7, 10.4-STABLE, ...) - TODO: check + - kfreebsd-10 (low) + NOTE: Patch https://www.freebsd.org/security/patches/SA-18:01/ipsec-10.patch CVE-2018-6915 RESERVED CVE-2018-6914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/65e99cea307d2e3d0fa0da73b24141842cc0d282...a7711a92c9bdc6e6d9057d844f197b084b3eb917 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/65e99cea307d2e3d0fa0da73b24141842cc0d282...a7711a92c9bdc6e6d9057d844f197b084b3eb917 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
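Review bot: the three libpodofo lines added in the first hunk (CVE-2018-8000 to CVE-2018-8002) record a source package but no fixed version and no Debian bug reference; the only pointers are the PoC NOTE links to an external bugzilla. Add a bug number or an explicit unfixed marker so the issues are tracked against the package in Debian rather than left with only an external reference.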
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-7652: NOT-FOR-US: Zonemaster Web GUI
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e743078 by Luciano Bello at 2018-03-04T22:00:11-05:00 CVE-2018-7652: NOT-FOR-US: Zonemaster Web GUI - - - - - ea3ccaff by Luciano Bello at 2018-03-04T22:45:04-05:00 CVE-2018-7567 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15,7 +15,8 @@ CVE-2018-7654 (On 3CX 15.5.6354.2 devices, the parameter "file" in the CVE-2018-7653 (In YzmCMS 3.6, index.php has XSS via the a, c, or m parameter. ...) NOT-FOR-US: YzmCMS CVE-2018-7652 (lib/Zonemaster/GUI/Dancer/Export.pm in Zonemaster Web GUI before 1.0.11 ...) - TODO: check + NOT-FOR-US: Zonemaster Web GUI + NOTE: The source (1.0.7) is in Salsa, but never uploaded: https://salsa.debian.org/perl-team/modules/packages/zonemaster-gui CVE-2017-18213 (In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate ...) NOT-FOR-US: Exponent CMS CVE-2017-18214 [Regular Expression Denial of Service] 
@@ -307,7 +308,10 @@ CVE-2018-1000105 CVE-2018-1000104 NOT-FOR-US: Jenkins plugin CVE-2018-7567 (In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 ...) - TODO: check + - otrs2 6.0.2-1 + [stretch] - otrs2 (non-free not supported) + NOTE: PoC https://0day.today/exploit/29938 + NOTE: According with the reporter, affects "5.0.0 through 5.0.24 and 6.0.0 through 6.0.1". CVE-2018-7566 [ALSA: seq: Fix racy pool initializations] RESERVED - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b7f549729d2c08c63c729930246f3338338582f7...ea3ccaffa640a6995000841234a0b584d425c5b5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b7f549729d2c08c63c729930246f3338338582f7...ea3ccaffa640a6995000841234a0b584d425c5b5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
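Review bot: the suite line '[stretch] - otrs2 (non-free not supported)' in the CVE-2018-7567 entry has a free-text comment but neither a version nor a state tag, so it does not express a status the tracker can act on. Use the tag that matches the intended meaning, e.g. '[stretch] - otrs2 <end-of-life> (non-free not supported)', or <not-affected> if stretch is unaffected; and as a nit, 'According with the reporter' should read 'According to the reporter'.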
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] DSA-4109-1 ruby-omniauth
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: f940aae2 by Luciano Bello at 2018-02-09T21:04:55-05:00 DSA-4109-1 ruby-omniauth - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[09 Feb 2018] DSA-4109-1 ruby-omniauth - security update + {CVE-2017-18076} + [jessie] - ruby-omniauth 1.2.1-1+deb8u1 + [stretch] - ruby-omniauth 1.3.1-1+deb9u1 [09 Feb 2018] DSA-4108-1 mailman - security update {CVE-2018-5950} [jessie] - mailman 2.1.18-2+deb8u2 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -80,8 +80,6 @@ redmine -- ruby2.1/oldstable -- -ruby-omniauth (luciano) --- simplesamlphp (abhijith) -- sqlite3/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f940aae2d89ae0136d50ee98fe82a11ca0e7c694 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f940aae2d89ae0136d50ee98fe82a11ca0e7c694 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] wrong link
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 08a50d31 by Luciano Bello at 2018-02-08T18:44:01-05:00 wrong link - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -174,7 +174,7 @@ CVE-2018-6789 [buffer overflow] RESERVED - exim4 NOTE: http://www.openwall.com/lists/oss-security/2018/02/07/2 - NOTE: https://exim.org/security/CVE-2018-6789.txt + NOTE: https://exim.org/static/doc/security/CVE-2018-6789.txt CVE-2018-6788 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows ...) NOT-FOR-US: Jiangmin Antivirus CVE-2018-6787 (In Jiangmin Antivirus 16.0.0.100, the driver file (KVFG.sys) allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08a50d313b26caaac02c823a47625c16e78b6309 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08a50d313b26caaac02c823a47625c16e78b6309 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] DSA-4105-1 mpv - security update
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 74f50d49 by Luciano Bello at 2018-02-06T21:14:38-05:00 DSA-4105-1 mpv - security update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[06 Feb 2018] DSA-4105-1 mpv - security update + {CVE-2018-6360} + [stretch] - mpv 0.23.0-2+deb9u1 [04 Feb 2018] DSA-4104-1 p7zip - security update {CVE-2017-17969} [jessie] - p7zip 9.20.1~dfsg.1-4.1+deb8u3 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -44,8 +44,6 @@ mailman -- mercurial -- -mpv (luciano) --- openjdk-7/oldstable (jmm) -- openjdk-8/stable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74f50d4995e8c01eada0fe6caacab6237df7e9e1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74f50d4995e8c01eada0fe6caacab6237df7e9e1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dsa-needed.txt: mpv (luciano)
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: ab6c8b14 by Luciano Bello at 2018-02-06T13:09:52-05:00 dsa-needed.txt: mpv (luciano) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -44,7 +44,7 @@ mailman -- mercurial -- -mpv +mpv (luciano) -- openjdk-7/oldstable (jmm) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab6c8b14b636b6635e8adc5ff4da1492fd15a83c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab6c8b14b636b6635e8adc5ff4da1492fd15a83c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-0508 to 10: NFU
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: c1309e66 by Luciano Bello at 2018-02-04T22:06:29-05:00 CVE-2018-0508 to 10: NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16398,11 +16398,11 @@ CVE-2018-0512 CVE-2018-0511 (Cross-site scripting vulnerability in WP Retina 2x prior to version ...) NOT-FOR-US: WP Retina CVE-2018-0510 (Buffer overflow in epg search result viewer (kkcald) 0.7.19 and ...) - TODO: check + NOT-FOR-US: kkcal CVE-2018-0509 (Cross-site request forgery (CSRF) vulnerability in epg search result ...) - TODO: check + NOT-FOR-US: kkcal CVE-2018-0508 (Cross-site scripting vulnerability in epg search result viewer ...) - TODO: check + NOT-FOR-US: kkcal CVE-2018-0507 (Untrusted search path vulnerability in FLET'S VIRUS CLEAR Easy Setup & ...) NOT-FOR-US: FLET'S VIRUS CLEAR CVE-2018-0506 (Nootka 1.4.4 and earlier allows remote attackers to execute arbitrary ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c1309e66c41c1e6311163d5d3faa7aa65d30a53e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c1309e66c41c1e6311163d5d3faa7aa65d30a53e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2018-6548: chromium-browser
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: c6864d05 by Luciano Bello at 2018-02-04T21:35:58-05:00 CVE-2018-6548: chromium-browser <unfixed> - - - - - 9d6005e5 by Luciano Bello at 2018-02-04T21:49:04-05:00 CVE-2018-6317: NFU - - - - - e939cb82 by Luciano Bello at 2018-02-04T21:51:25-05:00 CVE-2018-5261: NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -184,6 +184,10 @@ CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vuln CVE-2018-6549 RESERVED CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02-02. If ...) + - chromium-browser + [wheezy] - chromium-browser (Not supported in wheezy LTS) + NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493 + NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md TODO: check CVE-2018-6547 RESERVED @@ -883,7 +887,7 @@ CVE-2018-6319 (In Sophos Tester Tool 3.2.0.7 Beta, the driver accepts a special CVE-2018-6318 (In Sophos Tester Tool 3.2.0.7 Beta, the driver loads (in the context ...) NOT-FOR-US: Sophos Tester Tool CVE-2018-6317 (The remote management interface in Claymore Dual Miner 10.5 and ...) - TODO: check + NOT-FOR-US: Claymore's Dual Ethereum CVE-2018-6316 RESERVED CVE-2018-6315 (The outputSWF_TEXT_RECORD function (util/outputscript.c) in libming ...) 
@@ -3595,7 +3599,7 @@ CVE-2018-5263 (The StackIdeas EasyDiscuss (aka com_easydiscuss) extension before CVE-2018-5262 (A stack-based buffer overflow in Flexense DiskBoss 8.8.16 and earlier ...) NOT-FOR-US: Flexense DiskBoss CVE-2018-5261 (An issue was discovered in Flexense DiskBoss 8.8.16 and earlier. Due ...) - TODO: check + NOT-FOR-US: Flexense DiskBoss CVE-2018-5260 RESERVED CVE-2018-5259 (Discuz! DiscuzX X3.4 allows remote authenticated users to bypass ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/886db6a37a59fb415b84eecb27307f3661d8d126...e939cb82604c723baf9e167c3486df5e2deea89a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/886db6a37a59fb415b84eecb27307f3661d8d126...e939cb82604c723baf9e167c3486df5e2deea89a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
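Review bot: the 'TODO: check' line under CVE-2018-6548 is left in place after the chromium-browser triage lines are added above it in the first hunk, so the entry now carries both a resolution and an open TODO. Drop the TODO, and check the '[wheezy] - chromium-browser (Not supported in wheezy LTS)' line: it gives a comment but no state tag such as <end-of-life>, so as written it does not tell the tracker what the wheezy status actually is.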
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] DSA-4094-2 smarty3
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 09d3216b by Luciano Bello at 2018-01-30T12:45:59-05:00 DSA-4094-2 smarty3 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[30 Jan 2018] DSA-4094-2 smarty3 - security update + {CVE-2017-1000480} + [jessie] - smarty3 3.1.21-1+deb8u2 [28 Jan 2018] DSA-4101-1 wireshark - security update {CVE-2018-5334 CVE-2018-5335 CVE-2018-5336} [jessie] - wireshark 1.12.1+g01b65bf-4+deb8u13 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09d3216b45db80f885e32fa83c8727650e52e930 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09d3216b45db80f885e32fa83c8727650e52e930 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] ruby-omniauth (luciano)
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 0da18462 by Luciano Bello at 2018-01-27T16:33:22-05:00 ruby-omniauth (luciano) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -62,6 +62,8 @@ redmine -- ruby2.1/oldstable -- +ruby-omniauth (luciano) +-- simplesamlphp -- sqlite3/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0da18462d9c32fe795d87069c0a13f95319b15b0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0da18462d9c32fe795d87069c0a13f95319b15b0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-0486 fixed in xmltooling 1.6.3-1
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: d3406990 by Luciano Bello at 2018-01-23T21:20:14-05:00 CVE-2018-0486 fixed in xmltooling 1.6.3-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -14874,7 +14874,7 @@ CVE-2018-0487 RESERVED CVE-2018-0486 (Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service ...) {DSA-4085-1 DLA-1242-1} - - xmltooling + - xmltooling 1.6.3-1 [stretch] - xmltooling (Xerces is configured to disallow DTD use) NOTE: https://shibboleth.net/community/advisories/secadv_20180112.txt NOTE: Fixed upstream in 1.6.3 to workaround bug independent of if parser already View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d34069901d262353bb400093ba73478fad8ffeeb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d34069901d262353bb400093ba73478fad8ffeeb You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-8373 and CVE-2017-8372 are the same issue
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: e2db9347 by Luciano Bello at 2018-01-22T21:23:33-05:00 CVE-2017-8373 and CVE-2017-8372 are the same issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -41246,10 +41246,12 @@ CVE-2017-8374 (The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b CVE-2017-8373 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b ...) - libmad 0.15.1b-4 NOTE: Addressed by patch from #508133 + NOTE: Duplicate with CVE-2017-8372 CVE-2017-8372 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, ...) - libmad 0.15.1b-4 (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/ NOTE: Addressed by patch from #508133 + NOTE: Duplicate with CVE-2017-8373 CVE-2017-8371 (Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses ...) NOT-FOR-US: Schneider Electric CVE-2017-8370 (IrfanView version 4.44 (32bit) with FPX Plugin 4.45 allows remote ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2db9347564198d1044ded729fe46732c257a0ed --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2db9347564198d1044ded729fe46732c257a0ed You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
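Review bot: marking CVE-2017-8373 and CVE-2017-8372 as duplicates of each other leaves their package lines inconsistent: CVE-2017-8372 is '- libmad 0.15.1b-4 (unimportant)' while CVE-2017-8373 is '- libmad 0.15.1b-4' with no severity. If they are the same issue the severity annotation should match, and the Gentoo reference carried only by CVE-2017-8372 could be copied to CVE-2017-8373 so either entry stands on its own.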
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] DSA-4094-1 smarty3
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 62c1bb19 by Luciano Bello at 2018-01-22T17:37:17-05:00 DSA-4094-1 smarty3 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[22 Jan 2018] DSA-4094-1 smarty3 - security update + {CVE-2017-1000480} + [jessie] - smarty3 3.1.21-1+deb8u1 + [stretch] - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u1 [21 Jan 2018] DSA-4093-1 openocd - security update {CVE-2018-5704} [jessie] - openocd 0.8.0-4+deb7u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -60,9 +60,6 @@ salt -- simplesamlphp -- -smarty3 (luciano) - Maintainer preparing updates for jessie- and stretch-security --- sqlite3/oldstable -- sssd/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62c1bb1938981cc562fafc2973bcaf9d86f09257 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62c1bb1938981cc562fafc2973bcaf9d86f09257 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: DSA-4093-1 openocd
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ff1995a by Luciano Bello at 2018-01-21T21:22:45-05:00 DSA-4093-1 openocd - - - - - da33fcf7 by Luciano Bello at 2018-01-22T17:21:42-05:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[21 Jan 2018] DSA-4093-1 openocd - security update + {CVE-2018-5704} + [jessie] - openocd 0.8.0-4+deb7u1 + [stretch] - openocd 0.9.0-1+deb8u1 [19 Jan 2018] DSA-4092-1 awstats - security update {CVE-2017-1000501} [jessie] - awstats 7.2+dfsg-1+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -38,8 +38,6 @@ openjdk-8/stable (jmm) -- openjpeg2 -- -openocd (luciano) --- passenger/stable -- php-horde-image View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b3fc0e73e0d65360b3f212019d033cd2b910709b...da33fcf7f095abcb47a62911d907c3b8eaba8f0e
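Review bot: the version suffixes in the new DSA-4093-1 entry do not match their suite labels: `[jessie] - openocd 0.8.0-4+deb7u1` and `[stretch] - openocd 0.9.0-1+deb8u1`, whereas jessie security uploads carry +deb8uN and stretch uploads +deb9uN (compare the awstats line just below, `7.2+dfsg-1+deb8u1` for jessie). Please check both version strings against the published advisory; as written, the tracker's per-suite status for CVE-2018-5704 will be computed from versions that do not exist in those suites.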
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: dsa-needed: openocd (luciano)
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: f3a2a408 by Luciano Bello at 2018-01-19T11:01:49-05:00 dsa-needed: openocd (luciano) - - - - - ab6c80b3 by Luciano Bello at 2018-01-19T11:02:09-05:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -38,6 +38,8 @@ openjdk-8/stable (jmm) -- openjpeg2 -- +openocd (luciano) +-- passenger/stable -- php-horde-image View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b0a2e7d326b94019ad338494f483946f7893f979...ab6c80b3ee8be14f98a822eb1fd7ea36806fdbd4
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: fd until 20-05
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 46283705 by Luciano Bello at 2018-01-15T21:27:46-05:00 fd until 20-05 - - - - - fc1725a3 by Luciano Bello at 2018-01-15T21:28:10-05:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - org/security-frontdesk.2018.txt Changes: = org/security-frontdesk.2018.txt = --- a/org/security-frontdesk.2018.txt +++ b/org/security-frontdesk.2018.txt 
@@ -1,23 +1,23 @@ From 01-01 to 07-01: From 08-01 to 14-01: -From 15-01 to 21-01: -From 22-01 to 28-01: -From 29-01 to 04-02: -From 05-02 to 11-02: -From 12-02 to 18-02: -From 19-02 to 25-02: -From 26-02 to 04-03: -From 05-03 to 11-03: -From 12-03 to 18-03: -From 19-03 to 25-03: -From 26-03 to 01-04: -From 02-04 to 08-04: -From 09-04 to 15-04: -From 16-04 to 22-04: -From 23-04 to 29-04: -From 30-04 to 06-05: -From 07-05 to 13-05: -From 14-05 to 20-05: +From 15-01 to 21-01: luciano +From 22-01 to 28-01: gilbert +From 29-01 to 04-02: geissert +From 05-02 to 11-02: corsac +From 12-02 to 18-02: thijs +From 19-02 to 25-02: fw +From 26-02 to 04-03: seb +From 05-03 to 11-03: jmm +From 12-03 to 18-03: carnil +From 19-03 to 25-03: luciano +From 26-03 to 01-04: gilbert +From 02-04 to 08-04: geissert +From 09-04 to 15-04: corsac +From 16-04 to 22-04: thijs +From 23-04 to 29-04: fw +From 30-04 to 06-05: seb +From 07-05 to 13-05: jmm +From 14-05 to 20-05: carnil From 21-05 to 27-05: From 28-05 to 03-06: From 04-06 to 10-06: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/699ef605c758669ef0ec2cb148664c600f219069...fc1725a3a1e35cb4c8541951cee9e9dffee3e678
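Review bot: the rows `From 01-01 to 07-01:` and `From 08-01 to 14-01:` are left blank while every later row through 20-05 is assigned; the commit is dated 15-01, so those two weeks are already past, and recording who covered them keeps the file usable as a record of who was on frontdesk. The rotation itself (luciano, gilbert, geissert, corsac, thijs, fw, seb, jmm, carnil, then repeating) is applied consistently across both cycles.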
[Secure-testing-commits] r58259 - data
Author: luciano Date: 2017-12-05 04:07:33 +0000 (Tue, 05 Dec 2017) New Revision: 58259 Modified: data/embedded-code-copies Log: libutils and skia in firefox and others Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-12-05 04:02:19 UTC (rev 58258) +++ data/embedded-code-copies 2017-12-05 04:07:33 UTC (rev 58259) @@ -2263,6 +2263,20 @@ libunwind - android-platform-external-libunwind (fork) +libutils (not in Debian) + - android-platform-system-core (embed) + - firefox (embed) + - firefox-esr (embed) + - icedove (embed) + - thunderbird (embed) + +skia (not in Debian) + - firefox-esr (embed) + - firefox (embed) + - qtwebengine-opensource-src (embed) + - icedove (embed) + - thunderbird (embed) + jsilver (removed from stretch and later): - android-platform-external-jsilver (fork)
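Review bot: `libutils` as an origin name is ambiguous. The entries are evidently Android's libutils from platform/system/core, but the header does not say so, and android-platform-system-core is listed as an embedder of it even though that package is the Debian packaging of the very tree libutils lives in. Naming the origin precisely in the header (for example `libutils (Android platform/system/core; not in Debian)`) and deciding whether android-platform-system-core belongs under it or is itself the origin would stop future Android CVEs being routed to the wrong side of the relationship. Minor: the skia list orders firefox-esr before firefox, the libutils list the other way round.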
[Secure-testing-commits] r58258 - data/CVE
Author: luciano Date: 2017-12-05 04:02:19 +0000 (Tue, 05 Dec 2017) New Revision: 58258 Modified: data/CVE/list Log: revisiting some nfu Modified: data/CVE/list === --- data/CVE/list 2017-12-04 22:34:40 UTC (rev 58257) +++ data/CVE/list 2017-12-05 04:02:19 UTC (rev 58258) @@ -50595,9 +50595,15 @@ CVE-2017-0843 (An elevation of privilege vulnerability in the MediaTek ccci. Product: ...) TODO: check CVE-2017-0842 (An elevation of privilege vulnerability in the Android system ...) - TODO: check + NOT-FOR-US: Fluoride Bluetooth stack in Android CVE-2017-0841 (A remote code execution vulnerability in the Android system ...) - TODO: check + - android-platform-system-core (unimportant) + - firefox + - firefox-esr + - icedove + - thunderbird + TODO: Vulnerable code exists in firefox/firefox-esr and thunderbird/icedove but not sure if affected + NOTE: Fixed by https://android.googlesource.com/platform/system/core/+/47efc676c849e3abf32001d66e2d6eb887e83c48%5E!/ CVE-2017-0840 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0839 (An information disclosure vulnerability in the Android media framework ...) @@ -50617,9 +50623,9 @@ CVE-2017-0832 (A remote code execution vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0831 (An elevation of privilege vulnerability in the Android framework ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0830 (An elevation of privilege vulnerability in the Android framework ...) - TODO: check + NOT-FOR-US: Android CVE-2017-0829 (An elevation of privilege vulnerability in the Motorola bootloader. ...) NOT-FOR-US: Motorola bootloader CVE-2017-0828 (An elevation of privilege vulnerability in the Huawei bootloader. ...)
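Review bot: for CVE-2017-0841 the four bare lines `- firefox`, `- firefox-esr`, `- icedove` and `- thunderbird` mark those packages as affected and unfixed in every suite, while the TODO on the next line says it is not yet known whether they are affected at all. Until that is settled, an unqualified vulnerable status will surface as four open issues; either keep the packages in the TODO only, or qualify the lines (a severity tag, or `<not-affected>` once the embedded libutils copy is confirmed not to contain the code the Fixed-by commit changes). The `(unimportant)` on android-platform-system-core also has no reason recorded; a short NOTE saying why would help the next person who revisits it.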
@@ -50633,9 +50639,10 @@ CVE-2017-0824 (An elevation of privilege vulnerability in the Broadcom wifi driver. ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0823 (An information disclosure vulnerability in the Android system (rild). ...) - NOT-FOR-US: Android + NOT-FOR-US: Android (rild) CVE-2017-0822 (An elevation of privilege vulnerability in the Android system ...) - NOT-FOR-US: Android + - android-framework-23 (unimportant) + NOTE: Fixed by https://android.googlesource.com/platform/frameworks/base/+/c574568aaede7f652432deb7707f20ae54bbdf9a CVE-2017-0821 RESERVED CVE-2017-0820 (A vulnerability in the Android media framework (n/a). Product: ...) @@ -50726,7 +50733,7 @@ NOT-FOR-US: Android NOTE: https://www.armis.com/blueborne/ CVE-2017-0780 (A denial of service vulnerability in the Android runtime (android ...) - NOT-FOR-US: Android + NOT-FOR-US: Android messaging CVE-2017-0779 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-0778 (A information disclosure vulnerability in the Android media framework ...) @@ -50780,9 +50787,10 @@ CVE-2017-0754 RESERVED CVE-2017-0753 (A remote code execution vulnerability in the Android libraries ...) - NOT-FOR-US: Android + NOT-FOR-US: Android (libgdx) CVE-2017-0752 (A elevation of privilege vulnerability in the Android framework ...) - NOT-FOR-US: Android + - android-framework-23 (unimportant) + NOTE: Fixed by https://android.googlesource.com/platform/frameworks/base/+/6ca2eccdbbd4f11698bd5312812b4d171ff3c8ce%5E%21/ CVE-2017-0751 RESERVED NOT-FOR-US: Google drivers for Android 
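Review bot: `android-framework-23` is recorded as affected-but-unimportant for CVE-2017-0822 and CVE-2017-0752 without a rationale, whereas the neighbouring dismissals carry a component name (`NOT-FOR-US: Android (rild)`, `NOT-FOR-US: Android (libgdx)`). If the package ships the vulnerable framework code but nothing in Debian runs it as a privileged Android component, say so in a NOTE next to the Fixed-by link so the `unimportant` tag can be re-evaluated if that changes. Minor: the two Fixed-by URLs use different forms, `/+/<hash>` for CVE-2017-0822 and `/+/<hash>%5E%21/` (the diff view) for CVE-2017-0752; the diff-view form is the one that shows the change directly.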
@@ -50947,9 +50955,14 @@ CVE-2017-0673 (A remote code execution vulnerability in the Android media framework. ...) NOT-FOR-US: Android media framework CVE-2017-0672 (A denial of service vulnerability in the Android libraries. Product: ...) - NOT-FOR-US: Android + - firefox-esr + - firefox 54.0-1 + - qtwebengine-opensource-src + - icedove + - thunderbird CVE-2017-0671 (A remote code execution vulnerability in the Android libraries. ...) NOT-FOR-US: Android + NOTE: Not publicly available CVE-2017-0670 (A denial of service vulnerability in the Android framework. Product: ...) NOT-FOR-US: Android CVE-2017-0669 (A information disclosure vulnerability in the Android framework. ...) @@ -64251,7 +64264,7 @@ CVE-2016-6025 (The Configuration Manager in IBM Sterling Secure Proxy (SSP) 3.4.2 ...) NOT-FOR-US: IBM CVE-2016-6024 (IBM Jazz technology based products might divulge information that ...) - TODO: check + NOT-FOR-US: IBM CVE-2016-6023 (Directory traversal vulnerability in the Configuration Manager in IBM ...) NOT-FOR-US: IBM CVE-2016-6022 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 are vuln
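Review bot: CVE-2017-0672 gains `- firefox 54.0-1` as the fixed version but leaves `- firefox-esr`, `- qtwebengine-opensource-src`, `- icedove` and `- thunderbird` bare, that is vulnerable and unfixed, with no pointer to what the fix is. A NOTE naming the upstream change that 54.0-1 contains would let the ESR and qtwebengine copies be checked against it, and if firefox-esr already carries that change a fixed version belongs on its line too. Under CVE-2017-0671, `NOTE: Not publicly available` reads as the justification for keeping NOT-FOR-US; saying explicitly that the entry should be re-checked once details are published would make that intent clear.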
[Secure-testing-commits] r58042 - data/CVE
Author: luciano Date: 2017-11-27 02:25:28 +0000 (Mon, 27 Nov 2017) New Revision: 58042 Modified: data/CVE/list Log: NOT-FOR-US: Android media framework Modified: data/CVE/list === --- data/CVE/list 2017-11-27 00:56:14 UTC (rev 58041) +++ data/CVE/list 2017-11-27 02:25:28 UTC (rev 58042)
@@ -47261,31 +47261,31 @@ CVE-2017-0860 (An elevation of privilege vulnerability in the Android system ...) TODO: check CVE-2017-0859 (Another vulnerability in the Android media framework (n/a). Product: ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0858 (Another vulnerability in the Android media framework (n/a). Product: ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0857 (Another vulnerability in the Android media framework (n/a). Product: ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0856 RESERVED CVE-2017-0855 RESERVED CVE-2017-0854 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0853 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0852 (A denial of service vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0851 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0850 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0849 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0848 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0847 (An elevation of privilege vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0846 RESERVED CVE-2017-0845 (A denial of service vulnerability in the Android framework ...) 
@@ -47299,23 +47299,23 @@ CVE-2017-0841 (A remote code execution vulnerability in the Android system ...) TODO: check CVE-2017-0840 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0839 (An information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0838 (An elevation of privilege vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0837 RESERVED CVE-2017-0836 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0835 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0834 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0833 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0832 (A remote code execution vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-0831 (An elevation of privilege vulnerability in the Android framework ...) TODO: check CVE-2017-0830 (An elevation of privilege vulnerability in the Android framework ...) @@ -93730,7 +93730,7 @@ NOTE: https://github.com/Dolibarr/dolibarr/issues/2857 NOTE: https://github.com/GPCsolutions/dolibarr/commit/a7f6bbd316e9b96216e9b2c7a065c9251c9a8907 CVE-2015-3934 (Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow ...) - TODO: check + NOT-FOR-US: Fiyo CMS CVE-2015-3933 (Multiple SQL injection vulnerabilities in inc/lib/User.class.php in ...) NOT-FOR-US: MetalGenix GeniXCMS CVE-2015-3932 (Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML ...) 
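Review bot: the batch turns a long run of `TODO: check` lines into `NOT-FOR-US: Android media framework`, but the CVE descriptions are truncated here, so the actual affected component is not visible in the diff. NOT-FOR-US is only right if that component is not among the android-platform-* source packages (android-platform-system-core is referenced elsewhere in this file) or any copy listed in data/embedded-code-copies, which matters most for the remote code execution entries CVE-2017-0832 through CVE-2017-0836. Recording the component name, as `NOT-FOR-US: Broadcom driver for Android` or `NOT-FOR-US: Motorola bootloader` do for other entries, would make the check reproducible for whoever next revisits these.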
@@ -122765,7 +122765,7 @@ CVE-2014-3151 RESERVED CVE-2014-3150 (Livebox 1.1 allows remote authenticated users to upload arbitrary ...) - TODO: check + NOT-FOR-US: Livebox CVE-2014-3149 (Cross-site scripting (XSS) vulnerability in Invision Power IP.Board ...) NOT-FOR-US: Invision Power IP.Board CVE-2014-3148 (Cross-site scripting (XSS) vulnerability in libahttp/err.c in OkCupid ...)
[Secure-testing-commits] r58028 - data/CVE
Author: luciano Date: 2017-11-26 04:06:22 +0000 (Sun, 26 Nov 2017) New Revision: 58028 Modified: data/CVE/list Log: CVE-2017-16942: libsndfile Modified: data/CVE/list === --- data/CVE/list 2017-11-25 23:36:41 UTC (rev 58027) +++ data/CVE/list 2017-11-26 04:06:22 UTC (rev 58028) @@ -3,7 +3,10 @@ CVE-2017-16945 RESERVED CVE-2017-16942 (In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists ...) - TODO: check + - libsndfile 1.0.27-1 + [jessie] - libsndfile (Minor issue) + [wheezy] - libsndfile (Minor issue) + NOTE: https://github.com/erikd/libsndfile/issues/341 CVE-2017-16944 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) - exim4 (bug #882671) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88)
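Review bot: the entry records the upstream issue (#341) but not the commit that fixed it, and the fixed version `1.0.27-1` is presumably the first Debian upload containing a fix the description places in 1.0.26; a `NOTE: Fixed by <commit>` next to the issue link would let the jessie and wheezy `Minor issue` decisions be re-checked against the actual code path, since a divide-by-zero on crafted input is a crash for every consumer that links the library.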
[Secure-testing-commits] r58027 - data/CVE
Author: luciano Date: 2017-11-25 23:36:41 +0000 (Sat, 25 Nov 2017) New Revision: 58027 Modified: data/CVE/list Log: CVE-2017-16946: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-25 21:10:15 UTC (rev 58026) +++ data/CVE/list 2017-11-25 23:36:41 UTC (rev 58027) @@ -1,5 +1,5 @@ CVE-2017-16946 (The admin_edit function in app/Controller/UsersController.php in MISP ...) - TODO: check + NOT-FOR-US: MISP CVE-2017-16945 RESERVED CVE-2017-16942 (In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists ...)
[Secure-testing-commits] r58006 - data/CVE
Author: luciano Date: 2017-11-24 22:13:48 +0000 (Fri, 24 Nov 2017) New Revision: 58006 Modified: data/CVE/list Log: CVE-2017-16879: #882620 Modified: data/CVE/list === --- data/CVE/list 2017-11-24 22:00:33 UTC (rev 58005) +++ data/CVE/list 2017-11-24 22:13:48 UTC (rev 58006) @@ -226,7 +226,7 @@ NOTE: https://github.com/Exiv2/exiv2/issues/175 NOTE: Can't seem to reproduce this in wheezy. CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in ...) - - ncurses + - ncurses (bug #882620) NOTE: PoC https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz CVE-2017-16878 RESERVED
[Secure-testing-commits] r58005 - data/CVE
Author: luciano Date: 2017-11-24 22:00:33 +0000 (Fri, 24 Nov 2017) New Revision: 58005 Modified: data/CVE/list Log: CVE-2017-16879: ncurses Modified: data/CVE/list === --- data/CVE/list 2017-11-24 21:10:14 UTC (rev 58004) +++ data/CVE/list 2017-11-24 22:00:33 UTC (rev 58005) @@ -226,7 +226,8 @@ NOTE: https://github.com/Exiv2/exiv2/issues/175 NOTE: Can't seem to reproduce this in wheezy. CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in ...) - TODO: check + - ncurses + NOTE: PoC https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz CVE-2017-16878 RESERVED CVE-2017-16877 (ZEIT Next.js before 2.4.1 has directory traversal under the /_next and ...)
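Review bot: the new ncurses entry has neither a fixed version nor an upstream fix reference, only a third-party PoC archive, so it is not yet actionable. A NOTE with the upstream commit or the ncurses patch level that corrects _nc_write_entry is needed, and the trigger should be stated in the entry: the PoC name (tic-overflow) suggests the overflow is reached by having `tic` compile a crafted terminfo source, which is the kind of detail that decides whether the stable suites get a DSA, a no-dsa, or an unimportant tag.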
[Secure-testing-commits] r58002 - data/CVE
Author: luciano Date: 2017-11-24 21:02:57 +0000 (Fri, 24 Nov 2017) New Revision: 58002 Modified: data/CVE/list Log: CVE-2017-16935: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-24 20:46:26 UTC (rev 58001) +++ data/CVE/list 2017-11-24 21:02:57 UTC (rev 58002) @@ -9,7 +9,7 @@ CVE-2017-16936 (Directory Traversal vulnerability in app_data_center on Shenzhen Tenda ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16935 (Ametys before 4.0.3 requires authentication only for URIs containing a ...) - TODO: check + NOT-FOR-US: Ametys CMS CVE-2017-16934 (The web server on DBL DBLTek devices allows remote attackers to execute ...) NOT-FOR-US: DBL DBLTek devices CVE-2017-16933 (etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.0 has a chown ...)
[Secure-testing-commits] r58001 - data/CVE
Author: luciano Date: 2017-11-24 20:46:26 +0000 (Fri, 24 Nov 2017) New Revision: 58001 Modified: data/CVE/list Log: CVE-2017-16936: NFU Modified: data/CVE/list === --- data/CVE/list 2017-11-24 19:44:55 UTC (rev 58000) +++ data/CVE/list 2017-11-24 20:46:26 UTC (rev 58001) @@ -7,7 +7,7 @@ CVE-2017-16937 RESERVED CVE-2017-16936 (Directory Traversal vulnerability in app_data_center on Shenzhen Tenda ...) - TODO: check + NOT-FOR-US: Shenzhen Tenda CVE-2017-16935 (Ametys before 4.0.3 requires authentication only for URIs containing a ...) TODO: check CVE-2017-16934 (The web server on DBL DBLTek devices allows remote attackers to execute ...)
[Secure-testing-commits] r57533 - data/DSA
Author: luciano Date: 2017-11-10 20:49:22 +0000 (Fri, 10 Nov 2017) New Revision: 57533 Modified: data/DSA/list Log: DSA-4006-2 Modified: data/DSA/list === --- data/DSA/list 2017-11-10 20:46:53 UTC (rev 57532) +++ data/DSA/list 2017-11-10 20:49:22 UTC (rev 57533) @@ -1,3 +1,7 @@ +[10 Nov 2017] DSA-4006-2 mupdf - security update + {CVE-2017-15587} + [jessie] - mupdf 1.5-1+deb8u3 + [stretch] - mupdf 1.9a+ds1-4+deb9u2 [09 Nov 2017] DSA-4030-1 roundcube - security update {CVE-2017-16651} [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u1
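Review bot: the entry pairs `[stretch] - mupdf 1.9a+ds1-4+deb9u2` with a CVE set of `{CVE-2017-15587}` only, although stretch already had CVE-2017-15587 fixed by DSA-4006-1 in deb9u1. If deb9u2 is a regression fix for the deb9u1 upload, a word to that effect in the advisory text (and ideally in a NOTE in data/CVE/list) avoids readers concluding the first fix was incomplete; if it fixes something else, the CVE list for the stretch line is incomplete.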
[Secure-testing-commits] r57505 - data/CVE
Author: luciano Date: 2017-11-09 16:41:21 +0000 (Thu, 09 Nov 2017) New Revision: 57505 Modified: data/CVE/list Log: mupdf issues: pocs not effective in jessie Modified: data/CVE/list === --- data/CVE/list 2017-11-09 16:16:04 UTC (rev 57504) +++ data/CVE/list 2017-11-09 16:41:21 UTC (rev 57505) @@ -5453,19 +5453,20 @@ CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or ...) {DSA-4006-1 DLA-1164-1} - mupdf 1.11+ds1-1.1 (bug #877379) + [jessie] - mupdf (poc not effective) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) - [jessie] - mupdf (vulnerable code not present) + [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698540 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 CVE-2017-14685 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) - [jessie] - mupdf (vulnerable code not present) + [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698539 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
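Review bot: `poc not effective` is weaker evidence than `vulnerable code not present`. A proof of concept written against 1.11 can fail on jessie's 1.5 for reasons unrelated to the bug (a different parsing path, a different allocation layout), and for CVE-2017-14687 jessie is now resolved on PoC behaviour alone while the same entry shows wheezy's older 1.x receiving an actual fix via DLA-1164-1. Either confirm by comparing the function changed in 2b16dbd8 with jessie's source and record `vulnerable code not present`, or keep jessie as affected/no-dsa and move the PoC result into a NOTE as supporting information. For CVE-2017-14686 and CVE-2017-14685 the appended `poc not effective` adds nothing to an entry already justified by `vulnerable code not present`.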
[Secure-testing-commits] r57325 - data
Author: luciano Date: 2017-11-04 22:15:53 +0000 (Sat, 04 Nov 2017) New Revision: 57325 Modified: data/embedded-code-copies Log: revert r57324 Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-11-04 22:02:55 UTC (rev 57324) +++ data/embedded-code-copies 2017-11-04 22:15:53 UTC (rev 57325) @@ -250,9 +250,6 @@ - heimdal (embed) - netatalk (fork) -kopanocore - - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) - grip (which pkg is the origin?) - libcdaudio - grip @@ -346,9 +343,6 @@ - iceweasel (embed) - heimdal (embed; bug #559616) -sqlmap - - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) - util-linux - loop-aes-utils (embed) NOTE: contains code from util-linux' mount in the mount-aes-udeb @@ -620,9 +614,6 @@ rar - unrar-nonfree (embed) -relatorio - - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) - unrar-free (maybe this code is derived from the original rar, too?) - clamav (embed) NOTE: seems to be disabled in default config @@ -1479,9 +1470,6 @@ - zope2.11 (embed; bug #555358) - twill (embed; bug #555339) -peframe - - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) - pexpect - duplicity 0.6.06-1 (embed; bug #555359) - hplip (embed; bug #555361)
[Secure-testing-commits] r57326 - data
Author: luciano Date: 2017-11-04 22:25:48 +0000 (Sat, 04 Nov 2017) New Revision: 57326 Modified: data/embedded-code-copies Log: embed python-magic (as in libmagic) Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-11-04 22:15:53 UTC (rev 57325) +++ data/embedded-code-copies 2017-11-04 22:25:48 UTC (rev 57326) @@ -1465,6 +1465,12 @@ - python-mechanize (embed) - twill (embed) +python-magic (as in libmagic; itp: #877849) + - kopanocore (embed) + - sqlmap (embed) + - relatorio (embed) + - peframe (embed) + python-mechanize - zope2.10 (embed; bug #555357) - zope2.11 (embed; bug #555358)
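Review bot: the header `python-magic (as in libmagic; itp: #877849)` can be read as the libmagic Python bindings shipped with the file source package, whereas the entries reverted in r57325 pointed at https://github.com/ahupp/python-magic/blob/master/magic.py, a separate project that happens to use the same module name. Keeping that URL in the header or in a NOTE removes the ambiguity, and `itp: #877849` should follow the `bug #877849` spelling the rest of the file uses for bug references.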
[Secure-testing-commits] r57324 - data
Author: luciano Date: 2017-11-04 22:02:55 +0000 (Sat, 04 Nov 2017) New Revision: 57324 Modified: data/embedded-code-copies Log: embed python-magic, not the package, but the itp Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-11-04 21:18:35 UTC (rev 57323) +++ data/embedded-code-copies 2017-11-04 22:02:55 UTC (rev 57324) @@ -250,6 +250,9 @@ - heimdal (embed) - netatalk (fork) +kopanocore + - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) + grip (which pkg is the origin?) - libcdaudio - grip @@ -343,6 +346,9 @@ - iceweasel (embed) - heimdal (embed; bug #559616) +sqlmap + - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) + util-linux - loop-aes-utils (embed) NOTE: contains code from util-linux' mount in the mount-aes-udeb @@ -614,6 +620,9 @@ rar - unrar-nonfree (embed) +relatorio + - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) + unrar-free (maybe this code is derived from the original rar, too?) - clamav (embed) NOTE: seems to be disabled in default config @@ -1470,6 +1479,9 @@ - zope2.11 (embed; bug #555358) - twill (embed; bug #555339) +peframe + - https://github.com/ahupp/python-magic/blob/master/magic.py (embed; bug #877849) + pexpect - duplicity 0.6.06-1 (embed; bug #555359) - hplip (embed; bug #555361)
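Review bot: these four entries invert the file's structure. The surrounding entries (`rar` with `- unrar-nonfree (embed)`, `pexpect` with `- duplicity ...`) put the origin in the header and the packages embedding it as items; here the embedding package is the header and the origin URL is the item, so the same origin is spelled out four times in four places and nothing groups them for a future python-magic CVE. One `python-magic` header with kopanocore, sqlmap, relatorio and peframe as items is the form the rest of the file uses.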
[Secure-testing-commits] r57272 - data/CVE
Author: luciano Date: 2017-11-02 23:55:38 +0000 (Thu, 02 Nov 2017) New Revision: 57272 Modified: data/CVE/list Log: CVE-2015-7686: #868170 Modified: data/CVE/list === --- data/CVE/list 2017-11-02 22:55:17 UTC (rev 57271) +++ data/CVE/list 2017-11-02 23:55:38 UTC (rev 57272) @@ -81257,7 +81257,7 @@ CVE-2015-7687 (Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote ...) - opensmtpd 5.7.3p1-1 (bug #800787) CVE-2015-7686 (Algorithmic complexity vulnerability in Address.pm in the ...) - - libemail-address-perl (unimportant) + - libemail-address-perl (bug #868170; unimportant) [jessie] - libemail-address-perl (Minor issue) [wheezy] - libemail-address-perl (Minor issue) [squeeze] - libemail-address-perl (Minor issue)
[Secure-testing-commits] r57126 - data/CVE
Author: luciano Date: 2017-10-30 02:02:10 +0000 (Mon, 30 Oct 2017) New Revision: 57126 Modified: data/CVE/list Log: DSA-4006-1: some issues not affecting jessie Modified: data/CVE/list === --- data/CVE/list 2017-10-29 21:41:18 UTC (rev 57125) +++ data/CVE/list 2017-10-30 02:02:10 UTC (rev 57126) @@ -4262,11 +4262,14 @@ CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) + [jessie] - mupdf (vulnerable code not present) + [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698540 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 CVE-2017-14685 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) + [jessie] - mupdf (vulnerable code not present) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698539 NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a
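Review bot: jessie is now marked `vulnerable code not present` for CVE-2017-14686 and CVE-2017-14685, but the other two issues from DSA-4006-1 (CVE-2017-14687 and CVE-2017-15587) get no jessie line in this commit and so stay open there. A jessie decision for those two alongside these, even if only a TODO noting what remains to be checked, keeps the advisory's four issues in a consistent state in the tracker.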
[Secure-testing-commits] r56940 - in data: . DSA
Author: luciano Date: 2017-10-24 15:32:09 +0000 (Tue, 24 Oct 2017) New Revision: 56940 Modified: data/DSA/list data/dsa-needed.txt Log: mupdf DSA Modified: data/DSA/list === --- data/DSA/list 2017-10-24 13:53:36 UTC (rev 56939) +++ data/DSA/list 2017-10-24 15:32:09 UTC (rev 56940) @@ -1,3 +1,6 @@ +[24 Oct 2017] DSA-4006-1 mupdf - security update + {CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587} + [stretch] - mupdf 1.9a+ds1-4+deb9u1 [20 Oct 2017] DSA-4005-1 openjfx - security update {CVE-2017-10086 CVE-2017-10114} [stretch] - openjfx 8u141-b14-3~deb9u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-10-24 13:53:36 UTC (rev 56939) +++ data/dsa-needed.txt 2017-10-24 15:32:09 UTC (rev 56940) @@ -34,8 +34,6 @@ linux Wait until more issues have piled up -- -mupdf (luciano) --- openjdk-7/oldstable (jmm) -- openjdk-8/stable (jmm)
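Review bot: the new DSA-4006-1 entry lists four CVEs but only `[stretch] - mupdf 1.9a+ds1-4+deb9u1`; with no `[jessie]` line here and no jessie annotation recorded in data/CVE/list, the tracker will show all four as open in jessie, and the dsa-needed removal means nobody is assigned to resolve that. Record jessie's status for each (a fixed version, a no-dsa, or `vulnerable code not present`) at the same time so the advisory and the per-suite view agree, or leave a jessie-specific line in dsa-needed.txt.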
[Secure-testing-commits] r56823 - data
Author: luciano Date: 2017-10-18 15:00:21 +0000 (Wed, 18 Oct 2017) New Revision: 56823 Modified: data/dsa-needed.txt Log: dsa-needed: mupdf (luciano) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-10-18 14:45:39 UTC (rev 56822) +++ data/dsa-needed.txt 2017-10-18 15:00:21 UTC (rev 56823) @@ -38,7 +38,7 @@ linux Wait until more issues have piled up -- -mupdf +mupdf (luciano) -- mysql-5.5/oldstable --
[Secure-testing-commits] r56033 - data/CVE
Author: luciano Date: 2017-09-22 21:13:32 +0000 (Fri, 22 Sep 2017) New Revision: 56033 Modified: data/CVE/list Log: CVE-2017-14266: tcpreplay Modified: data/CVE/list === --- data/CVE/list 2017-09-22 21:10:17 UTC (rev 56032) +++ data/CVE/list 2017-09-22 21:13:32 UTC (rev 56033) @@ -1157,7 +1157,8 @@ CVE-2017-14267 (EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related ...) NOT-FOR-US: EE 4GEE WiFi MBB CVE-2017-14266 (tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow ...) - TODO: check + - tcpreplay 3.4.4-3 + NOTE: Fixed by http://launchpadlibrarian.net/270778908/tcpreplay_3.4.4-2_3.4.4-3.diff.gz CVE-2017-14265 (A Stack-based Buffer Overflow was discovered in xtrans_interpolate in ...) - libraw NOTE: https://github.com/LibRaw/LibRaw/issues/99
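Review bot: the `Fixed by` reference is a Debian packaging diff (tcpreplay_3.4.4-2_3.4.4-3.diff.gz, hosted on launchpadlibrarian.net) rather than the upstream change, so it is not evident which hunk in it addresses the heap overflow in tcprewrite, nor whether any stable suite shipping a 3.4.4 revision below -3 is affected. Citing the upstream commit or issue, and adding `[jessie]`/`[stretch]` lines if those suites carry an older revision, would make the entry verifiable.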
[Secure-testing-commits] r55168 - in data: . DSA
Author: luciano Date: 2017-08-28 20:44:43 +0000 (Mon, 28 Aug 2017) New Revision: 55168 Modified: data/DSA/list data/dsa-needed.txt Log: DSA-3957-1 ffmpeg Modified: data/DSA/list === --- data/DSA/list 2017-08-28 19:26:06 UTC (rev 55167) +++ data/DSA/list 2017-08-28 20:44:43 UTC (rev 55168) @@ -1,3 +1,6 @@ +[28 Aug 2017] DSA-3957-1 ffmpeg - security update + {CVE-2017-9608 CVE-2017-9993 CVE-2017-11399 CVE-2017-11665 CVE-2017-11719} + [stretch] - ffmpeg 7:3.2.7-1~deb9u1 [27 Aug 2017] DSA-3956-1 connman - security update {CVE-2017-12865} [jessie] - connman 1.21-1.2+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-28 19:26:06 UTC (rev 55167) +++ data/dsa-needed.txt 2017-08-28 20:44:43 UTC (rev 55168) @@ -28,9 +28,6 @@ Existing applications might rely on existing behaviour, monitor in unstable for a month -- -ffmpeg/stable (luciano) - The maintainer will upload 3.2.7 in early September --- ghostscript (carnil) -- gnupg/oldstable
[Secure-testing-commits] r55165 - data
Author: luciano Date: 2017-08-28 19:22:01 + (Mon, 28 Aug 2017) New Revision: 55165 Modified: data/dsa-needed.txt Log: ffmpeg: dsa-needed.txt Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-28 19:04:08 UTC (rev 55164) +++ data/dsa-needed.txt 2017-08-28 19:22:01 UTC (rev 55165) @@ -28,7 +28,7 @@ Existing applications might rely on existing behaviour, monitor in unstable for a month -- -ffmpeg/stable +ffmpeg/stable (luciano) The maintainer will upload 3.2.7 in early September -- ghostscript (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55135 - in data: . DSA
Author: luciano Date: 2017-08-27 22:19:53 + (Sun, 27 Aug 2017) New Revision: 55135 Modified: data/DSA/list data/dsa-needed.txt Log: connman DSA Modified: data/DSA/list === --- data/DSA/list 2017-08-27 21:27:14 UTC (rev 55134) +++ data/DSA/list 2017-08-27 22:19:53 UTC (rev 55135) @@ -1,3 +1,7 @@ +[27 Aug 2017] DSA-3956-1 connman - security update + {CVE-2017-12865} + [jessie] - connman 1.21-1.2+deb8u1 + [stretch] - connman 1.33-3+deb9u1 [26 Aug 2017] DSA-3955-1 mariadb-10.1 - security update {CVE-2017-3636 CVE-2017-3641 CVE-2017-3653} [stretch] - mariadb-10.1 10.1.26-0+deb9u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-27 21:27:14 UTC (rev 55134) +++ data/dsa-needed.txt 2017-08-27 22:19:53 UTC (rev 55135) @@ -14,8 +14,6 @@ -- 389-ds-base (fw) -- -connman (luciano) --- curl (ghedo) -- db/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r55134 - data/CVE
Author: luciano Date: 2017-08-27 21:27:14 + (Sun, 27 Aug 2017) New Revision: 55134 Modified: data/CVE/list Log: nfu: Replibit Modified: data/CVE/list === --- data/CVE/list 2017-08-27 21:10:16 UTC (rev 55133) +++ data/CVE/list 2017-08-27 21:27:14 UTC (rev 55134) @@ -3,7 +3,7 @@ CVE-2017-13708 RESERVED CVE-2017-13707 (Privilege escalation in Replibit Backup Manager earlier than version ...) - TODO: check + NOT-FOR-US: Replibit CVE-2017-13706 RESERVED CVE-2017-13709 (In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54998 - in data: . DSA
Author: luciano Date: 2017-08-23 15:39:04 + (Wed, 23 Aug 2017) New Revision: 54998 Modified: data/DSA/list data/dsa-needed.txt Log: aodh DSA Modified: data/DSA/list === --- data/DSA/list 2017-08-23 15:36:09 UTC (rev 54997) +++ data/DSA/list 2017-08-23 15:39:04 UTC (rev 54998) @@ -1,3 +1,6 @@ +[23 Aug 2017] DSA-3953-1 aodh - security update + {CVE-2017-12440} + [stretch] - aodh 3.0.0-4+deb9u1 [23 Aug 2017] DSA-3952-1 libxml2 - security update {CVE-2017-0663 CVE-2017-7375 CVE-2017-7376 CVE-2017-9047 CVE-2017-9048 CVE-2017-9049 CVE-2017-9050} [jessie] - libxml2 2.9.1+dfsg1-5+deb8u5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-23 15:36:09 UTC (rev 54997) +++ data/dsa-needed.txt 2017-08-23 15:39:04 UTC (rev 54998) @@ -14,9 +14,6 @@ -- 389-ds-base (fw) -- -aodh (luciano) - Maintainer sumitted the fix to team. Waiting for upload. --- connman (luciano) -- curl (ghedo) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54997 - data
Author: luciano Date: 2017-08-23 15:36:09 + (Wed, 23 Aug 2017) New Revision: 54997 Modified: data/dsa-needed.txt Log: connman patch ported to jessie and stretch Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-23 13:40:12 UTC (rev 54996) +++ data/dsa-needed.txt 2017-08-23 15:36:09 UTC (rev 54997) @@ -17,6 +17,8 @@ aodh (luciano) Maintainer sumitted the fix to team. Waiting for upload. -- +connman (luciano) +-- curl (ghedo) -- db/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54955 - data
Author: luciano Date: 2017-08-22 00:34:52 + (Tue, 22 Aug 2017) New Revision: 54955 Modified: data/dsa-needed.txt Log: the update of ffmpeg Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-21 21:44:19 UTC (rev 54954) +++ data/dsa-needed.txt 2017-08-22 00:34:52 UTC (rev 54955) @@ -31,7 +31,8 @@ Existing applications might rely on existing behaviour, monitor in unstable for a month -- -ffmpeg/stable (luciano) +ffmpeg/stable + The maintainer will upload 3.2.7 in early September -- ghostscript (carnil) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54954 - in data: . DSA
Author: luciano Date: 2017-08-21 21:44:19 + (Mon, 21 Aug 2017) New Revision: 54954 Modified: data/DSA/list data/dsa-needed.txt Log: DSA-3950-1: libraw Modified: data/DSA/list === --- data/DSA/list 2017-08-21 21:25:35 UTC (rev 54953) +++ data/DSA/list 2017-08-21 21:44:19 UTC (rev 54954) @@ -1,3 +1,7 @@ +[21 Aug 2017] DSA-3950-1 libraw - security update + {CVE-2017-6886 CVE-2017-6887} + [jessie] - libraw 0.16.0-9+deb8u3 + [stretch] - libraw 0.17.2-6+deb9u1 [21 Aug 2017] DSA-3949-1 augeas - security update {CVE-2017-7555} [jessie] - augeas 1.2.0-0.2+deb8u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-21 21:25:35 UTC (rev 54953) +++ data/dsa-needed.txt 2017-08-21 21:44:19 UTC (rev 54954) @@ -51,8 +51,6 @@ libav/oldstable several issues unfixed upstream -- -libraw (luciano) --- libvpx/oldstable -- libxml-libxml-perl (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54945 - data
Author: luciano Date: 2017-08-21 19:18:22 + (Mon, 21 Aug 2017) New Revision: 54945 Modified: data/dsa-needed.txt Log: aodh DSA Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-21 19:09:53 UTC (rev 54944) +++ data/dsa-needed.txt 2017-08-21 19:18:22 UTC (rev 54945) @@ -14,6 +14,9 @@ -- 389-ds-base (fw) -- +aodh (luciano) + Maintainer sumitted the fix to team. Waiting for upload. +-- curl (ghedo) -- db/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
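Review bot: the added comment line `Maintainer sumitted the fix to team. Waiting for upload.` misspells "submitted"; since dsa-needed.txt text is displayed verbatim on the tracker, suggest `Maintainer submitted the fix to team. Waiting for upload.` before it lands.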
[Secure-testing-commits] r54941 - data/CVE
Author: luciano Date: 2017-08-21 17:37:33 + (Mon, 21 Aug 2017) New Revision: 54941 Modified: data/CVE/list Log: CVE-2017-7206: ffmpeg Modified: data/CVE/list === --- data/CVE/list 2017-08-21 17:28:22 UTC (rev 54940) +++ data/CVE/list 2017-08-21 17:37:33 UTC (rev 54941) @@ -17176,7 +17176,7 @@ CVE-2017-7206 (The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows ...) - libav [jessie] - libav (Vulnerable code not present) - - ffmpeg (bug #872517) + - ffmpeg (bug #872517; Previous patches mitigated the issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1002 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=83b2b34d06e74cc8775ba3d833f9782505e17539 CVE-2017-7205 (A Cross-Site Scripting (XSS) was discovered in GamePanelX-V3 3.0.12. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
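Review bot: the changed line `- ffmpeg (bug #872517; Previous patches mitigated the issue)` still carries no fixed version or status tag, so the tracker keeps ffmpeg listed as open for CVE-2017-7206 while the parenthetical says the issue is already handled. If the conclusion is that ffmpeg is not vulnerable, record it with the tracker's `<not-affected>` tag and keep the explanation in the parenthesis; if a specific upload carries the mitigating patches, give that version instead. Free text in the parenthesis is not used when the tracker computes fixed/unfixed state.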
[Secure-testing-commits] r54832 - data/CVE
Author: luciano Date: 2017-08-18 03:41:54 + (Fri, 18 Aug 2017) New Revision: 54832 Modified: data/CVE/list Log: CVE-2017-7206: #872517 Modified: data/CVE/list === --- data/CVE/list 2017-08-18 02:15:07 UTC (rev 54831) +++ data/CVE/list 2017-08-18 03:41:54 UTC (rev 54832) @@ -16919,7 +16919,7 @@ CVE-2017-7206 (The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows ...) - libav [jessie] - libav (Vulnerable code not present) - - ffmpeg + - ffmpeg (bug #872517) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1002 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=83b2b34d06e74cc8775ba3d833f9782505e17539 CVE-2017-7205 (A Cross-Site Scripting (XSS) was discovered in GamePanelX-V3 3.0.12. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54831 - data
Author: luciano Date: 2017-08-18 02:15:07 + (Fri, 18 Aug 2017) New Revision: 54831 Modified: data/dsa-needed.txt Log: dsa-needed: ffmpeg (luciano) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-18 02:07:15 UTC (rev 54830) +++ data/dsa-needed.txt 2017-08-18 02:15:07 UTC (rev 54831) @@ -30,7 +30,7 @@ Existing applications might rely on existing behaviour, monitor in unstable for a month -- -ffmpeg/stable +ffmpeg/stable (luciano) -- ghostscript (carnil) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54830 - data/CVE
Author: luciano Date: 2017-08-18 02:07:15 + (Fri, 18 Aug 2017) New Revision: 54830 Modified: data/CVE/list Log: CVE-2017-9608: ffmpeg Modified: data/CVE/list === --- data/CVE/list 2017-08-18 01:49:16 UTC (rev 54829) +++ data/CVE/list 2017-08-18 02:07:15 UTC (rev 54830) @@ -9182,9 +9182,10 @@ NOT-FOR-US: Blackcat CMS CVE-2017-9608 [NULL pointer exception] RESERVED - - ffmpeg + - ffmpeg 7:3.3.3-1 NOTE: http://www.openwall.com/lists/oss-security/2017/08/14/1 - TODO: check + NOTE: https://github.com/FFmpeg/FFmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd + NOTE: https://github.com/FFmpeg/FFmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89 CVE-2017-9607 RESERVED CVE-2017-9606 (Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54829 - data/CVE
Author: luciano Date: 2017-08-18 01:49:16 + (Fri, 18 Aug 2017) New Revision: 54829 Modified: data/CVE/list Log: looks to me that ffmpeg is affected by CVE-2017-7206 Modified: data/CVE/list === --- data/CVE/list 2017-08-18 01:32:55 UTC (rev 54828) +++ data/CVE/list 2017-08-18 01:49:16 UTC (rev 54829) @@ -16918,7 +16918,7 @@ CVE-2017-7206 (The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows ...) - libav [jessie] - libav (Vulnerable code not present) - - ffmpeg + - ffmpeg NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1002 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=83b2b34d06e74cc8775ba3d833f9782505e17539 CVE-2017-7205 (A Cross-Site Scripting (XSS) was discovered in GamePanelX-V3 3.0.12. ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
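Review bot: as rendered here the removed and added lines are both `- ffmpeg`, so the hunk shows no visible change even though the log message says ffmpeg is affected. If the real diff toggled a status tag such as `<not-affected>` to `<unfixed>` (angle-bracket tags are easily lost when the mail is rendered), the change is fine but the log should say which tag was replaced; if it was only a whitespace change, the intent is not recorded anywhere in the entry and a `NOTE:` line explaining why ffmpeg is considered affected would help the next triager.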
[Secure-testing-commits] r54828 - data/CVE
Author: luciano Date: 2017-08-18 01:32:55 + (Fri, 18 Aug 2017) New Revision: 54828 Modified: data/CVE/list Log: nfu: cisco Modified: data/CVE/list === --- data/CVE/list 2017-08-17 21:10:14 UTC (rev 54827) +++ data/CVE/list 2017-08-18 01:32:55 UTC (rev 54828) 
@@ -17965,53 +17965,53 @@ CVE-2017-6791 RESERVED CVE-2017-6790 (A vulnerability in the Session Initiation Protocol (SIP) on the Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6789 RESERVED CVE-2017-6788 (The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6787 RESERVED CVE-2017-6786 (A vulnerability in Cisco Elastic Services Controller could allow an ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6785 (A vulnerability in configuration modification permissions validation ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6784 (A vulnerability in the web interface of the Cisco RV340, RV345, and ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6783 (A vulnerability in SNMP polling for the Cisco Web Security Appliance ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6782 (A vulnerability in the administrative web interface of Cisco Prime ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6781 (A vulnerability in the management of shell user accounts for Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6780 RESERVED CVE-2017-6779 RESERVED CVE-2017-6778 (A vulnerability in the Elastic Services Controller (ESC) web interface ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6777 (A vulnerability in the ConfD server of the Cisco Elastic Services ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6776 (A vulnerability in the web framework of Cisco Elastic Services ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6775 (A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6774 (A vulnerability in Cisco ASR 5000 Series Aggregated Services Routers ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6773 (A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6772 (A vulnerability in Cisco Elastic Services Controller (ESC) could allow ...) 
- TODO: check + NOT-FOR-US: Cisco CVE-2017-6771 (A vulnerability in the AutoVNF automation tool of the Cisco Ultra ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6770 (Cisco IOS 12.0 through 15.6, Adaptive Security Appliance (ASA) Software ...) NOT-FOR-US: Cisco CVE-2017-6769 (A vulnerability in the web-based management interface of the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6768 (A vulnerability in the build procedure for certain executable system ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6767 (A vulnerability in Cisco Application Policy Infrastructure Controller ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6766 (A vulnerability in the Secure Sockets Layer (SSL) Decryption and ...) NOT-FOR-US: Cisco CVE-2017-6765 (A vulnerability in the web-based management interface of Cisco Adaptive ...) @@ -18125,7 +18125,7 @@ CVE-2017-6711 (A vulnerability in the Ultra Automation Service (UAS) of the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6710 (A vulnerability in the Cisco Virtual Network Function (VNF) Element ...) - TODO: check + NOT-FOR-US: Cisco CVE-2017-6709 (A vulnerability in the AutoVNF tool for the Cisco Ultra Services ...) NOT-FOR-US: Cisco CVE-2017-6708 (A vulnerability in the symbolic link (symlink) creation functionality ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r54765 - bin
Author: luciano Date: 2017-08-15 12:52:49 + (Tue, 15 Aug 2017) New Revision: 54765 Modified: bin/src2bin_text.py Log: bug when a single bin Modified: bin/src2bin_text.py === --- bin/src2bin_text.py 2017-08-15 12:32:13 UTC (rev 54764) +++ bin/src2bin_text.py 2017-08-15 12:52:49 UTC (rev 54765) @@ -27,7 +27,9 @@ return bins def getBin(srcPkg): -return [ i for i in soappy_query(default_url,'binary_names',source=srcPkg)] +bins = soappy_query(default_url,'binary_names',source=srcPkg) +if type(bins) == str: bins = [bins] +return [ i for i in bins] def word_wrap(string, width=80, ind1=0, ind2=0, prefix=''): """ word wrapping function. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
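Review bot: the added guard `if type(bins) == str: bins = [bins]` in getBin only catches byte strings; under Python 2 a SOAP response with a single binary name may come back as `unicode`, which this check misses and which the following comprehension would then iterate character by character. Suggest `if isinstance(bins, basestring): bins = [bins]`, and the trailing `return [ i for i in bins]` can simply be `return list(bins)`.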
[Secure-testing-commits] r54706 - bin
Author: luciano Date: 2017-08-12 21:48:59 + (Sat, 12 Aug 2017) New Revision: 54706 Added: bin/src2bin_text.py Log: script to include the list of binary packages in the DSA Added: bin/src2bin_text.py === --- bin/src2bin_text.py (rev 0) +++ bin/src2bin_text.py 2017-08-12 21:48:59 UTC (rev 54706) 
@@ -0,0 +1,69 @@ +#!/usr/bin/env python2 + +import sys +import os +import fileinput + +ca_path = '/etc/ssl/ca-debian' +if os.path.isdir(ca_path): +os.environ['SSL_CERT_DIR'] = ca_path + +default_url = 'https://packages.qa.debian.org/cgi-bin/soap-alpha.cgi' + +def soappy_query(url, method, **kwargs): +import SOAPpy + +ws = SOAPpy.SOAPProxy(url) +return getattr(ws, method)(**kwargs) + +def joinEN(words): +if len(words) == 1: return words[0] +if len(words) == 2: return ' and '.join(words) +if len(words) >= 3: return ', '.join(words[:-1]+ ['and %s' % words[-1]]) + +def filterPkg(bins,rms): +for rm in rms: +bins = filter(lambda x: not x.endswith('-%s' % rm), bins) +return bins + +def getBin(srcPkg): +return [ i for i in soappy_query(default_url,'binary_names',source=srcPkg)] + +def word_wrap(string, width=80, ind1=0, ind2=0, prefix=''): +""" word wrapping function. +string: the string to wrap +width: the column number to wrap at +prefix: prefix each line with this string (goes before any indentation) +ind1: number of characters to indent the first line +ind2: number of characters to indent the rest of the lines +""" +string = prefix + ind1 * " " + string +newstring = "" +while len(string) > width: +# find position of nearest whitespace char to the left of "width" +marker = width - 1 +while not string[marker].isspace(): +marker = marker - 1 + +# remove line from original string and add it to the new string +newline = string[0:marker] + "\n" +newstring = newstring + newline +string = prefix + ind2 * " " + string[marker + 1:] + +return newstring + string + +def change(line, toRemove): +srcPkg = line[35:-11] +bins = filterPkg(getBin(srcPkg),toRemove) +return joinEN(bins) + +if __name__ == '__main__': +exclude = [] +if '-x' in sys.argv: + i = sys.argv.index('-x') + exclude = sys.argv[i+1:] + sys.argv = sys.argv[:i] +for line in fileinput.input(): + if 'We recommend that you upgrade your' in line: +line = word_wrap("%s: %s.\n" % (line[:-2],change(line,exclude)),width=73) + 
print line, Property changes on: bin/src2bin_text.py ___ Added: svn:executable + * ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
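Review bot: `srcPkg = line[35:-11]` in change() extracts the source package name by fixed character offsets into the "We recommend that you upgrade your ..." line, so any variation in that sentence (an extra word, a different suffix) silently yields a wrong package name and a wrong binary list in the published DSA; a regular expression anchored on the fixed wording, with the package name as a capture group, would fail loudly instead. Two smaller points in the same hunk: joinEN() returns None when `words` is empty (for example when `-x` filters every binary out), so the output line would read `...: None.`, and the inner loop of word_wrap() (`while not string[marker].isspace(): marker = marker - 1`) has no lower bound, so a token longer than `width` makes `marker` go negative and wrap around. An explicit empty-list case in joinEN() and a `marker > 0` guard in word_wrap() would cover both.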
[Secure-testing-commits] r54683 - data
Author: luciano Date: 2017-08-12 15:49:31 + (Sat, 12 Aug 2017) New Revision: 54683 Modified: data/dsa-needed.txt Log: libraw: dsa needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-08-12 15:47:07 UTC (rev 54682) +++ data/dsa-needed.txt 2017-08-12 15:49:31 UTC (rev 54683) @@ -43,7 +43,7 @@ -- libmspack -- -libraw +libraw (luciano) -- libvpx -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53766 - data/CVE
Author: luciano Date: 2017-07-22 00:18:30 + (Sat, 22 Jul 2017) New Revision: 53766 Modified: data/CVE/list Log: tor apparmor issue: the note Modified: data/CVE/list === --- data/CVE/list 2017-07-22 00:15:46 UTC (rev 53765) +++ data/CVE/list 2017-07-22 00:18:30 UTC (rev 53766) @@ -28,6 +28,7 @@ - tor (bug #869153) [stretch] - tor (Minor issue) [jessie] - tor + NOTE: https://twitter.com/pissquark/status/888142796414226432 CVE-2017- [endless loop in ReadTXTImage] - imagemagick (bug #869210) NOTE: https://github.com/ImageMagick/ImageMagick/issues/591 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
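Review bot: the new `NOTE: https://twitter.com/pissquark/status/888142796414226432` line cites a tweet as the reference for the tor apparmor issue; tweets are easily deleted and carry no detail, so a reference to the Debian bug already on the entry (#869153) or to an upstream ticket or commit would be more durable for whoever re-triages this later.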
[Secure-testing-commits] r53765 - data/CVE
Author: luciano Date: 2017-07-22 00:15:46 + (Sat, 22 Jul 2017) New Revision: 53765 Modified: data/CVE/list Log: tor apparmor issue: bug number Modified: data/CVE/list === --- data/CVE/list 2017-07-22 00:13:59 UTC (rev 53764) +++ data/CVE/list 2017-07-22 00:15:46 UTC (rev 53765) @@ -25,7 +25,7 @@ CVE-2017-11506 RESERVED CVE-2017- [Tor in stretch silently scraps apparmor] - - tor + - tor (bug #869153) [stretch] - tor (Minor issue) [jessie] - tor CVE-2017- [endless loop in ReadTXTImage] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r53764 - data/CVE
Author: luciano Date: 2017-07-22 00:13:59 + (Sat, 22 Jul 2017) New Revision: 53764 Modified: data/CVE/list Log: tor apparmor issue Modified: data/CVE/list === --- data/CVE/list 2017-07-21 21:42:49 UTC (rev 53763) +++ data/CVE/list 2017-07-22 00:13:59 UTC (rev 53764) @@ -24,6 +24,10 @@ RESERVED CVE-2017-11506 RESERVED +CVE-2017- [Tor in stretch silently scraps apparmor] + - tor + [stretch] - tor (Minor issue) + [jessie] - tor CVE-2017- [endless loop in ReadTXTImage] - imagemagick (bug #869210) NOTE: https://github.com/ImageMagick/ImageMagick/issues/591 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
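Review bot: in the new entry `CVE-2017- [Tor in stretch silently scraps apparmor]`, the `[jessie] - tor` line has no annotation while the stretch line reads `[stretch] - tor (Minor issue)`, so jessie is recorded as affected at full severity even though the title scopes the problem to stretch. Either give jessie the same `(Minor issue)` annotation if it is affected in the same way, or mark it `<not-affected>` with a short reason if it is not; as written the two stable suites are tracked inconsistently for the same issue.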
[Secure-testing-commits] r49547 - data/CVE
Author: luciano Date: 2017-03-10 04:33:09 + (Fri, 10 Mar 2017) New Revision: 49547 Modified: data/CVE/list Log: DSA-3806-1: pidgin Modified: data/CVE/list === --- data/CVE/list 2017-03-10 04:03:18 UTC (rev 49546) +++ data/CVE/list 2017-03-10 04:33:09 UTC (rev 49547) @@ -10991,7 +10991,9 @@ RESERVED CVE-2017-2640 [Out-of-bounds write when stripping xml] RESERVED + {DSA-3806-1} - pidgin 2.12.0-1 + [jessie] - pidgin 2.11.0-0+deb8u2 NOTE: https://www.pidgin.im/news/security/?id=109 NOTE: https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9 CVE-2017-2639 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49539 - data/DSA
Author: luciano Date: 2017-03-10 03:36:42 + (Fri, 10 Mar 2017) New Revision: 49539 Modified: data/DSA/list Log: DSA-3806-1 CVE-2017-2640 pidgin Modified: data/DSA/list === --- data/DSA/list 2017-03-09 16:04:41 UTC (rev 49538) +++ data/DSA/list 2017-03-10 03:36:42 UTC (rev 49539) @@ -1,3 +1,6 @@ +[10 Mar 2017] DSA-3806-1 pidgin - security update + {CVE-2017-2640} + [jessie] - pidgin 2.11.0-0+deb8u2 [08 Mar 2017] DSA-3805-1 firefox-esr - security update {CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408 CVE-2017-5410} [jessie] - firefox-esr 45.8.0esr-1~deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49107 - data
Author: luciano Date: 2017-02-22 05:28:03 + (Wed, 22 Feb 2017) New Revision: 49107 Modified: data/embedded-code-copies Log: gitsome embeds xonsh Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-02-21 21:10:12 UTC (rev 49106) +++ data/embedded-code-copies 2017-02-22 05:28:03 UTC (rev 49107) @@ -3241,3 +3241,7 @@ zendframework - icingaweb2 (embed) NOTE: Cf. #814143 + +gitsome + - xonsh (old-version; bug #855544) + NOTE: and #855545 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
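Review bot: the added `NOTE: and #855545` line only makes sense when read together with the preceding `- xonsh (old-version; bug #855544)` line; a self-contained note such as `NOTE: see also #855545` (or listing both bug numbers on the package line) would read correctly when the entry is viewed on its own.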
[Secure-testing-commits] r48786 - in data: . DSA
Author: luciano Date: 2017-02-09 01:41:32 + (Thu, 09 Feb 2017) New Revision: 48786 Modified: data/DSA/list data/dsa-needed.txt Log: php5 DSA Modified: data/DSA/list === --- data/DSA/list 2017-02-09 01:33:50 UTC (rev 48785) +++ data/DSA/list 2017-02-09 01:41:32 UTC (rev 48786) @@ -1,3 +1,6 @@ +[08 Feb 2017] DSA-3783-1 php5 - security update + {CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161} + [jessie] - php5 5.6.30+dfsg-0+deb8u1 [08 Feb 2017] DSA-3782-1 openjdk-7 - security update {CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3260 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289} [jessie] - openjdk-7 7u121-2.6.8-2~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-09 01:33:50 UTC (rev 48785) +++ data/dsa-needed.txt 2017-02-09 01:41:32 UTC (rev 48786) @@ -30,10 +30,6 @@ linux wait until more issues have piled up -- -php5 (luciano) - Maintainer proposed debdiff, which needs review and ack - (Missing Closes for open bugs) --- phpmyadmin -- qemu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48785 - data/CVE
Author: luciano Date: 2017-02-09 01:33:50 + (Thu, 09 Feb 2017) New Revision: 48785 Modified: data/CVE/list Log: CVE-2016-10167 and CVE-2016-10168 Modified: data/CVE/list === --- data/CVE/list 2017-02-09 01:00:32 UTC (rev 48784) +++ data/CVE/list 2017-02-09 01:33:50 UTC (rev 48785) @@ -1095,6 +1095,7 @@ - php7.1 7.1.1-1 (unimportant) - php7.0 7.0.15-1 (unimportant) - php5 (unimportant) + [jessie] - php5 (embedded gd2 library not used) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73868 NOTE: Fixed in PHP 7.1.1, 7.0.15, 5.6.30 - libgd2 2.2.4-1 @@ -1106,6 +1107,7 @@ - php7.1 7.1.1-1 (unimportant) - php7.0 7.0.15-1 (unimportant) - php5 (unimportant) + [jessie] - php5 (embedded gd2 library not used) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73869 NOTE: Fixed in PHP 7.1.1, 7.0.15, 5.6.30 - libgd2 2.2.4-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
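Review bot: both added lines `[jessie] - php5 (embedded gd2 library not used)` carry a reason but, as rendered here, no status tag and no version, so the tracker will still count jessie's php5 as affected (at the "unimportant" severity inherited from the sid line) rather than as not affected. If the intent is that jessie is not vulnerable because the bundled gd copy is not built, the line should read `[jessie] - php5 <not-affected> (embedded gd2 library not used)`; if the tag was present and merely lost in rendering, nothing to change.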
[Secure-testing-commits] r48784 - data/CVE
Author: luciano Date: 2017-02-09 01:00:32 + (Thu, 09 Feb 2017) New Revision: 48784 Modified: data/CVE/list Log: CVE-2017-0381 Modified: data/CVE/list === --- data/CVE/list 2017-02-08 22:36:17 UTC (rev 48783) +++ data/CVE/list 2017-02-09 01:00:32 UTC (rev 48784) @@ -13801,6 +13801,7 @@ - opus 1.2~alpha2-1 (bug #851612) [jessie] - opus (Minor issue, https://bugs.debian.org/851612#10) NOTE: Fixed by: https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409 (v1.2-alpha) + NOTE: https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b CVE-2016-9804 (In BlueZ 5.42, a buffer overflow was observed in "commands_dump" ...) - bluez (bug #847837) [jessie] - bluez (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48744 - data/CVE
Author: luciano Date: 2017-02-07 00:55:46 + (Tue, 07 Feb 2017) New Revision: 48744 Modified: data/CVE/list Log: gnome-keyring minor issue Modified: data/CVE/list === --- data/CVE/list 2017-02-06 22:19:55 UTC (rev 48743) +++ data/CVE/list 2017-02-07 00:55:46 UTC (rev 48744) @@ -26,6 +26,9 @@ RESERVED CVE-2016-10200 RESERVED +CVE-2017- [gnome-keyring lives on after ssh session stops] + - gnome-keyring (low; bug #395572) + [jessie] - gnome-keyring (Minor issue) CVE-2017- [information leak in error messages] - libapache2-mod-auth-openidc 2.1.5-1 NOTE: https://github.com/pingidentity/mod_auth_openidc/issues/212 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48668 - data
Author: luciano Date: 2017-02-02 20:11:40 + (Thu, 02 Feb 2017) New Revision: 48668 Modified: data/dsa-needed.txt Log: php5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-02 17:37:29 UTC (rev 48667) +++ data/dsa-needed.txt 2017-02-02 20:11:40 UTC (rev 48668) @@ -36,7 +36,7 @@ -- openjdk-7 (jmm) -- -php5 +php5 (luciano) Maintainer proposed debdiff, which needs review and ack (Missing Closes for open bugs) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47413 - in data: . DSA
Author: luciano Date: 2016-12-24 21:01:42 + (Sat, 24 Dec 2016) New Revision: 47413 Modified: data/DSA/list data/dsa-needed.txt Log: DSA 3746-1 Modified: data/DSA/list === --- data/DSA/list 2016-12-24 17:18:58 UTC (rev 47412) +++ data/DSA/list 2016-12-24 21:01:42 UTC (rev 47413) @@ -1,3 +1,6 @@ +[24 Dec 2016] DSA-3746-1 graphicsmagick - security update + {CVE-2015-8808 CVE-2016-2317 CVE-2016-2318 CVE-2016-3714 CVE-2016-3715 CVE-2016-5118 CVE-2016-5240 CVE-2016-7800 CVE-2016-7996 CVE-2016-7997 CVE-2016-8682 CVE-2016-8683 CVE-2016-8684 CVE-2016-9830} + [jessie] - graphicsmagick 1.3.20-3+deb8u2 [24 Dec 2016] DSA-3745-1 squid3 - security update {CVE-2016-10002} [jessie] - squid3 3.4.8-6+deb8u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-12-24 17:18:58 UTC (rev 47412) +++ data/dsa-needed.txt 2016-12-24 21:01:42 UTC (rev 47413) @@ -17,9 +17,6 @@ dcmtk (seb) Gert Wollny preparing update for CVE-2015-8979 (remote stack buffer overflow) -- -graphicsmagick (luciano) - gcs is fixing many issues. It will be ready soon. --- jasper (jmm) -- libcrypto++ (seb) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47189 - data
Author: luciano Date: 2016-12-18 03:23:46 + (Sun, 18 Dec 2016) New Revision: 47189 Modified: data/dsa-needed.txt Log: graphicsmagick Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-12-17 21:35:59 UTC (rev 47188) +++ data/dsa-needed.txt 2016-12-18 03:23:46 UTC (rev 47189) @@ -18,7 +18,7 @@ Maintainer prepared an update -- graphicsmagick (luciano) - gcs proposed a debdiff, needs review/ack + gcs is fixing many issues. It will be ready soon. -- jasper (jmm) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46794 - data/CVE
Author: luciano Date: 2016-12-05 17:56:35 + (Mon, 05 Dec 2016) New Revision: 46794 Modified: data/CVE/list Log: easy TODOs Modified: data/CVE/list === --- data/CVE/list 2016-12-05 17:29:37 UTC (rev 46793) +++ data/CVE/list 2016-12-05 17:56:35 UTC (rev 46794) @@ -7322,7 +7322,7 @@ CVE-2016-9156 RESERVED CVE-2016-9155 (The following SIEMENS branded IP Camera Models CCMW3025, CVMW3025-IR, ...) - TODO: check + NOT-FOR-US: Siemens CVE-2016-9154 RESERVED CVE-2016-9153 @@ -8085,7 +8085,7 @@ CVE-2016-8890 RESERVED CVE-2016-8889 (In Bitcoin Knots v0.11.0.ljr20150711 through v0.13.0.knots20160814 ...) - TODO: check + NOT-FOR-US: Bitcoin Knots CVE-2016- RESERVED CVE-2016-8879 (The thumbnail shell extension plugin (FoxitThumbnailHndlr_x86.dll) in ...) 
@@ -8224,21 +8224,21 @@ CVE-2016-8813 RESERVED CVE-2016-8812 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA GeForce ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8811 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8810 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8809 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8808 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8807 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8806 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8805 (For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU ...) - TODO: check + NOT-FOR-US: Nvidia Windows driver CVE-2016-8804 RESERVED CVE-2016-8803 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46793 - data/CVE
Author: luciano Date: 2016-12-05 17:29:37 + (Mon, 05 Dec 2016) New Revision: 46793 Modified: data/CVE/list Log: easy TODOs Modified: data/CVE/list === --- data/CVE/list 2016-12-05 17:14:48 UTC (rev 46792) +++ data/CVE/list 2016-12-05 17:29:37 UTC (rev 46793) @@ -5754,17 +5754,18 @@ CVE-2016-9568 RESERVED CVE-2016-9567 (The mDNIe system service on Samsung Mobile S7 devices with M(6.0) ...) - TODO: check + NOT-FOR-US: Samsung CVE-2016-9566 RESERVED CVE-2016-9565 RESERVED CVE-2016-9564 (Buffer overflow in send_redirect() in Boa Webserver 0.92r allows ...) - TODO: check + - boa (the vuln was removed in 0.93.14) + NOTE: http://www.ljcusack.io/cve-2016-9564-stack-based-buffer-overflow-in-boa-0-dot-92r CVE-2016-9563 (BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated ...) - TODO: check + NOT-FOR-US: SAP CVE-2016-9562 (SAP NetWeaver AS JAVA 7.4 allows remote attackers to cause a Denial of ...) - TODO: check + NOT-FOR-US: SAP CVE-2016-9561 RESERVED CVE-2016-9554 @@ -6146,7 +6147,7 @@ - linux 4.8.11-1 NOTE: Fixed by: https://git.kernel.org/linus/bf911e985d6bbaa328c20c3e05f4eb03de11fdd6 (4.9-rc4) CVE-2016-9481 (In framework/modules/core/controllers/expCommentController.php of ...) - TODO: check + NOT-FOR-US: Exponent CMS CVE-2016-9480 (libdwarf 2016-10-21 allows context-dependent attackers to obtain ...) - dwarfutils 20161124-1 [jessie] - dwarfutils (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
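Review bot: the CVE-2016-9564 hunk records the boa assessment as a parenthetical "the vuln was removed in 0.93.14" without stating which Debian boa version the tracker is comparing against, so the not-affected conclusion cannot be checked from the entry alone; adding the upstream commit that removed the send_redirect() overflow, or the Debian version that carries it, next to the existing NOTE link would make the assessment verifiable.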
[Secure-testing-commits] r46792 - data/CVE
Author: luciano Date: 2016-12-05 17:14:48 + (Mon, 05 Dec 2016) New Revision: 46792 Modified: data/CVE/list Log: CVE-2016-9752 and CVE-2016-9751 Modified: data/CVE/list === --- data/CVE/list 2016-12-05 16:45:42 UTC (rev 46791) +++ data/CVE/list 2016-12-05 17:14:48 UTC (rev 46792) @@ -4179,9 +4179,11 @@ CVE-2016-9753 RESERVED CVE-2016-9752 (In Serendipity before 2.0.5, an attacker can bypass SSRF protection by ...) - TODO: check + NOT-FOR-US: Serendipity CVE-2016-9751 (Cross-site scripting (XSS) vulnerability in the search results front ...) - TODO: check + - piwigo + [squeeze] - piwigo (Unsupported in squeeze-lts) + NOTE: Request to mark the package as unsupported in #779104 CVE-2016-9750 RESERVED CVE-2016-9749 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46727 - data/CVE
Author: luciano Date: 2016-12-03 04:28:41 + (Sat, 03 Dec 2016) New Revision: 46727 Modified: data/CVE/list Log: linux issues Modified: data/CVE/list === --- data/CVE/list 2016-12-03 03:11:19 UTC (rev 46726) +++ data/CVE/list 2016-12-03 04:28:41 UTC (rev 46727) @@ -5224,6 +5224,12 @@ RESERVED CVE-2017-0381 RESERVED +CVE-2016-9794 [Linux kernel: ALSA: use-after-free in,kill_fasync] + - linux + NOTE: http://seclists.org/oss-sec/2016/q4/576 +CVE-2016-9793 [Linux: signed overflows for SO_{SND|RCV}BUFFORCE] + - linux + NOTE: http://seclists.org/oss-sec/2016/q4/574 CVE-2016-9775 [tomcat8: privilege escalation during package removal] {DLA-729-1 DLA-728-1} - tomcat8 8.5.8-2 (bug #845385) @@ -37783,6 +37789,10 @@ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/92cd6d7fe0d01c61cf68ac4ef65ef388ee252415/ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/9cbca25ff7f20c432b61eb9f4cae43a946502b66/ NOTE: http://sourceforge.net/p/gdcm/gdcm/ci/e0dd1114c82d372dd905c029ddbee4e81ed01a89/ +CVE-2012-6704 [Linux: signed overflows for SO_SNDBUF and SO_RCVBUF that affects "before 3.5" kernels] + - linux 3.16.36-1+deb8u1 + NOTE: TODO + NOTE: http://seclists.org/oss-sec/2016/q4/574 CVE-2012-6703 (Integer overflow in the snd_compr_allocate_buffer function in ...) - linux 3.8.11-1 [wheezy] - linux (Vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
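Review bot: the new CVE-2012-6704 entry leaves a bare "NOTE: TODO" placeholder and puts "3.16.36-1+deb8u1" on the unqualified package line, although "+deb8u1" is a jessie security-update version; if that is the jessie fix it belongs on a "[jessie] - linux 3.16.36-1+deb8u1" line, with the unstable status recorded separately (the title's "before 3.5" wording suggests unstable is not affected), and the TODO should say what is still to be checked. The CVE-2016-9794 title in the first hunk also carries a stray comma in "use-after-free in,kill_fasync".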
[Secure-testing-commits] r46726 - in data: . DLA
Author: luciano Date: 2016-12-03 03:11:19 + (Sat, 03 Dec 2016) New Revision: 46726 Modified: data/DLA/list data/dla-needed.txt Log: rolling back, DLA was already released Modified: data/DLA/list === --- data/DLA/list 2016-12-03 02:54:16 UTC (rev 46725) +++ data/DLA/list 2016-12-03 03:11:19 UTC (rev 46726) @@ -1,6 +1,3 @@ -[02 Dec 2016] DLA-733-1 imagemagick - security update - {CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 CVE-2014-9805 CVE-2014-9807 CVE-2014-9808 CVE-2014-9809 CVE-2014-9810 CVE-2014-9811 CVE-2014-9812 CVE-2014-9813 CVE-2014-9814 CVE-2014-9815 CVE-2014-9817 CVE-2014-9818 CVE-2014-9819 CVE-2014-9821 CVE-2014-9822 CVE-2014-9823 CVE-2014-9824 CVE-2014-9826 CVE-2014-9828 CVE-2014-9829 CVE-2014-9830 CVE-2014-9831 CVE-2014-9832 CVE-2014-9833 CVE-2014-9834 CVE-2014-9835 CVE-2014-9836 CVE-2014-9837 CVE-2014-9838 CVE-2014-9841 CVE-2014-9843 CVE-2014-9844 CVE-2014-9845 CVE-2014-9846 CVE-2014-9847 CVE-2014-9848 CVE-2014-9849 CVE-2014-9851 CVE-2014-9853 CVE-2014-9854 CVE-2015-8900 CVE-2015-8901 CVE-2015-8902 CVE-2015-8903} - [wheezy] - imagemagick 8:6.7.7.10-5+deb7u8 [02 Dec 2016] DLA-732-1 monit - security update {CVE-2016-7067} [wheezy] - monit 1:5.4-2+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-03 02:54:16 UTC (rev 46725) +++ data/dla-needed.txt 2016-12-03 03:11:19 UTC (rev 46726) @@ -24,6 +24,8 @@ NOTE: 20161026: Still awaiting a response from the package maintainer and/or upstream (#838694) NOTE: 20161123: Upstream now has a ticket for this, but is still private. -- +imagemagick +-- jasper (Thorsten Alteholz) -- libav (Hugo Lefeuvre) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
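Review bot: the dla-needed.txt hunk of this rollback re-adds the package as a bare "imagemagick" line, but the state immediately before the reservation (r46725) was "imagemagick (luciano)", set by r46724; as written the rollback goes back two revisions rather than one and drops the claim, so if the imagemagick DLA still needs further work the "(luciano)" claim should be restored.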
[Secure-testing-commits] r46725 - in data: . DLA
Author: luciano Date: 2016-12-03 02:54:16 + (Sat, 03 Dec 2016) New Revision: 46725 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-733-1 for imagemagick Modified: data/DLA/list === --- data/DLA/list 2016-12-03 02:40:09 UTC (rev 46724) +++ data/DLA/list 2016-12-03 02:54:16 UTC (rev 46725) @@ -1,3 +1,6 @@ +[02 Dec 2016] DLA-733-1 imagemagick - security update + {CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 CVE-2014-9805 CVE-2014-9807 CVE-2014-9808 CVE-2014-9809 CVE-2014-9810 CVE-2014-9811 CVE-2014-9812 CVE-2014-9813 CVE-2014-9814 CVE-2014-9815 CVE-2014-9817 CVE-2014-9818 CVE-2014-9819 CVE-2014-9821 CVE-2014-9822 CVE-2014-9823 CVE-2014-9824 CVE-2014-9826 CVE-2014-9828 CVE-2014-9829 CVE-2014-9830 CVE-2014-9831 CVE-2014-9832 CVE-2014-9833 CVE-2014-9834 CVE-2014-9835 CVE-2014-9836 CVE-2014-9837 CVE-2014-9838 CVE-2014-9841 CVE-2014-9843 CVE-2014-9844 CVE-2014-9845 CVE-2014-9846 CVE-2014-9847 CVE-2014-9848 CVE-2014-9849 CVE-2014-9851 CVE-2014-9853 CVE-2014-9854 CVE-2015-8900 CVE-2015-8901 CVE-2015-8902 CVE-2015-8903} + [wheezy] - imagemagick 8:6.7.7.10-5+deb7u8 [02 Dec 2016] DLA-732-1 monit - security update {CVE-2016-7067} [wheezy] - monit 1:5.4-2+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-03 02:40:09 UTC (rev 46724) +++ data/dla-needed.txt 2016-12-03 02:54:16 UTC (rev 46725) @@ -24,8 +24,6 @@ NOTE: 20161026: Still awaiting a response from the package maintainer and/or upstream (#838694) NOTE: 20161123: Upstream now has a ticket for this, but is still private. -- -imagemagick (luciano) --- jasper (Thorsten Alteholz) -- libav (Hugo Lefeuvre) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46724 - data
Author: luciano Date: 2016-12-03 02:40:09 + (Sat, 03 Dec 2016) New Revision: 46724 Modified: data/dla-needed.txt Log: DLA: imagemagick Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-02 21:10:23 UTC (rev 46723) +++ data/dla-needed.txt 2016-12-03 02:40:09 UTC (rev 46724) @@ -24,7 +24,7 @@ NOTE: 20161026: Still awaiting a response from the package maintainer and/or upstream (#838694) NOTE: 20161123: Upstream now has a ticket for this, but is still private. -- -imagemagick +imagemagick (luciano) -- jasper (Thorsten Alteholz) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46607 - data/CVE
Author: luciano Date: 2016-11-27 20:19:27 + (Sun, 27 Nov 2016) New Revision: 46607 Modified: data/CVE/list Log: CVE-2014-9842: imagemagick wheezy not-affected Modified: data/CVE/list === --- data/CVE/list 2016-11-27 20:07:43 UTC (rev 46606) +++ data/CVE/list 2016-11-27 20:19:27 UTC (rev 46607) @@ -14882,7 +14882,8 @@ CVE-2014-9842 [memory leak in psd handling] RESERVED - imagemagick 8:6.8.9.9-4 (bug #773834) - [wheezy] - imagemagick (Minor issue) + [wheezy] - imagemagick + NOTE: Leak in a code path that does not exist in this version. CVE-2014-9843 [Fixed boundary checks in DecodePSDPixels] RESERVED - imagemagick 8:6.8.9.9-4 (bug #773834) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46603 - in data: . DSA
Author: luciano Date: 2016-11-27 16:39:44 + (Sun, 27 Nov 2016) New Revision: 46603 Modified: data/DSA/list data/dsa-needed.txt Log: DSA-3725-1 icu Modified: data/DSA/list === --- data/DSA/list 2016-11-27 11:05:48 UTC (rev 46602) +++ data/DSA/list 2016-11-27 16:39:44 UTC (rev 46603) @@ -1,6 +1,9 @@ [26 Nov 2016] DSA-3726-1 imagemagick - security update {CVE-2016-7799 CVE-2016-7906 CVE-2016-8677 CVE-2016-8862 CVE-2016-9556 CVE-2016-9559} [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 +[27 Nov 2016] DSA-3725-1 icu - security update + {CVE-2014-9911 CVE-2015-2632 CVE-2015-4844 CVE-2016-0494 CVE-2016-6293 CVE-2016-7415} + [jessie] - icu 52.1-8+deb8u4 [24 Nov 2016] DSA-3724-1 gst-plugins-good0.10 - security update {CVE-2016-9634 CVE-2016-9635 CVE-2016-9636} [jessie] - gst-plugins-good0.10 0.10.31-3+nmu4+deb8u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-11-27 11:05:48 UTC (rev 46602) +++ data/dsa-needed.txt 2016-11-27 16:39:44 UTC (rev 46603) @@ -21,11 +21,6 @@ hdf5 (seb) Gilles Filippini prepared a debdiff. Will review and ack a bit later. -- -icu (luciano) - NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. Sanchez) - have been unable to reproduce the crash as described in the PHP bug report - gcs proposed debdiff to review for upload --- jasper (jmm) -- libical ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
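Review bot: the dsa-needed.txt hunk deletes, together with the icu claim, the note that CVE-2016-7415 could not be reproduced for wheezy/lts; that finding concerns the LTS update rather than the jessie DSA being recorded here, so it should be moved to dla-needed.txt or to a NOTE on the CVE-2016-7415 entry instead of being dropped with the claim.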
[Secure-testing-commits] r46589 - data
Author: luciano Date: 2016-11-27 05:15:56 + (Sun, 27 Nov 2016) New Revision: 46589 Modified: data/dsa-needed.txt Log: icu Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-11-27 04:46:40 UTC (rev 46588) +++ data/dsa-needed.txt 2016-11-27 05:15:56 UTC (rev 46589) @@ -18,7 +18,7 @@ -- graphicsmagick (luciano) -- -icu +icu (luciano) NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. Sanchez) have been unable to reproduce the crash as described in the PHP bug report gcs proposed debdiff to review for upload ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46588 - data/DSA
Author: luciano Date: 2016-11-27 04:46:40 + (Sun, 27 Nov 2016) New Revision: 46588 Modified: data/DSA/list Log: ARggg.. I accidentally released it as 3726 instead of 3725. I will probably use 3725 tomorrow. Sorry :( Modified: data/DSA/list === --- data/DSA/list 2016-11-27 04:32:26 UTC (rev 46587) +++ data/DSA/list 2016-11-27 04:46:40 UTC (rev 46588) @@ -1,5 +1,5 @@ -[26 Nov 2016] DSA-3725-1 imagemagick - security update - {CVE-2016-7799 CVE-2016-7906 CVE-2016-8677} +[26 Nov 2016] DSA-3726-1 imagemagick - security update + {CVE-2016-7799 CVE-2016-7906 CVE-2016-8677 CVE-2016-8862 CVE-2016-9556 CVE-2016-9559} [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 [24 Nov 2016] DSA-3724-1 gst-plugins-good0.10 - security update {CVE-2016-9634 CVE-2016-9635 CVE-2016-9636} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46587 - in data: . CVE DSA
Author: luciano Date: 2016-11-27 04:32:26 + (Sun, 27 Nov 2016) New Revision: 46587 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: DSA imagemagick Modified: data/CVE/list === --- data/CVE/list 2016-11-26 21:47:15 UTC (rev 46586) +++ data/CVE/list 2016-11-27 04:32:26 UTC (rev 46587) @@ -629,24 +629,26 @@ NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie CVE-2016- [mat file out of bound] - imagemagick 8:6.9.6.2+dfsg-2 (bug #845246) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1545366 NOTE: https://github.com/ImageMagick/ImageMagick/issues/131 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b173a35239785c51c9a0e9d59eb6ce24c455 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f3b483e8b054c50149912523b4773687e18afe25 - TODO: check CVE-2016- [Add check for invalid mat file] - imagemagick (bug #845244) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8a370f9ab120faf182aa160900ba692ba8e2bcf0 - TODO: check CVE-2016-9559 [null pointer passed as argument 2, which is declared to never be null] RESERVED - imagemagick 8:6.9.6.5+dfsg-1 (bug #845243) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1c795ce9fe1d6feac8bc36c2e6c5ba7110b671b1 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b (master) NOTE: https://github.com/ImageMagick/ImageMagick/issues/298 CVE-2016-9556 [Heap buffer overflow in heap-buffer-overflow in IsPixelGray] RESERVED - imagemagick 8:6.9.6.5+dfsg-1 (bug #845242) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: https://github.com/ImageMagick/ImageMagick/issues/301 NOTE: https://github.com/ImageMagick/ImageMagick/commit/174de08d7c81ce147689f3b1c73fadd6bf1c023c NOTE: https://github.com/ImageMagick/ImageMagick/commit/ce98a7acbcfca7f0a178f4b1e7b957e419e0cc99 (master) 
@@ -659,23 +661,25 @@ NOTE: https://github.com/ImageMagick/ImageMagick/commit/4ec444f4eab88cf4bec664fafcf9cab50bc5ff6a CVE-2016- [Suspend exception processing if there are too many exceptions] - imagemagick 8:6.9.6.2+dfsg-2 (bug #845213) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0474237508f39c4f783208123431815f1ededb76 CVE-2016- [Fix out of bound read in viff file handling] - imagemagick (bug #845212) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: https://github.com/ImageMagick/ImageMagick/issues/129 NOTE: https://bugs.launchpad.net/ubuntu/+source/imagemagick/+bug/1545183 - TODO: check CVE-2016- [Better check for bufferoverflow for TIFF handling] - imagemagick (bug #845202) - TODO: check + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 CVE-2016- [Check validity of extend during TIFF file reading] - imagemagick (bug #845198) - TODO: check + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 CVE-2016- [Check return of write function] - imagemagick (bug #845196) - TODO: check + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 CVE-2016- [Imagemagick (jessie and older) buffer overflow] - imagemagick 8:6.9.6.2+dfsg-2 (bug #845195) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/58cf5bf4fade82e3b510e8f3463a967278a3e410 CVE-2016-9448 [invalid read of size 1 in TIFFFetchNormalTag] RESERVED 
@@ -2921,6 +2925,7 @@ CVE-2016-8862 [imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)] RESERVED - imagemagick 8:6.9.6.6+dfsg-1 (bug #845634) + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 NOTE: https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/ NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/aea6c6507f55632829e6432f8177a084a57c9fcc NOTE: The initial patch was initiall meant to be incomplete and resulted in CVE-2016-8866. So when fixing Modified: data/DSA/list === --- data/DSA/list 2016-11-26 21:47:15 UTC (rev 46586) +++ data/DSA/list 2016-11-27 04:32:26 UTC (rev 46587) @@ -1,3 +1,6 @@ +[26 Nov 2016] DSA-3725-1 imagemagick - security update + {CVE-2016-7799 CVE-2016-7906 CVE-2016-8677} + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 [24 Nov 2016] DSA-3724-1 gst-plugins-good0.10 - security update {CVE-2016-9634 CVE-2016-9635 CVE-2016-9636} [jessie] - gst-plugins-good0.10 0.1
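Review bot: within this commit the CVE/list hunks mark CVE-2016-9559, CVE-2016-9556 and CVE-2016-8862 (plus the unnumbered "CVE-2016-" imagemagick entries) as fixed in jessie by 8:6.8.9.9-5+deb8u6, while the DSA/list hunk lists only CVE-2016-7799, CVE-2016-7906 and CVE-2016-8677 for the advisory; the DSA's CVE set should match the entries the same upload closes (r46588 later adds the three numbered ones, but the unnumbered issues still have no way to be referenced from the advisory). In passing, the CVE-2016-8862 context line reads "was initiall meant", a typo worth fixing.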
[Secure-testing-commits] r46571 - bin
Author: luciano Date: 2016-11-26 04:09:19 + (Sat, 26 Nov 2016) New Revision: 46571 Modified: bin/sign-advisory.sh Log: bin/sign-advisory.sh: just sign Modified: bin/sign-advisory.sh === --- bin/sign-advisory.sh2016-11-26 04:06:22 UTC (rev 46570) +++ bin/sign-advisory.sh2016-11-26 04:09:19 UTC (rev 46571) @@ -51,5 +51,3 @@ # keep headers, and sign the content { head -n $(($n - 1)) $dsa ; tail -n +$n $dsa | gpg --clearsign ; } >| $signed_dsa - -cat $signed_dsa | ssh security-master.debian.org "cat - | /usr/lib/sendmail -ti" ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
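Review bot: the log "just sign" does not record where the mailing step now happens, given that r46570 had restored it only minutes earlier; a one-line comment in the script or the log saying the signed advisory is sent separately would stop the next person from re-adding the ssh/sendmail pipeline. While here, the remaining context line expands $dsa and $signed_dsa unquoted, so a path containing whitespace would break the head/tail/gpg pipeline; quoting both variables is a cheap hardening.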
[Secure-testing-commits] r46570 - bin data data/DSA
Author: luciano Date: 2016-11-26 04:06:22 + (Sat, 26 Nov 2016) New Revision: 46570 Modified: bin/sign-advisory.sh data/DSA/list data/dsa-needed.txt Log: rolling back. Modified: bin/sign-advisory.sh === --- bin/sign-advisory.sh2016-11-26 02:53:33 UTC (rev 46569) +++ bin/sign-advisory.sh2016-11-26 04:06:22 UTC (rev 46570) @@ -51,3 +51,5 @@ # keep headers, and sign the content { head -n $(($n - 1)) $dsa ; tail -n +$n $dsa | gpg --clearsign ; } >| $signed_dsa + +cat $signed_dsa | ssh security-master.debian.org "cat - | /usr/lib/sendmail -ti" Modified: data/DSA/list === --- data/DSA/list 2016-11-26 02:53:33 UTC (rev 46569) +++ data/DSA/list 2016-11-26 04:06:22 UTC (rev 46570) @@ -1,6 +1,3 @@ -[25 Nov 2016] DSA-3725-1 imagemagick - security update - {CVE-2016-7799 CVE-2016-7906} - [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 [24 Nov 2016] DSA-3724-1 gst-plugins-good0.10 - security update {CVE-2016-9634 CVE-2016-9635 CVE-2016-9636} [jessie] - gst-plugins-good0.10 0.10.31-3+nmu4+deb8u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-11-26 02:53:33 UTC (rev 46569) +++ data/dsa-needed.txt 2016-11-26 04:06:22 UTC (rev 46570) @@ -22,6 +22,9 @@ NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. Sanchez) have been unable to reproduce the crash as described in the PHP bug report -- +imagemagick (luciano) + Needs to be sponsored. +-- jasper (jmm) -- libical ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
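Review bot: this one-word "rolling back." commit mixes three unrelated reverts, re-adding the sendmail pipeline to bin/sign-advisory.sh, removing the DSA-3725-1 entry from data/DSA/list and re-adding the imagemagick claim to data/dsa-needed.txt; splitting the script change from the data rollback, and saying what is being rolled back and why, would make the history easier to follow, especially since r46571 reverts the script part again three minutes later.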
[Secure-testing-commits] r46569 - in data: . DSA
Author: luciano Date: 2016-11-26 02:53:33 + (Sat, 26 Nov 2016) New Revision: 46569 Modified: data/DSA/list data/dsa-needed.txt Log: imagemagick DSA Modified: data/DSA/list === --- data/DSA/list 2016-11-25 22:49:29 UTC (rev 46568) +++ data/DSA/list 2016-11-26 02:53:33 UTC (rev 46569) @@ -1,3 +1,6 @@ +[25 Nov 2016] DSA-3725-1 imagemagick - security update + {CVE-2016-7799 CVE-2016-7906} + [jessie] - imagemagick 8:6.8.9.9-5+deb8u6 [24 Nov 2016] DSA-3724-1 gst-plugins-good0.10 - security update {CVE-2016-9634 CVE-2016-9635 CVE-2016-9636} [jessie] - gst-plugins-good0.10 0.10.31-3+nmu4+deb8u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-11-25 22:49:29 UTC (rev 46568) +++ data/dsa-needed.txt 2016-11-26 02:53:33 UTC (rev 46569) @@ -22,9 +22,6 @@ NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. Sanchez) have been unable to reproduce the crash as described in the PHP bug report -- -imagemagick (luciano) - Needs to be sponsored. --- jasper (jmm) -- libical ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46545 - data
Author: luciano Date: 2016-11-25 16:32:21 + (Fri, 25 Nov 2016) New Revision: 46545 Modified: data/dsa-needed.txt Log: imagemagick Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-11-25 15:56:53 UTC (rev 46544) +++ data/dsa-needed.txt 2016-11-25 16:32:21 UTC (rev 46545) @@ -22,6 +22,9 @@ NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. Sanchez) have been unable to reproduce the crash as described in the PHP bug report -- +imagemagick (luciano) + Needs to be sponsored. +-- jasper (jmm) -- libical ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46143 - data/CVE
Author: luciano Date: 2016-11-12 18:34:58 + (Sat, 12 Nov 2016) New Revision: 46143 Modified: data/CVE/list Log: maradns Modified: data/CVE/list === --- data/CVE/list 2016-11-12 06:37:52 UTC (rev 46142) +++ data/CVE/list 2016-11-12 18:34:58 UTC (rev 46143) @@ -1,3 +1,6 @@ +CVE-2016- [maradns: Remote crash in MaraDNS 2.0.13 and git master] + - maradns (bug #844121) + NOTE: CVE Request: http://seclists.org/oss-sec/2016/q4/411 CVE-2016- [tiffcrop: heap buffer overflow via writeBufferToSeparateStrips] - tiff (bug #844057) [jessie] - tiff (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r45444 - data/CVE
Author: luciano Date: 2016-10-19 01:29:56 + (Wed, 19 Oct 2016) New Revision: 45444 Modified: data/CVE/list Log: imagemagick issue without CVE id Modified: data/CVE/list === --- data/CVE/list 2016-10-18 21:36:33 UTC (rev 45443) +++ data/CVE/list 2016-10-19 01:29:56 UTC (rev 45444) @@ -1,3 +1,6 @@ +CVE-2016- [imagemagick: memory allocation failure in AcquireMagickMemory (memory.c)] + - imagemagick + NOTE: https://blogs.gentoo.org/ago/2016/10/17/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c/ CVE-2016- [tor DoS] - tor 0.2.8.9-1 [jessie] - tor 0.2.5.12-3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44876 - in data: . DSA
Author: luciano Date: 2016-09-24 19:17:21 + (Sat, 24 Sep 2016) New Revision: 44876 Modified: data/DSA/list data/dsa-needed.txt Log: DSA 3676-1 Modified: data/DSA/list === --- data/DSA/list 2016-09-24 18:43:44 UTC (rev 44875) +++ data/DSA/list 2016-09-24 19:17:21 UTC (rev 44876) @@ -1,3 +1,6 @@ +[24 Sep 2016] DSA-3676-1 unadf - security update + {CVE-2016-1243 CVE-2016-1244} + [jessie] - unadf 0.7.11a-3+deb8u1 [23 Sep 2016] DSA-3673-2 openssl - regression update [jessie] - openssl 1.0.1t-1+deb8u5 [23 Sep 2016] DSA-3675-1 imagemagick - security update Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-09-24 18:43:44 UTC (rev 44875) +++ data/dsa-needed.txt 2016-09-24 19:17:21 UTC (rev 44876) @@ -38,8 +38,6 @@ -- tiff -- -unadf (luciano) --- wordpress Maintainer is preparing an update which need review and ack -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44594 - data
Author: luciano Date: 2016-09-15 02:46:22 + (Thu, 15 Sep 2016) New Revision: 44594 Modified: data/dsa-needed.txt Log: unadf: dsa-needed Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-09-14 21:10:12 UTC (rev 44593) +++ data/dsa-needed.txt 2016-09-15 02:46:22 UTC (rev 44594) @@ -42,3 +42,5 @@ -- tiff -- +unadf (luciano) +-- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44067 - data
Author: luciano Date: 2016-08-19 19:54:16 + (Fri, 19 Aug 2016) New Revision: 44067 Modified: data/dla-needed.txt Log: CVE-2016-2839 is not affecting firefox-esr in wheezy Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-08-19 19:43:23 UTC (rev 44066) +++ data/dla-needed.txt 2016-08-19 19:54:16 UTC (rev 44067) @@ -15,8 +15,6 @@ -- cracklib2 (Chris Lamb) -- -firefox-esr --- gnupg (Santiago R.R.) -- icu (Roberto C. Sánchez) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
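Review bot: the log states that CVE-2016-2839 does not affect firefox-esr in wheezy, but the commit only removes the package from data/dla-needed.txt; that determination should also be recorded on the CVE-2016-2839 entry in data/CVE/list (a wheezy not-affected line with a NOTE giving the reason) so the conclusion survives once the dla-needed entry is gone.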
[Secure-testing-commits] r42382 - in data: . DSA
Author: luciano Date: 2016-06-07 16:21:14 + (Tue, 07 Jun 2016) New Revision: 42382 Modified: data/DSA/list data/dsa-needed.txt Log: DSA-3597-1: expat Modified: data/DSA/list === --- data/DSA/list 2016-06-07 14:36:51 UTC (rev 42381) +++ data/DSA/list 2016-06-07 16:21:14 UTC (rev 42382) @@ -1,3 +1,6 @@ +[07 Jun 2016] DSA-3597-1 expat - security update + {CVE-2012-6702 CVE-2016-5300} + [jessie] - expat 2.1.0-6+deb8u3 [06 Jun 2016] DSA-3596-1 spice - security update {CVE-2016-0749 CVE-2016-2150} [jessie] - spice 0.12.5-1+deb8u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-07 14:36:51 UTC (rev 42381) +++ data/dsa-needed.txt 2016-06-07 16:21:14 UTC (rev 42382) @@ -14,8 +14,6 @@ -- 389-ds-base -- -expat (luciano) --- graphicsmagick (luciano) -- icu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42326 - data/CVE
Author: luciano Date: 2016-06-05 13:50:22 + (Sun, 05 Jun 2016) New Revision: 42326 Modified: data/CVE/list Log: CVE-2013-0340 is unfixed Modified: data/CVE/list === --- data/CVE/list 2016-06-05 13:38:35 UTC (rev 42325) +++ data/CVE/list 2016-06-05 13:50:22 UTC (rev 42326) @@ -86304,8 +86304,9 @@ CVE-2013-0341 [external entity expansion] REJECTED CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansion ...) - - expat 2.1.1-1 (unimportant) + - expat (unimportant) NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat + NOTE: https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0340.html CVE-2013-0339 (libxml2 through 2.9.1 does not properly handle external entities ...) {DSA-2652-1} - libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
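Review bot: this hunk reverts r42325's "- expat 2.1.1-1 (unimportant)" to an entry with no fixed version and justifies it only with a link to the Ubuntu CVE page; since the previous commit's log claimed 2.1.1 and later are not affected, a NOTE stating in the tracker itself why 2.1.1-1 does not address the entity-expansion issue would keep the rationale readable without following the URL.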
[Secure-testing-commits] r42325 - data/CVE
Author: luciano Date: 2016-06-05 13:38:35 + (Sun, 05 Jun 2016) New Revision: 42325 Modified: data/CVE/list Log: CVE-2013-0340 does not affect 2.1.1 or larger Modified: data/CVE/list === --- data/CVE/list 2016-06-05 12:47:48 UTC (rev 42324) +++ data/CVE/list 2016-06-05 13:38:35 UTC (rev 42325) @@ -86304,7 +86304,7 @@ CVE-2013-0341 [external entity expansion] REJECTED CVE-2013-0340 (expat 2.1.0 and earlier does not properly handle entities expansion ...) - - expat (unimportant) + - expat 2.1.1-1 (unimportant) NOTE: Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat CVE-2013-0339 (libxml2 through 2.9.1 does not properly handle external entities ...) {DSA-2652-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42324 - data/CVE
Author: luciano Date: 2016-06-05 12:47:48 + (Sun, 05 Jun 2016) New Revision: 42324 Modified: data/CVE/list Log: typo Modified: data/CVE/list === --- data/CVE/list 2016-06-05 12:44:26 UTC (rev 42323) +++ data/CVE/list 2016-06-05 12:47:48 UTC (rev 42324) @@ -199,7 +199,7 @@ - mat (bug #826101) NOTE: https://labs.riseup.net/code/issues/11067 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2016/06/02/5 -CVE-2016-5239 [mageMagick,GraphicsMagick: Gnuplot delegate vulnerability allowing command injection] +CVE-2016-5239 [ImageMagick, GraphicsMagick: Gnuplot delegate vulnerability allowing command injection] RESERVED {DSA-3580-1 DLA-486-1 DLA-484-1} - graphicsmagick 1.3.24-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42322 - data
Author: luciano Date: 2016-06-05 12:42:12 + (Sun, 05 Jun 2016) New Revision: 42322 Modified: data/dsa-needed.txt Log: expat and graphicsmagick Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-05 11:25:08 UTC (rev 42321) +++ data/dsa-needed.txt 2016-06-05 12:42:12 UTC (rev 42322) @@ -14,8 +14,10 @@ -- 389-ds-base -- -graphicsmagick +expat (luciano) -- +graphicsmagick (luciano) +-- icu -- libpdfbox-java ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits