[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add links to patches for sam2p.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 57fcd8e2 by Markus Koschany at 2018-04-07T00:02:31+02:00 Add links to patches for sam2p. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5514,6 +5514,11 @@ CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads {DLA-1340-1} - sam2p NOTE: https://github.com/pts/sam2p/issues/29 + NOTE: https://github.com/pts/sam2p/commit/a6621e996f976912252018be8a8836ee6a966ee3 + NOTE: https://github.com/pts/sam2p/commit/118cb8102b767df4100d8a14184e44b33a822861 + NOTE: https://github.com/pts/sam2p/commit/1e43ec5fe34b009cb43f90a9d562442ca347cd75 + NOTE: https://github.com/pts/sam2p/commit/beea3bd8dd05a731fddfa447ff0bad19fe32c973 + NOTE: https://github.com/pts/sam2p/commit/47378716ab03d6b39ee959c949df551c643942f1 CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...) {DLA-1340-1} - sam2p @@ -5522,6 +5527,7 @@ CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping {DLA-1340-1} - sam2p NOTE: https://github.com/pts/sam2p/issues/30 + NOTE: CVE-2018-7554 patches will address this issue too. CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads to ...) {DLA-1340-1} - sam2p View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57fcd8e2685d474e26eccfe278c1647a5b8abf98 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57fcd8e2685d474e26eccfe278c1647a5b8abf98 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
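Review bot: in the first hunk, the five commit links added under CVE-2018-7554 give no hint which commit fixes the invalid free in ReadImage (input-bmp.ci) and which are follow-ups; a short comment on each NOTE line would save the next triager from re-reading all five upstream commits. Keeping the existing issues/29 link alongside them is right.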
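Review bot: in the second hunk, the NOTE added under CVE-2018-7552 ("CVE-2018-7554 patches will address this issue too") points at another entry rather than at the fixing commits; NOTE lines are read per CVE, so repeating the relevant commit URL here would make the entry self-contained. CVE-2018-7553 and CVE-2018-7551, shipped in the same DLA-1340-1, still carry only their issue links; if the same commit set fixes them, the same cross-reference belongs there too.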
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Open issues in sam2p/Jessie will be fixed via point update.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6af5effc by Markus Koschany at 2018-04-06T23:59:08+02:00 Open issues in sam2p/Jessie will be fixed via point update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5513,22 +5513,18 @@ CVE-2018-7555 CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...) {DLA-1340-1} - sam2p - [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/29 CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...) {DLA-1340-1} - sam2p - [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/32 CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping.cpp ...) {DLA-1340-1} - sam2p - [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/30 CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads to ...) {DLA-1340-1} - sam2p - [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/28 CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ...) - qemu (bug #892041) 
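Review bot: the five removed "[jessie] - sam2p (Consider removal in next point release)" lines are not replaced by anything, so the decision stated in the commit message (fix via a point update) is no longer recorded in data/CVE/list; after this hunk the jessie status of CVE-2018-7551 through CVE-2018-7554 is indistinguishable from an untriaged open issue. Consider keeping one [jessie] line per CVE whose comment states the point-update plan.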
@@ -5740,7 +5736,6 @@ CVE-2018-7488 CVE-2018-7487 (There is a heap-based buffer overflow in the LoadPCX function of ...) {DLA-1340-1} - sam2p - [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/18 CVE-2018-7486 (Blue River Mura CMS before v7.0.7029 supports inline function calls ...) NOT-FOR-US: Blue River Mura CMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6af5effc3ef3e5a8e15f811a82f23b96849f2e54 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6af5effc3ef3e5a8e15f811a82f23b96849f2e54 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
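Review bot: the removal of "[jessie] - sam2p (Consider removal in next point release)" under CVE-2018-7487 likewise leaves no line recording that the jessie fix is planned via a point update, so the triage outcome is lost from the data file. A [jessie] line stating the plan would keep it visible to the next person looking at sam2p.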
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-8088, libslf4j-java as ignored for all suites.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 523969c7 by Markus Koschany at 2018-04-06T23:57:17+02:00 Mark CVE-2018-8088,libslf4j-java as ignored for all suites. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4035,8 +4035,10 @@ CVE-2018-8090 CVE-2018-8089 RESERVED CVE-2018-8088 (org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before ...) - {DLA-1342-1} - libslf4j-java 1.7.25-3 (bug #893684) + [stretch] - libslf4j-java (slf4j-ext module is not built by default) + [jessie] - libslf4j-java (slf4j-ext module is not built by default) + [wheezy] - libslf4j-java (slf4j-ext module is not built by default) NOTE: https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405 NOTE: https://jira.qos.ch/browse/SLF4J-430 NOTE: https://jira.qos.ch/browse/SLF4J-431 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/523969c7065bb1b792ba570cf462bd47583cfbc9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/523969c7065bb1b792ba570cf462bd47583cfbc9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Revert DLA for libslf4j-java.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c4cb1830 by Markus Koschany at 2018-04-06T23:52:59+02:00 Revert DLA for libslf4j-java. On second thought this is only a minor issue for Debian because we do not build the slf4-ext module by default. So only for customized private packages this might be a concern. - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,6 +1,3 @@ -[06 Apr 2018] DLA-1342-1 libslf4j-java - security update - {CVE-2018-8088} - [wheezy] - libslf4j-java 1.6.5-1+deb7u1 [06 Apr 2018] DLA-1341-1 sdl-image1.2 - security update {CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450} [wheezy] - sdl-image1.2 1.2.12-2+deb7u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4cb18301f8c2af7c747209e83b24265ba3d93ea --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4cb18301f8c2af7c747209e83b24265ba3d93ea You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
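Review bot: reverting the DLA-1342-1 entry in data/DLA/list without touching data/CVE/list leaves the {DLA-1342-1} reference on CVE-2018-8088 pointing at an advisory that no longer exists; both files should change in the same commit (the follow-up 523969c7 removes it). The rationale given in the commit message (the slf4j-ext module is not built by default) also belongs as a comment on the CVE entry, which is where the next triager will look.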
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1342-1 for libslf4j-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 091ff6ba by Markus Koschany at 2018-04-06T20:26:01+02:00 Reserve DLA-1342-1 for libslf4j-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[06 Apr 2018] DLA-1342-1 libslf4j-java - security update + {CVE-2018-8088} + [wheezy] - libslf4j-java 1.6.5-1+deb7u1 [06 Apr 2018] DLA-1341-1 sdl-image1.2 - security update {CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450} [wheezy] - sdl-image1.2 1.2.12-2+deb7u2 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -81,8 +81,6 @@ libraw -- libreoffice -- -libslf4j-java (Markus Koschany) --- libvorbis NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/091ff6ba42b3d87e206304b83a650ee3d4b2f965 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/091ff6ba42b3d87e206304b83a650ee3d4b2f965 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1341-1 for sdl-image1.2
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a704aab by Markus Koschany at 2018-04-06T20:23:58+02:00 Reserve DLA-1341-1 for sdl-image1.2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[06 Apr 2018] DLA-1341-1 sdl-image1.2 - security update + {CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 CVE-2017-14448 CVE-2017-14450} + [wheezy] - sdl-image1.2 1.2.12-2+deb7u2 [06 Apr 2018] DLA-1340-1 sam2p - security update {CVE-2018-7487 CVE-2018-7551 CVE-2018-7552 CVE-2018-7553 CVE-2018-7554} [wheezy] - sam2p 0.49.1-1+deb7u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -113,8 +113,6 @@ ruby1.9.1 (Santiago R.R.) -- rubygems -- -sdl-image1.2 (Markus Koschany) --- sharutils (Abhijith PA) NOTE: 20180318: no patch available yet, so no email to maintainer sent -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a704aab9e54f4097b14565839f0dfe7e6a89afa --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a704aab9e54f4097b14565839f0dfe7e6a89afa You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1340-1 for sam2p
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b19d69b by Markus Koschany at 2018-04-06T20:19:24+02:00 Reserve DLA-1340-1 for sam2p - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[06 Apr 2018] DLA-1340-1 sam2p - security update + {CVE-2018-7487 CVE-2018-7551 CVE-2018-7552 CVE-2018-7553 CVE-2018-7554} + [wheezy] - sam2p 0.49.1-1+deb7u3 [03 Apr 2018] DLA-1339-1 openjdk-7 - security update {CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678} [wheezy] - openjdk-7 7u171-2.6.13-1~deb7u1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -113,8 +113,6 @@ ruby1.9.1 (Santiago R.R.) -- rubygems -- -sam2p (Markus Koschany) --- sdl-image1.2 (Markus Koschany) -- sharutils (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b19d69bfff5399626d958865e297028be2e24d6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b19d69bfff5399626d958865e297028be2e24d6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim sam2p and sdl-image1.2 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 86cc6f7c by Markus Koschany at 2018-03-31T23:21:53+02:00 Claim sam2p and sdl-image1.2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -110,9 +110,9 @@ ruby-rack-protection -- ruby1.9.1 (Santiago R.R.) -- -sam2p +sam2p (Markus Koschany) -- -sdl-image1.2 +sdl-image1.2 (Markus Koschany) -- sharutils NOTE: 20180318: no patch available yet, so no email to maintainer sent View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86cc6f7c992d74e5f626b7abb62a9185b341bc34 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86cc6f7c992d74e5f626b7abb62a9185b341bc34 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1335-1 for zsh
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b617d0fb by Markus Koschany at 2018-03-31T23:04:21+02:00 Reserve DLA-1335-1 for zsh - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[31 Mar 2018] DLA-1335-1 zsh - security update + {CVE-2018-1071 CVE-2018-1083} + [wheezy] - zsh 4.3.17-1+deb7u2 [31 Mar 2018] DLA-1334-1 mosquitto - security update {CVE-2017-7651 CVE-2017-7652} [wheezy] - mosquitto 0.15-2+deb7u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -141,5 +141,3 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) NOTE: 20180311: Upstream still unsure how to fix. <https://core.trac.wordpress.org/ticket/43308> (lamby) -- -zsh (Markus Koschany) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b617d0fb61af66947894adfbcca70c4badeebd53 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b617d0fb61af66947894adfbcca70c4badeebd53 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim zsh in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c3489e8 by Markus Koschany at 2018-03-30T16:50:44+02:00 Claim zsh in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -157,5 +157,5 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) NOTE: 20180311: Upstream still unsure how to fix. <https://core.trac.wordpress.org/ticket/43308> (lamby) -- -zsh +zsh (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c3489e837b1f781fff22c82e4ad3b4a7bf6512f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c3489e837b1f781fff22c82e4ad3b4a7bf6512f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1328-1 for xerces-c
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3248d6a1 by Markus Koschany at 2018-03-29T23:07:27+02:00 Reserve DLA-1328-1 for xerces-c - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[29 Mar 2018] DLA-1328-1 xerces-c - security update + {CVE-2017-12627} + [wheezy] - xerces-c 3.1.1-3+deb7u5 [29 Mar 2018] DLA-1327-1 thunderbird - security update {CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5144 CVE-2018-5145 CVE-2018-5146} [wheezy] - thunderbird 1:52.7.0-1~deb7u1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -165,7 +165,5 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) NOTE: 20180311: Upstream still unsure how to fix. <https://core.trac.wordpress.org/ticket/43308> (lamby) -- -xerces-c (Markus Koschany) --- zsh -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3248d6a1d2551617bf80c140b8dfbf9e19c9395f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3248d6a1d2551617bf80c140b8dfbf9e19c9395f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1326-1 for php5
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b4c3125c by Markus Koschany at 2018-03-29T18:20:03+02:00 Reserve DLA-1326-1 for php5 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[29 Mar 2018] DLA-1326-1 php5 - security update + {CVE-2018-7584} + [wheezy] - php5 5.4.45-0+deb7u13 [28 Mar 2018] DLA-1325-1 drupal7 - security update {CVE-2018-7600} [wheezy] - drupal7 7.14-2+deb7u18 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -123,9 +123,6 @@ openjdk-7 (Emilio Pozuelo) -- openssl -- -php5 (Markus Koschany) - NOTE: 20180226: consider reviewing the backlog of issues fixed in jessie to see if it is worth fixing a few DOS in the backlog (anarcat) --- python-crypto NOTE: Incomplete fix for CVE-2018-6594. NOTE: See https://lists.debian.org/debian-lts/2018/02/msg00069.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4c3125c5d6df039a98566b7cb0ef0e96184b47f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4c3125c5d6df039a98566b7cb0ef0e96184b47f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
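Review bot: removing php5 from dla-needed.txt also drops the 20180226 note from anarcat asking to review the backlog of DoS issues already fixed in jessie, while DLA-1326-1 lists only CVE-2018-7584. If the backlog was reviewed, record the outcome on the affected CVE entries; if not, keep a php5 entry carrying that note so the suggestion does not disappear with the claim.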
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Claim php5 and xerces-c in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 22267189 by Markus Koschany at 2018-03-29T15:45:28+02:00 Claim php5 and xerces-c in dla-needed.txt - - - - - 4cadc807 by Markus Koschany at 2018-03-29T15:54:02+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -123,7 +123,7 @@ openjdk-7 (Emilio Pozuelo) -- openssl -- -php5 +php5 (Markus Koschany) NOTE: 20180226: consider reviewing the backlog of issues fixed in jessie to see if it is worth fixing a few DOS in the backlog (anarcat) -- python-crypto @@ -169,7 +169,7 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) NOTE: 20180311: Upstream still unsure how to fix. <https://core.trac.wordpress.org/ticket/43308> (lamby) -- -xerces-c +xerces-c (Markus Koschany) -- zsh -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3df4a2711e9e8f37b99050f16c7837230dbfc286...4cadc80747c3a17b5355e358605e2c6b87d42847 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3df4a2711e9e8f37b99050f16c7837230dbfc286...4cadc80747c3a17b5355e358605e2c6b87d42847 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
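Review bot: the push carries a merge commit (4cadc807, "Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker") for a two-line claim change; rebasing on master before pushing keeps the history of this data-only repository linear and the notification mails to one commit each.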
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1325-1 for drupal7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ef22ba5 by Markus Koschany at 2018-03-28T23:00:45+02:00 Reserve DLA-1325-1 for drupal7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[28 Mar 2018] DLA-1325-1 drupal7 - security update + {CVE-2018-7600} + [wheezy] - drupal7 7.14-2+deb7u18 [28 Mar 2018] DLA-1324-1 libdatetime-timezone-perl - new upstream version [wheezy] - libdatetime-timezone-perl 1:1.58-1+2018d [28 Mar 2018] DLA-1323-1 tzdata - new upstream version = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -22,8 +22,6 @@ cups dovecot (Thorsten Alteholz) NOTE: test package at: https://people.debian.org/~alteholz/packages/wheezy-lts/dovecot/ -- -drupal7 (Markus Koschany) --- elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ef22ba589ecd426f896557d0f1aa30144220d6e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ef22ba589ecd426f896557d0f1aa30144220d6e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1322-1 for graphicsmagick
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 57f37441 by Markus Koschany at 2018-03-28T14:28:32+02:00 Reserve DLA-1322-1 for graphicsmagick - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[28 Mar 2018] DLA-1322-1 graphicsmagick - security update + {CVE-2017-18219 CVE-2017-18220 CVE-2017-18229 CVE-2017-18230 CVE-2017-18231 CVE-2018-9018} + [wheezy] - graphicsmagick 1.3.16-1.1+deb7u19 [27 Mar 2018] DLA-1321-1 firefox-esr - security update {CVE-2018-5148} [wheezy] - firefox-esr 52.7.3esr-1~deb7u1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -37,8 +37,6 @@ gcc-4.7 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Do we want/need it on this gcc version as well? -- -graphicsmagick (Markus Koschany) --- graphite2 (Abhijith PA) NOTE: 20180317: Unable to reproduce with given POC. Waiting for upstream comment -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57f374410c1dc6a3dbb4a404cb6e1116d0e4df91 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57f374410c1dc6a3dbb4a404cb6e1116d0e4df91 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim drupal in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 95c522c7 by Markus Koschany at 2018-03-28T00:25:14+02:00 Claim drupal in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -22,6 +22,8 @@ cups dovecot (Thorsten Alteholz) NOTE: test package at: https://people.debian.org/~alteholz/packages/wheezy-lts/dovecot/ -- +drupal (Markus Koschany) +-- elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95c522c7f61b6888250ba5a58c3c2caf62d56c07 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95c522c7f61b6888250ba5a58c3c2caf62d56c07 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
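Review bot: the entry is added as "drupal", but the package being claimed is the drupal7 source package (the later DLA-1325-1 reservation lists "[wheezy] - drupal7 7.14-2+deb7u18" and removes a "drupal7 (Markus Koschany)" line from dla-needed.txt); entries in dla-needed.txt are keyed by source package name, so this line should read "drupal7 (Markus Koschany)".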
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-9018, graphicsmagick: Link to patch.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bce1369 by Markus Koschany at 2018-03-27T23:45:24+02:00 CVE-2018-9018,graphicsmagick: Link to patch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -116,6 +116,7 @@ CVE-2018-9019 CVE-2018-9018 (In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage ...) - graphicsmagick NOTE: https://sourceforge.net/p/graphicsmagick/bugs/554/ + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/84040fada1ee CVE-2018-9017 (dsmall v20180320 allows XSS via the member search box at the ...) NOT-FOR-US: dsmall CVE-2018-9016 (dsmall v20180320 allows XSS via the main page search box at the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8bce13698e993752abebe14b0c95a773f6d18af1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8bce13698e993752abebe14b0c95a773f6d18af1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add xerces-c to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 00bd27a8 by Markus Koschany at 2018-03-25T20:01:48+02:00 Add xerces-c to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -174,5 +174,7 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) NOTE: 20180311: Upstream still unsure how to fix. <https://core.trac.wordpress.org/ticket/43308> (lamby) -- +xerces-c +-- zsh -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/00bd27a8fd772562ff7f18020c2827386b10f766 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/00bd27a8fd772562ff7f18020c2827386b10f766 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add zsh to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 82dbeead by Markus Koschany at 2018-03-25T19:53:14+02:00 Add zsh to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -174,3 +174,5 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) NOTE: 20180311: Upstream still unsure how to fix. <https://core.trac.wordpress.org/ticket/43308> (lamby) -- +zsh +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82dbeead786b4bb2a4acc1d2ff1f952d5042d39a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82dbeead786b4bb2a4acc1d2ff1f952d5042d39a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Add libvncserver to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bdb34531 by Markus Koschany at 2018-03-25T19:49:06+02:00 Add libvncserver to dla-needed.txt - - - - - 885ebc89 by Markus Koschany at 2018-03-25T19:49:25+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -88,6 +88,8 @@ libreoffice -- libslf4j-java (Markus Koschany) -- +libvncserver +-- libvorbis NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4e6e6ce335d7746443154630a2b83b43f736b08f...885ebc8984eebcefc8f9d0a1dc849f7b2330b17a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4e6e6ce335d7746443154630a2b83b43f736b08f...885ebc8984eebcefc8f9d0a1dc849f7b2330b17a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add ruby-rack-protection to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 342c27b7 by Markus Koschany at 2018-03-25T19:44:37+02:00 Add ruby-rack-protection to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -139,6 +139,8 @@ ruby1.9.1 (Santiago R.R.) -- rubygems (Santiago R.R.) -- +ruby-rack-protection +-- sam2p -- samba (Holger Levsen) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/342c27b77456b5252aef6b3080e2f36c4fb193e5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/342c27b77456b5252aef6b3080e2f36c4fb193e5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
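Review bot: "ruby-rack-protection" is inserted after rubygems, but dla-needed.txt is kept in sorted order and this name sorts before "ruby1.9.1 (Santiago R.R.)", which is where it appears in the context of later commits such as 86cc6f7c; place the new entry before ruby1.9.1 so a later cleanup is not needed.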
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1000140, librelp: Wheezy is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 487c454e by Markus Koschany at 2018-03-25T19:37:52+02:00 CVE-2018-1000140,librelp: Wheezy is not affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -137,6 +137,7 @@ CVE-2018-1000141 (I, Librarian version 4.9 and earlier contains an Incorrect Acc NOTE: https://github.com/mkucej/i-librarian/issues/124 CVE-2018-1000140 (rsyslog librelp version 1.2.14 and earlier contains a Buffer Overflow ...) - librelp 1.2.15-1 + [wheezy] - librelp (vulnerable code not present) NOTE: Fixed by: https://github.com/rsyslog/librelp/commit/2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf CVE-2018-1000139 (I, Librarian version 4.8 and earlier contains a Cross Site Scripting ...) - i-librarian (bug #649291) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/487c454e51e0751e3d2ebede2987055147c4863a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/487c454e51e0751e3d2ebede2987055147c4863a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add ldap-account-manager to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 14963d74 by Markus Koschany at 2018-03-25T19:27:38+02:00 Add ldap-account-manager to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -62,6 +62,8 @@ lame (Hugo Lefeuvre) NOTE: 20180317: Patch available and tested. However I am probably not going to upload it since the security team is not NOTE: interested in patching Jessie and I evaluate regression risks as non negligible. -- +ldap-account-manager +-- leptonlib NOTE: more issues like previous ones -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14963d7417e5efc1ad6f6cf0a3d7c1cef1de56a9
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add apache2 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7548310f by Markus Koschany at 2018-03-25T19:21:53+02:00 Add apache2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,6 +10,8 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +apache2 +-- calibre NOTE: Instead of replacing pickle with json, maybe disable bookmarking NOTE: completely and invest the time to fix the Jessie version instead? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7548310f8ba18d39de423f2b1a2048420a6c453a
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add net-snmp to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 687ab774 by Markus Koschany at 2018-03-24T23:59:26+01:00 Add net-snmp to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -114,6 +114,8 @@ mosquitto (Chris Lamb) -- mp4v2 -- +net-snmp +-- opencv -- openjdk-7 (Emilio Pozuelo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/687ab7748fd93464968bbbebe1c4b2bbed8a6bda
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add sam2p to dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2757cd01 by Markus Koschany at 2018-03-24T23:50:48+01:00 Add sam2p to dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -133,6 +133,8 @@ ruby1.9.1 (Santiago R.R.) -- rubygems (Santiago R.R.) -- +sam2p +-- samba (Holger Levsen) -- sdl-image1.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2757cd01340a095508260e426e05d1398e16cd29
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Triage radare2 for Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c3eb811 by Markus Koschany at 2018-03-24T23:40:43+01:00 Triage radare2 for Wheezy. CVE-2018-8808 most likely does not affect Wheezy, the code is different but I cannot verify it at the moment hence I am going to mark it as no-dsa for now. CVE-2018-8809: very similar to CVE-2018-8808. Code is quite different. CVE-2018-8810: not-affected, vulnerable code is not present. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -390,12 +390,15 @@ CVE-2018-8811 (Cross-site request forgery (CSRF) vulnerability in ...) NOT-FOR-US: OpenCMS CVE-2018-8810 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - radare2 + [wheezy] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/issues/9727 CVE-2018-8809 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - radare2 + [wheezy] - radare2 (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9726 CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - radare2 + [wheezy] - radare2 (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9725 CVE-2018-8807 (In libming 0.4.8, these is a use-after-free in the function ...) - ming View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c3eb811575e18b2ffbedb0585f9ae13c973feb0
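Review bot: the uncertainty stated in the commit message is lost in the hunk: the new wheezy lines for CVE-2018-8808 and CVE-2018-8809 read `(minor issue, likely not even affected)`, while the message says the Wheezy code is different but could not be verified yet. Suggest adding a NOTE line under each of those two entries recording what was compared and that the not-affected question is still open, so a later triager can close it instead of redoing the analysis; the CVE-2018-8810 line, marked `(vulnerable code not present)`, is a definite finding and needs no such note.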
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add libslf4j-java to dla-needed.txt and claim it.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ce2ad0d0 by Markus Koschany at 2018-03-24T18:18:42+01:00 Add libslf4j-java to dla-needed.txt and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -82,6 +82,8 @@ libraw -- libreoffice -- +libslf4j-java (Markus Koschany) +-- libvorbis NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce2ad0d0e6c7366b59762f5d901668d77cd981f5
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim graphicsmagick in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 326e67ef by Markus Koschany at 2018-03-24T18:00:01+01:00 Claim graphicsmagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -34,7 +34,7 @@ gcc-4.7 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Do we want/need it on this gcc version as well? -- -graphicsmagick +graphicsmagick (Markus Koschany) -- graphite2 (Abhijith PA) NOTE: 20180317: Unable to reproduce with given POC. Waiting for upstream comment View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/326e67efe3684b0141a9ac860e09587052a8ed03
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1316-1 for freeplane
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: de6972d1 by Markus Koschany at 2018-03-24T17:16:44+01:00 Reserve DLA-1316-1 for freeplane - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[24 Mar 2018] DLA-1316-1 freeplane - security update + {CVE-2018-169} + [wheezy] - freeplane 1.1.3-2+deb7u1 [24 Mar 2018] DLA-1315-1 libvirt - security update {CVE-2018-1064 CVE-2018-5748} [wheezy] - libvirt 0.9.12.3-1+deb7u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -24,8 +24,6 @@ elinks -- firefox-esr -- -freeplane (Markus Koschany) --- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de6972d15131428fe1d649295bdbbbe9f0ae0320
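Review bot: the CVE id in the new DLA-1316-1 entry, `{CVE-2018-169}`, does not match the `CVE-2018-1000069` given in the subject of the freeplane patch-link commit later in this list, whose own message and hunk also use `CVE-2018-169`. Confirm which id the issue is tracked under in data/CVE/list and use the same one in data/DLA/list, otherwise the DLA cannot be matched to the CVE entry it closes.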
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-5748, libvirt: Remove postponed entry.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ff677e39 by Markus Koschany at 2018-03-24T16:05:47+01:00 CVE-2018-5748,libvirt: Remove postponed entry. Will be fixed soon. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8837,7 +8837,6 @@ CVE-2018-5748 (qemu/qemu_monitor.c in libvirt allows attackers to cause a denial - libvirt 4.0.0-1 (bug #887700) [stretch] - libvirt 3.0.0-4+deb9u2 [jessie] - libvirt 1.2.9-9+deb8u5 - [wheezy] - libvirt (Can be fixed in a later update) NOTE: https://www.redhat.com/archives/libvir-list/2017-December/msg00749.html NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bc251ea91bcfddd2622fce6bce701a438b2e7276 CVE-2018-5747 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff677e39ec44381c1ae5e2a8df11cde1a43d7953
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1315-1 for libvirt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 26eaca47 by Markus Koschany at 2018-03-24T15:52:57+01:00 Reserve DLA-1315-1 for libvirt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[24 Mar 2018] DLA-1315-1 libvirt - security update + {CVE-2018-1064 CVE-2018-5748} + [wheezy] - libvirt 0.9.12.3-1+deb7u3 [23 Mar 2018] DLA-1314-1 simplesamlphp - security update {CVE-2018-7711} [wheezy] - simplesamlphp 1.9.2-1+deb7u4 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -84,8 +84,6 @@ libraw -- libreoffice -- -libvirt (Markus Koschany) --- libvorbis NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26eaca477a15e764e04af75d062093669459da1c
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add slurm-llnl to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f8b1a4c by Markus Koschany at 2018-03-23T23:41:28+01:00 Add slurm-llnl to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -142,6 +142,8 @@ sdl-image1.2 sharutils NOTE: 20180318: no patch available yet, so no email to maintainer sent -- +slurm-llnl +-- squirrelmail NOTE: 20180318: no patch available yet, so no email to maintainer sent -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f8b1a4c76512472a6775f3f1c1dc433d5a4f6b0
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add sdl-image1.2 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 659296cd by Markus Koschany at 2018-03-23T23:28:51+01:00 Add sdl-image1.2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -137,6 +137,8 @@ rubygems (Santiago R.R.) -- samba (Holger Levsen) -- +sdl-image1.2 +-- sharutils NOTE: 20180318: no patch available yet, so no email to maintainer sent -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/659296cda55b7ce96965102325846dedad71a1c2
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add mosquitto to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 26bfaf7a by Markus Koschany at 2018-03-23T23:11:07+01:00 Add mosquitto to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -112,6 +112,8 @@ ming (Hugo Lefeuvre) -- mingw-w64 -- +mosquitto +-- mp4v2 -- opencv View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26bfaf7a43999e49d6ccfd5b89a9ec49c1dae988
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add memcached to dla-needed.txt with NOTES.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5aaebbda by Markus Koschany at 2018-03-23T22:56:23+01:00 Add memcached to dla-needed.txt with NOTES. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -92,6 +92,12 @@ libvorbis -- linux -- +memcached + NOTE: The Wheezy version supports the ascii protocol but the specific + NOTE: make_ascii_get_suffix function for the fix does not exist. Without a + NOTE: reproducer I cannot decide whether this version is vulnerable or not. + NOTE: Upstream should be contacted. +-- mercurial NOTE: 20180315: The patch to CVE-2016-1000116 added in 2.2.2-4+deb7u5 makes NOTE: 20180315: the testsuite fail nondeterminstically. You will need to apply View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5aaebbdaf697375e0d89f7d11ade316594110024
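Review bot: the new memcached note does not name the CVE it concerns, so the observation that `make_ascii_get_suffix` does not exist in the Wheezy version cannot be tied to an entry in data/CVE/list. Suggest starting the note with the CVE id and a date tag in the `NOTE: 20180315:` style used by the mercurial entry just below it, and, once upstream replies, recording whether the ascii protocol path in the Wheezy version is reachable; that answer is what decides between not-affected and a backport.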
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add libraw to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f14fdb9 by Markus Koschany at 2018-03-23T22:20:12+01:00 Add libraw to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -79,6 +79,9 @@ libpodofo NOTE: maybe a dupe NOTE: 20180318: no patch available yet, so no email to maintainer sent -- +libraw + NOTE: Only a subset of functions are present in Wheezy. +-- libreoffice -- libvirt (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f14fdb931ff4fc9e3754c7cea3d843d479eb5c4
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-8945, binutils: Mark as no-dsa for Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c4cf8a0f by Markus Koschany at 2018-03-23T21:02:27+01:00 CVE-2018-8945,binutils: Mark as no-dsa for Wheezy. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7,6 +7,7 @@ CVE-2018-8945 (The bfd_section_from_shdr function in elf.c in the Binary File .. - binutils (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) CVE-2018-8944 (PHPOK 4.8.338 has an arbitrary file upload vulnerability. ...) NOT-FOR-US: PHPOK CVE-2018-8943 (There is a SQL injection in the PHPSHE 1.6 userbank parameter. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4cf8a0f9250667416f2f08d88ff469b996085fb
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim freeplane in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 90174779 by Markus Koschany at 2018-03-22T23:50:06+01:00 Claim freeplane in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -24,6 +24,8 @@ elinks -- firefox-esr -- +freeplane (Markus Koschany) +-- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/901747795567fb3e0a44680433630d7f34657b55
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1000069, freeplane: Link to patch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 80713b31 by Markus Koschany at 2018-03-22T23:42:10+01:00 CVE-2018-169,freeplane: Link to patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4347,6 +4347,7 @@ CVE-2018-170 (Bitmessage PyBitmessage version v0.6.2 (and introduced in or a CVE-2018-169 (FreePlane version 1.5.9 and earlier contains a XML External Entity ...) - freeplane 1.6.6-1 (bug #893663) NOTE: https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser + NOTE: https://github.com/freeplane/freeplane/commit/a5dce7f9f CVE-2018-7279 (A remote code execution issue was discovered in AlienVault USM and ...) NOT-FOR-US: AlienVault CVE-2018-7278 (An issue was discovered on RLE Protocol Converter FDS-PC / FDS-PC-DP ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/80713b318b194062f6d635981c1961f46f4dc1a3
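Review bot: the new patch link uses a 9-character abbreviated commit id (`https://github.com/freeplane/freeplane/commit/a5dce7f9f`); prefer the full 40-character hash in NOTE links, as the librelp, libvirt, gpac and exempi commit NOTEs elsewhere in this list do, so the reference stays unambiguous and can be checked offline against a clone of the repository. The commit message and hunk also refer to `CVE-2018-169` while the subject line of this message says `CVE-2018-1000069`; confirm the annotated entry is the one the patch addresses.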
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add ipython to dla-needed.txt with some notes.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ec4d7534 by Markus Koschany at 2018-03-22T00:14:59+01:00 Add ipython to dla-needed.txt with some notes. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -46,6 +46,15 @@ graphite2 (Abhijith PA) -- imagemagick -- +ipython + NOTE: The Wheezy version lacks the security and sanitization feature hence + NOTE: the vulnerable code is not present. Ipython's notebook might be still + NOTE: affected though. Due to the absence of sanitization a fix is probably too + NOTE: intrusive. I suggest to fix the Jessie version instead, which contains basic + NOTE: sanitization and then recommend to Wheezy users to not use Ipython's notebook + NOTE: with untrusted content and upgrade to Jessie. Please double-check all + NOTE: this. +-- isc-dhcp (Thorsten Alteholz) -- jruby (Santiago R.R.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec4d75340152bda2045d4b04399686d56dedcdf5
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-8768, Ipython: Mark as no-dsa for Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: df5770da by Markus Koschany at 2018-03-22T00:09:12+01:00 CVE-2018-8768,Ipython: Mark as no-dsa for Wheezy. Ipython in Wheezy lacks sanitization of untrusted HTML completely which means in theory this CVE does not apply. However due to the absence of sanitization it is recommended not to use Ipython's notebook with untrusted content. This issue is no-dsa because it cannot be determined if Wheezy is still affected, a fix appears to be too intrusive though. We recommend to upgrade to a newer version instead. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list
@@ -339,10 +339,17 @@ CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the ...) CVE-2018-8768 (In Jupyter Notebook before 5.4.1, a maliciously forged notebook file ...) - jupyter-notebook (bug #893436) - ipython 5.1.0-2 + [wheezy] - Ipython (requires implementation of sanitization first, see NOTES) NOTE: After the reupload of ipython to Debian as 4.1.2-1 via experimental NOTE: src:ipython does not provide anymore the Notebook NOTE: http://www.openwall.com/lists/oss-security/2018/03/15/2 NOTE: Fixed by: https://github.com/jupyter/notebook/commit/4e79ebb49acac722b37b03f1fe811e67590d3831 + NOTE: Ipython in Wheezy lacks sanitization of untrusted HTML completely + NOTE: which means in theory this CVE does not apply. However due to the absence of + NOTE: sanitization it is recommended not to use Ipython's notebook with untrusted + NOTE: content. This issue is no-dsa because it cannot be determined if Ipython + NOTE: in Wheezy is still affected, a fix appears to be to intrusive though. We recommend to + NOTE: upgrade to a newer version instead. CVE-2018-8741 (A directory traversal flaw in SquirrelMail 1.4.22 allows an ...) - squirrelmail (bug #893202) NOTE: http://www.openwall.com/lists/oss-security/2018/03/17/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df5770da68ddd2066ac3eedf7e41cfc71caf618f
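Review bot: the new wheezy line names the package as `Ipython` (`[wheezy] - Ipython (requires implementation of sanitization first, see NOTES)`), while the existing line above it uses the source package name `ipython` (`- ipython 5.1.0-2`). Debian source package names are lower case, so the capitalised form will not match the package and should be `ipython`. The added NOTE block also carries the typo `to intrusive` (should be `too intrusive`).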
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-7752, gpac: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 262a374d by Markus Koschany at 2018-03-21T21:10:39+01:00 CVE-2018-7752,gpac: Wheezy is not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2638,6 +2638,7 @@ CVE-2018-7719 RESERVED CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...) - gpac (bug #892526) + [wheezy] - gpac (vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/997 NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4 NOTE: CVE is for the issue in av_parsers.c and fixed in same commit as View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/262a374dc212af71748a946f7fdfe61c607e711e
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add calibre to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 14fc52cd by Markus Koschany at 2018-03-21T20:28:43+01:00 Add calibre to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -15,6 +15,10 @@ adminer (Chris Lamb) NOTE: 20181603: No patch/upstream info for CVE-2018-7667 yet. (lamby) NOTE: 20181903: Still patch/upstream info for CVE-2018-7667. (lamby) -- +calibre + NOTE: Instead of replacing pickle with json, maybe disable bookmarking + NOTE: completely and invest the time to fix the Jessie version instead? +-- cups NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14fc52cd39706e2f6e51cb5169555cc136674760
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1063, policycoreutils: Mark as no-dsa in Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ac162dce by Markus Koschany at 2018-03-21T20:03:10+01:00 CVE-2018-1063,policycoreutils: Mark as no-dsa in Wheezy. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20946,6 +20946,7 @@ CVE-2018-1063 (Context relabeling of filesystems is vulnerable to symbolic link - policycoreutils [stretch] - policycoreutils (Minor issue) [jessie] - policycoreutils (Minor issue) + [wheezy] - policycoreutils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1550122 NOTE: Mitigation by removing any symbolic link in /tmp and /var/tmp directories NOTE: before relabeling the file system. Futhtermore only triggerable at View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac162dce26f5a42dd3aea8ab2025652eb01685b6
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1310-1 for exempi
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 50088b93 by Markus Koschany at 2018-03-21T15:08:31+01:00 Reserve DLA-1310-1 for exempi - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[21 Mar 2018] DLA-1310-1 exempi - security update + {CVE-2017-18233 CVE-2017-18234 CVE-2017-18236 CVE-2017-18238 CVE-2018-7728 CVE-2018-7730} + [wheezy] - exempi 2.2.0-1+deb7u1 [18 Mar 2018] DLA-1309-1 curl - security update {CVE-2018-1000120 CVE-2018-1000121 CVE-2018-1000122} [wheezy] - curl 7.26.0-1+wheezy25 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -23,9 +23,6 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- -exempi (Markus Koschany) - NOTE: 20180308: Not all upstream patches apply cleanly (lamby) --- firefox-esr -- gcc-4.6 (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/50088b9398b36ec815a482143b16a768c13461d6
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] exempi: Three CVEs do not affect Wheezy
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d26708a by Markus Koschany at 2018-03-21T15:06:58+01:00 exempi: Three CVEs do not affect Wheezy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -372,6 +372,7 @@ CVE-2017-18238 (An issue was discovered in Exempi before 2.4.4. The ...) NOTE: https://cgit.freedesktop.org/exempi/commit/?id=886cd1d2314755adb1f4cdb99c16ff00830f0331 CVE-2017-18237 (An issue was discovered in Exempi before 2.4.3. The ...) - exempi 2.4.3-1 + [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101914 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=f19d0107fbae1fb41836cd110d4425e407e64048 CVE-2017-18236 (An issue was discovered in Exempi before 2.4.4. The ...) @@ -380,6 +381,7 @@ CVE-2017-18236 (An issue was discovered in Exempi before 2.4.4. The ...) NOTE: https://cgit.freedesktop.org/exempi/commit/?id=fe59605d3520bf2ca4e0a963d194f10e9fee5806 CVE-2017-18235 (An issue was discovered in Exempi before 2.4.3. The VPXChunk class in ...) - exempi 2.4.3-1 + [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101913 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=9e76a7782a54a242f18d609e7ba32bf1c430a5e4 CVE-2017-18234 (An issue was discovered in Exempi before 2.4.3. It allows remote ...) 
@@ -2595,6 +2597,7 @@ CVE-2018-7729 (An issue was discovered in Exempi through 2.4.4. There is a stack - exempi 2.4.5-1 (low; bug #892782) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) + [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=105206 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=baa4b8a02c1ffab9645d13f0bfb1c0d10d311a0c CVE-2018-7728 (An issue was discovered in Exempi through 2.4.4. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d26708ac794cc62e335f15407e31e9965f6fd4f
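Review bot: all three added lines (`[wheezy] - exempi (vulnerable code not present)` for CVE-2017-18237, CVE-2017-18235 and CVE-2018-7729) render without a state marker before the reason; the tracker syntax for this case is `<not-affected>`, so check that the token survived the commit, since angle-bracketed tokens are routinely stripped when these mails are rendered. The reason also names neither the file nor the class that is absent from 2.2.0; the fix commits linked in the adjacent NOTE lines show what was checked, so one identifier per line (for CVE-2017-18235 the `VPXChunk` class the hunk header itself names) would let the claim be re-verified from the entry alone.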
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1000069, freeplane: bug filed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b9e5a8c by Markus Koschany at 2018-03-21T00:27:57+01:00 CVE-2018-169,freeplane: bug filed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4073,7 +4073,7 @@ CVE-2018-171 (roundcube version 1.3.4 and earlier contains an Insecure Permi CVE-2018-170 (Bitmessage PyBitmessage version v0.6.2 (and introduced in or after ...) NOT-FOR-US: PyBitmessage CVE-2018-169 (FreePlane version 1.5.9 and earlier contains a XML External Entity ...) - - freeplane 1.6.6-1 + - freeplane 1.6.6-1 (bug #893669) NOTE: https://www.freeplane.org/wiki/index.php/XML_External_Entity_vulnerability_in_map_parser CVE-2018-7279 (A remote code execution issue was discovered in AlienVault USM and ...) NOT-FOR-US: AlienVault View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3b9e5a8c40d15d95e1f16f3dac6a3f4ea8d91823
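Review bot: the identifiers in this hunk render as `CVE-2018-169`, `CVE-2018-170` and `CVE-2018-171`, while the subject of this very commit names CVE-2018-1000069, so the ids as shown are truncated; verify that the committed line reads `CVE-2018-1000069` before the `(bug #893669)` reference is relied on, otherwise the bug will be attached to a CVE id that does not exist. The change itself, `- freeplane 1.6.6-1 (bug #893669)`, keeps the fixed version and only records the bug, which is the right shape for an entry fixed in unstable but still open for the stable suites.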
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim libvirt in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 962441f2 by Markus Koschany at 2018-03-21T00:14:08+01:00 Claim libvirt in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -76,6 +76,8 @@ libpodofo -- libreoffice -- +libvirt (Markus Koschany) +-- libvorbis NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/962441f28fdbd1254a46be619b742bcea5921847
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add imagemagick to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 694bc770 by Markus Koschany at 2018-03-21T00:08:20+01:00 Add imagemagick to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -43,6 +43,8 @@ graphicsmagick graphite2 (Abhijith PA) NOTE: 20180317: Unable to reproduce with given POC. Waiting for upstream comment -- +imagemagick +-- isc-dhcp (Thorsten Alteholz) -- jruby (Santiago R.R.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/694bc7708d81893d3dc330ca50ef1e1313ca6235
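Review bot: imagemagick is re-added to dla-needed.txt without a NOTE line, sixteen days after it was removed on 2018-03-05 (3e315bc5) once CVE-2017-18209 and CVE-2017-18211 were found not to affect wheezy; list the CVE ids that reopened it, in the dated `NOTE: YYYYMMDD: ...` style the neighbouring graphite2 entry uses, so the next claimant does not have to re-derive the open set from the tracker.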
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-12196, undertow: One more patch.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bbd0dced by Markus Koschany at 2018-03-19T23:32:50+01:00 CVE-2017-12196,undertow: One more patch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38509,6 +38509,7 @@ CVE-2017-12196 [Client can use bogus uri in Digest authentication] - undertow NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870 + NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f CVE-2017-12195 RESERVED NOT-FOR-US: OpenShift View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bbd0dcedcf61af795717bba9569c8bf4e989d3a7
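Review bot: the new `NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f` line does not say how this commit relates to the `Fixed by` commit facb33a5 above it (second half of the fix, a follow-up correction, or tests only); for a backport that distinction decides whether both commits must be applied, so label it the same way as the line above, e.g. `NOTE: Fixed by ... and ...` if both are required, or `NOTE: Follow-up: ...` if not.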
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-12196, undertow: Add link to patch.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a0db03e6 by Markus Koschany at 2018-03-19T23:26:53+01:00 CVE-2017-12196,undertow: Add link to patch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38508,6 +38508,7 @@ CVE-2017-12196 [Client can use bogus uri in Digest authentication] RESERVED - undertow NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055 + NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870 CVE-2017-12195 RESERVED NOT-FOR-US: OpenShift View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a0db03e6473b12deb1b7cb6a5e393c9113f95f6b
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim exempi in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 879a8f5b by Markus Koschany at 2018-03-10T13:18:45+01:00 Claim exempi in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -17,7 +17,7 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- -exempi +exempi (Markus Koschany) NOTE: 20180308: Not all upstream patches apply cleanly (lamby) -- gcc-4.6 (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/879a8f5bbd78eba7f2c6ec7de55d14ec5ad98cd7
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1301-1 for tomcat7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d5802577 by Markus Koschany at 2018-03-06T13:02:37+01:00 Reserve DLA-1301-1 for tomcat7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[06 Mar 2018] DLA-1301-1 tomcat7 - security update + {CVE-2018-1304 CVE-2018-1305} + [wheezy] - tomcat7 7.0.28-4+deb7u18 [05 Mar 2018] DLA-1300-1 xen - security update {CVE-2018-7540 CVE-2018-7541} [wheezy] - xen 4.1.6.lts1-13 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -99,8 +99,6 @@ rubygems (Emilio Pozuelo) tiff NOTE: incomplete fix of CVE-2017-18013, see CVE-2018-7456. -- -tomcat7 (Markus Koschany) --- wireshark (Thorsten Alteholz) -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5802577c18726e9ad3f494ec647b6778fc14552
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove imagemagick from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e315bc5 by Markus Koschany at 2018-03-05T19:51:37+01:00 Remove imagemagick from dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -33,8 +33,6 @@ gcc-4.7 (Roberto C. Sánchez) icu (Thorsten Alteholz) NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- -imagemagick (Markus Koschany) --- isc-dhcp (Thorsten Alteholz) -- jruby (Emilio Pozuelo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e315bc54b0eab657f32b97b55e6c5c10adf807e
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-18209, CVE-2017-18211, imagemagick: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 58a7fe93 by Markus Koschany at 2018-03-05T19:50:40+01:00 CVE-2017-18209,CVE-2017-18211,imagemagick: Wheezy is not affected The vulnerable code in "magick/opencl.c" does not exist. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -257,6 +257,7 @@ CVE-2017-18211 (In ImageMagick 7.0.7, a NULL pointer dereference vulnerability w - imagemagick 8:6.9.9.34+dfsg-3 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) + [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/792 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/96c2fab85e1699c87080271254c5a01387805564 NOTE: https://github.com/ImageMagick/ImageMagick/commit/22eec833cd72b5abab2627fcacc27d2dfb6aa6e7 @@ -270,6 +271,7 @@ CVE-2017-18209 (In the GetOpenCLCachedFilesDirectory function in magick/opencl.c - imagemagick 8:6.9.9.34+dfsg-3 (low) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) + [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/790 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6ac2858a87df6d645813e43928b4f01a3169ad3f NOTE: https://github.com/ImageMagick/ImageMagick/commit/cca91aa1861818342e3d072bb0fad7dc4ffac24a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/58a7fe93dbc246a7f771cb8652e67f8a9dc6c5e7
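Review bot: the reason text `(vulnerable code not present)` on the two new wheezy lines should carry the file the commit message names, `magick/opencl.c`, because for CVE-2017-18211 the hunk header is cut at `...` and does not itself say where the NULL pointer dereference lives; with the file in the reason, the not-affected claim for both CVEs is checkable from the entry without the commit message. Adding it to both lines also keeps them consistent with the CVE-2017-18209 header, which already names `GetOpenCLCachedFilesDirectory function in magick/opencl.c`, and with the `ImageMagick-6:` prefix convention the adjacent NOTE lines use for 6.x-specific references.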
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-7559, undertow: Link to patch, correct upstream bug
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f4fdf50 by Markus Koschany at 2018-03-03T15:13:04+01:00 CVE-2017-7559,undertow: Link to patch, correct upstream bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -49577,9 +49577,10 @@ CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, a - undertow 1.4.23-1 (bug #885576) NOTE: CVE is for an incomplete fix of CVE-2017-2666 NOTE: Invalid characters were still allowed in the query string and path parameters. - NOTE: https://issues.jboss.org/browse/UNDERTOW-1251 + NOTE: https://issues.jboss.org/browse/UNDERTOW-1165 NOTE: https://issues.jboss.org/browse/UNDERTOW-1295 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7 + NOTE: Fixed by https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 CVE-2017-7558 [sctp: out-of-bounds read in inet_diag_msg_sctp{,l}addr_fill() and sctp_get_sctp_info()] RESERVED - linux 4.12.13-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f4fdf50ae76103622200a2b20b412c686b4692f
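Review bot: replacing `NOTE: https://issues.jboss.org/browse/UNDERTOW-1251` with UNDERTOW-1165 drops the old link without recording why 1251 was wrong; since 1251 was still in this entry when 4710fae5 set the fixed version a day earlier, a short NOTE saying what 1251 actually tracks would stop someone re-adding it. The new `NOTE: Fixed by .../3436b03e...` line is the right thing to record for an incomplete-fix CVE; cross-check that the CVE-2017-2666 entry this one refers to points at the same commit chain, so a backporter sees the original fix and the completion together.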
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1048, undertow: Link to patch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d2e99abf by Markus Koschany at 2018-03-03T15:00:02+01:00 CVE-2018-1048,undertow: Link to patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17798,6 +17798,7 @@ CVE-2018-1048 (It was found that the AJP connector in undertow, as shipped in Jb - undertow 1.4.22-1 (bug #891928) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343 NOTE: https://issues.jboss.org/browse/UNDERTOW-1245 + NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5 CVE-2018-1047 (A flaw was found in Wildfly 9.x. A path traversal vulnerability ...) - undertow (bug #891929) NOTE: https://issues.jboss.org/browse/WFLY-9620 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2e99abf4a243bb38becda8f5a5a58731efaf622
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2018-1047, wildfly/undertow: Add link to pull request
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 95bdbe58 by Markus Koschany at 2018-03-02T20:25:40+01:00 CVE-2018-1047,wildfly/undertow: Add link to pull request - - - - - 9b4cc6d2 by Markus Koschany at 2018-03-02T20:26:48+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 4710fae5 by Markus Koschany at 2018-03-02T20:27:16+01:00 CVE-2017-7559,undertow: Fixed in 1.4.23-1. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17736,6 +17736,8 @@ CVE-2018-1047 (A flaw was found in Wildfly 9.x. A path traversal vulnerability . - undertow (bug #891929) NOTE: https://issues.jboss.org/browse/WFLY-9620 NOTE: https://developer.jboss.org/thread/276826 + NOTE: Fixed by https://github.com/wildfly/wildfly/pull/10748 + NOTE: It looks more like an issue in WildFly. Not 100% sure though. TODO: check, issue in undertow or WildFly? CVE-2018-1046 RESERVED 
@@ -49505,7 +49507,7 @@ CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable t NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1480550 NOTE: Introduced by: https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and ...) - - undertow (bug #885576) + - undertow 1.4.23-1 (bug #885576) NOTE: CVE is for an incomplete fix of CVE-2017-2666 NOTE: Invalid characters were still allowed in the query string and path parameters. NOTE: https://issues.jboss.org/browse/UNDERTOW-1251 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f6dd99b0c59554e0f0a8073f6bb13b1903897810...4710fae5b46bb4b53bf7e464996b8c58ed3417d6
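Review bot: in the CVE-2018-1047 hunk, `NOTE: Fixed by https://github.com/wildfly/wildfly/pull/10748` overstates what the two lines right after it admit (`It looks more like an issue in WildFly. Not 100% sure though.` and `TODO: check, issue in undertow or WildFly?`): a WildFly pull request does not fix the undertow package. Record it as `NOTE: WildFly fix: <PR>` while the TODO is open, and if the path traversal turns out to be WildFly-only, change the undertow entry accordingly (NOT-FOR-US if WildFly itself is not packaged) instead of leaving `- undertow (bug #891929)` pointing at a bug the package cannot close. The CVE-2017-7559 hunk, `- undertow 1.4.23-1 (bug #885576)`, is straightforward.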
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim tomcat7 in dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 93b99053 by Markus Koschany at 2018-03-02T00:35:20+01:00 Claim tomcat7 in dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -98,6 +98,8 @@ simplesamlphp tiff NOTE: incomplete fix of CVE-2017-18013 -- +tomcat7 (Markus Koschany) +-- wireshark (Thorsten Alteholz) -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93b99053729ce62b77e167defef64ec2e4d5e4db
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim imagemagick in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ac3d2c33 by Markus Koschany at 2018-03-02T00:05:57+01:00 Claim imagemagick in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -35,6 +35,8 @@ isc-dhcp (Thorsten Alteholz) icu (Thorsten Alteholz) NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- +imagemagick (Markus Koschany) +-- jruby (Emilio Pozuelo) -- krb5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ac3d2c337f68fea205980d361e8efac1c1102d6d
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1296-1 for xmltooling
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 79889edb by Markus Koschany at 2018-02-28T23:00:32+01:00 Reserve DLA-1296-1 for xmltooling - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[28 Feb 2018] DLA-1296-1 xmltooling - security update + {CVE-2018-0489} + [wheezy] - xmltooling 1.4.2-5+deb7u3 [28 Feb 2018] DLA-1295-1 drupal7 - security update {CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6932} [wheezy] - drupal7 7.14-2+deb7u17 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -104,6 +104,4 @@ wordpress -- xen -- -xmltooling (Markus Koschany) --- zsh View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79889edb0f3ca4fc14a75d038bea675c12b017d3
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Unclaim freexl
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f994e5ea by Markus Koschany at 2018-02-28T14:59:16+01:00 Unclaim freexl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,8 +18,6 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- -freexl (Markus Koschany) --- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f994e5ea0a477b5a2d368c40aa2861c7919ea8c7
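Review bot: the freexl entry is removed outright 28 minutes after it was claimed in 29b4dc8a, with no NOTE saying why (not affected in wheezy, already fixed, handed to someone else); since the removal also takes the package off the to-do list rather than just dropping the claimant, leave a dated note in the style the neighbouring entries use (`NOTE: 20180228: ...`) or, if the issue is not actually resolved, keep the unclaimed `freexl` line.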
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim xmltooling and freexl in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 29b4dc8a by Markus Koschany at 2018-02-28T14:31:31+01:00 Claim xmltooling and freexl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -18,6 +18,8 @@ dovecot (Thorsten Alteholz) elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- +freexl (Markus Koschany) +-- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie. @@ -99,3 +101,6 @@ wordpress NOTE: 20180221: Upstream still unsure how to fix (lamby) -- xen +-- +xmltooling (Markus Koschany) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/29b4dc8a892ec617f53cab4fc9903ed71081faae
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1295-1 for drupal7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5080cb16 by Markus Koschany at 2018-02-28T13:46:16+01:00 Reserve DLA-1295-1 for drupal7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[28 Feb 2018] DLA-1295-1 drupal7 - security update + {CVE-2017-6927 CVE-2017-6928 CVE-2017-6929 CVE-2017-6932} + [wheezy] - drupal7 7.14-2+deb7u17 [25 Feb 2018] DLA-1294-1 golang - security update {CVE-2018-7187} [wheezy] - golang 2:1.0.2-1.1+deb7u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -15,8 +15,6 @@ dovecot (Thorsten Alteholz) NOTE: maintainer and security team are looking into this NOTE: probably no-dsa -- -drupal7 (Markus Koschany) --- elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5080cb16f2d950b2585c31738415e48fb929a952
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim drupal7 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a38252b9 by Markus Koschany at 2018-02-24T14:00:53+01:00 Claim drupal7 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -15,7 +15,7 @@ dovecot (Thorsten Alteholz) NOTE: maintainer and security team are looking into this NOTE: probably no-dsa -- -drupal7 +drupal7 (Markus Koschany) -- gcc-4.6 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a38252b9555333b7aff401a968722d2dc5d32455
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove polarssl from dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9763c9c0 by Markus Koschany at 2018-02-19T20:13:00+01:00 Remove polarssl from dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -76,8 +76,6 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- -polarssl (Markus Koschany) --- suricata (Santiago R.R.) NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c NOTE: does not exist. Code seems to be in SigMatchSignatures instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9763c9c0c64129fd94fdb25b84e95e195b47a0ef
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-18187, polarssl: Wheezy is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fbed816b by Markus Koschany at 2018-02-19T20:11:31+01:00 CVE-2017-18187,polarssl: Wheezy is not affected. The vulnerable function and code are not present. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -598,6 +598,7 @@ CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlin CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an ...) - mbedtls 2.7.0-2 - polarssl + [wheezy] - polarssl (vulnerable code not present) NOTE: https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28 CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs that ...) - myrepos (bug #840014) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbed816b973269288e107f9bc0eae52dcc462dce
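Review bot: the reason `(vulnerable code not present)` rests only on the commit message (`The vulnerable function and code are not present`); put the function name into the reason text, because the single link in the entry is the mbedtls fix commit 83c9f495, which is against a much newer tree than wheezy's polarssl, so a later reader cannot tell from the entry which function was looked for. Separately, the bare `- polarssl` line still leaves jessie marked as affected with no status; if jessie was checked as well, add its line, otherwise a NOTE that only wheezy was triaged here avoids the entry being read as a complete assessment.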
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim polarssl in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4555ca2d by Markus Koschany at 2018-02-17T20:53:19+01:00 Claim polarssl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -76,7 +76,7 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- -polarssl +polarssl (Markus Koschany) -- suricata (Santiago R.R.) NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4555ca2db4fdd6d3d19b3f8c52abffb83a806bea --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4555ca2db4fdd6d3d19b3f8c52abffb83a806bea You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-0487 and CVE-2018-0488 as not affected in Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ad74543a by Markus Koschany at 2018-02-17T20:51:56+01:00 Mark CVE-2018-0487 and CVE-2018-0488 as not affected in Wheezy. According to the upstream advisory the version in Wheezy is not affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -18142,10 +18142,12 @@ CVE-2018-0489 CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the ...) - mbedtls 2.7.0-2 (bug #890287) - polarssl + [wheezy] - polarssl (according to the upstream advisory < 1.2.19 not affected) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 CVE-2018-0487 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows ...) - mbedtls 2.7.0-2 (bug #890288) - polarssl + [wheezy] - polarssl (according to the upstream advisory < 1.3.7 not affected) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 CVE-2018-0486 (Shibboleth XMLTooling-C before 1.6.3, as used in Shibboleth Service ...) {DSA-4085-1 DLA-1242-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad74543a143dff1085532399c8531436365dfb4d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad74543a143dff1085532399c8531436365dfb4d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
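Review bot: the wheezy notes "< 1.2.19 not affected" and "< 1.3.7 not affected" sit directly under CVE descriptions that say "before 1.3.22, before 2.1.10, and before 2.7.0", which reads as a contradiction to anyone who has not opened the advisory. If 1.2.19 and 1.3.7 are the versions in which the respective bugs were introduced, say so explicitly in the tag reason, and record the polarssl version actually shipped in wheezy next to it, so the verdict can be re-checked without consulting the advisory again.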
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2017-18189, sox: Issue in Wheezy was fixed by DLA-1197-1
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: dc7cf2ea by Markus Koschany at 2018-02-17T20:33:46+01:00 CVE-2017-18189,sox: Issue in Wheezy was fixed by DLA-1197-1 This issue was already fixed with DLA-1197-1. See 0012-xa-validate-channel-count.patch - - - - - a880765c by Markus Koschany at 2018-02-17T20:35:03+01:00 Remove sox from dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -332,6 +332,7 @@ CVE-2018-7050 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/e91da9e4098e449dc36eaa15354aff67650e7703 CVE-2017-18189 (In the startread function in xa.c in Sound eXchange (SoX) through ...) + {DLA-1197-1} - sox 14.4.2-2 (bug #881121) [stretch] - sox (Minor issue) [jessie] - sox (Minor issue) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -78,9 +78,6 @@ openjdk-7 (Emilio Pozuelo) -- polarssl -- -sox (Markus Koschany) - NOTE: marked no-dsa/minor in stable. if worth an upload, consider also uploading to jessie/stretch as well since version numbers are very close --- suricata (Santiago R.R.) NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c NOTE: does not exist. Code seems to be in SigMatchSignatures instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d2718c8de263b66cbffc4326847841daf8604cf7...a880765c7f092b70416f67c97b43af1919f5802b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d2718c8de263b66cbffc4326847841daf8604cf7...a880765c7f092b70416f67c97b43af1919f5802b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
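Review bot: `{DLA-1197-1}` is added to the CVE-2017-18189 entry in data/CVE/list, but data/DLA/list is not among the changed files, so the DLA-1197-1 entry there will not list CVE-2017-18189 in its `{...}` set the way the DLA entries added elsewhere on this list do; either update that entry as well or note why the reference is one-directional. The commit message names 0012-xa-validate-channel-count.patch as the evidence that the fix is already in wheezy; a NOTE line with that patch name under the CVE entry would keep the evidence next to the data rather than only in the commit history.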
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim sox in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d2718c8d by Markus Koschany at 2018-02-17T18:54:12+01:00 Claim sox in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -78,7 +78,7 @@ openjdk-7 (Emilio Pozuelo) -- polarssl -- -sox +sox (Markus Koschany) NOTE: marked no-dsa/minor in stable. if worth an upload, consider also uploading to jessie/stretch as well since version numbers are very close -- suricata (Santiago R.R.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2718c8de263b66cbffc4326847841daf8604cf7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d2718c8de263b66cbffc4326847841daf8604cf7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-17722, exiv2: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: be93f941 by Markus Koschany at 2018-02-15T23:07:32+01:00 CVE-2017-17722,exiv2: Wheezy is not affected The vulnerable code is not present. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9874,6 +9874,7 @@ CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the ... TODO: check CVE-2017-17722 (In Exiv2 0.26, there is a reachable assertion in the readHeader ...) - exiv2 + [wheezy] - exiv2 (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524116 NOTE: https://github.com/Exiv2/exiv2/issues/228 TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/be93f94161f112912f4d4628ad49ebabf7c5f3e7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/be93f94161f112912f4d4628ad49ebabf7c5f3e7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
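Review bot: the `TODO: check` line under CVE-2017-17722 is left in place after wheezy has been checked and tagged; if the TODO was about wheezy, remove it, otherwise narrow it to the suites that are still unchecked so the entry is not re-triaged. The identical `TODO: check` on CVE-2017-17723 just above is untouched by this commit, which is fine as long as that one is still genuinely open.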
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1281-1 for advancecomp
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3782ebf8 by Markus Koschany at 2018-02-13T14:46:28+01:00 Reserve DLA-1281-1 for advancecomp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[13 Feb 2018] DLA-1281-1 advancecomp - security update + {CVE-2018-1056} + [wheezy] - advancecomp 1.15-1+deb7u1 [12 Feb 2018] DLA-1280-1 pound - security update {CVE-2016-10711} [wheezy] - pound 2.6-2+deb7u2 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,8 +10,6 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -advancecomp (Markus Koschany) --- dovecot (Thorsten Alteholz) NOTE: after applying the patch, login segfaults NOTE: maintainer and security team are looking into this View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3782ebf8ef0f24d31fa25954bab288c1e4839150 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3782ebf8ef0f24d31fa25954bab288c1e4839150 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
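Review bot: the new DLA-1281-1 entry references CVE-2018-1056, which the earlier commit 45070c03 on this list shows still in RESERVED state in data/CVE/list with no fixed version recorded for advancecomp, only `(bug #889270)` and the upstream ticket link; make sure the CVE entry gets the fixed versions so the DLA cross-reference resolves in both directions.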
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update CVE-2016-10711 information.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f63ed4d2 by Markus Koschany at 2018-02-12T22:42:32+01:00 Update CVE-2016-10711 information. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1636,7 +1636,8 @@ CVE-2016-10711 (Apsis Pound before 2.8a allows request smuggling via crafted hea NOTE: http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000 NOTE: https://www.suse.com/de-de/security/cve/CVE-2016-10711/ NOTE: Fixed by https://build.opensuse.org/request/show/571084 - NOTE: Check for corresponding upstream commit + NOTE: Confirmed that the SUSE patch is the security relevant diff between + NOTE: version 2.7 and 2.8a CVE-2018-6375 RESERVED CVE-2018-6374 (The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f63ed4d2275669b0666e1236560e82c145d721d2 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f63ed4d2275669b0666e1236560e82c145d721d2 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Claim advancecomp in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c6be0fd6 by Markus Koschany at 2018-02-12T22:39:16+01:00 Claim advancecomp in dla-needed.txt - - - - - 87d3c1c7 by Markus Koschany at 2018-02-12T22:41:08+01:00 Reserve DLA-1280-1 for pound - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[12 Feb 2018] DLA-1280-1 pound - security update + {CVE-2016-10711} + [wheezy] - pound 2.6-2+deb7u2 [12 Feb 2018] DLA-1279-1 clamav - security update {CVE-2017-6419 CVE-2017-11423} [wheezy] - clamav 0.99.2+dfsg-0+deb7u5 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,6 +10,8 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +advancecomp (Markus Koschany) +-- dovecot (Thorsten Alteholz) NOTE: after applying the patch, login segfaults NOTE: maintainer and security team are looking into this @@ -59,8 +61,6 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- -pound (Markus Koschany) --- python-crypto (Brian May) -- suricata View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/fe6b5ce9df8d4da2ea8ffa959694411d0a07988f...87d3c1c7bb4952cfd78863a25d2eb212c388bfb8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/fe6b5ce9df8d4da2ea8ffa959694411d0a07988f...87d3c1c7bb4952cfd78863a25d2eb212c388bfb8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
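Review bot: DLA-1280-1 fixes pound at 2.6-2+deb7u2, so wheezy is on the 2.6 line, while the accompanying NOTE (commit f63ed4d2 on this list) only confirms that the SUSE patch is the security-relevant diff between 2.7 and 2.8a. Record whether the 2.6 to 2.7 delta was also examined, or whether the SUSE patch applied cleanly to 2.6, so the backport rationale lives in the tracker and not only in the uploader's head.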
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add suricata to dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a368ae6 by Markus Koschany at 2018-02-11T19:41:25+01:00 Add suricata to dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -68,3 +68,9 @@ pound (Markus Koschany) -- python-crypto (Brian May) -- +suricata + NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c + NOTE: does not exist. Code seems to be in SigMatchSignatures instead. + NOTE: StreamTcpInlineDropInvalid function does not exist at all. Perhaps contact + NOTE: upstream and ask for a clarification? +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a368ae6ff436fb85f08e40e613b8d5640e2a80e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a368ae6ff436fb85f08e40e613b8d5640e2a80e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
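Review bot: the NOTE lines name the functions that could not be found (DetectFlow in detect.c, StreamTcpInlineDropInvalid) but not the CVE id they belong to, so whoever picks up the entry has to rediscover which issue is meant; put the CVE id in the first NOTE line. The suggested action, asking upstream for clarification, also has no date or owner; the `NOTE: YYYYMMDD:` prefix used on other entries in this file (the lame and libav entries, for example) would make it clear when the question was raised and whether anyone is on it.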
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6836, wireshark: Mark as no-dsa for Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 944452ba by Markus Koschany at 2018-02-11T19:18:12+01:00 CVE-2018-6836, wireshark: Mark as no-dsa for Wheezy. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -127,6 +127,7 @@ CVE-2018-6837 RESERVED CVE-2018-6836 (The netmonrec_comment_destroy function in wiretap/netmon.c in Wireshark ...) - wireshark + [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14397 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=28960d79cca262ac6b974f339697b299a1e28fef CVE-2018-6835 (node/hooks/express/apicalls.js in Etherpad Lite before v1.6.3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/944452ba535b7f87df3646f72ce41daafcf21d4e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/944452ba535b7f87df3646f72ce41daafcf21d4e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add librsvg to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f8aa9d3d by Markus Koschany at 2018-02-11T19:16:41+01:00 Add librsvg to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -46,6 +46,8 @@ libreoffice NOTE: regression update, see: NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html -- +librsvg +-- libvorbis (Guido Günther) NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8aa9d3d9907123e321386ddea3ac29422d3a6c2 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8aa9d3d9907123e321386ddea3ac29422d3a6c2 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1276-1 for tomcat-native
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e0e46b3a by Markus Koschany at 2018-02-11T18:42:26+01:00 Reserve DLA-1276-1 for tomcat-native - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[11 Feb 2018] DLA-1276-1 tomcat-native - security update + {CVE-2017-15698} + [wheezy] - tomcat-native 1.1.24-1+deb7u1 [10 Feb 2018] DLA-1275-1 uwsgi - security update {CVE-2018-6758} [wheezy] - uwsgi 1.2.3+dfsg-5+deb7u2 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -66,5 +66,3 @@ pound (Markus Koschany) -- python-crypto (Brian May) -- -tomcat-native (Markus Koschany) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0e46b3a89f01a0e9ca98c257d72c87e30577873 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0e46b3a89f01a0e9ca98c257d72c87e30577873 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add leptonlib to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 90ff0d6f by Markus Koschany at 2018-02-10T23:19:51+01:00 Add leptonlib to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -32,6 +32,8 @@ lame (Hugo Lefeuvre) NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie. NOTE: I'll test it, submit the update for Jessie and backport the result to Wheezy on time. -- +leptonlib +-- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: It is unlikely that he will start again in the next weeks. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90ff0d6f43db0af5f8b609452780e54145268e12 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90ff0d6f43db0af5f8b609452780e54145268e12 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add audacity to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: db14a2de by Markus Koschany at 2018-02-10T22:52:13+01:00 Add audacity to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,6 +10,8 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +audacity +-- clamav (Thorsten Alteholz) -- dovecot (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db14a2debb9b47d69c6ef7e418ee953e7cbcd68d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db14a2debb9b47d69c6ef7e418ee953e7cbcd68d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2016-2541, audacity: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1091e88e by Markus Koschany at 2018-02-10T22:40:04+01:00 CVE-2016-2541,audacity: Wheezy is not affected This version builds against the system library of libmad. The embedded code copy was apparently removed. Not sure if Debian's system library is vulnerable or if this issue is already reported as one of the open CVEs against libmad. - - - - - 6dda1438 by Markus Koschany at 2018-02-10T22:51:17+01:00 Is CVE-2017-8373 and CVE-2017-8372 related to CVE-2016-2541? - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -44304,6 +44304,7 @@ CVE-2017-8373 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.1 NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_layer_iii-layer3-c/ NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it NOTE: "Duplicate with"/basically same as CVE-2017-8372 + NOTE: Is this related to CVE-2016-2541? CVE-2017-8372 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, ...) - libmad 0.15.1b-9 (bug #287519) NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/ 
@@ -91329,6 +91330,7 @@ CVE-2016-3171 (Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x b NOTE: http://www.openwall.com/lists/oss-security/2016/02/24/19 CVE-2016-2541 (Audacity before 2.1.2 allows remote attackers to cause a denial of ...) - audacity 2.1.2-1 + [wheezy] - audacity (vulnerable code not present) NOTE: http://wiki.audacityteam.org/wiki/Release_Notes_2.1.2 NOTE: https://github.com/audacity/audacity/commit/85026f98958a8dcc09188be24a8db0385988e23f CVE-2016-2540 (Audacity before 2.1.2 allows remote attackers to cause a denial of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/45070c03a838aa510e0aee109341015dd5b9a239...6dda1438a4e2a8bbea92cdea54f41e8b33064c79 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/45070c03a838aa510e0aee109341015dd5b9a239...6dda1438a4e2a8bbea92cdea54f41e8b33064c79 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
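Review bot: the commit message says it is unclear whether Debian's system libmad is vulnerable to the issue behind CVE-2016-2541, yet the second hunk closes the wheezy side with "vulnerable code not present", which removes it from the wheezy work queue without any pointer to where the issue might actually live. Add a NOTE under CVE-2016-2541 stating that wheezy's audacity builds against the system libmad and that the possible libmad counterpart is being looked at under CVE-2017-8372/CVE-2017-8373; the first hunk only adds the question on CVE-2017-8373, so the two entries currently do not reference each other.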
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1056, advancecomp: Add link to upstream bug ticket.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 45070c03 by Markus Koschany at 2018-02-10T22:18:16+01:00 CVE-2018-1056,advancecomp: Add link to upstream bug ticket. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15309,6 +15309,7 @@ CVE-2018-1057 CVE-2018-1056 [heap buffer overflow while running advzip] RESERVED - advancecomp (bug #889270) + NOTE: https://sourceforge.net/p/advancemame/bugs/259/ CVE-2018-1055 REJECTED CVE-2018-1054 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45070c03a838aa510e0aee109341015dd5b9a239 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45070c03a838aa510e0aee109341015dd5b9a239 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2016-10711, pound: Remove ignored tag for Wheezy
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f6fc29a8 by Markus Koschany at 2018-02-10T21:57:35+01:00 CVE-2016-10711,pound: Remove ignored tag for Wheezy - - - - - 496cd274 by Markus Koschany at 2018-02-10T21:58:27+01:00 Add pound to dla-needed.txt - - - - - 58201dd1 by Markus Koschany at 2018-02-10T21:59:43+01:00 Add more information for CVE-2016-10711 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1517,8 +1517,10 @@ CVE-2017-1000506 (Mautic version 2.11.0 and earlier contains a Cross Site Script NOT-FOR-US: Mautic CVE-2016-10711 (Apsis Pound before 2.8a allows request smuggling via crafted headers, a ...) - pound (bug #888786) - [wheezy] - pound (Minor issue) NOTE: http://www.apsis.ch/pound/pound_list/archive/2016/2016-10/1477235279000 + NOTE: https://www.suse.com/de-de/security/cve/CVE-2016-10711/ + NOTE: Fixed by https://build.opensuse.org/request/show/571084 + NOTE: Check for corresponding upstream commit CVE-2018-6375 RESERVED CVE-2018-6374 (The GUI component (aka PulseUI) in Pulse Secure Desktop Linux clients ...) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -58,6 +58,8 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- +pound (Markus Koschany) +-- python-crypto (Brian May) -- tomcat-native (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/59d19d0c8d63ec1790fdb1dbcd6874ea71253f7e...58201dd18568fe3bbdc3d4594d09b9855c00f48b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/59d19d0c8d63ec1790fdb1dbcd6874ea71253f7e...58201dd18568fe3bbdc3d4594d09b9855c00f48b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
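Review bot: the removed line is `[wheezy] - pound (Minor issue)`, the no-dsa form used elsewhere in this file, while the commit message calls it the "ignored tag"; the two states mean different things in the tracker, so the message misdescribes what was changed. Separately, "Check for corresponding upstream commit" is an open task recorded as a NOTE; a `TODO:` line, as used on other entries in this file, would distinguish it from the recorded facts around it.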
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1275-1 for uwsgi
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 59d19d0c by Markus Koschany at 2018-02-10T21:20:46+01:00 Reserve DLA-1275-1 for uwsgi - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[10 Feb 2018] DLA-1275-1 uwsgi - security update + {CVE-2018-6758} + [wheezy] - uwsgi 1.2.3+dfsg-5+deb7u2 [10 Feb 2018] DLA-1274-1 exim4 - security update {CVE-2018-6789} [wheezy] - exim4 4.80-7+deb7u6 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -62,5 +62,3 @@ python-crypto (Brian May) -- tomcat-native (Markus Koschany) -- -uwsgi (Markus Koschany) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59d19d0c8d63ec1790fdb1dbcd6874ea71253f7e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59d19d0c8d63ec1790fdb1dbcd6874ea71253f7e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-10689, puppet: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a6fea42 by Markus Koschany at 2018-02-09T23:59:23+01:00 CVE-2017-10689,puppet: Wheezy is not affected There is no support for minitar in this version. Vulnerable code not present. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37321,6 +37321,7 @@ CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the age TODO: check CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a ...) - puppet + [wheezy] - puppet (vulnerable code not present) NOTE: https://puppet.com/security/cve/CVE-2017-10689 NOTE: https://tickets.puppetlabs.com/browse/PUP-7866 NOTE: https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a6fea4241d795f7368f3ad60c8116abe52d0e53 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a6fea4241d795f7368f3ad60c8116abe52d0e53 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add exim4 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cb0a0347 by Markus Koschany at 2018-02-09T22:46:41+01:00 Add exim4 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -17,6 +17,10 @@ dovecot (Thorsten Alteholz) NOTE: maintainer and security team are looking into this NOTE: probably no-dsa -- +exim4 + NOTE: 20180209: Currently not known if Wheezy is affected. Check again in six + NOTE: days when the patch will be made public. +-- graphicsmagick (Roberto C. Sánchez) -- icu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb0a0347b22c4e7e9d408bc7542896ac7b2223ac --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb0a0347b22c4e7e9d408bc7542896ac7b2223ac You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
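Review bot: the NOTE says the patch will be made public in six days but does not name the CVE id or the advisory being waited on, so the entry cannot be matched against the CVE data once the embargo lifts; add the CVE id to the NOTE so the follow-up check lands on the right entry.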
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Add bug reference for libspring-java.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ea68d0fa by Markus Koschany at 2018-02-09T22:09:19+01:00 Add bug reference for libspring-java. - - - - - 34b4e68e by Markus Koschany at 2018-02-09T22:10:56+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -14772,7 +14772,7 @@ CVE-2018-1200 RESERVED CVE-2018-1199 [Security bypass with static resources] RESERVED - - libspring-java + - libspring-java (bug #890001) - libspring-security-java (bug #582181) NOTE: https://pivotal.io/security/cve-2018-1199 CVE-2018-1198 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e172e2c1cbae3122e74977d3f78581eb632b12c2...34b4e68e03016979145f4c6fdde8306e0d56e6ed --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e172e2c1cbae3122e74977d3f78581eb632b12c2...34b4e68e03016979145f4c6fdde8306e0d56e6ed You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6764, libvirt: Mark as no-dsa for Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c2ab85ff by Markus Koschany at 2018-02-09T21:41:34+01:00 CVE-2018-6764,libvirt: Mark as no-dsa for Wheezy. The affected hostname code is not present in Wheezy but there are similar functions like gethostname which might be vulnerable too. I assume the same as Salvatore in Debian bug 889839 and mark it as affected but not as important enough to fix. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -258,6 +258,7 @@ CVE-2018-6764 [guest could inject executable code via libnss_dns.so loaded by li - libvirt 4.0.0-2 (bug #889839) [stretch] - libvirt (Minor issue) [jessie] - libvirt (Minor issue) + [wheezy] - libvirt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1541444 NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=759b4d1b0fe5f4d84d98b99153dfa7ac289dd167 CVE-2018-6759 (The bfd_get_debug_link_info_1 function in opncls.c in the Binary File ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2ab85fff94cdfe5ac64e82c6dc72b880198ca3b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2ab85fff94cdfe5ac64e82c6dc72b880198ca3b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
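Review bot: the rationale in the commit message (the affected hostname code is absent in wheezy, but similar functions such as gethostname might still be reachable, hence marked affected but minor, following Salvatore's assessment in bug 889839) does not make it into the hunk, which only adds `[wheezy] - libvirt (Minor issue)`. Put that reasoning in a NOTE line under the entry so the next person looking at wheezy neither repeats the analysis nor concludes "code not present" and flips the tag.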
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6872, binutils: Mark as ignored for Wheezy. Minor issue.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 480b50cd by Markus Koschany at 2018-02-09T21:00:39+01:00 CVE-2018-6872,binutils: Mark as ignored for Wheezy. Minor issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2,6 +2,7 @@ CVE-2018-6872 (The elf_parse_notes function in elf.c in the Binary File Descript - binutils 2.30-4 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22788 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commit;h=ef135d4314fd4c2d7da66b9d7b59af4a85b0f7e6 CVE-2018-6871 (LibreOffice through 6.0.1 allows remote attackers to read arbitrary ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/480b50cd33af44fb40edaa32b18aa60cd2f98b59 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/480b50cd33af44fb40edaa32b18aa60cd2f98b59 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
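Review bot: The added line "[wheezy] - binutils (Minor issue)" shows no status tag between the package name and the reason, although the commit message says the issue is marked as ignored; the rendered hunk appears to have dropped the angle-bracket tag, so double-check that the committed line carries "<ignored>" rather than "<no-dsa>" (the jessie and stretch lines above it render the same way, so their tags cannot be compared here either).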
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1041, libjboss-remoting-java: Unimportant leaf package.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 377635d1 by Markus Koschany at 2018-02-08T23:12:57+01:00 CVE-2018-1041,libjboss-remoting-java: Unimportant leaf package. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15282,6 +15282,7 @@ CVE-2018-1042 (Moodle 3.x has Server Side Request Forgery in the filepicker. ... CVE-2018-1041 [High CPU Denial of Service] RESERVED - libjboss-remoting-java + [wheezy] - libjboss-remoting-java (unimportant leaf package) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1530457 CVE-2017-17380 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/377635d125847b5d2692b2d2633f7a925488128c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/377635d125847b5d2692b2d2633f7a925488128c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
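Review bot: The reason "(unimportant leaf package)" explains why no DLA will be issued, but the entry still has no fixed version on the unstable line ("- libjboss-remoting-java") and no annotation for jessie or stretch, so it stays open everywhere else; if the same reasoning applies to those suites, add matching "[jessie]" and "[stretch]" lines, otherwise a NOTE stating why only wheezy is annotated would avoid the entry being reopened by the next review.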
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6791, kde-runtime: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: d22440f3 by Markus Koschany at 2018-02-08T00:28:22+01:00 CVE-2018-6791,kde-runtime: Wheezy is not affected This version already uses the expandMacrosShellQuote function. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -76,6 +76,7 @@ CVE-2018-6792 (Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 a CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE ...) - plasma-workspace - kde-runtime + [wheezy] - kde-runtime (vulnerable code not present) NOTE: https://bugs.kde.org/show_bug.cgi?id=389815 NOTE: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57 (Plasma/5.12) NOTE: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212 (Plasma/5.8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d22440f3c24aa70cb992625a01a75a0e1c027fed --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d22440f3c24aa70cb992625a01a75a0e1c027fed You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
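Review bot: The new line records only the generic reason "(vulnerable code not present)", whereas the commit message holds the concrete evidence (the Wheezy version already uses expandMacrosShellQuote); put that detail into the parenthesised reason or a NOTE line so the not-affected claim can be re-verified against the kde-runtime source without consulting the git log.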
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1000035, unzip: Wheezy builds with fortified source.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 03f4cf05 by Markus Koschany at 2018-02-07T22:00:46+01:00 CVE-2018-135,unzip: Wheezy builds with fortified source. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -636,6 +636,7 @@ CVE-2018-135 [Heap-based buffer overflow in password protected ZIP archives] - unzip (bug #889838) [stretch] - unzip (Harmless crash, builds with fortified source) [jessie] - unzip (Harmless crash, builds with fortified source) + [wheezy] - unzip (Harmless crash, builds with fortified source) NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html CVE-2018-134 [Multiple vulnerabilities in the LZMA compression algorithm] RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03f4cf05eea1314a92155387bc722d6ce25daf9d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03f4cf05eea1314a92155387bc722d6ce25daf9d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
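Review bot: The CVE identifier is inconsistent: the mail subject says CVE-2018-1000035, while the commit message and the entry in the hunk use "CVE-2018-135"; confirm which identifier the SEC Consult advisory linked in the NOTE was actually assigned and rename the entry if needed, otherwise the wheezy annotation will sit on a record that does not match the published CVE.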
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Do not ignore CVE-2017-15698 and claim tomcat-native in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 327b8417 by Markus Koschany at 2018-02-07T21:42:27+01:00 Do not ignore CVE-2017-15698 and claim tomcat-native in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22066,7 +22066,6 @@ CVE-2017-15699 TODO: check, this is possibly specific to AMQ Interconnect as used by Red Hat JBoss, although based on Apache Qpid project CVE-2017-15698 (When parsing the AIA-Extension field of a client certificate, Apache ...) - tomcat-native 1.2.16-1 - [wheezy] - tomcat-native (Minor issue) NOTE: https://lists.apache.org/thread.html/6eb0a53e5827d97db1a05c736d01101fec21202a5b8fc77bb0eaaed8@%3Cannounce.tomcat.apache.org%3E NOTE: http://svn.apache.org/r1815200 NOTE: http://svn.apache.org/r1815218 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -70,5 +70,7 @@ python2.7 (Abhijith PA) -- simplesamlphp (Abhijith PA) -- +tomcat-native (Markus Koschany) +-- uwsgi (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/327b8417d07b7c82b6643ef94b277cbe86fd070b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/327b8417d07b7c82b6643ef94b277cbe86fd070b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
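Review bot: The data/CVE/list hunk deletes "[wheezy] - tomcat-native (Minor issue)" but neither hunk records why the issue was re-evaluated as worth fixing; add a NOTE under the new "tomcat-native (Markus Koschany)" entry in dla-needed.txt (or under the CVE) with the reason, since the deleted line leaves no trace in the tracker that the earlier minor-issue assessment was reversed.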
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2017-16612, wayland: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bd6ffbea by Markus Koschany at 2018-02-07T21:20:49+01:00 CVE-2017-16612,wayland: Wheezy is not affected - - - - - a4373032 by Markus Koschany at 2018-02-07T21:21:20+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -19470,6 +19470,7 @@ CVE-2017-16612 (libXcursor before 1.1.15 has various integer overflows that coul - wayland (bug #889681) [stretch] - wayland (Minor issue) [jessie] - wayland (Minor issue) + [wheezy] - wayland (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/11/28/6 NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d5f4533c9099f12a4156bc45314339a60f020b18...a43730321341a37d678b90076e01d8402b67b2c3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d5f4533c9099f12a4156bc45314339a60f020b18...a43730321341a37d678b90076e01d8402b67b2c3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
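Review bot: The entry's NOTE lines and the CVE description all refer to libXcursor, yet the tracked package is wayland, and the new "[wheezy] - wayland (vulnerable code not present)" line gives no pointer to which wayland source file corresponds to the affected libXcursor code; a NOTE naming the file checked for Wheezy would let the not-affected claim be re-verified and would also explain why jessie and stretch are "(Minor issue)" rather than unaffected.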
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add graphicsmagick to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 13055315 by Markus Koschany at 2018-02-07T16:06:48+01:00 Add graphicsmagick to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -17,6 +17,8 @@ dovecot (Thorsten Alteholz) NOTE: maintainer and security team are looking into this NOTE: probably no-dsa -- +graphicsmagick +-- icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/130553158b3f4c26e790138d5771eb0b2cfc7dd9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/130553158b3f4c26e790138d5771eb0b2cfc7dd9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
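Review bot: The new "graphicsmagick" entry is added without a claimant and without a NOTE, unlike the neighbouring dovecot and icu entries; at least a NOTE listing which open CVEs prompted the addition, and whether the maintainer has been contacted, would make it actionable for whoever picks it up.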
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6759, binutils: Ignored in Wheezy. Minor issue.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b55d397e by Markus Koschany at 2018-02-07T16:08:22+01:00 CVE-2018-6759,binutils: Ignored in Wheezy. Minor issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -109,6 +109,7 @@ CVE-2018-6759 (The bfd_get_debug_link_info_1 function in opncls.c in the Binary - binutils [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22794 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=64e234d417d5685a4aec0edc618114d9991c031b CVE-2018-6757 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b55d397e512e74dd13b3be9a6f8e7b786f38b5c3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b55d397e512e74dd13b3be9a6f8e7b786f38b5c3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
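Review bot: The unstable line "- binutils" in this hunk has no fixed version while jessie, stretch and now wheezy are all annotated as minor issues; if the upstream commit linked in the second NOTE has not yet reached a Debian upload, record that in a NOTE so the entry does not look like an oversight next to CVE-2018-6872, where the unstable line carries "2.30-4".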
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Claim uwsgi in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 787098d2 by Markus Koschany at 2018-02-07T15:33:14+01:00 Claim uwsgi in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -68,3 +68,5 @@ python2.7 (Abhijith PA) -- simplesamlphp (Abhijith PA) -- +uwsgi (Markus Koschany) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/787098d2e2170570b22444e9bda2ff65261b24cb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/787098d2e2170570b22444e9bda2ff65261b24cb You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: libmad: Kurt Roeckx will take care of it
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a4c55c3 by Markus Koschany at 2018-01-30T22:16:54+01:00 libmad: Kurt Roeckx will take care of it - - - - - 5ce9e38f by Markus Koschany at 2018-01-30T22:17:39+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -36,7 +36,7 @@ libav (Hugo Lefeuvre) NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: Help is welcome, feel free to mail Hugo. -- -libmad +libmad (Kurt Roeckx) -- libreoffice (Emilio Pozuelo) NOTE: regression update, see: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6e8db41bd1ec3d90af3a5848fdb5aed3ab4f6e6b...5ce9e38fe28ef03af45b311a080bd1ee3e9fb9c3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6e8db41bd1ec3d90af3a5848fdb5aed3ab4f6e6b...5ce9e38fe28ef03af45b311a080bd1ee3e9fb9c3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits