[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] chromium not-affected by VP9 issues
Michael Gilbert pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c868a63 by Michael Gilbert at 2018-02-11T03:43:35+00:00 chromium not-affected by VP9 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -944,10 +944,7 @@ CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vuln CVE-2018-6549 RESERVED CVE-2018-6548 (A use-after-free issue was discovered in libwebm through 2018-02-02. If ...) - - chromium-browser - [stretch] - chromium-browser (Wait until this lands in a Chromium release) - [jessie] - chromium-browser (End of life, see DSA 4020) - [wheezy] - chromium-browser (Not supported in wheezy LTS) + - chromium-browser (chromium is built with support for VP9 disabled in debian) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1493 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info/libwebm%20Vp9HeaderParser%20UAF%20by%20PrintVP9Info.md CVE-2018-6547 
@@ -1380,10 +1377,7 @@ CVE-2018-6408 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 CVE-2018-6407 (An issue was discovered on Conceptronic CIPCAMPTIWL V3 0.61.30.21 ...) NOT-FOR-US: CIPCAMPTIWL devices CVE-2018-6406 (The function ParseVP9SuperFrameIndex in common/libwebm_util.cc in ...) - - chromium-browser - [stretch] - chromium-browser (Wait until this lands in a Chromium release) - [jessie] - chromium-browser (End of life, see DSA 4020) - [wheezy] - chromium-browser (Not supported in wheezy LTS) + - chromium-browser (chromium is built with support for VP9 disabled in debian) NOTE: https://bugs.chromium.org/p/webm/issues/detail?id=1492 NOTE: https://github.com/dwfault/PoCs/blob/master/libwebm%20ParseVP9SuperFrameIndex%20memory%20corruption/libwebm%20ParseVP9SuperFrameIndex%20OOB%20read.md CVE-2018-6405 (In the ReadDCMImage function in coders/dcm.c in ImageMagick before ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c868a631dc8768eab552ca5010afe9bb5638dd5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c868a631dc8768eab552ca5010afe9bb5638dd5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
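Review bot: in both hunks (CVE-2018-6548 and CVE-2018-6406) the new line justifies the not-affected status with an unreferenced build claim, "chromium is built with support for VP9 disabled in debian"; add a NOTE naming the build option or changelog entry that disables VP9 so a later triager can re-check the claim when the packaging changes. Dropping the release-specific lines also extends the not-affected status to stretch, whose old line ("Wait until this lands in a Chromium release") treated it as affected; that is only right if the stretch build disables VP9 the same way.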
[Secure-testing-commits] r58487 - in data: . DSA
Author: mgilbert Date: 2017-12-12 11:14:40 + (Tue, 12 Dec 2017) New Revision: 58487 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2017-12-12 10:18:26 UTC (rev 58486) +++ data/DSA/list 2017-12-12 11:14:40 UTC (rev 58487) @@ -1,3 +1,6 @@ +[12 Dec 2017] DSA-4064-1 chromium-browser - security update + {CVE-2017-15407 CVE-2017-15408 CVE-2017-15409 CVE-2017-15410 CVE-2017-15411 CVE-2017-15413 CVE-2017-15415 CVE-2017-15416 CVE-2017-15417 CVE-2017-15418 CVE-2017-15419 CVE-2017-15420 CVE-2017-15423 CVE-2017-15424 CVE-2017-15425 CVE-2017-15426 CVE-2017-15427} + [stretch] - chromium-browser 63.0.3239.84-1~deb9u1 [11 Dec 2017] DSA-4063-1 pdns-recursor - security update {CVE-2017-15120} [stretch] - pdns-recursor 4.0.4-1+deb9u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-12-12 10:18:26 UTC (rev 58486) +++ data/dsa-needed.txt 2017-12-12 11:14:40 UTC (rev 58487) @@ -16,8 +16,6 @@ -- asterisk -- -chromium-browser --- graphicsmagick -- libav/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57450 - data/DSA
Author: mgilbert Date: 2017-11-08 12:12:17 + (Wed, 08 Nov 2017) New Revision: 57450 Modified: data/DSA/list Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2017-11-08 10:34:40 UTC (rev 57449) +++ data/DSA/list 2017-11-08 12:12:17 UTC (rev 57450) @@ -1,3 +1,6 @@ +[08 Nov 2017] DSA-4024-1 chromium-browser - security update + {CVE-2017-15398 CVE-2017-15399} + [stretch] - chromium-browser 62.0.3202.89-1~deb9u1 [07 Nov 2017] DSA-4023-1 slurm-llnl - security update {CVE-2017-15566} [stretch] - slurm-llnl 16.05.9-1+deb9u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r57428 - data/CVE
Author: mgilbert Date: 2017-11-08 01:46:06 + (Wed, 08 Nov 2017) New Revision: 57428 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2017-11-08 00:15:45 UTC (rev 57427) +++ data/CVE/list 2017-11-08 01:46:06 UTC (rev 57428) @@ -17,9 +17,9 @@ CVE-2017-16637 (In Vectura Perfect Privacy VPN Manager v1.10.10 and v1.10.11, when ...) NOT-FOR-US: Vectura Perfect Privacy VPN Manager CVE-2017-16636 (In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the new ...) - TODO: check + NOT-FOR-US: Bludit CVE-2017-16635 (In TinyWebGallery v2.4, an XSS vulnerability is located in the ...) - TODO: check + NOT-FOR-US: TinyWebGallery CVE-2017-16634 RESERVED CVE-2017-16633 @@ -7342,7 +7342,7 @@ CVE-2017-14017 (An Uncontrolled Search Path Element issue was discovered in Progea ...) NOT-FOR-US: Progea Movicon CVE-2017-14016 (A Stack-based Buffer Overflow issue was discovered in Advantech ...) - TODO: check + NOT-FOR-US: Advantech CVE-2017-14015 RESERVED CVE-2017-14014 @@ -11185,7 +11185,7 @@ CVE-2017-12720 RESERVED CVE-2017-12719 (An Untrusted Pointer Dereference issue was discovered in Advantech ...) - TODO: check + NOT-FOR-US: Advantech CVE-2017-12718 RESERVED CVE-2017-12717 (An Uncontrolled Search Path Element issue was discovered in Advantech ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
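Review bot: the two Advantech hunks (CVE-2017-14016 and CVE-2017-12719) label the entries with the vendor only, "NOT-FOR-US: Advantech", while the surrounding entries name the product ("NOT-FOR-US: Progea Movicon", "NOT-FOR-US: Vectura Perfect Privacy VPN Manager"); name the affected product where the CVE description gives it, since a vendor-only label does not help when the same vendor later ships something Debian packages.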
[Secure-testing-commits] r57389 - data/CVE
Author: mgilbert Date: 2017-11-07 02:36:56 + (Tue, 07 Nov 2017) New Revision: 57389 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2017-11-06 22:07:48 UTC (rev 57388) +++ data/CVE/list 2017-11-07 02:36:56 UTC (rev 57389) @@ -133,11 +133,11 @@ CVE-2017-16566 RESERVED CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage ...) - TODO: check + NOT-FOR-US: Vonage CVE-2017-16564 (Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on ...) - TODO: check + NOT-FOR-US: Vonage CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen on ...) - TODO: check + NOT-FOR-US: Vonage CVE-2017-16562 RESERVED CVE-2017-16561 @@ -1417,7 +1417,7 @@ CVE-2017-16002 RESERVED CVE-2017-16001 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) - TODO: check + NOT-FOR-US: VMware CVE-2017-16000 (SQL injection vulnerability in the EyesOfNetwork web interface (aka ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15999 (In the "NQ Contacts Backup & Restore" application 1.1 for Android, no ...) @@ -15392,7 +15392,7 @@ CVE-2017-11178 (In FineCMS through 2017-07-11, application/core/controller/style.php ...) NOT-FOR-US: FineCMS CVE-2017-11177 (TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict file ...) - TODO: check + NOT-FOR-US: TRITON CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does not set ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 
@@ -15757,11 +15757,11 @@ CVE-2017-11123 RESERVED CVE-2017-11122 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2017-11121 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2017-11120 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, ...) - TODO: check + NOT-FOR-US: Broadcom CVE-2017-9 (The chk_mem_access function in cpu/nes6502/nes6502.c in libnosefart.a ...) - xine-lib-1.2 (it is built with --disable-nosefart) - xine-lib (it is built with --disable-nosefart) @@ -26909,7 +26909,7 @@ CVE-2017-7426 RESERVED CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager ...) - TODO: check + NOT-FOR-US: NetIQ CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro Focus ...) NOT-FOR-US: Micro Focus CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in esfadmingui in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
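Review bot: the CVE-2017-16001 hunk labels the entry "NOT-FOR-US: VMware", but the description says the issue is in the HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion), so the label attributes it to the wrong vendor; use something like "NOT-FOR-US: HashiCorp vagrant-vmware-fusion plugin" so the entry is not mistaken for a VMware product issue on a later sweep.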
[Secure-testing-commits] r57354 - in data: . CVE DSA
Author: mgilbert Date: 2017-11-05 21:57:41 + (Sun, 05 Nov 2017) New Revision: 57354 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/CVE/list === --- data/CVE/list 2017-11-05 21:45:13 UTC (rev 57353) +++ data/CVE/list 2017-11-05 21:57:41 UTC (rev 57354) @@ -34344,8 +34344,7 @@ CVE-2017-5130 RESERVED - libxml2 (bug #88) - - chromium-browser 62.0.3202.75-1 - [wheezy] - chromium-browser (Not supported in Wheezy) + - chromium-browser (uses system libxml2) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=722079 (not public) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783026 (not public) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed Modified: data/DSA/list === --- data/DSA/list 2017-11-05 21:45:13 UTC (rev 57353) +++ data/DSA/list 2017-11-05 21:57:41 UTC (rev 57354) @@ -1,3 +1,6 @@ +[05 Nov 2017] DSA-4020-1 chromium-browser - security update + {CVE-2017-5124 CVE-2017-5125 CVE-2017-5126 CVE-2017-5127 CVE-2017-5128 CVE-2017-5129 CVE-2017-5131 CVE-2017-5132 CVE-2017-5133 CVE-2017-15386 CVE-2017-15387 CVE-2017-15388 CVE-2017-15389 CVE-2017-15390 CVE-2017-15391 CVE-2017-15392 CVE-2017-15393 CVE-2017-15394 CVE-2017-15395 CVE-2017-15396} + [stretch] - chromium-browser 62.0.3202.75-1~deb9u1 [05 Nov 2017] DSA-4019-1 imagemagick - security update {CVE-2017-9500 CVE-2017-11446 CVE-2017-11523 CVE-2017-11533 CVE-2017-11535 CVE-2017-11537 CVE-2017-11639 CVE-2017-11640 CVE-2017-12428 CVE-2017-12431 CVE-2017-12432 CVE-2017-12434 CVE-2017-12587 CVE-2017-12640 CVE-2017-12671 CVE-2017-13139 CVE-2017-13140 CVE-2017-13141 CVE-2017-13142 CVE-2017-13143 CVE-2017-13144 CVE-2017-13145} [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-11-05 21:45:13 UTC (rev 57353) +++ data/dsa-needed.txt 2017-11-05 21:57:41 UTC (rev 57354) 
@@ -14,8 +14,6 @@ -- 389-ds-base (fw) -- -chromium-browser --- graphicsmagick -- jackson-databind ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
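Review bot: the CVE-2017-5130 hunk in data/CVE/list is not covered by the log message "chromium dsa": it replaces the recorded fixed version "- chromium-browser 62.0.3202.75-1" and the wheezy line with an unversioned "- chromium-browser (uses system libxml2)". Either split it into its own commit or mention it in the log, and add a NOTE stating from which chromium version the package links the system libxml2, otherwise the claim cannot be re-verified later.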
[Secure-testing-commits] r56222 - in data: . DSA
Author: mgilbert Date: 2017-09-28 12:40:46 + (Thu, 28 Sep 2017) New Revision: 56222 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2017-09-28 12:00:34 UTC (rev 56221) +++ data/DSA/list 2017-09-28 12:40:46 UTC (rev 56222) @@ -1,3 +1,6 @@ +[28 Sep 2017] DSA-3985-1 chromium-browser - security update + {CVE-2017-5111 CVE-2017-5112 CVE-2017-5113 CVE-2017-5114 CVE-2017-5115 CVE-2017-5116 CVE-2017-5117 CVE-2017-5118 CVE-2017-5119 CVE-2017-5120 CVE-2017-5121 CVE-2017-5122} + [stretch] - chromium-browser 61.0.3163.100-1~deb9u1 [26 Sep 2017] DSA-3984-1 git - security update [jessie] - git 1:2.1.4-2.1+deb8u5 [stretch] - git 1:2.11.0-3+deb9u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-09-28 12:00:34 UTC (rev 56221) +++ data/dsa-needed.txt 2017-09-28 12:40:46 UTC (rev 56222) @@ -17,8 +17,6 @@ asterisk Maintainer proposed update, needs review and ack for upload -- -chromium-browser --- curl (ghedo) -- ghostscript (carnil) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49702 - in data: . DSA
Author: mgilbert Date: 2017-03-15 12:17:38 + (Wed, 15 Mar 2017) New Revision: 49702 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2017-03-15 09:10:13 UTC (rev 49701) +++ data/DSA/list 2017-03-15 12:17:38 UTC (rev 49702) @@ -1,3 +1,6 @@ +[15 Mar 2017] DSA-3810-1 chromium-browser - security update + {CVE-2017-5029 CVE-2017-5030 CVE-2017-5031 CVE-2017-5032 CVE-2017-5033 CVE-2017-5034 CVE-2017-5035 CVE-2017-5036 CVE-2017-5037 CVE-2017-5038 CVE-2017-5039 CVE-2017-5040 CVE-2017-5041 CVE-2017-5042 CVE-2017-5043 CVE-2017-5044 CVE-2017-5045 CVE-2017-5046} + [jessie] - chromium-browser 57.0.2987.98-1~deb8u1 [14 Mar 2017] DSA-3809-1 mariadb-10.0 - security update {CVE-2017-3302 CVE-2017-3313} [jessie] - mariadb-10.0 10.0.30-0+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-03-15 09:10:13 UTC (rev 49701) +++ data/dsa-needed.txt 2017-03-15 12:17:38 UTC (rev 49702) @@ -16,8 +16,6 @@ -- 389-ds-base (fw) -- -chromium-browser --- graphicsmagick -- icedove ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49228 - data/CVE
Author: mgilbert Date: 2017-02-26 04:41:10 + (Sun, 26 Feb 2017) New Revision: 49228 Modified: data/CVE/list Log: stretch no-dsa for policykit, busybox issues Modified: data/CVE/list === --- data/CVE/list 2017-02-26 04:18:42 UTC (rev 49227) +++ data/CVE/list 2017-02-26 04:41:10 UTC (rev 49228) @@ -38441,6 +38441,7 @@ NOTE: Upstream confirmed it does not affect squid 2.7.x CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...) - policykit-1 (bug #816062; bug #812512) + [stretch] - policykit-1 (Minor issue) [jessie] - policykit-1 (Minor issue) [wheezy] - policykit-1 (Minor issue) NOTE: Restricting ioctl on the kernel side seems the better approach @@ -40064,11 +40065,13 @@ NOT-FOR-US: OpenShift CVE-2016-2148 (Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox ...) - busybox (bug #818497) + [stretch] - busybox (Minor issue) [jessie] - busybox (Minor issue) [wheezy] - busybox (Minor issue) NOTE: https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2 CVE-2016-2147 (Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 ...) - busybox (bug #818499) + [stretch] - busybox (Minor issue) [jessie] - busybox (Minor issue) [wheezy] - busybox (Minor issue) NOTE: https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87 @@ -49087,6 +49090,7 @@ NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c CVE-2015- [busybox: pointer misuse unziping files] - busybox (bug #803097) + [stretch] - busybox (Minor issue) [jessie] - busybox (Minor issue) [wheezy] - busybox (Minor issue) [squeeze] - busybox 1:1.17.1-8+deb6u11 
@@ -56146,6 +56150,7 @@ CVE-2011-5325 [Directory traversal via crafted tar file which contains a symlink pointing outside of the current directory] RESERVED - busybox (bug #802702) + [stretch] - busybox (Minor issue) [jessie] - busybox (Minor issue) [wheezy] - busybox (Minor issue) [squeeze] - busybox (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49226 - in data: . CVE DSA
Author: mgilbert Date: 2017-02-26 02:15:40 + (Sun, 26 Feb 2017) New Revision: 49226 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: bind dsa Modified: data/CVE/list === --- data/CVE/list 2017-02-26 00:58:23 UTC (rev 49225) +++ data/CVE/list 2017-02-26 02:15:40 UTC (rev 49226) @@ -27138,6 +27138,7 @@ NOTE: https://gitlab.labs.nic.cz/labs/knot/issues/464 CVE-2016-6170 (ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x ...) - bind9 (bug #830810) + [stretch] - bind9 (Minor issue) [jessie] - bind9 (Minor issue) [wheezy] - bind9 (Minor issue) NOTE: Fixed by https://github.com/sischkg/xfer-limit/blob/master/bind-9.10.3-xfer-limit-0.0.1.patch Modified: data/DSA/list === --- data/DSA/list 2017-02-26 00:58:23 UTC (rev 49225) +++ data/DSA/list 2017-02-26 02:15:40 UTC (rev 49226) @@ -1,3 +1,6 @@ +[26 Feb 2017] DSA-3795-1 bind9 - security update + {CVE-2017-3135} + [jessie] - bind9 1:9.9.5.dfsg-9+deb8u10 [25 Feb 2017] DSA-3794-1 munin - security update {CVE-2017-6188} [jessie] - munin 2.0.25-1+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-02-26 00:58:23 UTC (rev 49225) +++ data/dsa-needed.txt 2017-02-26 02:15:40 UTC (rev 49226) @@ -18,10 +18,6 @@ sf is working on an update, but needs extra testing due to invasive changes upload ack'ed -- -bind9 - carnil: prepared tentative update, sent to mgilbert and team - Testpackages: https://people.debian.org/~carnil/tmp/bind9/ --- graphicsmagick -- icedove ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49065 - data/CVE
Author: mgilbert Date: 2017-02-20 01:11:59 + (Mon, 20 Feb 2017) New Revision: 49065 Modified: data/CVE/list Log: bind fixed Modified: data/CVE/list === --- data/CVE/list 2017-02-19 21:10:12 UTC (rev 49064) +++ data/CVE/list 2017-02-20 01:11:59 UTC (rev 49065) @@ -8271,7 +8271,7 @@ RESERVED CVE-2017-3135 [Assertion failure when using DNS64 and RPZ can lead to crash] RESERVED - - bind9 (bug #855520) + - bind9 1:9.10.3.dfsg.P4-12 (bug #855520) NOTE: https://kb.isc.org/article/AA-01453 NOTE: Fixed by https://bugzilla.redhat.com/attachment.cgi?id=1248550 (diff between bind-9.9.9-P5 and bind-9.9.9-P6) CVE-2017-3134 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48728 - data/CVE
Author: mgilbert Date: 2017-02-05 21:37:52 + (Sun, 05 Feb 2017) New Revision: 48728 Modified: data/CVE/list Log: new irssi issues, one also present in jessie Modified: data/CVE/list === --- data/CVE/list 2017-02-05 21:28:56 UTC (rev 48727) +++ data/CVE/list 2017-02-05 21:37:52 UTC (rev 48728) @@ -1,3 +1,10 @@ +CVE-2017- [irssi memory leak] + - irssi + [jessie] - irssi (support for sasl not present) + NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/8 +CVE-2017- [irssi missing null terminator] + - irssi + NOTE: http://www.openwall.com/lists/oss-security/2017/02/05/8 CVE-2016-10206 - zoneminder (bug #854272) [jessie] - zoneminder (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
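Review bot: both new irssi entries carry neither a Debian bug reference nor a fixed version, unlike the neighbouring "- zoneminder (bug #854272)" line; file or reference the bug so the unstable side can be tracked to a fixed upload, and consider a short NOTE on why the first issue does not apply to jessie beyond "support for sasl not present" (for example the upstream version that introduced SASL), since that is what a later triager will need to confirm.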
[Secure-testing-commits] r48583 - data/CVE
Author: mgilbert Date: 2017-01-31 01:27:58 + (Tue, 31 Jan 2017) New Revision: 48583 Modified: data/CVE/list Log: chromium linked to ffmpeg Modified: data/CVE/list === --- data/CVE/list 2017-01-31 01:17:35 UTC (rev 48582) +++ data/CVE/list 2017-01-31 01:27:58 UTC (rev 48583) @@ -2076,12 +2076,12 @@ [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5025 RESERVED - - chromium-browser + - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg CVE-2017-5024 RESERVED - - chromium-browser + - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg CVE-2017-5023 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
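Review bot: the hunk marks chromium-browser fixed at 44.0.2403.157-1 for CVE-2017-5025 and CVE-2017-5024 on the grounds that it links the system ffmpeg, but the "- ffmpeg" line under each entry still carries no version, bug reference or NOTE, so the issue remains open on the ffmpeg side with nothing to act on; record the ffmpeg version that carries the fix, or add a NOTE with the upstream reference, in the same change.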
[Secure-testing-commits] r48582 - data/DSA
Author: mgilbert Date: 2017-01-31 01:17:35 + (Tue, 31 Jan 2017) New Revision: 48582 Modified: data/DSA/list Log: add missing chromium cve Modified: data/DSA/list === --- data/DSA/list 2017-01-31 00:56:47 UTC (rev 48581) +++ data/DSA/list 2017-01-31 01:17:35 UTC (rev 48582) @@ -1,5 +1,5 @@ [31 Jan 2017] DSA-3776-1 chromium-browser - security update - {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026} + {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 CVE-2017-5011 CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026} [jessie] - chromium-browser 56.0.2924.76-1~deb8u1 [29 Jan 2017] DSA-3775-1 tcpdump - security update {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48581 - in data: . DSA
Author: mgilbert Date: 2017-01-31 00:56:47 + (Tue, 31 Jan 2017) New Revision: 48581 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2017-01-30 23:55:28 UTC (rev 48580) +++ data/DSA/list 2017-01-31 00:56:47 UTC (rev 48581) @@ -1,3 +1,6 @@ +[31 Jan 2017] DSA-3776-1 chromium-browser - security update + {CVE-2017-5006 CVE-2017-5007 CVE-2017-5008 CVE-2017-5009 CVE-2017-5010 CVE-2017-5012 CVE-2017-5013 CVE-2017-5014 CVE-2017-5015 CVE-2017-5016 CVE-2017-5017 CVE-2017-5018 CVE-2017-5019 CVE-2017-5020 CVE-2017-5021 CVE-2017-5022 CVE-2017-5023 CVE-2017-5024 CVE-2017-5025 CVE-2017-5026} + [jessie] - chromium-browser 56.0.2924.76-1~deb8u1 [29 Jan 2017] DSA-3775-1 tcpdump - security update {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486} [jessie] - tcpdump 4.9.0-1~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2017-01-30 23:55:28 UTC (rev 48580) +++ data/dsa-needed.txt 2017-01-31 00:56:47 UTC (rev 48581) @@ -21,8 +21,6 @@ John Lightsey from cPanel provided patches for 4 vulnerabilities. CVEs asked on oss-sec. -- -chromium-browser --- graphicsmagick -- icedove ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48268 - data/CVE
Author: mgilbert Date: 2017-01-22 06:55:59 + (Sun, 22 Jan 2017) New Revision: 48268 Modified: data/CVE/list Log: bind issue not fixed in experimental Modified: data/CVE/list === --- data/CVE/list 2017-01-21 21:10:12 UTC (rev 48267) +++ data/CVE/list 2017-01-22 06:55:59 UTC (rev 48268) @@ -24551,7 +24551,6 @@ NOTE: https://gitlab.labs.nic.cz/labs/knot/merge_requests/541 NOTE: https://gitlab.labs.nic.cz/labs/knot/issues/464 CVE-2016-6170 (ISC BIND through 9.9.9-P1, 9.10.x through 9.10.4-P1, and 9.11.x ...) - [experimental] - bind9 1:9.10.4-P5-1 - bind9 (bug #830810) [jessie] - bind9 (Minor issue) [wheezy] - bind9 (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47660 - data
Author: mgilbert Date: 2017-01-02 00:46:13 + (Mon, 02 Jan 2017) New Revision: 47660 Modified: data/embedded-code-copies Log: qtwebengine embeds chromium (its third party too) Modified: data/embedded-code-copies === --- data/embedded-code-copies 2017-01-01 23:56:04 UTC (rev 47659) +++ data/embedded-code-copies 2017-01-02 00:46:13 UTC (rev 47660) @@ -3232,3 +3232,6 @@ glm - warzone2100 (embed) + +chromium-browser + - qtwebengine-opensource-src ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
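Review bot: the new "- qtwebengine-opensource-src" line has no annotation, while the neighbouring "- warzone2100 (embed)" line in the same hunk follows the file's convention of an embed/fork marker plus a version or bug reference where known; add "(embed)" and the bug number. The log also says qtwebengine embeds chromium's third-party libraries too, but the hunk only records it under chromium-browser; those libraries should be listed under their own upstream headings, otherwise a reader of, say, the ffmpeg or libxml2 section will not learn that qtwebengine carries a copy.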
[Secure-testing-commits] r46977 - in data: . CVE DSA
Author: mgilbert Date: 2016-12-11 20:53:33 + (Sun, 11 Dec 2016) New Revision: 46977 Modified: data/CVE/list data/DSA/list data/embedded-code-copies Log: clarify chromium ffmpeg issue (package in unstable now uses system ffmpeg) Modified: data/CVE/list === --- data/CVE/list 2016-12-11 20:53:15 UTC (rev 46976) +++ data/CVE/list 2016-12-11 20:53:33 UTC (rev 46977) @@ -22901,7 +22901,7 @@ NOTE: libv8 not covered by security support CVE-2016-5199 [heap corruption in ffmpeg] RESERVED - - chromium-browser + - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg 7:3.2-1 - libav Modified: data/DSA/list === --- data/DSA/list 2016-12-11 20:53:15 UTC (rev 46976) +++ data/DSA/list 2016-12-11 20:53:33 UTC (rev 46977) 
@@ -1,5 +1,5 @@ [11 Dec 2016] DSA-3731-1 chromium-browser - security update - {CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184 CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188 CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192 CVE-2016-5193 CVE-2016-5194 CVE-2016-5198 CVE-2016-5200 CVE-2016-5201 CVE-2016-5202 CVE-2016-5203 CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207 CVE-2016-5208 CVE-2016-5209 CVE-2016-5210 CVE-2016-5211 CVE-2016-5212 CVE-2016-5213 CVE-2016-5214 CVE-2016-5215 CVE-2016-5216 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219 CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223 CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650 CVE-2016-9651 CVE-2016-9652} + {CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184 CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188 CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192 CVE-2016-5193 CVE-2016-5194 CVE-2016-5198 CVE-2016-5199 CVE-2016-5200 CVE-2016-5201 CVE-2016-5202 CVE-2016-5203 CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207 CVE-2016-5208 CVE-2016-5209 CVE-2016-5210 CVE-2016-5211 CVE-2016-5212 CVE-2016-5213 CVE-2016-5214 CVE-2016-5215 CVE-2016-5216 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219 CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223 CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650 CVE-2016-9651 CVE-2016-9652} [jessie] - chromium-browser 55.0.2883.75-1~deb8u1 [11 Dec 2016] DSA-3730-1 icedove - security update {CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297 CVE-2016-9066 CVE-2016-9074 CVE-2016-9079} Modified: data/embedded-code-copies === --- data/embedded-code-copies 2016-12-11 20:53:15 UTC (rev 46976) +++ data/embedded-code-copies 2016-12-11 20:53:33 UTC (rev 46977) 
@@ -373,7 +373,7 @@ TODO: gimp-gap (potentially using ffmpeg code as well) - avifile 1:0.7.48~20090503.ds-1 (embed; bug #538750) - audacity 1.3.7-2 (embed; bug #512278) - - chromium-browser (fork; bug #763632) + - chromium-browser 44.0.2403.157-1 (fork; bug #763632) - libav faad2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
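Review bot: the DSA hunk adds CVE-2016-5199 to the already published DSA-3731-1, but the log only explains the unstable side (chromium uses the system ffmpeg since 44.0.2403.157-1) and not why jessie's 55.0.2883.75-1~deb8u1 fixes the ffmpeg heap corruption; add a NOTE or a log line with that reasoning. The "- libav" line in the CVE-2016-5199 entry also stays unversioned, so the libav side remains open.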
[Secure-testing-commits] r46976 - in data: . DSA
Author: mgilbert Date: 2016-12-11 20:53:15 + (Sun, 11 Dec 2016) New Revision: 46976 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-12-11 19:21:31 UTC (rev 46975) +++ data/DSA/list 2016-12-11 20:53:15 UTC (rev 46976) @@ -1,3 +1,6 @@ +[11 Dec 2016] DSA-3731-1 chromium-browser - security update + {CVE-2016-5181 CVE-2016-5182 CVE-2016-5183 CVE-2016-5184 CVE-2016-5185 CVE-2016-5186 CVE-2016-5187 CVE-2016-5188 CVE-2016-5189 CVE-2016-5190 CVE-2016-5191 CVE-2016-5192 CVE-2016-5193 CVE-2016-5194 CVE-2016-5198 CVE-2016-5200 CVE-2016-5201 CVE-2016-5202 CVE-2016-5203 CVE-2016-5204 CVE-2016-5205 CVE-2016-5206 CVE-2016-5207 CVE-2016-5208 CVE-2016-5209 CVE-2016-5210 CVE-2016-5211 CVE-2016-5212 CVE-2016-5213 CVE-2016-5214 CVE-2016-5215 CVE-2016-5216 CVE-2016-5217 CVE-2016-5218 CVE-2016-5219 CVE-2016-5220 CVE-2016-5221 CVE-2016-5222 CVE-2016-5223 CVE-2016-5224 CVE-2016-5225 CVE-2016-5226 CVE-2016-9650 CVE-2016-9651 CVE-2016-9652} + [jessie] - chromium-browser 55.0.2883.75-1~deb8u1 [11 Dec 2016] DSA-3730-1 icedove - security update {CVE-2016-5290 CVE-2016-5291 CVE-2016-5296 CVE-2016-5297 CVE-2016-9066 CVE-2016-9074 CVE-2016-9079} [jessie] - icedove 1:45.5.1-1~deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-12-11 19:21:31 UTC (rev 46975) +++ data/dsa-needed.txt 2016-12-11 20:53:15 UTC (rev 46976) @@ -14,8 +14,6 @@ -- 389-ds-base (fw) -- -chromium-browser --- graphicsmagick (luciano) -- jasper (jmm) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46296 - data/CVE
Author: mgilbert Date: 2016-11-18 02:22:54 + (Fri, 18 Nov 2016) New Revision: 46296 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-11-18 02:22:36 UTC (rev 46295) +++ data/CVE/list 2016-11-18 02:22:54 UTC (rev 46296) @@ -8125,7 +8125,7 @@ CVE-2016-6653 (The MariaDB audit_plugin component in Pivotal Cloud Foundry (PCF) ...) TODO: check CVE-2016-6652 (SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 ...) - TODO: check + NOT-FOR-US: Pivotal Spring Data CVE-2016-6651 (The UAA /oauth/token endpoint in Pivotal Cloud Foundry (PCF) before ...) NOT-FOR-US: Pivotal CVE-2016-6650 @@ -8137,9 +8137,9 @@ CVE-2016-6647 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 4.0.1 ...) NOT-FOR-US: EMC CVE-2016-6646 (The vApp Managers web application in EMC Unisphere for VMAX Virtual ...) - TODO: check + NOT-FOR-US: VMAX CVE-2016-6645 (The vApp Managers web application in EMC Unisphere for VMAX Virtual ...) - TODO: check + NOT-FOR-US: VMAX CVE-2016-6644 (EMC Documentum D2 4.5 before patch 15 and 4.6 before patch 03 allows ...) NOT-FOR-US: EMC CVE-2016-6643 (Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 ...) @@ -8151,7 +8151,7 @@ CVE-2016-6640 RESERVED CVE-2016-6639 (Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP ...) - TODO: check + NOT-FOR-US: Pivotal CVE-2016-6638 RESERVED CVE-2016-6637 (Multiple cross-site request forgery (CSRF) vulnerabilities in Pivotal ...) @@ -8732,7 +8732,7 @@ CVE-2016-6551 RESERVED CVE-2016-6550 (The U by BB&T app 1.5.4 and earlier for iOS does not properly verify ...) - TODO: check + NOT-FOR-US: BB&T CVE-2016-6549 RESERVED CVE-2016-6548 
@@ -9066,43 +9066,43 @@ CVE-2016-6456 RESERVED CVE-2016-6455 (A vulnerability in the Slowpath of StarOS for Cisco ASR 5500 Series ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6454 (A cross-site request forgery (CSRF) vulnerability in the web interface ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6453 (A vulnerability in the web framework code of Cisco Identity Services ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6452 (A vulnerability in the web-based graphical user interface (GUI) of ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6451 (Multiple vulnerabilities in the web framework code of the Cisco Prime ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6450 RESERVED CVE-2016-6449 RESERVED CVE-2016-6448 (A vulnerability in the Session Description Protocol (SDP) parser of ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6447 (A vulnerability in Cisco Meeting Server and Meeting App could allow an ...) NOT-FOR-US: Cisco Meeting Server and Meeting App CVE-2016-6446 (A vulnerability in Web Bridge for Cisco Meeting Server could allow an ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6445 (A vulnerability in the Extensible Messaging and Presence Protocol ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6444 (A vulnerability in Cisco Meeting Server could allow an unauthenticated, ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6443 (A vulnerability in the Cisco Prime Infrastructure and Evolved ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6442 (A vulnerability in Cisco Finesse Agent and Supervisor Desktop Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6441 (A vulnerability in the Transaction Language 1 (TL1) code of Cisco ASR ...) NOT-FOR-US: Cisco ASR 900 Series Aggregation Services Routers CVE-2016-6440 (The Cisco Unified Communications Manager (CUCM) may be vulnerable to ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6439 (A vulnerability in the detection engine reassembly of HTTP packets for ...) 
- TODO: check + NOT-FOR-US: Cisco CVE-2016-6438 (A vulnerability in Cisco IOS XE Software running on Cisco cBR-8 ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6437 (A vulnerability in the SSL session cache management of Cisco Wide Area ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6436 (Cross-site scripting (XSS) vulnerability in HostScan Engine 3.0.08062 ...) NOT-FOR-US: Cisco CVE-2016-6435 (The web console in Cisco Firepower Management Center 6.0.1 allows ...) @@ -9112,39 +9112,39 @@ CVE-2016-6433 (The Threat Management Console in Cisco Firepower Management Center ...) NOT-FOR-US: Cisco CVE-2016-6432 (A vulnerability in the Identity Firewall feature of Cisco ASA Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6431 (A vulnerability in the local Certificate Authority (CA) feature of ...) - TODO: check +
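Review bot: the NOT-FOR-US labels in the second hunk are inconsistent for one vendor: CVE-2016-6646 and CVE-2016-6645 (EMC Unisphere for VMAX) become "NOT-FOR-US: VMAX" while the adjacent EMC entries CVE-2016-6647 and CVE-2016-6644 read "NOT-FOR-US: EMC"; using the same vendor label for a product family keeps grep-based review of NOT-FOR-US entries predictable. In the first hunk, CVE-2016-6653 (MariaDB audit_plugin in Pivotal Cloud Foundry) is left at "TODO: check" while its Pivotal neighbours CVE-2016-6652 and CVE-2016-6651 are resolved; if that is deliberate because the audit plugin may touch a packaged MariaDB component, a NOTE line saying so would save the next triager re-deriving it.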
[Secure-testing-commits] r46295 - data/CVE
Author: mgilbert Date: 2016-11-18 02:22:36 + (Fri, 18 Nov 2016) New Revision: 46295 Modified: data/CVE/list Log: new android issues Modified: data/CVE/list === --- data/CVE/list 2016-11-17 21:42:00 UTC (rev 46294) +++ data/CVE/list 2016-11-18 02:22:36 UTC (rev 46295) 
@@ -7938,55 +7938,55 @@ CVE-2016-6697 RESERVED CVE-2016-6696 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 ...) - TODO: check + - android (bug #459219) CVE-2016-6695 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 ...) - TODO: check + - android (bug #459219) CVE-2016-6694 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 ...) - TODO: check + - android (bug #459219) CVE-2016-6693 (sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 ...) - TODO: check + - android (bug #459219) CVE-2016-6692 (drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm MDSS driver in ...) - TODO: check + - android (bug #459219) CVE-2016-6691 (service/jni/com_android_server_wifi_Gbk2Utf.cpp in the Qualcomm Wi-Fi ...) - TODO: check + - android (bug #459219) CVE-2016-6690 (The sound driver in the kernel in Android before 2016-10-05 on Nexus ...) - TODO: check + - android (bug #459219) CVE-2016-6689 (Binder in the kernel in Android before 2016-10-05 on Nexus devices ...) - TODO: check + - android (bug #459219) CVE-2016-6688 (The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices ...) - TODO: check + - android (bug #459219) CVE-2016-6687 (The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices ...) - TODO: check + - android (bug #459219) CVE-2016-6686 (The NVIDIA profiler in Android before 2016-10-05 on Nexus 9 devices ...) - TODO: check + - android (bug #459219) CVE-2016-6685 (The kernel in Android before 2016-10-05 on Nexus 6P devices allows ...) - TODO: check + - android (bug #459219) CVE-2016-6684 (The kernel in Android before 2016-10-05 on Nexus 5, Nexus 5X, Nexus 6, ...) - TODO: check + - android (bug #459219) CVE-2016-6683 (The kernel in Android before 2016-10-05 on Nexus devices allows ...) - TODO: check + - android (bug #459219) CVE-2016-6682 (drivers/misc/qcom/qdsp6v2/audio_utils.c in a Qualcomm QDSP6v2 driver ...) 
- TODO: check + - android (bug #459219) CVE-2016-6681 (drivers/misc/qcom/qdsp6v2/audio_utils.c in a Qualcomm QDSP6v2 driver ...) - TODO: check + - android (bug #459219) CVE-2016-6680 (CORE/HDD/src/wlan_hdd_wext.c in the Qualcomm Wi-Fi driver in Android ...) - TODO: check + - android (bug #459219) CVE-2016-6679 (CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm Wi-Fi driver in ...) - TODO: check + - android (bug #459219) CVE-2016-6678 (The Motorola USBNet driver in Android before 2016-10-05 on Nexus 6 ...) - TODO: check + - android (bug #459219) CVE-2016-6677 (The NVIDIA GPU driver in Android before 2016-10-05 on Nexus 9 devices ...) - TODO: check + - android (bug #459219) CVE-2016-6676 (Off-by-one error in CORE/HDD/src/wlan_hdd_cfg.c in the Qualcomm Wi-Fi ...) - TODO: check + - android (bug #459219) CVE-2016-6675 (Off-by-one error in CORE/HDD/src/wlan_hdd_hostapd.c in the Qualcomm ...) - TODO: check + - android (bug #459219) CVE-2016-6674 (system_server in Android before 2016-10-05 on Nexus devices allows ...) - TODO: check + - android (bug #459219) CVE-2016-6673 (The NVIDIA camera driver in Android before 2016-10-05 on Nexus 9 ...) - TODO: check + - android (bug #459219) CVE-2016-6672 (The Synaptics touchscreen driver in Android before 2016-10-05 on Nexus ...) - TODO: check + - android (bug #459219) CVE-2015-8950 (arch/arm64/mm/dma-mapping.c in the Linux kernel before 4.0.3, as used ...) - linux 4.0.4-1 [jessie] - linux 3.16.7-ckt17-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r46257 - data/CVE
Author: mgilbert Date: 2016-11-17 01:39:04 + (Thu, 17 Nov 2016) New Revision: 46257 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-11-16 21:21:15 UTC (rev 46256) +++ data/CVE/list 2016-11-17 01:39:04 UTC (rev 46257) @@ -1887,7 +1887,7 @@ CVE-2016-8662 RESERVED CVE-2016-8661 (Little Snitch version 3.0 through 3.6.1 suffer from a buffer overflow ...) - TODO: check + NOT-FOR-US: Little Snitch CVE-2016-8657 RESERVED CVE-2016-8656 @@ -2182,13 +2182,13 @@ CVE-2016-8584 RESERVED CVE-2016-8583 (Multiple GET parameters in the vulnerability scan scheduler of ...) - TODO: check + NOT-FOR-US: AlienVault CVE-2016-8582 (A vulnerability exists in gauge.php of AlienVault OSSIM and USM before ...) - TODO: check + NOT-FOR-US: AlienVault CVE-2016-8581 (A persistent XSS vulnerability exists in the User-Agent header of the ...) - TODO: check + NOT-FOR-US: AlienVault CVE-2016-8580 (PHP object injection vulnerabilities exist in multiple widget files in ...) - TODO: check + NOT-FOR-US: AlienVault CVE-2016-8579 (docker2aci <= 0.12.3 has an infinite loop when handling local images ...) - golang-github-appc-docker2aci 0.12.3+dfsg-2 (bug #840711) NOTE: https://github.com/appc/docker2aci/issues/203 @@ -2968,7 +2968,7 @@ - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2016-8285 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-8284 (Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and ...) - mysql-5.7 5.7.15-1 - mysql-5.6 5.6.34-1 (bug #841049) @@ -2985,7 +2985,7 @@ CVE-2016-8282 RESERVED CVE-2016-8281 (Unspecified vulnerability in the Oracle Platform Security for Java ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-1000244 RESERVED CVE-2016-1000243 
@@ -3261,7 +3261,7 @@ CVE-2016-8204 RESERVED CVE-2016-8203 (A memory corruption in the IPsec code path of Brocade NetIron OS on ...) - TODO: check + NOT-FOR-US: Brocade CVE-2016-8202 RESERVED CVE-2016-8201 @@ -4075,7 +4075,7 @@ CVE-2016-8101 (The updater subsystem in Intel SSD Toolbox before 3.3.7 allows local ...) NOT-FOR-US: Intel SSD Toolbox CVE-2016-8100 (Intel Integrated Performance Primitives (aka IPP) Cryptography before ...) - TODO: check + NOT-FOR-US: Intel CVE-2016-8099 RESERVED CVE-2016-8098 @@ -4460,9 +4460,9 @@ CVE-2016-7961 RESERVED CVE-2016-7960 (Siemens SIMATIC STEP 7 (TIA Portal) before 14 uses an improper format ...) - TODO: check + NOT-FOR-US: Siemens CVE-2016-7959 (Siemens SIMATIC STEP 7 (TIA Portal) before 14 improperly stores ...) - TODO: check + NOT-FOR-US: Siemens CVE-2016-7958 RESERVED CVE-2016-7957 @@ -4764,7 +4764,7 @@ CVE-2016-7852 (Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC ...) NOT-FOR-US: Adobe CVE-2016-7851 (Adobe Connect version 9.5.6 and earlier does not adequately validate ...) - TODO: check + NOT-FOR-US: Adobe CVE-2016-7850 RESERVED CVE-2016-7849 @@ -5681,11 +5681,11 @@ CVE-2016-7438 RESERVED CVE-2016-7437 (SAP Netweaver 7.40 improperly logs (1) DUI and (2) DUJ events in the ...) - TODO: check + NOT-FOR-US: SAP Netweaver CVE-2016-7436 RESERVED CVE-2016-7435 (The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and ...) - TODO: check + NOT-FOR-US: SAP Netweaver CVE-2016-7434 RESERVED CVE-2016-7433 @@ -5828,7 +5828,7 @@ CVE-2016-7403 RESERVED CVE-2016-7402 (SAP ASE 16.0 SP02 PL03 and prior versions allow attackers who own ...) - TODO: check + NOT-FOR-US: SAP ASE CVE-2016-7401 (The cookie parsing code in Django before 1.8.15 and 1.9.x before ...) {DSA-3678-1 DLA-649-1} - python-django 1:1.10-1 (low) 
@@ -6134,155 +6134,155 @@ CVE-2016-7257 RESERVED CVE-2016-7256 (atmfd.dll in the Windows font library in Microsoft Windows Vista SP2, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-7255 (The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-7254 (Microsoft SQL Server 2012 SP2 and 2012 SP3 does not properly perform a ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-7253 (The agent in Microsoft SQL Server 2012 SP2, 2012 SP3, 2014 SP1, 2014 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-7252 (Microsoft SQL Server 2016 mishandles the FILESTREAM path, which allows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-7251 (Cross-site scripting (XSS) vulnerability in the MDS API in Microsoft ...) -
[Secure-testing-commits] r44966 - in data: CVE DSA
Author: mgilbert Date: 2016-10-02 15:27:58 + (Sun, 02 Oct 2016) New Revision: 44966 Modified: data/CVE/list data/DSA/list Log: chromium dsa Modified: data/CVE/list === --- data/CVE/list 2016-10-02 00:43:33 UTC (rev 44965) +++ data/CVE/list 2016-10-02 15:27:58 UTC (rev 44966) @@ -10247,14 +10247,15 @@ RESERVED CVE-2016-5178 RESERVED - - chromium-browser + - chromium-browser 53.0.2785.143-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5177 RESERVED - - chromium-browser + - chromium-browser 53.0.2785.143-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5176 (Google Chrome before 53.0.2785.113 allows remote attackers to bypass ...) - TODO: check + - chromium-browser 53.0.2785.113-1 + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2016-5175 (Multiple unspecified vulnerabilities in Google Chrome before ...) {DSA-3667-1} - chromium-browser 53.0.2785.113-1 Modified: data/DSA/list === --- data/DSA/list 2016-10-02 00:43:33 UTC (rev 44965) +++ data/DSA/list 2016-10-02 15:27:58 UTC (rev 44966) @@ -1,3 +1,6 @@ +[02 Oct 2016] DSA-3683-1 chromium-browser - security update + {CVE-2016-5177 CVE-2016-5178} + [jessie] - chromium-browser 53.0.2785.143-1~deb8u1 [01 Oct 2016] DSA-3681-2 wordpress - regression update [jessie] - wordpress 4.1+dfsg-1+deb8u11 [30 Sep 2016] DSA-3682-1 c-ares - security update @@ -47,7 +50,7 @@ {CVE-2016-6893} [jessie] - mailman 1:2.1.18-2+deb8u1 [15 Sep 2016] DSA-3667-1 chromium-browser - security update - {CVE-2016-5170 CVE-2016-5171 CVE-2016-5172 CVE-2016-5173 CVE-2016-5174 CVE-2016-5175 CVE-2016-7395} + {CVE-2016-5170 CVE-2016-5171 CVE-2016-5172 CVE-2016-5173 CVE-2016-5174 CVE-2016-5175 CVE-2016-5176 CVE-2016-7395 CVE-2016-7549} [jessie] - chromium-browser 53.0.2785.113-1~deb8u1 [14 Sep 2016] DSA-3666-1 mysql-5.5 - security update {CVE-2016-6662} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
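Review bot: the data/DSA/list hunk adds CVE-2016-5176 and CVE-2016-7549 to the DSA-3667-1 entry, but the data/CVE/list hunk gives the new CVE-2016-5176 record only "- chromium-browser 53.0.2785.113-1" and "[wheezy] - chromium-browser (Not supported in Wheezy)", without the "{DSA-3667-1}" reference that the adjacent CVE-2016-5175 entry carries, and CVE-2016-7549 is not touched in data/CVE/list at all; add the DSA reference to both records so the two files agree on which CVEs DSA-3667-1 covers.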
[Secure-testing-commits] r44596 - in data: . DSA
Author: mgilbert Date: 2016-09-15 04:41:01 + (Thu, 15 Sep 2016) New Revision: 44596 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-09-15 03:12:45 UTC (rev 44595) +++ data/DSA/list 2016-09-15 04:41:01 UTC (rev 44596) @@ -1,3 +1,6 @@ +[15 Sep 2016] DSA-3667-1 chromium-browser - security update + {CVE-2016-5170 CVE-2016-5171 CVE-2016-5172 CVE-2016-5173 CVE-2016-5174 CVE-2016-5175 CVE-2016-7395} + [jessie] - chromium-browser 53.0.2785.113-1~deb8u1 [14 Sep 2016] DSA-3666-1 mysql-5.5 - security update {CVE-2016-6662} [jessie] - mysql-5.5 5.5.52-0+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-09-15 03:12:45 UTC (rev 44595) +++ data/dsa-needed.txt 2016-09-15 04:41:01 UTC (rev 44596) @@ -14,8 +14,6 @@ -- 389-ds-base -- -chromium-browser --- graphicsmagick (luciano) -- icu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44352 - in data: . DSA
Author: mgilbert Date: 2016-09-05 23:17:19 + (Mon, 05 Sep 2016) New Revision: 44352 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-09-05 21:10:14 UTC (rev 44351) +++ data/DSA/list 2016-09-05 23:17:19 UTC (rev 44352) @@ -1,3 +1,6 @@ +[05 Sep 2016] DSA-3660-1 chromium-browser - security update + {CVE-2016-5147 CVE-2016-5148 CVE-2016-5149 CVE-2016-5150 CVE-2016-5151 CVE-2016-5152 CVE-2016-5153 CVE-2016-5154 CVE-2016-5155 CVE-2016-5156 CVE-2016-5157 CVE-2016-5158 CVE-2016-5159 CVE-2016-5160 CVE-2016-5161 CVE-2016-5162 CVE-2016-5163 CVE-2016-5164 CVE-2016-5165 CVE-2016-5166 CVE-2016-5167} + [jessie] - chromium-browser 53.0.2785.89-1~deb8u1 [04 Sep 2016] DSA-3659-1 linux - security update {CVE-2016-5696 CVE-2016-6136 CVE-2016-6480 CVE-2016-6828} [jessie] - linux 3.16.36-1+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-09-05 21:10:14 UTC (rev 44351) +++ data/dsa-needed.txt 2016-09-05 23:17:19 UTC (rev 44352) @@ -17,8 +17,6 @@ bogofilter Needs to have updated lexer_v3.c after the flex update -- -chromium-browser --- graphicsmagick (luciano) -- icu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r44189 - data/CVE
Author: mgilbert Date: 2016-08-27 21:11:35 + (Sat, 27 Aug 2016) New Revision: 44189 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-08-27 21:10:12 UTC (rev 44188) +++ data/CVE/list 2016-08-27 21:11:35 UTC (rev 44189) @@ -21,7 +21,7 @@ NOTE: fault outcomes. NOTE: Debian does not include INPUTRC by default in /etc/sudoers CVE-2016-7089 (WatchGuard RapidStream appliances allow local users to gain privileges ...) - TODO: check + NOT-FOR-US: WatchGuard CVE-2016-7088 RESERVED CVE-2016-7087 @@ -379,7 +379,7 @@ CVE-2016-6910 RESERVED CVE-2016-6909 (Buffer overflow in the Cookie parser in Fortinet FortiOS 4.x before ...) - TODO: check + NOT-FOR-US: Fortinet CVE-2016-6908 RESERVED CVE-2016-6907 @@ -2017,7 +2017,7 @@ CVE-2016-6370 RESERVED CVE-2016-6369 (Cisco AnyConnect Secure Mobility Client before 4.2.05015 and 4.3.x ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6368 RESERVED CVE-2016-6367 (Cisco Adaptive Security Appliance (ASA) Software before 8.4(1) on ASA ...) @@ -2736,7 +2736,7 @@ RESERVED - lepton 1.2.1-1 (bug #831814) CVE-2016-6231 (Kaspersky Safe Browser iOS before 1.7.0 does not verify X.509 ...) - TODO: check + NOT-FOR-US: Kaspersky CVE-2016-6230 RESERVED CVE-2016-6229 @@ -4430,7 +4430,7 @@ CVE-2016-5682 RESERVED CVE-2016-5681 (Stack-based buffer overflow in dws/api/Login on D-Link DIR-850L B1 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2016-5680 RESERVED CVE-2016-5679 @@ -4446,7 +4446,7 @@ CVE-2016-5674 RESERVED CVE-2016-5673 (UltraVNC Repeater before 1300 does not restrict destination IP ...) - TODO: check + NOT-FOR-US: UltraVNC CVE-2016-5672 (Intel Crosswalk before 19.49.514.5, 20.x before 20.50.533.11, 21.x ...) - crosswalk (bug #775876) CVE-2016-5671 (Multiple cross-site request forgery (CSRF) vulnerabilities on Crestron ...) 
@@ -4886,29 +4886,29 @@ CVE-2016-5477 (Unspecified vulnerability in the Oracle GlassFish Server component in ...) - glassfish (Full application server not packaged) CVE-2016-5476 (Unspecified vulnerability in the Oracle Retail Integration Bus ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5475 (Unspecified vulnerability in the Oracle Retail Service Backbone ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5474 (Unspecified vulnerability in the Oracle Retail Service Backbone ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5473 (Unspecified vulnerability in the Oracle Agile PLM component in Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5472 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5471 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local ...) - TODO: check + NOT-FOR-US: Solaris CVE-2016-5470 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5469 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5468 (Unspecified vulnerability in the Siebel UI Framework component in ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5467 (Unspecified vulnerability in the PeopleSoft Enterprise FSCM component ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5466 (Unspecified vulnerability in the Siebel Core - Server Framework ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5465 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5464 (Unspecified vulnerability in the Siebel UI Framework component in ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5463 (Unspecified vulnerability in the Siebel UI Framework component in ...) 
@@ -4922,33 +4922,33 @@ CVE-2016-5459 (Unspecified vulnerability in the Siebel Core - Common Components ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5458 (Unspecified vulnerability in the Oracle Communications EAGLE ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5457 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5456 (Unspecified vulnerability in the Siebel Core - Server Framework ...) NOT-FOR-US: Oracle Siebel CRM CVE-2016-5455 (Unspecified vulnerability in the Oracle Communications Messaging ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5454 (Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-5453 (Unspecified vulnerability in the ILOM component in Oracle Sun Systems ...
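Review bot: the Solaris entries in the first hunk are labelled inconsistently: CVE-2016-5471 ("Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local ...") becomes "NOT-FOR-US: Solaris", while CVE-2016-5469 with the same description text, and CVE-2016-5454 in the second hunk, become "NOT-FOR-US: Oracle"; pick one label (the surrounding Oracle entries suggest "NOT-FOR-US: Oracle") so identical products do not end up under two names.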
[Secure-testing-commits] r44123 - data/CVE
Author: mgilbert Date: 2016-08-24 23:57:31 + (Wed, 24 Aug 2016) New Revision: 44123 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-08-24 21:10:14 UTC (rev 44122) +++ data/CVE/list 2016-08-24 23:57:31 UTC (rev 44123) @@ -1541,7 +1541,7 @@ CVE-2016-6495 RESERVED CVE-2016-6493 (Citrix XenApp 6.x before 6.5 HRP07 and 7.x before 7.9 and Citrix ...) - TODO: check + NOT-FOR-US: Citrix CVE-2016- [bruteforcable challenge responses in unprotected logfile] - mongodb 1:2.6.12-1 (bug #833087) [wheezy] - mongodb 1:2.0.6-1.1+deb7u1 @@ -1917,23 +1917,23 @@ CVE-2016-6368 RESERVED CVE-2016-6367 (Cisco Adaptive Security Appliance (ASA) Software before 8.4(1) on ASA ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6366 (Buffer overflow in Cisco Adaptive Security Appliance (ASA) Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6365 (Cross-site scripting (XSS) vulnerability in Cisco Firepower Management ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6364 (The User Data Services (UDS) API implementation in Cisco Unified ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6363 (The rate-limit feature in the 802.11 protocol implementation on Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6362 (Cisco Aironet 1800, 2800, and 3800 devices with software before ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6361 (The Aggregated MAC Protocol Data Unit (AMPDU) implementation on Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6360 RESERVED CVE-2016-6359 (Cross-site scripting (XSS) vulnerability in Cisco Transport Gateway ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6358 RESERVED CVE-2016-6357 @@ -1941,7 +1941,7 @@ CVE-2016-6356 RESERVED CVE-2016-6355 (Memory leak in Cisco IOS XR 5.1.x through 5.1.3, 5.2.x through 5.2.5, ...) - TODO: check + NOT-FOR-US: Cisco CVE-2016-6353 RESERVED CVE-2016-6348 
@@ -2255,7 +2255,7 @@ - xen NOTE: http://xenbits.xen.org/xsa/advisory-182.html CVE-2016-6257 (The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2016-6256 RESERVED CVE-2016-6254 (Heap-based buffer overflow in the parse_packet function in network.c ...) @@ -2735,7 +2735,7 @@ CVE-2016-6205 RESERVED CVE-2016-6204 (Cross-site scripting (XSS) vulnerability in the integrated web server ...) - TODO: check + NOT-FOR-US: Siemens CVE-2016-6203 RESERVED CVE-2016-6202 @@ -2753,9 +2753,9 @@ CVE-2016-6194 RESERVED CVE-2016-6193 (Buffer overflow in the Wi-Fi driver in Huawei P8 smartphones with ...) - TODO: check + NOT-FOR-US: Huawei CVE-2016-6192 (Buffer overflow in the Wi-Fi driver in Huawei P8 smartphones with ...) - TODO: check + NOT-FOR-US: Huawei CVE-2016-126 RESERVED CVE-2016-125 @@ -2936,7 +2936,7 @@ CVE-2016-6179 RESERVED CVE-2016-6178 (Huawei NE40E and CX600 devices with software before V800R007SPH017; ...) - TODO: check + NOT-FOR-US: Huawei CVE-2016-6177 RESERVED CVE-2016-6176 @@ -2951,7 +2951,7 @@ CVE-2016-6175 RESERVED CVE-2016-6174 (applications/core/modules/front/system/content.php in Invision Power ...) - TODO: check + NOT-FOR-US: Inivision CVE-2016-6169 RESERVED CVE-2016-6168 
@@ -3031,23 +3031,23 @@ CVE-2016-6154 RESERVED CVE-2016-6152 (CA eHealth 6.2.x and 6.3.x before 6.3.2.13 allows remote authenticated ...) - TODO: check + NOT-FOR-US: eHealth CVE-2016-6151 (CA eHealth 6.2.x allows remote authenticated users to cause a denial ...) - TODO: check + NOT-FOR-US: eHealth CVE-2016-6150 (The multi-tenant database container feature in SAP HANA does not ...) - TODO: check + NOT-FOR-US: SAP HANA CVE-2016-6149 (SAP HANA SPS09 1.00.091.00.14186593 allows local users to obtain ...) - TODO: check + NOT-FOR-US: SAP HANA CVE-2016-6148 (SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a ...) - TODO: check + NOT-FOR-US: SAP HANA CVE-2016-6147 (An unspecified interface in SAP TREX 7.10 Revision 63 allows remote ...) - TODO: check + NOT-FOR-US: SAP TREX CVE-2016-6146 RESERVED CVE-2016-6145 (The SQL interface in SAP HANA provides different error messages for ...) - TODO: check + NOT-FOR-US: SAP HANA CVE-2016-6144 (The SQL interface in SAP HANA before Revision 102 does not limit the ...) - TODO: check + NOT-FOR-US: SAP HANA CVE-2016-6143 RESERVED CVE-2016-6142 @@ -3055,11 +3055,11 @@ CVE-2016-6141 RESERVED CVE-2016-6140 (SAP TREX 7.10 Revision 63 allows remote attackers to write to ...) - T
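Review bot: the label for CVE-2016-6174 in the hunk at @@ -2951,7 reads "NOT-FOR-US: Inivision", a misspelling of the vendor named in the description (Invision Power); since these labels are searched by vendor name, the typo would hide the entry from a later "Invision" lookup, so it should be "NOT-FOR-US: Invision".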
[Secure-testing-commits] r43874 - in data: . DSA
Author: mgilbert Date: 2016-08-09 01:03:56 + (Tue, 09 Aug 2016) New Revision: 43874 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-08-08 21:10:14 UTC (rev 43873) +++ data/DSA/list 2016-08-09 01:03:56 UTC (rev 43874) @@ -1,3 +1,6 @@ +[09 Aug 2016] DSA-3645-1 chromium-browser - security update + {CVE-2016-5139 CVE-2016-5140 CVE-2016-5141 CVE-2016-5142 CVE-2016-5143 CVE-2016-5144 CVE-2016-5146} + [jessie] - chromium-browser 52.0.2743.116-1~deb8u1 [08 Aug 2016] DSA-3644-1 fontconfig - security update {CVE-2016-5384} [jessie] - fontconfig 2.11.0-6.3+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-08-08 21:10:14 UTC (rev 43873) +++ data/dsa-needed.txt 2016-08-09 01:03:56 UTC (rev 43874) @@ -14,8 +14,6 @@ -- 389-ds-base -- -chromium-browser --- flex let this settle a bit to assess need of further possible fixes -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r43682 - in data: . DSA
Author: mgilbert Date: 2016-07-31 20:48:42 + (Sun, 31 Jul 2016) New Revision: 43682 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-07-31 20:31:46 UTC (rev 43681) +++ data/DSA/list 2016-07-31 20:48:42 UTC (rev 43682) @@ -1,3 +1,6 @@ +[31 Jul 2016] DSA-3637-1 chromium-browser - security update + {CVE-2016-1704 CVE-2016-1705 CVE-2016-1706 CVE-2016-1707 CVE-2016-1708 CVE-2016-1709 CVE-2016-1710 CVE-2016-1711 CVE-2016-5127 CVE-2016-5128 CVE-2016-5129 CVE-2016-5130 CVE-2016-5131 CVE-2016-5132 CVE-2016-5133 CVE-2016-5134 CVE-2016-5135 CVE-2016-5136 CVE-2016-5137} + [jessie] - chromium-browser 52.0.2743.82-1~deb8u1 [30 Jul 2016] DSA-3636-1 collectd - security update {CVE-2016-6254} [jessie] - collectd 5.4.1-6+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-07-31 20:31:46 UTC (rev 43681) +++ data/dsa-needed.txt 2016-07-31 20:48:42 UTC (rev 43682) @@ -14,8 +14,6 @@ -- 389-ds-base -- -chromium-browser --- flex let this settle a bit to assess need of further possible fixes -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42313 - data/DSA
Author: mgilbert Date: 2016-06-04 19:29:44 + (Sat, 04 Jun 2016) New Revision: 42313 Modified: data/DSA/list Log: add missing chromium CVE Modified: data/DSA/list === --- data/DSA/list 2016-06-04 19:29:33 UTC (rev 42312) +++ data/DSA/list 2016-06-04 19:29:44 UTC (rev 42313) @@ -1,5 +1,5 @@ [04 Jun 2016] DSA-3594-1 chromium-browser - security update - {CVE-2016-1696 CVE-2016-1697 CVE-2016-1698 CVE-2016-1699 CVE-2016-1700 CVE-2016-1701 CVE-2016-1702} + {CVE-2016-1696 CVE-2016-1697 CVE-2016-1698 CVE-2016-1699 CVE-2016-1700 CVE-2016-1701 CVE-2016-1702 CVE-2016-1703} [jessie] - chromium-browser 51.0.2704.79-1~deb8u1 [02 Jun 2016] DSA-3593-1 libxml2 - security update {CVE-2015-8806 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-2073 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4449 CVE-2016-4483} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
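Review bot: this commit adds CVE-2016-1703 to the DSA-3594-1 entry in data/DSA/list only (the Modified list shows no change to data/CVE/list), so the CVE-2016-1703 record itself still needs the matching "{DSA-3594-1}" line and the jessie fixed version in a follow-up, otherwise the two files disagree on what the DSA covers.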
[Secure-testing-commits] r42312 - data/CVE
Author: mgilbert Date: 2016-06-04 19:29:33 + (Sat, 04 Jun 2016) New Revision: 42312 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-06-04 17:54:52 UTC (rev 42311) +++ data/CVE/list 2016-06-04 19:29:33 UTC (rev 42312) @@ -2197,7 +2197,7 @@ CVE-2016-4501 (Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and ...) NOT-FOR-US: Environmental Systems Corporation CVE-2016-4500 (Moxa UC-7408 LX-Plus devices allow remote authenticated users to write ...) - TODO: check + NOT-FOR-US: Moxa CVE-2016-4499 (Heap-based buffer overflow in Panasonic FPWIN Pro 5.x through 7.x ...) NOT-FOR-US: Panasonic FPWIN Pro CVE-2016-4498 (Panasonic FPWIN Pro 5.x through 7.x before 7.130 accesses an ...) @@ -8341,13 +8341,13 @@ CVE-2016-2354 (The Bluetooth functionality in Lemur Vehicle Monitors BlueDriver ...) NOT-FOR-US: Lemur Vehicle Monitors BlueDriver CVE-2016-2353 (The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows ...) - TODO: check + NOT-FOR-US: Accellion CVE-2016-2352 (The Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allows ...) - TODO: check + NOT-FOR-US: Accellion CVE-2016-2351 (SQL injection vulnerability in home/seos/courier/security_key2.api on ...) - TODO: check + NOT-FOR-US: Accellion CVE-2016-2350 (Multiple cross-site scripting (XSS) vulnerabilities on the Accellion ...) - TODO: check + NOT-FOR-US: Accellion CVE-2016-2349 RESERVED CVE-2016-2348 @@ -8358,7 +8358,7 @@ - lhasa 0.3.1-1 NOTE: http://www.talosintel.com/reports/TALOS-2016-0095/ CVE-2016-2346 (Allround Automations PL/SQL Developer 11 before 11.0.6 relies on ...) - TODO: check + NOT-FOR-US: Allround Automations CVE-2016-2345 (Stack-based buffer overflow in dwrcs.exe in the dwmrcs daemon in ...) NOT-FOR-US: SolarWinds DameWare Mini Remote Control CVE-2016-2344 (Stack-based buffer overflow in manager.exe in Backburner Manager in ...) 
@@ -8373,7 +8373,7 @@ CVE-2016-2341 RESERVED CVE-2016-2340 (The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows ...) - TODO: check + NOT-FOR-US: Granite CVE-2016-2339 RESERVED CVE-2016-2338 @@ -8391,11 +8391,11 @@ - p7zip 15.14.1+dfsg-2 (bug #824160) NOTE: http://www.talosintel.com/reports/TALOS-2016-0093/ CVE-2016-2333 (SysLINK SL-1000 Machine-to-Machine (M2M) Modular Gateway devices with ...) - TODO: check + NOT-FOR-US: SysLINK CVE-2016-2332 (flu.cgi in the web interface on SysLINK SL-1000 Machine-to-Machine ...) - TODO: check + NOT-FOR-US: SysLINK CVE-2016-2331 (The web interface on SysLINK SL-1000 Machine-to-Machine (M2M) Modular ...) - TODO: check + NOT-FOR-US: SysLINK CVE-2016-2385 (Heap-based buffer overflow in the encode_msg function in encode_msg.c ...) {DSA-3535-1} - kamailio 4.3.4-2 (bug #815178) @@ -8599,11 +8599,11 @@ NOTE: FIX http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/44ed8318ba6a TODO: check other versions (newest 1.3.23 is vulnerable according to reporter) CVE-2016-2311 (Black Box AlertWerks ServSensor with firmware before SP473, AlertWerks ...) - TODO: check + NOT-FOR-US: AlertWerks CVE-2016-2310 RESERVED CVE-2016-2309 (iRZ RUH2 before 2b does not validate firmware patches, which allows ...) - TODO: check + NOT-FOR-US: iRZ RUH2 CVE-2016-2308 RESERVED CVE-2016-2307 
@@ -8625,17 +8625,17 @@ CVE-2016-2299 (SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 ...) NOT-FOR-US: Ecava IntegraXor CVE-2016-2298 (Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited allows ...) - TODO: check + NOT-FOR-US: Meteocontrol CVE-2016-2297 (Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited allows ...) - TODO: check + NOT-FOR-US: Meteocontrol CVE-2016-2296 (Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not ...) - TODO: check + NOT-FOR-US: Meteocontrol CVE-2016-2295 (Moxa MiiNePort_E1_4641 devices with firmware 1.1.10 Build 09120714, ...) - TODO: check + NOT-FOR-US: Moxa CVE-2016-2294 (The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and ...) - TODO: check + NOT-FOR-US: Acuvim CVE-2016-2293 (The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and ...) - TODO: check + NOT-FOR-US: Acuvim CVE-2016-2292 (Stack-based buffer overflow in Pro-face GP-Pro EX EX-ED before ...) NOT-FOR-US: Pro-face CVE-2016-2291 (Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, ...) @@ -8644,15 +8644,15 @@ NOT-FOR-US: Pro-face CVE-2016-2289 (Directory traversal vulnerability in ICONICS WebHMI 9 and earlier ...) NOT-FOR-US: ICONICS WebHMI
[Secure-testing-commits] r42311 - data/DSA
Author: mgilbert Date: 2016-06-04 17:54:52 + (Sat, 04 Jun 2016) New Revision: 42311 Modified: data/DSA/list Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-06-04 15:27:11 UTC (rev 42310) +++ data/DSA/list 2016-06-04 17:54:52 UTC (rev 42311) @@ -1,3 +1,6 @@ +[04 Jun 2016] DSA-3594-1 chromium-browser - security update + {CVE-2016-1696 CVE-2016-1697 CVE-2016-1698 CVE-2016-1699 CVE-2016-1700 CVE-2016-1701 CVE-2016-1702} + [jessie] - chromium-browser 51.0.2704.79-1~deb8u1 [02 Jun 2016] DSA-3593-1 libxml2 - security update {CVE-2015-8806 CVE-2016-1762 CVE-2016-1833 CVE-2016-1834 CVE-2016-1835 CVE-2016-1836 CVE-2016-1837 CVE-2016-1838 CVE-2016-1839 CVE-2016-1840 CVE-2016-2073 CVE-2016-3627 CVE-2016-3705 CVE-2016-4447 CVE-2016-4449 CVE-2016-4483} [jessie] - libxml2 2.9.1+dfsg1-5+deb8u2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r42207 - data/CVE
Author: mgilbert Date: 2016-06-01 03:59:54 + (Wed, 01 Jun 2016) New Revision: 42207 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-06-01 02:57:12 UTC (rev 42206) +++ data/CVE/list 2016-06-01 03:59:54 UTC (rev 42207) @@ -989,9 +989,9 @@ CVE-2010-5326 (The Invoker Servlet on SAP NetWeaver Application Server Java ...) NOT-FOR-US: SAP CVE-2016-4785 (The integrated web server in the EN100 Ethernet module before 4.27 on ...) - TODO: check + NOT-FOR-US: Siemens CVE-2016-4784 (The integrated web server in the EN100 Ethernet module before 4.27 on ...) - TODO: check + NOT-FOR-US: Siemens CVE-2016-4783 (Cross-site scripting (XSS) vulnerability in Lenovo SHAREit before ...) NOT-FOR-US: Lenovo CVE-2016-4782 (Lenovo SHAREit before 3.5.98_ww on Android before 4.2 allows remote ...) @@ -1590,7 +1590,7 @@ CVE-2016-4522 RESERVED CVE-2016-4521 (Sixnet BT-5xxx and BT-6xxx M2M devices before 3.8.21 and 3.9.x before ...) - TODO: check + NOT-FOR-US: Sixnet CVE-2016-4520 RESERVED CVE-2016-4519 @@ -1620,17 +1620,17 @@ CVE-2016-4507 RESERVED CVE-2016-4506 (Cross-site request forgery (CSRF) vulnerability on Resource Data ...) - TODO: check + NOT-FOR-US: Resource Data Management CVE-2016-4505 (Resource Data Management (RDM) Intuitive 650 TDB Controller devices ...) - TODO: check + NOT-FOR-US: Resource Data Management CVE-2016-4504 RESERVED CVE-2016-4503 RESERVED CVE-2016-4502 (Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and ...) - TODO: check + NOT-FOR-US: Environmental Systems Corporation CVE-2016-4501 (Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and ...) - TODO: check + NOT-FOR-US: Environmental Systems Corporation CVE-2016-4500 RESERVED CVE-2016-4499 (Heap-based buffer overflow in Panasonic FPWIN Pro 5.x through 7.x ...) 
@@ -2673,7 +2673,7 @@ CVE-2016-4119 RESERVED CVE-2016-4118 (Untrusted search path vulnerability in the add-in installer in Adobe ...) - TODO: check + NOT-FOR-US: Adobe CVE-2016-4117 (Adobe Flash Player 21.0.0.226 and earlier allows remote attackers to ...) NOT-FOR-US: Adobe Flash Player CVE-2016-4116 (Unspecified vulnerability in Adobe Flash Player 21.0.0.213 and ...) @@ -2739,7 +2739,7 @@ - gitlab (bug #823290) NOTE: https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/ CVE-2016-4087 (Huawei S12700 switches with software before V200R008C00SPC500 and ...) - TODO: check + NOT-FOR-US: Huawei CVE-2016-4086 RESERVED CVE-2016-4075 @@ -4050,9 +4050,9 @@ CVE-2016-3682 RESERVED CVE-2016-3681 (Buffer overflow in the Wi-Fi driver in Huawei Mate 8 NXT-AL before ...) - TODO: check + NOT-FOR-US: Huawei CVE-2016-3680 (Buffer overflow in the Wi-Fi driver in Huawei Mate 8 NXT-AL before ...) - TODO: check + NOT-FOR-US: Huawei CVE-2016-3679 (Multiple unspecified vulnerabilities in Google V8 before 4.9.385.33, ...) - libv8 (unimportant) NOTE: libv8 not covered by security support @@ -4096,7 +4096,7 @@ CVE-2016-3665 RESERVED CVE-2016-3664 (Trend Micro Mobile Security for iOS before 3.2.1188 does not verify ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2016-3663 RESERVED CVE-2016-3662 @@ -4219,7 +4219,7 @@ CVE-2016-3629 RESERVED CVE-2016-3628 (Buffer overflow in tibemsd in the server in TIBCO Enterprise Message ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2016-3626 RESERVED CVE-2016-3625 [Out-of-bounds Read occurred in tif_read.c:545 or tif_read.c:402 or tif_read.c:560 in tiff2bw] @@ -4669,7 +4669,7 @@ CVE-2016-3429 (Unspecified vulnerability in the Oracle Retail Xstore Point of Service ...) NOT-FOR-US: Oracle Retail CVE-2016-3428 (Unspecified vulnerability in the Oracle Agile Engineering Data ...) - TODO: check + NOT-FOR-US: Oracle CVE-2016-3427 (Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; ...) {DSA-3558-1 DLA-451-1} - openjdk-8 8u91-b14-1 
@@ -5166,9 +5166,9 @@ CVE-2016-3189 RESERVED CVE-2016-3188 (The _prepopulate_request_walk function in the Prepopulate module ...) - TODO: check + NOT-FOR-US: Prepopulate module for Drupal CVE-2016-3187 (The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote ...) - TODO: check + NOT-FOR-US: Prepopulate module for Drupal CVE-2016-3186 (Buffer overflow in the readextension function in gif2tiff.c in LibTIFF ...) - tiff (bug #819972) [jessie] - tiff (Minor issue) @@ -5299,7 +5299,7 @@ CVE-2016-3127 RESERVED CVE-2016-3126 (Cross-site scripting (XSS) vulnerability in the Management Console in ...) - TODO: check +
[Secure-testing-commits] r42206 - in data: . DSA
Author: mgilbert Date: 2016-06-01 02:57:12 + (Wed, 01 Jun 2016) New Revision: 42206 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-06-01 00:57:08 UTC (rev 42205) +++ data/DSA/list 2016-06-01 02:57:12 UTC (rev 42206) @@ -1,3 +1,6 @@ +[01 Jun 2016] DSA-3590-1 chromium-browser - security update + {CVE-2016-1667 CVE-2016-1668 CVE-2016-1669 CVE-2016-1670 CVE-2016-1672 CVE-2016-1673 CVE-2016-1674 CVE-2016-1675 CVE-2016-1676 CVE-2016-1677 CVE-2016-1678 CVE-2016-1679 CVE-2016-1680 CVE-2016-1681 CVE-2016-1682 CVE-2016-1683 CVE-2016-1684 CVE-2016-1685 CVE-2016-1686 CVE-2016-1687 CVE-2016-1688 CVE-2016-1689 CVE-2016-1690 CVE-2016-1691 CVE-2016-1692 CVE-2016-1693 CVE-2016-1694 CVE-2016-1695} + [jessie] - chromium-browser 51.0.2704.63-1~deb8u1 [30 May 2016] DSA-3589-1 gdk-pixbuf - security update {CVE-2015-7552 CVE-2015-8875} [jessie] - gdk-pixbuf 2.31.1-2+deb8u5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-06-01 00:57:08 UTC (rev 42205) +++ data/dsa-needed.txt 2016-06-01 02:57:12 UTC (rev 42206) @@ -14,8 +14,6 @@ -- 389-ds-base -- -chromium-browser --- graphicsmagick -- icu ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r41347 - data/DSA
Author: mgilbert Date: 2016-05-02 12:25:13 + (Mon, 02 May 2016) New Revision: 41347 Modified: data/DSA/list Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-05-02 05:37:26 UTC (rev 41346) +++ data/DSA/list 2016-05-02 12:25:13 UTC (rev 41347) @@ -1,3 +1,5 @@ +[02 May 2016] DSA-3564-1 chromium-browser - security update + {CVE-2016-1660 CVE-2016-1661 CVE-2016-1662 CVE-2016-1663 CVE-2016-1664 CVE-2016-1665 CVE-2016-1666} [01 May 2016] DSA-3563-1 poppler - security update {CVE-2015-8868} [jessie] - poppler 0.26.5-2+deb8u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
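Review bot: the DSA-3564-1 entry (hunk @@ -1,3 +1,5 @@) is missing the `[jessie] - chromium-browser <version>` line that every other chromium DSA entry in this series carries (compare the DSA-3563-1 poppler entry directly below it, and DSA-3549-1 in r40952). Without it the tracker cannot tie the advisory to a fixed jessie version, so the CVEs listed in the braces stay open for jessie; add the fixed jessie package version as a third line.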
[Secure-testing-commits] r40952 - in data: . DSA
Author: mgilbert Date: 2016-04-15 11:58:41 + (Fri, 15 Apr 2016) New Revision: 40952 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-04-15 09:10:16 UTC (rev 40951) +++ data/DSA/list 2016-04-15 11:58:41 UTC (rev 40952) @@ -1,3 +1,6 @@ +[15 Apr 2016] DSA-3549-1 chromium-browser - security update + {CVE-2016-1651 CVE-2016-1652 CVE-2016-1653 CVE-2016-1654 CVE-2016-1655 CVE-2016-1657 CVE-2016-1658 CVE-2016-1659} + [jessie] - chromium-browser 50.0.2661.75-1~deb8u1 [14 Apr 2016] DSA-3548-2 samba - regression update [jessie] - samba 2:4.2.10+dfsg-0+deb8u2 [13 Apr 2016] DSA-3548-1 samba - security update Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-04-15 09:10:16 UTC (rev 40951) +++ data/dsa-needed.txt 2016-04-15 11:58:41 UTC (rev 40952) @@ -19,8 +19,6 @@ -- botan1.10 -- -chromium-browser --- extplorer/oldstable (Thorsten Alteholz) NOTE: .debdiff sent to the Security Team, waiting for feedback -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40583 - data/DSA
Author: mgilbert Date: 2016-03-26 04:17:56 + (Sat, 26 Mar 2016) New Revision: 40583 Modified: data/DSA/list Log: fix typo Modified: data/DSA/list === --- data/DSA/list 2016-03-26 03:26:21 UTC (rev 40582) +++ data/DSA/list 2016-03-26 04:17:56 UTC (rev 40583) @@ -1,6 +1,6 @@ -[25 Mar 2016] DSA-3531-1 chromum-browser - security update +[25 Mar 2016] DSA-3531-1 chromium-browser - security update {CVE-2016-1646 CVE-2016-1647 CVE-2016-1648 CVE-2016-1649 CVE-2016-1650} - [jessie] - chromum-browser 49.0.2623.108-1~deb8u1 + [jessie] - chromium-browser 49.0.2623.108-1~deb8u1 [25 Mar 2016] DSA-3530-1 tomcat6 - security update {CVE-2013-4286 CVE-2013-4322 CVE-2013-4590 CVE-2014-0033 CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5346 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763} [wheezy] - tomcat6 6.0.45+dfsg-1~deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40582 - data/DSA
Author: mgilbert Date: 2016-03-26 03:26:21 + (Sat, 26 Mar 2016) New Revision: 40582 Modified: data/DSA/list Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-03-25 21:10:11 UTC (rev 40581) +++ data/DSA/list 2016-03-26 03:26:21 UTC (rev 40582) @@ -1,3 +1,6 @@ +[25 Mar 2016] DSA-3531-1 chromum-browser - security update + {CVE-2016-1646 CVE-2016-1647 CVE-2016-1648 CVE-2016-1649 CVE-2016-1650} + [jessie] - chromum-browser 49.0.2623.108-1~deb8u1 [25 Mar 2016] DSA-3530-1 tomcat6 - security update {CVE-2013-4286 CVE-2013-4322 CVE-2013-4590 CVE-2014-0033 CVE-2014-0075 CVE-2014-0096 CVE-2014-0099 CVE-2014-0119 CVE-2014-0227 CVE-2014-0230 CVE-2014-7810 CVE-2015-5174 CVE-2015-5345 CVE-2015-5346 CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763} [wheezy] - tomcat6 6.0.45+dfsg-1~deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
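Review bot: `chromum-browser` is misspelled in both added lines of hunk @@ -1,3 +1,6 @@; the source package is `chromium-browser`, as every other chromium DSA entry on this list shows. A misspelled package name will not match the `- chromium-browser` lines in data/CVE/list for CVE-2016-1646 through CVE-2016-1650, so the advisory would not be linked to those entries. The follow-up r40583 corrects both lines; checking the package name against the existing entries before committing would have avoided the extra revision.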
[Secure-testing-commits] r40316 - data/CVE
Author: mgilbert Date: 2016-03-11 02:39:38 + (Fri, 11 Mar 2016) New Revision: 40316 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-03-10 22:38:47 UTC (rev 40315) +++ data/CVE/list 2016-03-11 02:39:38 UTC (rev 40316) @@ -8803,17 +8803,17 @@ CVE-2016-0135 RESERVED CVE-2016-0134 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0133 (The USB Mass Storage Class driver in Microsoft Windows Vista SP2, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0132 (Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0131 RESERVED CVE-2016-0130 (Microsoft Edge allows remote attackers to execute arbitrary code or ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0129 (Microsoft Edge allows remote attackers to execute arbitrary code or ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0128 RESERVED CVE-2016-0127 
@@ -8821,75 +8821,75 @@ CVE-2016-0126 RESERVED CVE-2016-0125 (Microsoft Edge mishandles the Referer policy, which allows remote ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0124 (Microsoft Edge allows remote attackers to execute arbitrary code or ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0123 (Microsoft Edge allows remote attackers to execute arbitrary code or ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0122 RESERVED CVE-2016-0121 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0120 (The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0119 RESERVED CVE-2016-0118 (The PDF library in Microsoft Windows 10 Gold and 1511 allows remote ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0117 (The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0116 (Microsoft Edge allows remote attackers to execute arbitrary code or ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0115 RESERVED CVE-2016-0114 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0113 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0112 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0111 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0110 (Microsoft Internet Explorer 10 through 11 and Microsoft Edge allow ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0109 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0108 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) 
- TODO: check + NOT-FOR-US: Microsoft CVE-2016-0107 (Microsoft Internet Explorer 9 through 11 allows remote attackers to ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0106 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0105 (Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0104 (Microsoft Internet Explorer 10 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0103 (Microsoft Internet Explorer 11 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0102 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0101 (Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0100 (Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0099 (The Secondary Logon Service in Microsoft Windows Vista SP2, Windows ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0098 (Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0097 RESERVED CVE-2016-0096 (The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2016-0095 (The ker
[Secure-testing-commits] r40299 - in data: . DSA
Author: mgilbert Date: 2016-03-10 13:42:31 + (Thu, 10 Mar 2016) New Revision: 40299 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-03-10 13:33:01 UTC (rev 40298) +++ data/DSA/list 2016-03-10 13:42:31 UTC (rev 40299) @@ -1,3 +1,6 @@ +[10 Mar 2016] DSA-3513-1 chromium-browser - security update + {CVE-2016-1643 CVE-2016-1644 CVE-2016-1645} + [jessie] - chromium-browser 49.0.2623.87-1~deb8u1 [09 Mar 2016] DSA-3512-1 libotr - security update {CVE-2016-2851} [wheezy] - libotr 3.2.1-1+deb7u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-03-10 13:33:01 UTC (rev 40298) +++ data/dsa-needed.txt 2016-03-10 13:42:31 UTC (rev 40299) @@ -21,8 +21,6 @@ -- botan1.10 -- -chromium-browser --- exim4 NOTE: maintainer and upstream pinged about possible issues in original patch -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40276 - in data: CVE DSA
Author: mgilbert Date: 2016-03-09 20:36:50 + (Wed, 09 Mar 2016) New Revision: 40276 Modified: data/CVE/list data/DSA/list Log: bind dsa Modified: data/CVE/list === --- data/CVE/list 2016-03-09 18:58:03 UTC (rev 40275) +++ data/CVE/list 2016-03-09 20:36:50 UTC (rev 40276) @@ -2569,6 +2569,9 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/01/29/2 NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=fc3d8e1138cd0c843d6fd75272633a31be6554ef (v2.3.0-rc2) CVE-2016-2088 + - bind9 + [wheezy] - bind9 (introduced in bind 9.10) + [jessie] - bind9 (introduced in bind 9.10) RESERVED CVE-2016-2087 RESERVED @@ -4905,8 +4908,10 @@ CVE-2016-1287 (Buffer overflow in the IKEv1 and IKEv2 implementations in Cisco ASA ...) NOT-FOR-US: Cisco ASA CVE-2016-1286 + - bind9 RESERVED CVE-2016-1285 + - bind9 RESERVED CVE-2016-1284 (rdataset.c in ISC BIND 9 Supported Preview Edition 9.9.8-S before ...) - bind9 (Only Supported Preview Edition/Subscription Edition) Modified: data/DSA/list === --- data/DSA/list 2016-03-09 18:58:03 UTC (rev 40275) +++ data/DSA/list 2016-03-09 20:36:50 UTC (rev 40276) @@ -1,3 +1,7 @@ +[09 Mar 2016] DSA-3511-1 bind9 - security update + {CVE-2016-1285 CVE-2016-1286} + [wheezy] - bind9 9.8.4.dfsg.P1-6+nmu2+deb7u10 + [jessie] - bind9 9.9.5.dfsg-9+deb8u6 [09 Mar 2016] DSA-3510-1 iceweasel - security update {CVE-2016-1950 CVE-2016-1952 CVE-2016-1954 CVE-2016-1957 CVE-2016-1958 CVE-2016-1960 CVE-2016-1961 CVE-2016-1962 CVE-2016-1964 CVE-2016-1965 CVE-2016-1966 CVE-2016-1974 CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792 CVE-2016-2793 CVE-2016-2794 CVE-2016-2795 CVE-2016-2796 CVE-2016-2797 CVE-2016-2798 CVE-2016-2799 CVE-2016-2800 CVE-2016-2801 CVE-2016-2802} [wheezy] - iceweasel 38.7.0esr-1~deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
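Review bot: in the data/CVE/list hunks, CVE-2016-1285 and CVE-2016-1286 gain only a bare `- bind9` line, with no `{DSA-3511-1}` reference and no fixed sid version, while the data/DSA/list hunk in the same commit announces DSA-3511-1 for exactly these two CVEs with wheezy and jessie versions. The usual pattern (see `{DSA-3486-1}` above the chromium package lines in r40039) is to add the DSA tag and the sid fixed version alongside; as written the two entries still look unfixed everywhere. CVE-2016-2088 likewise gets `- bind9` without a version although wheezy and jessie are annotated `(introduced in bind 9.10)`; confirm whether sid is affected and add either the fixed version or a note.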
[Secure-testing-commits] r40219 - data/CVE
Author: mgilbert Date: 2016-03-08 05:26:32 + (Tue, 08 Mar 2016) New Revision: 40219 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2016-03-08 05:24:05 UTC (rev 40218) +++ data/CVE/list 2016-03-08 05:26:32 UTC (rev 40219) @@ -1335,7 +1335,7 @@ CVE-2016-2399 RESERVED CVE-2016-2398 (Comcast XFINITY Home Security System does not properly maintain ...) - TODO: check + NOT-FOR-US: XFINITY CVE-2016-2397 (The cliserver implementation in Dell SonicWALL GMS, Analyzer, and UMA ...) NOT-FOR-US: Dell CVE-2016-2396 (The GMS ViewPoint (GMSVP) web application in Dell SonicWALL GMS, ...) @@ -1791,9 +1791,9 @@ CVE-2016-2280 RESERVED CVE-2016-2279 (Cross-site scripting (XSS) vulnerability in the web server in Rockwell ...) - TODO: check + NOT-FOR-US: CompactLogix CVE-2016-2278 (Schneider Electric Struxureware Building Operations Automation Server ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2016-2277 RESERVED CVE-2016-2276 @@ -2005,7 +2005,7 @@ CVE-2016-2215 RESERVED CVE-2016-2214 (Cross-site scripting (XSS) vulnerability in an unspecified portal ...) - TODO: check + NOT-FOR-US: Huawei CVE-2016-2212 RESERVED CVE-2016-2211 @@ -2643,7 +2643,7 @@ [squeeze] - python-django (Only affects 1.9) NOTE: https://www.djangoproject.com/weblog/2016/feb/01/releases-192-and-189/ CVE-2016-2046 (Cross-site scripting (XSS) vulnerability in the UserPortal page in ...) - TODO: check + NOT-FOR-US: SOPHOS CVE-2016-2045 (Cross-site scripting (XSS) vulnerability in the SQL editor in ...) - phpmyadmin 4:4.5.4-1 [squeeze] - phpmyadmin (vulnerable code not present) @@ -3051,7 +3051,7 @@ NOTE: https://bugs.linuxfoundation.org/show_bug.cgi?id=1336 NOTE: http://bzr.linuxfoundation.org/loggerhead/openprinting/cups-filters/revision/7431 CVE-2016-1926 (Cross-site scripting (XSS) vulnerability in the charts module in ...) - TODO: check + NOT-FOR-US: Greenbone Security Assistant CVE-2016-1921 RESERVED CVE-2016-1918 
@@ -3065,7 +3065,7 @@ CVE-2016-1914 RESERVED CVE-2016-1913 (Multiple cross-site scripting (XSS) vulnerabilities in the Redhen ...) - TODO: check + NOT-FOR-US: Redhen module for Drupal CVE-2016-1912 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ...) - dolibarr 3.5.8+dfsg1-1 (bug #812496) [jessie] - dolibarr (Minor issue) @@ -3075,7 +3075,7 @@ CVE-2016-1910 (The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers ...) NOT-FOR-US: SAP CVE-2016-1909 (FortiOS 4.x before 4.3.17 and 5.0.x before 5.0.8 has a hardcoded ...) - TODO: check + NOT-FOR-US: FortiOS CVE-2015-8775 RESERVED CVE-2015-8774 @@ -4042,7 +4042,7 @@ CVE-2016-1566 RESERVED CVE-2016-1565 (Cross-site scripting (XSS) vulnerability in the Field Group module ...) - TODO: check + NOT-FOR-US: Field Group module for Drupal CVE-2015-8768 RESERVED NOT-FOR-US: Click package manager @@ -4050,9 +4050,9 @@ CVE-2015-8766 (Multiple cross-site scripting (XSS) vulnerabilities in ...) TODO: check CVE-2015-8765 (Intel McAfee ePolicy Orchestrator (ePO) 4.6.9 and earlier, 5.0.x, ...) - TODO: check + NOT-FOR-US: McAfee CVE-2015-8761 (The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly ...) - TODO: check + NOT-FOR-US: Values module for Drupal CVE-2015-8760 (The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote ...) TODO: check CVE-2015-8759 (Cross-site scripting (XSS) vulnerability in the typoLink function in ...) @@ -4066,9 +4066,9 @@ CVE-2015-8755 (Multiple cross-site scripting (XSS) vulnerabilities in unspecified ...) TODO: check CVE-2015-8754 (The Mollom module 6.x-2.7 before 6.x-2.15 for Drupal allows remote ...) - TODO: check + NOT-FOR-US: Mollom module for Drupal CVE-2015-8753 (SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization ...) - TODO: check + NOT-FOR-US: SAP Afaria CVE-2015-8752 RESERVED CVE-2016-1714 [nvram: OOB r/w access in processing firmware configurations] 
@@ -4324,17 +4324,17 @@ [jessie] - owncloud 7.0.4+dfsg-4~deb8u4 NOTE: https://owncloud.org/security/advisory/?id=oc-sa-2016-001 CVE-2016-1493 (Intel Driver Update Utility before 2.4 retrieves driver updates in ...) - TODO: check + NOT-FOR-US: Intel Driver Update Utility CVE-2016-1492 (The Wifi hotspot in Lenovo SHAREit before 3.5.48_ww for Android, when ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2016-1491 (The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows, when ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2016-1490 (The Wifi hotspot in Lenovo SHAREit befor
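Review bot: the NOT-FOR-US labels in hunk @@ -1791,9 +1791,9 @@ are inconsistent with the vendor-name convention used elsewhere in this commit: the description of CVE-2016-2279 names Rockwell, but the label reads `NOT-FOR-US: CompactLogix`, while CVE-2016-2278 right next to it gets `NOT-FOR-US: Schneider Electric`; similarly `NOT-FOR-US: XFINITY` in hunk @@ -1335,7 +1335,7 @@ drops the vendor (Comcast) that the description names. Pick one form (vendor, or vendor plus product) so that the labels stay greppable across the file.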
[Secure-testing-commits] r40183 - in data: . DSA
Author: mgilbert Date: 2016-03-05 20:58:57 + (Sat, 05 Mar 2016) New Revision: 40183 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-03-05 20:53:13 UTC (rev 40182) +++ data/DSA/list 2016-03-05 20:58:57 UTC (rev 40183) @@ -1,3 +1,6 @@ +[05 Mar 2016] DSA-3507-1 chromium-browser - security update + {CVE-2015-8126 CVE-2016-1630 CVE-2016-1631 CVE-2016-1632 CVE-2016-1633 CVE-2016-1634 CVE-2016-1635 CVE-2016-1636 CVE-2016-1637 CVE-2016-1638 CVE-2016-1639 CVE-2016-1640 CVE-2016-1641 CVE-2016-1642} + [jessie] - chromium-browser 49.0.2623.75-1~deb8u1 [04 Mar 2016] DSA-3506-1 libav - security update {CVE-2016-1897 CVE-2016-1898 CVE-2016-2326} [wheezy] - libav 6:0.8.17-2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-03-05 20:53:13 UTC (rev 40182) +++ data/dsa-needed.txt 2016-03-05 20:58:57 UTC (rev 40183) @@ -21,8 +21,6 @@ -- botan1.10 -- -chromium-browser --- exim4 -- gosa/oldstable (Mike Gabriel) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r40039 - data/CVE
Author: mgilbert Date: 2016-02-28 23:43:04 + (Sun, 28 Feb 2016) New Revision: 40039 Modified: data/CVE/list Log: openjpeg issues in chromium Modified: data/CVE/list === --- data/CVE/list 2016-02-28 23:42:55 UTC (rev 40038) +++ data/CVE/list 2016-02-28 23:43:04 UTC (rev 40039) @@ -2954,6 +2954,7 @@ [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1628 (pi.c in OpenJPEG, as used in PDFium in Google Chrome before ...) {DSA-3486-1} + - openjpeg - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) @@ -2964,6 +2965,7 @@ [squeeze] - chromium-browser (Not supported in Squeeze LTS) CVE-2016-1626 (The opj_pi_update_decode_poc function in pi.c in OpenJPEG, as used in ...) {DSA-3486-1} + - openjpeg - chromium-browser 48.0.2564.116-1 [wheezy] - chromium-browser (Not supported in Wheezy) [squeeze] - chromium-browser (Not supported in Squeeze LTS) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
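Review bot: the added `- openjpeg` lines for CVE-2016-1628 and CVE-2016-1626 carry no fixed version, bug reference or note, and sit directly under `{DSA-3486-1}`, which is the chromium advisory; as written they mark openjpeg as unfixed in every suite without recording whether the OpenJPEG package itself is affected (the descriptions say "as used in PDFium in Google Chrome"). Add a fixed version or a `(bug #...)` reference, a `NOTE:` pointing at the upstream OpenJPEG fix, and `[jessie]`/`[wheezy]` annotations for openjpeg if those suites are not affected, as the chromium lines below already do.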
[Secure-testing-commits] r40038 - data/CVE
Author: mgilbert Date: 2016-02-28 23:42:55 + (Sun, 28 Feb 2016) New Revision: 40038 Modified: data/CVE/list Log: wine issue Modified: data/CVE/list === --- data/CVE/list 2016-02-28 22:32:11 UTC (rev 40037) +++ data/CVE/list 2016-02-28 23:42:55 UTC (rev 40038) @@ -1,3 +1,9 @@ +CVE-2016- [unsafe use of /tmp] + - wine (low; bug #816034) + - wine-development (low; bug #816034) + [wheezy] - wine (Minor issue) + [jessie] - wine (Minor issue) + [jessie] - wine-development (Minor issue) CVE-2016- [remote memory disclosure] - node-ws 1.0.1+ds1.e6ddaae4-1 (unimportant) NOTE: fixed in 1.0.1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
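Review bot: the new `CVE-2016- [unsafe use of /tmp]` entry (hunk @@ -1,3 +1,9 @@) has no `NOTE:` line pointing at the upstream report or fix, unlike the node-ws entry directly below it (`NOTE: fixed in 1.0.1`); with only `bug #816034` a reader has to leave the tracker to learn what the issue is or whether an upstream fix exists. Add a NOTE with the upstream reference or commit so the `(low)` severity and the `(Minor issue)` markings for wheezy and jessie can be checked against it.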
[Secure-testing-commits] r39801 - data/DSA
Author: mgilbert Date: 2016-02-21 21:45:04 + (Sun, 21 Feb 2016) New Revision: 39801 Modified: data/DSA/list Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-02-21 21:10:12 UTC (rev 39800) +++ data/DSA/list 2016-02-21 21:45:04 UTC (rev 39801) @@ -1,3 +1,6 @@ +[21 Feb 2016] DSA-3486-1 chromium-browser - security update + {CVE-2016-1622 CVE-2016-1623 CVE-2016-1624 CVE-2016-1625 CVE-2016-1626 CVE-2016-1627 CVE-2016-1628 CVE-2016-1629} + [jessie] - chromium-browser 48.0.2564.116-1~deb8u1 [20 Feb 2016] DSA-3485-1 didiwiki - security update {CVE-2013-7448} [wheezy] - didiwiki 0.5-11+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39231 - in data: . DSA
Author: mgilbert Date: 2016-01-27 12:57:35 + (Wed, 27 Jan 2016) New Revision: 39231 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2016-01-27 12:00:07 UTC (rev 39230) +++ data/DSA/list 2016-01-27 12:57:35 UTC (rev 39231) @@ -1,3 +1,6 @@ +[27 Jan 2016] DSA-3456-1 chromium-browser - security update + {CVE-2015-6792 CVE-2016-1612 CVE-2016-1613 CVE-2016-1614 CVE-2016-1615 CVE-2016-1616 CVE-2016-1617 CVE-2016-1618 CVE-2016-1619 CVE-2016-1620} + [jessie] - chromium-browser 48.0.2564.82-1~deb8u1 [27 Jan 2016] DSA-3455-1 curl - security update {CVE-2016-0755} [jessie] - curl 7.38.0-4+deb8u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-01-27 12:00:07 UTC (rev 39230) +++ data/dsa-needed.txt 2016-01-27 12:57:35 UTC (rev 39231) @@ -22,8 +22,6 @@ cacti Maintainer proposed debdiffs, needs review and ack -- -chromium-browser --- icedtea-web -- iceweasel (jmm) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r39006 - data/CVE
Author: mgilbert Date: 2016-01-18 22:47:24 + (Mon, 18 Jan 2016) New Revision: 39006 Modified: data/CVE/list Log: chromium issue fixed Modified: data/CVE/list === --- data/CVE/list 2016-01-18 21:10:17 UTC (rev 39005) +++ data/CVE/list 2016-01-18 22:47:24 UTC (rev 39006) @@ -9944,7 +9944,7 @@ CVE-2015-6793 RESERVED CVE-2015-6792 (The MIDI subsystem in Google Chrome before 47.0.2526.106 does not ...) - - chromium-browser + - chromium-browser 47.0.2526.111-1 [wheezy] - chromium-browser [squeeze] - chromium-browser NOTE: http://googlechromereleases.blogspot.de/2015/12/stable-channel-update_15.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
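Review bot: the change records the sid fix for CVE-2015-6792 (`- chromium-browser 47.0.2526.111-1`) but leaves the `[wheezy] - chromium-browser` and `[squeeze] - chromium-browser` context lines bare, whereas the other chromium entries in this file annotate them `(Not supported in Wheezy)` and `(Not supported in Squeeze LTS)` (see the CVE-2016-1628 entry in r40039). Without the annotation those two suites show as open and unfixed for this CVE; add the same annotations while touching the entry.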
[Secure-testing-commits] r38810 - in data: . DSA
Author: mgilbert Date: 2016-01-10 03:19:48 + (Sun, 10 Jan 2016) New Revision: 38810 Modified: data/DSA/list data/dsa-needed.txt Log: xscreensaver dsa Modified: data/DSA/list === --- data/DSA/list 2016-01-09 21:10:12 UTC (rev 38809) +++ data/DSA/list 2016-01-10 03:19:48 UTC (rev 38810) @@ -1,3 +1,7 @@ +[09 Jan 2016] DSA-3438-1 xscreensaver - security update + {CVE-2015-8025} + [wheezy] - xscreensaver 5.15-3+deb7u1 + [jessie] - xscreensaver 5.30-1+deb8u1 [09 Jan 2016] DSA-3437-1 gnutls26 - security update {CVE-2015-7575} [wheezy] - gnutls26 2.12.20-8+deb7u5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2016-01-09 21:10:12 UTC (rev 38809) +++ data/dsa-needed.txt 2016-01-10 03:19:48 UTC (rev 38810) @@ -88,5 +88,3 @@ wordpress Maintainer sent debdiffs for wheezy- and jessie-security pending for review and ack -- -xscreensaver (anarcat) - mgilbert mentioned in bug report to take care of the DSA ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38437 - data/CVE
Author: mgilbert Date: 2015-12-19 21:43:52 + (Sat, 19 Dec 2015) New Revision: 38437 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2015-12-19 21:38:58 UTC (rev 38436) +++ data/CVE/list 2015-12-19 21:43:52 UTC (rev 38437) @@ -127,11 +127,11 @@ CVE-2015-8603 RESERVED CVE-2015-8602 (The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does ...) - TODO: check + NOT-FOR-US: Token Insert Entity module for Drupal CVE-2015-8601 (The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not ...) - TODO: check + NOT-FOR-US: Chat Room module for Drupal CVE-2015-8600 (The SysAdminWebTool servlets in SAP Mobile Platform allow remote ...) - TODO: check + NOT-FOR-US: SAP CVE-2015-8599 RESERVED CVE-2015-8598 @@ -4231,7 +4231,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/10/13/6 NOTE: (unreplied so far) CVE-2015-7808 (The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 ...) - TODO: check + NOT-FOR-US: vBulletin CVE-2015-7807 RESERVED CVE-2015-7806 @@ -5327,7 +5327,7 @@ CVE-2015-7395 (IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 ...) NOT-FOR-US: IBM CVE-2015-7394 (The datastor kernel module in F5 BIG-IP Analytics, APM, ASM, Link ...) - TODO: check + NOT-FOR-US: BIG-IQ CVE-2015-7393 RESERVED CVE-2015-7392 (Heap-based buffer overflow in the parse_string function in ...) @@ -5440,7 +5440,7 @@ CVE-2015-7349 RESERVED CVE-2015-7348 (Cross-site scripting (XSS) vulnerability in zTree 3.5.19.1 and ...) - TODO: check + NOT-FOR-US: zTree CVE-2015-7347 RESERVED CVE-2015-7346 
@@ -5491,9 +5491,9 @@ CVE-2015-7324 RESERVED CVE-2015-7323 (The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure ...) - TODO: check + NOT-FOR-US: Pulse Connect Secure CVE-2015-7322 (The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure ...) - TODO: check + NOT-FOR-US: Pulse Connect Secure CVE-2015-7321 RESERVED CVE-2015-7320 (Multiple cross-site scripting (XSS) vulnerabilities in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
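Review bot: for CVE-2015-7394 (hunk @@ -5327,7 +5327,7 @@) the label `NOT-FOR-US: BIG-IQ` does not match the product named in the visible description, `F5 BIG-IP Analytics, APM, ASM, Link ...`; use `NOT-FOR-US: F5` (or `F5 BIG-IP`) so the label agrees with the description and with the vendor-style labels used for the other entries in this commit.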
[Secure-testing-commits] r38422 - data/CVE
Author: mgilbert Date: 2015-12-18 23:28:25 + (Fri, 18 Dec 2015) New Revision: 38422 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2015-12-18 21:55:08 UTC (rev 38421) +++ data/CVE/list 2015-12-18 23:28:25 UTC (rev 38422) @@ -393,15 +393,15 @@ CVE-2015-8582 RESERVED CVE-2015-8581 (The EjbObjectInputStream class in Apache TomEE allows remote attackers ...) - TODO: check + NOT-FOR-US: Apache TomEE CVE-2015-8580 (Multiple use-after-free vulnerabilities in the (1) Print method and ...) - TODO: check + NOT-FOR-US: Foxit CVE-2015-8579 (Kaspersky Total Security 2015 15.0.2.361 allocates memory with Read, ...) - TODO: check + NOT-FOR-US: Kaspersky CVE-2015-8578 (AVG Internet Security 2015 allocates memory with Read, Write, Execute ...) - TODO: check + NOT-FOR-US: AVG CVE-2015-8577 (The Buffer Overflow Protection (BOP) feature in McAfee VirusScan ...) - TODO: check + NOT-FOR-US: McAfee CVE-2015-8576 RESERVED CVE-2015-8574 
@@ -413,28 +413,28 @@ [squeeze] - xen (Unsupported in Squeeze LTS) NOTE: http://xenbits.xen.org/xsa/advisory-166.html CVE-2015-8572 (Multiple buffer overflows in Autodesk Design Review (ADR) before 2013 ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2015-8571 (Integer overflow in Autodesk Design Review (ADR) before 2013 Hotfix 2 ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2015-8570 (The password reset functionality in Lepide Active Directory Self ...) - TODO: check + NOT-FOR-US: Lepide CVE-2015-8575 [sco_sock_bind issue] RESERVED - linux - linux-2.6 NOTE: pstream commit (not yet in Linus tree): http://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=5233252fce714053f0151680933571a2da9cbfb4 CVE-2015-8566 (The Session package 1.x before 1.3.1 for Joomla! Framework allows ...) - TODO: check + NOT-FOR-US: Session package for Joomla CVE-2015-8565 (Directory traversal vulnerability in Joomla! 3.2.0 through 3.3.x and ...) - TODO: check + NOT-FOR-US: Joomla CVE-2015-8564 (Directory traversal vulnerability in Joomla! 3.4.x before 3.4.6 allows ...) - TODO: check + NOT-FOR-US: Joomla CVE-2015-8563 (Cross-site request forgery (CSRF) vulnerability in the com_templates ...) - TODO: check + NOT-FOR-US: Joomla CVE-2015-8562 (Joomla! 1.5.x, 2.x, and 3.x before 3.4.6 allow remote attackers to ...) - TODO: check + NOT-FOR-US: Joomla CVE-2015-8561 (The F1BookView ActiveX control in F1 Bookview in Schneider Electric ...) - TODO: check + NOT-FOR-US: F1BookView CVE-2015-8555 [information leak in legacy x86 FPU/XMM initialization] RESERVED - xen 
@@ -2279,7 +2279,7 @@ CVE-2015-8421 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) NOT-FOR-US: Adobe Flash CVE-2015-8420 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8419 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) NOT-FOR-US: Adobe Flash CVE-2015-8418 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) @@ -2295,7 +2295,7 @@ CVE-2015-8413 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) NOT-FOR-US: Adobe Flash CVE-2015-8412 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8411 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) NOT-FOR-US: Adobe Flash CVE-2015-8410 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) @@ -2424,9 +2424,9 @@ CVE-2015-8359 RESERVED CVE-2015-8358 (Directory traversal vulnerability in the bitrix.mpbuilder module ...) - TODO: check + NOT-FOR-US: Bitrix CVE-2015-8357 (Directory traversal vulnerability in the bitrix.xscan module before ...) - TODO: check + NOT-FOR-US: Bitrix CVE-2015-8356 RESERVED CVE-2015-8355 @@ -2756,7 +2756,7 @@ CVE-2015-8248 RESERVED CVE-2015-8247 (Cross-site scripting (XSS) vulnerability in synnefoclient in Synnefo ...) - TODO: check + NOT-FOR-US: Synnefo CVE-2015-8246 RESERVED CVE-2015-8245 @@ -3716,7 +3716,7 @@ CVE-2015-7919 RESERVED CVE-2015-7918 (Multiple buffer overflows in the F1BookView ActiveX control in F1 ...) - TODO: check + NOT-FOR-US: F1BookView CVE-2015-7917 RESERVED CVE-2015-7916 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38341 - data/DSA
Author: mgilbert Date: 2015-12-16 03:04:55 + (Wed, 16 Dec 2015) New Revision: 38341 Modified: data/DSA/list Log: new libv8 issue was fixed in chromium dsa Modified: data/DSA/list === --- data/DSA/list 2015-12-15 22:33:39 UTC (rev 38340) +++ data/DSA/list 2015-12-16 03:04:55 UTC (rev 38341) @@ -6,7 +6,7 @@ {CVE-2015-8560} [jessie] - cups-filters 1.0.61-5+deb8u3 [14 Dec 2015] DSA-3418-1 chromium-browser - security update - {CVE-2015-6788 CVE-2015-6789 CVE-2015-6790 CVE-2015-6791} + {CVE-2015-6788 CVE-2015-6789 CVE-2015-6790 CVE-2015-6791 CVE-2015-8548} [jessie] - chromium-browser 47.0.2526.80-1~deb8u1 [14 Dec 2015] DSA-3417-1 bouncycastle - security update {CVE-2015-7940} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38291 - data/CVE
Author: mgilbert Date: 2015-12-15 03:25:08 + (Tue, 15 Dec 2015) New Revision: 38291 Modified: data/CVE/list Log: chromium issue fixed Modified: data/CVE/list === --- data/CVE/list 2015-12-15 03:05:47 UTC (rev 38290) +++ data/CVE/list 2015-12-15 03:25:08 UTC (rev 38291) @@ -9206,7 +9206,7 @@ NOTE: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b6878d9e03043695dbf3fa1caa6dfc09db225b16 (v4.2-rc6) NOTE: http://www.openwall.com/lists/oss-security/2015/07/28/2 CVE-2015- [chromium url spoofing issue] - - chromium-browser (low) + - chromium-browser 47.0.2526.73-1 (low) [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
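Review bot: the entry being marked fixed still carries the placeholder id "CVE-2015-" (no number assigned), so the "[jessie] - chromium-browser (minor issue)" line below the changed line should be revisited once the id is known: 47.0.2526.73-1 is the version that went to jessie as 47.0.2526.73-1~deb8u1 under DSA-3415-1 (see the r38197 DSA hunk on this page), so the jessie marker would then either become that fixed version with the id added to the DSA-3415-1 set, or stay as an explicit no-dsa decision.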
[Secure-testing-commits] r38290 - data/CVE
Author: mgilbert Date: 2015-12-15 03:05:47 + (Tue, 15 Dec 2015) New Revision: 38290 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2015-12-15 02:11:56 UTC (rev 38289) +++ data/CVE/list 2015-12-15 03:05:47 UTC (rev 38290) @@ -16,7 +16,7 @@ NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/12/14/6 TODO: check CVE-2015-8548 (Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as ...) - TODO: check + - chromium-browser 47.0.2526.80-1 CVE-2015-8546 RESERVED CVE-2015-8545 @@ -1146,11 +1146,11 @@ CVE-2015-8508 RESERVED CVE-2015-8507 (mediaserver in Android 6.0 before 2015-12-01 allows remote attackers ...) - TODO: check + - android (bug #459219) CVE-2015-8506 (mediaserver in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 ...) - TODO: check + - android (bug #459219) CVE-2015-8505 (mediaserver in Android before 5.1.1 LMY48Z allows remote attackers to ...) - TODO: check + - android (bug #459219) CVE-2015-8503 RESERVED CVE-2015-8502 @@ -1194,7 +1194,7 @@ CVE-2015-8483 RESERVED CVE-2015-8482 (Blue Coat Unified Agent before 4.6.2 does not prevent modification of ...) - TODO: check + NOT-FOR-US: Blue Coat Unified Agent CVE-2015-8481 RESERVED CVE-2015-8504 [vnc: avoid floating point exception] @@ -1608,11 +1608,12 @@ CVE-2016-0001 RESERVED CVE-2015-8480 (The VideoFramePool::PoolImpl::CreateFrame function in ...) - TODO: check + - chromium-browser 47.0.2526.73-1 CVE-2015-8479 (Use-after-free vulnerability in the ...) - TODO: check + - chromium-browser 47.0.2526.73-1 CVE-2015-8478 (Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23, as ...) - TODO: check + - chromium-browser 47.0.2526-73-1 +- libv8 CVE-2015-8475 RESERVED CVE-2015-8471 
@@ -1685,119 +1686,119 @@ CVE-2015-8458 RESERVED CVE-2015-8457 (Stack-based buffer overflow in Adobe Flash Player before 18.0.0.268 ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8456 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8455 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8454 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8453 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8452 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8451 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8450 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8449 (Use-after-free vulnerability in the MovieClip object implementation in ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8448 (Use-after-free vulnerability in the DisplacementMapFilter object ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8447 (Use-after-free vulnerability in the Color object implementation in ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8446 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8445 (Integer overflow in the Shader filter implementation in Adobe Flash ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8444 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8443 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) 
- TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8442 (Use-after-free vulnerability in the MovieClip object implementation in ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8441 (Use-after-free vulnerability in Adobe Flash Player before 18.0.0.268 ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8440 (Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8439 (The SharedObject object implementation in Adobe Flash Player before ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8438 (Heap-based buffer overflow in Adobe Flash Player before 18.0.0.268 and ...) - TODO: check + NOT-FOR-US: Adobe Flash CVE-2015-8437 (Use-after-free vulnerability in the Selection object implementation in ...) - TODO
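Review bot: in the @@ -16 hunk, CVE-2015-8548 is set to "chromium-browser 47.0.2526.80-1", which is the version shipped to jessie under DSA-3418-1, but the DSA-3418-1 CVE set is not extended in this commit (r38341 on this page does it later); in the same pass, note that CVE-2015-8548 has the same "Multiple unspecified vulnerabilities in Google V8 before 4.7.80.23" description as CVE-2015-8478, which receives a libv8 entry in the @@ -1608 hunk, so CVE-2015-8548 most likely needs the same "- libv8" line.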
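Review bot: in the @@ -1608 hunk the new line "+ - chromium-browser 47.0.2526-73-1" for CVE-2015-8478 has a hyphen where the adjacent CVE-2015-8479/8480 entries use "47.0.2526.73-1"; the tracker will not compare this string as the intended Debian version, so it should be "47.0.2526.73-1". The added "+- libv8" line also sits at column 0 rather than under the indentation the other package lines use.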
[Secure-testing-commits] r38289 - data/DSA
Author: mgilbert Date: 2015-12-15 02:11:56 + (Tue, 15 Dec 2015) New Revision: 38289 Modified: data/DSA/list Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2015-12-14 21:18:47 UTC (rev 38288) +++ data/DSA/list 2015-12-15 02:11:56 UTC (rev 38289) @@ -1,3 +1,6 @@ +[14 Dec 2015] DSA-3418-1 chromium-browser - security update + {CVE-2015-6788 CVE-2015-6789 CVE-2015-6790 CVE-2015-6791} + [jessie] - chromium-browser 47.0.2526.80-1~deb8u1 [14 Dec 2015] DSA-3417-1 bouncycastle - security update {CVE-2015-7940} [wheezy] - bouncycastle 1.44+dfsg-3.1+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r38197 - in data: . CVE DSA
Author: mgilbert Date: 2015-12-10 01:59:58 + (Thu, 10 Dec 2015) New Revision: 38197 Modified: data/CVE/list data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/CVE/list === --- data/CVE/list 2015-12-09 21:45:33 UTC (rev 38196) +++ data/CVE/list 2015-12-10 01:59:58 UTC (rev 38197) @@ -5501,9 +5501,7 @@ [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-6783 (The FindStartOffsetOfFileInZipFile function in crazy_linker_zip.cpp in ...) - - chromium-browser 47.0.2526.73-1 - [wheezy] - chromium-browser - [squeeze] - chromium-browser + - chromium-browser (android only) CVE-2015-6782 (The Document::open function in WebKit/Source/core/dom/Document.cpp in ...) - chromium-browser 47.0.2526.73-1 [wheezy] - chromium-browser Modified: data/DSA/list === --- data/DSA/list 2015-12-09 21:45:33 UTC (rev 38196) +++ data/DSA/list 2015-12-10 01:59:58 UTC (rev 38197) @@ -1,3 +1,6 @@ +[09 Dec 2015] DSA-3415-1 chromium-browser - security update + {CVE-2015-1302 CVE-2015-6764 CVE-2015-6765 CVE-2015-6766 CVE-2015-6767 CVE-2015-6768 CVE-2015-6769 CVE-2015-6770 CVE-2015-6771 CVE-2015-6772 CVE-2015-6773 CVE-2015-6774 CVE-2015-6775 CVE-2015-6776 CVE-2015-6777 CVE-2015-6778 CVE-2015-6779 CVE-2015-6780 CVE-2015-6781 CVE-2015-6782 CVE-2015-6784 CVE-2015-6785 CVE-2015-6786} + [jessie] - chromium-browser 47.0.2526.73-1~deb8u1 [09 Dec 2015] DSA-3414-1 xen - security update {CVE-2015-3259 CVE-2015-3340 CVE-2015-5307 CVE-2015-6654 CVE-2015-7311 CVE-2015-7812 CVE-2015-7813 CVE-2015-7814 CVE-2015-7969 CVE-2015-7970 CVE-2015-7971 CVE-2015-7972 CVE-2015-8104} [jessie] - xen 4.4.1-9+deb8u3 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-12-09 21:45:33 UTC (rev 38196) +++ data/dsa-needed.txt 2015-12-10 01:59:58 UTC (rev 38197) 
@@ -19,8 +19,6 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -chromium-browser --- icedtea-web -- imagemagick/oldstable ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
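Review bot: in the @@ -5501 hunk, CVE-2015-6783 loses its fixed version and its wheezy/squeeze lines and becomes "- chromium-browser (android only)"; elsewhere on this page a package line without a version denotes an unfixed issue (compare the "(low)" to "47.0.2526.73-1 (low)" changes in r38291 and r36458), so this will show the CVE as open in unstable. If the intent is that Debian's build is not affected, use the tracker's "<not-affected>" pseudo-version with the note, e.g. "- chromium-browser <not-affected> (android only)". The DSA-3415-1 set in the same commit correctly omits CVE-2015-6783, which is consistent with that intent.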
[Secure-testing-commits] r37206 - in data: . DSA
Author: mgilbert Date: 2015-10-21 03:18:48 + (Wed, 21 Oct 2015) New Revision: 37206 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2015-10-20 21:10:11 UTC (rev 37205) +++ data/DSA/list 2015-10-21 03:18:48 UTC (rev 37206) @@ -1,3 +1,6 @@ +[20 Oct 2015] DSA-3376-1 chromium-browser - security update + {CVE-2015-1303 CVE-2015-1304 CVE-2015-6755 CVE-2015-6756 CVE-2015-6757 CVE-2015-6758 CVE-2015-6759 CVE-2015-6760 CVE-2015-6761 CVE-2015-6762 CVE-2015-6763} + [jessie] - chromium-browser 46.0.2490.71-1~deb8u1 [19 Oct 2015] DSA-3375-1 wordpress - security update {CVE-2015-5714 CVE-2015-5715} [jessie] - wordpress 4.1+dfsg-1+deb8u5 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-10-20 21:10:11 UTC (rev 37205) +++ data/dsa-needed.txt 2015-10-21 03:18:48 UTC (rev 37206) @@ -19,8 +19,6 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -chromium-browser/stable (mgilbert) --- elasticsearch -- freeimage ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36869 - data/CVE
Author: mgilbert Date: 2015-09-27 18:28:41 + (Sun, 27 Sep 2015) New Revision: 36869 Modified: data/CVE/list Log: mark chromium SOP issues as no-dsa Modified: data/CVE/list === --- data/CVE/list 2015-09-27 18:21:44 UTC (rev 36868) +++ data/CVE/list 2015-09-27 18:28:41 UTC (rev 36869) @@ -16935,6 +16935,7 @@ CVE-2015-1304 RESERVED - chromium-browser 45.0.2454.101-1 + [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant) @@ -16942,6 +16943,7 @@ CVE-2015-1303 RESERVED - chromium-browser 45.0.2454.101-1 + [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1302 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r36868 - data/CVE
Author: mgilbert Date: 2015-09-27 18:21:44 + (Sun, 27 Sep 2015) New Revision: 36868 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2015-09-27 17:20:12 UTC (rev 36867) +++ data/CVE/list 2015-09-27 18:21:44 UTC (rev 36868) @@ -1873,9 +1873,9 @@ CVE-2015-6549 RESERVED CVE-2015-6548 (Multiple SQL injection vulnerabilities in a PHP script in the ...) - TODO: check + NOT-FOR-US: Symantec Web Gateway CVE-2015-6547 (The management console on Symantec Web Gateway (SWG) appliances with ...) - TODO: check + NOT-FOR-US: Semantec Web Gateway CVE-2015-6546 RESERVED CVE-2015-6545 (Cross-site request forgery (CSRF) vulnerability in ajax.php in Cerb ...) @@ -2100,9 +2100,9 @@ CVE-2015-6476 RESERVED CVE-2015-6475 (Multiple cross-site scripting (XSS) vulnerabilities in IBC Solar ...) - TODO: check + NOT-FOR-US: ServeMaster CVE-2015-6474 (IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allow remote attackers ...) - TODO: check + NOT-FOR-US: ServeMaster CVE-2015-6473 RESERVED CVE-2015-6472 @@ -2110,11 +2110,11 @@ CVE-2015-6471 RESERVED CVE-2015-6470 (Resource Data Management Data Manager before 2.2 allows remote ...) - TODO: check + NOT-FOR-US: Resource Data Manager CVE-2015-6469 (The interpreter in IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ ...) - TODO: check + NOT-FOR-US: ServerMaster CVE-2015-6468 (Cross-site request forgery (CSRF) vulnerability in Resource Data ...) - TODO: check + NOT-FOR-US: Resource Data Manager CVE-2015-6467 RESERVED CVE-2015-6466 (Cross-site scripting (XSS) vulnerability in the Diagnosis Ping feature ...) 
@@ -2130,19 +2130,19 @@ CVE-2015-6461 RESERVED CVE-2015-6460 (Multiple heap-based buffer overflows in 3S-Smart CODESYS Gateway ...) - TODO: check + NOT-FOR-US: CODESYS Gateway Server CVE-2015-6459 (Absolute path traversal vulnerability in the download feature in ...) - TODO: check + NOT-FOR-US: FileDownloadServlet CVE-2015-6458 RESERVED CVE-2015-6457 RESERVED CVE-2015-6456 (GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before ...) - TODO: check + NOT-FOR-US: PulseNET CVE-2015-6455 RESERVED CVE-2015-6454 (Everest PeakHMI before 8.7.0.2, when the video server is used, allows ...) - TODO: check + NOT-FOR-US: PeakHMI CVE-2015-6453 RESERVED CVE-2015-6452 
@@ -2438,31 +2438,31 @@ CVE-2015-6307 RESERVED CVE-2015-6306 (Cisco AnyConnect Secure Mobility Client 4.1(8) on OS X and Linux does ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6305 (Untrusted search path vulnerability in the ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6304 (Cross-site request forgery (CSRF) vulnerability in Cisco TelePresence ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6303 (The Cisco Spark application 2015-07-04 for mobile operating systems ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6302 (The RADIUS functionality on Cisco Wireless LAN Controller (WLC) ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6301 (The DHCPv6 server in Cisco IOS on ASR 9000 devices with software 5.2.0 ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6300 (Cisco Secure Access Control Server (ACS) Solution Engine 5.7(0.15) ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6299 (SQL injection vulnerability in the web interface in Cisco Unity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6298 RESERVED CVE-2015-6297 (The DHCPv6 server in Cisco IOS on ASR 9000 devices with software 5.2.0 ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6296 (Cisco Prime Network Registrar (CPNR) 8.1(3.3), 8.2(3), and 8.3(2) has ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6295 (Cisco NX-OS 6.1(2)I3(4) and 7.0(3)I1(1) on Nexus 9000 (N9K) devices ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6294 (Cisco IOS 15.2(3)E and earlier and IOS XE 3.6(2)E and earlier allow ...) - TODO: check + NOT-FOR-US: Cisco CVE-2015-6293 RESERVED CVE-2015-6292 @@ -2549,7 +2549,8 @@ CVE-2015-6253 RESERVED CVE-2014-9743 (Cross-site scripting (XSS) vulnerability in the httpd_HtmlError ...) - TODO: check + - vlc 2.2.1-4 + NOTE: might be fixed earlier, but this was the version checked CVE-2015-6526 (The perf_callchain_user_64 function in arch/powerpc/perf/callchain.c ...) - linux 4.1.3-1 [jessie] - linux 3.16.7-ckt11-1 
@@ -2569,7 +2570,7 @@ CVE-2015-6239 RESERVED CVE-2015-6238 (Multiple cross-site scripting (XSS) vulnerabilities in the Google ...) - TODO: check + NOT-FOR-US: Google Analyticator plugin for WordPress CVE-2015-6237 RESERVED CV
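Review bot: two of the new NOT-FOR-US labels in the @@ -1873 and @@ -2110 hunks are misspelled and will hamper later searches: CVE-2015-6547 gets "NOT-FOR-US: Semantec Web Gateway" while the preceding CVE-2015-6548 uses "Symantec Web Gateway", and CVE-2015-6469 gets "NOT-FOR-US: ServerMaster" while CVE-2015-6475/6474 use "ServeMaster", matching the "IBC Solar ServeMaster" in the descriptions. Use "Symantec Web Gateway" and "ServeMaster" for all of them.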
[Secure-testing-commits] r36838 - data/CVE
Author: mgilbert Date: 2015-09-25 20:45:45 + (Fri, 25 Sep 2015) New Revision: 36838 Modified: data/CVE/list Log: nfus and a few already fixed chromium issues Modified: data/CVE/list === --- data/CVE/list 2015-09-25 16:27:12 UTC (rev 36837) +++ data/CVE/list 2015-09-25 20:45:45 UTC (rev 36838) @@ -44,7 +44,7 @@ CVE-2015-7315 RESERVED CVE-2015-7310 (McAfee Enterprise Security Manager (ESM), Enterprise Security ...) - TODO: check + NOT-FOR-US: McAfee CVE-2015-7309 (The theme editor in Bolt before 2.2.5 does not check the file ...) TODO: check CVE-2015-7314 @@ -194,7 +194,7 @@ CVE-2015-7244 RESERVED CVE-2015-7243 (Buffer overflow in Boxoft WAV to MP3 Converter allows remote attackers ...) - TODO: check + NOT-FOR-US: Boxoft CVE-2015-7242 RESERVED CVE-2015-7241 @@ -202,11 +202,11 @@ CVE-2015-7240 RESERVED CVE-2015-7239 (SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function ...) - TODO: check + NOT-FOR-US: J2EE CVE-2015-7238 (The Secondary server in Threat Intelligence Exchange (TIE) before ...) - TODO: check + NOT-FOR-US: TIE CVE-2015-7237 (Directory traversal vulnerability in the remote log viewing ...) - TODO: check + NOT-FOR-US: McAfee CVE-2015-7235 (Multiple SQL injection vulnerabilities in dex_reservations.php in the ...) NOT-FOR-US: CP Reservation Calendar plugin for WordPress CVE-2015-7234 (The OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF ...) 
@@ -760,29 +760,29 @@ CVE-2015-6974 RESERVED CVE-2015-6973 (Multiple cross-site request forgery (CSRF) vulnerabilities in Ignite ...) - TODO: check + NOT-FOR-US: Openfire CVE-2015-6972 (Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime ...) - TODO: check + NOT-FOR-US: Openfire CVE-2015-6971 RESERVED CVE-2015-6970 RESERVED CVE-2015-6969 (Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 ...) - TODO: check + NOT-FOR-US: Serendipity CVE-2015-6968 (Multiple incomplete blacklist vulnerabilities in the ...) - TODO: check + NOT-FOR-US: Serendipity CVE-2015-6967 (Unrestricted file upload vulnerability in the My Image plugin in ...) - TODO: check + NOT-FOR-US: Nibbleblog CVE-2015-6966 (Multiple cross-site request forgery (CSRF) vulnerabilities in ...) - TODO: check + NOT-FOR-US: Nibbleblog CVE-2015-6965 (Multiple cross-site request forgery (CSRF) vulnerabilities in the ...) - TODO: check + NOT-FOR-US: Contact Form Generator plugin for WordPress CVE-2015-6964 RESERVED CVE-2015-6963 RESERVED CVE-2015-6962 (SQL injection vulnerability in the web application in Farol allows ...) - TODO: check + NOT-FOR-US: Farol CVE-2015-7236 [remote triggerable use-after-free in rpcbind] RESERVED {DSA-3366-1 DLA-311-1} @@ -834,7 +834,7 @@ CVE-2015-6941 RESERVED CVE-2015-6940 (The GetResource servlet in Pentaho Business Analytics (BA) Suite ...) - TODO: check + NOT-FOR-US: Pentaho CVE-2015- [ross-site scripting vulnerability in the user list table] - wordpress 4.3.1+dfsg-1 (bug #799140) NOTE: https://github.com/WordPress/WordPress/commit/f91a5fd10ea7245e5b41e288624819a37adf290a @@ -847,7 +847,7 @@ [experimental] - bouncycastle 1.51-1 NOTE: http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html CVE-2015-6939 (Cross-site scripting (XSS) vulnerability in the login module in ...) - TODO: check + NOT-FOR-US: Joomla CVE-2015-6936 RESERVED CVE-2015-6935 
@@ -857,7 +857,7 @@ CVE-2015-6933 RESERVED CVE-2015-6932 (VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify ...) - TODO: check + NOT-FOR-US: VMware CVE-2015-6931 RESERVED CVE-2014-9745 (The parse_encoding function in type1/t1load.c in FreeType before 2.5.3 ...) @@ -871,7 +871,7 @@ CVE-2015-6930 RESERVED CVE-2015-6929 (Multiple cross-site scripting (XSS) vulnerabilities in Nokia Networks ...) - TODO: check + NOT-FOR-US: Nokia CVE-2015-6928 RESERVED CVE-2015-6926 @@ -1102,7 +1102,7 @@ CVE-2015-6829 (Multiple SQL injection vulnerabilities in the getip function in ...) NOT-FOR-US: getip function in wp-limit-login-attempts.php in the WP Limit Login Attempts plugin for WordPress CVE-2015-6828 (The tweet_info function in class/__functions.php in the SecureMoz ...) - TODO: check + NOT-FOR-US: SecureMoz plugin CVE-2015-6827 (Cross-site request forgery (CSRF) vulnerability in Auto-Exchanger ...) NOT-FOR-US: Auto-Exchanger CVE-2015-6826 (The ff_rv34_decode_init_thread_copy function in libavcodec/rv34.c in ...) @@ -1154,9 +1154,9 @@ CVE-2015-6809 (Multiple cross-site scripting (XSS)
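Review bot: in the @@ -202 hunk the labels "NOT-FOR-US: J2EE" (CVE-2015-7239) and "NOT-FOR-US: TIE" (CVE-2015-7238) identify a platform and a bare acronym rather than a product; the visible description for CVE-2015-7238 already names it as "Threat Intelligence Exchange (TIE)", so use that, and for CVE-2015-7239 name the affected product rather than the platform so the entry can be found again when the next issue in the same software appears.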
[Secure-testing-commits] r36458 - data/CVE
Author: mgilbert Date: 2015-09-03 22:48:27 + (Thu, 03 Sep 2015) New Revision: 36458 Modified: data/CVE/list Log: chromium fixed Modified: data/CVE/list === --- data/CVE/list 2015-09-03 19:19:12 UTC (rev 36457) +++ data/CVE/list 2015-09-03 22:48:27 UTC (rev 36458) 
@@ -15424,67 +15424,67 @@ CVE-2015-1301 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1300 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1299 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1298 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1297 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1296 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1295 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1294 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1293 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1292 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1291 RESERVED {DSA-3351-1} - - chromium-browser (low) + - chromium-browser 45.0.2454.85-1 (low) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1290 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
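Review bot: every entry in this hunk keeps the context reference "{DSA-3351-1}", but the DSA list hunk in r36431 on this page records the chromium-browser 45.0.2454.85-1~deb8u1 update covering CVE-2015-1291 through CVE-2015-1301 as "DSA-3350-1"; one of the two is wrong, and since the tracker links fixed versions to advisories through these references the CVE list and DSA list should be reconciled to the advisory number that was actually published.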
[Secure-testing-commits] r36431 - in data: . DSA
Author: mgilbert Date: 2015-09-03 03:04:02 + (Thu, 03 Sep 2015) New Revision: 36431 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2015-09-02 21:23:49 UTC (rev 36430) +++ data/DSA/list 2015-09-03 03:04:02 UTC (rev 36431) @@ -1,3 +1,6 @@ +[02 Sep 2015] DSA-3350-1 chromium-browser - security update + {CVE-2015-1291 CVE-2015-1292 CVE-2015-1293 CVE-2015-1294 CVE-2015-1295 CVE-2015-1296 CVE-2015-1297 CVE-2015-1298 CVE-2015-1299 CVE-2015-1300 CVE-2015-1301} + [jessie] - chromium-browser 45.0.2454.85-1~deb8u1 [02 Sep 2015] DSA-3349-1 qemu-kvm - security update {CVE-2015-5165 CVE-2015-5745} [wheezy] - qemu-kvm 1.1.2+dfsg-6+deb7u9 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-09-02 21:23:49 UTC (rev 36430) +++ data/dsa-needed.txt 2015-09-03 03:04:02 UTC (rev 36431) @@ -19,8 +19,6 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -chromium-browser --- eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35943 - data
Author: mgilbert Date: 2015-08-09 02:57:38 + (Sun, 09 Aug 2015) New Revision: 35943 Modified: data/embedded-code-copies Log: chromium will be switching back to embedded srtp Modified: data/embedded-code-copies === --- data/embedded-code-copies 2015-08-08 14:11:44 UTC (rev 35942) +++ data/embedded-code-copies 2015-08-09 02:57:38 UTC (rev 35943) @@ -2791,8 +2791,8 @@ NOTE: upstream scrypt does not provide a shared library/API srtp - - chromium-browser (modified-embed) - NOTE: discussed in #770659 + - chromium-browser (embed) + NOTE: http://crbug.com/501318 - qutecom - asterisk (embed) - gst-plugins-bad1.0 (embed) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
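Review bot: the hunk replaces "NOTE: discussed in #770659" with "NOTE: http://crbug.com/501318", dropping the Debian bug reference that documents why the srtp copy was previously tracked as modified-embed; keep both NOTE lines so the history of the decision stays reachable from the embedded-code-copies entry.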
[Secure-testing-commits] r35715 - data/CVE
Author: mgilbert Date: 2015-07-26 03:29:57 + (Sun, 26 Jul 2015) New Revision: 35715 Modified: data/CVE/list Log: add an unfixed chromium issue Modified: data/CVE/list === --- data/CVE/list 2015-07-25 22:36:14 UTC (rev 35714) +++ data/CVE/list 2015-07-26 03:29:57 UTC (rev 35715) @@ -1,3 +1,9 @@ +CVE-2015- [chromium url spoofing issue] + - chromium-browser (low) + [jessie] - chromium-browser (minor issue) + [wheezy] - chromium-browser + [squeeze] - chromium-browser + NOTE: http://crbug.com/497588 CVE-2015- [Shibboleth SP software crashes on well-formed but invalid XML] - xmltooling NOTE: http://shibboleth.net/community/advisories/secadv_20150721.txt ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35714 - data/CVE
Author: mgilbert Date: 2015-07-25 22:36:14 + (Sat, 25 Jul 2015) New Revision: 35714 Modified: data/CVE/list Log: more nfus Modified: data/CVE/list === --- data/CVE/list 2015-07-25 21:37:10 UTC (rev 35713) +++ data/CVE/list 2015-07-25 22:36:14 UTC (rev 35714) @@ -466,19 +466,19 @@ CVE-2015-5458 (Session fixation vulnerability in fileupload.php in PivotX before ...) NOT-FOR-US: PivotX CVE-2015-5457 (PivotX before 2.3.11 does not validate the new file extension when ...) - TODO: check + NOT-FOR-US: PivotX CVE-2015-5456 (Cross-site scripting (XSS) vulnerability in the form method in ...) - TODO: check + NOT-FOR-US: PivotX CVE-2015-5455 (Cross-site scripting (XSS) vulnerability in X-Cart 4.5.0 and earlier ...) - TODO: check + NOT-FOR-US: X-cart CVE-2015-5454 (Cross-site scripting (XSS) vulnerability in Nucleus CMS 3.65 allows ...) - TODO: check + NOT-FOR-US: Nucleus CMS CVE-2015-5453 (Watchguard XCS 9.2 and 10.0 before build 150522 allow remote ...) - TODO: check + NOT-FOR-US: Watchguard XCS CVE-2015-5452 (SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before ...) - TODO: check + NOT-FOR-US: Watchguard XCS CVE-2014-9741 (Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for ...) - TODO: check + NOT-FOR-US: ArcGIS CVE-2015-5451 RESERVED CVE-2015-5450 @@ -606,7 +606,7 @@ CVE-2015-5387 RESERVED CVE-2015-5386 (Siemens SICAM MIC devices with firmware before 2404 allow remote ...) - TODO: check + NOT-FOR-US: Siemens CVE-2015-5385 RESERVED CVE-2015-5384 @@ -626,13 +626,13 @@ CVE-2015-5375 RESERVED CVE-2015-5374 (The EN100 module with firmware before 4.25 for Siemens SIPROTEC 4 and ...) - TODO: check + NOT-FOR-US: Siemens CVE-2015-5373 RESERVED CVE-2015-5372 RESERVED CVE-2015-5371 (The AuthenticationFilter class in SolarWinds Storage Manager allows ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2015-5370 RESERVED CVE-2015-5369 
@@ -642,13 +642,13 @@ CVE-2015-5367 RESERVED CVE-2014-9740 (Cross-site scripting (XSS) vulnerability in the Rules Link module ...) - TODO: check + NOT-FOR-US: Rules Link module for Drupal CVE-2014-9739 (Cross-site scripting (XSS) vulnerability in the Node Field module ...) - TODO: check + NOT-FOR-US: Node Field module for Drupal CVE-2014-9738 (Multiple cross-site scripting (XSS) vulnerabilities in the Tournament ...) - TODO: check + NOT-FOR-US: Tournament module for Drupal CVE-2014-9737 (Open redirect vulnerability in the Language Switcher Dropdown module ...) - TODO: check + NOT-FOR-US: Language Switcher Dropdown module for Drupal CVE-2014-9736 RESERVED CVE-2013-7442 @@ -731,19 +731,19 @@ CVE-2015-5365 (Cross-site scripting (XSS) vulnerability in Zurmo CRM 3.0.2 allows ...) NOT-FOR-US: Zurmo CRM CVE-2015-5363 (The SRX Network Security Daemon (nsd) in Juniper SRX Series services ...) - TODO: check + NOT-FOR-US: Juniper CVE-2015-5362 (The BFD daemon in Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 ...) - TODO: check + NOT-FOR-US: Juniper CVE-2015-5361 RESERVED CVE-2015-5360 (IPv6 sendd in Juniper Junos 12.1X44 before 12.1X44-D51, 12.1X46 before ...) - TODO: check + NOT-FOR-US: Juniper CVE-2015-5359 (Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before ...) - TODO: check + NOT-FOR-US: Juniper CVE-2015-5358 (Juniper Junos OS 12.1X44 before 12.1X44-D50, 12.1X46 before ...) - TODO: check + NOT-FOR-US: Juniper CVE-2015-5357 (The Juniper EX4600, QFX3500, QFX3600, and QFX5100 switches with Junos ...) - TODO: check + NOT-FOR-US: Juniper CVE-2015-5356 (Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in ...) NOT-FOR-US: GetSimple CMS CVE-2015-5355 (Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS ...) 
@@ -1232,9 +1232,9 @@ CVE-2015-5122 (Use-after-free vulnerability in the DisplayObject class in the ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5121 (Adobe Shockwave Player before 12.1.9.159 allows attackers to execute ...) - TODO: check + NOT-FOR-US: Shockwave CVE-2015-5120 (Adobe Shockwave Player before 12.1.9.159 allows attackers to execute ...) - TODO: check + NOT-FOR-US: Shockwave CVE-2015-5119 (Use-after-free vulnerability in the ByteArray class in the ...) NOT-FOR-US: Adobe Flash Player CVE-2015-5118 (Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and ...) @@ -1312,7 +1312,7 @@ CVE-2015-5082 RESERVED CVE-2015-5080 (The Management Interface in Citrix NetScaler Application Delivery ...) - TODO: check + NOT-FOR-US: Citrix CVE-2015-5079 RESERVED
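Review bot: in the @@ -466 hunk the label for CVE-2015-5455 is "NOT-FOR-US: X-cart" while the description spells the product "X-Cart"; matching the upstream spelling keeps these labels greppable across entries, as the "PivotX" and "Watchguard XCS" labels in the same hunk already do.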
[Secure-testing-commits] r35713 - data/DSA
Author: mgilbert Date: 2015-07-25 21:37:10 + (Sat, 25 Jul 2015) New Revision: 35713 Modified: data/DSA/list Log: fix missing fixed chromium CVEs Modified: data/DSA/list === --- data/DSA/list 2015-07-25 21:10:15 UTC (rev 35712) +++ data/DSA/list 2015-07-25 21:37:10 UTC (rev 35713) @@ -6,7 +6,7 @@ [wheezy] - openjdk-7 7u79-2.5.6-1~deb7u1 [jessie] - openjdk-7 7u79-2.5.6-1~deb8u1 [23 Jul 2015] DSA-3315-1 chromium-browser - security update - {CVE-2015-1270 CVE-2015-1271 CVE-2015-1272 CVE-2015-1273 CVE-2015-1274 CVE-2015-1276 CVE-2015-1277 CVE-2015-1278 CVE-2015-1279 CVE-2015-1280 CVE-2015-1281 CVE-2015-1282 CVE-2015-1283 CVE-2015-1284 CVE-2015-1285 CVE-2015-1286 CVE-2015-1287 CVE-2015-1288 CVE-2015-1289} + {CVE-2015-1266 CVE-2015-1267 CVE-2015-1268 CVE-2015-1269 CVE-2015-1270 CVE-2015-1271 CVE-2015-1272 CVE-2015-1273 CVE-2015-1274 CVE-2015-1276 CVE-2015-1277 CVE-2015-1278 CVE-2015-1279 CVE-2015-1280 CVE-2015-1281 CVE-2015-1282 CVE-2015-1283 CVE-2015-1284 CVE-2015-1285 CVE-2015-1286 CVE-2015-1287 CVE-2015-1288 CVE-2015-1289} [jessie] - chromium-browser 44.0.2403.89-1~deb8u1 [23 Jul 2015] DSA-3314-1 typo3-sec - end of life [wheezy] - typo3-src ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35711 - data/CVE
Author: mgilbert Date: 2015-07-25 20:49:45 + (Sat, 25 Jul 2015) New Revision: 35711 Modified: data/CVE/list Log: some nfus Modified: data/CVE/list === --- data/CVE/list 2015-07-25 15:34:55 UTC (rev 35710) +++ data/CVE/list 2015-07-25 20:49:45 UTC (rev 35711) @@ -34,9 +34,9 @@ NOTE: https://core.trac.wordpress.org/changeset/33359 TODO: check affected versions CVE-2015-5611 (Unspecified vulnerability in Uconnect 15.26.1, as used in certain Fiat ...) - TODO: check + NOT-FOR-US: Uconnect CVE-2015-5610 (The RSM (aka RSMWinService) service in SolarWinds N-Able N-Central ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2015-5609 RESERVED CVE-2015-5608 @@ -275,9 +275,9 @@ RESERVED NOT-FOR-US: WordPress plugin paid-memberships-pro CVE-2015-5530 (Multiple cross-site request forgery (CSRF) vulnerabilities in Free ...) - TODO: check + NOT-FOR-US: Free Reprintables CVE-2015-5529 (Multiple cross-site scripting (XSS) vulnerabilities in Free ...) - TODO: check + NOT-FOR-US: Free Reprintables CVE-2015-5528 (Cross-site scripting (XSS) vulnerability in the save_order function in ...) NOT-FOR-US: save_order function in class-floating-social-bar.php in the Floating Social Bar plugin for WordPress CVE-2015- [d-i uses preseed data from DHCP when installing from DVD] @@ -303,11 +303,11 @@ - elasticsearch 1.6.1+dfsg-1 (bug #792617) NOTE: https://www.elastic.co/blog/elasticsearch-1-7-0-and-1-6-1-released#security CVE-2015-5521 (Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows ...) - TODO: check + NOT-FOR-US: BlackCat CMS CVE-2015-5520 (Cross-site scripting (XSS) vulnerability in the Users module in ...) - TODO: check + NOT-FOR-US: BlackCat CMS CVE-2015-5519 (Cross-site scripting (XSS) vulnerability in the applyConvolution demo ...) - TODO: check + NOT-FOR-US: WideImage CVE-2015-5518 RESERVED CVE-2015-5517 
@@ -425,7 +425,7 @@ CVE-2015-5465 RESERVED CVE-2015-5464 (Unspecified vulnerability on the Gemalto SafeNet Luna HSM has unknown ...) - TODO: check + NOT-FOR-US: Gemalto CVE-2015-5463 RESERVED CVE-2015-5462 @@ -460,11 +460,11 @@ CVE-2015-5461 (Open redirect vulnerability in the Redirect function in ...) NOT-FOR-US: Redirect function in stageshow_redirect.php in the StageShow plugin for WordPress CVE-2015-5460 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + NOT-FOR-US: Snorby CVE-2015-5459 (SQL injection vulnerability in the AdvanceSearch.class in ...) - TODO: check + NOT-FOR-US: Password Manager Pro CVE-2015-5458 (Session fixation vulnerability in fileupload.php in PivotX before ...) - TODO: check + NOT-FOR-US: PivotX CVE-2015-5457 (PivotX before 2.3.11 does not validate the new file extension when ...) TODO: check CVE-2015-5456 (Cross-site scripting (XSS) vulnerability in the form method in ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
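Review bot: In the @@ -460,11 hunk CVE-2015-5457 (PivotX before 2.3.11) is left as "TODO: check" while the adjacent CVE-2015-5458, also PivotX, is changed to "NOT-FOR-US: PivotX"; the two entries describe the same software and should be triaged the same way, so either mark 5457 "NOT-FOR-US: PivotX" as well or note why it is being kept open.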
[Secure-testing-commits] r35662 - in data: CVE DSA
Author: mgilbert Date: 2015-07-23 22:53:34 + (Thu, 23 Jul 2015) New Revision: 35662 Modified: data/CVE/list data/DSA/list Log: chromium dsa Modified: data/CVE/list === --- data/CVE/list 2015-07-23 21:10:14 UTC (rev 35661) +++ data/CVE/list 2015-07-23 22:53:34 UTC (rev 35662) @@ -12353,7 +12353,6 @@ [squeeze] - chromium-browser CVE-2015-1276 (Use-after-free vulnerability in ...) - chromium-browser 44.0.2403.89-1 - - chromium-browser [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1275 (Cross-site scripting (XSS) vulnerability in ...) @@ -12380,22 +12379,18 @@ [squeeze] - chromium-browser CVE-2015-1269 (The DecodeHSTSPreloadRaw function in ...) - chromium-browser 43.0.2357.130-1 - [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1268 (bindings/scripts/v8_types.py in Blink, as used in Google Chrome before ...) - chromium-browser 43.0.2357.130-1 - [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1267 (Blink, as used in Google Chrome before 43.0.2357.130, does not ...) - chromium-browser 43.0.2357.130-1 - [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1266 (content/browser/webui/content_web_ui_controller_factory.cc in Google ...) - chromium-browser 43.0.2357.130-1 - [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1265 (Multiple unspecified vulnerabilities in Google Chrome before ...) Modified: data/DSA/list === --- data/DSA/list 2015-07-23 21:10:14 UTC (rev 35661) +++ data/DSA/list 2015-07-23 22:53:34 UTC (rev 35662) 
@@ -1,3 +1,6 @@ +[23 Jul 2015] DSA-3315-1 chromium-browser - security update + {CVE-2015-1270 CVE-2015-1271 CVE-2015-1272 CVE-2015-1273 CVE-2015-1274 CVE-2015-1276 CVE-2015-1277 CVE-2015-1278 CVE-2015-1279 CVE-2015-1280 CVE-2015-1281 CVE-2015-1282 CVE-2015-1283 CVE-2015-1284 CVE-2015-1285 CVE-2015-1286 CVE-2015-1287 CVE-2015-1288 CVE-2015-1289} + [jessie] - chromium-browser 44.0.2403.89-1~deb8u1 [23 Jul 2015] DSA-3314-1 typo3-sec - end of life [wheezy] - typo3-src [23 Jul 2015] DSA-3313-1 linux - security update ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
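Review bot: The DSA-3315-1 CVE set added in the data/DSA/list hunk starts at CVE-2015-1270, but the data/CVE/list hunk at @@ -12380,22 removes the "[jessie] - chromium-browser (minor issue)" tags from CVE-2015-1266 through CVE-2015-1269, which turns them into open jessie issues that this advisory resolves; those four IDs belong in the DSA's {...} set as well (r35713 above adds them afterwards).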
[Secure-testing-commits] r35177 - in data: . CVE
Author: mgilbert Date: 2015-06-26 22:24:02 + (Fri, 26 Jun 2015) New Revision: 35177 Modified: data/CVE/list data/dsa-needed.txt Log: new chromium issues are all minor Modified: data/CVE/list === --- data/CVE/list 2015-06-26 18:35:07 UTC (rev 35176) +++ data/CVE/list 2015-06-26 22:24:02 UTC (rev 35177) @@ -10536,21 +10536,25 @@ CVE-2015-1269 RESERVED - chromium-browser 43.0.2357.130-1 + [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1268 RESERVED - chromium-browser 43.0.2357.130-1 + [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1267 RESERVED - chromium-browser 43.0.2357.130-1 + [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1266 RESERVED - chromium-browser 43.0.2357.130-1 + [jessie] - chromium-browser (minor issue) [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2015-1265 (Multiple unspecified vulnerabilities in Google Chrome before ...) Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-06-26 18:35:07 UTC (rev 35176) +++ data/dsa-needed.txt 2015-06-26 22:24:02 UTC (rev 35177) @@ -19,8 +19,6 @@ aptdaemon For jessie-security compat layer for PackageKit needs to be dropped -- -chromium-browser --- eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
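Review bot: The four added "[jessie] - chromium-browser (minor issue)" lines spell the tag in lowercase, whereas the rest of the file uses "(Minor issue)" (see the e2fsprogs, shadow, perl and libsndfile entries in the later commits on this page); the parenthetical is free text so nothing fails to parse, but keep one spelling so searches for the tag stay consistent.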
[Secure-testing-commits] r35027 - data/CVE
Author: mgilbert Date: 2015-06-19 04:56:27 + (Fri, 19 Jun 2015) New Revision: 35027 Modified: data/CVE/list Log: add bug number Modified: data/CVE/list === --- data/CVE/list 2015-06-18 23:29:08 UTC (rev 35026) +++ data/CVE/list 2015-06-19 04:56:27 UTC (rev 35027) @@ -1,5 +1,5 @@ CVE-2015- [chromium hotword nacl blob downloading] - - chromium-browser 43.0.2357.124-1 + - chromium-browser 43.0.2357.124-1 (bug #786909) [jessie] - chromium-browser (a non-issue for incredibly so many reasons, see my comments at https://lwn.net/Articles/648392) [wheezy] - chromium-browser (introduced in chromium 43) NOTE: I plan to fix it during the dsa for the next round of chromium issues ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r35026 - data/CVE
Author: mgilbert Date: 2015-06-18 23:29:08 + (Thu, 18 Jun 2015) New Revision: 35026 Modified: data/CVE/list Log: chromium blob issue Modified: data/CVE/list === --- data/CVE/list 2015-06-18 21:10:16 UTC (rev 35025) +++ data/CVE/list 2015-06-18 23:29:08 UTC (rev 35026) @@ -1,3 +1,8 @@ +CVE-2015- [chromium hotword nacl blob downloading] + - chromium-browser 43.0.2357.124-1 + [jessie] - chromium-browser (a non-issue for incredibly so many reasons, see my comments at https://lwn.net/Articles/648392) + [wheezy] - chromium-browser (introduced in chromium 43) + NOTE: I plan to fix it during the dsa for the next round of chromium issues CVE-2015- [denial of service in glob_()] - pure-ftpd NOTE: https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
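Review bot: The new entry's "[jessie] - chromium-browser (a non-issue for incredibly so many reasons, ...)" tag and its "NOTE: I plan to fix it during the dsa for the next round" pull in opposite directions: the tag records that jessie needs no fix, the NOTE says one is planned. If the fix is going into the next DSA, leave jessie untagged so the issue stays visible until then; if it is a non-issue, drop the NOTE. A one-line summary of what the hotword blob download does would also help, since the bracketed title and the lwn link are the only description.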
[Secure-testing-commits] r34404 - in data: . DSA
Author: mgilbert Date: 2015-05-22 04:15:45 + (Fri, 22 May 2015) New Revision: 34404 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2015-05-22 03:39:37 UTC (rev 34403) +++ data/DSA/list 2015-05-22 04:15:45 UTC (rev 34404) @@ -1,3 +1,6 @@ +[22 May 2015] DSA-3267-1 chromium-browser - security update + {CVE-2015-1251 CVE-2015-1252 CVE-2015-1253 CVE-2015-1254 CVE-2015-1255 CVE-2015-1256 CVE-2015-1257 CVE-2015-1258 CVE-2015-1259 CVE-2015-1260 CVE-2015-1261 CVE-2015-1262 CVE-2015-1263 CVE-2015-1264 CVE-2015-1265} + [jessie] - chromium-browser 43.0.2357.65-1~deb8u1 [21 May 2015] DSA-3266-1 fuse - security update {CVE-2015-3202} [wheezy] - fuse 2.9.0-2+deb7u2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-05-22 03:39:37 UTC (rev 34403) +++ data/dsa-needed.txt 2015-05-22 04:15:45 UTC (rev 34404) @@ -14,8 +14,6 @@ -- asterisk -- -chromium-browser/stable --- eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33990 - in data: . DSA
Author: mgilbert Date: 2015-05-01 02:31:16 + (Fri, 01 May 2015) New Revision: 33990 Modified: data/DSA/list data/dsa-needed.txt Log: chromium dsa Modified: data/DSA/list === --- data/DSA/list 2015-04-30 22:49:53 UTC (rev 33989) +++ data/DSA/list 2015-05-01 02:31:16 UTC (rev 33990) @@ -1,3 +1,6 @@ +[30 Apr 2015] DSA-3242-1 chromium-browser - security update + {CVE-2015-1243 CVE-2015-1250} + [jessie] - chromium-browser 42.0.2311.135-1~deb8u1 [29 Apr 2015] DSA-3241-1 elasticsearch - security update {CVE-2015-3337} [jessie] - elasticsearch 1.0.3+dfsg-5+deb8u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-04-30 22:49:53 UTC (rev 33989) +++ data/dsa-needed.txt 2015-05-01 02:31:16 UTC (rev 33990) @@ -14,8 +14,6 @@ -- asterisk -- -chromium-browser/stable --- eglibc (aurel32) some of the other no-dsa bugs could be fixed along -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r33875 - in data: CVE DSA
Author: mgilbert Date: 2015-04-27 01:28:09 + (Mon, 27 Apr 2015) New Revision: 33875 Modified: data/CVE/list data/DSA/list Log: allocate chromium dsa Modified: data/CVE/list === --- data/CVE/list 2015-04-27 00:58:50 UTC (rev 33874) +++ data/CVE/list 2015-04-27 01:28:09 UTC (rev 33875) @@ -161,9 +161,7 @@ - libv8-3.14 (unimportant) NOTE: libv8 not covered by security support CVE-2015-3335 (The NaClSandbox::InitializeLayerTwoSandbox function in ...) - - chromium-browser 42.0.2311.90-1 - [wheezy] - chromium-browser - [squeeze] - chromium-browser + - chromium-browser (native client support not built) CVE-2015-3334 (browser/ui/website_settings/website_settings.cc in Google Chrome ...) - chromium-browser 42.0.2311.90-1 [wheezy] - chromium-browser Modified: data/DSA/list === --- data/DSA/list 2015-04-27 00:58:50 UTC (rev 33874) +++ data/DSA/list 2015-04-27 01:28:09 UTC (rev 33875) @@ -1,3 +1,6 @@ +[26 Apr 2015] DSA-3238-1 chromium-browser - security update + {CVE-2015-1235 CVE-2015-1236 CVE-2015-1237 CVE-2015-1238 CVE-2015-1240 CVE-2015-1241 CVE-2015-1242 CVE-2015-1244 CVE-2015-1245 CVE-2015-1246 CVE-2015-1247 CVE-2015-1248 CVE-2015-1249 CVE-2015- CVE-2015-3334 CVE-2015-3336} + [jessie] - chromium-browser 42.0.2311.90-1~deb8u1 [26 Apr 2015] DSA-3237-1 linux - security update {CVE-2014-8159 CVE-2014-9715 CVE-2015-2041 CVE-2015-2042 CVE-2015-2150 CVE-2015-2830 CVE-2015-2922 CVE-2015-3331 CVE-2015-3339} [wheezy] - linux 3.2.68-1+deb7u1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
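Review bot: The DSA-3238-1 CVE set in the data/DSA/list hunk contains a bare "CVE-2015-" between CVE-2015-1249 and CVE-2015-3334; that is a placeholder, not an identifier, so it will never match a data/CVE/list entry and the corresponding issue will not be shown as fixed by this advisory. Replace it with the assigned ID, or leave it out of the set and track the fix on the entry itself until an ID exists.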
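Review bot: In the CVE-2015-3335 hunk the replacement line "- chromium-browser (native client support not built)" drops the fixed version and the wheezy/squeeze tags and leaves a version-less package line with only a free-text reason; elsewhere in this file the same shape ("- perl (unimportant; bug #769606)", "- icu (bug #776265)") records an open issue, so make the not-affected status explicit with the tracker's <not-affected> pseudo-version rather than relying on the note text.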
[Secure-testing-commits] r32874 - in data: . DSA
Author: mgilbert Date: 2015-03-15 04:38:30 + (Sun, 15 Mar 2015) New Revision: 32874 Modified: data/DSA/list data/dsa-needed.txt Log: icu dsa Modified: data/DSA/list === --- data/DSA/list 2015-03-14 21:58:32 UTC (rev 32873) +++ data/DSA/list 2015-03-15 04:38:30 UTC (rev 32874) @@ -1,3 +1,6 @@ +[15 Mar 2015] DSA-3187-1 icu - security update + {CVE-2013-1569 CVE-2013-2383 CVE-2013-2384 CVE-2013-2419 CVE-2014-6585 CVE-2014-6591 CVE-2014-7923 CVE-2014-7926 CVE-2014-7940 CVE-2014-9654} + [wheezy] - icu 4.8.1.1-12+deb7u2 [13 Mar 2015] DSA-3186-1 nss - security update {CVE-2014-1569} [wheezy] - nss 2:3.14.5-1+deb7u4 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-03-14 21:58:32 UTC (rev 32873) +++ data/dsa-needed.txt 2015-03-15 04:38:30 UTC (rev 32874) @@ -21,8 +21,6 @@ -- gnutls26 (carnil) -- -icu (mgilbert) --- imagemagick no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 should be fixed along ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
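Review bot: The DSA-3187-1 set lists ten IDs ending in CVE-2014-9654, but the placeholder "CVE-2014- [more to CVE-2014-6585]" entry opened against icu in r32253 below (low; bug #778511) is not among them; confirm whether icu 4.8.1.1-12+deb7u2 covers that follow-up issue and note it on that entry if so, otherwise it stays open after the advisory while the dsa-needed hunk removes icu from the list.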
[Secure-testing-commits] r32681 - data/CVE
Author: mgilbert Date: 2015-03-07 05:07:12 + (Sat, 07 Mar 2015) New Revision: 32681 Modified: data/CVE/list Log: nfus Modified: data/CVE/list === --- data/CVE/list 2015-03-06 21:10:16 UTC (rev 32680) +++ data/CVE/list 2015-03-07 05:07:12 UTC (rev 32681) @@ -7,7 +7,7 @@ CVE-2015-2210 RESERVED CVE-2015-2209 (DLGuard 4.5 allows remote attackers to obtain the installation path ...) - TODO: check + NOT-FOR-US: DLGuard CVE-2015-2208 RESERVED CVE-2015-2207 @@ -351,7 +351,7 @@ CVE-2015-2081 RESERVED CVE-2014-9685 (Multiple cross-site scripting (XSS) vulnerabilities in Vanilla Forums ...) - TODO: check + NOT-FOR-US: Vanilla Forums CVE-2015- [potential application crash due to overread in fnmatch] - glibc (bug #779587) - eglibc @@ -3993,11 +3993,11 @@ CVE-2015-0894 RESERVED CVE-2015-0893 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka ...) - TODO: check + NOT-FOR-US: Maroyaka CVE-2015-0892 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka ...) - TODO: check + NOT-FOR-US: Maroyaka CVE-2015-0891 (Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka ...) - TODO: check + NOT-FOR-US: Maroyaka CVE-2015-0890 (The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for ...) NOT-FOR-US: BestWebSoft plugin for WordPress CVE-2015-0889 (KENT-WEB Joyful Note before 5.3 allows remote attackers to delete ...) @@ -6249,9 +6249,9 @@ CVE-2014-9284 RESERVED CVE-2014-9283 (The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows ...) - TODO: check + NOT-FOR-US: BestWebSoft plugin for WordPress CVE-2014-9282 (Directory traversal vulnerability in the Speed Root Explorer ...) - TODO: check + NOT-FOR-US: Speed Root Explorer CVE-2014-9268 (The AdView.AdViewer.1 ActiveX control in Autodesk Design Review (ADR) ...) NOT-FOR-US: Autodesk Design Review CVE-2014-9267 (Heap-based buffer overflow in the PTC IsoView ActiveX control allows ...) 
@@ -7636,7 +7636,7 @@ CVE-2015-0168 RESERVED CVE-2015-0167 (Cross-site scripting (XSS) vulnerability in textAngular-sanitize.js in ...) - TODO: check + NOT-FOR-US: textAngular CVE-2015-0166 RESERVED CVE-2015-0165 @@ -8135,7 +8135,7 @@ CVE-2014-8922 RESERVED CVE-2014-8921 (The IBM Notes Traveler Companion application 1.0 and 1.1 before ...) - TODO: check + NOT-FOR-US: IBM Notes Traveler Companion CVE-2014-8920 (Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 ...) NOT-FOR-US: IBM CVE-2014-8919 @@ -8734,7 +8734,7 @@ CVE-2014-8618 RESERVED CVE-2014-8617 (Cross-site scripting (XSS) vulnerability in the Web Action Quarantine ...) - TODO: check + NOT-FOR-US: FortiMail CVE-2014-8616 RESERVED CVE-2014-8615 @@ -9275,7 +9275,7 @@ CVE-2014-8488 (Cross-site scripting (XSS) vulnerability in the administrator panel in ...) NOT-FOR-US: yourls CVE-2014-8487 (Kony Management (aka Enterprise Mobile Management or EMM) 1.2 and ...) - TODO: check + NOT-FOR-US: Kony Management CVE-2014-8486 RESERVED CVE-2014-8482 @@ -10873,7 +10873,7 @@ [squeeze] - chromium-browser - icu 52.1-7.1 (bug #776265) CVE-2014-7922 (The GoogleAuthUtil.getToken method in the Google Play services SDK ...) - TODO: check + NOT-FOR-US: Google Play CVE-2014-7921 RESERVED CVE-2014-7920 @@ -10958,7 +10958,7 @@ CVE-2014-7897 RESERVED CVE-2014-7896 (Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 ...) - TODO: check + NOT-FOR-US: HP CVE-2014-7895 RESERVED CVE-2014-7894 @@ -10984,7 +10984,7 @@ CVE-2014-7884 RESERVED CVE-2014-7883 (HP Universal CMDB (UCMDB) Probe 9.05, 10.01, and 10.11 enables the ...) - TODO: check + NOT-FOR-US: HP CVE-2014-7882 (Unspecified vulnerability in HP SiteScope 11.1x and 11.2x allows ...) NOT-FOR-US: HP SiteScope CVE-2014-7881 (Cross-site scripting (XSS) vulnerability in the server in HP Insight ...) 
@@ -14670,13 +14670,13 @@ CVE-2014-6305 RESERVED CVE-2014-6304 (The Form Controls CSS file in PNMsoft Sequence Kinetics before 7.7 ...) - TODO: check + NOT-FOR-US: PNMsoft CVE-2014-6303 (The Monitoring Administration pages in PNMsoft Sequence Kinetics ...) - TODO: check + NOT-FOR-US: PNMsoft CVE-2014-6302 (The Monitoring Administration pages in PNMsoft Sequence Kinetics ...) - TODO: check + NOT-FOR-US: PNMsoft CVE-2014-6301 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) - TODO: check + NOT-FOR-US: PNMsoft CVE-2014-6300 (Cross-site scripting (XSS) vulnerability in the micro history ...) - phpmyadmin 4:4.2.8.1-1 NOTE: http://www.phpmya
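Review bot: The NOT-FOR-US values in these hunks mix vendor and product names: CVE-2014-7896 and CVE-2014-7883 become "NOT-FOR-US: HP" while CVE-2014-7882 right beside them reads "NOT-FOR-US: HP SiteScope", and CVE-2014-8921 gets the full product "IBM Notes Traveler Companion" next to CVE-2014-8920's "NOT-FOR-US: IBM". Prefer the product name (HP XP P9000, HP Universal CMDB) so the reason is meaningful without reading the description.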
[Secure-testing-commits] r32393 - in data: CVE DSA
Author: mgilbert Date: 2015-02-22 05:18:33 + (Sun, 22 Feb 2015) New Revision: 32393 Modified: data/CVE/list data/DSA/list Log: allocate dsa for e2fsprogs Modified: data/CVE/list === --- data/CVE/list 2015-02-22 05:01:07 UTC (rev 32392) +++ data/CVE/list 2015-02-22 05:18:33 UTC (rev 32393) @@ -1014,7 +1014,6 @@ CVE-2015-1572 [potential buffer overflow in closefs()] RESERVED - e2fsprogs (bug #778948) - [wheezy] - e2fsprogs (Minor issue) NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73 CVE-2015-1571 (The CAPWAP DTLS protocol implementation in Fortinet FortiOS 5.0 Patch ...) NOT-FOR-US: Fortinet FortiOS @@ -6723,7 +6722,6 @@ CVE-2015-0247 (Heap-based buffer overflow in openfs.c in the libext2fs library in ...) {DLA-153-1} - e2fsprogs 1.42.12-1 - [wheezy] - e2fsprogs (Minor issue) NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=f66e6ce4 CVE-2015-0246 REJECTED Modified: data/DSA/list === --- data/DSA/list 2015-02-22 05:01:07 UTC (rev 32392) +++ data/DSA/list 2015-02-22 05:18:33 UTC (rev 32393) @@ -1,3 +1,6 @@ +[22 Feb 2015] DSA-3166-1 e2fsprogs - security update + {CVE-2015-0247 CVE-2015-1572} + [wheezy] - e2fsprogs 1.42.5-1.1+deb7u1 [21 Feb 2015] DSA-3165-1 xdg-utils - security update {CVE-2015-1877} [wheezy] - xdg-utils 1.1.0~rc1+git20111210-6+deb7u3 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
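Review bot: The data/CVE/list hunks remove the "[wheezy] - e2fsprogs (Minor issue)" tags for CVE-2015-1572 and CVE-2015-0247 but add no {DSA-3166-1} cross-reference to either entry, although CVE-2015-0247 already carries {DLA-153-1} in exactly that form; unless that reference is filled in by tooling, add "{DSA-3166-1}" (beside the DLA on 0247) so both entries point at the advisory.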
[Secure-testing-commits] r32392 - in data: . DSA
Author: mgilbert Date: 2015-02-22 05:01:07 + (Sun, 22 Feb 2015) New Revision: 32392 Modified: data/DSA/list data/dsa-needed.txt Log: xdg-utils dsa Modified: data/DSA/list === --- data/DSA/list 2015-02-22 03:02:04 UTC (rev 32391) +++ data/DSA/list 2015-02-22 05:01:07 UTC (rev 32392) @@ -1,3 +1,6 @@ +[21 Feb 2015] DSA-3165-1 xdg-utils - security update + {CVE-2015-1877} + [wheezy] - xdg-utils 1.1.0~rc1+git20111210-6+deb7u3 [21 Feb 2015] DSA-3164-1 typo3-src - security update [wheezy] - typo3-src 4.5.19+dfsg1-5+wheezy4 [19 Feb 2015] DSA-3163-1 libreoffice - security update Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-02-22 03:02:04 UTC (rev 32391) +++ data/dsa-needed.txt 2015-02-22 05:01:07 UTC (rev 32392) @@ -81,6 +81,4 @@ -- unace -- -xdg-utils (carnil) --- zendframework ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32391 - data/CVE
Author: mgilbert Date: 2015-02-22 03:02:04 + (Sun, 22 Feb 2015) New Revision: 32391 Modified: data/CVE/list Log: document the fact that there is still ongoing work for CVE-2005-4890 Modified: data/CVE/list === --- data/CVE/list 2015-02-22 02:43:31 UTC (rev 32390) +++ data/CVE/list 2015-02-22 03:02:04 UTC (rev 32391) @@ -1,3 +1,6 @@ +CVE-2005- [more related to CVE-2005-4890] + - shadow (unimportant; bug #628843) + NOTE: only affects the su executable, so if you use sudo you're not affected CVE-2015- [TYPO3-CORE-SA-2015-001: Authentication Bypass] - typo3-src 4.5.40+dfsg1-1 (bug #778870) [squeeze] - typo3-src (Unsupported in squeeze-lts) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
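Review bot: The new "CVE-2005- [more related to CVE-2005-4890]" title and its NOTE say which binary is affected but not what the outstanding issue is, even though the log message describes it as ongoing work; add a NOTE stating what remains unfixed so the placeholder can be matched to an ID later. Also, "if you use sudo you're not affected" describes a user's choice of tool rather than the package state; shadow still ships su, so the entry is open for shadow regardless.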
[Secure-testing-commits] r32390 - data/CVE
Author: mgilbert Date: 2015-02-22 02:43:31 + (Sun, 22 Feb 2015) New Revision: 32390 Modified: data/CVE/list Log: mark shadow issue as unimportant Modified: data/CVE/list === --- data/CVE/list 2015-02-22 02:04:01 UTC (rev 32389) +++ data/CVE/list 2015-02-22 02:43:31 UTC (rev 32390) @@ -38530,10 +38530,7 @@ NOTE: for incomplete fix for CVE-2013-0167 CVE-2013-4235 [TOCTOU race conditions by copying and removing directory trees] RESERVED - - shadow - [jessie] - shadow (Minor issue) - [wheezy] - shadow (Minor issue) - [squeeze] - shadow (Minor issue) + - shadow (unimportant; bug #778950) CVE-2013-4234 (Multiple heap-based buffer overflows in the (1) abc_MIDI_drum and (2) ...) {DSA-2751-1} - libmodplug 1:0.8.8.4-4 (bug #719462) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32389 - data/CVE
Author: mgilbert Date: 2015-02-22 02:04:01 + (Sun, 22 Feb 2015) New Revision: 32389 Modified: data/CVE/list Log: e2fsprogs bug Modified: data/CVE/list === --- data/CVE/list 2015-02-21 21:25:12 UTC (rev 32388) +++ data/CVE/list 2015-02-22 02:04:01 UTC (rev 32389) @@ -1010,7 +1010,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2015/02/12/2 CVE-2015-1572 [potential buffer overflow in closefs()] RESERVED - - e2fsprogs + - e2fsprogs (bug #778948) [wheezy] - e2fsprogs (Minor issue) NOTE: https://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?id=49d0fe2a14f2a23da2fe299643379b8c1d37df73 CVE-2015-1571 (The CAPWAP DTLS protocol implementation in Fortinet FortiOS 5.0 Patch ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32253 - in data: . CVE
Author: mgilbert Date: 2015-02-16 02:57:06 + (Mon, 16 Feb 2015) New Revision: 32253 Modified: data/CVE/list data/dsa-needed.txt Log: take icu dsa Modified: data/CVE/list === --- data/CVE/list 2015-02-15 22:02:16 UTC (rev 32252) +++ data/CVE/list 2015-02-16 02:57:06 UTC (rev 32253) @@ -1,3 +1,5 @@ +CVE-2014- [more to CVE-2014-6585] + - icu (low; bug #778511) CVE-2015-1607 [memcpy with overlapping ranges, resulting from incorrect bitwise left shifts] [experimental] - gnupg2 2.1.2-1 - gnupg2 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-02-15 22:02:16 UTC (rev 32252) +++ data/dsa-needed.txt 2015-02-16 02:57:06 UTC (rev 32253) @@ -21,7 +21,7 @@ -- freetype -- -icu +icu (mgilbert) -- imagemagick no-dsa bugs CVE-2014-8354 CVE-2014-8355 CVE-2014-8562 CVE-2014-8716 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r32225 - data/CVE
Author: mgilbert Date: 2015-02-14 04:14:44 + (Sat, 14 Feb 2015) New Revision: 32225 Modified: data/CVE/list Log: bug submitted for kfreebsd Modified: data/CVE/list === --- data/CVE/list 2015-02-13 23:56:41 UTC (rev 32224) +++ data/CVE/list 2015-02-14 04:14:44 UTC (rev 32225) @@ -10674,7 +10674,7 @@ CVE-2014-7250 (The TCP stack in 4.3BSD Net/2, as used in FreeBSD 5.4, NetBSD possibly ...) - kfreebsd-8 - kfreebsd-9 - - kfreebsd-10 + - kfreebsd-10 (bug #778367) CVE-2014-7249 (Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, ...) NOT-FOR-US: Allied Telesis CVE-2014-7248 (Cross-site scripting (XSS) vulnerability in IPA iLogScanner 4.0 allows ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
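Review bot: bug #778367 is attached only to the kfreebsd-10 line in the CVE-2014-7250 hunk, while kfreebsd-8 and kfreebsd-9 stay listed as unfixed with no bug reference; if the report covers all three source packages, note it on each line (or file one per package), otherwise the 8 and 9 entries look untracked.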
[Secure-testing-commits] r31882 - data/CVE
Author: mgilbert Date: 2015-01-31 23:18:24 + (Sat, 31 Jan 2015) New Revision: 31882 Modified: data/CVE/list Log: end-of-life tags for chromium in wheezy Modified: data/CVE/list === --- data/CVE/list 2015-01-31 22:08:46 UTC (rev 31881) +++ data/CVE/list 2015-01-31 23:18:24 UTC (rev 31882) @@ -709,6 +709,7 @@ TODO: check in which version the issue was introduced exactly CVE-2015-1346 (Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support @@ -956,6 +957,7 @@ RESERVED CVE-2015-1205 (Multiple unspecified vulnerabilities in Google Chrome before ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser - icu (bug #776719) CVE-2015-1203 [stack allocation with an attacker-controlled size -- modules/access/ftp.c] 
@@ -8286,42 +8288,54 @@ RESERVED CVE-2014-7948 (The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7947 (OpenJPEG before r2944, as used in PDFium in Google Chrome before ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7946 (The RenderTable::simplifiedNormalFlowLayout function in ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7945 (OpenJPEG before r2908, as used in PDFium in Google Chrome before ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7944 (The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7943 (Skia, as used in Google Chrome before 40.0.2214.91, allows remote ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7942 (The Fonts implementation in Google Chrome before 40.0.2214.91 does not ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7941 (The SelectionOwner::ProcessTarget function in ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7940 (The collator implementation in i18n/ucol.cpp in International ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser - icu (bug #776265) CVE-2014-7939 (Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser - libv8-3.14 (unimportant; bug #773671) NOTE: libv8 not covered by security support CVE-2014-7938 (The Fonts implementation in Google Chrome before 40.0.2214.91 allows ...) 
- chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7937 (Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser - ffmpeg 7:2.4.2-1 [squeeze] - ffmpeg @@ -8330,15 +8344,19 @@ NOTE: libav: needed CVE-2014-7936 (Use-after-free vulnerability in the ZoomBubbleView::Close function in ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7935 (Use-after-free vulnerability in browser/speech/tts_message_filter.cc ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7934 (Use-after-free vulnerability in the DOM implementation in Blink, as ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser CVE-2014-7933 (Use-after-free vulnerability in the matroska_read_seek function in ...) - chromium-browser 40.0.2214.91-1 + [wheezy] - chromium-browser [squeeze] - chromium-browser - ffmpeg 7:2.5.1-1 [squeeze] - ffmpeg @@ -8348,40 +8366,50 @@ NOTE: libav: https://git.libav.org/?p=libav.git;a=commit;h=490a3ebf36821b81f73e34ad3f554cb523dd2682 CVE-2014-7932 (Use-after-free vulnerability in the Element::detach function in ...) - chromium-browser 40.0.2214.91-1 +
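Review bot: The added "[wheezy] - chromium-browser" lines carry no annotation, so on their own they read as plain unfixed-in-wheezy entries; only the log message (and DSA-3148-1 in r31881 below) says wheezy chromium is end of life. Record that on the tags themselves, with the tracker's <end-of-life> pseudo-version or at least a "(end of life, see DSA-3148-1)" reason, so the status survives without the commit message and these do not show up as missing wheezy fixes.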
[Secure-testing-commits] r31881 - in data: . DSA
Author: mgilbert Date: 2015-01-31 22:08:46 + (Sat, 31 Jan 2015) New Revision: 31881 Modified: data/DSA/list data/dsa-needed.txt Log: chromium end of life Modified: data/DSA/list === --- data/DSA/list 2015-01-31 21:38:13 UTC (rev 31880) +++ data/DSA/list 2015-01-31 22:08:46 UTC (rev 31881) @@ -1,3 +1,5 @@ +[31 Jan 2015] DSA-3148-1 chromium-browser - end of life + [wheezy] - chromium-browser [30 Jan 2015] DSA-3147-1 openjdk-6 - security update {CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412} [wheezy] - openjdk-6 6b34-1.13.6-1~deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-01-31 21:38:13 UTC (rev 31880) +++ data/dsa-needed.txt 2015-01-31 22:08:46 UTC (rev 31881) @@ -14,9 +14,6 @@ -- asterisk -- -chromium-browser (mgilbert) - to be EOLed --- condor -- imagemagick ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31880 - data/CVE
Author: mgilbert Date: 2015-01-31 21:38:13 + (Sat, 31 Jan 2015) New Revision: 31880 Modified: data/CVE/list Log: wpa info Modified: data/CVE/list === --- data/CVE/list 2015-01-31 21:10:16 UTC (rev 31879) +++ data/CVE/list 2015-01-31 21:38:13 UTC (rev 31880) @@ -5127,7 +5127,8 @@ RESERVED - wpa - wpasupplicant - TODO: check + NOTE: likely to be REJECTed + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0210 CVE-2015-0209 RESERVED CVE-2015-0208 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31875 - data/CVE
Author: mgilbert Date: 2015-01-31 17:01:40 + (Sat, 31 Jan 2015) New Revision: 31875 Modified: data/CVE/list Log: another icu issue Modified: data/CVE/list === --- data/CVE/list 2015-01-31 16:20:57 UTC (rev 31874) +++ data/CVE/list 2015-01-31 17:01:40 UTC (rev 31875) @@ -953,6 +953,7 @@ CVE-2015-1205 (Multiple unspecified vulnerabilities in Google Chrome before ...) - chromium-browser 40.0.2214.91-1 [squeeze] - chromium-browser + - icu (bug #776719) CVE-2015-1203 [stack allocation with an attacker-controlled size -- modules/access/ftp.c] RESERVED NOTE: VLC issue disputed by upstream, see bug #775866 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31874 - data/DSA
Author: mgilbert Date: 2015-01-31 16:20:57 + (Sat, 31 Jan 2015) New Revision: 31874 Modified: data/DSA/list Log: add missing cve ids to requests dsa Modified: data/DSA/list === --- data/DSA/list 2015-01-31 16:10:37 UTC (rev 31873) +++ data/DSA/list 2015-01-31 16:20:57 UTC (rev 31874) @@ -2,6 +2,7 @@ {CVE-2014-3566 CVE-2014-6585 CVE-2014-6587 CVE-2014-6591 CVE-2014-6593 CVE-2014-6601 CVE-2015-0383 CVE-2015-0395 CVE-2015-0407 CVE-2015-0408 CVE-2015-0410 CVE-2015-0412} [wheezy] - openjdk-6 6b34-1.13.6-1~deb7u1 [30 Jan 2015] DSA-3146-1 requests - security update + {CVE-2014-1829 CVE-2014-1830} [wheezy] - requests 0.12.1-1+deb7u1 [30 Jan 2015] DSA-3145-1 privoxy - security update {CVE-2015-1381 CVE-2015-1382} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31676 - data/CVE
Author: mgilbert Date: 2015-01-26 04:03:54 + (Mon, 26 Jan 2015) New Revision: 31676 Modified: data/CVE/list Log: some perl triage Modified: data/CVE/list === --- data/CVE/list 2015-01-26 02:54:03 UTC (rev 31675) +++ data/CVE/list 2015-01-26 04:03:54 UTC (rev 31676) @@ -2674,10 +2674,7 @@ [squeeze] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) CVE-2014- [a2p: buffer overflow] - - perl (low; bug #769606) - [jessie] - perl (Minor issue) - [squeeze] - perl (Minor issue) - [wheezy] - perl (Minor issue) + - perl (unimportant; bug #769606) CVE-2014-9486 REJECTED CVE-2014-9497 [Buffer overflow] @@ -55031,7 +55028,7 @@ RESERVED CVE-2012-3878 [Perl require Directive Path Subversion Arbitrary Module / File Loading Weakness] RESERVED - - perl + - perl (unimportant; bug #776270) NOTE: http://osvdb.org/show/osvdb/106565 CVE-2012-3877 RESERVED @@ -67479,7 +67476,7 @@ NOT-FOR-US: perl Batch::BatchRun CPAN module CVE-2011-4116 RESERVED - - perl (unimportant) + - perl (unimportant; bug #776268) NOTE: http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177 CVE-2011-4115 RESERVED @@ -75261,8 +75258,9 @@ {DSA-2223-1} - doctrine 1.2.4-1 (bug #622674) CVE-2010-4777 (The Perl_reg_numbered_buff_fetch function in Perl 5.10.0, 5.12.0, ...) - - perl (unimportant; bug #628836) + - perl 5.20.1-1 (unimportant; bug #628836) NOTE: Only affects Perl builds with enabled assertions, i.e. the debugperl binary from perl-debug + NOTE: likely fixed sometime around 5.18, but 5.20 was the version checked CVE-2009-5063 (Memory leak in the embedded_profile_len function in pngwutil.c in ...) - libpng 1.2.39-1 (unimportant) CVE-2006-7244 (Memory leak in pngwutil.c in libpng 1.2.13beta1, and other versions ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
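Review bot: In the CVE-2010-4777 hunk the fixed version is set to "perl 5.20.1-1" while the new NOTE says the fix likely landed around 5.18 and 5.20 was merely the version checked; the version field means "first fixed in", so any perl between the real fix and 5.20.1-1 will be reported as vulnerable. Either bisect to the actual fixing upload or leave the line version-less as before and keep the NOTE; the "unimportant" severity limits the impact, but the data should not be knowingly imprecise.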
[Secure-testing-commits] r31675 - data/CVE
Author: mgilbert Date: 2015-01-26 02:54:03 + (Mon, 26 Jan 2015) New Revision: 31675 Modified: data/CVE/list Log: more icu issues Modified: data/CVE/list === --- data/CVE/list 2015-01-26 02:30:42 UTC (rev 31674) +++ data/CVE/list 2015-01-26 02:54:03 UTC (rev 31675) @@ -7887,6 +7887,7 @@ RESERVED - chromium-browser 40.0.2214.91-1 [squeeze] - chromium-browser + - icu (bug #776265) CVE-2014-7939 RESERVED - chromium-browser 40.0.2214.91-1 @@ -7943,6 +7944,7 @@ RESERVED - chromium-browser 40.0.2214.91-1 [squeeze] - chromium-browser + - icu (bug #776265) CVE-2014-7925 RESERVED - chromium-browser 40.0.2214.91-1 @@ -7955,6 +7957,7 @@ RESERVED - chromium-browser 40.0.2214.91-1 [squeeze] - chromium-browser + - icu (bug #776265) CVE-2014-7922 RESERVED CVE-2014-7921 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
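Review bot: all three hunks attach the same Debian bug #776265 to three different RESERVED CVE entries, and none of them adds per-suite lines for icu, whereas the chromium-browser lines beside them carry `[squeeze] - chromium-browser`; if one bug is meant to track all three issues that is fine, but a `NOTE:` saying so, plus squeeze and wheezy status lines for icu, would keep the tracker from listing icu in the older suites as open without anyone having looked.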
[Secure-testing-commits] r31674 - data/CVE
Author: mgilbert Date: 2015-01-26 02:30:42 + (Mon, 26 Jan 2015) New Revision: 31674 Modified: data/CVE/list Log: new icu bug number Modified: data/CVE/list === --- data/CVE/list 2015-01-26 02:27:38 UTC (rev 31673) +++ data/CVE/list 2015-01-26 02:30:42 UTC (rev 31674) @@ -10955,7 +10955,7 @@ - openjdk-6 - openjdk-7 7u75-2.5.4-1 - openjdk-8 - - icu (bug #775884) + - icu (bug #776264) CVE-2014-6584 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...) TODO: check CVE-2014-6583 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
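Review bot: the bug reference on the icu line changes from #775884 to #776264 with no `NOTE:` recording why, three minutes after r31673 (also on this page) removed the fixed version `52.1-7` from the same line; a short note stating which bug tracks the still-unfixed part of the issue would explain both edits to the next reader.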
[Secure-testing-commits] r31673 - data/CVE
Author: mgilbert Date: 2015-01-26 02:27:38 + (Mon, 26 Jan 2015) New Revision: 31673 Modified: data/CVE/list Log: one icu issue not yet fixed Modified: data/CVE/list === --- data/CVE/list 2015-01-26 01:38:15 UTC (rev 31672) +++ data/CVE/list 2015-01-26 02:27:38 UTC (rev 31673) @@ -10955,7 +10955,7 @@ - openjdk-6 - openjdk-7 7u75-2.5.4-1 - openjdk-8 - - icu 52.1-7 (bug #775884) + - icu (bug #775884) CVE-2014-6584 (Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) ...) TODO: check CVE-2014-6583 (Unspecified vulnerability in the Oracle Marketing component in Oracle ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
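Review bot: removing `52.1-7` from the icu line reopens the whole CVE for icu in every suite, while the log message says only one of the bundled issues is still unfixed; a `NOTE:` naming the unfixed part (and the version that fixed the rest) would preserve that information, which the diff otherwise discards.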
[Secure-testing-commits] r31672 - data/CVE
Author: mgilbert Date: 2015-01-26 01:38:15 + (Mon, 26 Jan 2015) New Revision: 31672 Modified: data/CVE/list Log: minizip uploaded Modified: data/CVE/list === --- data/CVE/list 2015-01-25 22:57:15 UTC (rev 31671) +++ data/CVE/list 2015-01-26 01:38:15 UTC (rev 31672) @@ -2607,7 +2607,7 @@ NOTE: CVE request: http://seclists.org/oss-sec/2014/q4/1035 CVE-2014-9485 [miniunzip directory traversal] RESERVED - - minizip (low; bug #774321) + - minizip 1.1-5 (low; bug #774321) CVE-2014-9426 (** DISPUTED ** The apprentice_load function in libmagic/apprentice.c ...) - file (PHP specific modification in libmagic/apprentice.c) - php5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
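Review bot: `- minizip 1.1-5 (low; bug #774321)` records the unstable fix, but no `[wheezy]` or `[squeeze]` line follows it, so the older suites stay listed as affected; with severity `low` the usual outcome is a per-suite line such as `[wheezy] - minizip (Minor issue)` in the style of the libsndfile entry elsewhere on this page, or a dsa-needed entry if an update is planned, and either decision should be recorded here.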
[Secure-testing-commits] r31545 - data/CVE
Author: mgilbert Date: 2015-01-19 21:54:40 + (Mon, 19 Jan 2015) New Revision: 31545 Modified: data/CVE/list Log: ruby-devise issue fixed prior to initial upload Modified: data/CVE/list === --- data/CVE/list 2015-01-19 21:10:15 UTC (rev 31544) +++ data/CVE/list 2015-01-19 21:54:40 UTC (rev 31545) @@ -46995,7 +46995,7 @@ CVE-2013-0234 (Cross-site scripting (XSS) vulnerability in the Twitter widget in Elgg ...) - elgg (bug #526197) CVE-2013-0233 (Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, ...) - - ruby-devise (bug #691525) + - ruby-devise 3.4.1-1 CVE-2013-0232 (includes/functions.php in ZoneMinder Video Server 1.24.0, 1.25.0, and ...) {DSA-2640-1} - zoneminder 1.25.0-4 (bug #698910) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
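Review bot: the replacement line `- ruby-devise 3.4.1-1` drops the `(bug #691525)` reference along with adding the fixed version; the other fixed-version lines in this file keep the bug number (for example `- xdg-utils 1.1.0~rc1+git20111210-7.2 (bug #773085)`), so `- ruby-devise 3.4.1-1 (bug #691525)` would preserve the link to the bug that documents why the fix predates the initial upload.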
[Secure-testing-commits] r31522 - in data: . DSA
Author: mgilbert Date: 2015-01-19 04:02:13 + (Mon, 19 Jan 2015) New Revision: 31522 Modified: data/DSA/list data/dsa-needed.txt Log: xdg-utils dsa Modified: data/DSA/list === --- data/DSA/list 2015-01-18 21:10:16 UTC (rev 31521) +++ data/DSA/list 2015-01-19 04:02:13 UTC (rev 31522) @@ -1,3 +1,6 @@ +[18 Jan 2015] DSA-3131-1 xdg-utils - security update + {CVE-2014-9622} + [wheezy] - xdg-utils 1.1.0~rc1+git20111210-6+deb7u2 [16 Jan 2015] DSA-3130-1 lsyncd - security update {CVE-2014-8990} [wheezy] - lsyncd 2.0.7-3+deb7u1 Modified: data/dsa-needed.txt === --- data/dsa-needed.txt 2015-01-18 21:10:16 UTC (rev 31521) +++ data/dsa-needed.txt 2015-01-19 04:02:13 UTC (rev 31522) @@ -81,8 +81,6 @@ -- wireshark -- -xdg-utils --- xen -- zendframework ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
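Review bot: the new DSA-3131-1 entry follows the format of DSA-3130-1 below it, but the CVE it cites, CVE-2014-9622, should be checked against data/CVE/list: the xdg-open entry there was filed under a placeholder `CVE-2013-` id in r31094 (also on this page), and unless it has since been renamed and given a `{DSA-3131-1}` marker the DSA and CVE files will not cross-reference. The dsa-needed.txt hunk that removes `xdg-utils` is the expected companion change.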
[Secure-testing-commits] r31507 - data/CVE
Author: mgilbert Date: 2015-01-18 18:59:14 + (Sun, 18 Jan 2015) New Revision: 31507 Modified: data/CVE/list Log: matplotlib issue Modified: data/CVE/list === --- data/CVE/list 2015-01-18 16:43:35 UTC (rev 31506) +++ data/CVE/list 2015-01-18 18:59:14 UTC (rev 31507) @@ -1,3 +1,5 @@ +CVE-2013- [matplotlib buffer overrun] + - matplotlib (low; bug #775691) CVE-2015-1160 RESERVED CVE-2015-1159 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
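Review bot: the new entry `CVE-2013- [matplotlib buffer overrun]` uses a placeholder id and has no `NOTE:` pointing at the upstream report or fix, so once a real CVE is assigned there is nothing in the entry to match it against except the bug number; a `NOTE: <url>` line, as the xdg-open and mantisbt entries in this file carry, would close that gap.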
[Secure-testing-commits] r31189 - data/CVE
Author: mgilbert Date: 2015-01-08 00:40:53 + (Thu, 08 Jan 2015) New Revision: 31189 Modified: data/CVE/list Log: cpio issue Modified: data/CVE/list === --- data/CVE/list 2015-01-07 21:14:25 UTC (rev 31188) +++ data/CVE/list 2015-01-08 00:40:53 UTC (rev 31189) @@ -1,3 +1,5 @@ +CVE-2015- [cpio directory traversal] + - cpio (low; bug #774669) CVE-2015- [CHM decompression: pointer arithmetic overflow] - libmspack (bug #774726) CVE-2015- [CHM decompression: division by zero] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
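Review bot: `- cpio (low; bug #774669)` sets a severity without a `NOTE:` giving the reasoning, and the entry has no reference beyond the bug number; the CVE-2009-4835 entry on this page shows the convention (`NOTE: application crash only, so not security-relevant`). A line recording why the cpio directory traversal is rated `low`, or a link to the upstream report, would make the triage reproducible.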
[Secure-testing-commits] r31131 - data/CVE
Author: mgilbert Date: 2015-01-04 20:26:19 + (Sun, 04 Jan 2015) New Revision: 31131 Modified: data/CVE/list Log: old libsndfile issue fixed a while ago Modified: data/CVE/list === --- data/CVE/list 2015-01-04 18:55:11 UTC (rev 31130) +++ data/CVE/list 2015-01-04 20:26:19 UTC (rev 31131) @@ -85020,7 +85020,7 @@ CVE-2009-4836 (Eval injection vulnerability in system/services/init.php in Movie PHP ...) NOT-FOR-US: Movie PHP Script CVE-2009-4835 (The (1) htk_read_header, (2) alaw_init, (3) ulaw_init, (4) pcm_init, ...) - - libsndfile (unimportant; bug #530831) + - libsndfile 1.0.21-3 (unimportant; bug #530831) NOTE: application crash only, so not security-relevant CVE-2010-1723 (Directory traversal vulnerability in the iNetLanka Contact Us Draw ...) NOT-FOR-US: com_drawroot component for joomla! ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r31130 - data
Author: mgilbert Date: 2015-01-04 18:55:11 + (Sun, 04 Jan 2015) New Revision: 31130 Modified: data/embedded-code-copies Log: remove wine-unstable Modified: data/embedded-code-copies === --- data/embedded-code-copies 2015-01-04 17:26:07 UTC (rev 31129) +++ data/embedded-code-copies 2015-01-04 18:55:11 UTC (rev 31130) @@ -2893,10 +2893,7 @@ - wine (bug #675559) NOTE: wine: has a lot of source files that share the same names as the files NOTE: in libmspack, but they are entirely different implementations. - - wine-unstable (bug #675561) + - wine-development (bug #675561) NOTE: wine: has a lot of source files that share the same names as the files NOTE: in libmspack, but they are entirely different implementations. - - wine-development - NOTE: wine: has a lot of source files that share the same names as the files - NOTE: in libmspack, but they are entirely different implementations. - calibre (embed; bug #675562) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
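Review bot: after this hunk `- wine-development (bug #675561)` inherits a bug that was filed against `wine-unstable`; confirm that #675561 was reassigned to the wine-development source package, otherwise the reference dangles. Also, the two retained `NOTE:` lines under wine-development still begin with `wine:` and duplicate the notes under `- wine (bug #675559)` word for word; a single note under the wine entry saying it applies to wine-development too would be cleaner.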
[Secure-testing-commits] r31094 - data/CVE
Author: mgilbert Date: 2015-01-02 19:18:19 + (Fri, 02 Jan 2015) New Revision: 31094 Modified: data/CVE/list Log: xdg-utils fixed Modified: data/CVE/list === --- data/CVE/list 2015-01-02 18:56:51 UTC (rev 31093) +++ data/CVE/list 2015-01-02 19:18:19 UTC (rev 31094) @@ -2874,7 +2874,7 @@ NOTE: http://github.com/mantisbt/mantisbt/commit/5f0b150b NOTE: http://www.mantisbt.org/bugs/view.php?id=17742 CVE-2013- [xdg-open RCE] - - xdg-utils (bug #773085) + - xdg-utils 1.1.0~rc1+git20111210-7.2 (bug #773085) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=66670 CVE-2014-8991 (pip 1.3 through 1.5.6 allows local users to cause a denial of service ...) - python-pip 1.5.6-4 (bug #725847) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
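Review bot: `- xdg-utils 1.1.0~rc1+git20111210-7.2 (bug #773085)` records the unstable fix for an issue described as RCE, but no `[wheezy]` line follows, so wheezy stays open in the tracker until a DSA is entered; that is the right state, and pairing it with an entry in dsa-needed.txt would make the pending update visible (r31522 on this page later removes `xdg-utils` from that file when DSA-3131-1 ships). The id is still the placeholder `CVE-2013-`, so the entry needs renaming once the CVE is assigned.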