[Secure-testing-commits] r46406 - in data: . CVE
Author: opal Date: 2016-11-21 21:33:12 + (Mon, 21 Nov 2016) New Revision: 46406 Modified: data/CVE/list data/dla-needed.txt Log: Nss triaged. Modified: data/CVE/list === --- data/CVE/list 2016-11-21 21:18:48 UTC (rev 46405) +++ data/CVE/list 2016-11-21 21:33:12 UTC (rev 46406) @@ -2478,7 +2478,7 @@ CVE-2016-8635 RESERVED - nss - TODO: check + NOTE: Further info: https://access.redhat.com/security/cve/cve-2016-8635 CVE-2016-8634 RESERVED - foreman (bug #663101) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-21 21:18:48 UTC (rev 46405) +++ data/dla-needed.txt 2016-11-21 21:33:12 UTC (rev 46406) @@ -9,6 +9,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +nss +-- asterisk -- dokuwiki ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
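Review bot: in the data/dla-needed.txt hunk, nss is inserted ahead of asterisk, while the entries visible in the context (asterisk, dokuwiki) run alphabetically. Move the new entry to its sorted position so that the next triager scanning the file does not miss it or add it a second time.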
[Secure-testing-commits] r46407 - data
Author: opal Date: 2016-11-21 21:42:38 + (Mon, 21 Nov 2016) New Revision: 46407 Modified: data/dla-needed.txt Log: Mcabber triaged. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-21 21:33:12 UTC (rev 46406) +++ data/dla-needed.txt 2016-11-21 21:42:38 UTC (rev 46407) @@ -80,6 +80,8 @@ -- moin (Markus Koschany) -- +mcabber +-- monit -- mysql-connector-python
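Review bot: mcabber is added between moin and monit, which breaks the alphabetical order the surrounding entries follow (mcabber sorts before moin). Insert it above the moin entry instead. An entry with no NOTE and no CVE id also leaves the person claiming it to redo the lookup, so a one-line NOTE naming the issue would help.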
[Secure-testing-commits] r46408 - in data: . CVE
Author: opal Date: 2016-11-21 22:05:28 + (Mon, 21 Nov 2016) New Revision: 46408 Modified: data/CVE/list data/dla-needed.txt Log: ntp triaged. Modified: data/CVE/list === --- data/CVE/list 2016-11-21 21:42:38 UTC (rev 46407) +++ data/CVE/list 2016-11-21 22:05:28 UTC (rev 46408) @@ -557,10 +557,14 @@ RESERVED - ntp 1:4.2.8p9+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3119 + NOTE: Can be considered for a non-dsa for LTS as it is about a service + NOTE: not normally enabled. Should be judged in more details. CVE-2016-9310 RESERVED - ntp 1:4.2.8p9+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3118 + NOTE: Can be considered for a non-dsa for LTS as it is about a problem + NOTE: where things are not configured according to recommentation. Should be judged in more details. CVE-2016-9309 RESERVED CVE-2016-9308 @@ -6231,21 +6235,25 @@ RESERVED - ntp 1:4.2.8p9+dfsg-1 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3082 + NOTE: Only possible to trigger from hosts in allow mrulist query. CVE-2016-7433 RESERVED - ntp 1:4.2.8p9+dfsg-1 + [wheezy] - ntp (Minor problem) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3067 CVE-2016-7432 RESERVED CVE-2016-7431 RESERVED - ntp 1:4.2.8p9+dfsg-1 + [wheezy] - ntp (Vulnerable code introduced later) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3102 CVE-2016-7430 RESERVED CVE-2016-7429 RESERVED - ntp 1:4.2.8p9+dfsg-1 + [wheezy] - nto (Minor issue, only possible if rp_filter is 0) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3072 CVE-2016-7428 RESERVED Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-21 21:42:38 UTC (rev 46407) +++ data/dla-needed.txt 2016-11-21 22:05:28 UTC (rev 46408) @@ -82,6 +82,8 @@ -- mcabber -- +ntp +-- monit -- mysql-connector-python
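Review bot: in the second data/CVE/list hunk, the line added under CVE-2016-7429 names the package "nto" ("[wheezy] - nto (Minor issue, only possible if rp_filter is 0)"), while every other line in the entry uses ntp. With the wrong package name the wheezy status is not attached to ntp, so the CVE still reads as untriaged for that suite. Correct it to ntp. The tag under CVE-2016-7433 also says "Minor problem" where the rest of the file says "Minor issue"; use one wording so the entries can be searched consistently.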
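Review bot: in the first data/CVE/list hunk, the NOTEs added to the NtpBug3119 and NtpBug3118 entries defer the decision ("Can be considered for a non-dsa", "Should be judged in more details") and do not name the service or the recommended configuration they rely on. State which service or setting is meant so the next person can verify the claim against the wheezy default configuration, and fix the spelling of "recommentation".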
[Secure-testing-commits] r46409 - data
Author: opal Date: 2016-11-21 22:17:26 + (Mon, 21 Nov 2016) New Revision: 46409 Modified: data/dla-needed.txt Log: maradns triaged. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-21 22:05:28 UTC (rev 46408) +++ data/dla-needed.txt 2016-11-21 22:17:26 UTC (rev 46409) @@ -84,6 +84,8 @@ -- ntp -- +maradns +-- monit -- mysql-connector-python
[Secure-testing-commits] r46410 - data
Author: opal Date: 2016-11-21 22:21:15 + (Mon, 21 Nov 2016) New Revision: 46410 Modified: data/dla-needed.txt Log: qemu triaged. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-21 22:17:26 UTC (rev 46409) +++ data/dla-needed.txt 2016-11-21 22:21:15 UTC (rev 46410) @@ -86,6 +86,8 @@ -- maradns -- +qemu +-- monit -- mysql-connector-python
[Secure-testing-commits] r46411 - data
Author: opal Date: 2016-11-21 22:24:47 + (Mon, 21 Nov 2016) New Revision: 46411 Modified: data/dla-needed.txt Log: qemu note and xen triaged. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-21 22:21:15 UTC (rev 46410) +++ data/dla-needed.txt 2016-11-21 22:24:47 UTC (rev 46411) @@ -87,7 +87,11 @@ maradns -- qemu + Is credativ contacted about this? -- +xen + Is credativ contacted about this? +-- monit -- mysql-connector-python
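Review bot: the lines added under qemu and xen ("Is credativ contacted about this?") are free text without the "NOTE:" prefix that annotations in this file otherwise carry, and they record an open question rather than a status. Prefix them with "NOTE:", add the date, and say who is expected to answer, or raise the question on the list and record only the outcome here.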
[Secure-testing-commits] r46413 - data
Author: opal Date: 2016-11-21 22:55:35 + (Mon, 21 Nov 2016) New Revision: 46413 Modified: data/dla-needed.txt Log: Qemu not vulnerable. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-21 22:30:01 UTC (rev 46412) +++ data/dla-needed.txt 2016-11-21 22:55:35 UTC (rev 46413) @@ -86,9 +86,6 @@ -- maradns -- -qemu - Is credativ contacted about this? --- xen Is credativ contacted about this? -- 
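Review bot: qemu is removed from data/dla-needed.txt on the grounds that it is not vulnerable, but this revision touches no other file, so the conclusion is recorded only in the log message. Mark the affected CVE entries for wheezy in data/CVE/list in the same commit, with the reason, so the package is not picked up again at the next triage round.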
[Secure-testing-commits] r46459 - data
Author: opal Date: 2016-11-22 19:48:20 + (Tue, 22 Nov 2016) New Revision: 46459 Modified: data/dla-needed.txt Log: Small update. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-22 19:08:00 UTC (rev 46458) +++ data/dla-needed.txt 2016-11-22 19:48:20 UTC (rev 46459) @@ -71,6 +71,8 @@ NOTE: See https://lists.debian.org/debian-lts/2016/11/msg00088.html -- maradns + Dariusz Dwornikowski has expressed an interest in + helping out with these CVEs. -- mcabber (Chris Lamb) --
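Review bot: the two lines added under maradns lack the "NOTE:" prefix used by the annotation directly above them in the same hunk ("NOTE: See https://lists.debian.org/..."). Add the prefix on both lines, and include a pointer to where the interest was expressed so the claim can be followed up.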
[Secure-testing-commits] r46514 - data
Author: opal Date: 2016-11-24 20:23:03 + (Thu, 24 Nov 2016) New Revision: 46514 Modified: data/dla-needed.txt Log: Updates. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-24 20:12:39 UTC (rev 46513) +++ data/dla-needed.txt 2016-11-24 20:23:03 UTC (rev 46514) @@ -66,8 +66,8 @@ linux -- maradns - Dariusz Dwornikowski has expressed an interest in - helping out with these CVEs. + NOTE: Dariusz Dwornikowski has expressed an interest in + NOTE: helping out with these CVEs. -- mcabber (Chris Lamb) NOTE: Just waiting (a bit) for CVE assignment. @@ -77,6 +77,8 @@ NOTE: https://github.com/libming/libming/issues/51 NOTE: https://github.com/libming/libming/issues/52 NOTE: https://github.com/libming/libming/issues/53 + NOTE: From Adrian Bunk: ming is orphaned and noone intends to adopt it + NOTE: (see #838773), so please go ahead. -- monit -- @@ -107,3 +109,4 @@ NOTE: https://anonscm.debian.org/cgit/pkg-java/tomcat7.git/log/?h=wheezy NOTE: 20161123: I'm currently working on three new CVEs which were disclosed yesterday. -- +hdf5
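Review bot: in the last hunk, hdf5 is appended after the final "--" with no closing "--" of its own and outside the alphabetical order of the file, so the file ends on an unterminated entry. Insert it at its sorted position followed by a separator. The log message "Updates." also hides that this commit adds a new package to the work queue; mention hdf5 in the log.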
[Secure-testing-commits] r46517 - in data: . CVE
Author: opal Date: 2016-11-24 21:12:34 + (Thu, 24 Nov 2016) New Revision: 46517 Modified: data/CVE/list data/dla-needed.txt Log: Triaging. Modified: data/CVE/list === --- data/CVE/list 2016-11-24 21:10:11 UTC (rev 46516) +++ data/CVE/list 2016-11-24 21:12:34 UTC (rev 46517) @@ -31,6 +31,7 @@ CVE-2016-9633 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/23 CVE-2016-9632 - w3m 0.5.3-33 @@ -68,14 +69,17 @@ CVE-2016-9624 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/35 CVE-2016-9623 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/33 CVE-2016-9622 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/32 CVE-2016-9621 - w3m 0.5.3-33 @@ -889,9 +893,11 @@ NOTE: https://github.com/vadz/libtiff/commit/5ad9d8016fbb60109302d558f7edb2cb2a3bb8e3 CVE-2016-9539 [Out-of-bounds read in readContigTilesIntoBuffer()] - tiff 4.0.7-1 + [wheezy] - tiff (Minor issue) NOTE: https://github.com/vadz/libtiff/commit/ae9365db1b271b62b35ce018eac8799b1d5e8a53 CVE-2016-9538 [Integer overflow leads to reading undefined buffer in readContigStripsIntoBuffer()] - tiff 4.0.7-1 + [wheezy] - tiff (Minor issue) NOTE: https://github.com/vadz/libtiff/commit/43c0b81a818640429317c80fea1e66771e85024b#diff-c8b4b355f9b5c06d585b23138e1c185f CVE-2016-9537 [Out-of-bounds write vulnerabilities in tools/tiffcrop.c] - tiff 4.0.7-1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-24 21:10:11 UTC (rev 46516) +++ data/dla-needed.txt 2016-11-24 21:12:34 UTC (rev 46517) 
@@ -110,3 +110,14 @@ NOTE: 20161123: I'm currently working on three new CVEs which were disclosed yesterday. -- hdf5 +-- +xen +-- +lxc + NOTE: A privilege escalation of this should be seen as a problem. +-- +w3m +-- +tiff +-- +libsoap-lite-perl
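Review bot: in the data/dla-needed.txt hunk, five packages are appended at the end of the file rather than at their sorted positions, and the last one (libsoap-lite-perl) has no closing "--". The NOTE under lxc ("A privilege escalation of this should be seen as a problem.") does not say which CVE it refers to; name the CVE id so the severity judgement can be checked. The same commit tags several w3m and tiff CVEs for wheezy as "Minor issue" while adding both packages to the queue, so a NOTE listing which CVEs still need an upload would avoid confusion.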
[Secure-testing-commits] r46558 - in data: . CVE
Author: opal Date: 2016-11-25 20:50:25 + (Fri, 25 Nov 2016) New Revision: 46558 Modified: data/CVE/list data/dla-needed.txt Log: W3M issues considered as minor. Modified: data/CVE/list === --- data/CVE/list 2016-11-25 19:59:49 UTC (rev 46557) +++ data/CVE/list 2016-11-25 20:50:25 UTC (rev 46558) @@ -101,35 +101,43 @@ CVE-2016-9632 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/43 CVE-2016-9631 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/42 CVE-2016-9630 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/41 CVE-2016-9629 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/40 CVE-2016-9628 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/39 CVE-2016-9627 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/38 NOTE: https://github.com/tats/w3m/commit/0c3f5d0e0d9269ad47b8f4b061d7818993913189 CVE-2016-9626 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/37 CVE-2016-9625 - w3m 0.5.3-33 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/36 CVE-2016-9624 - w3m 0.5.3-33 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-25 19:59:49 UTC (rev 46557) +++ data/dla-needed.txt 2016-11-25 20:50:25 UTC (rev 46558) @@ -100,7 +100,5 @@ -- tzdata (Emilio Pozuelo) -- -w3m --- xen -- 
[Secure-testing-commits] r46559 - data
Author: opal Date: 2016-11-25 20:51:34 + (Fri, 25 Nov 2016) New Revision: 46559 Modified: data/dla-needed.txt Log: Comment on xen. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-25 20:50:25 UTC (rev 46558) +++ data/dla-needed.txt 2016-11-25 20:51:34 UTC (rev 46559) @@ -101,4 +101,5 @@ tzdata (Emilio Pozuelo) -- xen + NOTE: May need further triaging. -- 
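Review bot: the NOTE added under xen ("May need further triaging.") gives the next reader nothing to act on. Say which CVEs or XSAs are still unclear and what has already been checked, so the triage is continued rather than restarted.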
[Secure-testing-commits] r46561 - data
Author: opal Date: 2016-11-25 20:59:03 + (Fri, 25 Nov 2016) New Revision: 46561 Modified: data/dla-needed.txt Log: nss vulnerable. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-11-25 20:58:13 UTC (rev 46560) +++ data/dla-needed.txt 2016-11-25 20:59:03 UTC (rev 46561) @@ -75,6 +75,8 @@ mysql-connector-python NOTE: see http://bugs.debian.org/841677 for current discussion -- +nss +-- ntp -- openssl
[Secure-testing-commits] r46562 - data/DLA
Author: opal Date: 2016-11-25 21:03:43 + (Fri, 25 Nov 2016) New Revision: 46562 Modified: data/DLA/list Log: Reserve DLA-722-1 for irssi Modified: data/DLA/list === --- data/DLA/list 2016-11-25 20:59:03 UTC (rev 46561) +++ data/DLA/list 2016-11-25 21:03:43 UTC (rev 46562) @@ -1,3 +1,6 @@ +[25 Nov 2016] DLA-722-1 irssi - security update + {CVE-2016-7553} + [wheezy] - irssi 0.8.15-5+deb7u1 [25 Nov 2016] DLA-721-1 libgc - security update {CVE-2016-9427} [wheezy] - libgc 1:7.1-9.1+deb7u1
[Secure-testing-commits] r46585 - data/CVE
Author: opal Date: 2016-11-26 20:02:32 + (Sat, 26 Nov 2016) New Revision: 46585 Modified: data/CVE/list Log: W3m minor issue. Modified: data/CVE/list === --- data/CVE/list 2016-11-26 18:59:38 UTC (rev 46584) +++ data/CVE/list 2016-11-26 20:02:32 UTC (rev 46585) @@ -529,6 +529,7 @@ RESERVED - w3m 0.5.3-30 [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/29 NOTE: To be rejected, duplicate of CVE-2016-9429 CVE-2016-9560 [stack-based buffer overflow in jpc_tsfb_getbands2 (jpc_tsfb.c)]
[Secure-testing-commits] r46980 - org
Author: opal Date: 2016-12-11 21:58:22 + (Sun, 11 Dec 2016) New Revision: 46980 Modified: org/lts-frontdesk.2016.txt Log: Assigning myself to front desk work. Modified: org/lts-frontdesk.2016.txt === --- org/lts-frontdesk.2016.txt 2016-12-11 21:19:00 UTC (rev 46979) +++ org/lts-frontdesk.2016.txt 2016-12-11 21:58:22 UTC (rev 46980) @@ -61,5 +61,5 @@ From 28-11 to 04-12:Guido Günther From 05-12 to 11-12:Chris Lamb From 12-12 to 18-12:Markus Koschany -From 19-12 to 25-12: -From 26-12 to 01-01: +From 19-12 to 25-12:Ola Lundqvist +From 26-12 to 01-01:Ola Lundqvist
[Secure-testing-commits] r47235 - in data: . CVE
Author: opal Date: 2016-12-19 21:23:16 + (Mon, 19 Dec 2016) New Revision: 47235 Modified: data/CVE/list data/dla-needed.txt Log: Samba vulnerable. Modified: data/CVE/list === --- data/CVE/list 2016-12-19 21:10:11 UTC (rev 47234) +++ data/CVE/list 2016-12-19 21:23:16 UTC (rev 47235) @@ -33117,6 +33117,7 @@ {DSA-3740-1} - samba 2:4.5.2+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2016-2125.html + NOTE: Patch (with some more) here: https://download.samba.org/pub/samba/patches/security/samba-4.3.12-security-20016-12-19.patch CVE-2016-2124 RESERVED CVE-2016-2123 [Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability] Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-19 21:10:11 UTC (rev 47234) +++ data/dla-needed.txt 2016-12-19 21:23:16 UTC (rev 47235) @@ -97,6 +97,8 @@ -- qemu-kvm (Hugo Lefeuvre) -- +samba +-- squid3 -- tiff
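Review bot: in the data/CVE/list hunk, the patch URL in the added NOTE contains "20016-12-19" in the file name, which looks like a typo for the year; check that the link resolves before committing, since a dead link sends whoever prepares the backport searching again. "Patch (with some more)" should also say which other CVEs the combined patch covers, so that only the relevant parts are pulled into the wheezy upload.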
[Secure-testing-commits] r47259 - data
Author: opal Date: 2016-12-20 21:24:00 + (Tue, 20 Dec 2016) New Revision: 47259 Modified: data/dla-needed.txt Log: Vulnerable package. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-20 21:10:11 UTC (rev 47258) +++ data/dla-needed.txt 2016-12-20 21:24:00 UTC (rev 47259) @@ -91,6 +91,8 @@ -- phpmyadmin (Brian May) -- +postgres-common +-- potrace -- python-bottle
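Review bot: the added entry "postgres-common" does not match the source package name, which is postgresql-common (r47397 later renames it). Entries in this file are matched against source package names, so a misspelled one is not linked to its CVEs; use the exact name. The log message "Vulnerable package." should also name the package.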
[Secure-testing-commits] r47260 - in data: . CVE
Author: opal Date: 2016-12-20 22:17:41 + (Tue, 20 Dec 2016) New Revision: 47260 Modified: data/CVE/list data/dla-needed.txt Log: Libgd2 information. Modified: data/CVE/list === --- data/CVE/list 2016-12-20 21:24:00 UTC (rev 47259) +++ data/CVE/list 2016-12-20 22:17:41 UTC (rev 47260) @@ -435,8 +435,11 @@ RESERVED {DSA-3732-1} - libgd2 2.2.2-29-g3c2b605-1 + NOTE: This problem could be seen as a programmer fault but the fix is easy and + NOTE: the effect is rather dramatic so it should be fixed anyway. NOTE: https://github.com/libgd/libgd/commit/77f619d48259383628c3ec4654b1ad578e9eb40e (gd-2.2.2) NOTE: Scope of CVE is only the missing "color < 0" test in older versions. + NOTE: GD release info: https://libgd.github.io/release-2.2.2.html - php7.0 7.0.13-1 (unimportant) - php5 (unimportant) NOTE: Fixed in PHP 5.6.28, 7.0.13 and 7.1.0 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-20 21:24:00 UTC (rev 47259) +++ data/dla-needed.txt 2016-12-20 22:17:41 UTC (rev 47260) @@ -36,6 +36,11 @@ libdbd-mysql-perl (Chris Lamb) NOTE: Jessie has almost identical code, would be great to fix as well -- +libgd2 + NOTE: Php is vulnerable but uses system libgd so as soon as libgd is fixed the problem + NOTE: is solved for php too. So when libgd2 is updated, please update the information + NOTE: for this CVE also for php. +-- libical -- libxml-twig-perl
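Review bot: in the data/dla-needed.txt hunk, the NOTE under libgd2 refers to "this CVE" without giving the id, and asks for the php information to be updated later, while the CVE entry in the same commit already carries "- php5 (unimportant)". Name the CVE in the NOTE and state exactly which php line is expected to change after the libgd2 upload, otherwise the follow-up is likely to be skipped.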
[Secure-testing-commits] r47303 - data/CVE
Author: opal Date: 2016-12-21 21:43:53 + (Wed, 21 Dec 2016) New Revision: 47303 Modified: data/CVE/list Log: No dsa for icinga. Modified: data/CVE/list === --- data/CVE/list 2016-12-21 21:21:36 UTC (rev 47302) +++ data/CVE/list 2016-12-21 21:43:53 UTC (rev 47303) @@ -8602,11 +8602,13 @@ {DLA-751-1} - nagios3 [jessie] - nagios3 (Minor issue) + [wheezy] - nagios3 (Minor issue) NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/c29557dec91eba2306f5fb11b8da4474ba63f8c4 NOTE: https://legalhackers.com/advisories/Nagios-Exploit-Root-PrivEsc-CVE-2016-9566.html NOTE: nagios < 3.5 is not vulnerable through the regular logfile, but through the debug logfile - icinga [jessie] - icinga (Minor issue) + [wheezy] - icinga (Minor issue) NOTE: https://dev.icinga.com/issues/13709 NOTE: https://github.com/Icinga/icinga-core/commit/a0eb8471673b6b1e9b37e1b7b91151aa00bedb65 NOTE: https://github.com/Icinga/icinga-core/commit/e0f55bc9b17ef1db9aed7393fc34576a5b9501f0
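Review bot: the added "[wheezy] - nagios3 (Minor issue)" sits under an entry that is already cross-referenced with {DLA-751-1}. If that DLA shipped the fix for wheezy, the wheezy line should carry the fixed version rather than a minor-issue tag, which would mark a fixed package as deliberately unfixed. The log message mentions only icinga, so the nagios3 change may be unintended; either drop it or cover it in the log.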
[Secure-testing-commits] r47304 - data/CVE
Author: opal Date: 2016-12-21 21:47:34 + (Wed, 21 Dec 2016) New Revision: 47304 Modified: data/CVE/list Log: No dsa for openssh. Same as triaged for jessie. Modified: data/CVE/list === --- data/CVE/list 2016-12-21 21:43:53 UTC (rev 47303) +++ data/CVE/list 2016-12-21 21:47:34 UTC (rev 47304) @@ -477,6 +477,7 @@ RESERVED - openssh (low; bug #848717) [jessie] - openssh (Minor issue) + [wheezy] - openssh (Minor issue) NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.c.diff?r1=1.165&r2=1.166 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/monitor.h.diff?r1=1.19&r2=1.20 @@ -485,6 +486,7 @@ RESERVED - openssh (low; bug #848716) [jessie] - openssh (Minor issue) + [wheezy] - openssh (Minor issue) NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfile.c.diff?r1=1.121&r2=1.122 CVE-2016-10010 [sshd(8): When privilege separation is disabled, forwarded Unix-domain sockets would be created by sshd(8) with the privileges of 'root'] @@ -497,6 +499,7 @@ RESERVED - openssh (low; bug #848714) [jessie] - openssh (Minor issue) + [wheezy] - openssh (Minor issue) NOTE: Fixed in upstream 7.4: https://www.openssh.com/txt/release-7.4 NOTE: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-agent.c.diff?r1=1.214&r2=1.215 CVE-2016-9998 (SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability ...)
[Secure-testing-commits] r47305 - data/CVE
Author: opal Date: 2016-12-21 22:07:21 + (Wed, 21 Dec 2016) New Revision: 47305 Modified: data/CVE/list Log: Start of apache2 triage. Modified: data/CVE/list === --- data/CVE/list 2016-12-21 21:47:34 UTC (rev 47304) +++ data/CVE/list 2016-12-21 22:07:21 UTC (rev 47305) @@ -11275,6 +11275,10 @@ RESERVED - apache2 NOTE: https://lists.apache.org/thread.html/139862b41c0dfd5e6e00ad89c00119f9faf0dd41a2f927da9c9a4076@%3Cannounce.httpd.apache.org%3E + NOTE: https://httpd.apache.org/security/vulnerabilities_24.html + NOTE: The fix is not fully backwards compatible so upstream have + NOTE: created a new option to control this behaviour. This means that + NOTE: if this is fixed the security advisory need to mention this. NOTE: Affects: 2.2.0 to 2.4.23. NOTE: Fixed in 2.4.25. CVE-2016-8742
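Review bot: the added NOTE says upstream "created a new option to control this behaviour" but does not name the option or the behaviour that changes. Since the NOTE itself requires the advisory to mention it, record the option name and its default here, so whoever writes the advisory and whoever tests the backport are working from the same statement.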
[Secure-testing-commits] r47362 - in data: . CVE
Author: opal Date: 2016-12-22 21:37:00 + (Thu, 22 Dec 2016) New Revision: 47362 Modified: data/CVE/list data/dla-needed.txt Log: exim4 is vulnerable. Modified: data/CVE/list === --- data/CVE/list 2016-12-22 21:31:31 UTC (rev 47361) +++ data/CVE/list 2016-12-22 21:37:00 UTC (rev 47362) @@ -561,6 +561,7 @@ - exim4 NOTE: https://bugs.exim.org/show_bug.cgi?id=1996 NOTE: http://www.openwall.com/lists/oss-security/2016/12/16/1 + NOTE: The vulnerability is confirmed to affect at least wheezy. CVE-2016-9961 RESERVED {DSA-3735-1 DLA-750-1} Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-22 21:31:31 UTC (rev 47361) +++ data/dla-needed.txt 2016-12-22 21:37:00 UTC (rev 47362) @@ -15,6 +15,10 @@ botan1.10 NOTE: Jessie has almost identical code. Looks hard to exploit but worth fixing. -- +exim4 + NOTE: The information about CVE-2016-9963 is not public. However the + NOTE: vulnerability is confirmed to exist in oldstable. +-- graphicsmagick NOTE: seems only a single memory/CPU DOS at this point, maybe wait for more issues? NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next upload.
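Review bot: both added NOTEs say the exim4 issue is "confirmed" without saying by whom or how, and the data/dla-needed.txt NOTE states that the details are not public. Record the source of the confirmation (for example the upstream or security-team contact) so the person taking the package knows where to obtain the fix. The two NOTEs also name the suite differently ("wheezy" in data/CVE/list, "oldstable" in data/dla-needed.txt); use the codename in both, since "oldstable" changes meaning at the next release.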
[Secure-testing-commits] r47363 - data
Author: opal Date: 2016-12-22 22:22:13 + (Thu, 22 Dec 2016) New Revision: 47363 Modified: data/dla-needed.txt Log: Some more are vulnerable. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-22 21:37:00 UTC (rev 47362) +++ data/dla-needed.txt 2016-12-22 22:22:13 UTC (rev 47363) @@ -27,10 +27,14 @@ -- hdf5 (Thorsten Alteholz) -- +ikiwiki +-- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) -- +libcrypto++ +-- libdbd-mysql-perl (Chris Lamb) NOTE: Jessie has almost identical code, would be great to fix as well -- @@ -103,6 +107,8 @@ -- shutter (Christoph Biedl) -- +spip +-- squid3 -- tiff
[Secure-testing-commits] r47397 - in data: . CVE
Author: opal Date: 2016-12-23 22:24:20 + (Fri, 23 Dec 2016) New Revision: 47397 Modified: data/CVE/list data/dla-needed.txt Log: Some triaging conclusions. Modified: data/CVE/list === --- data/CVE/list 2016-12-23 22:00:36 UTC (rev 47396) +++ data/CVE/list 2016-12-23 22:24:20 UTC (rev 47397) @@ -1875,6 +1875,7 @@ RESERVED - libspring-java 4.3.5-1 (bug #849167) [jessie] - libspring-java (Minor issue) + [wheezy] - libspring-java (Minor issue) NOTE: https://pivotal.io/security/cve-2016-9878 NOTE: Fixed by: https://github.com/spring-projects/spring-framework/commit/e2d6e709c3c65a4951eb096843ee75d5200cfcad (4.3.x branch) NOTE: Fixed by: https://github.com/spring-projects/spring-framework/commit/43bf008fbcd0d7945e2fcd5e30039bc4d74c7a98 (4.2.x branch) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-23 22:00:36 UTC (rev 47396) +++ data/dla-needed.txt 2016-12-23 22:24:20 UTC (rev 47397) @@ -87,7 +87,7 @@ WIP in git: git clone git.debian.org:/git/collab-maint/debian-lts/php5.git -b debian/wheezy Left some status notes in the changelog. -- -postgres-common +postgresql-common -- potrace --
[Secure-testing-commits] r47399 - data
Author: opal Date: 2016-12-23 22:36:23 + (Fri, 23 Dec 2016) New Revision: 47399 Modified: data/dla-needed.txt Log: tarantool Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-23 22:31:49 UTC (rev 47398) +++ data/dla-needed.txt 2016-12-23 22:36:23 UTC (rev 47399) @@ -109,6 +109,8 @@ -- squid3 -- +tarantool +-- tiff NOTE: Please work in the git repo accessible to all DD (branch master-wheezy): NOTE: https://anonscm.debian.org/cgit/collab-maint/tiff.git/log/?id=refs/heads/master-wheezy
[Secure-testing-commits] r47415 - in data: . CVE
Author: opal Date: 2016-12-24 22:21:42 + (Sat, 24 Dec 2016) New Revision: 47415 Modified: data/CVE/list data/dla-needed.txt Log: Tarantool not vulnerable in stable and oldstable. Modified: data/CVE/list === --- data/CVE/list 2016-12-24 21:10:11 UTC (rev 47414) +++ data/CVE/list 2016-12-24 22:21:42 UTC (rev 47415) @@ -10690,6 +10690,8 @@ CVE-2016-9037 [Out of bounds access in xrow_header_decode()] RESERVED - tarantool 1.7.2.385.g952d79e-1 + [jessie] - tarantool (Not vulnerable) + [wheezy] - tarantool (Not vulnerable) NOTE: https://github.com/tarantool/tarantool/issues/1992 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0255/ CVE-2016-9036 [Invalid handling of map16 format in mp_check()] @@ -10697,6 +10699,8 @@ - msgpuck (bug #849212) NOTE: https://github.com/rtsisyk/msgpuck/issues/12 - tarantool 1.7.2.385.g952d79e-1 + [jessie] - tarantool (Not vulnerable) + [wheezy] - tarantool (Not vulnerable) NOTE: https://github.com/tarantool/tarantool/issues/1991 NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0254/ CVE-2016-9035 (An exploitable buffer overflow exists in the Joyent SmartOS ...) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-24 21:10:11 UTC (rev 47414) +++ data/dla-needed.txt 2016-12-24 22:21:42 UTC (rev 47415) @@ -110,8 +110,6 @@ -- squid3 -- -tarantool --- tiff NOTE: Please work in the git repo accessible to all DD (branch master-wheezy): NOTE: https://anonscm.debian.org/cgit/collab-maint/tiff.git/log/?id=refs/heads/master-wheezy
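Review bot: in both data/CVE/list hunks the added jessie and wheezy lines give "(Not vulnerable)" as the reason, which restates the status instead of explaining it. Say why, for example that the affected function is absent from those versions or was introduced later, as the ntp entry in r46408 does with "Vulnerable code introduced later", so the conclusion can be re-checked without repeating the source review.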
[Secure-testing-commits] r47416 - data
Author: opal Date: 2016-12-24 22:36:01 + (Sat, 24 Dec 2016) New Revision: 47416 Modified: data/dla-needed.txt Log: Some information from the maintainer. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-24 22:21:42 UTC (rev 47415) +++ data/dla-needed.txt 2016-12-24 22:36:01 UTC (rev 47416) @@ -33,6 +33,9 @@ hdf5 (Thorsten Alteholz) -- ikiwiki + NOTE: The maintainer (Simon) think we shall de-prioritize this one until we + NOTE: have got information from the stable security team. The problem is not + NOTE: very important according to the maintainer. -- imagemagick NOTE: CVE-2016-8677 and CVE-2016-9559 are not major issues but as they were
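Review bot: the NOTE added under ikiwiki relays the maintainer's assessment without a reference or a date, and does not name the CVE being de-prioritized. Add the message or bug URL where the maintainer said this and the date of the note, so the entry can be revisited once the stable security team has answered.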
[Secure-testing-commits] r47448 - in data: . CVE
Author: opal Date: 2016-12-26 18:39:39 + (Mon, 26 Dec 2016) New Revision: 47448 Modified: data/CVE/list data/dla-needed.txt Log: Curl. Modified: data/CVE/list === --- data/CVE/list 2016-12-26 18:11:27 UTC (rev 47447) +++ data/CVE/list 2016-12-26 18:39:39 UTC (rev 47448) @@ -8601,6 +8601,8 @@ [jessie] - curl (Minor issue) NOTE: https://curl.haxx.se/docs/adv_20161221A.html NOTE: Fixed by: https://github.com/curl/curl/commit/3ab3c16db6a5674f53cf23d56512a405fde0b2c9 + NOTE: There are no known vulnerable applications but as this is a + NOTE: library it should be fixed as we do not know the full impact. CVE-2016-9585 RESERVED NOT-FOR-US: JMX endpoint of Red Hat JBoss EAP 5 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-26 18:11:27 UTC (rev 47447) +++ data/dla-needed.txt 2016-12-26 18:39:39 UTC (rev 47448) @@ -20,6 +20,8 @@ botan1.10 NOTE: Jessie has almost identical code. Looks hard to exploit but worth fixing. -- +curl +-- graphicsmagick NOTE: seems only a single memory/CPU DOS at this point, maybe wait for more issues? NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next upload.
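Review bot: in the data/CVE/list hunk, the added NOTE argues that the curl issue "should be fixed" because the impact is unknown, directly below a "[jessie] - curl (Minor issue)" line that records the opposite judgement for jessie. Scope the NOTE to wheezy/LTS explicitly, or raise the disagreement with the security team, so the entry does not carry two conflicting assessments. The new curl entry in data/dla-needed.txt would also benefit from a NOTE naming the CVE.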
[Secure-testing-commits] r47450 - data
Author: opal Date: 2016-12-26 18:47:06 + (Mon, 26 Dec 2016) New Revision: 47450 Modified: data/dla-needed.txt Log: libphp-phpmailer Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-26 18:44:24 UTC (rev 47449) +++ data/dla-needed.txt 2016-12-26 18:47:06 UTC (rev 47450) @@ -50,6 +50,10 @@ -- libical -- +libphp-phpmailer + NOTE: According to the release note this is a critial vulnerability so it + NOTE: should have high priority. +-- libxml-twig-perl NOTE: no upstream fix yet for expand_external_ents but new no_xxe flag in 3.50 NOTE: could be backported (2016-12-13)
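Review bot: the NOTE added under libphp-phpmailer calls the issue critical "according to the release note" but gives neither the CVE id nor a link to that release note. For an entry flagged as high priority, include both so the person picking it up can start from the upstream fix immediately; "critial" should read "critical".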
[Secure-testing-commits] r47506 - data
Author: opal Date: 2016-12-27 19:13:25 + (Tue, 27 Dec 2016) New Revision: 47506 Modified: data/dla-needed.txt Log: Python crypto. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-27 18:52:45 UTC (rev 47505) +++ data/dla-needed.txt 2016-12-27 19:13:25 UTC (rev 47506) @@ -103,6 +103,8 @@ -- potrace -- +python-crypto +-- samba -- shutter (Christoph Biedl)
[Secure-testing-commits] r47529 - data/CVE
Author: opal Date: 2016-12-28 20:44:12 + (Wed, 28 Dec 2016) New Revision: 47529 Modified: data/CVE/list Log: Tagged same way for wheezy as for jessie. Modified: data/CVE/list === --- data/CVE/list 2016-12-28 18:30:08 UTC (rev 47528) +++ data/CVE/list 2016-12-28 20:44:12 UTC (rev 47529) @@ -10717,6 +10717,7 @@ RESERVED - libxml2 (bug #849198) [jessie] - libxml2 (Minor issue) + [wheezy] - libxml2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1408302 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769658 CVE-2016-9595 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47533 - data/CVE
Author: opal Date: 2016-12-28 22:07:32 + (Wed, 28 Dec 2016) New Revision: 47533 Modified: data/CVE/list Log: Mark tigervnc as not affected when closing the bug. Modified: data/CVE/list === --- data/CVE/list 2016-12-28 22:00:51 UTC (rev 47532) +++ data/CVE/list 2016-12-28 22:07:32 UTC (rev 47533) @@ -72944,7 +72944,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1151312 NOTE: Patch applied in Red Hat https://bugzilla.redhat.com/attachment.cgi?id=946490 CVE-2014-8240 (Integer overflow in TigerVNC allows remote VNC servers to cause a ...) - - tigervnc (bug #849479) + - tigervnc (Vulnerable code not present as it was fixed in first upload) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1151307 NOTE: Patch https://bugzilla.redhat.com/attachment.cgi?id=947578 is not applied CVE-2014-8086 (Race condition in the ext4_file_write_iter function in fs/ext4/file.c ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
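Review bot: the replacement line for "tigervnc" drops "bug #849479", so the entry no longer links to the report that prompted the change. Keep the bug number in a NOTE, and name the version of the first upload rather than describing it, so the claim that the vulnerable code is not present can be checked against the archive.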
[Secure-testing-commits] r47567 - in data: . CVE
Author: opal Date: 2016-12-29 21:38:07 + (Thu, 29 Dec 2016) New Revision: 47567 Modified: data/CVE/list data/dla-needed.txt Log: Notes about apache2. Modified: data/CVE/list === --- data/CVE/list 2016-12-29 21:37:23 UTC (rev 47566) +++ data/CVE/list 2016-12-29 21:38:07 UTC (rev 47567) @@ -13581,8 +13581,11 @@ NOTE: The fix is not fully backwards compatible so upstream have NOTE: created a new option to control this behaviour. This means that NOTE: if this is fixed the security advisory need to mention this. + NOTE: The fix is invasive and should require some extra testing before reaching + NOTE: stable and old-stable. NOTE: Affects: 2.2.0 to 2.4.23. NOTE: Fixed in 2.4.25. + NOTE: For 2.2 preparation is done in http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/ CVE-2016-8742 RESERVED CVE-2016-8741 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-29 21:37:23 UTC (rev 47566) +++ data/dla-needed.txt 2016-12-29 21:38:07 UTC (rev 47567) @@ -15,6 +15,8 @@ NOTE: be mentioned very clearly in the DLA sent out. Also that this change NOTE: is not fully backwards compatible. Upstream is preparing NOTE: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x-merge-http-strict/ + NOTE: This change is invasive and need extra testing. We should + NOTE: wait until it has been fixed in one of stable and sid. -- asterisk (Markus Koschany) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
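Review bot: the notes added in the two files give different gating conditions. data/CVE/list says extra testing is needed before reaching stable and old-stable, while data/dla-needed.txt says to wait until it has been fixed in one of stable and sid. Pick one wording and date it, so a later reader can tell whether the wait is still current.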
[Secure-testing-commits] r47568 - in data: . CVE
Author: opal Date: 2016-12-29 21:43:38 + (Thu, 29 Dec 2016) New Revision: 47568 Modified: data/CVE/list data/dla-needed.txt Log: Imagemagick not vulnerable according to latest information. Modified: data/CVE/list === --- data/CVE/list 2016-12-29 21:38:07 UTC (rev 47567) +++ data/CVE/list 2016-12-29 21:43:38 UTC (rev 47568) @@ -11417,6 +11417,7 @@ RESERVED {DSA-3726-1} - imagemagick 8:6.9.6.5+dfsg-1 (bug #845243) + [wheezy] - imagemagick 8:6.7.7.10-5+deb7u10 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1c795ce9fe1d6feac8bc36c2e6c5ba7110b671b1 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b61d35eaccc0a7ddeff8a1c3abfcd0a43ccf210b (master) NOTE: https://github.com/ImageMagick/ImageMagick/issues/298 @@ -13996,6 +13997,7 @@ RESERVED {DSA-3726-1} - imagemagick 8:6.9.6.2+dfsg-1 (bug #845206) + [wheezy] - imagemagick 8:6.7.7.10-5+deb7u10 NOTE: https://blogs.gentoo.org/ago/2016/10/07/imagemagick-memory-allocate-failure-in-acquirequantumpixels-quantum-c/ NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/6e48aa92ff4e6e95424300ecd52a9ea453c19c60 CVE-2016-8676 [Issue that remains after addressing CVE-2016-8675 with e5b019725f53b79159931d3a7317107cbbfd0860] Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-29 21:38:07 UTC (rev 47567) +++ data/dla-needed.txt 2016-12-29 21:43:38 UTC (rev 47568) 
@@ -36,10 +36,6 @@ NOTE: have got information from the stable security team. The problem is not NOTE: very important according to the maintainer. -- -imagemagick (Emilio Pozuelo) - NOTE: CVE-2016-8677 and CVE-2016-9559 are not major issues but as they were - NOTE: fixed in jessie it is probably worth fixing in wheezy too. --- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
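Review bot: the log says imagemagick is not vulnerable, but both lines added in data/CVE/list record "[wheezy] - imagemagick 8:6.7.7.10-5+deb7u10", which reads as fixed in that version. Those are different states. If the issues were already covered by an earlier wheezy upload, say so in the log or in a NOTE, because the dla-needed.txt entry removed here named CVE-2016-8677 and CVE-2016-9559 as still worth fixing in wheezy.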
[Secure-testing-commits] r47569 - data
Author: opal Date: 2016-12-29 22:19:13 + (Thu, 29 Dec 2016) New Revision: 47569 Modified: data/dla-needed.txt Log: Swiftmailer vulnerable. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-29 21:43:38 UTC (rev 47568) +++ data/dla-needed.txt 2016-12-29 22:19:13 UTC (rev 47569) @@ -36,6 +36,8 @@ NOTE: have got information from the stable security team. The problem is not NOTE: very important according to the maintainer. -- +imagemagick (Emilio Pozuelo) +-- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) @@ -46,6 +48,10 @@ NOTE: According to the release note this is a critial vulnerability so it NOTE: should have high priority. -- +libphp-swiftmailer + NOTE: According to the release note this is a critial vulnerability so it + NOTE: should have high priority. +-- libxml-twig-perl NOTE: no upstream fix yet for expand_external_ents but new no_xxe flag in 3.50 NOTE: could be backported (2016-12-13) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
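Review bot: the first hunk re-adds "imagemagick (Emilio Pozuelo)" to data/dla-needed.txt with no NOTE, one revision after r47568 removed it, and the log mentions only Swiftmailer. Split it into its own commit or add a NOTE saying which issue brings the package back. The "libphp-swiftmailer" NOTE in the second hunk repeats the phpmailer wording, including "critial", and gives no CVE id or link to the release note.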
[Secure-testing-commits] r47606 - data
Author: opal Date: 2016-12-30 22:13:42 + (Fri, 30 Dec 2016) New Revision: 47606 Modified: data/dla-needed.txt Log: Looks like a serious vulnerability. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-12-30 21:54:04 UTC (rev 47605) +++ data/dla-needed.txt 2016-12-30 22:13:42 UTC (rev 47606) @@ -106,6 +106,11 @@ -- python-crypto (Chris Lamb) -- +rabbitmq-server + NOTE: It remains to investigate if this applies to the 2.x branch in + NOTE: oldstable as well. It should as SSL support was added already in 1.x + NOTE: branch. +-- samba (Guido Günther) -- tiff ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
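Review bot: the "rabbitmq-server" NOTE reasons about whether the 2.x branch in oldstable is affected but names no CVE id or advisory, so a reader cannot tell which issue is meant. Add the identifier next to the note, since the log ("Looks like a serious vulnerability") does not carry it either.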
[Secure-testing-commits] r47629 - data/CVE
Author: opal Date: 2016-12-31 20:52:34 + (Sat, 31 Dec 2016) New Revision: 47629 Modified: data/CVE/list Log: No dsa for wheezy too. Modified: data/CVE/list === --- data/CVE/list 2016-12-31 19:58:13 UTC (rev 47628) +++ data/CVE/list 2016-12-31 20:52:34 UTC (rev 47629) @@ -2246,6 +2246,7 @@ - libpng1.6 1.6.27-1 (bug #849799) - libpng [jessie] - libpng (Minor issue) + [wheezy] - libpng (Minor issue) NOTE: Fixed in 1.0.67, 1.2.57, 1.4.20, 1.5.28, 1.6.27 NOTE: https://sourceforge.net/p/libpng/code/ci/243d4e5f3fe71740d52a53cf3dd77cc83a3430ba NOTE: https://sourceforge.net/p/libpng/code/ci/812768d7a9c97345d454634496b25ed415eb (libpng16) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47655 - data/DLA
Author: opal Date: 2017-01-01 23:05:16 + (Sun, 01 Jan 2017) New Revision: 47655 Modified: data/DLA/list Log: Reserve DLA-775-1 for hplip Modified: data/DLA/list === --- data/DLA/list 2017-01-01 22:58:51 UTC (rev 47654) +++ data/DLA/list 2017-01-01 23:05:16 UTC (rev 47655) @@ -1,3 +1,6 @@ +[02 Jan 2017] DLA-775-1 hplip - security update + {CVE-2015-0839} + [wheezy] - hplip 3.12.6-3.1+deb7u2 [01 Jan 2017] DLA-774-1 postgresql-common - security update {CVE-2016-1255} [wheezy] - postgresql-common 134wheezy5 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
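Review bot: the new DLA-775-1 entry is dated "[02 Jan 2017]" while the commit is stamped 2017-01-01 23:05 UTC. If the date follows the announcement in a local timezone that is fine, but confirm it matches the date on the advisory mail, since the entry sits directly above the "[01 Jan 2017]" DLA-774-1 entry.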
[Secure-testing-commits] r47656 - data/CVE
Author: opal Date: 2017-01-01 23:12:23 + (Sun, 01 Jan 2017) New Revision: 47656 Modified: data/CVE/list Log: Mark as no-dsa just as in jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-01 23:05:16 UTC (rev 47655) +++ data/CVE/list 2017-01-01 23:12:23 UTC (rev 47656) @@ -116,6 +116,7 @@ CVE-2016-10091 [stack-based buffer overflows in cmd_* functions] - unrtf 0.21.9-clean-3 (bug #849705) [jessie] - unrtf (Minor issue) + [wheezy] - unrtf (Minor issue) NOTE: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 CVE-2016-10085 (admin/languages.php in Piwigo through 2.8.3 allows remote authenticated ...) - piwigo @@ -128,6 +129,7 @@ CVE-2016-10081 (/usr/bin/shutter in Shutter through 0.93.1 allows user-assisted remote ...) - shutter (bug #849777) [jessie] - shutter (Minor issue) + [wheezy] - shutter (Minor issue) NOTE: https://bugs.launchpad.net/shutter/+bug/1652600 CVE-2016-10080 RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47835 - org
Author: opal Date: 2017-01-08 21:33:56 + (Sun, 08 Jan 2017) New Revision: 47835 Modified: org/lts-frontdesk.2017.txt Log: Allocated myself for LTS frontdesk duty. Modified: org/lts-frontdesk.2017.txt === --- org/lts-frontdesk.2017.txt 2017-01-08 10:36:43 UTC (rev 47834) +++ org/lts-frontdesk.2017.txt 2017-01-08 21:33:56 UTC (rev 47835) @@ -14,7 +14,7 @@ From 02-01 to 08-01:Chris Lamb From 09-01 to 15-01:Thorsten Alteholz From 16-01 to 22-01:Markus Koschany -From 23-01 to 29-01: +From 23-01 to 29-01:Ola Lundqvist From 30-01 to 05-02:Guido Günther From 06-02 to 12-02:Markus Koschany From 13-02 to 19-02:Chris Lamb @@ -22,18 +22,18 @@ From 27-02 to 05-03: From 06-03 to 12-03:Markus Koschany From 13-03 to 19-03:Chris Lamb -From 20-03 to 26-03: +From 20-03 to 26-03:Ola Lundqvist From 27-03 to 02-04:Guido Günther From 03-04 to 09-04:Chris Lamb From 10-04 to 16-04:Markus Koschany -From 17-04 to 23-04: +From 17-04 to 23-04:Ola Lundqvist From 24-04 to 30-04:Thorsten Alteholz From 01-05 to 07-05:Markus Koschany From 08-05 to 14-05:Chris Lamb -From 15-05 to 21-05: +From 15-05 to 21-05:Ola Lundqvist From 22-05 to 28-05: From 29-05 to 04-06:Guido Günther -From 05-06 to 11-06: +From 05-06 to 11-06:Ola Lundqvist From 12-06 to 18-06:Chris Lamb From 19-06 to 25-06: From 26-06 to 02-07:Thorsten Alteholz 
@@ -43,23 +43,23 @@ From 24-07 to 30-07: From 31-07 to 06-08: From 07-08 to 13-08:Chris Lamb -From 14-08 to 20-08: +From 14-08 to 20-08:Ola Lundqvist From 21-08 to 27-08:Thorsten Alteholz From 28-08 to 03-09: -From 04-09 to 10-09: +From 04-09 to 10-09:Ola Lundqvist From 11-09 to 17-09:Chris Lamb From 18-09 to 24-09: From 25-09 to 01-10: -From 02-10 to 08-10: +From 02-10 to 08-10:Ola Lundqvist From 09-10 to 15-10:Chris Lamb From 16-10 to 22-10: From 23-10 to 29-10:Thorsten Alteholz From 30-10 to 05-11: -From 06-11 to 12-11: +From 06-11 to 12-11:Ola Lundqvist From 13-11 to 19-11:Chris Lamb From 20-11 to 26-11: From 27-11 to 03-12:Chris Lamb From 04-12 to 10-12:Thorsten Alteholz -From 11-12 to 17-12: +From 11-12 to 17-12:Ola Lundqvist From 18-12 to 24-12: From 25-12 to 31-12: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r47836 - in data: . CVE
Author: opal Date: 2017-01-08 22:13:07 + (Sun, 08 Jan 2017) New Revision: 47836 Modified: data/CVE/list data/dla-needed.txt Log: Some notes after investigation. Modified: data/CVE/list === --- data/CVE/list 2017-01-08 21:33:56 UTC (rev 47835) +++ data/CVE/list 2017-01-08 22:13:07 UTC (rev 47836) @@ -12737,7 +12737,10 @@ RESERVED CVE-2016-9318 (libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and ...) - libxml2 (bug #844581) - NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=772726 + NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=772726#c15 + NOTE: tentative patch available but not blessed by upstream yet (2016-12-13) + NOTE: For stable and oldstable it is probably not worth the effort to fix this problem. + NOTE: The reason is that the correction is to introduce a new option that can be specified if this new behaviour is wanted. It is not enforced by default. CVE-2016-9317 RESERVED CVE-2016-9316 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-08 21:33:56 UTC (rev 47835) +++ data/dla-needed.txt 2017-01-08 22:13:07 UTC (rev 47836) @@ -48,6 +48,7 @@ jasper (Thorsten Alteholz) -- jbig2dec + NOTE: No known solution as of 2017-01-08. -- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. @@ -64,8 +65,6 @@ NOTE: could be backported (2016-12-13) -- libxml2 - NOTE: tentative patch available but not blessed by upstream yet (2016-12-13) - NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=772726#c15 -- linux NOTE: if CVE-2016-8649 (lxc issue) is to be fixed in wheezy, it ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
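Review bot: the last hunk of data/dla-needed.txt strips both NOTE lines from "libxml2" but leaves the package listed, while the notes added to data/CVE/list say a fix is probably not worth the effort. Drop "libxml2" from dla-needed.txt in the same commit or keep a one-line NOTE pointing at CVE-2016-9318. The last NOTE added in data/CVE/list also runs far past the width of the lines around it and should be wrapped.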
[Secure-testing-commits] r47837 - in data: . CVE
Author: opal Date: 2017-01-08 22:24:56 + (Sun, 08 Jan 2017) New Revision: 47837 Modified: data/CVE/list data/dla-needed.txt Log: Mark CVE-2016-8649 no-dsa just as for jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-08 22:13:07 UTC (rev 47836) +++ data/CVE/list 2017-01-08 22:24:56 UTC (rev 47837) @@ -14828,6 +14828,7 @@ RESERVED - lxc 1:2.0.6-1 (bug #845465) [jessie] - lxc (Minor issue) + [wheezy] - lxc (Minor issue) NOTE: Fixed by: https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c NOTE: Details: https://launchpad.net/bugs/1639345 NOTE: To be complete this needs as well changes to src:linux Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-08 22:13:07 UTC (rev 47836) +++ data/dla-needed.txt 2017-01-08 22:24:56 UTC (rev 47837) @@ -67,13 +67,7 @@ libxml2 -- linux - NOTE: if CVE-2016-8649 (lxc issue) is to be fixed in wheezy, it - NOTE: needs changes in linux as well. -- -lxc - NOTE: A privilege escalation of this should be seen as a problem. - NOTE: this was marked no-dsa in jessie, and requires changes to linux --- ming (Balint Reczey) NOTE: No upstream fix yet (2016-11-15) for any of the CVEs: NOTE: https://github.com/libming/libming/issues/51 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
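Review bot: the removed "lxc" NOTE said a privilege escalation should be seen as a problem, and what replaces it in data/CVE/list is only "[wheezy] - lxc (Minor issue)", with no reason recorded for the change of assessment beyond the log's "just as for jessie". Add a NOTE with the reasoning. The entry still states that a complete fix needs changes to src:linux, and the "linux" entry in dla-needed.txt loses that cross-reference in this same commit.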
[Secure-testing-commits] r48003 - data
Author: opal Date: 2017-01-13 21:13:57 + (Fri, 13 Jan 2017) New Revision: 48003 Modified: data/dla-needed.txt Log: The CVE was reassigned to another package. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-13 21:10:23 UTC (rev 48002) +++ data/dla-needed.txt 2017-01-13 21:13:57 UTC (rev 48003) @@ -21,8 +21,6 @@ botan1.10 (Hugo Lefeuvre) NOTE: Jessie has almost identical code. Looks hard to exploit but worth fixing. -- -ghostscript --- graphicsmagick NOTE: seems only a single memory/CPU DOS at this point, maybe wait for more issues? NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next upload. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48004 - in data: . CVE
Author: opal Date: 2017-01-13 21:22:41 + (Fri, 13 Jan 2017) New Revision: 48004 Modified: data/CVE/list data/dla-needed.txt Log: Marking CVE-2016-9318 as no-dsa for wheezy. No-one objected to my statement. Modified: data/CVE/list === --- data/CVE/list 2017-01-13 21:13:57 UTC (rev 48003) +++ data/CVE/list 2017-01-13 21:22:41 UTC (rev 48004) @@ -13152,6 +13152,7 @@ RESERVED CVE-2016-9318 (libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and ...) - libxml2 (bug #844581) + [wheezy] - libxml2 (Minor issue) NOTE: Upstream Bug: https://bugzilla.gnome.org/show_bug.cgi?id=772726 NOTE: Tentative patch available but not blessed by upstream yet (2016-12-13) (cf. comment #15) NOTE: For wheezy it is probably not worth the effort to fix this problem. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-13 21:13:57 UTC (rev 48003) +++ data/dla-needed.txt 2017-01-13 21:22:41 UTC (rev 48004) @@ -57,8 +57,6 @@ NOTE: no upstream fix yet for expand_external_ents but new no_xxe flag in 3.50 NOTE: could be backported (2016-12-13) -- -libxml2 --- linux -- ming (Balint Reczey) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48005 - in data: . CVE
Author: opal Date: 2017-01-13 21:28:02 + (Fri, 13 Jan 2017) New Revision: 48005 Modified: data/CVE/list data/dla-needed.txt Log: Marked as no-dsa following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-13 21:22:41 UTC (rev 48004) +++ data/CVE/list 2017-01-13 21:28:02 UTC (rev 48005) @@ -335,6 +335,7 @@ CVE-2017- [multiple new security issues] - w3m 0.5.3-34 (bug #850432) [jessie] - w3m (Minor issues) + [wheezy] - w3m (Minor issues) CVE-2016-10134 [SQL injection vulnerabilities in "Latest data"] - zabbix 1:3.0.4+dfsg-1 (bug #850936) NOTE: https://support.zabbix.com/browse/ZBX-11023 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-13 21:22:41 UTC (rev 48004) +++ data/dla-needed.txt 2017-01-13 21:28:02 UTC (rev 48005) @@ -100,8 +100,6 @@ NOTE: Please work in the git repo accessible to all DD (branch master-wheezy): NOTE: https://anonscm.debian.org/cgit/collab-maint/tiff.git/log/?id=refs/heads/master-wheezy -- -w3m --- xrdp NOTE: Dominik George (maintainer) will take care of the issue: NOTE: https://lists.debian.org/debian-lts/2016/12/msg00135.html ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48006 - data
Author: opal Date: 2017-01-13 21:31:26 + (Fri, 13 Jan 2017) New Revision: 48006 Modified: data/dla-needed.txt Log: Claiming icoutils. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-13 21:28:02 UTC (rev 48005) +++ data/dla-needed.txt 2017-01-13 21:31:26 UTC (rev 48006) @@ -27,7 +27,7 @@ NOTE: Incomplete/Incorrect fix as per https://lists.debian.org/debian-lts/2016/12/msg00077.html NOTE: Subject of announce mail also contained typo (DLA-574-1 vs. DLA-547-1) -- -icoutils +icoutils (Ola Lundqvist) -- ikiwiki NOTE: The maintainer (Simon) think we shall de-prioritize this one until we ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48007 - data/CVE
Author: opal Date: 2017-01-13 21:40:35 + (Fri, 13 Jan 2017) New Revision: 48007 Modified: data/CVE/list Log: Added a small note about icoutils. Modified: data/CVE/list === --- data/CVE/list 2017-01-13 21:31:26 UTC (rev 48006) +++ data/CVE/list 2017-01-13 21:40:35 UTC (rev 48007) @@ -884,6 +884,7 @@ NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a NOTE: CVE for "the separate vulnerability fixed by the introduction of the "size >= sizeof(uint16_t)*2" test in NOTE: 1a108713ac26215c7568353f6e02e727e6d4b24a" + NOTE: http://seclists.org/oss-sec/2017/q1/56 CVE-2017-5332 RESERVED - icoutils 0.31.1-1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48062 - in data: . CVE
Author: opal Date: 2017-01-14 19:46:38 + (Sat, 14 Jan 2017) New Revision: 48062 Modified: data/CVE/list data/dla-needed.txt Log: Marking CVE-2016-10062 no-dsa for wheezy following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-14 18:52:04 UTC (rev 48061) +++ data/CVE/list 2017-01-14 19:46:38 UTC (rev 48062) @@ -12670,6 +12670,7 @@ RESERVED - imagemagick (bug #849439) [jessie] - imagemagick (Minor issue) + [wheezy] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/196 NOTE: https://github.com/ImageMagick/ImageMagick/issues/352 NOTE: http://www.openwall.com/lists/oss-security/2016/12/20/3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-14 18:52:04 UTC (rev 48061) +++ data/dla-needed.txt 2017-01-14 19:46:38 UTC (rev 48062) @@ -34,10 +34,6 @@ NOTE: have got information from the stable security team. The problem is not NOTE: very important according to the maintainer. -- -imagemagick - NOTE: still no fix for CVE-2016-10062 - NOTE: see the git repo --- jasper (Thorsten Alteholz) -- jbig2dec ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48139 - in data: . DLA
Author: opal Date: 2017-01-17 20:40:37 + (Tue, 17 Jan 2017) New Revision: 48139 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-789-1 for icoutils Modified: data/DLA/list === --- data/DLA/list 2017-01-17 20:24:09 UTC (rev 48138) +++ data/DLA/list 2017-01-17 20:40:37 UTC (rev 48139) @@ -1,3 +1,6 @@ +[17 Jan 2017] DLA-789-1 icoutils - security update + {CVE-2017-5208 CVE-2017-5331 CVE-2017-5332 CVE-2017-5333} + [wheezy] - icoutils 0.29.1-5deb7u1 [16 Jan 2017] DLA-788-1 pdns-recursor - security update {CVE-2016-9139} [wheezy] - pdns-recursor 3.3-3+deb7u2 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-17 20:24:09 UTC (rev 48138) +++ data/dla-needed.txt 2017-01-17 20:40:37 UTC (rev 48139) @@ -25,8 +25,6 @@ NOTE: Subject of announce mail also contained typo (DLA-574-1 vs. DLA-547-1) NOTE: update available for testing in: https://lists.debian.org/87inpe4wgu@curie.anarc.at -- -icoutils (Ola Lundqvist) --- ikiwiki NOTE: The maintainer (Simon) think we shall de-prioritize this one until we NOTE: have got information from the stable security team. The problem is not ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
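Review bot: the version in "[wheezy] - icoutils 0.29.1-5deb7u1" has no "+" before "deb7u1", unlike "3.3-3+deb7u2" on the pdns-recursor entry just below it. Check it against the uploaded package; if the upload is versioned with "+deb7u1", this entry will not match what is in the archive.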
[Secure-testing-commits] r48240 - in data: . CVE
Author: opal Date: 2017-01-20 21:50:34 + (Fri, 20 Jan 2017) New Revision: 48240 Modified: data/CVE/list data/dla-needed.txt Log: Mark as no-dsa just as in jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-20 21:46:27 UTC (rev 48239) +++ data/CVE/list 2017-01-20 21:50:34 UTC (rev 48240) @@ -4276,6 +4276,7 @@ RESERVED - chicken (low; bug #851278) [jessie] - chicken (Minor issue) + [wheezy] - chicken (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2016/12/14/18 NOTE: https://github.com/ashinn/irregex/commit/a16ffc86eca15fca9e40607d41de3cea9cf868f1 NOTE: For chicken vulnerable code in ./irregex-core.scm Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-20 21:46:27 UTC (rev 48239) +++ data/dla-needed.txt 2017-01-20 21:50:34 UTC (rev 48240) @@ -15,9 +15,6 @@ -- bind9 (Thorsten Alteholz) -- -chicken - NOTE: I would set this as like in Jessie, but please recheck --- graphicsmagick (Antoine Beaupré) NOTE: seems only a single memory/CPU DOS at this point, maybe wait for more issues? NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next upload. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48288 - data
Author: opal Date: 2017-01-22 21:36:49 + (Sun, 22 Jan 2017) New Revision: 48288 Modified: data/dla-needed.txt Log: Claiming php-gettext. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-22 21:31:14 UTC (rev 48287) +++ data/dla-needed.txt 2017-01-22 21:36:49 UTC (rev 48288) @@ -85,7 +85,7 @@ WIP in git: git clone git.debian.org:/git/collab-maint/debian-lts/php5.git -b debian/wheezy Left some status notes in the changelog. -- -php-gettext +php-gettext (Ola Lundqvist) -- potrace (Hugo Lefeuvre) NOTE: Try to reproduce CVE-2016-8685/cherry pick the patch from Stretch. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48291 - data/CVE
Author: opal Date: 2017-01-22 21:48:53 + (Sun, 22 Jan 2017) New Revision: 48291 Modified: data/CVE/list Log: Marking CVE-2016-6175 as no-dsa for wheezy. Modified: data/CVE/list === --- data/CVE/list 2017-01-22 21:43:57 UTC (rev 48290) +++ data/CVE/list 2017-01-22 21:48:53 UTC (rev 48291) @@ -24509,6 +24509,7 @@ CVE-2016-6175 RESERVED - php-gettext (bug #851771) + [wheezy] - php-gettext (Minor issue) NOTE: https://bugs.launchpad.net/php-gettext/+bug/1606184 NOTE: https://kmkz-web-blog.blogspot.cz/2016/07/advisory-cve-2016-6175.html CVE-2016-6174 (applications/core/modules/front/system/content.php in Invision Power ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48308 - data
Author: opal Date: 2017-01-23 20:32:09 + (Mon, 23 Jan 2017) New Revision: 48308 Modified: data/dla-needed.txt Log: Added some more packages to dla-needed. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-23 20:30:54 UTC (rev 48307) +++ data/dla-needed.txt 2017-01-23 20:32:09 UTC (rev 48308) @@ -15,6 +15,13 @@ -- bind9 (Thorsten Alteholz) -- +cgiemail +-- +glassfish + NOTE: Needs further triaging as there is very little information on many of + NOTE: the issues. However one of them looks like a major problem so the + NOTE: package needs a DLA. +-- graphicsmagick (Antoine Beaupré) NOTE: seems only a single memory/CPU DOS at this point, maybe wait for more issues? NOTE: DLA-547-1 also did not fix CVE-2016-5240 so should be included in next upload. @@ -37,6 +44,8 @@ NOTE: No known solution as of 2017-01-20. NOTE: 2017-01-20: Pinged upstream: https://bugs.ghostscript.com/show_bug.cgi?id=697457#c4 -- +kbg-bot +-- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) @@ -98,6 +107,10 @@ NOTE: Please work in the git repo accessible to all DD (branch master-wheezy): NOTE: https://anonscm.debian.org/cgit/collab-maint/tiff.git/log/?id=refs/heads/master-wheezy -- +qemu + NOTE: Need further triaging as some of the issues looks minor. However at + NOTE: least one issue looks major so it needs a DLA. +-- wordpress -- xen ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
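Review bot: "kbg-bot" in the second hunk looks like a misspelling of the package name (r48309 renames it to "kgb-bot"), and "qemu" in the last hunk is inserted between the tiff notes and "wordpress", out of the list's alphabetical order. "cgiemail" and "kbg-bot" also arrive with no NOTE or CVE id, unlike "glassfish" and "qemu" in the same commit.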
[Secure-testing-commits] r48309 - data
Author: opal Date: 2017-01-23 21:03:36 + (Mon, 23 Jan 2017) New Revision: 48309 Modified: data/dla-needed.txt Log: Further triaging done. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-23 20:32:09 UTC (rev 48308) +++ data/dla-needed.txt 2017-01-23 21:03:36 UTC (rev 48309) @@ -44,7 +44,7 @@ NOTE: No known solution as of 2017-01-20. NOTE: 2017-01-20: Pinged upstream: https://bugs.ghostscript.com/show_bug.cgi?id=697457#c4 -- -kbg-bot +kgb-bot -- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. @@ -63,6 +63,8 @@ -- linux -- +mcollective +-- ming (Balint Reczey) NOTE: No upstream fix yet (2016-11-15) for any of the CVEs: NOTE: https://github.com/libming/libming/issues/51 @@ -111,6 +113,8 @@ NOTE: Need further triaging as some of the issues looks minor. However at NOTE: least one issue looks major so it needs a DLA. -- +qemu-kvm +-- wordpress -- xen ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48432 - data/CVE
Author: opal Date: 2017-01-26 20:07:44 + (Thu, 26 Jan 2017) New Revision: 48432 Modified: data/CVE/list Log: Marking CVE-2017-5495 for quagga as no-dsa following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-26 19:56:55 UTC (rev 48431) +++ data/CVE/list 2017-01-26 20:07:44 UTC (rev 48432) @@ -397,6 +397,7 @@ CVE-2017-5495 (All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an ...) - quagga (bug #852454) [jessie] - quagga (Minor issue) + [wheezy] - quagga (Minor issue) NOTE: http://savannah.nongnu.org/forum/forum.php?forum_id=8783 NOTE: http://mirror.easyname.at/nongnu//quagga/quagga-1.1.1.changelog.txt NOTE: Fixed by: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=b7ceefea77a246fe5c1dcd1b91bf6079d1b97c02 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48433 - data
Author: opal Date: 2017-01-26 20:18:24 + (Thu, 26 Jan 2017) New Revision: 48433 Modified: data/dla-needed.txt Log: Openjdk need a dla. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-26 20:07:44 UTC (rev 48432) +++ data/dla-needed.txt 2017-01-26 20:18:24 UTC (rev 48433) @@ -50,6 +50,8 @@ NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) -- +libgd2 +-- libical NOTE: No known solution as of 2017-01-16. -- @@ -68,6 +70,8 @@ mysql-connector-python NOTE: see http://bugs.debian.org/841677 for current discussion -- +openjdk-7 +-- openssl NOTE: jessie is marked as the issue is minor enough to wait NOTE: for the next round of updates (last check: 2017-01-16) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
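Review bot: the log mentions only Openjdk, but the first hunk also adds "libgd2" to data/dla-needed.txt. Mention it in the log or commit it separately, and give both new entries a NOTE with the CVE ids that triggered them.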
[Secure-testing-commits] r48461 - data/CVE
Author: opal Date: 2017-01-27 21:22:07 + (Fri, 27 Jan 2017) New Revision: 48461 Modified: data/CVE/list Log: Marking CVE-2015-8980 as no-dsa following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-01-27 21:21:08 UTC (rev 48460) +++ data/CVE/list 2017-01-27 21:22:07 UTC (rev 48461) @@ -4851,6 +4851,7 @@ RESERVED - php-gettext (bug #851770) [jessie] - php-gettext (Minor issue) + [wheezy] - php-gettext (Minor issue) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: For phpmyadmin, unimportant, since embeds lib but does not use in exploitable way NOTE: http://seclists.org/fulldisclosure/2016/Aug/76 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48462 - data
Author: opal Date: 2017-01-27 21:35:17 + (Fri, 27 Jan 2017) New Revision: 48462 Modified: data/dla-needed.txt Log: Removed php-gettext as both CVEs were marked as no-dsa. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-27 21:22:07 UTC (rev 48461) +++ data/dla-needed.txt 2017-01-27 21:35:17 UTC (rev 48462) @@ -76,8 +76,6 @@ NOTE: jessie is marked as the issue is minor enough to wait NOTE: for the next round of updates (last check: 2017-01-16) -- -php-gettext (Ola Lundqvist) --- php5 (Roberto C. Sánchez) Next upload: ASAP (we're behind jessie) WIP in git: git clone git.debian.org:/git/collab-maint/debian-lts/php5.git -b debian/wheezy ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48463 - data/CVE
Author: opal Date: 2017-01-27 21:41:19 + (Fri, 27 Jan 2017) New Revision: 48463 Modified: data/CVE/list Log: Marked tiff issue as not reproducible as the previous fix was not necesary. Modified: data/CVE/list === --- data/CVE/list 2017-01-27 21:35:17 UTC (rev 48462) +++ data/CVE/list 2017-01-27 21:41:19 UTC (rev 48463) @@ -7208,6 +7208,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2014/11/03/5 CVE-2016- [heap-based buffer overflow in TIFFFillStrip (tif_read.c)] - tiff 4.0.7-2 (bug #846837) + [wheezy] - tiff3 (Unreproducible) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608 NOTE: https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 CVE-2016- [tiffcrop: divide-by-zero in readSeparateStripsIntoBuffer when BitsPerSample is missing] ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
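Review bot: The rationale for the new "[wheezy] - tiff3 (Unreproducible)" line in the @@ -7208,6 +7208,7 @@ hunk exists only in the log message ("the previous fix was not necesary"), and the log says "tiff" where the entry is for tiff3. Add a NOTE under the entry saying what was tested on the wheezy tiff3 package, so that the Unreproducible tag can be re-checked from data/CVE/list alone.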
[Secure-testing-commits] r48484 - data
Author: opal Date: 2017-01-28 20:04:06 + (Sat, 28 Jan 2017) New Revision: 48484 Modified: data/dla-needed.txt Log: Tcpdump need an update. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-28 20:02:08 UTC (rev 48483) +++ data/dla-needed.txt 2017-01-28 20:04:06 UTC (rev 48484) @@ -88,6 +88,10 @@ -- slurm-llnl -- +tcpdump + NOTE: I can prepare packages for wheezy as well if you need, but I'm not yet + NOTE: familiar with how to get them uploaded to wheezy-lts. +-- qemu (Guido Günther) NOTE: Need further triaging as some of the issues looks minor. However at NOTE: least one issue looks major so it needs a DLA. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
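Review bot: The two NOTE lines added under tcpdump in the @@ -88,6 +88,10 @@ hunk are written in the first person ("I can prepare packages for wheezy as well if you need, but I'm not yet familiar with ...") and carry no name or date, so a reader of data/dla-needed.txt cannot tell who is making the offer. Sign and date the note, or rephrase it in the third person and name the person.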
[Secure-testing-commits] r48495 - in data: . CVE
Author: opal Date: 2017-01-28 21:04:20 + (Sat, 28 Jan 2017) New Revision: 48495 Modified: data/CVE/list data/dla-needed.txt Log: Some more packages needs to be worked on. Modified: data/CVE/list === --- data/CVE/list 2017-01-28 20:55:51 UTC (rev 48494) +++ data/CVE/list 2017-01-28 21:04:20 UTC (rev 48495) @@ -34553,6 +34553,7 @@ RESERVED - mongodb 1:3.2.11-1 [jessie] - mongodb (Minor issue) + [wheezy] - mongodb (Minor issue) NOTE: https://jira.mongodb.org/browse/SERVER-24378 NOTE: Marking as fixed with the first 3.x based version in unstable NOTE: This issue though affect only 2.4 (and possibly older), or 2.6 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-28 20:55:51 UTC (rev 48494) +++ data/dla-needed.txt 2017-01-28 21:04:20 UTC (rev 48495) @@ -18,6 +18,8 @@ -- cgiemail -- +calibre +-- glassfish NOTE: Needs further triaging as there is very little information on many of NOTE: the issues. However one of them looks like a major problem so the @@ -67,6 +69,8 @@ -- mcollective -- +mysql-5.5 +-- mysql-connector-python NOTE: see http://bugs.debian.org/841677 for current discussion -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
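Review bot: The data/CVE/list hunk (@@ -34553,6 +34553,7 @@) marks mongodb as "Minor issue" for wheezy, which the log message "Some more packages needs to be worked on" does not cover and which is the opposite kind of decision from the calibre and mysql-5.5 additions. Mention it in the log or commit it separately. In the @@ -18,6 +18,8 @@ hunk, calibre is inserted after cgiemail; if the list is meant to stay alphabetical it belongs before it.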
[Secure-testing-commits] r48496 - in data: . CVE
Author: opal Date: 2017-01-28 21:12:31 + (Sat, 28 Jan 2017) New Revision: 48496 Modified: data/CVE/list data/dla-needed.txt Log: Found some more after triaging. Modified: data/CVE/list === --- data/CVE/list 2017-01-28 21:04:20 UTC (rev 48495) +++ data/CVE/list 2017-01-28 21:12:31 UTC (rev 48496) @@ -7260,6 +7260,7 @@ CVE-2016- [heap-based buffer overflow in TIFFFillStrip (tif_read.c)] - tiff 4.0.7-2 (bug #846837) [wheezy] - tiff3 (Unreproducible) +[wheezy] - tiff 4.0.2-6+deb7u9 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2608 NOTE: https://github.com/vadz/libtiff/commit/9a72a69e035ee70ff5c41541c8c61cd97990d018 CVE-2016- [tiffcrop: divide-by-zero in readSeparateStripsIntoBuffer when BitsPerSample is missing] Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-28 21:04:20 UTC (rev 48495) +++ data/dla-needed.txt 2017-01-28 21:12:31 UTC (rev 48496) @@ -92,6 +92,8 @@ -- slurm-llnl -- +svgsalamander +-- tcpdump NOTE: I can prepare packages for wheezy as well if you need, but I'm not yet NOTE: familiar with how to get them uploaded to wheezy-lts. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
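Review bot: The added line "+[wheezy] - tiff 4.0.2-6+deb7u9" in the data/CVE/list hunk (@@ -7260,6 +7260,7 @@) has no indentation after the "+", unlike the "+ [wheezy] - tiff3 (Unreproducible)" line added in r48463. Indent it like the other sub-entries of this CVE so that it is read as part of the same entry. The log message "Found some more after triaging" also does not mention that a fixed version is being recorded for tiff.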
[Secure-testing-commits] r48497 - data
Author: opal Date: 2017-01-28 21:13:06 + (Sat, 28 Jan 2017) New Revision: 48497 Modified: data/dla-needed.txt Log: Wireshark also need some more work. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-28 21:12:31 UTC (rev 48496) +++ data/dla-needed.txt 2017-01-28 21:13:06 UTC (rev 48497) @@ -104,6 +104,8 @@ -- qemu-kvm (Guido Günther) -- +wireshark +-- wordpress (Markus Koschany) -- xen ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48498 - data
Author: opal Date: 2017-01-28 21:16:55 + (Sat, 28 Jan 2017) New Revision: 48498 Modified: data/dla-needed.txt Log: Further information added. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-28 21:13:06 UTC (rev 48497) +++ data/dla-needed.txt 2017-01-28 21:16:55 UTC (rev 48498) @@ -19,6 +19,9 @@ cgiemail -- calibre + NOTE: We will need to investigate the issue much further. + NOTE: In particular, it seems likely that there are more undocumented but + NOTE: public security issues in Calibre. See for example bug #853004. -- glassfish NOTE: Needs further triaging as there is very little information on many of ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48539 - data
Author: opal Date: 2017-01-29 20:35:01 + (Sun, 29 Jan 2017) New Revision: 48539 Modified: data/dla-needed.txt Log: Need a DLA. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-29 18:40:07 UTC (rev 48538) +++ data/dla-needed.txt 2017-01-29 20:35:01 UTC (rev 48539) @@ -89,6 +89,8 @@ NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not NOTE: a bug (see #843861). -- +ruby-archive-tar-minitar +-- slurm-llnl NOTE: the patch from upstream uses new members of the struct batch_job_launch_msg_t NOTE: from my point of view backporting the introduction of these new members to this old ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48579 - in data: . DLA
Author: opal Date: 2017-01-30 22:03:48 + (Mon, 30 Jan 2017) New Revision: 48579 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-809-1 for tcpdump Modified: data/DLA/list === --- data/DLA/list 2017-01-30 21:22:09 UTC (rev 48578) +++ data/DLA/list 2017-01-30 22:03:48 UTC (rev 48579) @@ -1,3 +1,6 @@ +[30 Jan 2017] DLA-809-1 tcpdump - security update + {CVE-2016-7922 CVE-2016-7923 CVE-2016-7924 CVE-2016-7925 CVE-2016-7926 CVE-2016-7927 CVE-2016-7928 CVE-2016-7929 CVE-2016-7930 CVE-2016-7931 CVE-2016-7932 CVE-2016-7933 CVE-2016-7934 CVE-2016-7935 CVE-2016-7936 CVE-2016-7937 CVE-2016-7938 CVE-2016-7939 CVE-2016-7940 CVE-2016-7973 CVE-2016-7974 CVE-2016-7975 CVE-2016-7983 CVE-2016-7984 CVE-2016-7985 CVE-2016-7986 CVE-2016-7992 CVE-2016-7993 CVE-2016-8574 CVE-2016-8575 CVE-2017-5202 CVE-2017-5203 CVE-2017-5204 CVE-2017-5205 CVE-2017-5341 CVE-2017-5342 CVE-2017-5482 CVE-2017-5483 CVE-2017-5484 CVE-2017-5485 CVE-2017-5486} + [wheezy] - tcpdump 4.9.0-1~deb7u1 [30 Jan 2017] DLA-808-1 ruby-archive-tar-minitar - security update {CVE-2016-10173} [wheezy] - ruby-archive-tar-minitar 0.5.2-2+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-01-30 21:22:09 UTC (rev 48578) +++ data/dla-needed.txt 2017-01-30 22:03:48 UTC (rev 48579) @@ -98,10 +98,6 @@ -- svgsalamander -- -tcpdump - NOTE: I can prepare packages for wheezy as well if you need, but I'm not yet - NOTE: familiar with how to get them uploaded to wheezy-lts. --- qemu (Guido Günther) NOTE: Need further triaging as some of the issues looks minor. However at NOTE: least one issue looks major so it needs a DLA. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48867 - data/CVE
Author: opal Date: 2017-02-12 22:15:44 + (Sun, 12 Feb 2017) New Revision: 48867 Modified: data/CVE/list Log: Updated tigervnc version info. Modified: data/CVE/list === --- data/CVE/list 2017-02-12 21:53:35 UTC (rev 48866) +++ data/CVE/list 2017-02-12 22:15:44 UTC (rev 48867) @@ -258,7 +258,7 @@ RESERVED CVE-2016-10207 [tigervnc: vnc server can crash when TLS handshake terminates early] RESERVED - - tigervnc + - tigervnc 1.7.0-1 NOTE: https://github.com/TigerVNC/tigervnc/commit/8aa4bc53206c2430bbf0c8f4b642f59a379ee649 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1023012 CVE-2016-10200 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49310 - in data: . CVE
Author: opal Date: 2017-02-28 20:48:50 + (Tue, 28 Feb 2017) New Revision: 49310 Modified: data/CVE/list data/dla-needed.txt Log: Some investigation results. Modified: data/CVE/list === --- data/CVE/list 2017-02-28 19:55:45 UTC (rev 49309) +++ data/CVE/list 2017-02-28 20:48:50 UTC (rev 49310) @@ -114438,6 +114438,7 @@ CVE-2013-1430 (An issue was discovered in xrdp before 0.9.1. When successfully logging ...) - xrdp 0.9.1~2016121126+git5171fa7-1 [jessie] - xrdp (Minor issue) + [wheezy] - xrdp (Minor issue) NOTE: https://github.com/neutrinolabs/xrdp/pull/497 NOTE: When successfully logging in using RDP into a xrdp session, the file NOTE: ~/.vnc/sesman_${username}_passwd is created. Its content is the Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-02-28 19:55:45 UTC (rev 49309) +++ data/dla-needed.txt 2017-02-28 20:48:50 UTC (rev 49310) @@ -64,7 +64,7 @@ libreoffice (Balint Reczey) -- libxml-twig-perl - NOTE: no upstream fix yet (as of 2017-01-20) for expand_external_ents + NOTE: no upstream fix yet (as of 2017-02-28) for expand_external_ents NOTE: but new no_xxe flag in 3.50 that could be backported NOTE: 2016-12-13: Upstream ping here: https://rt.cpan.org/Public/Bug/Display.html?id=118097#txn-1690223 NOTE: 2017-01-20: Ping upstream by private email -- Raphael Hertzog @@ -118,10 +118,6 @@ -- xen -- -xrdp - NOTE: Dominik George (maintainer) will take care of the issue: - NOTE: https://lists.debian.org/debian-lts/2016/12/msg00135.html --- zoneminder -- zziplib ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
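Review bot: The log message "Some investigation results" does not say what was found, while the commit makes three separate decisions: xrdp is marked "Minor issue" for wheezy in data/CVE/list (@@ -114438,6 +114438,7 @@), the libxml-twig-perl "as of" date is moved to 2017-02-28 (@@ -64,7 +64,7 @@), and the xrdp entry is dropped from data/dla-needed.txt (@@ -118,10 +118,6 @@). State in the log that xrdp is removed because CVE-2013-1430 is now marked minor. The removed NOTE pointed at the debian-lts thread in which the maintainer took the issue, and that pointer is not carried over to the CVE entry.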
[Secure-testing-commits] r49311 - data
Author: opal Date: 2017-02-28 20:56:30 + (Tue, 28 Feb 2017) New Revision: 49311 Modified: data/dla-needed.txt Log: Minor update after checking. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-02-28 20:48:50 UTC (rev 49310) +++ data/dla-needed.txt 2017-02-28 20:56:30 UTC (rev 49311) @@ -76,7 +76,7 @@ mcollective -- mp3splt - NOTE: 2017-02-25: No patch available. Reproducer doesn't work with Debian + NOTE: 2017-02-28: No patch available. Reproducer doesn't work with Debian NOTE: packages (tested on Stretch, Jessie and Wheezy). It's claimed to NOTE: work with build flag '-fsanitize=address', which I wasn't able to NOTE: verify either. For more details, see the discussion at ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
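Review bot: The changed line in the @@ -76,7 +76,7 @@ hunk only rewrites the date prefix (2017-02-25 to 2017-02-28) of a first-person note ("which I wasn't able to verify either"), so the note now reads as if the original tests were run on 2017-02-28. Leave the original date in place and append a new dated NOTE line such as "2017-02-28: still no patch available", signed by whoever re-checked.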
[Secure-testing-commits] r49312 - in data: . CVE
Author: opal Date: 2017-02-28 21:04:54 + (Tue, 28 Feb 2017) New Revision: 49312 Modified: data/CVE/list data/dla-needed.txt Log: Marked a few CVEs as no-dsa for wheezy following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-02-28 20:56:30 UTC (rev 49311) +++ data/CVE/list 2017-02-28 21:04:54 UTC (rev 49312) @@ -1890,6 +1890,7 @@ CVE-2017- [podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)] - libpodofo (bug #854605) [jessie] - libpodofo (Minor issue) + [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/ NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2017/02/02/21 
@@ -1897,30 +1898,35 @@ RESERVED - libpodofo 0.9.4-1 (bug #854599) [jessie] - libpodofo (Minor issue) + [wheezy] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/ NOTE: https://sourceforge.net/p/podofo/code/1672 CVE-2017-5855 [NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection] RESERVED - libpodofo (bug #854603) [jessie] - libpodofo (Minor issue) + [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5854 [NULL pointer dereference in PdfOutputStream.cpp] RESERVED - libpodofo (bug #854602) [jessie] - libpodofo (Minor issue) + [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5853 [Signed integer overflow in PdfParser.cpp] RESERVED - libpodofo (bug #854601) [jessie] - libpodofo (Minor issue) + [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5852 [Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject] RESERVED - libpodofo (bug #854600) [jessie] - libpodofo (Minor issue) + [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5849 [Out-of-Bound read and write issues in put1bitbwtile() and putgreytile()] Modified: data/dla-needed.txt === --- data/dla-needed.txt 
2017-02-28 20:56:30 UTC (rev 49311) +++ data/dla-needed.txt 2017-02-28 21:04:54 UTC (rev 49312) @@ -52,11 +52,7 @@ NOTE: Pinged on 2017-02-06 https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby) -- libpodofo - NOTE: CVE-2017-5854 does not crash but the NULL check is missing - NOTE: CVE-2017-5855 does not crash since the Wheezy code being different - NOTE: CVE-2017-5852, CVE-2017-5853 crash in Wheezy - NOTE: CVE-2015-8981 Wheezy is affected, patch is straightforward. - NOTE: 20170226: No patches available for other issues. + NOTE: 20170226: No patches available. -- libquicktime (Balint Reczey) NOTE: added 2017-02-25, please give maintainer some time to respond ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
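Review bot: The data/dla-needed.txt hunk (@@ -52,11 +52,7 @@) deletes the per-CVE wheezy findings for libpodofo, including "CVE-2017-5852, CVE-2017-5853 crash in Wheezy" and "CVE-2015-8981 Wheezy is affected, patch is straightforward", and leaves only "20170226: No patches available." That replacement contradicts the removed statement about CVE-2015-8981 and keeps the old 20170226 date on text written in this commit. Move the findings into NOTE lines under the matching entries in data/CVE/list rather than dropping them, and say in the log why libpodofo stays in dla-needed.txt when the visible CVE entries are all marked "Minor issue" for wheezy.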
[Secure-testing-commits] r49314 - data/CVE
Author: opal Date: 2017-02-28 21:11:12 + (Tue, 28 Feb 2017) New Revision: 49314 Modified: data/CVE/list Log: Marked a CVE as no-dsa for wheezy following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-02-28 21:10:11 UTC (rev 49313) +++ data/CVE/list 2017-02-28 21:11:12 UTC (rev 49314) @@ -974,6 +974,7 @@ CVE-2017- [XSA-207: memory leak when destroying guest without PT devices] - xen (bug #856229) [jessie] - xen (Minor issue) + [wheezy] - xen (Minor issue) NOTE: https://xenbits.xen.org/xsa/advisory-207.html CVE-2017-5994 [out-of-bounds access in vrend_create_vertex_elements_state] RESERVED ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49350 - data
Author: opal Date: 2017-03-01 22:38:06 + (Wed, 01 Mar 2017) New Revision: 49350 Modified: data/dla-needed.txt Log: Claiming icoutils. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-01 22:03:02 UTC (rev 49349) +++ data/dla-needed.txt 2017-03-01 22:38:06 UTC (rev 49350) @@ -32,7 +32,7 @@ NOTE: maintainer currenlty planx to rename to thunderbird with the next NOTE: upstream version (#851989). Jessie / Wheezy should do the same. -- -icoutils +icoutils (Ola Lundqvist) NOTE: added 2017-02-25, please give maintainer some time to respond -- jasper (Thorsten Alteholz) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49523 - data
Author: opal Date: 2017-03-08 22:26:06 + (Wed, 08 Mar 2017) New Revision: 49523 Modified: data/dla-needed.txt Log: Added some information about zziplib. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-08 22:10:56 UTC (rev 49522) +++ data/dla-needed.txt 2017-03-08 22:26:06 UTC (rev 49523) @@ -143,4 +143,5 @@ -- zziplib NOTE: added 2017-02-25, please give maintainer some time to respond + NOTE: No patch available 2017-03-08. -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49654 - in data: . DLA
Author: opal Date: 2017-03-13 19:59:31 + (Mon, 13 Mar 2017) New Revision: 49654 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-854-1 for icoutils Modified: data/DLA/list === --- data/DLA/list 2017-03-13 19:25:22 UTC (rev 49653) +++ data/DLA/list 2017-03-13 19:59:31 UTC (rev 49654) @@ -1,3 +1,6 @@ +[13 Mar 2017] DLA-854-1 icoutils - security update + {CVE-2017-6009 CVE-2017-6010 CVE-2017-6011} + [wheezy] - icoutils 0.29.1-5deb7u2 [11 Mar 2017] DLA-853-1 pidgin - security update {CVE-2017-2640} [wheezy] - pidgin 2.10.10-1~deb7u3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-13 19:25:22 UTC (rev 49653) +++ data/dla-needed.txt 2017-03-13 19:59:31 UTC (rev 49654) @@ -36,9 +36,6 @@ NOTE: maintainer currenlty planx to rename to thunderbird with the next NOTE: upstream version (#851989). Jessie / Wheezy should do the same. -- -icoutils (Ola Lundqvist) - NOTE: added 2017-02-25, please give maintainer some time to respond --- imagemagick (Roberto C. Sánchez) -- jasper (Thorsten Alteholz) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
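Review bot: The version in the added line "[wheezy] - icoutils 0.29.1-5deb7u2" of the data/DLA/list hunk has no "+" or "~" before "deb7u2", unlike "pidgin 2.10.10-1~deb7u3" directly below it. Confirm that the string matches the version of the uploaded package exactly, since this field is what the tracker compares against to decide whether wheezy is fixed.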
[Secure-testing-commits] r49689 - data
Author: opal Date: 2017-03-14 21:08:59 + (Tue, 14 Mar 2017) New Revision: 49689 Modified: data/dla-needed.txt Log: Claim audiofile and add more information on r-base. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-14 20:19:20 UTC (rev 49688) +++ data/dla-needed.txt 2017-03-14 21:08:59 UTC (rev 49689) @@ -10,7 +10,7 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- -audiofile +audiofile (Ola Lundqvist) -- bluez NOTE: I suggest to wait for more important issues. CVE-2016-7837 has a rather @@ -107,6 +107,7 @@ qemu-kvm (Guido Günther) -- r-base (Ola Lundqvist) + NOTE: Maintainer is working on a fix. At least for stable. -- radare2 (Thorsten Alteholz) -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49691 - data
Author: opal Date: 2017-03-14 21:47:54 + (Tue, 14 Mar 2017) New Revision: 49691 Modified: data/dla-needed.txt Log: Work progress update. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-14 21:10:14 UTC (rev 49690) +++ data/dla-needed.txt 2017-03-14 21:47:54 UTC (rev 49691) @@ -11,6 +11,9 @@ -- audiofile (Ola Lundqvist) + NOTE: There are quite a few CVEs so it will take a little longer time than + NOTE: an usual update. The work progress is reported here: + NOTE: http://inguza.com/report/debian-long-term-support-work-2017-march -- bluez NOTE: I suggest to wait for more important issues. CVE-2016-7837 has a rather ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49752 - in data: . DLA
Author: opal Date: 2017-03-17 21:50:04 + (Fri, 17 Mar 2017) New Revision: 49752 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-861-1 for r-base Modified: data/DLA/list === --- data/DLA/list 2017-03-17 21:10:13 UTC (rev 49751) +++ data/DLA/list 2017-03-17 21:50:04 UTC (rev 49752) @@ -1,3 +1,6 @@ +[17 Mar 2017] DLA-861-1 r-base - security update + {CVE-2016-8714} + [wheezy] - r-base 2.15.1-4+deb7u1 [17 Mar 2017] DLA-860-1 wordpress - security update {CVE-2017-6814 CVE-2017-6815 CVE-2017-6816} [wheezy] - wordpress 3.6.1+dfsg-1~deb7u14 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-17 21:10:13 UTC (rev 49751) +++ data/dla-needed.txt 2017-03-17 21:50:04 UTC (rev 49752) @@ -104,9 +104,6 @@ -- qemu-kvm (Guido Günther) -- -r-base (Ola Lundqvist) - NOTE: Maintainer is working on a fix. At least for stable. --- radare2 (Thorsten Alteholz) -- sane-backends (Jörg Frings-Fürst) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49861 - data
Author: opal Date: 2017-03-20 21:44:08 + (Mon, 20 Mar 2017) New Revision: 49861 Modified: data/dla-needed.txt Log: Added erlang to dla needed. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-20 21:10:12 UTC (rev 49860) +++ data/dla-needed.txt 2017-03-20 21:44:08 UTC (rev 49861) @@ -25,6 +25,9 @@ -- chicken -- +erlang + NOTE: Upstream was notified 2017-03-20 that the patches were not merged to master. +-- gdk-pixbuf (Emilio Pozuelo) -- git ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49862 - in data: . CVE
Author: opal Date: 2017-03-20 22:20:36 + (Mon, 20 Mar 2017) New Revision: 49862 Modified: data/CVE/list data/dla-needed.txt Log: Apng2gif input. Modified: data/CVE/list === --- data/CVE/list 2017-03-20 21:44:08 UTC (rev 49861) +++ data/CVE/list 2017-03-20 22:20:36 UTC (rev 49862) @@ -499,10 +499,13 @@ RESERVED CVE-2017-6962 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) - apng2gif (bug #854447) + NOTE: Reproduduction failed on wheezy, jessie and sid. CVE-2017-6961 (An issue was discovered in apng2gif 1.7. There is improper sanitization ...) - apng2gif (bug #854441) + NOTE: Reproduduction failed on wheezy, jessie and sid. CVE-2017-6960 (An issue was discovered in apng2gif 1.7. There ...) - apng2gif (bug #854367) + NOTE: Reproduced on wheezy, jessie and sid. CVE-2017-6959 RESERVED CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin (before ...) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-20 21:44:08 UTC (rev 49861) +++ data/dla-needed.txt 2017-03-20 22:20:36 UTC (rev 49862) @@ -10,6 +10,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +apng2gif +-- audiofile (Ola Lundqvist) NOTE: There are quite a few CVEs so it will take a little longer time than NOTE: an usual update. The work progress is reported here: ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
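Review bot: The two NOTE lines added for CVE-2017-6962 and CVE-2017-6961 in the data/CVE/list hunk (@@ -499,10 +499,13 @@) misspell "Reproduction" as "Reproduduction". The three notes also do not say which reproducer was used, so "failed" and "Reproduced" cannot be re-checked; add a pointer to the test input, for example the bug numbers already listed on each entry. The log message "Apng2gif input." does not describe the change.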
[Secure-testing-commits] r49864 - data
Author: opal Date: 2017-03-20 22:29:51 + (Mon, 20 Mar 2017) New Revision: 49864 Modified: data/dla-needed.txt Log: Putty vulnerable. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-20 22:22:41 UTC (rev 49863) +++ data/dla-needed.txt 2017-03-20 22:29:51 UTC (rev 49864) @@ -109,6 +109,8 @@ NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not NOTE: a bug (see #843861). -- +putty +-- qbittorrent -- qemu (Guido Günther) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49901 - data/CVE
Author: opal Date: 2017-03-21 19:20:18 + (Tue, 21 Mar 2017) New Revision: 49901 Modified: data/CVE/list Log: Marked as no-dsa following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-03-21 19:13:24 UTC (rev 49900) +++ data/CVE/list 2017-03-21 19:20:18 UTC (rev 49901) @@ -21,6 +21,7 @@ CVE-2017-7207 (The mem_get_bits_rectangle function in Artifex Software, Inc. ...) - ghostscript (bug #858350) [jessie] - ghostscript (Minor issue) + [wheezy] - ghostscript (Minor issue) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=309eca4e0a31ea70dcc844812691439312dad091 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697676 CVE-2017-7206 (The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows ...) @@ -4117,6 +4118,7 @@ RESERVED - libapache-poi-java (bug #858301) [jessie] - libapache-poi-java (Minor issue) + [wheezy] - libapache-poi-java (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/03/20/9 CVE-2017-5643 (Apache Camel's Validation Component is vulnerable against SSRF via ...) NOT-FOR-US: Apache Camel ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49903 - data
Author: opal Date: 2017-03-21 19:33:37 + (Tue, 21 Mar 2017) New Revision: 49903 Modified: data/dla-needed.txt Log: Xrdp and erlang updates. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-21 19:30:37 UTC (rev 49902) +++ data/dla-needed.txt 2017-03-21 19:33:37 UTC (rev 49903) @@ -29,6 +29,8 @@ -- erlang NOTE: Upstream was notified 2017-03-20 that the patches were not merged to master. + NOTE: Maintainer have expressed an interest in preparing the package but would like + NOTE: someone else to issue the DLA. -- gdk-pixbuf (Emilio Pozuelo) -- @@ -138,6 +140,8 @@ -- xen -- +xrdp +-- zoneminder NOTE: Sql injection and session fixation vulerability fixes: NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1764/files ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
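Review bot: The second hunk (@@ -138,6 +140,8 @@) re-adds xrdp to data/dla-needed.txt with no NOTE, although r49310 removed it after marking CVE-2013-1430 as "Minor issue" for wheezy. Add a NOTE naming the issue that makes a DLA necessary now, otherwise the next triager is likely to remove the entry again. In the first hunk, "Maintainer have expressed" should read "Maintainer has expressed".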
[Secure-testing-commits] r49905 - data
Author: opal Date: 2017-03-21 19:40:12 + (Tue, 21 Mar 2017) New Revision: 49905 Modified: data/dla-needed.txt Log: pcre3 vulnerable. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-21 19:35:32 UTC (rev 49904) +++ data/dla-needed.txt 2017-03-21 19:40:12 UTC (rev 49905) @@ -101,6 +101,8 @@ -- partclone -- +pcre3 +-- php5 (Markus Koschany) NOTE: only one issue at the time of writing (CVE-2016-7478) NOTE: backported patch available, but maybe wait for more issues? ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49906 - data
Author: opal Date: 2017-03-21 20:01:49 + (Tue, 21 Mar 2017) New Revision: 49906 Modified: data/dla-needed.txt Log: More packages found vulnerable. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-21 19:40:12 UTC (rev 49905) +++ data/dla-needed.txt 2017-03-21 20:01:49 UTC (rev 49906) @@ -17,6 +17,8 @@ NOTE: an usual update. The work progress is reported here: NOTE: http://inguza.com/report/debian-long-term-support-work-2017-march -- +binutils +-- bluez NOTE: I suggest to wait for more important issues. CVE-2016-7837 has a rather NOTE: low impact. @@ -56,6 +58,8 @@ NOTE: Going to backport new upstream release, need to wait until Jessie NOTE: has the backported version. See https://lists.debian.org/20170321095305.gealjx62cc4xe...@home.ouaza.com -- +jhead +-- libav (Hugo Lefeuvre) NOTE: Upstream should provide new point-releases fixing open security issues in the next months. NOTE: Lots of CVEs are open, this is going to take some time. (See debian-lts ML) @@ -86,6 +90,8 @@ -- libytnef (Thorsten Alteholz) -- +libxslt +-- linux -- mcollective @@ -115,6 +121,8 @@ -- putty -- +python3.2 +-- qbittorrent -- qemu (Guido Günther) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
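Review bot: In the @@ -86,6 +90,8 @@ hunk, libxslt is inserted after libytnef and before linux; if the file is kept alphabetical it belongs before libytnef. All four new entries (binutils, jhead, libxslt, python3.2) are added without a NOTE, and the log message "More packages found vulnerable" names neither the packages nor the CVEs, so the reason for each addition has to be reconstructed from data/CVE/list.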
[Secure-testing-commits] r49935 - in data: . CVE
Author: opal Date: 2017-03-22 18:41:13 + (Wed, 22 Mar 2017) New Revision: 49935 Modified: data/CVE/list data/dla-needed.txt Log: wheezy not affected by CVE-2016-10253 Modified: data/CVE/list === --- data/CVE/list 2017-03-22 17:54:38 UTC (rev 49934) +++ data/CVE/list 2017-03-22 18:41:13 UTC (rev 49935) @@ -121,6 +121,7 @@ RESERVED CVE-2016-10253 (An issue was discovered in Erlang/OTP 18.x. Erlang's generation of ...) - erlang (bug #858313) + [wheezy] - erlang (Vulnerable code not present) NOTE: https://github.com/erlang/otp/pull/1108 CVE-2017-7184 (The linux-image-* package 4.8.0.41.52 for the Linux kernel on Ubuntu ...) - linux Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-22 17:54:38 UTC (rev 49934) +++ data/dla-needed.txt 2017-03-22 18:41:13 UTC (rev 49935) @@ -29,11 +29,6 @@ -- chicken -- -erlang - NOTE: Upstream was notified 2017-03-20 that the patches were not merged to master. - NOTE: Maintainer have expressed an interest in preparing the package but would like - NOTE: someone else to issue the DLA. --- gdk-pixbuf (Emilio Pozuelo) -- git (Raphaël Hertzog) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49936 - data/CVE
Author: opal Date: 2017-03-22 19:02:01 + (Wed, 22 Mar 2017) New Revision: 49936 Modified: data/CVE/list Log: Marked two CVE as no-dsa following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-03-22 18:41:13 UTC (rev 49935) +++ data/CVE/list 2017-03-22 19:02:01 UTC (rev 49936) @@ -16,6 +16,7 @@ RESERVED - elfutils 0.168-0.2 (low) [jessie] - elfutils (Minor issue) + [wheezy] - elfutils (Minor issue) NOTE: 0.168-0.2 first version uploaded to unstable NOTE: https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-__libelf_set_rawdata_wrlock-elf_getdata-c/ NOTE: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=09ec02ec7f7e6913d10943148e2a898264345b07 @@ -23,6 +24,7 @@ RESERVED - elfutils 0.168-0.2 (low) [jessie] - elfutils (Minor issue) + [wheezy] - elfutils (Minor issue) NOTE: 0.168-0.2 first version uploaded to unstable NOTE: https://blogs.gentoo.org/ago/2016/11/04/elfutils-memory-allocation-failure-in-allocate_elf-common-h/ NOTE: https://git.fedorahosted.org/cgit/elfutils.git/commit/?id=191000fdedba3fafe4d5b8cddad3f3318b49c3fb ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49937 - data
Author: opal Date: 2017-03-22 19:06:32 + (Wed, 22 Mar 2017) New Revision: 49937 Modified: data/dla-needed.txt Log: Polarssl. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-22 19:02:01 UTC (rev 49936) +++ data/dla-needed.txt 2017-03-22 19:06:32 UTC (rev 49937) @@ -109,6 +109,8 @@ NOTE: backported patch available, but maybe wait for more issues? NOTE: -- 2017-02-20 Antoine Beaupre -- +polarssl +-- potrace (Hugo Lefeuvre) NOTE: Try to reproduce CVE-2016-8685/cherry pick the patch from Stretch. NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
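Review bot: the `polarssl` entry added to data/dla-needed.txt has no NOTE line and the log message is only "Polarssl.", so nothing in the commit says which CVE or bug put the package on the list. Suggest adding a NOTE with the CVE id or bug number, as the neighbouring potrace entry does, so whoever claims the package knows what to triage.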
[Secure-testing-commits] r49940 - in data: . CVE
Author: opal Date: 2017-03-22 20:01:39 + (Wed, 22 Mar 2017) New Revision: 49940 Modified: data/CVE/list data/dla-needed.txt Log: Triaging for ntp. Modified: data/CVE/list === --- data/CVE/list 2017-03-22 19:52:32 UTC (rev 49939) +++ data/CVE/list 2017-03-22 20:01:39 UTC (rev 49940) @@ -1781,6 +1781,7 @@ CVE-2017-6462 [Buffer Overflow in DPTS Clock] RESERVED - ntp + [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3388 CVE-2017-6461 REJECTED @@ -1795,7 +1796,10 @@ CVE-2017-6458 [Potential Overflows in ctl_put() functions] RESERVED - ntp + [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3379 + NOTE: The vulnerability can only be triggered by adding very long + NOTE: variable names (200 bytes or more) in ntpd.conf file. CVE-2017-6457 REJECTED CVE-2017-6456 @@ -1815,6 +1819,7 @@ CVE-2017-6451 [Improper use of snprintf() in mx4200_send()] RESERVED - ntp + [wheezy] - ntp (Vulnerable code not enabled at build time) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3378 CVE-2017-6450 RESERVED Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-22 19:52:32 UTC (rev 49939) +++ data/dla-needed.txt 2017-03-22 20:01:39 UTC (rev 49940) @@ -100,6 +100,9 @@ NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ NOTE: -- Jonas Meurer -- +ntp + NOTE: The maintainer have done security updates in the past. +-- partclone -- pcre3 (Antoine Beaupré) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
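Review bot: the data/dla-needed.txt hunk adds `ntp` as needing an update, yet all three ntp entries touched in data/CVE/list in this commit are closed for wheezy ("Minor issue" twice, "Vulnerable code not enabled at build time" once); the dla-needed NOTE should name the CVE that still requires a DLA. Two smaller points in the CVE-2017-6458 hunk: the NOTE refers to "ntpd.conf", while ntpd's configuration file is ntp.conf, and CVE-2017-6462 is marked "Minor issue" without the kind of justification NOTE that CVE-2017-6458 gets. In the dla-needed NOTE, "The maintainer have done" should read "has done".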
[Secure-testing-commits] r49941 - data
Author: opal Date: 2017-03-22 20:06:58 + (Wed, 22 Mar 2017) New Revision: 49941 Modified: data/dla-needed.txt Log: Described that mysql-5.5 update is needed but that it should be synced between jessie and wheezy. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-22 20:01:39 UTC (rev 49940) +++ data/dla-needed.txt 2017-03-22 20:06:58 UTC (rev 49941) @@ -100,6 +100,10 @@ NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ NOTE: -- Jonas Meurer -- +mysql-5.5 + NOTE: Oracle will fix CVE-2017-3305 in the next Oracle CPU as promised. + NOTE: Wheezy and jessie versions follow each other so a sync is needed. +-- ntp NOTE: The maintainer have done security updates in the past. -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
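Review bot: the first NOTE added under `mysql-5.5` ("Oracle will fix CVE-2017-3305 in the next Oracle CPU as promised.") cites no source and carries no date or author, unlike the `NOTE: -- Jonas Meurer` signature in the context lines just above it. Suggest adding a reference for the promise and a dated signature so the entry can be revisited once the CPU is out; the second NOTE would also be clearer if it said which release the sync should follow.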
[Secure-testing-commits] r49942 - in data: . CVE
Author: opal Date: 2017-03-22 20:19:23 + (Wed, 22 Mar 2017) New Revision: 49942 Modified: data/CVE/list data/dla-needed.txt Log: More information about polarssl vulnerability. Modified: data/CVE/list === --- data/CVE/list 2017-03-22 20:06:58 UTC (rev 49941) +++ data/CVE/list 2017-03-22 20:19:23 UTC (rev 49942) @@ -12274,7 +12274,9 @@ RESERVED - mbedtls 2.4.2-1 (bug #857560) - polarssl (bug #857561) + [wheezy] - polarssl (Vulnerable code not present) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 + NOTE: Wheezy do not have any elliptic curve functionality. Jessie is affected however. CVE-2017-2783 RESERVED CVE-2017-2782 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-22 20:06:58 UTC (rev 49941) +++ data/dla-needed.txt 2017-03-22 20:19:23 UTC (rev 49942) @@ -116,8 +116,6 @@ NOTE: backported patch available, but maybe wait for more issues? NOTE: -- 2017-02-20 Antoine Beaupre -- -polarssl --- potrace (Hugo Lefeuvre) NOTE: Try to reproduce CVE-2016-8685/cherry pick the patch from Stretch. NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
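Review bot: in the data/CVE/list hunk the rationale for `[wheezy] - polarssl (Vulnerable code not present)` is placed after the advisory URL, and jessie's status is recorded only as free text in that NOTE ("Jessie is affected however."). Suggest moving the elliptic-curve rationale directly under the `[wheezy]` line and wording it "Wheezy does not have any elliptic curve functionality", leaving the jessie statement to a proper release line rather than a comment that can go stale.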
[Secure-testing-commits] r49971 - data
Author: opal Date: 2017-03-23 18:37:11 + (Thu, 23 Mar 2017) New Revision: 49971 Modified: data/dla-needed.txt Log: Samba need an update. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-23 17:57:17 UTC (rev 49970) +++ data/dla-needed.txt 2017-03-23 18:37:11 UTC (rev 49971) @@ -129,6 +129,8 @@ -- qemu-kvm (Guido Günther) -- +samba +-- sane-backends (Jörg Frings-Fürst) -- slurm-llnl ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r49974 - in data: . CVE
Author: opal Date: 2017-03-23 19:14:13 + (Thu, 23 Mar 2017) New Revision: 49974 Modified: data/CVE/list data/dla-needed.txt Log: Triaging for libvpx. Modified: data/CVE/list === --- data/CVE/list 2017-03-23 18:42:41 UTC (rev 49973) +++ data/CVE/list 2017-03-23 19:14:13 UTC (rev 49974) @@ -17457,6 +17457,8 @@ CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver could ...) - libvpx 1.6.1-1 NOTE: probably fixed earlier, but this was the version checked + NOTE: The wheezy source is confirmed (by code inspection) to be vulnerable. + NOTE: https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc CVE-2017-0392 (A denial of service vulnerability in VBRISeeker.cpp in libstagefright ...) NOT-FOR-US: libstagefright CVE-2017-0391 (A denial of service vulnerability in decoder/ihevcd_decode.c in ...) @@ -27341,10 +27343,13 @@ NOT-FOR-US: Android Mediaserver CVE-2016-6712 (A remote denial of service vulnerability in libvpx in Mediaserver in ...) - libvpx 1.6.1-1 + [wheezy] - libvpx (Vulnerable code not present) NOTE: probably fixed earlier, but this was the version checked CVE-2016-6711 (A remote denial of service vulnerability in libvpx in Mediaserver in ...) - libvpx 1.6.1-1 NOTE: probably fixed earlier, but this was the version checked + NOTE: Wheezy is confirmed (by code inspection) to have vulnerable source. + NOTE: https://android.googlesource.com/platform/external/libvpx/+/063be1485e0099bc81ace3a08b0ec9186dcad693 CVE-2016-6710 (An information disclosure vulnerability in the download manager in ...) NOT-FOR-US: Android CVE-2016-6709 (An information disclosure vulnerability in Conscrypt and BoringSSL in ...) 
@@ -37368,6 +37373,7 @@ NOT-FOR-US: Android CVE-2016-3881 (The decoder_peek_si_internal function in vp9/vp9_dx_iface.c in libvpx ...) - libvpx 1.6.1-1 + [wheezy] - libvpx (Vulnerable source not present) NOTE: probably fixed earlier, but this was the version checked CVE-2016-3880 (Multiple buffer overflows in rtsp/ASessionDescription.cpp in ...) NOT-FOR-US: libstagefright @@ -41470,8 +41476,7 @@ CVE-2016-2465 (The Qualcomm video driver in Android before 2016-06-01 on Nexus 5, 5X, ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-2464 (libvpx in libwebm in mediaserver in Android 4.x before 4.4.4, 5.0.x ...) - - libvpx 1.6.1-1 - NOTE: probably fixed earlier, but this was the version checked + - libvpx (Vulnerable source not present) CVE-2016-2463 (Multiple integer overflows in the h264dec component in libstagefright ...) NOT-FOR-US: libstagefright CVE-2016-2462 (OpenSSLCipher.java in Conscrypt in Android 6.x before 2016-05-01 ...) Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-23 18:42:41 UTC (rev 49973) +++ data/dla-needed.txt 2017-03-23 19:14:13 UTC (rev 49974) @@ -75,6 +75,9 @@ libreoffice (Emilio Pozuelo) NOTE: Rene (maintainer) is working on the patch since the proposed one seems to be incomplete -- +libvpx + NOTE: The CVEs needs further triaging. +-- libxml-twig-perl NOTE: no upstream fix yet (as of 2017-02-28) for expand_external_ents NOTE: but new no_xxe flag in 3.50 that could be backported ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
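Review bot: the CVE-2016-2464 hunk replaces `- libvpx 1.6.1-1` and its NOTE with `- libvpx (Vulnerable source not present)` without a `[wheezy]` prefix, so the change applies to the package as a whole and drops the recorded fixed version, whereas every other libvpx line added in this commit is scoped with `[wheezy]`. If the finding is only about wheezy, keep the `- libvpx 1.6.1-1` line and add a `[wheezy] - libvpx (...)` line below it. The reason text also varies within the commit ("Vulnerable code not present" for CVE-2016-6712, "Vulnerable source not present" for CVE-2016-3881 and CVE-2016-2464); pick one wording.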
[Secure-testing-commits] r49977 - in data: . DLA
Author: opal Date: 2017-03-23 20:46:32 + (Thu, 23 Mar 2017) New Revision: 49977 Modified: data/DLA/list data/dla-needed.txt Log: Reserve DLA-867-1 for audiofile Modified: data/DLA/list === --- data/DLA/list 2017-03-23 20:10:46 UTC (rev 49976) +++ data/DLA/list 2017-03-23 20:46:32 UTC (rev 49977) @@ -1,3 +1,6 @@ +[23 Mar 2017] DLA-867-1 audiofile - security update + {CVE-2017-6829 CVE-2017-6830 CVE-2017-6831 CVE-2017-6832 CVE-2017-6833 CVE-2017-6834 CVE-2017-6835 CVE-2017-6836 CVE-2017-6837 CVE-2017-6838 CVE-2017-6839} + [wheezy] - audiofile 0.3.4-2+deb7u1 [23 Mar 2017] DLA-866-1 libxslt - security update {CVE-2017-5029} [wheezy] - libxslt 1.1.26-14.1+deb7u3 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-23 20:10:46 UTC (rev 49976) +++ data/dla-needed.txt 2017-03-23 20:46:32 UTC (rev 49977) @@ -12,11 +12,6 @@ -- apng2gif -- -audiofile (Ola Lundqvist) - NOTE: There are quite a few CVEs so it will take a little longer time than - NOTE: an usual update. The work progress is reported here: - NOTE: http://inguza.com/report/debian-long-term-support-work-2017-march --- binutils -- bluez ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50008 - data/CVE
Author: opal Date: 2017-03-24 21:27:25 + (Fri, 24 Mar 2017) New Revision: 50008 Modified: data/CVE/list Log: Added missing entries. Modified: data/CVE/list === --- data/CVE/list 2017-03-24 21:18:58 UTC (rev 50007) +++ data/CVE/list 2017-03-24 21:27:25 UTC (rev 50008) @@ -1026,13 +1026,13 @@ NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp NOTE: https://github.com/mpruett/audiofile/pull/43/commits/25eb00ce913452c2e614548d7df93070bf0d066f CVE-2017-6828 (Heap-based buffer overflow in the readValue function in FileHandle.cpp ...) - {DSA-3814-1} + {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/31 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6827 (Heap-based buffer overflow in the MSADPCM::initializeCoefficients ...) - {DSA-3814-1} + {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/32 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
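Review bot: this commit adds `DLA-867-1` to the cross-reference lines of CVE-2017-6828 and CVE-2017-6827 in data/CVE/list but modifies no other file, while the DLA-867-1 entry reserved in r49977 in data/DLA/list enumerates only CVE-2017-6829 through CVE-2017-6839. Suggest adding the two CVE ids to the DLA-867-1 line in data/DLA/list in the same commit, so the two files agree on what the advisory covers.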
[Secure-testing-commits] r50009 - data/CVE
Author: opal Date: 2017-03-24 21:31:54 + (Fri, 24 Mar 2017) New Revision: 50009 Modified: data/CVE/list Log: Marked as no-dsa following jessie. Modified: data/CVE/list === --- data/CVE/list 2017-03-24 21:27:25 UTC (rev 50008) +++ data/CVE/list 2017-03-24 21:31:54 UTC (rev 50009) 
@@ -2008,28 +2008,34 @@ CVE-2017-6440 (The parse_data_node function in bplist.c in libimobiledevice libplist ...) - libplist (bug #858055) [jessie] - libplist (Minor issue) + [wheezy] - libplist (Minor issue) NOTE: https://github.com/libimobiledevice/libplist/issues/99 CVE-2017-6439 (Heap-based buffer overflow in the parse_string_node function in ...) - libplist 1.12+git+1+e37ca00-0.1 [jessie] - libplist (Minor issue) + [wheezy] - libplist (Minor issue) NOTE: https://github.com/libimobiledevice/libplist/issues/95 NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd CVE-2017-6438 (Heap-based buffer overflow in the parse_unicode_node function in ...) - libplist [jessie] - libplist (Minor issue) + [wheezy] - libplist (Minor issue) NOTE: https://github.com/libimobiledevice/libplist/issues/98 CVE-2017-6437 (The base64encode function in base64.c in libimobiledevice libplist ...) - libplist [jessie] - libplist (Minor issue) + [wheezy] - libplist (Minor issue) NOTE: https://github.com/libimobiledevice/libplist/issues/100 CVE-2017-6436 (The parse_string_node function in bplist.c in libimobiledevice ...) - libplist 1.12+git+1+e37ca00-0.1 [jessie] - libplist (Minor issue) + [wheezy] - libplist (Minor issue) NOTE: https://github.com/libimobiledevice/libplist/issues/94 NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd CVE-2017-6435 (The parse_string_node function in bplist.c in libimobiledevice ...) - libplist 1.12+git+1+e37ca00-0.1 [jessie] - libplist (Minor issue) + [wheezy] - libplist (Minor issue) NOTE: https://github.com/libimobiledevice/libplist/issues/93 NOTE: https://github.com/libimobiledevice/libplist/commit/fbd8494d5e4e46bf2e90cb6116903e404374fb56 CVE-2017-6434 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
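Review bot: all six `[wheezy] - libplist (Minor issue)` lines copy the jessie reason verbatim, including on CVE-2017-6439 and CVE-2017-6438, whose descriptions say heap-based buffer overflow; the only rationale is the log message "following jessie". Suggest a short NOTE on at least those two entries stating why the overflow is considered minor for wheezy, or a reference to where the jessie decision was made, so the classification can be checked against the wheezy source.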
[Secure-testing-commits] r50057 - data
Author: opal Date: 2017-03-25 21:43:53 + (Sat, 25 Mar 2017) New Revision: 50057 Modified: data/dla-needed.txt Log: Triaging work. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-25 20:43:04 UTC (rev 50056) +++ data/dla-needed.txt 2017-03-25 21:43:53 UTC (rev 50057) @@ -13,6 +13,10 @@ apng2gif NOTE: 24031017: No upstream patch available yet. Have pinged bug#. -- +apparmor +-- +apt-cacher +-- binutils (Antoine Beaupré) -- bluez @@ -129,6 +133,8 @@ NOTE: from my point of view backporting the introduction of these new members to this old NOTE: version is way to invasive and such this should be marked as -- +tiff +-- tzdata (Emilio Pozuelo) -- web2py (Brian May) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50058 - data
Author: opal Date: 2017-03-25 21:47:50 + (Sat, 25 Mar 2017) New Revision: 50058 Modified: data/dla-needed.txt Log: Triaging work. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-25 21:43:53 UTC (rev 50057) +++ data/dla-needed.txt 2017-03-25 21:47:50 UTC (rev 50058) @@ -28,6 +28,8 @@ -- chicken -- +firebird2.5 +-- firefox-esr (Emilio Pozuelo) NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is now NOTE: EOL. I have already started to look at ESR 52 to anticipate any problems ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50059 - data
Author: opal Date: 2017-03-25 21:53:20 + (Sat, 25 Mar 2017) New Revision: 50059 Modified: data/dla-needed.txt Log: Some update. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-25 21:47:50 UTC (rev 50058) +++ data/dla-needed.txt 2017-03-25 21:53:20 UTC (rev 50059) @@ -102,7 +102,7 @@ NOTE: Wheezy and jessie versions follow each other so a sync is needed. -- ntp - NOTE: The maintainer have done security updates in the past. + NOTE: The maintainer will handle this security update. -- partclone -- ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r50075 - data
Author: opal Date: 2017-03-26 20:17:57 + (Sun, 26 Mar 2017) New Revision: 50075 Modified: data/dla-needed.txt Log: One small note. Modified: data/dla-needed.txt === --- data/dla-needed.txt 2017-03-26 19:40:37 UTC (rev 50074) +++ data/dla-needed.txt 2017-03-26 20:17:57 UTC (rev 50075) @@ -29,6 +29,8 @@ chicken -- firebird2.5 + NOTE: The maintainer has told that he will not work on this update so + NOTE: feel free to take this one. -- firefox-esr (Emilio Pozuelo) NOTE: no update needed yet, but next update will be for ESR 52 as ESR 45 is now ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits