[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-moment: old ReDoS: fixed

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9622c154 by Paul Wise at 2018-03-04T06:44:55+08:00
node-moment: old ReDoS: fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -93613,7 +93613,7 @@ CVE-2016- [remote memory disclosure]
NOTE: https://nodesecurity.io/advisories/67
NOTE: nodejs not covered by security support
 CVE-2016- [regular expression DoS]
-   - node-moment  (unimportant)
+   - node-moment 2.13.0+ds-1 (unimportant)
NOTE: fixed in 2.11.2
NOTE: https://github.com/moment/moment/pull/2939
NOTE: https://nodesecurity.io/advisories/55
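Review bot: the first-fixed Debian version 2.13.0+ds-1 added on the `+` line sits well above the upstream fix recorded on the next line (`NOTE: fixed in 2.11.2`), which reads as a mismatch to anyone checking the entry later; if 2.13.0+ds-1 is simply the first version ever uploaded to Debian, a NOTE saying so would make that explicit.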



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9622c1546d3e2b6ce8223eb8d9b8595b88f6ff9f

You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-moment ReDoS

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
591358c2 by Paul Wise at 2018-03-04T06:43:20+08:00
node-moment ReDoS

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,11 @@
+CVE-2018- [Regular Expression Denial of Service]
+   - node-moment 2.19.3+ds-1 (unimportant)
+   NOTE: fixed in 2.19.3 upstream
+   NOTE: 
https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb
+   NOTE: https://github.com/moment/moment/pull/4326
+   NOTE: https://github.com/moment/moment/issues/4163
+   NOTE: https://nodesecurity.io/advisories/532
+   NOTE: nodejs not covered by security support
 CVE-2018- [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
- node-ssri  (unimportant; bug #891980)
NOTE: fixed in 5.2.2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/591358c2b69ef3cfe19e46e1db9bdb472925ccb6


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] npm serve NFU

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cb0e8f05 by Paul Wise at 2018-03-03T22:53:16+08:00
npm serve NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -10480,6 +10480,12 @@ CVE-2018-3713
RESERVED
 CVE-2018-3712
RESERVED
+   NOT-FOR-US: npm serve
+   NOTE: fixed in 6.4.9 upstream
+   NOTE: 
https://github.com/zeit/serve/commit/6adad6881c61991da61ebc857857c53409544575
+   NOTE: https://github.com/zeit/serve/pull/316
+   NOTE: https://hackerone.com/reports/307666
+   NOTE: https://nodesecurity.io/advisories/561
 CVE-2018-3711
RESERVED
NOT-FOR-US: Fastify



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb0e8f050f340348f702a30ed66b283c96f6f729


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] electron details

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
329f9ae1 by Paul Wise at 2018-03-03T22:44:37+08:00
electron details

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5333,6 +5333,9 @@ CVE-2018-5800
RESERVED
 CVE-2018-106 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 
and earlier, ...)
- electron  (bug #842420)
+   NOTE: Linux is not affected
+   NOTE: https://electronjs.org/blog/protocol-handler-fix
+   NOTE: https://nodesecurity.io/advisories/563
 CVE-2018-5799
RESERVED
 CVE-2018-5798
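Review bot: the new `NOTE: Linux is not affected` sits under an entry that is still listed as affected (`- electron  (bug #842420)`); if the Debian build is not affected the entry status should say so rather than only a NOTE, or the NOTE should explain why the entry stays open (for example because the package is still at the ITP stage).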



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/329f9ae119321fd9f7733528573922d1552b52e2


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] fastify NFU

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2fdb27c by Paul Wise at 2018-03-03T22:41:39+08:00
fastify NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -10479,6 +10479,11 @@ CVE-2018-3712
RESERVED
 CVE-2018-3711
RESERVED
+   NOT-FOR-US: Fastify
+   NOTE: fixed in 0.38.0 upstream
+   NOTE: 
https://github.com/fastify/fastify/commit/fabd2a011f2ffbb877394abe699f549513ffbd76
+   NOTE: https://hackerone.com/reports/303632
+   NOTE: https://nodesecurity.io/advisories/564
 CVE-2018-3710 [Remote Code Execution Vulnerability in GitLab Projects Import]
RESERVED
- gitlab  (bug #888508)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2fdb27cfadd78da7a9ffb1bb8ad746215e41e47


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-ssri ReDoS

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e4f7bfa by Paul Wise at 2018-03-03T22:38:19+08:00
node-ssri ReDoS

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,9 @@
+CVE-2018- [Regular Expression Denial of Service vulnerability in the 
strict mode functionality]
+   - node-ssri 
+   NOTE: fixed in 5.2.2
+   NOTE: 
https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d
+   NOTE: https://github.com/zkat/ssri/issues/10
+   NOTE: https://nodesecurity.io/advisories/565
 CVE-2018-1000115 [Insufficient Control of Network Message Volume]
- memcached 
[stretch] - memcached  (Minor issue; Debian defaults to listen 
only on localhost)
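Review bot: the new `- node-ssri ` line carries no severity and no bug reference, unlike the other nodejs entries in this batch which are marked `(unimportant)` with `NOTE: nodejs not covered by security support`; adding the same severity and note here keeps the nodejs entries consistent.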



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e4f7bfaaba71994cddc64ad3ecb0927713365dd


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] node-hoek more details

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
48cc46ca by Paul Wise at 2018-03-03T22:32:27+08:00
node-hoek more details

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -10429,7 +10429,11 @@ CVE-2018-3729
 CVE-2018-3728 [Prototype pollution in utilities function]
RESERVED
- node-hoek  (unimportant)
+   NOTE: fixed in 4.2.1
+   NOTE: https://github.com/hapijs/hoek/issues/230
+   NOTE: https://hackerone.com/reports/310439
NOTE: https://snyk.io/vuln/npm:hoek:20180212
+   NOTE: https://nodesecurity.io/advisories/566
NOTE: nodejs not covered by security support
 CVE-2018-3727
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/48cc46caf3f94df16212e65760e200a6f4fa7354


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] SAML NFU

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
18a003d7 by Paul Wise at 2018-03-03T22:24:27+08:00
SAML NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -916,6 +916,10 @@ CVE-2017-6927 (Drupal 8.4.x versions before 8.4.5 and 
Drupal 7.x versions before
NOTE: https://www.drupal.org/sa-core-2018-001
 CVE-2018-7338
RESERVED
+   NOT-FOR-US: Duo Network Gateway
+   NOTE: https://duo.com/labs/psa/duo-psa-2017-003
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2018-7337 (In Wireshark 2.4.0 to 2.4.4, the DOCSIS protocol dissector 
could crash. ...)
- wireshark 2.4.5-1
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14446



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a003d799e9dfe75b1c143d51c190828b4dbe4f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] SAML vulns

2018-03-03 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bd5dbfd6 by Paul Wise at 2018-03-03T22:18:18+08:00
SAML vulns

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -19748,6 +19748,8 @@ CVE-2018-0489 (Shibboleth XMLTooling-C before 1.6.4, as 
used in Shibboleth Servi
- xmltooling 1.6.4-1
NOTE: https://shibboleth.net/community/advisories/secadv_20180227.txt
NOTE: https://issues.shibboleth.net/jira/browse/CPPXT-128
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, 
when the ...)
- mbedtls 2.7.0-2 (bug #890287)
- polarssl 
@@ -37638,12 +37640,28 @@ CVE-2017-11431
RESERVED
 CVE-2017-11430
RESERVED
+   - ruby-omniauth-saml 
+   NOTE: fixed in 1.10.0
+   NOTE: https://github.com/omniauth/omniauth-saml/pull/157
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11429
RESERVED
+   NOT-FOR-US: Clever saml2-js
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://nodesecurity.io/advisories/567
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11428
RESERVED
+   - ruby-saml 
+   NOTE: fixed in 1.7.0
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11427
RESERVED
+   NOT-FOR-US: OneLogin python-saml
+   NOTE: 
https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+   NOTE: https://www.kb.cert.org/vuls/id/475445
 CVE-2017-11426
RESERVED
 CVE-2017-11425
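Review bot: the `- ruby-omniauth-saml ` and `- ruby-saml ` lines added in this hunk give the upstream fixed versions (1.10.0 and 1.7.0) but no severity, no Debian bug reference and no fixed Debian version; since the issues concern SAML signature handling in authentication libraries, filing bugs against both packages and recording them here would make the tracking state verifiable.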



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bd5dbfd67418cbd6cf4c5a539f34fb476db0020b


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Apple bluetoothd NFUs

2018-02-28 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9777c9cd by Paul Wise at 2018-03-01T11:53:31+08:00
Apple bluetoothd NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9106,6 +9106,8 @@ CVE-2018-4096
NOTE: Not covered by security support
 CVE-2018-4095
RESERVED
+   NOT-FOR-US: Apple bluetoothd
+   NOTE: 
https://blog.zimperium.com/cve-2018-4087-poc-escaping-sandbox-misleading-bluetoothd/
 CVE-2018-4094
RESERVED
 CVE-2018-4093
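Review bot: the only reference added for CVE-2018-4095 is the Zimperium post whose URL names CVE-2018-4087, the id handled in the next hunk; confirm that the post actually covers CVE-2018-4095 as well, otherwise this NOT-FOR-US entry is not backed by its NOTE.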
@@ -9128,6 +9130,8 @@ CVE-2018-4088
NOTE: Not covered by security support
 CVE-2018-4087
RESERVED
+   NOT-FOR-US: Apple bluetoothd
+   NOTE: 
https://blog.zimperium.com/cve-2018-4087-poc-escaping-sandbox-misleading-bluetoothd/
 CVE-2018-4086
RESERVED
 CVE-2018-4085



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9777c9cdb642a0b0ed0e04317f85ee5dd0e9ad4c


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Drop ceph-deploy ITP

2018-02-04 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7f79ad4f by Paul Wise at 2018-02-05T12:09:15+08:00
Drop ceph-deploy ITP

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -111787,7 +111787,7 @@ CVE-2015- [XSS in group administration]
[jessie] - php-horde 5.2.1+debian0-2+deb8u1
NOTE: 
https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
 CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses 
world-readable ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy 
NOTE: http://tracker.ceph.com/issues/11694
 CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with 
...)
NOT-FOR-US: Unisys Libra
@@ -114929,7 +114929,7 @@ CVE-2015-4085 (Directory traversal vulnerability in 
node/hooks/express/tests.js 
 CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in 
Etherpad ...)
- etherpad-lite  (bug #576998)
 CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy 
NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9
 CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 
4.3.12 ...)
{DSA-3223-1 DLA-192-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f79ad4fe74a65117386ddd37731949e684a4721


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] ceph-deploy accepted into Debian

2018-02-04 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1c6c4f57 by Paul Wise at 2018-02-05T12:07:51+08:00
ceph-deploy accepted into Debian

First version uploaded is newer than the fixed version 1.5.25

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -111787,7 +111787,7 @@ CVE-2015- [XSS in group administration]
[jessie] - php-horde 5.2.1+debian0-2+deb8u1
NOTE: 
https://github.com/horde/horde/commit/dae5277746abe613de0cacc004e95e9ed9d78220
 CVE-2015-4053 (The admin command in ceph-deploy before 1.5.25 uses 
world-readable ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy  (bug #694013)
NOTE: http://tracker.ceph.com/issues/11694
 CVE-2015-4049 (Unisys Libra 43xx, 63xx, and 83xx, and FS600 class systems with 
...)
NOT-FOR-US: Unisys Libra
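Review bot: the `-` and `+` lines of this hunk render as identical text (`- ceph-deploy  (bug #694013)`), so the actual change is not visible; the tracker's angle-bracket status keyword between the package name and the bug reference has most likely been stripped by the notification rendering. The same applies to the second hunk of this commit, so the diff should be read in the repository rather than from this mail.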
@@ -114929,7 +114929,7 @@ CVE-2015-4085 (Directory traversal vulnerability in 
node/hooks/express/tests.js 
 CVE-2015-3297 (Directory traversal vulnerability in node/utils/Minify.js in 
Etherpad ...)
- etherpad-lite  (bug #576998)
 CVE-2015-3010 (ceph-deploy before 1.5.23 uses weak permissions (644) for ...)
-   - ceph-deploy  (bug #694013)
+   - ceph-deploy  (bug #694013)
NOTE: http://www.openwall.com/lists/oss-security/2015/04/09/9
 CVE-2015-3405 (ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 
4.3.12 ...)
{DSA-3223-1 DLA-192-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1c6c4f579c19ece2064bba9d613533e8cc6a848f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Convert URLs from http to https where it seems safe to do so

2018-01-17 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2bd89708 by Paul Wise at 2018-01-17T18:18:16+08:00
Convert URLs from http to https where it seems safe to do so

- - - - -


7 changed files:

- bin/compare-testing-status
- bin/tracker_service.py
- doc/security-team.d.o/contact
- doc/security-team.d.o/security_tracker
- doc/soriano.txt
- lib/python/nvd.py
- org/TODO


Changes:

=
bin/compare-testing-status
=
--- a/bin/compare-testing-status
+++ b/bin/compare-testing-status
@@ -135,7 +135,7 @@ sub print_hash {
foreach my $dbug (@dbugs) {
if ( ! $seen_dbug{$dbug} ) {
$seen_dbug{$dbug} = 1;
-   print_both(" "x15 . 
"http://bugs.debian.org/$dbug\n;);
+   print_both(" "x15 . 
"https://bugs.debian.org/$dbug\n;);
}
}
}
@@ -182,7 +182,7 @@ sub issue2string {
$desc = $result->[0]->[0];
 
if ( $issue =~ /^CVE-\d{4}-\d{4,}/ ) {
-   $url = "http://cve.mitre.org/cgi-bin/cvename.cgi?name=; . 
$issue ;
+   $url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=; . 
$issue ;
return "$issue: $url\n";
}
elsif ( $issue =~ /^DTSA-/ ) {
@@ -238,11 +238,11 @@ More information:
 More information about which security issues affect Debian can be found in the 
 security tracker:
 
-   http://security-tracker.debian.net/tracker/
+   https://security-tracker.debian.org/tracker/
 
 A list of all known unfixed security issues is at
 
-   http://security-tracker.debian.net/tracker/status/release/testing
+   https://security-tracker.debian.org/tracker/status/release/testing
 
 EOF
 #
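Review bot: this hunk changes the hostname as well as the scheme (`security-tracker.debian.net` becomes `security-tracker.debian.org`), which goes beyond the "http to https" described in the commit message; worth a sentence in the message so the host move is not lost in a scheme-only sweep.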


=
bin/tracker_service.py
=
--- a/bin/tracker_service.py
+++ b/bin/tracker_service.py
@@ -608,7 +608,7 @@ response, do not forget to let us know how to get a hold of 
you."""),
  P("""Helping out: We welcome people who wish to join us in 
tracking
 issues. The process is designed to be easy to learn and participate,
 please read our """,
-   A("http://security-team.debian.org/security_tracker.html;,
+   A("https://security-team.debian.org/security_tracker.html;,
  "Introduction"),
""" to get familiar with how things work.  Join us on
 our mailing list, and on IRC and request to be added to the Salsa """,


=
doc/security-team.d.o/contact
=
--- a/doc/security-team.d.o/contact
+++ b/doc/security-team.d.o/contact
@@ -18,7 +18,7 @@ IRC Channel
 ---
 
 We hang-out in the #debian-security channel on OFTC
-(http://www.oftc.net/), stop by if you'd like. We can also add you to
+(https://www.oftc.net/), stop by if you'd like. We can also add you to
 the Alioth project so you have SVN write permission, and you can test
 drive it on the testing issues for however long you like to get an idea
 or feel comfortable (and hey, it really helps!).
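Review bot: the unchanged context in this hunk still tells contributors they will be added "to the Alioth project so you have SVN write permission", while the repository these notifications come from lives on salsa.debian.org in git; the paragraph is stale and could be updated in the same pass as the URL change.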


=
doc/security-team.d.o/security_tracker
=
--- a/doc/security-team.d.o/security_tracker
+++ b/doc/security-team.d.o/security_tracker
@@ -57,7 +57,7 @@ also syncs that file with other lists like `data/DSA/list` and
 `data/DTSA/list`.
 
 These automatic commits as well as all git commits are notified via either the 
[secure-testing-commits mailing 
list](https://lists.alioth.debian.org/mailman/listinfo/secure-testing-commits),
-or via the Irker IRC bot in the #debian-security channel on the [OFTC IRC 
network](http://www.oftc.net/). For example, the bot
+or via the Irker IRC bot in the #debian-security channel on the [OFTC IRC 
network](https://www.oftc.net/). For example, the bot
 could say in the channel:
 
 17:14  [security-tracker] sectracker role account pushed pushed 
1 new commit to master: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/37b0fb27...2bf425d5


=
doc/soriano.txt
=
--- a/doc/soriano.txt
+++ b/doc/soriano.txt
@@ -86,7 +86,7 @@ PTS interface
 
 The PTS fetches bug counts from this URL:
 
-  http://security-tracker.debian.org/tracker/data/pts/1
+  https://security-tracker.debian.org/tracker/data/pts/1
 
 Code updates
 


=
lib/python/nvd.py
=
--- a/lib/python/nvd.py
+++ b/lib/python/nvd.py
@@ -16,7 +16,7 @@
 # Foundation, Inc., 51 Fran

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] redmine: RCE

2018-01-09 Thread Paul Wise
Paul Wise pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0ccd9c96 by Paul Wise at 2018-01-10T11:32:42+08:00
redmine: RCE

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,8 @@
+CVE-2018- [Remote command execution through mercurial adapter]
+   - redmine 
+   [wheezy] - redmine  (Not supported wheezy LTS)
+   NOTE: https://www.redmine.org/issues/27516 (private)
+   NOTE: upstream fixed in 3.2.9, 3.3.6 and 3.4.4
 CVE-2018-5313
RESERVED
 CVE-2017-1000415 (MatrixSSL version 3.7.2 has an incorrect UTCTime date range 
validation ...)
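Review bot: the only issue reference in this entry is marked `(private)`, so nobody outside the Redmine project can verify the affected code path from the NOTE; since the upstream fixed versions are already public (3.2.9, 3.3.6 and 3.4.4), add a public reference such as the release notes, and a Debian bug number against `redmine`, so the entry can be checked and tracked.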



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ccd9c96f37e10afa078fc69dffcbea7879eb310


[Secure-testing-commits] r58349 - data

2017-12-07 Thread Paul Wise
Author: pabs
Date: 2017-12-08 05:48:14 +0000 (Fri, 08 Dec 2017)
New Revision: 58349

Modified:
   data/embedded-code-copies
Log:
Convert (embedded) to (embed)

(embed) is the correct keyword for the format.

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2017-12-08 05:48:06 UTC (rev 58348)
+++ data/embedded-code-copies   2017-12-08 05:48:14 UTC (rev 58349)
@@ -3322,7 +3322,7 @@
- flightgear  (embed)
 
 flite
-   - flightgear  (embedded)
+   - flightgear  (embed)
NOTE: seems to declare linking with system shared library, but build 
logs suspiciously still build embedded copy.
 
 sox
@@ -3338,7 +3338,7 @@
- praat  (embed)
 
 libxls (not packaged in Debian, http://libxls.sourceforge.net/)
-   - r-cran-readxl  (embedded)
+   - r-cran-readxl  (embed)
 
 woff2 (ITP: #883828)
- webkit2gtk 2.20-1 (embed)




[Secure-testing-commits] r58348 - data

2017-12-07 Thread Paul Wise
Author: pabs
Date: 2017-12-08 05:48:06 +0000 (Fri, 08 Dec 2017)
New Revision: 58348

Modified:
   data/embedded-code-copies
Log:
List packages that embed woff2 or brotli

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2017-12-07 21:43:17 UTC (rev 58347)
+++ data/embedded-code-copies   2017-12-08 05:48:06 UTC (rev 58348)
@@ -3339,3 +3339,29 @@
 
 libxls (not packaged in Debian, http://libxls.sourceforge.net/)
- r-cran-readxl  (embedded)
+
+woff2 (ITP: #883828)
+   - webkit2gtk 2.20-1 (embed)
+   - chromium-browser  (embed)
+   - firefox  (embed)
+   - firefox-esr  (embed)
+   - icedove  (embed)
+   - thunderbird  (embed)
+   - qtwebengine-opensource-src  (embed)
+   - qtwebkit-opensource-src  (embed)
+   - texlive-bin  (embed)
+
+brotli
+   - webkit2gtk  (embed)
+   - chromium-browser  (embed)
+   - firefox  (embed)
+   - firefox-esr  (embed)
+   - icedove  (embed)
+   - thunderbird  (embed)
+   - qtwebengine-opensource-src  (embed)
+   - qtwebkit-opensource-src  (embed)
+   - texlive-bin  (embed)
+   - rr  (embed)
+   - h2o  (embed)
+   - hhvm  (embed)
+   - apitrace  (embed)
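Review bot: the context line just above the new block, `- r-cran-readxl  (embedded)`, uses the non-keyword spelling while every new entry uses `(embed)`; correcting it in the same commit would keep the file parseable by anything that matches on the keyword.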




[Secure-testing-commits] r58046 - bin

2017-11-26 Thread Paul Wise
Author: pabs
Date: 2017-11-27 06:38:47 +0000 (Mon, 27 Nov 2017)
New Revision: 58046

Modified:
   bin/tracker_service.py
Log:
Switch web search links to DuckDuckGo

Disconnect Search just redirects to DuckDuckGo now.

Also rename the functions from disconnect to web_search
in case of future changes to the usual web search engine.

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2017-11-27 06:38:40 UTC (rev 58045)
+++ bin/tracker_service.py  2017-11-27 06:38:47 UTC (rev 58046)
@@ -398,7 +398,7 @@
   "/",
   self.make_github_issues_ref(url, 
bug.name, 'issues'),
   ", ",
-  self.make_disconnect_bug_ref(url, 
bug.name, 'web search'),
+  self.make_web_search_bug_ref(url, 
bug.name, 'web search'),
   ", ",
   
A(url.absolute('http://oss-security.openwall.org/wiki/vendors'), 'more'),
   ")")
@@ -1537,8 +1537,8 @@
 return url.absolute("https://github.com/search;, type="Code", q='"%s"' 
% name)
 def url_github_issues_bug(self, url, name):
 return url.absolute("https://github.com/search;, type="Issues", 
q='"%s"' % name)
-def url_disconnect_bug(self, url, name):
-return url.absolute("https://search.disconnect.me/searchTerms/search;, 
query='"%s"' % name)
+def url_web_search_bug(self, url, name):
+return url.absolute("https://duckduckgo.com/html;, q='"%s"' % name)
 
 def url_dsa(self, url, dsa, re_dsa=re.compile(r'^DSA-(\d+)(?:-\d+)?$')):
 match = re_dsa.match(dsa)
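Review bot: along with the host, the query parameter name changes from `query` to `q` in `url_web_search_bug`, and the `/html` endpoint is chosen rather than the site root; neither is mentioned in the commit message, and a one-line comment on the function saying why `/html` was picked would help the next person who swaps the engine again.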
@@ -1674,10 +1674,10 @@
 name = cve
 return A(self.url_github_issues_bug(url, cve), name)
 
-def make_disconnect_bug_ref(self, url, cve, name=None):
+def make_web_search_bug_ref(self, url, cve, name=None):
 if name is None:
 name = cve
-return A(self.url_disconnect_bug(url, cve), name)
+return A(self.url_web_search_bug(url, cve), name)
 
 def make_dsa_ref(self, url, dsa, name=None):
 if name is None:




[Secure-testing-commits] r58045 - bin

2017-11-26 Thread Paul Wise
Author: pabs
Date: 2017-11-27 06:38:40 +0000 (Mon, 27 Nov 2017)
New Revision: 58045

Modified:
   bin/tracker_service.py
Log:
Update links to CVEs at the NIST NVD website

The current URLs redirect to the new URLs.

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2017-11-27 04:31:20 UTC (rev 58044)
+++ bin/tracker_service.py  2017-11-27 06:38:40 UTC (rev 58045)
@@ -1505,8 +1505,7 @@
 return url.absolute("https://cve.mitre.org/cgi-bin/cvename.cgi;,
 name=name)
 def url_nvd(self, url, name):
-return url.absolute("https://web.nvd.nist.gov/view/vuln/detail;,
-vulnId=name)
+return url.absolute("https://nvd.nist.gov/vuln/detail/%s; % name)
 def url_cert_bug(self, url, name):
 return url.absolute("https://www.kb.cert.org/vuls/byid;, 
searchview='', query=name)
 def url_lwn_bug(self, url, name):
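Review bot: the new `url_nvd` interpolates `name` straight into the URL path with `%s`, whereas the old code passed it as the `vulnId` query parameter through `url.absolute`, which would have encoded it; if `name` is not guaranteed to be a validated CVE id at every call site, URL-quote it before formatting (e.g. `urllib.parse.quote(name, safe='')`), so a stray `/`, `?` or `#` cannot change the path or turn into a query.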




[Secure-testing-commits] r58044 - data/CVE

2017-11-26 Thread Paul Wise
Author: pabs
Date: 2017-11-27 04:31:20 +0000 (Mon, 27 Nov 2017)
New Revision: 58044

Modified:
   data/CVE/list
Log:
mistune: XSS already had a CVE

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-27 04:14:21 UTC (rev 58043)
+++ data/CVE/list   2017-11-27 04:31:20 UTC (rev 58044)
@@ -1,6 +1,3 @@
-CVE-2017- [XSS vulnerability]
-   - mistune 0.8-1
-   NOTE: 
https://github.com/lepture/mistune/commit/d6f0b6402299bf5a380e7b4e77bd80e8736630fe
 CVE-2017-16947
RESERVED
 CVE-2017-16946 (The admin_edit function in app/Controller/UsersController.php 
in MISP ...)
@@ -4023,6 +4020,7 @@
- mistune 0.8-1 (bug #879098)
[stretch] - mistune  (Minor issue)
NOTE: https://github.com/lepture/mistune/pull/140
+   NOTE: 
https://github.com/lepture/mistune/commit/d6f0b6402299bf5a380e7b4e77bd80e8736630fe
 CVE-2017-15611 (In Octopus before 3.17.7, an authenticated user who was 
explicitly ...)
NOT-FOR-US: Octopus Deploy
 CVE-2017-15610 (An issue was discovered in Octopus before 3.17.7. When the 
special ...)




[Secure-testing-commits] r58043 - data/CVE

2017-11-26 Thread Paul Wise
Author: pabs
Date: 2017-11-27 04:14:21 +0000 (Mon, 27 Nov 2017)
New Revision: 58043

Modified:
   data/CVE/list
Log:
mistune: two vulnerabilities

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-27 02:25:28 UTC (rev 58042)
+++ data/CVE/list   2017-11-27 04:14:21 UTC (rev 58043)
@@ -1,3 +1,6 @@
+CVE-2017- [XSS vulnerability]
+   - mistune 0.8-1
+   NOTE: 
https://github.com/lepture/mistune/commit/d6f0b6402299bf5a380e7b4e77bd80e8736630fe
 CVE-2017-16947
RESERVED
 CVE-2017-16946 (The admin_edit function in app/Controller/UsersController.php 
in MISP ...)
@@ -273,6 +276,8 @@
NOT-FOR-US: ZEIT Next.js
 CVE-2017-16876
RESERVED
+   - mistune 0.8.1-1
+   NOTE: 
https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98
 CVE-2017-16875 (An issue was discovered in Teluu pjproject (pjlib and 
pjlib-util) in ...)
- pjproject 2.7.1~dfsg-1
NOTE: https://trac.pjsip.org/repos/ticket/2055


[Secure-testing-commits] r57855 - data/CVE

2017-11-20 Thread Paul Wise
Author: pabs
Date: 2017-11-20 15:56:49 + (Mon, 20 Nov 2017)
New Revision: 57855

Modified:
   data/CVE/list
Log:
busybox: autocompletion escape sequence vulnerability

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-20 15:54:54 UTC (rev 57854)
+++ data/CVE/list   2017-11-20 15:56:49 UTC (rev 57855)
@@ -1244,8 +1244,11 @@
NOTE: The wheezy version gives an assert before the vulnerability can 
be triggered. Due to this
NOTE: the severity of the wheezy version is low even though the 
vulnerable code is still present.
NOTE: The patch is trivial so it may be worth fixing in combination 
with some other fix.
-CVE-2017-16544
+CVE-2017-16544 [missing terminal escape sequence filtering in autocompletion]
RESERVED
+   - busybox 
+   NOTE: 
https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
+   NOTE: 
https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8
 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 allows SQL injection 
via ...)
NOT-FOR-US: Zoho
 CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 allows 
Post-authentication ...)
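Review bot: the busybox entry records the write-up and the upstream fix commit but no Debian bug reference and no severity; with the fixing commit already identified, filing a bug and adding "(bug #NNNNNN)" (placeholder) to the "- busybox" line would let the tracker follow the fix into the archive rather than leaving the entry open-ended.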


[Secure-testing-commits] r57601 - data/CVE

2017-11-13 Thread Paul Wise
Author: pabs
Date: 2017-11-13 13:57:10 + (Mon, 13 Nov 2017)
New Revision: 57601

Modified:
   data/CVE/list
Log:
redmine: email reminder issue

Modified: data/CVE/list
===
--- data/CVE/list   2017-11-13 13:44:27 UTC (rev 57600)
+++ data/CVE/list   2017-11-13 13:57:10 UTC (rev 57601)
@@ -1,3 +1,10 @@
+CVE-2017- [Email reminders reveal information about inaccessible issues]
+   - redmine 
+   [wheezy] - redmine  (Not supported wheezy LTS)
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/25713 (private)
+   NOTE: upstream fixed in 3.2.7, 3.3.4 and 3.4.0
+   NOTE: 
https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc
 CVE-2017-16801
RESERVED
 CVE-2017-16800


[Secure-testing-commits] r56781 - data/CVE

2017-10-17 Thread Paul Wise
Author: pabs
Date: 2017-10-17 10:30:29 + (Tue, 17 Oct 2017)
New Revision: 56781

Modified:
   data/CVE/list
Log:
redmine: multiple vulnerabilities

Modified: data/CVE/list
===
--- data/CVE/list   2017-10-17 09:24:09 UTC (rev 56780)
+++ data/CVE/list   2017-10-17 10:30:29 UTC (rev 56781)
@@ -1,3 +1,46 @@
+CVE-2017- [Multiple XSS vulnerabilities]
+   - redmine 
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/27186 (private)
+   NOTE: upstream fixed in 3.2.8, 3.3.5 and 3.4.3
+   NOTE: 
https://github.com/redmine/redmine/commit/94f7cfbf990028348b9262578acbc53a94fce448
+   NOTE: 
https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508
+   NOTE: 
https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b
+   NOTE: 
https://github.com/redmine/redmine/commit/273dd9cb3bcfb1e0a0b90570b3b34eafa07d67aa
+CVE-2017- [Improper markup sanitization in wiki content]
+   - redmine 
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/25503 (private)
+   NOTE: upstream fixed in 3.2.6 and 3.3.3
+CVE-2017- [Use redirect on /account/lost_password to prevent password 
reset tokens in referers]
+   - redmine 
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/24416 (private)
+   NOTE: upstream fixed in 3.2.6 and 3.3.3
+CVE-2017- [Redmine.pm doesn't check that the repository module is enabled 
on project]
+   - redmine 
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/24307 (private)
+   NOTE: upstream fixed in 3.2.6 and 3.3.3
+CVE-2017- [Stored XSS with SVG attachments]
+   - redmine 
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/24199 (private)
+   NOTE: upstream fixed in 3.2.6 and 3.3.3
+CVE-2017- [Information leak when rendering Time Entry on activity view]
+   - redmine 
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/23803 (private)
+   NOTE: upstream fixed in 3.2.6 and 3.3.3
+CVE-2017- [Information leak when rendering Wiki links]
+   - redmine 
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: https://www.redmine.org/issues/23793 (private)
+   NOTE: upstream fixed in 3.2.6 and 3.3.3
+CVE-2017- [Persistent XSS vulnerabilities in text formatting (Textile and 
Markdown) and project homepage]
+   - redmine 3.2.3-1
+   NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: upstream fixed in 3.2.3
 CVE-2017-15513
RESERVED
 CVE-2017-15512
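Review bot: the first new entry, "Multiple XSS vulnerabilities", bundles four separate upstream commits under one placeholder; if separate CVE ids are assigned per fix, this entry will have to be split, so one entry per commit now would save a later rewrite. Seven of the eight entries cite only a private redmine.org issue plus the Security_Advisories wiki page, so the wiki page is the only publicly checkable source, and none of the entries carries a severity or a Debian bug reference.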


[Secure-testing-commits] r55886 - data/DLA

2017-09-18 Thread Paul Wise
Author: pabs
Date: 2017-09-19 02:28:13 + (Tue, 19 Sep 2017)
New Revision: 55886

Modified:
   data/DLA/list
Log:
Fix ipsec-tools version for DLA-1044-1 CVE-2016-10396 fix

Suggested-by: ex-parrot
Suggested-in: #debian-security
Confirmed-by: debsnap ipsec-tools --first 1:0.8.0-14+deb7u1 --last 
1:0.8.0-14+deb7u3

Modified: data/DLA/list
===
--- data/DLA/list   2017-09-18 21:10:17 UTC (rev 55885)
+++ data/DLA/list   2017-09-19 02:28:13 UTC (rev 55886)
@@ -163,7 +163,7 @@
[wheezy] - graphicsmagick 1.3.16-1.1+deb7u8
 [29 Jul 2017] DLA-1044-1 ipsec-tools - security update
{CVE-2016-10396}
-   [wheezy] - ipsec-tools 1:0.8.0-14+deb7u1
+   [wheezy] - ipsec-tools 1:0.8.0-14+deb7u2
 [29 Jul 2017] DLA-841-2 apache2 - regression update
{CVE-2016-8743}
[wheezy] - apache2 2.2.22-13+deb7u11


[Secure-testing-commits] r55708 - data/CVE

2017-09-12 Thread Paul Wise
Author: pabs
Date: 2017-09-13 01:26:21 + (Wed, 13 Sep 2017)
New Revision: 55708

Modified:
   data/CVE/list
Log:
BlueBorne NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-09-12 21:16:58 UTC (rev 55707)
+++ data/CVE/list   2017-09-13 01:26:21 UTC (rev 55708)
@@ -16122,6 +16122,8 @@
RESERVED
 CVE-2017-8628
RESERVED
+   NOT-FOR-US: Microsoft Windows
+   NOTE: https://www.armis.com/blueborne/
 CVE-2017-8627 (Windows Subsystem for Linux in Windows 10 1703, allows a denial 
of ...)
NOT-FOR-US: Microsoft
 CVE-2017-8626
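Review bot: the NOT-FOR-US label added for CVE-2017-8628 reads "Microsoft Windows" while the adjacent CVE-2017-8627 entry uses plain "Microsoft"; keep the vendor string consistent so that NFU entries for the same vendor group together.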
@@ -38627,14 +38629,22 @@
NOT-FOR-US: Broadcom driver for Android
 CVE-2017-0785
RESERVED
+   NOT-FOR-US: Android
+   NOTE: https://www.armis.com/blueborne/
 CVE-2017-0784 (A elevation of privilege vulnerability in the Android system 
(nfc). ...)
NOT-FOR-US: Android
 CVE-2017-0783
RESERVED
+   NOT-FOR-US: Android
+   NOTE: https://www.armis.com/blueborne/
 CVE-2017-0782
RESERVED
+   NOT-FOR-US: Android
+   NOTE: https://www.armis.com/blueborne/
 CVE-2017-0781
RESERVED
+   NOT-FOR-US: Android
+   NOTE: https://www.armis.com/blueborne/
 CVE-2017-0780 (A denial of service vulnerability in the Android runtime 
(android ...)
NOT-FOR-US: Android
 CVE-2017-0779 (A information disclosure vulnerability in the Android media 
framework ...)


[Secure-testing-commits] r55589 - data/CVE

2017-09-09 Thread Paul Wise
Author: pabs
Date: 2017-09-09 06:31:30 + (Sat, 09 Sep 2017)
New Revision: 55589

Modified:
   data/CVE/list
Log:
u-boot: two issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-09-09 05:30:24 UTC (rev 55588)
+++ data/CVE/list   2017-09-09 06:31:30 UTC (rev 55589)
@@ -32465,8 +32465,12 @@
RESERVED
 CVE-2017-3226
RESERVED
+   - u-boot 
+   NOTE: https://www.kb.cert.org/vuls/id/166743
 CVE-2017-3225
RESERVED
+   - u-boot 
+   NOTE: https://www.kb.cert.org/vuls/id/166743
 CVE-2017-3224 [OSPF implementation improperly determines LSA recency 
(VU#793496)]
RESERVED
- quagga  (low; bug #871617)


[Secure-testing-commits] r55410 - data/CVE

2017-09-03 Thread Paul Wise
Author: pabs
Date: 2017-09-03 13:01:12 + (Sun, 03 Sep 2017)
New Revision: 55410

Modified:
   data/CVE/list
Log:
kanboard CVE list fixes

Modified: data/CVE/list
===
--- data/CVE/list   2017-09-03 12:58:01 UTC (rev 55409)
+++ data/CVE/list   2017-09-03 13:01:12 UTC (rev 55410)
@@ -3528,6 +3528,7 @@
- kanboard  (bug #790814)
 CVE-2017-12850 (An authenticated standard user could reset the password of 
other users ...)
- kanboard  (bug #790814)
+   NOTE: 
https://github.com/kanboard/kanboard/commit/88dd6abbf3f519897f2f6280e95c9eec9123a4ae
 CVE-2017-12849
RESERVED
 CVE-2017-12848
@@ -110675,7 +110676,7 @@
 CVE-2014-3925 (sosreport in Red Hat sos 1.7 and earlier on Red Hat Enterprise 
Linux ...)
- sosreport  (RedHat-specific issue)
 CVE-2014-3920 (Cross-site request forgery (CSRF) vulnerability in Kanboard 
before ...)
-   NOT-FOR-US: Kanboard
+   - kanboard  (bug #790814)
 CVE-2014-3919
RESERVED
 CVE-2014-3918
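Review bot: switching CVE-2014-3920 from NOT-FOR-US to a kanboard entry attaches the same bug #790814 that the 2017 kanboard entries in the first hunk use; confirm that this one bug is the intended reference for the 2014 CSRF as well, since a single bug covering unrelated issues makes the fixed-version bookkeeping harder once the package gets versions.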


[Secure-testing-commits] r54234 - data/CVE

2017-08-03 Thread Paul Wise
Author: pabs
Date: 2017-08-03 18:58:56 + (Thu, 03 Aug 2017)
New Revision: 54234

Modified:
   data/CVE/list
Log:
CVE-2017-12133: glibc use-after-free in error path in clntudp_call

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-03 15:07:39 UTC (rev 54233)
+++ data/CVE/list   2017-08-03 18:58:56 UTC (rev 54234)
@@ -573,8 +573,12 @@
RESERVED
 CVE-2017-12134
RESERVED
-CVE-2017-12133
+CVE-2017-12133 [Use-after-free in error path in clntudp_call]
RESERVED
+   - glibc 
+   - eglibc 
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21115
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491
 CVE-2017-12132 (The DNS stub resolver in the GNU C Library (aka glibc or 
libc6) before ...)
- glibc 
- eglibc 


[Secure-testing-commits] r53642 - data/CVE

2017-07-18 Thread Paul Wise
Author: pabs
Date: 2017-07-19 02:41:16 + (Wed, 19 Jul 2017)
New Revision: 53642

Modified:
   data/CVE/list
Log:
gsoap: CVE-2017-9765

Modified: data/CVE/list
===
--- data/CVE/list   2017-07-18 22:33:40 UTC (rev 53641)
+++ data/CVE/list   2017-07-19 02:41:16 UTC (rev 53642)
@@ -4065,6 +4065,9 @@
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d6e888400ba64de3147da4c23edf389b
 CVE-2017-9765
RESERVED
+   - gsoap 2.8.48-1
+   NOTE: 
http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions
+   NOTE: 
https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017)
 CVE-2017-9764
RESERVED
 CVE-2017-9780 (In Flatpak before 0.8.7, a third-party app repository could 
include ...)


[Secure-testing-commits] r52857 - data

2017-06-23 Thread Paul Wise
Author: pabs
Date: 2017-06-24 02:42:32 + (Sat, 24 Jun 2017)
New Revision: 52857

Modified:
   data/embedded-code-copies
Log:
glibc embeds unicode-data

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2017-06-23 21:10:23 UTC (rev 52856)
+++ data/embedded-code-copies   2017-06-24 02:42:32 UTC (rev 52857)
@@ -1709,6 +1709,9 @@
- boost1.61  (embed; bug #834560)
- boost1.62  (embed; bug #852764)
- boost1.63  (embed; bug #852763)
+   - glibc  (modified-embed)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21533
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=14095
 
 feedparser
- rawdog 2.19-1 (embed; bug #383422)


[Secure-testing-commits] r50744 - data

2017-04-17 Thread Paul Wise
Author: pabs
Date: 2017-04-18 04:15:29 + (Tue, 18 Apr 2017)
New Revision: 50744

Modified:
   data/embedded-code-copies
Log:
typo

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2017-04-18 04:13:48 UTC (rev 50743)
+++ data/embedded-code-copies   2017-04-18 04:15:29 UTC (rev 50744)
@@ -3248,7 +3248,7 @@
 youtube-dl
- encuentro  (bug #859589)
 
-libwebp (not packaged, no ITP)
+libwebm (not packaged, no ITP)
- libopenglrecorder  (modified-embed)
NOTE: not yet in Debian
NOTE: modifications are that it is stripped down


[Secure-testing-commits] r50743 - data

2017-04-17 Thread Paul Wise
Author: pabs
Date: 2017-04-18 04:13:48 + (Tue, 18 Apr 2017)
New Revision: 50743

Modified:
   data/embedded-code-copies
Log:
several packages embed libwebp

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2017-04-18 03:40:16 UTC (rev 50742)
+++ data/embedded-code-copies   2017-04-18 04:13:48 UTC (rev 50743)
@@ -3247,3 +3247,15 @@
 
 youtube-dl
- encuentro  (bug #859589)
+
+libwebp (not packaged, no ITP)
+   - libopenglrecorder  (modified-embed)
+   NOTE: not yet in Debian
+   NOTE: modifications are that it is stripped down
+   - sludge  (modified-embed)
+   NOTE: modifications are that it is stripped down
+   - libvpx  (embed)
+   - chromium-browser  (embed)
+   NOTE: 2 copies, one via a libvpx embed
+   - qtwebengine-opensource-src (embed)
+   NOTE: via chromium embed: 2 copies, one via a libvpx embed
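Review bot: the stanza header reads "libwebp (not packaged, no ITP)", but libwebp is the WebP image library and is packaged in Debian; the embedders listed here (libvpx, chromium-browser, qtwebengine-opensource-src) carry libwebm, which is what r50744 above corrects the header to. The log message also says libwebp, so the mistake is in both places.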


[Secure-testing-commits] r50422 - data/CVE

2017-04-06 Thread Paul Wise
Author: pabs
Date: 2017-04-06 22:49:23 + (Thu, 06 Apr 2017)
New Revision: 50422

Modified:
   data/CVE/list
Log:
New mediawiki issues fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-06 22:45:15 UTC (rev 50421)
+++ data/CVE/list   2017-04-06 22:49:23 UTC (rev 50422)
@@ -18941,48 +18941,49 @@
RESERVED
 CVE-2017-0372
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0371
RESERVED
 CVE-2017-0370
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0369
RESERVED
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0368
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0367
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0366
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0365
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0364
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0363
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0362
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0361
RESERVED
-   - mediawiki 
+   - mediawiki 1:1.27.2-1
NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0360 (file_open in Tryton 3.x and 4.x through 4.2.2 allows remote ...)
{DSA-3826-1 DLA-882-1}


[Secure-testing-commits] r50421 - data/CVE

2017-04-06 Thread Paul Wise
Author: pabs
Date: 2017-04-06 22:45:15 + (Thu, 06 Apr 2017)
New Revision: 50421

Modified:
   data/CVE/list
Log:
New mediawiki issues

Modified: data/CVE/list
===
--- data/CVE/list   2017-04-06 21:03:43 UTC (rev 50420)
+++ data/CVE/list   2017-04-06 22:45:15 UTC (rev 50421)
@@ -18941,28 +18941,49 @@
RESERVED
 CVE-2017-0372
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0371
RESERVED
 CVE-2017-0370
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0369
RESERVED
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0368
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0367
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0366
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0365
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0364
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0363
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0362
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0361
RESERVED
+   - mediawiki 
+   NOTE: 
https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html
 CVE-2017-0360 (file_open in Tryton 3.x and 4.x through 4.2.2 allows remote ...)
{DSA-3826-1 DLA-882-1}
- tryton-server 4.2.1-2
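Review bot: CVE-2017-0369 receives only the NOTE line and no "- mediawiki" package line, unlike the other entries in this hunk, so the tracker will not associate that id with mediawiki (r50422 above adds the missing line). CVE-2017-0371 gets nothing in either revision; confirm that omission is deliberate.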


[Secure-testing-commits] r50365 - data

2017-04-05 Thread Paul Wise
Author: pabs
Date: 2017-04-05 06:17:33 + (Wed, 05 Apr 2017)
New Revision: 50365

Modified:
   data/embedded-code-copies
Log:
encuentro embeds youtube-dl

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2017-04-05 06:12:18 UTC (rev 50364)
+++ data/embedded-code-copies   2017-04-05 06:17:33 UTC (rev 50365)
@@ -3244,3 +3244,6 @@
 
 gitsome
- xonsh  (old-version; bug #855544; bug #855545)
+
+youtube-dl
+   - encuentro  (bug #859589)


[Secure-testing-commits] r50157 - bin

2017-03-28 Thread Paul Wise
Author: pabs
Date: 2017-03-29 05:20:21 + (Wed, 29 Mar 2017)
New Revision: 50157

Modified:
   bin/tracker_service.py
Log:
Fix typo

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2017-03-29 04:48:56 UTC (rev 50156)
+++ bin/tracker_service.py  2017-03-29 05:20:21 UTC (rev 50157)
@@ -1525,7 +1525,7 @@
 % (int(y), int(number)))
 return None
 
-def url_dla(self, url, dla, re_dsa=re.compile(r'^DLA-(\d+)(?:-\d+)?$')):
+def url_dla(self, url, dla, re_dla=re.compile(r'^DLA-(\d+)(?:-\d+)?$')):
 match = re_dla.match(dla)
 if match:
 # We must determine the year because there is no generic URL.


[Secure-testing-commits] r50156 - bin

2017-03-28 Thread Paul Wise
Author: pabs
Date: 2017-03-29 04:48:56 + (Wed, 29 Mar 2017)
New Revision: 50156

Modified:
   bin/tracker_service.py
Log:
Link to DLA details on www.d.o from the Source field (Closes: #761945)

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2017-03-29 04:46:57 UTC (rev 50155)
+++ bin/tracker_service.py  2017-03-29 04:48:56 UTC (rev 50156)
@@ -397,7 +397,7 @@
 elif source == 'DTSA':
 source_xref = 'Debian Testing Security Team'
 elif source == 'DLA':
-source_xref = 'Debian LTS Team'
+source_xref = self.make_dla_ref(url, bug.name, 'Debian LTS')
 elif source == 'TEMP':
 source_xref = (
 'Automatically generated temporary name.  Not for external reference.')
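Review bot: make_dla_ref(url, bug.name, 'Debian LTS') also changes the visible label from "Debian LTS Team" to "Debian LTS"; if the shorter label is intended, say so in the log, otherwise pass 'Debian LTS Team' as the name.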
@@ -1525,6 +1525,18 @@
 % (int(y), int(number)))
 return None
 
+def url_dla(self, url, dla, re_dsa=re.compile(r'^DLA-(\d+)(?:-\d+)?$')):
+match = re_dla.match(dla)
+if match:
+# We must determine the year because there is no generic URL.
+(number,) = match.groups()
+for (date,) in self.db.cursor().execute(
+"SELECT release_date FROM bugs WHERE name = ?", (dla,)):
+(y, m, d) = date.split('-')
+return url.absolute("https://www.debian.org/security/%d/dla-%d;
+% (int(y), int(number)))
+return None
+
 def url_debian_bug(self, url, debian):
 return url.absolute("https://bugs.debian.org/cgi-bin/bugreport.cgi;,
 bug=str(debian))
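Review bot: in url_dla the default argument is named re_dsa but the body calls re_dla.match(dla), so the first request that renders a DLA source link raises NameError unless a module-level re_dla happens to exist; rename the parameter to re_dla (r50157 above does exactly that). Separately, "(y, m, d) = date.split('-')" will raise if release_date is NULL for the matching row; guard for that, or let the loop fall through to "return None".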
@@ -1649,6 +1661,15 @@
 else:
 return name
 
+def make_dla_ref(self, url, dla, name=None):
+if name is None:
+name = dla
+u = self.url_dla(url, dla)
+if u:
+return A(u, name)
+else:
+return name
+
 def make_source_code_ref(self, url, pkg, name=None):
 if name is None:
 name = pkg


[Secure-testing-commits] r49760 - data/CVE

2017-03-18 Thread Paul Wise
Author: pabs
Date: 2017-03-18 10:34:25 + (Sat, 18 Mar 2017)
New Revision: 49760

Modified:
   data/CVE/list
Log:
CVE-2016-4657: not NFU as it works on Nintendo Switch too

See: https://www.youtube.com/watch?v=xkdPjbaLngE

Modified: data/CVE/list
===
--- data/CVE/list   2017-03-18 09:49:10 UTC (rev 49759)
+++ data/CVE/list   2017-03-18 10:34:25 UTC (rev 49760)
@@ -34674,7 +34674,8 @@
- libxml2 2.9.4+dfsg1-2.1 (bug #840553)
NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
 CVE-2016-4657 (WebKit in Apple iOS before 9.3.5 allows remote attackers to 
execute ...)
-   NOT-FOR-US: Webkit as used by Apple
+   TODO: check
+   NOTE: https://www.youtube.com/watch?v=xkdPjbaLngE
 CVE-2016-4656 (The kernel in Apple iOS before 9.3.5 allows attackers to 
execute ...)
NOT-FOR-US: Apple
 CVE-2016-4655 (The kernel in Apple iOS before 9.3.5 allows attackers to obtain 
...)
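Review bot: the "TODO: check" that replaces NOT-FOR-US names no Debian source package, and a YouTube URL is not a durable reference; since the log argues the flaw is in WebKit itself rather than Apple's use of it, the note should say which WebKit-based source package(s) in Debian need checking, ideally with the upstream WebKit bug or fix commit if one is public.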


[Secure-testing-commits] r49060 - bin

2017-02-19 Thread Paul Wise
Author: pabs
Date: 2017-02-19 09:49:09 + (Sun, 19 Feb 2017)
New Revision: 49060

Modified:
   bin/compare-nvd-cve
Log:
Avoid hard-coding the list of years since 2002

Calculate the range based on the current year.

Modified: bin/compare-nvd-cve
===
--- bin/compare-nvd-cve 2017-02-19 09:35:23 UTC (rev 49059)
+++ bin/compare-nvd-cve 2017-02-19 09:49:09 UTC (rev 49060)
@@ -45,26 +45,10 @@
 close $fh;
 
 #
-# Fetched from http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2016.xml.gz
+# Fetched from https://nvd.nist.gov/download.aspx
 #
-for my $cvelist
-(
- "nvdcve-2.0-2016.xml",
- "nvdcve-2.0-2015.xml",
- "nvdcve-2.0-2014.xml",
- "nvdcve-2.0-2013.xml",
- "nvdcve-2.0-2012.xml",
- "nvdcve-2.0-2011.xml",
- "nvdcve-2.0-2010.xml",
- "nvdcve-2.0-2009.xml",
- "nvdcve-2.0-2008.xml",
- "nvdcve-2.0-2007.xml",
- "nvdcve-2.0-2006.xml",
- "nvdcve-2.0-2005.xml",
- "nvdcve-2.0-2004.xml",
- "nvdcve-2.0-2003.xml",
- "nvdcve-2.0-2002.xml",
-) {
+for my $year (reverse 2002 .. (gmtime())[5]+1900) {
+my $cvelist = "nvdcve-2.0-$year.xml";
 print STDERR "Loading $cvelist\n" if $debug;
 my $ref = XMLin("data/nvd2/" . $cvelist);
 for my $cve (sort {$b cmp $a} keys %{$ref->{entry}}) {
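Review bot: deriving the list from 2002 .. current year is better than the hard-coded list, but XMLin("data/nvd2/" . $cvelist) will die if the current year's feed has not been fetched yet (early January, or whenever the download lags), where the old list only named files known to exist; skip years whose file is missing (-e) or warn and continue.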


[Secure-testing-commits] r49056 - /

2017-02-19 Thread Paul Wise
Author: pabs
Date: 2017-02-19 09:02:19 + (Sun, 19 Feb 2017)
New Revision: 49056

Modified:
   Makefile
Log:
Use the local mirror instead

Modified: Makefile
===
--- Makefile2017-02-18 21:10:13 UTC (rev 49055)
+++ Makefile2017-02-19 09:02:19 UTC (rev 49056)
@@ -5,7 +5,7 @@
 # Adjust these if necessary.  The architecture selection is rather
 # arbitrary at the moment.  More architectures can be added later.
 
-MIRROR = http://ftp.de.debian.org/debian/
+MIRROR = http://debian.csail.mit.edu/debian/
 squeeze_ARCHS = amd64 armel i386 ia64 mips mipsel powerpc s390 sparc 
kfreebsd-i386 kfreebsd-amd64
 squeeze_LTS_ARCHS = amd64 i386
 wheezy_ARCHS = amd64 armel armhf i386


[Secure-testing-commits] r49057 - /

2017-02-19 Thread Paul Wise
Author: pabs
Date: 2017-02-19 09:02:25 + (Sun, 19 Feb 2017)
New Revision: 49057

Modified:
   TODO.gitmigration
Log:
Correct a domain name typo

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2017-02-19 09:02:19 UTC (rev 49056)
+++ TODO.gitmigration   2017-02-19 09:02:25 UTC (rev 49057)
@@ -41,7 +41,7 @@
 to the svn repository in recent years?)
 - get the DD acl applied (then point above only applies to -guest users)
 
-team-security.debian.org website
+security-team.debian.org website
 
 - move this file to git
 - ping federico3 to update the codebase for security-metrics.d.n (uses git-svn)


[Secure-testing-commits] r48788 - data/CVE

2017-02-08 Thread Paul Wise
Author: pabs
Date: 2017-02-09 05:43:46 + (Thu, 09 Feb 2017)
New Revision: 48788

Modified:
   data/CVE/list
Log:
CVE-2016-9244 (Ticketbleed): NFU: proprietary F5 TLS stack

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-09 04:59:58 UTC (rev 48787)
+++ data/CVE/list   2017-02-09 05:43:46 UTC (rev 48788)
@@ -15828,6 +15828,8 @@
RESERVED
 CVE-2016-9244
RESERVED
+   NOT-FOR-US: F5 TLS stack
+   NOTE: https://ticketbleed.com/
 CVE-2016-9243 [HKDF might return an empty byte-string]
RESERVED
- python-cryptography 1.5.3-1


[Secure-testing-commits] r48787 - data/CVE

2017-02-08 Thread Paul Wise
Author: pabs
Date: 2017-02-09 04:59:58 + (Thu, 09 Feb 2017)
New Revision: 48787

Modified:
   data/CVE/list
Log:
CVE-2016-6271 is from src:bzrtp and has an upstream patch

Modified: data/CVE/list
===
--- data/CVE/list   2017-02-09 01:41:32 UTC (rev 48786)
+++ data/CVE/list   2017-02-09 04:59:58 UTC (rev 48787)
@@ -25366,7 +25366,8 @@
NOTE: 
http://git.php.net/?p=php-src.git;a=commit;h=0218acb7e756a469099c4ccfb22bce6c2bd1ef87
NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38
 CVE-2016-6271 (The Bzrtp library (aka libbzrtp) 1.0.x before 1.0.4 allows ...)
-   TODO: check
+   - bzrtp 
+   NOTE: Fixed by: 
https://github.com/BelledonneCommunications/bzrtp/commit/bbb1e6e2f467ee4bd7b9a8c800e4f07343d7d99b
 CVE-2016-6270 (The handle_certificate function in ...)
NOT-FOR-US: Trend Micro
 CVE-2016-6269 (Multiple directory traversal vulnerabilities in Trend Micro 
Smart ...)


[Secure-testing-commits] r48464 - data

2017-01-27 Thread Paul Wise
Author: pabs
Date: 2017-01-28 06:42:24 + (Sat, 28 Jan 2017)
New Revision: 48464

Modified:
   data/embedded-code-copies
Log:
More boost versions that have unicode-data copies

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2017-01-27 21:41:19 UTC (rev 48463)
+++ data/embedded-code-copies   2017-01-28 06:42:24 UTC (rev 48464)
@@ -1707,6 +1707,8 @@
- boost1.58  (embed; bug #823582)
- boost1.60  (embed; bug #823585)
- boost1.61  (embed; bug #834560)
+   - boost1.62  (embed; bug #852764)
+   - boost1.63  (embed; bug #852763)
 
 feedparser
- rawdog 2.19-1 (embed; bug #383422)


[Secure-testing-commits] r48211 - data/CVE

2017-01-19 Thread Paul Wise
Author: pabs
Date: 2017-01-20 02:10:39 + (Fri, 20 Jan 2017)
New Revision: 48211

Modified:
   data/CVE/list
Log:
Linux: kvm: use-after-free issue while creating devices

Reported-by: hexa-
Reported-in: #debian-security

Modified: data/CVE/list
===
--- data/CVE/list   2017-01-19 21:46:29 UTC (rev 48210)
+++ data/CVE/list   2017-01-20 02:10:39 UTC (rev 48211)
@@ -1,3 +1,9 @@
+CVE-2016-10150 [kvm: use-after-free issue while creating devices]
+   - linux 
+   NOTE: CVE request: 
http://www.openwall.com/lists/oss-security/2017/01/18/10
+   NOTE: CVE assignment: 
http://www.openwall.com/lists/oss-security/2017/01/19/6
+   NOTE: patch: 
https://git.kernel.org/linus/a0f1d21c1ccb1da66629627a74059dd7f5ac9c61
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414506
 CVE-2016-10148 (The wp_ajax_update_plugin function in ...)
- wordpress 4.6.1+dfsg-1
[jessie] - wordpress  (wp_ajax_update_plugin function 
introduced in 4.2)


[Secure-testing-commits] r47120 - data/CVE

2016-12-15 Thread Paul Wise
Author: pabs
Date: 2016-12-16 03:36:32 + (Fri, 16 Dec 2016)
New Revision: 47120

Modified:
   data/CVE/list
Log:
Add another reference for the apport bug

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 21:45:31 UTC (rev 47119)
+++ data/CVE/list   2016-12-16 03:36:32 UTC (rev 47120)
@@ -35,18 +35,21 @@
NOTE: apport only in experimental, so we cannot track this in 
security-tracker
NOTE: add it, as we have an explicit (bug) reference for apport
NOTE: https://bugs.launchpad.net/apport/+bug/1648806
+   NOTE: https://donncha.is/2016/12/compromising-ubuntu-desktop/
 CVE-2016-9950
RESERVED
[experimental] - apport 2.20.4-1 (bug #848213)
NOTE: apport only in experimental, so we cannot track this in 
security-tracker
NOTE: add it, as we have an explicit (bug) reference for apport
NOTE: https://bugs.launchpad.net/apport/+bug/1648806
+   NOTE: https://donncha.is/2016/12/compromising-ubuntu-desktop/
 CVE-2016-9949
RESERVED
[experimental] - apport 2.20.4-1 (bug #848213)
NOTE: apport only in experimental, so we cannot track this in 
security-tracker
NOTE: add it, as we have an explicit (bug) reference for apport
NOTE: https://bugs.launchpad.net/apport/+bug/1648806
+   NOTE: https://donncha.is/2016/12/compromising-ubuntu-desktop/
 CVE-2016-9948
RESERVED
 CVE-2016-9947



[Secure-testing-commits] r47083 - data/CVE

2016-12-14 Thread Paul Wise
Author: pabs
Date: 2016-12-15 03:38:42 + (Thu, 15 Dec 2016)
New Revision: 47083

Modified:
   data/CVE/list
Log:
one more nvidia source package

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 03:13:46 UTC (rev 47082)
+++ data/CVE/list   2016-12-15 03:38:42 UTC (rev 47083)
@@ -10422,6 +10422,7 @@
RESERVED
- nvidia-graphics-drivers  (bug #848195)
- nvidia-graphics-drivers-legacy-340xx  (bug #848196)
+   - nvidia-graphics-drivers-legacy-304xx  (bug #848197)
NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4278
 CVE-2016-8825
RESERVED



[Secure-testing-commits] r47082 - data/CVE

2016-12-14 Thread Paul Wise
Author: pabs
Date: 2016-12-15 03:13:46 + (Thu, 15 Dec 2016)
New Revision: 47082

Modified:
   data/CVE/list
Log:
most: CVE-2016-1253: fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 03:11:45 UTC (rev 47081)
+++ data/CVE/list   2016-12-15 03:13:46 UTC (rev 47082)
@@ -36223,7 +36223,7 @@
RESERVED
 CVE-2016-1253 [shell injection attack using LZMA-compressed files]
RESERVED
-   - most  (bug #848132)
+   - most 5.0.0a-3 (bug #848132)
 CVE-2016-1252
RESERVED
{DSA-3733-1}
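Review bot: `most 5.0.0a-3` records the unstable fix only; the entry has no [jessie] line, so stable stays listed as vulnerable with no indication of whether a DSA or a no-dsa decision is pending for a shell injection triggered by a crafted LZMA file. Add a `[jessie] - most ...` line in the form used elsewhere in the file, and a NOTE pointing at the upstream fix.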



[Secure-testing-commits] r47081 - data/CVE

2016-12-14 Thread Paul Wise
Author: pabs
Date: 2016-12-15 03:11:45 + (Thu, 15 Dec 2016)
New Revision: 47081

Modified:
   data/CVE/list
Log:
nvidia-graphics-drivers DoS

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-15 00:53:45 UTC (rev 47080)
+++ data/CVE/list   2016-12-15 03:11:45 UTC (rev 47081)
@@ -10418,8 +10418,11 @@
RESERVED
 CVE-2016-8827
RESERVED
-CVE-2016-8826
+CVE-2016-8826 [DoS via GPU interrupt storm]
RESERVED
+   - nvidia-graphics-drivers  (bug #848195)
+   - nvidia-graphics-drivers-legacy-340xx  (bug #848196)
+   NOTE: http://nvidia.custhelp.com/app/answers/detail/a_id/4278
 CVE-2016-8825
RESERVED
 CVE-2016-8824



[Secure-testing-commits] r47040 - data/CVE

2016-12-13 Thread Paul Wise
Author: pabs
Date: 2016-12-14 03:02:54 + (Wed, 14 Dec 2016)
New Revision: 47040

Modified:
   data/CVE/list
Log:
New Firefox issues fixed

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-13 23:09:49 UTC (rev 47039)
+++ data/CVE/list   2016-12-14 03:02:54 UTC (rev 47040)
@@ -131,30 +131,65 @@
RESERVED
 CVE-2016-9905
RESERVED
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9905
 CVE-2016-9904
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9904
 CVE-2016-9903
RESERVED
+   - firefox 50.1.0-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9903
 CVE-2016-9902
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9902
 CVE-2016-9901
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9901
 CVE-2016-9900
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9900
 CVE-2016-9899
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9899
 CVE-2016-9898
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9898
 CVE-2016-9897
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9897
 CVE-2016-9896
RESERVED
+   - firefox 50.1.0-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9896
 CVE-2016-9895
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9895
 CVE-2016-9894
RESERVED
+   - firefox 50.1.0-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9894
 CVE-2016-9893
RESERVED
+   - firefox 50.1.0-1
+   - firefox-esr 45.6.0esr-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9893
 CVE-2017-3729
RESERVED
 CVE-2017-3728
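Review bot: several entries list only one of the two packages (CVE-2016-9905 has firefox-esr but no firefox; CVE-2016-9903, -9896 and -9894 have firefox but no firefox-esr). If the other branch is genuinely unaffected, record that explicitly rather than omitting the line, because an omitted package is indistinguishable from an entry that was never checked. The entries also keep a bare RESERVED with no bracketed summary; mfsa2016-95 has one-line titles that could fill the `[...]` field, as CVE-2016-9079 has elsewhere in the file.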
@@ -9756,6 +9791,8 @@
RESERVED
 CVE-2016-9080
RESERVED
+   - firefox 50.1.0-1
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/#CVE-2016-9080
 CVE-2016-9079 [SVG Animation Remote Code Execution]
RESERVED
{DSA-3730-1 DSA-3728-1 DLA-730-1}
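Review bot: CVE-2016-9080 gains only `firefox 50.1.0-1`, with no firefox-esr line and no bracketed summary; the CVE-2016-9079 entry directly below shows the expected shape (title, DSA/DLA references), so check whether 45.6.0esr also fixes 9080 and add the summary from the mfsa2016-95 page.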



[Secure-testing-commits] r46836 - data/CVE

2016-12-06 Thread Paul Wise
Author: pabs
Date: 2016-12-06 22:25:20 + (Tue, 06 Dec 2016)
New Revision: 46836

Modified:
   data/CVE/list
Log:
roundcube: Command Execution via Email

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-06 21:19:53 UTC (rev 46835)
+++ data/CVE/list   2016-12-06 22:25:20 UTC (rev 46836)
@@ -158,6 +158,9 @@
RESERVED
 CVE-2017-3150
RESERVED
+CVE-2016- [Command Execution via Email]
+   - roundcube 
+   NOTE: 
https://blog.ripstech.com/2016/roundcube-command-execution-via-email/
 CVE-2016-9866
RESERVED
 CVE-2016-9865
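Review bot: the `- roundcube` line records the package as affected with no fixed version, no bug reference and no NOTE giving the upstream version that fixes the issue, so this placeholder entry cannot be closed when a CVE id is assigned; add `NOTE: fixed in <upstream version>` and a `(bug #N)` reference as other entries in the file do.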



[Secure-testing-commits] r46804 - data/CVE

2016-12-05 Thread Paul Wise
Author: pabs
Date: 2016-12-06 05:26:16 + (Tue, 06 Dec 2016)
New Revision: 46804

Modified:
   data/CVE/list
Log:
New Linux local root exploit

Modified: data/CVE/list
===
--- data/CVE/list   2016-12-06 05:19:45 UTC (rev 46803)
+++ data/CVE/list   2016-12-06 05:26:16 UTC (rev 46804)
@@ -9401,8 +9401,11 @@
 CVE-2016-8656
RESERVED
NOT-FOR-US: Red Hat JBoss; jbossas init script
-CVE-2016-8655
+CVE-2016-8655 [af_packet.c race condition (local root)]
RESERVED
+   - linux 
+   NOTE: http://seclists.org/oss-sec/2016/q4/607
+   NOTE: 
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c
 CVE-2016-8654 [Heap-based buffer overflow in QMFB code in JPC codec]
RESERVED
- jasper 
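Review bot: for an issue whose title itself flags `(local root)`, the `- linux` line without a fixed version and with no [jessie]/[wheezy] triage leaves the stable suites showing no severity at all; the kernel commit (84ac7260236a) is already linked, so add the Debian version that ships it and a severity marker consistent with a local privilege escalation.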



[Secure-testing-commits] r46669 - data/CVE

2016-11-30 Thread Paul Wise
Author: pabs
Date: 2016-12-01 01:58:57 + (Thu, 01 Dec 2016)
New Revision: 46669

Modified:
   data/CVE/list
Log:
New Firefox CVE

Modified: data/CVE/list
===
--- data/CVE/list   2016-11-30 22:03:43 UTC (rev 46668)
+++ data/CVE/list   2016-12-01 01:58:57 UTC (rev 46669)
@@ -3152,6 +3152,9 @@
RESERVED
 CVE-2016-9079
RESERVED
+   - firefox 
+   NOTE: Fixed in Firefox 50.0.2 upstream
+   - firefox-esr 45.5.1esr-1
 CVE-2016-9078 [data: URL can inherit wrong origin after an HTTP redirect]
RESERVED
- firefox 
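Review bot: the `NOTE: Fixed in Firefox 50.0.2 upstream` line is inserted between the two package lines; elsewhere in the file NOTE lines follow all package lines of an entry, so move it below `- firefox-esr 45.5.1esr-1`. The entry also keeps a bare RESERVED with no bracketed summary, which the neighbouring CVE-2016-9078 entry has.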



[Secure-testing-commits] r45534 - data/CVE

2016-10-23 Thread Paul Wise
Author: pabs
Date: 2016-10-24 03:15:26 + (Mon, 24 Oct 2016)
New Revision: 45534

Modified:
   data/CVE/list
Log:
Drammer was assigned CVE-2016-6728

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-23 21:24:05 UTC (rev 45533)
+++ data/CVE/list   2016-10-24 03:15:26 UTC (rev 45534)
@@ -5790,6 +5790,7 @@
RESERVED
 CVE-2016-6728
RESERVED
+   NOTE: https://www.vusec.net/projects/drammer/
 CVE-2016-6727
RESERVED
 CVE-2016-6726
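Review bot: adding only a NOTE leaves CVE-2016-6728 without any triage state: no package line and no NOT-FOR-US marker, so the entry still reads as an unexamined RESERVED id with a link attached. The log says Drammer was assigned this id, so either record which Debian package is affected (with a version or an unfixed line) or mark it NOT-FOR-US with a reason if it only applies to Android devices.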



[Secure-testing-commits] r44663 - data

2016-09-16 Thread Paul Wise
Author: pabs
Date: 2016-09-17 02:08:48 + (Sat, 17 Sep 2016)
New Revision: 44663

Modified:
   data/embedded-code-copies
Log:
libsquish now accepted

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-09-17 01:21:05 UTC (rev 44662)
+++ data/embedded-code-copies   2016-09-17 02:08:48 UTC (rev 44663)
@@ -3067,7 +3067,7 @@
 liblemon (ITP: #833548)
- cufflinks  (embed)
 
-libsquish (ITP: #836247)
+libsquish
- 0ad  (embed; bug #838055)
- kodi  (modified-embed; bug #838051)
- mame  (modified-embed; bug #838052)



[Secure-testing-commits] r44662 - data

2016-09-16 Thread Paul Wise
Author: pabs
Date: 2016-09-17 01:21:05 + (Sat, 17 Sep 2016)
New Revision: 44662

Modified:
   data/embedded-code-copies
Log:
Add bug numbers for libsquish embedded code copies

Suggested-by: Wookey 
Suggested-in: <20160917010345.gv7...@mail.wookware.org>

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-09-16 21:10:16 UTC (rev 44661)
+++ data/embedded-code-copies   2016-09-17 01:21:05 UTC (rev 44662)
@@ -3068,12 +3068,12 @@
- cufflinks  (embed)
 
 libsquish (ITP: #836247)
-   - 0ad  (embed)
-   - kodi  (modified-embed)
-   - mame  (modified-embed)
-   - nvidia-texture-tools  (modified-embed)
-   - openimageio  (modified-embed)
-   - spring  (embed)
+   - 0ad  (embed; bug #838055)
+   - kodi  (modified-embed; bug #838051)
+   - mame  (modified-embed; bug #838052)
+   - nvidia-texture-tools  (modified-embed; bug #838056)
+   - openimageio  (modified-embed; bug #838053)
+   - spring  (embed; bug #838054)
- xbmc  (modified-embed)
 
 node-ms (not packaged, no ITP as per 2016-09-09)
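Review bot: `- xbmc  (modified-embed)` is the only libsquish consumer left without a bug number after this change; if no bug was filed because xbmc has been superseded by kodi (which did get #838051), say so in a NOTE, otherwise file one so all seven entries can be correlated with a bug.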



[Secure-testing-commits] r44595 - data

2016-09-14 Thread Paul Wise
Author: pabs
Date: 2016-09-15 03:12:45 + (Thu, 15 Sep 2016)
New Revision: 44595

Modified:
   data/embedded-code-copies
Log:
quesoglc removed use of embedded glew in 0.7.2-2

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-09-15 02:46:22 UTC (rev 44594)
+++ data/embedded-code-copies   2016-09-15 03:12:45 UTC (rev 44595)
@@ -783,7 +783,7 @@
- quesoglc 0.7.2-2 (embed)
 
 glew
-   - quesoglc  (embed; bug #489341)
+   - quesoglc 0.7.2-2 (embed; bug #489341)
NOTE: waiting on GLEW_MX version of glew (see bug #474488)
- trigger 0.5.2.1-2 (embed)
NOTE: http://lists.debian.org/debian-devel-games/2009/12/msg7.html
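Review bot: with quesoglc now recorded as fixed in 0.7.2-2, the following `NOTE: waiting on GLEW_MX version of glew (see bug #474488)` no longer describes the state of that entry; drop it or reword it as history so readers do not think the embed is still blocked on GLEW_MX.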



[Secure-testing-commits] r44500 - data

2016-09-11 Thread Paul Wise
Author: pabs
Date: 2016-09-11 07:13:30 + (Sun, 11 Sep 2016)
New Revision: 44500

Modified:
   data/embedded-code-copies
Log:
gridengine embeds tcsh (see #833995)

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-09-11 03:44:06 UTC (rev 44499)
+++ data/embedded-code-copies   2016-09-11 07:13:30 UTC (rev 44500)
@@ -3165,3 +3165,6 @@
 
 libgetopt++
- libsass  (embed)
+
+tcsh
+   - gridengine  (embed)
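Review bot: the bug number cited in the log message (#833995) is not carried into the entry; the file's convention is `- gridengine  (embed; bug #833995)`, which lets the embedded copy be correlated with the bug, so add it to the `+   - gridengine  (embed)` line.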



[Secure-testing-commits] r44399 - data

2016-09-07 Thread Paul Wise
Author: pabs
Date: 2016-09-08 01:35:50 + (Thu, 08 Sep 2016)
New Revision: 44399

Modified:
   data/embedded-code-copies
Log:
Update information about Android forks of various things

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-09-08 01:34:29 UTC (rev 44398)
+++ data/embedded-code-copies   2016-09-08 01:35:50 UTC (rev 44399)
@@ -2225,8 +2225,17 @@
 libselinux
- dpkg 1.15.6 (static)
- ia32-libs  (embed)
-   - android-platform-external-libselinux  (fork; bug #793611)
+   - android-platform-external-libselinux  (fork)
 
+libunwind
+   - android-platform-external-libunwind  (fork)
+
+jsilver (removed from stretch and later):
+   - android-platform-external-jsilver  (fork)
+
+doclava (not in Debian)
+   - android-platform-external-doclava  (fork)
+
 xinha (ITP: #479708)
- horde3 
- serendipity 
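Review bot: the libselinux change drops `bug #793611` from the fork entry without the log saying why; if the bug was closed, note that, otherwise keep the reference, since none of the new fork entries in this hunk carry a bug number and it was the only link back to the discussion. Also, `jsilver (removed from stretch and later):` ends with a colon that no other heading in the file uses.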



[Secure-testing-commits] r44398 - data/CVE

2016-09-07 Thread Paul Wise
Author: pabs
Date: 2016-09-08 01:34:29 + (Thu, 08 Sep 2016)
New Revision: 44398

Modified:
   data/CVE/list
Log:
android-platform-external-libunwind has not fixed CVE-2015-3239

Modified: data/CVE/list
===
--- data/CVE/list   2016-09-07 19:03:52 UTC (rev 44397)
+++ data/CVE/list   2016-09-08 01:34:29 UTC (rev 44398)
@@ -38370,6 +38370,7 @@
 CVE-2015-3239 (Off-by-one error in the dwarf_to_unw_regnum function in ...)
{DLA-271-1}
- libunwind 1.1-4 (low; bug #790830)
+   - android-platform-external-libunwind 
[jessie] - libunwind  (Minor issue)
[wheezy] - libunwind  (Minor issue)
NOTE: http://savannah.nongnu.org/bugs/?45276
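Review bot: the new `- android-platform-external-libunwind` line has no version, no severity and no bug reference, while the libunwind line beside it has `(low; bug #790830)`; for consistency, file a bug against the Android fork, mirror the `low` rating, and add [jessie]/[wheezy] lines if the package exists in those suites.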



[Secure-testing-commits] r44283 - data

2016-09-02 Thread Paul Wise
Author: pabs
Date: 2016-09-03 03:27:47 + (Sat, 03 Sep 2016)
New Revision: 44283

Modified:
   data/embedded-code-copies
Log:
Update libsquish embedded-code-copies information

See-also: <20160902115618.gz32...@mail.wookware.org>

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-09-02 21:10:12 UTC (rev 44282)
+++ data/embedded-code-copies   2016-09-03 03:27:47 UTC (rev 44283)
@@ -3053,12 +3053,12 @@
 
 libsquish (ITP: #836247)
- 0ad  (embed)
-   - kodi  (embed)
-   - mame  (embed)
-   - nvidia-texture-tools  (embed)
-   - openimageio  (embed)
+   - kodi  (modified-embed)
+   - mame  (modified-embed)
+   - nvidia-texture-tools  (modified-embed)
+   - openimageio  (modified-embed)
- spring  (embed)
-   - xbmc  (embed)
+   - xbmc  (modified-embed)
 
 node-ms
- node-debug  (embed)



[Secure-testing-commits] r44249 - data

2016-08-31 Thread Paul Wise
Author: pabs
Date: 2016-09-01 02:34:06 + (Thu, 01 Sep 2016)
New Revision: 44249

Modified:
   data/embedded-code-copies
Log:
libsquish is embedded in several packages

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-08-31 21:48:55 UTC (rev 44248)
+++ data/embedded-code-copies   2016-09-01 02:34:06 UTC (rev 44249)
@@ -3051,3 +3051,11 @@
 liblemon (ITP: #833548)
- cufflinks  (embed)
 
+libsquish (ITP: #836247)
+   - 0ad  (embed)
+   - kodi  (embed)
+   - mame  (embed)
+   - nvidia-texture-tools  (embed)
+   - openimageio  (embed)
+   - spring  (embed)
+   - xbmc  (embed)



[Secure-testing-commits] r43276 - data/CVE

2016-07-19 Thread Paul Wise
Author: pabs
Date: 2016-07-19 10:46:00 + (Tue, 19 Jul 2016)
New Revision: 43276

Modified:
   data/CVE/list
Log:
CVE-2016-5080 is NFU: Objective Systems Inc. ASN1C compiler

Modified: data/CVE/list
===
--- data/CVE/list   2016-07-19 10:04:26 UTC (rev 43275)
+++ data/CVE/list   2016-07-19 10:46:00 UTC (rev 43276)
@@ -3614,6 +3614,8 @@
RESERVED
 CVE-2016-5080
RESERVED
+   NOT-FOR-US: Objective Systems Inc. ASN1C compiler
+   NOTE: 
https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080
 CVE-2016-5079
RESERVED
 CVE-2016-5078



[Secure-testing-commits] r43223 - bin

2016-07-15 Thread Paul Wise
Author: pabs
Date: 2016-07-15 15:06:37 + (Fri, 15 Jul 2016)
New Revision: 43223

Modified:
   bin/tracker_service.py
Log:
testing.pl is gone, update links to it to qa.d.o/excuses.php

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2016-07-15 15:06:19 UTC (rev 43222)
+++ bin/tracker_service.py  2016-07-15 15:06:37 UTC (rev 43223)
@@ -1536,7 +1536,7 @@
 def url_pts(self, url, package):
 return url.absolute("https://tracker.debian.org/pkg/%s; % package)
 def url_testing_status(self, url, package):
-return url.absolute("https://release.debian.org/migration/testing.pl;,
+return url.absolute("https://qa.debian.org/excuses.php;,
 package=package)
 def url_source_package(self, url, package, full=False):
 if full:



[Secure-testing-commits] r42559 - data

2016-06-15 Thread Paul Wise
Author: pabs
Date: 2016-06-16 01:25:14 + (Thu, 16 Jun 2016)
New Revision: 42559

Modified:
   data/embedded-code-copies
Log:
cgit embeds git

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-06-16 01:23:01 UTC (rev 42558)
+++ data/embedded-code-copies   2016-06-16 01:25:14 UTC (rev 42559)
@@ -3036,3 +3036,6 @@
 
 bubblewrap
- flatpak  (embed; bug #824647)
+
+git
+   - cgit  (embed)



[Secure-testing-commits] r42558 - data/CVE

2016-06-15 Thread Paul Wise
Author: pabs
Date: 2016-06-16 01:23:01 + (Thu, 16 Jun 2016)
New Revision: 42558

Modified:
   data/CVE/list
Log:
CVE-2016-2315: also fixed in cgit 1.0+git2.8.3-1 (bug #827405)

Reported-by: victory on #debian-security

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-15 21:10:10 UTC (rev 42557)
+++ data/CVE/list   2016-06-16 01:23:01 UTC (rev 42558)
@@ -9203,6 +9203,7 @@
 CVE-2016-2315 (revision.c in git before 2.7.4 uses an incorrect integer data 
type, ...)
{DSA-3521-1}
- git 1:2.7.0-1 (bug #818318)
+   - cgit 1.0+git2.8.3-1 (bug #827405)
NOTE: 
https://github.com/git/git/commit/34fa79a6cde56d6d428ab0d3160cb094ebad3305 
(v2.7.0-rc0)
 CVE-2016-2314 (GlobespanVirata ftpd 1.0, as used on Huawei SmartAX MT882 
devices ...)
NOT-FOR-US: Huawei
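Review bot: `{DSA-3521-1}` at the top of CVE-2016-2315 refers to the git update; adding `cgit 1.0+git2.8.3-1` marks cgit fixed in unstable only, so the stable suite needs its own `[jessie] - cgit ...` triage line, and the NOTE about the git commit (v2.7.0-rc0) could record which cgit upstream version first pulled in that fix.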



[Secure-testing-commits] r42525 - data/CVE

2016-06-14 Thread Paul Wise
Author: pabs
Date: 2016-06-14 12:16:13 + (Tue, 14 Jun 2016)
New Revision: 42525

Modified:
   data/CVE/list
Log:
CVE-2016-4010 is NFU (Magento)

Thanks-to: Sander Bos

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-14 12:12:46 UTC (rev 42524)
+++ data/CVE/list   2016-06-14 12:16:13 UTC (rev 42525)
@@ -4198,6 +4198,9 @@
RESERVED
 CVE-2016-4010
RESERVED
+   NOT-FOR-US: Magento
+   NOTE: https://magento.com/security/patches/magento-206-security-update
+   NOTE: 
http://www.netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution/
 CVE-2016-4007 (Multiple unspecified vulnerabilities in the 
obs-service-extract_file ...)
NOT-FOR-US: obs-service-extract_file
 CVE-2015-8850



[Secure-testing-commits] r42523 - data

2016-06-14 Thread Paul Wise
Author: pabs
Date: 2016-06-14 12:08:24 + (Tue, 14 Jun 2016)
New Revision: 42523

Modified:
   data/embedded-code-copies
Log:
edk2 copy of openssl is apparently modified

Reported-by: vorlon on #debian-devel

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-06-14 11:54:39 UTC (rev 42522)
+++ data/embedded-code-copies   2016-06-14 12:08:24 UTC (rev 42523)
@@ -2555,7 +2555,7 @@
 
 openssl
- ia32-libs  (embed)
-   - edk2  (embed)
+   - edk2  (modified-embed)
 
 pam
- ia32-libs  (embed)



[Secure-testing-commits] r42521 - data

2016-06-14 Thread Paul Wise
Author: pabs
Date: 2016-06-14 09:46:12 + (Tue, 14 Jun 2016)
New Revision: 42521

Modified:
   data/embedded-code-copies
Log:
edk2 embeds openssl

Reported-by: sarnold on #debian-security
See-also: 
https://sources.debian.net/src/edk2/unstable/CryptoPkg/Library/OpensslLib/openssl-1.0.2g/

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-06-14 09:10:11 UTC (rev 42520)
+++ data/embedded-code-copies   2016-06-14 09:46:12 UTC (rev 42521)
@@ -2555,6 +2555,7 @@
 
 openssl
- ia32-libs  (embed)
+   - edk2  (embed)
 
 pam
- ia32-libs  (embed)



[Secure-testing-commits] r42500 - bin

2016-06-13 Thread Paul Wise
Author: pabs
Date: 2016-06-13 07:51:32 + (Mon, 13 Jun 2016)
New Revision: 42500

Modified:
   bin/tracker_service.py
Log:
Link to the CERT database too since they update before Mitre/NVD these days

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2016-06-13 07:42:58 UTC (rev 42499)
+++ bin/tracker_service.py  2016-06-13 07:51:32 UTC (rev 42500)
@@ -359,6 +359,8 @@
   self.make_nvd_ref(url, bug.name,
 'NVD'),
   "; ",
+  self.make_cert_bug_ref(url, bug.name, 
'CERT'),
+  ", ",
   self.make_lwn_bug_ref(url, bug.name, 
'LWN'),
   ", ",
   self.make_osssec_bug_ref(url, bug.name, 
'oss-sec'),
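Review bot: the separators change meaning here: NVD is followed by `"; "` while CERT, LWN and oss-sec are joined with `", "`, so CERT now groups with the secondary search links rather than with the canonical NVD record. If that grouping is intended (the CERT link below is a search, not a direct record), fine, but the mixed `;`/`,` convention deserves a comment.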
@@ -1477,6 +1479,8 @@
 def url_nvd(self, url, name):
 return url.absolute("https://web.nvd.nist.gov/view/vuln/detail;,
 vulnId=name)
+def url_cert_bug(self, url, name):
+return url.absolute("https://www.kb.cert.org/vuls/byid;, 
searchview='', query=name)
 def url_lwn_bug(self, url, name):
 return url.absolute("https://lwn.net/Search/DoSearch;, words=name)
 def url_osssec_bug(self, url, name):
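Review bot: `url_cert_bug` builds a search URL (`/vuls/byid` with `searchview=''` and `query=name`) rather than a direct link to a vulnerability note, so the 'CERT' reference will open a results page that may be empty for ids CERT has not catalogued; add a comment explaining why the search form is used and what the empty `searchview` parameter does, since neither is evident from the call.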
@@ -1561,6 +1565,11 @@
 name = cve
 return A(self.url_nvd(url, cve), name)
 
+def make_cert_bug_ref(self, url, cve, name=None):
+if name is None:
+name = cve
+return A(self.url_cert_bug(url, cve), name)
+
 def make_lwn_bug_ref(self, url, cve, name=None):
 if name is None:
 name = cve
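Review bot: `make_cert_bug_ref` repeats the `if name is None: name = cve` preamble of the NVD and LWN reference helpers visible around it; with three copies of the pattern in this patch alone, a small generic helper taking the URL builder as an argument would keep each new reference source to one line.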



[Secure-testing-commits] r42497 - data/CVE

2016-06-13 Thread Paul Wise
Author: pabs
Date: 2016-06-13 06:37:40 + (Mon, 13 Jun 2016)
New Revision: 42497

Modified:
   data/CVE/list
Log:
Add writeup for CVE-2016-1681 (aka PDFium)

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-13 05:04:12 UTC (rev 42496)
+++ data/CVE/list   2016-06-13 06:37:40 UTC (rev 42497)
@@ -11416,6 +11416,7 @@
{DSA-3590-1}
- chromium-browser 51.0.2704.63-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
+   NOTE: http://blog.talosintel.com/2016/06/pdfium.html
 CVE-2016-1680 (Use-after-free vulnerability in ports/SkFontHost_FreeType.cpp 
in Skia, ...)
{DSA-3590-1}
- chromium-browser 51.0.2704.63-1



[Secure-testing-commits] r42429 - data/CVE

2016-06-09 Thread Paul Wise
Author: pabs
Date: 2016-06-10 04:06:55 + (Fri, 10 Jun 2016)
New Revision: 42429

Modified:
   data/CVE/list
Log:
wget: new issue: CVE-2016-4971 fixed in 1.18

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-09 21:10:11 UTC (rev 42428)
+++ data/CVE/list   2016-06-10 04:06:55 UTC (rev 42429)
@@ -1194,6 +1194,10 @@
RESERVED
 CVE-2016-4971
RESERVED
+   - wget 
+   NOTE: fixed in 1.18
+   NOTE: http://lists.gnu.org/archive/html/info-gnu/2016-06/msg4.html
+   NOTE: 
http://git.savannah.gnu.org/cgit/wget.git/commit/?id=e996e322ffd42aaa051602da182d03178d0f13e1
 CVE-2016-4970
RESERVED
 CVE-2016-4969



[Secure-testing-commits] r42367 - data

2016-06-07 Thread Paul Wise
Author: pabs
Date: 2016-06-07 06:41:17 + (Tue, 07 Jun 2016)
New Revision: 42367

Modified:
   data/embedded-code-copies
Log:
flatpak embeds bubblewrap

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-06-07 06:18:44 UTC (rev 42366)
+++ data/embedded-code-copies   2016-06-07 06:41:17 UTC (rev 42367)
@@ -3032,3 +3032,6 @@
 libhtp
- suricata  (embed)
NOTE: See #772551
+
+bubblewrap
+   - flatpak  (embed; bug #824647)



[Secure-testing-commits] r42298 - data/CVE

2016-06-03 Thread Paul Wise
Author: pabs
Date: 2016-06-04 02:50:54 + (Sat, 04 Jun 2016)
New Revision: 42298

Modified:
   data/CVE/list
Log:
CVE-2015-2575: actually in mysql-connector-java, fixed in unstable

Reported-by: tyhicks in #debian-security

Modified: data/CVE/list
===
--- data/CVE/list   2016-06-03 21:10:08 UTC (rev 42297)
+++ data/CVE/list   2016-06-04 02:50:54 UTC (rev 42298)
@@ -33635,7 +33635,7 @@
 CVE-2015-2576 (Unspecified vulnerability in the MySQL Utilities component in 
Oracle ...)
NOT-FOR-US: MySQL Utilities component of MySQL on Windows
 CVE-2015-2575 (Unspecified vulnerability in the MySQL Connectors component in 
Oracle ...)
-   NOT-FOR-US: MySQL Connector/J
+   - mysql-connector-java 5.1.37-1
 CVE-2015-2574 (Unspecified vulnerability in Oracle Sun Solaris 10 allows local 
users ...)
NOT-FOR-US: Oracle Sun Solaris
 CVE-2015-2573 (Unspecified vulnerability in Oracle MySQL Server 5.5.41 and 
earlier, ...)
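Review bot: replacing `NOT-FOR-US: MySQL Connector/J` with `mysql-connector-java 5.1.37-1` records only the unstable fix; since the point of the change is that a Debian package had been wrongly dismissed, also add a [jessie] line stating whether the version in stable is affected, and a NOTE linking the Oracle advisory the description refers to, so the reassessment is verifiable.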



[Secure-testing-commits] r41800 - data

2016-05-17 Thread Paul Wise
Author: pabs
Date: 2016-05-17 13:06:13 + (Tue, 17 May 2016)
New Revision: 41800

Modified:
   data/embedded-code-copies
Log:
icdiff is a fork of the Python difflib

Suggested-by: Sascha Steinbiss 
Suggested-in: <0631beae-19fc-455c-b555-4cead4627...@steinbiss.name>

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-05-17 13:05:58 UTC (rev 41799)
+++ data/embedded-code-copies   2016-05-17 13:06:13 UTC (rev 41800)
@@ -1600,6 +1600,8 @@
- sphinx  (embed; bug #609485)
NOTE: embeds only lib2to3.pgen2 in sphinx.pycode.pygen2
- vegastrike-data  (embed; bug #555630)
+   - icdiff  (fork)
+NOTE: core functionality based on Python difflib code with changed 
output format
 
 argparse
- twill  (embed; bug #555347)
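Review bot: the added `+NOTE: core functionality ...` line is indented with a single space, whereas every other NOTE in the file (the sphinx one two lines above, for instance) is indented like its package line; fix the indentation so the note reads as part of the icdiff entry rather than as a new top-level heading.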



[Secure-testing-commits] r41799 - data

2016-05-17 Thread Paul Wise
Author: pabs
Date: 2016-05-17 13:05:58 + (Tue, 17 May 2016)
New Revision: 41799

Modified:
   data/embedded-code-copies
Log:
Update python versions

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-05-17 12:33:43 UTC (rev 41798)
+++ data/embedded-code-copies   2016-05-17 13:05:58 UTC (rev 41799)
@@ -1493,8 +1493,10 @@
- sphinx  (embed)
- python-nltk  (embed)
 
-python2.5
-   - python2.4  (old-version)
+python2.7
+   - python2.4  (old-version)
+   - python2.5  (old-version)
+   - python2.6  (old-version)
- jython  (embed)
NOTE: embeds many stdlib modules
- python-django  (embed; bug #555419)



[Secure-testing-commits] r41794 - data

2016-05-17 Thread Paul Wise
Author: pabs
Date: 2016-05-17 10:46:43 + (Tue, 17 May 2016)
New Revision: 41794

Modified:
   data/embedded-code-copies
Log:
The copy of zlib in rsync is modified

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-05-17 09:21:28 UTC (rev 41793)
+++ data/embedded-code-copies   2016-05-17 10:46:43 UTC (rev 41794)
@@ -117,7 +117,7 @@
 zlib (lots of apps embed a copy, but link dynamically, but there are a few 
exceptions)
- dpkg 1.15.6 (static)
NOTE: see 18196.48620.491996.624...@davenant.relativity.greenend.org.uk 
on debian-devel for discussion
-   - rsync  (embed)
+   - rsync  (modified-embed)
- cherokee  (embed)
NOTE: somehow derived code base
- mono  (embed)



[Secure-testing-commits] r41548 - data/CVE

2016-05-08 Thread Paul Wise
Author: pabs
Date: 2016-05-09 05:06:13 + (Mon, 09 May 2016)
New Revision: 41548

Modified:
   data/CVE/list
Log:
Update info for CVE-2014-1909

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-09 04:27:32 UTC (rev 41547)
+++ data/CVE/list   2016-05-09 05:06:13 UTC (rev 41548)
@@ -59626,7 +59626,8 @@
- parcimonie 0.8.1-1 (bug #738134)
 CVE-2014-1909 (Integer signedness error in system/core/adb/adb_client.c in 
Android ...)
- android-tools 4.2.2+git20130529-5.1 (bug #770513)
-   - android-platform-system-core 
+   - android-platform-system-core 1:6.0.0+r26-1~stage1
+   NOTE: 
http://www.droidsec.org/advisories/2014/02/04/two-security-issues-found-in-the-android-sdk-tools.html
 CVE-2014-1896 (The (1) do_send and (2) do_recv functions in io.c in libvchan 
in Xen ...)
- xen 4.4.0-1
[squeeze] - xen  (Only affects 4.2 and later)



[Secure-testing-commits] r41546 - in data: . CVE

2016-05-08 Thread Paul Wise
Author: pabs
Date: 2016-05-09 04:04:40 + (Mon, 09 May 2016)
New Revision: 41546

Modified:
   data/CVE/list
   data/embedded-code-copies
Log:
adb got moved from android-tools to android-platform-system-core

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-08 21:10:12 UTC (rev 41545)
+++ data/CVE/list   2016-05-09 04:04:40 UTC (rev 41546)
@@ -59616,6 +59616,7 @@
- parcimonie 0.8.1-1 (bug #738134)
 CVE-2014-1909 (Integer signedness error in system/core/adb/adb_client.c in 
Android ...)
- android-tools 4.2.2+git20130529-5.1 (bug #770513)
+   - android-platform-system-core 
 CVE-2014-1896 (The (1) do_send and (2) do_recv functions in io.c in libvchan 
in Xen ...)
- xen 4.4.0-1
[squeeze] - xen  (Only affects 4.2 and later)
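Review bot: the new android-platform-system-core line under CVE-2014-1909 has no fixed version and no bug reference, unlike the android-tools line directly above it (bug #770513); since the commit message says adb moved between these packages, record the bug or a NOTE naming the upstream system/core version that contains the fix, so the entry is not left as an unexplained affected marker.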
@@ -86893,6 +86894,7 @@
 CVE-2012-5564 (android-tools 4.1.1 in Android Debug Bridge (ADB) allows local 
users ...)
- android-tools  (bug #688280)
[jessie] - android-tools  (Minor issue)
+   - android-platform-system-core 
 CVE-2012-5563 (OpenStack Keystone, as used in OpenStack Folsom 2012.2, does 
not ...)
- keystone  (Folsom branch not packaged yet)
 CVE-2012-5562
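Review bot: CVE-2012-5564 carries "[jessie] - android-tools  (Minor issue)" but the new android-platform-system-core line has no severity or suite annotation; if the issue is equally minor in the new package the same annotation should be carried over, otherwise a NOTE on why it differs would help triage.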

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-05-08 21:10:12 UTC (rev 41545)
+++ data/embedded-code-copies   2016-05-09 04:04:40 UTC (rev 41546)
@@ -3021,3 +3021,6 @@
 
 lua5.3
- freedroidrpg  (embed)
+
+android-platform-system-core
+   - android-tools  (old-version)
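Review bot: this records android-tools as embedding an old-version copy of android-platform-system-core, yet CVE-2014-1909 in the same commit still lists android-tools with its own fixed version (4.2.2+git20130529-5.1); check that injecting this embedded-copy relation does not re-flag android-tools as affected for issues already fixed in its own upload.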




[Secure-testing-commits] r41500 - data

2016-05-07 Thread Paul Wise
Author: pabs
Date: 2016-05-07 06:17:16 + (Sat, 07 May 2016)
New Revision: 41500

Modified:
   data/embedded-code-copies
Log:
Update unicode-data embeds

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-05-07 04:55:41 UTC (rev 41499)
+++ data/embedded-code-copies   2016-05-07 06:17:16 UTC (rev 41500)
@@ -1695,6 +1695,8 @@
- boost1.49  (embed)
- boost1.54  (embed; bug #751880)
- boost1.55  (embed; bug #751881)
+   - boost1.58  (embed; bug #823582)
+   - boost1.60  (embed; bug #823585)
 
 feedparser
- rawdog 2.19-1 (embed; bug #383422)
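Review bot: boost1.58 and boost1.60 each get a tracking bug, matching boost1.54 and boost1.55 above; boost1.49 in the same list still has none, so it is now the only boost entry without a bug to point maintainers at.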




[Secure-testing-commits] r41366 - data/CVE

2016-05-03 Thread Paul Wise
Author: pabs
Date: 2016-05-03 06:10:44 + (Tue, 03 May 2016)
New Revision: 41366

Modified:
   data/CVE/list
Log:
Add bug for gitlab CVE-2016-4340

Modified: data/CVE/list
===
--- data/CVE/list   2016-05-03 05:51:42 UTC (rev 41365)
+++ data/CVE/list   2016-05-03 06:10:44 UTC (rev 41366)
@@ -672,7 +672,7 @@
RESERVED
 CVE-2016-4340 [Privilege escalation via "impersonate" feature]
RESERVED
-   - gitlab 
+   - gitlab  (bug #823290)
NOTE: https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
 CVE-2016-4087
RESERVED
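Review bot: bug #823290 is added but the gitlab line still has no fixed version; the linked gitlab.com post announces patched upstream releases, so record the Debian version that incorporates them once uploaded, or a NOTE naming the upstream fixed versions in the meantime.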




[Secure-testing-commits] r41268 - data/CVE

2016-04-28 Thread Paul Wise
Author: pabs
Date: 2016-04-29 01:51:15 + (Fri, 29 Apr 2016)
New Revision: 41268

Modified:
   data/CVE/list
Log:
Upcoming gitlab security issue

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-28 21:10:12 UTC (rev 41267)
+++ data/CVE/list   2016-04-29 01:51:15 UTC (rev 41268)
@@ -1,3 +1,7 @@
+CVE-2016-4340
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2016/04/28/gitlab-major-security-update-for-cve-2016-4340/
+   TODO: check
 CVE-2016-4087
RESERVED
 CVE-2016-4086
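Review bot: the entry is added without a bracketed summary, so the tracker will show the bare id next to the gitlab line until the embargo lifts; "TODO: check" is the right placeholder, but a one-line description taken from the linked pre-announcement would make the triage list readable.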




[Secure-testing-commits] r41133 - bin

2016-04-24 Thread Paul Wise
Author: pabs
Date: 2016-04-25 05:54:27 + (Mon, 25 Apr 2016)
New Revision: 41133

Modified:
   bin/tracker_service.py
Log:
Quote searches on disconnect.me

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2016-04-25 05:48:58 UTC (rev 41132)
+++ bin/tracker_service.py  2016-04-25 05:54:27 UTC (rev 41133)
@@ -1507,7 +1507,7 @@
 def url_github_issues_bug(self, url, name):
 return url.absolute("https://github.com/search;, type="Issues", 
q='"%s"' % name)
 def url_disconnect_bug(self, url, name):
-return url.absolute("https://search.disconnect.me/searchTerms/search;, 
query=name)
+return url.absolute("https://search.disconnect.me/searchTerms/search;, 
query='"%s"' % name)
 
 def url_dsa(self, url, dsa, re_dsa=re.compile(r'^DSA-(\d+)(?:-\d+)?$')):
 match = re_dsa.match(dsa)
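Review bot: the exact-phrase quoting matches what url_github_issues_bug already does two lines above, and is safe here because the values passed as name are CVE ids with no embedded double quotes; if url.absolute did not percent-encode the quotes the GitHub link would already be broken, so this introduces no new encoding concern.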




[Secure-testing-commits] r41132 - data/CVE

2016-04-24 Thread Paul Wise
Author: pabs
Date: 2016-04-25 05:48:58 + (Mon, 25 Apr 2016)
New Revision: 41132

Modified:
   data/CVE/list
Log:
CVE-2014-1677: NFU

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-25 05:35:04 UTC (rev 41131)
+++ data/CVE/list   2016-04-25 05:48:58 UTC (rev 41132)
@@ -58826,8 +58826,10 @@
- open-xchange  (bug #269329)
 CVE-2014-1678
RESERVED
-CVE-2014-1677
+CVE-2014-1677 [Technicolor TC7200 - Credentials Disclosure]
RESERVED
+   NOT-FOR-US: Technicolor TC7200
+   NOTE: https://www.exploit-db.com/exploits/31894/
 CVE-2014-1676
RESERVED
 CVE-2014-1675
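Review bot: keeping RESERVED above NOT-FOR-US together with a bracketed summary and a reference is the reserved-but-public pattern used elsewhere in this list, so the shape is fine; the one thing to verify is that the exploit-db entry describes the same issue MITRE reserved CVE-2014-1677 for, since the CVE itself has no public description yet.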




[Secure-testing-commits] r41131 - data/CVE

2016-04-24 Thread Paul Wise
Author: pabs
Date: 2016-04-25 05:35:04 + (Mon, 25 Apr 2016)
New Revision: 41131

Modified:
   data/CVE/list
Log:
A couple of forgotten roundcube issues

Modified: data/CVE/list
===
--- data/CVE/list   2016-04-25 05:04:32 UTC (rev 41130)
+++ data/CVE/list   2016-04-25 05:35:04 UTC (rev 41131)
@@ -31058,10 +31058,18 @@
NOT-FOR-US: ZeusCart
 CVE-2015-2182 (Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 
4 ...)
NOT-FOR-US: ZeusCart
-CVE-2015-2181
+CVE-2015-2181 [buffer overflows in the roundcube DBMail driver for the 
password plugin]
RESERVED
-CVE-2015-2180
+   - roundcube 
+   NOTE: http://trac.roundcube.net/ticket/1490261
+   NOTE: http://advisories.mageia.org/MGASA-2015-0400.html
+   NOTE: http://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html
+CVE-2015-2180 [execute arbitrary shell commands as root from the roundcube 
DBMail driver for the password plugin]
RESERVED
+   - roundcube 
+   NOTE: http://trac.roundcube.net/ticket/1490261
+   NOTE: http://advisories.mageia.org/MGASA-2015-0400.html
+   NOTE: http://lists.opensuse.org/opensuse-updates/2015-07/msg00032.html
 CVE-2015-2179
RESERVED
 CVE-2015-2178
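Review bot: neither roundcube entry records a fixed Debian version or a bug number, even though the references (MGASA-2015-0400, the openSUSE 2015-07 update, trac ticket 1490261) date the fix to mid-2015; check the roundcube changelog in the archive and fill in the version, otherwise the package will show as unfixed for a root command execution issue. The two entries repeating the same three NOTE lines is the per-CVE convention here and is fine.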




[Secure-testing-commits] r41130 - bin

2016-04-24 Thread Paul Wise
Author: pabs
Date: 2016-04-25 05:04:32 + (Mon, 25 Apr 2016)
New Revision: 41130

Modified:
   bin/tracker_service.py
Log:
Link CVEs to the LWN search interface

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2016-04-24 21:10:17 UTC (rev 41129)
+++ bin/tracker_service.py  2016-04-25 05:04:32 UTC (rev 41130)
@@ -359,6 +359,8 @@
   self.make_nvd_ref(url, bug.name,
 'NVD'),
   "; ",
+  self.make_lwn_bug_ref(url, bug.name, 
'LWN'),
+  ", ",
   self.make_osssec_bug_ref(url, bug.name, 
'oss-sec'),
   ", ",
   self.make_fulldisc_bug_ref(url, 
bug.name, 'fulldisc'),
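Review bot: LWN is inserted after the "; " that follows NVD, so it renders in the comma-separated group with the list-archive searches (oss-sec, fulldisc) rather than next to NVD; that grouping is sensible, since it is a free-text search rather than a vulnerability database.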
@@ -1475,6 +1477,8 @@
 def url_nvd(self, url, name):
 return url.absolute("https://web.nvd.nist.gov/view/vuln/detail;,
 vulnId=name)
+def url_lwn_bug(self, url, name):
+return url.absolute("https://lwn.net/Search/DoSearch;, words=name)
 def url_osssec_bug(self, url, name):
 return url.absolute("https://marc.info/;, l="oss-security", s=name)
 def url_fulldesc_bug(self, url, name):
@@ -1557,6 +1561,11 @@
 name = cve
 return A(self.url_nvd(url, cve), name)
 
+def make_lwn_bug_ref(self, url, cve, name=None):
+if name is None:
+name = cve
+return A(self.url_lwn_bug(url, cve), name)
+
 def make_osssec_bug_ref(self, url, cve, name=None):
 if name is None:
 name = cve
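Review bot: make_lwn_bug_ref is another copy of the same three-line body (see make_osssec_bug_ref directly below); a generic helper that takes the url_* callable would remove the duplication and turn each future source into a one-line addition instead of three hunks.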




[Secure-testing-commits] r41107 - check-external

2016-04-24 Thread Paul Wise
Author: pabs
Date: 2016-04-24 09:37:32 + (Sun, 24 Apr 2016)
New Revision: 41107

Modified:
   check-external/sources.ini
Log:
Another potential data source: samba

Modified: check-external/sources.ini
===
--- check-external/sources.ini  2016-04-24 09:10:12 UTC (rev 41106)
+++ check-external/sources.ini  2016-04-24 09:37:32 UTC (rev 41107)
@@ -117,3 +117,9 @@
 url = http://webkitgtk.org/security/{id}.html
 match = WSA-[0-9]{4,}-[0-9]{4,}
 select = match
+
+[samba]
+download = https://www.samba.org/samba/history/security.html
+match = CVE-[0-9]{4,}-[0-9]+
+select = match
+url = https://www.samba.org/samba/security/{id}.html
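Review bot: the match regex CVE-[0-9]{4,}-[0-9]+ will capture any CVE id that appears on the samba history page, including ones mentioned for other projects if there are any, and the url template assumes each matched id has its own page at samba.org/samba/security/{id}.html; the webkitgtk section above uses an advisory-specific WSA- pattern, so a spot check that every matched CVE resolves would avoid dead links.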




[Secure-testing-commits] r40780 - bin

2016-04-06 Thread Paul Wise
Author: pabs
Date: 2016-04-06 09:47:34 + (Wed, 06 Apr 2016)
New Revision: 40780

Modified:
   bin/tracker_service.py
Log:
Drop links to OSVDB

OSVDB is now closed officially:

https://blog.osvdb.org/2016/04/05/osvdb-fin/

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2016-04-06 09:36:04 UTC (rev 40779)
+++ bin/tracker_service.py  2016-04-06 09:47:34 UTC (rev 40780)
@@ -365,8 +365,6 @@
   ", ",
   self.make_bugtraq_bug_ref(url, bug.name, 
'bugtraq'),
   ", ",
-  self.make_osvdb_bug_ref(url, bug.name, 
'OSVDB'),
-  ", ",
   self.make_edb_bug_ref(url, bug.name, 
'EDB'),
   ", ",
   self.make_metasploit_bug_ref(url, 
bug.name, 'Metasploit'),
@@ -1483,8 +1481,6 @@
 return url.absolute("https://marc.info/;, l="full-disclosure", s=name)
 def url_bugtraq_bug(self, url, name):
 return url.absolute("https://marc.info/;, l="bugtraq", s=name)
-def url_osvdb_bug(self, url, name):
-return url.absoluteDict("https://osvdb.org/search/search;, 
{"search[refid]": name})
 def url_edb_bug(self, url, name):
 name = name[len('CVE-'):] if name.startswith('CVE-') else name
 return url.absolute("https://www.exploit-db.com/search/;, 
action="search", cve=name)
@@ -1576,11 +1572,6 @@
 name = cve
 return A(self.url_bugtraq_bug(url, cve), name)
 
-def make_osvdb_bug_ref(self, url, cve, name=None):
-if name is None:
-name = cve
-return A(self.url_osvdb_bug(url, cve), name)
-
 def make_edb_bug_ref(self, url, cve, name=None):
 if name is None:
 name = cve
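Review bot: the three hunks remove the link, url_osvdb_bug and make_osvdb_bug_ref together, which is complete for what this file shows; grep the rest of bin/ and the templates for osvdb before landing, because a leftover caller would only fail at request time, not at import time.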




[Secure-testing-commits] r40734 - data

2016-04-03 Thread Paul Wise
Author: pabs
Date: 2016-04-03 15:45:50 + (Sun, 03 Apr 2016)
New Revision: 40734

Modified:
   data/embedded-code-copies
Log:
freedroidrpg embeds lua5.3

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-04-03 15:41:05 UTC (rev 40733)
+++ data/embedded-code-copies   2016-04-03 15:45:50 UTC (rev 40734)
@@ -3013,3 +3013,6 @@
- spades  (embed)
- ossim  (embed)
- gnudatalanguage  (embed)
+
+lua5.3
+   - freedroidrpg  (embed)




[Secure-testing-commits] r40667 - data

2016-03-30 Thread Paul Wise
Author: pabs
Date: 2016-03-31 02:53:37 + (Thu, 31 Mar 2016)
New Revision: 40667

Modified:
   data/embedded-code-copies
Log:
libgzstream accepted

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-03-30 21:10:14 UTC (rev 40666)
+++ data/embedded-code-copies   2016-03-31 02:53:37 UTC (rev 40667)
@@ -2995,7 +2995,7 @@
- sks-ecc  (embed)
NOTE: there are probably more
 
-libgzstream (itp: #819532)
+libgzstream
- k3d  (embed)
- freecad  (embed)
- lyx  (embed)




[Secure-testing-commits] r40656 - data

2016-03-30 Thread Paul Wise
Author: pabs
Date: 2016-03-30 08:14:19 + (Wed, 30 Mar 2016)
New Revision: 40656

Modified:
   data/embedded-code-copies
Log:
gzstream ITP

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-03-30 06:10:48 UTC (rev 40655)
+++ data/embedded-code-copies   2016-03-30 08:14:19 UTC (rev 40656)
@@ -2995,7 +2995,7 @@
- sks-ecc  (embed)
NOTE: there are probably more
 
-gzstream (not packaged in Debian: 
http://www.cs.unc.edu/Research/compgeom/gzstream/)
+gzstream (ITP: #819532)
- k3d  (embed)
- freecad  (embed)
- lyx  (embed)




[Secure-testing-commits] r40655 - data

2016-03-30 Thread Paul Wise
Author: pabs
Date: 2016-03-30 06:10:48 + (Wed, 30 Mar 2016)
New Revision: 40655

Modified:
   data/embedded-code-copies
Log:
Document gzstream embedded code copies

Reported-in: <20160329200151.ga7...@jwilk.net>

Modified: data/embedded-code-copies
===
--- data/embedded-code-copies   2016-03-30 05:42:20 UTC (rev 40654)
+++ data/embedded-code-copies   2016-03-30 06:10:48 UTC (rev 40655)
@@ -2994,3 +2994,22 @@
- wolfssl  (modified-embed)
- sks-ecc  (embed)
NOTE: there are probably more
+
+gzstream (not packaged in Debian: 
http://www.cs.unc.edu/Research/compgeom/gzstream/)
+   - k3d  (embed)
+   - freecad  (embed)
+   - lyx  (embed)
+   - texlive-bin  (embed)
+   - iqtree  (embed)
+   - paraview  (embed)
+   - sga  (embed)
+   - vtk6  (embed)
+   - filo  (embed)
+   - bedtools  (embed)
+   - freefoam  (embed)
+   - tulip  (embed)
+   - xdmf  (embed)
+   - ticcutils  (embed)
+   - spades  (embed)
+   - ossim  (embed)
+   - gnudatalanguage  (embed)
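Review bot: all seventeen consumers are recorded as (embed) with no bug number, whereas other entries in this file carry one per embedding (for example "- boost1.54  (embed; bug #751880)"); filing and recording bugs would give maintainers something actionable when a gzstream issue is later injected through these relations.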




[Secure-testing-commits] r40514 - bin

2016-03-22 Thread Paul Wise
Author: pabs
Date: 2016-03-22 06:20:02 + (Tue, 22 Mar 2016)
New Revision: 40514

Modified:
   bin/tracker_service.py
Log:
Link to the bugtraq mailing list archive search too

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2016-03-22 05:57:16 UTC (rev 40513)
+++ bin/tracker_service.py  2016-03-22 06:20:02 UTC (rev 40514)
@@ -364,6 +364,8 @@
   ", ",
   self.make_fulldisc_bug_ref(url, 
bug.name, 'fulldisc'),
   ", ",
+  self.make_bugtraq_bug_ref(url, bug.name, 
'bugtraq'),
+  ", ",
   self.make_osvdb_bug_ref(url, bug.name, 
'OSVDB'),
   ", ",
   self.make_edb_bug_ref(url, bug.name, 
'EDB'),
@@ -1480,6 +1482,8 @@
 return url.absolute("https://marc.info/;, l="oss-security", s=name)
 def url_fulldesc_bug(self, url, name):
 return url.absolute("https://marc.info/;, l="full-disclosure", s=name)
+def url_bugtraq_bug(self, url, name):
+return url.absolute("https://marc.info/;, l="bugtraq", s=name)
 def url_osvdb_bug(self, url, name):
 return url.absoluteDict("https://osvdb.org/search/search;, 
{"search[refid]": name})
 def url_edb_bug(self, url, name):
@@ -1568,6 +1572,11 @@
 name = cve
 return A(self.url_fulldesc_bug(url, cve), name)
 
+def make_bugtraq_bug_ref(self, url, cve, name=None):
+if name is None:
+name = cve
+return A(self.url_bugtraq_bug(url, cve), name)
+
 def make_osvdb_bug_ref(self, url, cve, name=None):
 if name is None:
 name = cve




[Secure-testing-commits] r40285 - data/CVE

2016-03-09 Thread Paul Wise
Author: pabs
Date: 2016-03-10 00:58:44 + (Thu, 10 Mar 2016)
New Revision: 40285

Modified:
   data/CVE/list
Log:
Add note about CVE-2016-1531

Suggested-by: Snader_LB on #debian-security

Modified: data/CVE/list
===
--- data/CVE/list   2016-03-09 22:10:35 UTC (rev 40284)
+++ data/CVE/list   2016-03-10 00:58:44 UTC (rev 40285)
@@ -4389,6 +4389,7 @@
RESERVED
- exim4 4.86.2-1
NOTE: 
https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html
+   NOTE: Debian security team have concerns about the patch, are talking 
to upstream
 CVE-2016-1530
RESERVED
 CVE-2016-1529
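Review bot: the fixed version exim4 4.86.2-1 stays recorded next to a NOTE saying the security team has concerns about the patch; if the upstream fix turns out to be incomplete the tracker will still report the issue as resolved, so either flag it as a partial fix or plan to reopen the entry once the discussion with upstream concludes.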




[Secure-testing-commits] r40252 - in data: CVE DLA

2016-03-08 Thread Paul Wise
Author: pabs
Date: 2016-03-09 05:09:26 + (Wed, 09 Mar 2016)
New Revision: 40252

Modified:
   data/CVE/list
   data/DLA/list
Log:
Fix some epochs and version numbers

Suggested-by: Stephen Quintero 
Suggested-in: 

[Secure-testing-commits] r40125 - bin

2016-03-02 Thread Paul Wise
Author: pabs
Date: 2016-03-02 15:30:29 + (Wed, 02 Mar 2016)
New Revision: 40125

Modified:
   bin/tracker_service.py
Log:
https for more of the CVE links

Modified: bin/tracker_service.py
===
--- bin/tracker_service.py  2016-03-02 15:23:22 UTC (rev 40124)
+++ bin/tracker_service.py  2016-03-02 15:30:29 UTC (rev 40125)
@@ -1476,17 +1476,17 @@
 def url_fulldesc_bug(self, url, name):
 return url.absolute("https://marc.info/;, l="full-disclosure", s=name)
 def url_osvdb_bug(self, url, name):
-return url.absoluteDict("http://osvdb.org/search/search;, 
{"search[refid]": name})
+return url.absoluteDict("https://osvdb.org/search/search;, 
{"search[refid]": name})
 def url_edb_bug(self, url, name):
 name = name[len('CVE-'):] if name.startswith('CVE-') else name
-return url.absolute("http://www.exploit-db.com/search/;, 
action="search", cve=name)
+return url.absolute("https://www.exploit-db.com/search/;, 
action="search", cve=name)
 def url_metasploit_bug(self, url, name):
 return url.absolute("https://www.rapid7.com/db/search;, q=name)
 def url_rhbug(self, url, name):
 return url.absolute("https://bugzilla.redhat.com/show_bug.cgi;,
 id=name)
 def url_ubuntu_bug(self, url, name):
-return 
url.absolute("http://people.canonical.com/~ubuntu-security/cve/%s; % name)
+return 
url.absolute("https://people.canonical.com/~ubuntu-security/cve/%s; % name)
 def url_gentoo_bug(self, url, name):
 return url.absolute("https://bugs.gentoo.org/show_bug.cgi;, id=name)
 def url_suse_bug(self, url, name):




[Secure-testing-commits] r40100 - bin check-external

2016-03-01 Thread Paul Wise
Author: pabs
Date: 2016-03-01 14:30:06 + (Tue, 01 Mar 2016)
New Revision: 40100

Modified:
   bin/add-dsa-needed.sh
   bin/embedded-cleanup
   bin/gen-DSA
   bin/inject-embedded-code-copies
   bin/reserved-but-public
   bin/split-by-year
   check-external/lookup.sh
   check-external/update.sh
Log:
https for links to the GNU license list.

Modified: bin/add-dsa-needed.sh
===
--- bin/add-dsa-needed.sh   2016-03-01 14:25:57 UTC (rev 40099)
+++ bin/add-dsa-needed.sh   2016-03-01 14:30:06 UTC (rev 40100)
@@ -15,7 +15,7 @@
 #GNU General Public License for more details.
 #
 #You should have received a copy of the GNU General Public License
-#along with this file.  If not, see .
+#along with this file.  If not, see .
 
 
 set -eu

Modified: bin/embedded-cleanup
===
--- bin/embedded-cleanup2016-03-01 14:25:57 UTC (rev 40099)
+++ bin/embedded-cleanup2016-03-01 14:30:06 UTC (rev 40100)
@@ -15,7 +15,7 @@
 #GNU General Public License for more details.
 #
 #You should have received a copy of the GNU General Public License
-#along with this file.  If not, see .
+#along with this file.  If not, see .
 
 
 set -e

Modified: bin/gen-DSA
===
--- bin/gen-DSA 2016-03-01 14:25:57 UTC (rev 40099)
+++ bin/gen-DSA 2016-03-01 14:30:06 UTC (rev 40100)
@@ -15,7 +15,7 @@
 #GNU General Public License for more details.
 #
 #You should have received a copy of the GNU General Public License
-#along with this file.  If not, see .
+#along with this file.  If not, see .
 
 
 set -e

Modified: bin/inject-embedded-code-copies
===
--- bin/inject-embedded-code-copies 2016-03-01 14:25:57 UTC (rev 40099)
+++ bin/inject-embedded-code-copies 2016-03-01 14:30:06 UTC (rev 40100)
@@ -14,7 +14,7 @@
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with this program.  If not, see .
+# along with this program.  If not, see .
 
 import os
 import sys

Modified: bin/reserved-but-public
===
--- bin/reserved-but-public 2016-03-01 14:25:57 UTC (rev 40099)
+++ bin/reserved-but-public 2016-03-01 14:30:06 UTC (rev 40100)
@@ -15,7 +15,7 @@
 #GNU General Public License for more details.
 #
 #You should have received a copy of the GNU General Public License
-#along with this file.  If not, see .
+#along with this file.  If not, see .
 
 
 set -eu

Modified: bin/split-by-year
===
--- bin/split-by-year   2016-03-01 14:25:57 UTC (rev 40099)
+++ bin/split-by-year   2016-03-01 14:30:06 UTC (rev 40100)
@@ -15,7 +15,7 @@
 #GNU General Public License for more details.
 #
 #You should have received a copy of the GNU General Public License
-#along with this file.  If not, see .
+#along with this file.  If not, see .
 
 
 set -eu

Modified: check-external/lookup.sh
===
--- check-external/lookup.sh2016-03-01 14:25:57 UTC (rev 40099)
+++ check-external/lookup.sh2016-03-01 14:30:06 UTC (rev 40100)
@@ -15,7 +15,7 @@
 #GNU General Public License for more details.
 #
 #You should have received a copy of the GNU General Public License
-#along with this file.  If not, see .
+#along with this file.  If not, see .
 
 
 set -e

Modified: check-external/update.sh
===
--- check-external/update.sh2016-03-01 14:25:57 UTC (rev 40099)
+++ check-external/update.sh2016-03-01 14:30:06 UTC (rev 40100)
@@ -15,7 +15,7 @@
 #GNU General Public License for more details.
 #
 #You should have received a copy of the GNU General Public License
-#along with this file.  If not, see .
+#along with this file.  If not, see .
 
 
 set -e




[Secure-testing-commits] r40101 - templates

2016-03-01 Thread Paul Wise
Author: pabs
Date: 2016-03-01 14:30:15 + (Tue, 01 Mar 2016)
New Revision: 40101

Modified:
   templates/lts-no-dsa.txt
   templates/lts-update-planned.txt
Log:
https for links to the LTS development page

Modified: templates/lts-no-dsa.txt
===
--- templates/lts-no-dsa.txt2016-03-01 14:30:06 UTC (rev 40100)
+++ templates/lts-no-dsa.txt2016-03-01 14:30:15 UTC (rev 40101)
@@ -22,7 +22,7 @@
 
 If you want to work on such an update, you're welcome to do so. Please
 try to follow the workflow we have defined here:
-http://wiki.debian.org/LTS/Development
+https://wiki.debian.org/LTS/Development
 
 If that workflow is a burden to you, feel free to just prepare an
 updated source package and send it to debian-...@lists.debian.org

Modified: templates/lts-update-planned.txt
===
--- templates/lts-update-planned.txt2016-03-01 14:30:06 UTC (rev 40100)
+++ templates/lts-update-planned.txt2016-03-01 14:30:15 UTC (rev 40101)
@@ -17,7 +17,7 @@
 Would you like to take care of this yourself?
 
 If yes, please follow the workflow we have defined here:
-http://wiki.debian.org/LTS/Development
+https://wiki.debian.org/LTS/Development
 
 If that workflow is a burden to you, feel free to just prepare an
 updated source package and send it to debian-...@lists.debian.org




[Secure-testing-commits] r40099 - /

2016-03-01 Thread Paul Wise
Author: pabs
Date: 2016-03-01 14:25:57 + (Tue, 01 Mar 2016)
New Revision: 40099

Modified:
   TODO.gitmigration
Log:
git migration: cgit web interface works now

Modified: TODO.gitmigration
===
--- TODO.gitmigration   2016-03-01 14:20:52 UTC (rev 40098)
+++ TODO.gitmigration   2016-03-01 14:25:57 UTC (rev 40099)
@@ -40,8 +40,6 @@
 - migrate (active) users (maybe based on only the ones which commited
 to the svn repository in recent years?)
 - get the DD acl applied (then point above only applies to -guest users)
-- cgit webinterface does not yet show the repository at
-  http://anonscm.debian.org/cgit/debian-security/debian-security.git [works]
 
 team-security.debian.org website
 




[Secure-testing-commits] r40094 - data/CVE

2016-03-01 Thread Paul Wise
Author: pabs
Date: 2016-03-01 14:06:23 + (Tue, 01 Mar 2016)
New Revision: 40094

Modified:
   data/CVE/list
Log:
A blog post about CVE-2016-0800

Modified: data/CVE/list
===
--- data/CVE/list   2016-03-01 14:03:58 UTC (rev 40093)
+++ data/CVE/list   2016-03-01 14:06:23 UTC (rev 40094)
@@ -6184,6 +6184,7 @@
NOTE: https://www.openssl.org/news/secadv/20160301.txt
NOTE: https://www.drownattack.com/
NOTE: GNUTLS never implemented SSLv2
+   NOTE: 
http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
 CVE-2016-0799
RESERVED
- openssl 
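Review bot: the new NOTE uses http:// while the neighbouring commits in this series (r40100, r40101, r40125) are switching references to https; use https://blog.cryptographyengineering.com/... if the site serves TLS, so the reference is not downgraded relative to the other links on the entry.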



