Source: mariadb-5.5
Version: 5.5.39-1
Severity: grave
Tags: security upstream
Hi
Oracle has released the October CPU, see
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL
As MariaDB 5.5 and MySQL 5.5 have the same code base, all of the MySQL 5.5
issues might
close 765507 7.32-1
thanks
Sorry for the reopen, tried to mark it with the fixed control command (vs.
notfound) to get the version tracking information right.
--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact
Hi Otto,
On Tue, Oct 21, 2014 at 10:06:58PM +0300, Otto Kekäläinen wrote:
MariaDB has now published this page that tracks CVEs (Oracle-issued and
others) to MariaDB releases, also post-release:
https://mariadb.com/kb/en/mariadb/development/security/
Thanks for this notice, that is indeed great
-Debian: https://bugs.debian.org/763922
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=1149044
Forwarded: not-needed
Author: Chad Vizino cviz...@adaptivecomputing.com
Reviewed-by: Salvatore Bonaccorso car...@debian.org
Last-Update: 2014-10-21
--- a/src/cmds/pbs_track.c
+++ b/src/cmds
Short note for this bug: I have also asked upstream if they can
review/comment the patch also for this much older version we have in
Debian.
Regards,
Salvatore
)
+
+ -- Salvatore Bonaccorso car...@debian.org Sat, 25 Oct 2014 13:18:37 +0200
+
torque (2.4.16+dfsg-1.4) unstable; urgency=high
* Non-maintainer upload by the Security Team.
diff -Nru torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch torque-2.4.16+dfsg/debian/patches/CVE-2014-3684.patch
--- torque
Control: retitle -1 tnftp: CVE-2014-8517: ftp(1) can be made to execute arbitrary
commands by malicious webserver
Hi,
On Tue, Oct 28, 2014 at 11:15:44PM +0100, Moritz Muehlenhoff wrote:
Package: tnftp
Severity: grave
Tags: security
Please see
Source: torque
Severity: serious
Justification: end-of-life branch from upstream, low maintenance in Debian
Hi
I discussed this with Moritz Muehlenhoff, but bringing this now up to
discussion. Note that debian-release@l.d.o and the openmpi and
pbs-drmaa maintainers are X-Debbugs-CC'ed on this
Hi Bastien,
On Wed, Oct 29, 2014 at 03:22:24PM +0100, Bastien ROUCARIES wrote:
package: imagemagick
version: 8:6.6.0.4-3
severity: serious
control: tag -1 + security
This is a bug for tracking:
TEMP-000-77B6EF buffer overflow in PCX and DCM coder
TEMP-000-3CE5AC Off-by-one count
Hi Julien,
On Fri, Oct 31, 2014 at 02:07:25PM +0100, Julien Cristau wrote:
On Thu, Oct 30, 2014 at 22:27:53 +0100, Salvatore Bonaccorso wrote:
pbs-drmaa as reverse dependency of torque is easy as it is a leaf
package. The more complicated one would be openmpi which would need to
drop
Package: aircrack-ng
Version: 1:1.2-0~beta3-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerabilities were published for aircrack-ng.
CVE-2014-8321[0]:
GPS stack overflow
CVE-2014-8322[1]:
tcp_test stack overflow
CVE-2014-8323[2]:
buddy-ng missing checkin data format
On Fri, Oct 17, 2014 at 09:40:13AM +0200, Salvatore Bonaccorso wrote:
Source: mysql-5.5
Version: 5.5.23-2
Severity: grave
Tags: security upstream fixed-upstream
Hi
Please see:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixMSQL
*ping*?
Regards
hey Clint,
On Thu, Nov 06, 2014 at 05:36:55AM +0100, Clint Byrum wrote:
Sorry Salvatore, I think at least a couple of us have been preoccupied
with the OpenStack summit in Paris the last few weeks. I'll try to make
some time to update unstable ASAP.
Ok and thanks for your status update!
Source: freeipa
Version: 4.0.4-2
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for freeipa.
CVE-2014-7828[0]:
password not required when OTP in use
See [1] for details and upstream ticket[2].
If you fix the vulnerability please also make sure to
Source: python-requests-kerberos
Version: 0.5-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for python-requests-kerberos.
CVE-2014-8650[0]:
does not handle mutual authentication
If you fix the vulnerability please also make sure to
Control: severity -1 important
Hi,
On Sat, Nov 08, 2014 at 02:50:44PM +0800, 積丹尼 Dan Jacobson wrote:
Package: reportbug
Version: 6.6.0
Severity: grave
$ reportbug --template apt-show-versions
Traceback (most recent call last):
File /usr/bin/reportbug, line 38, in module
from
Hi Dan,
On Sun, Nov 09, 2014 at 04:23:01AM +0800, 積丹尼 Dan Jacobson wrote:
# set openssl
# apt-cache policy $@
openssl:
Installed: 1.0.2~beta3-1
Candidate: 1.0.2~beta3-1
Version table:
*** 1.0.2~beta3-1 0
990 http://ftp.tw.debian.org/debian/ experimental/main i386 Packages
Hi
Just one data-point for now: Looking at the build log this looks to me
(at first glance) as a dependency problem in libmoosex-storage-perl. In
0.48 upstream MooseX::Storage switched from JSON::Any to JSON::MaybeXS.
Regards,
Salvatore
Hi,
On Sun, Nov 09, 2014 at 10:44:05AM +0100, Salvatore Bonaccorso wrote:
Just one data-point for now: Looking at the build log this looks to me
(at first glance) as a dependency problem in libmoosex-storage-perl. In
0.48 upstream MooseX::Storage switched from JSON::Any to JSON::MaybeXS
Source: gnutls28
Version: 3.3.8-3
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for gnutls28.
CVE-2014-8564[0]:
Heap corruption when generating key ID for ECC (GNUTLS-SA-2014-5)
| An out-of-bounds memory write flaw was found in the
Hi Julien,
On Sat, Nov 01, 2014 at 07:09:04PM +0100, Julien Cristau wrote:
On Sat, Nov 1, 2014 at 16:46:12 +0100, Salvatore Bonaccorso wrote:
Hi Julien,
On Fri, Oct 31, 2014 at 02:07:25PM +0100, Julien Cristau wrote:
On Thu, Oct 30, 2014 at 22:27:53 +0100, Salvatore Bonaccorso wrote
Hi Aurelien
Not maintainer here, just for reference, see
https://bugs.debian.org/765663
Regards,
Salvatore
Control: reassign -1 libvirt-daemon-system/1.2.9-3
Hi Lucas,
On Fri, Nov 14, 2014 at 01:39:47PM +0100, Lucas Nussbaum wrote:
Package: libsys-virt-perl
Version: 1.2.9-1
Severity: serious
User: debian...@lists.debian.org
Usertags: instest-20141114 instest
Hi,
While testing the
Source: wordpress
Version: 3.6.1+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Hi
Setting this as severity grave as it is mentioned as critical update.
See https://wordpress.org/news/2014/11/wordpress-4-0-1/ for details.
There are no CVEs assigned yet for these issues.
Regards,
Source: drupal7
Version: 7.14-2
Severity: serious
Tags: security upstream
Control: fixed -1 7.14-2+deb7u8
Hi Gunnar,
Opening this bug as serious (RC) as we have the fix already in
wheezy-security but also should go to jessie.
CVE-2014-9015 and CVE-2014-9016 are assigned for
close 770469 7.32-1+deb8u1
thanks
This was fixed with the 7.32-1+deb8u1 upload to unstable.
Source: resteasy
Version: 3.0.6-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for resteasy. I have chosen
severity grave due to what is described in Red Hat's bugzilla about
the issue, but I don't know jboss/resteasy/... well enough, so feel
free to
Hi Tobi,
On Sun, Nov 23, 2014 at 04:57:28PM +0100, Tobias Frost wrote:
After testing, and it looks like it is working, I will upload it to
DELAYED/5.
Please let me know if I should cancel it or delay it further.
Please note that there is ongoing work by the maintainer asking for a
pre-approval on
Source: libksba
Version: 1.3.1-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi all,
Today a new upstream release for Libksba was announced, addressing in
particular the following:
Impact of the security bug
==
By using special crafted S/MIME
)
+
+ -- Salvatore Bonaccorso car...@debian.org Tue, 25 Nov 2014 16:43:46 +0100
+
libksba (1.2.0-2) unstable; urgency=low
* Build for multi-arch.
diff -Nru
libksba-1.2.0/debian/patches/0001-Fix-buffer-overflow-in-ksba_oid_to_str.patch
libksba-1.2.0/debian/patches/0001-Fix-buffer-overflow
Control: retitle -1 wordpress: CVE-2014-9031 CVE-2014-9032 CVE-2014-9033
CVE-2014-9034 CVE-2014-9035 CVE-2014-9036 CVE-2014-9037 CVE-2014-9038
CVE-2014-9039 (issues fixed in 4.0.1 security release)
Hi,
On Fri, Nov 21, 2014 at 08:19:03AM +0100, Salvatore Bonaccorso wrote:
Source: wordpress
Source: lnav
Version: 0.7.1-1
Severity: serious
Justification: FTBFS
lnav/0.7.1-1 uploaded to experimental FTBFS on mips, powerpc and
s390x.
https://buildd.debian.org/status/fetch.php?pkg=lnavarch=mipsver=0.7.1-1stamp=1417091917
Source: util-linux
Version: 2.25.2-3
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for util-linux.
CVE-2014-9114[0]:
blkid command injection
I'm a bit undecided about the severity, so have chosen grave for now,
but important might
Control: found -1 1.5.23-1.1
Hi Antonio
On Thu, Nov 27, 2014 at 11:09:08PM +, Antonio Radici wrote:
notfound 771125 mutt/1.5.23-1.1
thanks
It seems that the bug is not reproducible on the latest version in
unstable/testing.
It should, the reproducer works here for me, have you 'set
Source: antiword
Version: 0.37-6
Severity: grave
Tags: security upstream patch
Hi,
the following vulnerability was published for antiword.
CVE-2014-8123[0]:
buffer overflow of atPPSlist[].szName[]
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities
Jurica,
On Wed, Dec 03, 2014 at 04:10:05PM +, Jurica Stanojkovic wrote:
Hello,
I have found that upstream commit 17bd6e2 breaks the build on Debian big-endian
architectures.
https://github.com/tstack/lnav/commit/17bd6e234ac2432073912b940a17a3b97675b8f9
If this commit is reverted,
Source: jasper
Version: 1.900.1-7
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for jasper.
CVE-2014-9029[0]:
heap-based buffer overflows
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities Exposures) id in your
check in COC, RGN and QCC
+marker segment decoders. (Closes: #772036)
+
+ -- Salvatore Bonaccorso car...@debian.org Fri, 05 Dec 2014 08:39:16 +0100
+
jasper (1.900.1-debian1-2.1) unstable; urgency=medium
* Non-maintainer upload (acked by maintainer)
diff -Nru jasper-1.900.1-debian1/debian
Hey Roland!
On Fri, Dec 05, 2014 at 11:43:20AM +0100, Roland Stigge wrote:
Hi Salvatore!
Thanks for working on this!
Welcome!
Thanks for the quick feedback. I interpret the above that it's just fine,
so I will move the package from delayed, preferably directly to the
archive. (I will also take
Source: bind9
Version: 1:9.8.4.dfsg.P1-6
Severity: grave
Tags: security upstream fixed-upstream
Control: fixed -1 1:9.8.4.dfsg.P1-6+nmu2+deb7u3
Hi,
the following vulnerability was published for bind9.
CVE-2014-8500[0]:
A Defect in Delegation Handling Can Be Exploited to Crash BIND
For
Hi,
On Wed, Dec 10, 2014 at 11:20:36PM +0100, Kurt Roeckx wrote:
On Wed, Dec 10, 2014 at 10:59:20PM +0100, Yves-Alexis Perez wrote:
[WB-team: we have an issue with the unbound amd64 build for DSA 3097-1,
so I'm adding you to the loop, see below]
On mer., 2014-12-10 at 16:46 -0500,
Source: docker.io
Version: 1.3.2~dfsg1-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for docker.io.
CVE-2014-9356[0]:
Path traversal during processing of absolute symlinks
CVE-2014-9357[1]:
Escalation of privileges during
Hi Scott,
On Thu, Dec 11, 2014 at 07:09:11AM -0500, Scott Kitterman wrote:
On December 11, 2014 6:37:51 AM EST, Moritz Muehlenhoff j...@inutil.org
wrote:
Package: pyyaml
Severity: grave
Tags: security
Hi,
CVE-2014-9130 from libyaml also affects pyyaml. I'm attaching a short
reproducer.
Hi,
On Thu, Dec 11, 2014 at 07:15:17AM +0100, Moritz Muehlenhoff wrote:
Package: cpio
Severity: grave
Tags: security
Hi,
please see http://seclists.org/fulldisclosure/2014/Nov/74
for the original report.
Patches:
http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=746f3ff6
Hi Andreas,
Sorry, I cannot check it right now myself, but could you have a look at
http://www.openwall.com/lists/oss-security/2014/12/15/3 . Apparently
the initial patch had an issue, and there is also a followup on this.
Regards,
Salvatore
Hi,
On Tue, Dec 16, 2014 at 08:59:56AM +0100, Moritz Muehlenhoff wrote:
Also http://subversion.apache.org/security/CVE-2014-8108-advisory.txt
Have cloned the bugreport to #773315, since versions affected for
CVE-2014-8108 are different.
Regards,
Salvatore
Source: heirloom-mailx
Version: 12.4-2
Severity: grave
Tags: security upstream
Justification: user security hole
Control: fixed -1 12.5-2+deb7u1
Hi,
the following vulnerabilities were published for heirloom-mailx.
* CVE-2004-2771[0]
* CVE-2014-7844[1]
If you fix the vulnerabilities please
Source: jasper
Version: 1.900.1-7
Severity: grave
Tags: security upstream
Hi,
the following vulnerabilities were published for jasper.
CVE-2014-8137[0]:
double-free in jas_iccattrval_destroy()
CVE-2014-8138[1]:
heap overflow in jp2_decode()
If you fix the vulnerabilities please also make
Hi Roland,
I will try to work again (as for the previous update) on the
wheezy-security update. As the patches will be mostly the same I could
also do again the unstable upload too. Just let me know!
Regards,
Salvatore
Source: ntp
Version: 1:4.2.6.p2+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for ntp.
CVE-2014-9293[0]:
automatic generation of weak default key in config_auth()
CVE-2014-9294[1]:
ntp-keygen uses weak random number generator and
Hi Hilko,
On Fri, Dec 19, 2014 at 01:46:22PM +0100, Hilko Bengen wrote:
* Salvatore Bonaccorso:
the following vulnerabilities were published for heirloom-mailx.
* CVE-2004-2771[0]
* CVE-2014-7844[1]
I cannot update the package right now. If somebody wants to prepare
an NMU
Control: tags -1 + patch
Hi Roland,
On Sat, Dec 20, 2014 at 06:08:54AM +0100, Salvatore Bonaccorso wrote:
I will try to work again (as for the previous update) on the
wheezy-security update. As the patches will be mostly the same I could
also do again the unstable upload too. Just let me know
close 773610 1.6.17dfsg-4+deb7u8
thanks
This was fixed with the 1.6.17dfsg-4+deb7u8 upload.
Hi Willi,
On Sun, Dec 14, 2014 at 10:10:58AM +0100, Willi Mann wrote:
Hi Dave,
does 0.21.7 solve both security issues reported? If yes, could you
send me the individual patches that fix these issues? The Debian branch
for the next stable distribution is already frozen, so I cannot fix
Control: tags -1 + patch
Hi Willi
Attached are two patches separated per CVEs.
Regards,
Salvatore
Description: CVE-2014-9274: out-of-bounds memory access
UnRTF allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code as demonstrated by a file containing
Hi Willi,
On Sun, Dec 21, 2014 at 10:02:08PM +0100, Willi Mann wrote:
Hi Salvatore,
we were working in parallel unfortunately, as I prepared the same
patches in the morning. However, I also added 2 patches by
Fabian Keil. I'll upload tomorrow in the evening, you can have a look at
Don't
Source: sox
Version: 14.3.1-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for sox.
CVE-2014-8145[0]:
two heap-based buffer overflows
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities Exposures) id in your
Source: unzip
Version: 6.0-4
Severity: grave
Tags: security upstream
Hi,
the following vulnerabilities were published for unzip.
(disclaimer: I was not yet able to verify any of those, but the oCert
advisory claims to affect all unzip <= 6.0).
CVE-2014-8139[0]:
CRC32 heap overflow
CVE-2014-8140[1]:
Hi Pascal,
On Mon, Dec 22, 2014 at 11:06:20AM -0500, Pascal Giard wrote:
On Mon, Dec 22, 2014 at 10:55 AM, Salvatore Bonaccorso
car...@debian.org wrote:
Source: sox
Version: 14.3.1-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerability was published for sox
Hi Roland,
On Tue, Dec 23, 2014 at 12:14:36PM +0100, Roland Stigge wrote:
Yes, that would be good!
Thanks for confirming, and it's done already (also unblocked by Ivo
De Decker).
Regards,
Salvatore
Source: glance
Version: 2014.1.3-5
Severity: serious
Tags: security upstream
Hi
Setting this to serious/RC since this probably should go as well to
jessie (please let me know if you disagree on severity). From [1]:
[1] http://www.openwall.com/lists/oss-security/2014/12/23/2
Masahito Muroi
Control: tags -1 + patch
Control: found -1 5.1.4+dfsg-4
Hi Dominic,
On Tue, Dec 30, 2014 at 02:56:31AM +0100, Moritz Muehlenhoff wrote:
Source: movabletype-opensource
Severity: grave
Tags: security
Hi,
please see https://movabletype.org/news/2014/12/6.0.6.html
Attached is the extracted
Control: reopen -1
Hi Mike
I played around today for checking the xdg-open issue also for wheezy,
and noticed that the approach introduces a regression.
Steps for reproducing the issue:
$ xdg-mime default chromium.desktop x-scheme-handler/http
$ xdg-mime query default x-scheme-handler/http
Control: tags -1 upstream fixed-upstream
Control: retitle -1 mariadb-10.0: CVE-2015-0411 CVE-2015-0382 CVE-2015-0381
CVE-2015-0432 CVE-2014-6568 CVE-2015-0374
Hi Otto,
On Fri, Jan 23, 2015 at 08:46:46AM +0200, Otto Kekäläinen wrote:
I started to search information about this 2 days ago, but so
Hi James,
On Thu, Jan 22, 2015 at 01:48:46PM +, James Page wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 21/01/15 19:14, Salvatore Bonaccorso wrote:
For wheezy-security I'm just building the package with imported
version 5.5.41 to resolve the issues. Can say more
Source: tiff
Version: 4.0.3-12
Severity: grave
Tags: security upstream
Hi,
Two more CVEs were assigned for tiff:
CVE-2014-9655[0] and CVE-2015-1547[1].
More information and reproducers are given in [2], the ones for
CVE-2014-9655 should be fixed already upstream.
If you fix the
Source: python-django
Version: 1.7.1-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for python-django.
CVE-2015-0219[0]:
WSGI header spoofing via underscore/dash conflation
CVE-2015-0220[1]:
Mitigated possible XSS attack via
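The CVE-2015-0219 title above names the mechanism ("underscore/dash conflation") without showing it. The following is an added illustration, not code from this mail, from Django or from Debian: a toy WSGI-style gateway that maps wire header names to environ keys the way the CGI convention does, so that the distinct wire headers X-Auth-User and X-Auth_User both land on HTTP_X_AUTH_USER, beside the usual mitigation of dropping header names that contain an underscore before the mapping. The header names, values and the "later header wins" rule are assumptions made for the demo.

```python
"""Constructed demo of WSGI header-name conflation (the CVE-2015-0219
class of bug). This is not Django's code; it is a toy reproduction of
how a gateway derives environ keys from HTTP header names, and of the
filter that removes the ambiguity."""


def cgi_key(header_name: str) -> str:
    """CGI/WSGI convention: 'X-Auth-User' -> 'HTTP_X_AUTH_USER'.

    Both '-' and '_' end up as '_', so two different wire header names
    can collapse onto the same environ key."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(raw_headers, drop_underscore_names=False):
    """Fold (name, value) wire headers into a WSGI-style environ dict.

    In this toy a later header overwrites an earlier one with the same
    key (an assumption for the demo). With drop_underscore_names=True,
    any header whose wire name contains '_' is discarded before the
    mapping, which is the mitigation recommended for this bug class."""
    environ = {}
    for name, value in raw_headers:
        if drop_underscore_names and "_" in name:
            continue  # mitigation: refuse ambiguous header names outright
        environ[cgi_key(name)] = value
    return environ


# Constructed sample request: a trusted front proxy is assumed to set
# X-Auth-User, and the client has appended its own X-Auth_User header
# further down in the same request.
SAMPLE_HEADERS = [
    ("Host", "example.invalid"),
    ("X-Auth-User", "alice"),    # assumed to come from the front proxy
    ("X-Auth_User", "mallory"),  # attacker-supplied, different wire name
]


def vulnerable_user():
    """Without the filter the attacker's value wins: returns 'mallory'."""
    return build_environ(SAMPLE_HEADERS)["HTTP_X_AUTH_USER"]


def hardened_user():
    """With the underscore filter only the proxy's value survives: 'alice'."""
    return build_environ(SAMPLE_HEADERS, drop_underscore_names=True)["HTTP_X_AUTH_USER"]


if __name__ == "__main__":
    print("conflated key:", cgi_key("X-Auth-User") == cgi_key("X-Auth_User"))
    print("vulnerable gateway sees user:", vulnerable_user())
    print("hardened gateway sees user:  ", hardened_user())
```

The filter belongs at the front of the chain, in the gateway or reverse proxy, because an application that already reads HTTP_X_AUTH_USER from the environ cannot tell which wire spelling produced it.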
Hi MySQL maintainers,
For wheezy-security I'm just building the package with imported
version 5.5.41 to resolve the issues. Can say more if the build succeeds.
Regards,
Salvatore
Hi!
On Tue, Jan 20, 2015 at 09:47:26PM +0100, Yves-Alexis Perez wrote:
CVEs should follow soon. Also, I guess Wheezy and Jessie are affected too, so
a DSA might be needed.
They were assigned now:
http://www.openwall.com/lists/oss-security/2015/01/20/11
Regards,
Salvatore
.
+CVE-2015-1182: Denial of service and possible remote code execution
+using crafted certificates. (Closes: #775776)
+
+ -- Salvatore Bonaccorso car...@debian.org Wed, 21 Jan 2015 22:09:05 +0100
+
polarssl (1.3.9-2) unstable; urgency=medium
* Disabled POLARSSL_SSL_PROTO_SSL3 at compile time
+using crafted certificates. (Closes: #775776)
+
+ -- Salvatore Bonaccorso car...@debian.org Wed, 21 Jan 2015 20:58:06 +0100
+
polarssl (1.2.9-1~deb7u4) wheezy-security; urgency=low
* CVE-2014-8628
diff -Nru polarssl-1.2.9/debian/patches/CVE-2015-1182.patch
polarssl-1.2.9/debian/patches/CVE
Hi Debian MySQL maintainers,
Preliminary packages built for the wheezy-security update are now in
https://people.debian.org/~carnil/tmp/mysql-5.5/
If you additionally can test these too, that would be great.
Regards,
Salvatore
Source: polarssl
Version: 1.3.9-2
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for polarssl.
CVE-2015-1182[0]:
Remote attack using crafted certificates
If you fix the vulnerability please also make sure to include the
CVE (Common
in jpc_dec_process_sot().
+(Closes: #775970)
+ * Add 08-CVE-2014-8158.patch patch.
+CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes:
#775970)
+
+ -- Salvatore Bonaccorso car...@debian.org Thu, 22 Jan 2015 16:39:58 +0100
+
jasper (1.900.1-13+deb7u2) wheezy-security; urgency
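Review bot: the entry "* Add 08-CVE-2014-8158.patch patch." repeats the word patch; "Add 08-CVE-2014-8158.patch." reads cleaner and matches the surrounding entries. Also note that in this hunk the "(Closes: #775970)" for CVE-2014-8158 is wrapped onto a separate line, which is fine for dpkg-parsechangelog but looks inconsistent with the CVE-2014-8157 entry just above, where the Closes reference sits on its own continuation line as well; keeping the same wrapping style for both entries would be tidier.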
Source: mysql-5.5
Version: 5.5.23-2
Severity: grave
Tags: security upstream patch fixed-upstream
Hi
As usual at this time of the year, there was a new Oracle Patch Update
including updates for MySQL, see:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html#AppendixMSQL
Source: mariadb-10.0
Version: 10.0.15-3
Severity: grave
Tags: security
Hi MariaDB maintainers!
As you might have seen there is a new Oracle Patch Update including
updates for MySQL 5.5. I'm filing this bug to just have it
double-checked as mariadb.com does not yet list new versions afaics:
Source: vala-0.26
Version: 0.26.1-1
Severity: grave
Tags: security upstream patch fixed-upstream
Control: fixed -1 0.26.2-1
Hi,
the following vulnerability was published for vala-0.26.
CVE-2014-8154[0]:
Heap-buffer overflow in vala-gstreamer bindings at Gst.MapInfo()
If you fix the
Control: retitle -1 matplotlib: CVE-2013-1424: printf buffer overrun
Hi,
On Sun, Jan 18, 2015 at 01:44:36PM -0500, Michael Gilbert wrote:
package: src:matplotlib
version: 0.99.3-1
severity: serious
tag: security, patch
Matt Giuca reported a matplotlib buffer overrun to the private
Control: retitle -1 ha: CVE-2015-1198: directory traversal vulnerabilities
Hi,
This has been assigned CVE-2015-1198 by MITRE.
Regards,
Salvatore
of service and possible remote code execution
+using crafted certificates. (Closes: #775776)
+
+ -- Salvatore Bonaccorso car...@debian.org Wed, 21 Jan 2015 22:09:05 +0100
+
polarssl (1.3.9-2) unstable; urgency=medium
* Disabled POLARSSL_SSL_PROTO_SSL3 at compile time to prevent potential
diff -Nru
.patch patch.
+CVE-2014-8157: dec-numtiles off-by-one check in jpc_dec_process_sot().
+(Closes: #775970)
+ * Add 08-CVE-2014-8158.patch patch.
+CVE-2014-8158: unrestricted stack memory use in jpc_qmfb.c (Closes: #775970)
+
+ -- Salvatore Bonaccorso car...@debian.org Thu, 22 Jan 2015 17:09
Hi,
On Wed, Feb 11, 2015 at 11:10:24PM +0100, Jiri Horner wrote:
Problem is caused by name collision in local variables, which are
apparently not very local in this case (maybe also dash problem?)
Just an additional comment on this: It looks actually as intended that
the initial value is
Hi Otto,
On Mon, Jan 26, 2015 at 09:03:28PM +0200, Otto Kekäläinen wrote:
The page https://mariadb.com/kb/en/security/ has updated and includes
info about these latest CVEs.
It seems most issues were fixed in 5.5.41/10.0.16.
One was for 5.5.39/10.0.13.
10.0.16 hasn't been yet released,
Hi Otto,
On Tue, Jan 27, 2015 at 09:20:51PM +0200, Otto Kekäläinen wrote:
2015-01-27 8:09 GMT+02:00 Salvatore Bonaccorso car...@debian.org:
Thanks for the update and checking with upstream regarding the two
other CVEs. 10.0.16 seems now available[1] (even though not yet
announced
Hi Otto,
On Tue, Jan 27, 2015 at 10:01:09AM +0200, Otto Kekäläinen wrote:
Here is the reply from a MariaDB core developer:
2015-01-26 21:39 GMT+02:00 Sergei Golubchik s...@mariadb.org:
Hi, Otto!
On Jan 26, Otto Kekäläinen wrote:
Hello Sergei!
The page
Hi Ondřej,
On Thu, Jan 29, 2015 at 01:23:46PM +0100, Ondřej Surý wrote:
given this thread:
http://lists.alioth.debian.org/pipermail/pkg-gridengine-devel/2014-October/thread.html
and no response here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703256
I would suggest that
Source: tiff
Version: 4.0.3-12
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerabilities were published for tiff.
CVE-2014-8127[0]:
various out-of-bound reads
CVE-2014-8128[1]:
various out-of-bounds write
CVE-2014-8129[2]:
various out-of-bound
Control: retitle -1 linux-image-3.16.0-4-686-pae: chown removes
security.capability xattr on other users' files (CVE-2015-1350)
Hi,
In http://www.openwall.com/lists/oss-security/2015/01/24/5 there was
a CVE assignment for this issue, CVE-2015-1350.
Regards,
Salvatore
Control: retitle -1 patch: directory traversal via file rename
Hi Jonathan,
On Thu, Jan 22, 2015 at 09:56:20PM +, Jonathan Wiltshire wrote:
On Thu, Jan 22, 2015 at 09:49:39PM +, Jonathan Wiltshire wrote:
This issue was assigned CVE-2015-1196. If you upload fixed packages, please
Source: gridengine
Version: 6.2u5-7.3
Severity: serious
Justification: possibly not fit for the release
Hi
I wonder, in light of #693722[1] and given that the last three
uploads for gridengine were NMUs, whether gridengine should possibly not be
shipped with jessie.
[1]
Hi
Just a quick note, a removal from jessie in any case will also affect
the logol package which has a Depends on libdrmaa-java:
cut-cut-cut-cut-cut-cut-
$ dak rm -n -R -s testing gridengine
Will remove the following packages from testing:
Hi,
On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
Control: retitle -1 patch: directory traversal via file rename
Hi Jonathan,
On Thu, Jan 22, 2015 at 09:56:20PM +, Jonathan Wiltshire wrote:
On Thu, Jan 22, 2015 at 09:49:39PM +, Jonathan Wiltshire wrote
Hi Otto,
On Fri, Jan 23, 2015 at 08:46:46AM +0200, Otto Kekäläinen wrote:
I started to search information about this 2 days ago, but so far I
haven't found any indication that these would affect MariaDB, though I
haven't got the definitive final reply from mariadb devs confirming so
either.
Hi!
On Sat, Jan 24, 2015 at 11:17:03AM +0100, László Böszörményi (GCS) wrote:
On Sat, Jan 24, 2015 at 11:04 AM, Salvatore Bonaccorso
car...@debian.org wrote:
On Sat, Jan 24, 2015 at 10:50:11AM +0100, Salvatore Bonaccorso wrote:
and the directory traversal via file rename does not seem
Source: privoxy
Version: 3.0.21-5
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerabilities were published for privoxy.
CVE-2015-1380[0]:
denial of service
CVE-2015-1381[1]:
multiple segmentation faults and memory leaks in the pcrs code
CVE-2015-1382[2]:
Hi Andreas,
On Sat, Jan 10, 2015 at 12:37:55PM +0100, Andreas Beckmann wrote:
Followup-For: Bug #698375
Hi,
adjusted Salvatore's patch to also run
dpkg-maintscript-helper rm_conffile on initial package install.
Verified that the upgrade path works.
NMU uploaded to DELAYED/2.
Thanks for
Source: freetype
Version: 2.5.2-2
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for freetype. I filed
this as RC since at least one seems to allow code execution. Could
you help identify which also affect wheezy?
CVE-2014-9656[0]:
| The
Control: reopen -1
Hi Dominic
Note this issue only affects Movable Type versions 6.0.6, 5.2.11
and 5.18. It does not affect versions 6.0.5, 5.2.10, 5.17 and prior
versions.
Netanel Rubin, the discoverer of the issue confirmed to me that the
information there seem just not correct, since he
-2014-6272-in-Libevent-2.0.patch.
+CVE-2014-6272: potential heap overflow in buffer/bufferevent APIs
+(Closes: #774645)
+
+ -- Salvatore Bonaccorso car...@debian.org Wed, 07 Jan 2015 12:43:40 +0100
+
libevent (2.0.21-stable-1.1) unstable; urgency=low
* Non-maintainer upload.
diff -Nru
Hi Anibal,
On Wed, Jan 07, 2015 at 11:18:15PM +1100, Aníbal Monsalve Salazar wrote:
On Wed, 2015-01-07 13:10:51 +0100, Salvatore Bonaccorso wrote:
Please find attached debdiff for unstable. I have *not* uploaded it to
any delayed queue so far. Are you working on the update yourself