[Secure-testing-commits] r50676 - data

2017-04-14 Thread Jonas Meurer
. @@ -91,7 +93,11 @@ NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not NOTE: a bug (see #843861). -- -putty (Jonas Meurer) +putty + NOTE: 2017-04-14: CVE-2017-6542 is only exploitable by a malicious server + NOTE: with SSH agent forwarding enabled. In this case, the

[Secure-testing-commits] r49996 - data

2017-03-24 Thread Jonas Meurer
) -- -libical +libical (Jonas Meurer) NOTE: No known solution as of 2017-01-16. NOTE: Pinged on 2017-02-06 https://github.com/libical/libical/issues/253#issuecomment-277580552 (lamby) -- @@ -109,7 +109,7 @@ NOTE: Upstream is not going to fix CVE-2016-8686 since it believes it is not NOTE: a

[Secure-testing-commits] r49991 - in data: . DLA

2017-03-24 Thread Jonas Meurer
-needed.txt 2017-03-24 11:41:39 UTC (rev 49991) @@ -18,10 +18,6 @@ NOTE: I suggest to wait for more important issues. CVE-2016-7837 has a rather NOTE: low impact. -- -cgiemail (Jonas Meurer) - NOTE: 2017-03-10: Sent a mail to the cPanel security team and asked them to - NOTE: share their security

[Secure-testing-commits] r49378 - in data: . DLA

2017-03-02 Thread Jonas Meurer
@@ NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ NOTE: -- Jonas Meurer -- -munin (Jonas Meurer) --- mupdf NOTE: added 2017-02-25, please give maintainer some time to respond

[Secure-testing-commits] r49358 - data

2017-03-02 Thread Jonas Meurer
:10:13 UTC (rev 49357) +++ data/dla-needed.txt 2017-03-02 09:23:25 UTC (rev 49358) @@ -79,6 +79,8 @@ NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ NOTE: -- Jonas Meurer -- +munin (Jonas Meurer) +-- mupdf NOTE: added 2017-02-25

[Secure-testing-commits] r49341 - data

2017-03-01 Thread Jonas Meurer
-01 15:37:32 UTC (rev 49340) +++ data/dla-needed.txt 2017-03-01 17:15:43 UTC (rev 49341) @@ -16,6 +16,8 @@ NOTE: public security issues in Calibre. See for example bug #853004. -- cgiemail (Jonas Meurer) + NOTE: 2017-03-10: Sent a mail to the cPanel security team and asked them to + NOTE
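
Review bot: The NOTE added under cgiemail is stamped 2017-03-10, but this revision (rev 49341) is dated 2017-03-01 17:15:43 UTC, so the stamp lies after the commit itself. Check whether 2017-03-01 was meant and correct it, since the date is what tells other contributors how long the cPanel security team has had to respond.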

[Secure-testing-commits] r49220 - data

2017-02-25 Thread Jonas Meurer
discussion at NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ - NOTE: for expected output with the reproducer. -- Jonas Meurer + NOTE: -- Jonas Meurer -- mupdf NOTE: added 2017-02-25, please give m

[Secure-testing-commits] r49219 - in data: . DLA

2017-02-25 Thread Jonas Meurer
://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ NOTE: for expected output with the reproducer. -- Jonas Meurer -- -munin (Jonas Meurer) - NOTE: upstream did not comment on patch yet --- mupdf NOTE: added 2017-02-25, please give maintainer some time to

[Secure-testing-commits] r49154 - data

2017-02-23 Thread Jonas Meurer
available. Reproducer doesn't work with Debian + NOTE: packages (tested on Stretch, Jessie and Wheezy). See the comments at + NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/ + NOTE: for expected output with the reproducer. -- Jonas M

[Secure-testing-commits] r49152 - data

2017-02-23 Thread Jonas Meurer
:17:09 UTC (rev 49151) +++ data/dla-needed.txt 2017-02-23 18:10:45 UTC (rev 49152) @@ -84,7 +84,7 @@ NOTE: 170206: No patch available. Unclear how reproducer is supposed to work NOTE: because the file format cannot be detected. -- -munin +munin (Jonas Meurer) NOTE: upstream did not comment

[Secure-testing-commits] r49072 - in data: . DLA

2017-02-20 Thread Jonas Meurer
(rev 49072) @@ -37,8 +37,6 @@ NOTE: Subject of announce mail also contained typo (DLA-574-1 vs. DLA-547-1) NOTE: update available for testing in: https://lists.debian.org/87inpe4wgu@curie.anarc.at -- -gtk-vnc (Jonas Meurer) --- icedove NOTE: maintainer currenlty planx to rename to

[Secure-testing-commits] r49040 - data

2017-02-17 Thread Jonas Meurer
-02-17 22:27:08 UTC (rev 49039) +++ data/dla-needed.txt 2017-02-17 23:02:57 UTC (rev 49040) @@ -23,7 +23,7 @@ NOTE: In particular, it seems likely that there are more undocumented but NOTE: public security issues in Calibre. See for example bug #853004. -- -cgiemail +cgiemail (Jonas Meurer

[Secure-testing-commits] r48382 - in data: . DLA

2017-01-25 Thread Jonas Meurer
=== --- data/dla-needed.txt 2017-01-25 21:10:12 UTC (rev 48381) +++ data/dla-needed.txt 2017-01-25 21:18:29 UTC (rev 48382) @@ -91,8 +91,6 @@ NOTE: jessie is marked as the issue is minor enough to wait NOTE: for the next round of updates (last check: 2017-01-16) -- -pdns (Jonas

[Secure-testing-commits] r48121 - in data: . DLA

2017-01-16 Thread Jonas Meurer
(Jonas Meurer) -- -pdns-recursor (Jonas Meurer) --- php5 (Roberto C. Sánchez) Next upload: ASAP (we're behind jessie) WIP in git: git clone git.debian.org:/git/collab-maint/debian-lts/php5.git -b debian/wheezy ___ Secure-testing-commits ma

[Secure-testing-commits] r48105 - data

2017-01-16 Thread Jonas Meurer
2017-01-16 13:02:15 UTC (rev 48104) +++ data/dla-needed.txt 2017-01-16 16:01:32 UTC (rev 48105) @@ -82,9 +82,9 @@ NOTE: jessie is marked as the issue is minor enough to wait NOTE: for the next round of updates -- -pdns +pdns (Jonas Meurer) -- -pdns-recursor +pdns-recursor (Jonas Meurer

[Secure-testing-commits] r48104 - in data: . DLA

2017-01-16 Thread Jonas Meurer
marked as the issue is minor enough to wait NOTE: for the next round of updates -- -otrs2 (Jonas Meurer) --- pdns -- pdns-recursor ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org

[Secure-testing-commits] r47409 - in data: . DLA

2016-12-24 Thread Jonas Meurer
Biedl) -- -spip (Jonas Meurer) --- squid3 -- tarantool

[Secure-testing-commits] r47393 - data

2016-12-23 Thread Jonas Meurer
:54:14 UTC (rev 47392) +++ data/dla-needed.txt 2016-12-23 20:58:46 UTC (rev 47393) @@ -78,7 +78,7 @@ NOTE: jessie is marked as the issue is minor enough to wait NOTE: for the next round of updates -- -otrs2 +otrs2 (Jonas Meurer) -- pgpdump (Christoph Biedl) -- @@ -101,7 +101,7

[Secure-testing-commits] r47005 - data/DLA

2016-12-12 Thread Jonas Meurer
Author: mejo Date: 2016-12-12 19:43:58 + (Mon, 12 Dec 2016) New Revision: 47005 Modified: data/DLA/list Log: Reserve DLA-732-3 for monit regression update Modified: data/DLA/list === --- data/DLA/list 2016-12-12 18:19:49

[Secure-testing-commits] r46828 - data/DLA

2016-12-06 Thread Jonas Meurer
Author: mejo Date: 2016-12-06 15:19:25 + (Tue, 06 Dec 2016) New Revision: 46828 Modified: data/DLA/list Log: data/DLA/list: Remove CVE-2016-7067 from DLA-732-2 entry Modified: data/DLA/list === --- data/DLA/list 2016-12-

[Secure-testing-commits] r46827 - data/CVE

2016-12-06 Thread Jonas Meurer
Author: mejo Date: 2016-12-06 14:31:36 + (Tue, 06 Dec 2016) New Revision: 46827 Modified: data/CVE/list Log: CVE-2016-4484/cryptsetup: mark as no-dsa for wheezy Modified: data/CVE/list === --- data/CVE/list 2016-12-06 13

[Secure-testing-commits] r46826 - data/DLA

2016-12-06 Thread Jonas Meurer
Author: mejo Date: 2016-12-06 13:57:33 + (Tue, 06 Dec 2016) New Revision: 46826 Modified: data/DLA/list Log: Reserve DLA-732-2 for monit regression update Modified: data/DLA/list === --- data/DLA/list 2016-12-06 12:57:24

[Secure-testing-commits] r46703 - in data: . DLA

2016-12-02 Thread Jonas Meurer
: ming is orphaned and noone intends to adopt it NOTE: (see #838773), so please go ahead. -- -monit (Jonas Meurer) --- mysql-connector-python NOTE: see http://bugs.debian.org/841677 for current discussion --

[Secure-testing-commits] r46659 - data

2016-11-30 Thread Jonas Meurer
UTC (rev 46658) +++ data/dla-needed.txt 2016-11-30 11:57:30 UTC (rev 46659) @@ -72,7 +72,7 @@ NOTE: From Adrian Bunk: ming is orphaned and noone intends to adopt it NOTE: (see #838773), so please go ahead. -- -monit +monit (Jonas Meurer) -- mysql-connector-python NOTE: see http

[Secure-testing-commits] r46059 - data/CVE

2016-11-08 Thread Jonas Meurer
Author: mejo Date: 2016-11-08 10:33:41 + (Tue, 08 Nov 2016) New Revision: 46059 Modified: data/CVE/list Log: CVE-2016-9179/lynx: add link to report Modified: data/CVE/list === --- data/CVE/list 2016-11-08 09:26:09 UTC (r

[Secure-testing-commits] r46006 - in data: . DLA

2016-11-05 Thread Jonas Meurer
(rev 46006) @@ -63,8 +63,6 @@ -- lynx-cur -- -memcached (Jonas Meurer) --- monit -- mysql-5.5

[Secure-testing-commits] r46005 - data/CVE

2016-11-05 Thread Jonas Meurer
Author: mejo Date: 2016-11-05 14:12:04 + (Sat, 05 Nov 2016) New Revision: 46005 Modified: data/CVE/list Log: CVE-2013-7291/memcached: remove no-dsa tag for wheezy Modified: data/CVE/list === --- data/CVE/list 2016-11-05

[Secure-testing-commits] r45998 - data

2016-11-05 Thread Jonas Meurer
:31 UTC (rev 45997) +++ data/dla-needed.txt 2016-11-05 12:04:40 UTC (rev 45998) @@ -63,7 +63,7 @@ -- linux -- -memcached +memcached (Jonas Meurer) -- monit --

[Secure-testing-commits] r45905 - in data: . DLA

2016-11-02 Thread Jonas Meurer
45905) @@ -93,12 +93,6 @@ -- sendmail -- -spip (Jonas Meurer) - NOTE: contacted the upstream team after advice to do so on IRC. They - NOTE: still maintain a 2.1 branch themselves and want to look into - NOTE: backporting the fixes. We should wait for a response for a few - NOTE: days before we

[Secure-testing-commits] r45903 - data/CVE

2016-11-02 Thread Jonas Meurer
Author: mejo Date: 2016-11-02 20:37:59 + (Wed, 02 Nov 2016) New Revision: 45903 Modified: data/CVE/list Log: Update info for open SPIP CVEs in data/CVE/list Modified: data/CVE/list === --- data/CVE/list 2016-11-02 20:36:

[Secure-testing-commits] r45890 - data

2016-11-02 Thread Jonas Meurer
UTC (rev 45889) +++ data/dla-needed.txt 2016-11-02 14:24:04 UTC (rev 45890) @@ -92,7 +92,7 @@ -- sendmail -- -spip +spip (Jonas Meurer) NOTE: contacted the upstream team after advice to do so on IRC. They NOTE: still maintain a 2.1 branch themselves and want to look into NOTE

[Secure-testing-commits] r45716 - in data: . CVE

2016-10-28 Thread Jonas Meurer
UTC (rev 45715) +++ data/dla-needed.txt 2016-10-28 15:42:07 UTC (rev 45716) @@ -72,7 +72,11 @@ qemu-kvm (Guido Günther) NOTE: need to be updated with qemu -- -spip (Jonas Meurer) +spip + NOTE: contacted the upstream team after advice to do so on IRC. They + NOTE: still maintain a 2.1 branch
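
Review bot: The NOTE lines added under spip carry no date, and the same change drops the "(Jonas Meurer)" claim, so nothing in the entry says when upstream was contacted or who is following up. Prefix the note with the contact date (this revision is dated 2016-10-28) and state who is waiting for the reply, so the next person reading the unclaimed entry can tell whether it is free to take.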

[Secure-testing-commits] r45408 - in data: . DLA

2016-10-17 Thread Jonas Meurer
(rev 45408) @@ -38,8 +38,6 @@ -- kdepimlibs -- -libarchive (Jonas Meurer) --- libass (Markus Koschany) -- libav (Hugo Lefeuvre)

[Secure-testing-commits] r45390 - data

2016-10-16 Thread Jonas Meurer
-16 19:39:34 UTC (rev 45389) +++ data/dla-needed.txt 2016-10-16 20:42:17 UTC (rev 45390) @@ -40,7 +40,7 @@ -- libass (Markus Koschany) -- -libarchive +libarchive (Jonas Meurer) -- libav (Hugo Lefeuvre) NOTE: Upstream will provide new point-releases fixing open security issues in the next

[Secure-testing-commits] r45337 - in data: . DLA

2016-10-15 Thread Jonas Meurer
) @@ -44,8 +44,6 @@ NOTE: Upstream will provide new point-releases fixing open security issues in the next months. NOTE: (See debian-lts ML) -- -libdbd-mysql-perl (Jonas Meurer) --- libical (Ola Lundqvist) NOTE: issues are currently not public, but https://marc.info/?l=oss-security&a

[Secure-testing-commits] r45333 - in data: . DLA

2016-10-15 Thread Jonas Meurer
@@ -- mingw32 (Stephen Kitt) -- -mpg123 (Jonas Meurer) - NOTE: The crash.mp3 reproducer works on wheezy --- nspr (Ola Lundqvist) NOTE: No need to contact maintainer, Mike already opted out with firefox-esr --

[Secure-testing-commits] r45161 - in data: . DLA

2016-10-09 Thread Jonas Meurer
1.4.22-1+deb7u1 Modified: data/dla-needed.txt === --- data/dla-needed.txt 2016-10-09 14:01:20 UTC (rev 45160) +++ data/dla-needed.txt 2016-10-09 15:43:03 UTC (rev 45161) @@ -50,11 +50,6 @@ -- linux (Ben Hutchings) -- -mat (Jonas Meurer

[Secure-testing-commits] r45056 - data

2016-10-05 Thread Jonas Meurer
Meurer) -- libical (Ola Lundqvist) NOTE: issues are currently not public, but @@ -53,7 +53,7 @@ -- mingw32 (Stephen Kitt) -- -mpg123 +mpg123 (Jonas Meurer) NOTE: The crash.mp3 reproducer works on wheezy -- nspr

[Secure-testing-commits] r44706 - in data: . DLA

2016-09-18 Thread Jonas Meurer
next release of OpenSSL. -- -pdns (Jonas Meurer) - NOTE: already have a patch, upstream is just waiting for some doc in 3.x to close - NOTE: the issue and public announce the fix (https://github.com/PowerDNS/pdns/issues/4128), - NOTE: waiting for this as well. --- php5 (Thorsten Alteholz

[Secure-testing-commits] r44704 - data

2016-09-18 Thread Jonas Meurer
Kanashiro) +pdns (Jonas Meurer) NOTE: already have a patch, upstream is just waiting for some doc in 3.x to close NOTE: the issue and public announce the fix (https://github.com/PowerDNS/pdns/issues/4128), NOTE: waiting for this as well

[Secure-testing-commits] r44688 - in data: . DLA

2016-09-17 Thread Jonas Meurer
vulnerable however upstream patch is too invasive. NOTE: Needs somebody with Scheme/C experience. -- -curl (Jonas Meurer) --- dropbear (Chris Lamb) -- gcc-mingw-w64 (Stephen Kitt)

[Secure-testing-commits] r44615 - data

2016-09-15 Thread Jonas Meurer
:35 UTC (rev 44614) +++ data/dla-needed.txt 2016-09-15 17:25:08 UTC (rev 44615) @@ -16,7 +16,7 @@ NOTE: Wheezy probably vulnerable however upstream patch is too invasive. NOTE: Needs somebody with Scheme/C experience. -- -curl +curl (Jonas Meurer) -- dropbear

[Secure-testing-commits] r44485 - in data: . DLA

2016-09-10 Thread Jonas Meurer
@@ inspircd (Chris Lamb) NOTE: Looking at the code wheezy is affected -- -libarchive (Jonas Meurer) - NOTE: reproducer works on Wheezy --- libgd2 (Thorsten Alteholz) -- libical (Ola Lundqvist)

[Secure-testing-commits] r44484 - data/CVE

2016-09-10 Thread Jonas Meurer
Author: mejo Date: 2016-09-10 13:38:47 + (Sat, 10 Sep 2016) New Revision: 44484 Modified: data/CVE/list Log: Add further information about CVE-2015-8915 (libarchive) to data/CVE/list Modified: data/CVE/list === --- data/CVE/li

[Secure-testing-commits] r44481 - data/CVE

2016-09-10 Thread Jonas Meurer
Author: mejo Date: 2016-09-10 12:08:33 + (Sat, 10 Sep 2016) New Revision: 44481 Modified: data/CVE/list Log: Add further information about CVE-2016-7166 (libarchive) to data/CVE/list Modified: data/CVE/list === --- data/CVE/li

[Secure-testing-commits] r44430 - data

2016-09-08 Thread Jonas Meurer
23:06:37 UTC (rev 44429) +++ data/dla-needed.txt 2016-09-08 23:14:29 UTC (rev 44430) @@ -23,7 +23,7 @@ inspircd (Chris Lamb) NOTE: Looking at the code wheezy is affected -- -libarchive +libarchive (Jonas Meurer) NOTE: reproducer works on Wheezy -- libgd2 (Thorsten Alteholz

[Secure-testing-commits] r44379 - data/DLA

2016-09-06 Thread Jonas Meurer
Author: mejo Date: 2016-09-06 21:53:48 + (Tue, 06 Sep 2016) New Revision: 44379 Modified: data/DLA/list Log: data/DLA/list: remove accidently added second entry for CVE-2016-6129 Modified: data/DLA/list === --- data/DLA/list

[Secure-testing-commits] r44378 - in data: . DLA

2016-09-06 Thread Jonas Meurer
-06 21:48:04 UTC (rev 44377) +++ data/dla-needed.txt 2016-09-06 21:52:27 UTC (rev 44378) @@ -27,8 +27,6 @@ https://marc.info/?l=oss-security&m=146685931517961&w=2 claims that 0.47 & 1.0 are affected and wheezy has 0.48. -- -libtomcrypt (Jonas Meurer) --- linux (Ben Hutchings) -

[Secure-testing-commits] r44321 - data

2016-09-04 Thread Jonas Meurer
-04 20:47:50 UTC (rev 44320) +++ data/dla-needed.txt 2016-09-04 20:51:27 UTC (rev 44321) @@ -29,7 +29,7 @@ https://marc.info/?l=oss-security&m=146685931517961&w=2 claims that 0.47 & 1.0 are affected and wheezy has 0.48. -- -libtomcrypt +libtomcrypt (Jonas Meurer) -- linux (B

[Secure-testing-commits] r44284 - data

2016-09-03 Thread Jonas Meurer
:47 UTC (rev 44283) +++ data/dla-needed.txt 2016-09-03 07:36:09 UTC (rev 44284) @@ -27,7 +27,7 @@ -- mactelnet (Thorsten Alteholz) -- -mat +mat (Jonas Meurer) NOTE: the fix for this issue: https://security-tracker.debian.org/tracker/TEMP-0826101-4D75EC is not available yet. It will be

[Secure-testing-commits] r43867 - in data: . DLA

2016-08-08 Thread Jonas Meurer
available in next upstream release (already in upstream roadmap). -- -mupdf (Jonas Meurer) --- nettle (Ola Lundqvist) NOTE: Original patch had some unintended side effects: https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html

[Secure-testing-commits] r43809 - data

2016-08-06 Thread Jonas Meurer
UTC (rev 43808) +++ data/dla-needed.txt 2016-08-06 11:35:08 UTC (rev 43809) @@ -43,7 +43,7 @@ -- mongodb (Ola Lundqvist) -- -mupdf +mupdf (Jonas Meurer) -- nettle (Ola Lundqvist) NOTE: Original patch had some unintended side effects: https://lists.lysator.liu.se/pipermail/nettle-bugs/2016

[Secure-testing-commits] r43753 - in data: . DLA

2016-08-03 Thread Jonas Meurer
:50 UTC (rev 43753) @@ -33,9 +33,6 @@ https://marc.info/?l=oss-security&m=146685931517961&w=2 claims that 0.47 & 1.0 are affected and wheezy has 0.48. -- -libsys-syslog-perl (Jonas Meurer) - NOTE: was not fixed with DLA-565-1. Can be fixed similar to Jessie. --- libupnp (B

[Secure-testing-commits] r43725 - data

2016-08-02 Thread Jonas Meurer
/dla-needed.txt 2016-08-02 21:28:39 UTC (rev 43724) +++ data/dla-needed.txt 2016-08-02 21:51:18 UTC (rev 43725) @@ -31,7 +31,7 @@ https://marc.info/?l=oss-security&m=146685931517961&w=2 claims that 0.47 & 1.0 are affected and wheezy has 0.48. -- -libsys-syslog-perl +libsys-syslog