Author: apo
Date: 2017-07-30 18:13:21 + (Sun, 30 Jul 2017)
New Revision: 54086
Modified:
data/CVE/list
Log:
CVE-2017-6259,CVE-2017-6257,nvidia-graphics-drivers: end-of-life for Wheezy
Non-free is not supported
Modified: data/CVE/list
Author: apo
Date: 2017-07-30 16:35:39 + (Sun, 30 Jul 2017)
New Revision: 54080
Modified:
data/dla-needed.txt
Log:
Add php5 to dla-needed.txt
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-07-30 16:03:08 UTC
Author: apo
Date: 2017-07-30 17:39:13 + (Sun, 30 Jul 2017)
New Revision: 54083
Modified:
data/dla-needed.txt
Log:
Add freerdp to dla-needed.txt
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-07-30 16:58:26
===
--- data/dla-needed.txt 2017-07-30 14:12:17 UTC (rev 54075)
+++ data/dla-needed.txt 2017-07-30 15:01:47 UTC (rev 54076)
@@ -36,8 +36,6 @@
freeradius
NOTE: CVE-2017-10983 is in fr_dhcp_decode since fr_dhcp_decode_options
doesn't exist yet
--
-graphicsmagick (Markus Koschany
Author: apo
Date: 2017-07-30 16:37:40 + (Sun, 30 Jul 2017)
New Revision: 54081
Modified:
data/CVE/list
Log:
CVE-2017-11628,php5: Add link to patch
Modified: data/CVE/list
===
--- data/CVE/list 2017-07-30 16:35:39 UTC
UTC (rev 54157)
+++ data/dla-needed.txt 2017-08-01 08:03:00 UTC (rev 54158)
@@ -38,7 +38,7 @@
freeradius
NOTE: CVE-2017-10983 is in fr_dhcp_decode since fr_dhcp_decode_options
doesn't exist yet
--
-freerdp
+freerdp (Markus Koschany)
--
imagemagick (Roberto C. Sánchez)
NOTE: 20170726
nce I have decided to add it here.
+--
spice
NOTE: CVE-2017-7506 already fixed in jessie. Can take patch there.
NOTE: (Markus Koschany) Patch from Jessie does not apply. Function
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
Author: apo
Date: 2017-08-02 12:31:57 + (Wed, 02 Aug 2017)
New Revision: 54200
Modified:
data/CVE/list
Log:
Mark timidity issues as no-dsa for Wheezy.
Minor issue. No sponsor appears to use it. Follow Jessie and Stretch.
Modified: data/CVE/list
Author: apo
Date: 2017-08-05 13:28:46 + (Sat, 05 Aug 2017)
New Revision: 54317
Modified:
data/dla-needed.txt
Log:
Add clamav to dla-needed.txt
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-05 13:08:06 UTC
Author: apo
Date: 2017-08-03 12:20:43 + (Thu, 03 Aug 2017)
New Revision: 54227
Modified:
data/CVE/list
Log:
CVE-2017-11721,ioquake3: Mark as end-of-life in Wheezy
Games are not supported
Modified: data/CVE/list
===
---
Author: apo
Date: 2017-08-03 12:49:35 + (Thu, 03 Aug 2017)
New Revision: 54229
Modified:
data/CVE/list
Log:
CVE-2017-11548,libao: Mark as no-dsa for Wheezy
Minor issue, follow Jessie and Stretch
Modified: data/CVE/list
===
Author: apo
Date: 2017-08-06 23:28:30 + (Sun, 06 Aug 2017)
New Revision: 54369
Modified:
data/CVE/list
Log:
Mark ledger issues as no-dsa for Wheezy
Follow Jessie and Stretch. Minor issue.
Modified: data/CVE/list
===
---
Author: apo
Date: 2017-08-07 00:43:45 + (Mon, 07 Aug 2017)
New Revision: 54370
Modified:
data/CVE/list
Log:
Mark soundtouch issues as no-dsa in Wheezy.
Modified: data/CVE/list
===
--- data/CVE/list 2017-08-06
2017-05-14 17:40:50 UTC (rev 51623)
+++ data/dla-needed.txt 2017-05-14 20:53:19 UTC (rev 51624)
@@ -45,6 +45,8 @@
jbig2dec (Thorsten Alteholz)
NOTE: 20170510, one CVE is missing a patch
--
+libarchive (Markus Koschany)
+--
libav
NOTE: Diego Biurrun (from the libav team) is working
21:45:29 UTC (rev 51593)
+++ data/dla-needed.txt 2017-05-12 22:38:16 UTC (rev 51594)
@@ -114,7 +114,9 @@
NOTE: in coordination with the sec team, waiting for a possible
NOTE: coordinated release
--
-tiff (Markus Koschany)
+tiff
+ NOTE: https://people.debian.org/~apo/tiff/tiff.debdiff
+ NOTE
)
@@ -113,10 +113,6 @@
rzip
NOTE: 2017-05-09: No patch
--
-squirrelmail (Markus Koschany)
- NOTE: in coordination with the sec team, waiting for a possible
- NOTE: coordinated release
---
tiff
NOTE: https://people.debian.org/~apo/tiff/tiff.debdiff
NOTE: Waiting for more issues until
: maintainer asked for a review
--
-libtirpc (Markus Koschany)
---
linux
--
mcollective
CVE-2017-2633 and CVE-2016-9602 (and related CVEs)
NOTE: version fixing cirrus related issues up for testing
--
-rpcbind (Markus Koschany)
---
rzip
NOTE: 2017-05-09: No patch
--
Author: apo
Date: 2017-05-11 20:50:41 + (Thu, 11 May 2017)
New Revision: 51552
Modified:
data/CVE/list
Log:
CVE-2016-10371,tiff,tiff3: Mark tiff3 no-dsa in Wheezy
tiff3: tools are not built but could be fixed later when more serious issues
arise. Add link to fixing commit.
Modified:
(rev 51552)
+++ data/dla-needed.txt 2017-05-11 20:51:07 UTC (rev 51553)
@@ -113,7 +113,7 @@
NOTE: in coordination with the sec team, waiting for a possible
NOTE: coordinated release
--
-tiff3
+tiff (Markus Koschany)
--
trafficserver
NOTE: maintainer contacted 2017-04-26
(rev 51493)
+++ data/dla-needed.txt 2017-05-10 12:45:15 UTC (rev 51494)
@@ -29,6 +29,8 @@
NOTE: EOL. I have already started to look at ESR 52 to anticipate any
problems.
NOTE: Patches for ESR 52 on wheezy sent to maintainer.
--
+git (Markus Koschany)
+--
icu (Thorsten Alteholz)
NOTE
started to look at ESR 52 to anticipate any
problems.
NOTE: Patches for ESR 52 on wheezy sent to maintainer.
--
-git (Markus Koschany)
---
icu (Thorsten Alteholz)
NOTE: Update from Roberto C. Sánchez: the problem appears to be related to
algorithm
NOTE: for the reverse fill of a Unicode text
Author: apo
Date: 2017-05-10 19:35:00 + (Wed, 10 May 2017)
New Revision: 51514
Modified:
data/DLA/list
Log:
Reserve DLA-924-2 for tomcat7
Modified: data/DLA/list
===
--- data/DLA/list 2017-05-10 19:21:59 UTC (rev
@@
NOTE: this is about https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd
NOTE: which might well be fixed once more issues piled up
--
-tomcat7 (Markus Koschany)
---
trafficserver
NOTE: maintainer contacted 2017-04-26
NOTE: reproducer doesn't crash server in a test VM - ?
--anarcat
:45 UTC (rev 52919)
+++ data/dla-needed.txt 2017-06-26 12:41:53 UTC (rev 52920)
@@ -28,7 +28,7 @@
eglibc
NOTE: Patch available, however not yet applied upstream.
--
-graphite2
+graphite2 (Markus Koschany)
--
icedove (Guido Günther)
--
: Trying to reproduce CVE-2017-9461 in the wheezy version
--
-smb4k (Markus Koschany)
- NOTE: https://lists.debian.org/debian-lts/2017/06/msg00078.html
---
sudo
NOTE: this is about https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd
NOTE: which might well be fixed once more issues piled up
-05-22 21:20:08 UTC (rev 51853)
+++ data/dla-needed.txt 2017-05-22 21:21:14 UTC (rev 51854)
@@ -39,7 +39,10 @@
--
kde4libs
--
-libarchive (Markus Koschany)
+libarchive
+ NOTE: I suggest to wait for more issues. Could not find more information
+ NOTE: about the undetermined CVEs. Debdiff
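Review bot: the two new libarchive NOTE lines carry no date stamp, unlike neighbouring entries such as `NOTE: 20170510, one CVE is missing a patch` and `NOTE: 2017-05-09: No patch`; since the note asks whoever picks this up next to wait for more issues, prefix it with the date of the decision so a later triager can tell how long it has been waiting and whether the "undetermined CVEs" have been re-checked since.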
:59 UTC (rev 51972)
+++ data/dla-needed.txt 2017-05-26 11:59:58 UTC (rev 51973)
@@ -126,8 +126,7 @@
wireshark
NOTE: maintainer *may* take care of this, as previously
--
-wordpress
- NOTE: 2017-05-15: no fix yet beyond "change your Apache config"
+wordpress (Markus Koschany)
--
xb
(rev 51972)
@@ -24,8 +24,6 @@
eglibc
NOTE: Patch available, however not yet applied upstream.
--
-graphicsmagick (Markus Koschany)
---
imagemagick (Roberto C. Sánchez)
NOTE: 20170524, packages are prepared and a call for testing was sent to
debian-lts@l.d.o
:33:59 UTC (rev 51804)
+++ data/dla-needed.txt 2017-05-21 21:40:20 UTC (rev 51805)
@@ -24,7 +24,7 @@
eglibc
NOTE: Patch available, however not yet applied upstream.
--
-graphicsmagick
+graphicsmagick (Markus Koschany)
--
firefox-esr (Emilio Pozuelo)
NOTE: no update needed yet, but next
:47:34 UTC (rev 51689)
@@ -71,10 +71,6 @@
NOTE:
https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c/
NOTE: -- Jonas Meurer
--
-mysql-connector-java (Markus Koschany)
- NOTE: waiting for new release in unstable. After a few days of testing we can
Author: apo
Date: 2017-05-30 20:52:17 + (Tue, 30 May 2017)
New Revision: 52131
Modified:
data/DLA/list
data/dla-needed.txt
Log:
Reserve DLA-969-1 for tiff
Modified: data/DLA/list
===
--- data/DLA/list 2017-05-30
Author: apo
Date: 2017-05-30 20:51:45 + (Tue, 30 May 2017)
New Revision: 52130
Modified:
data/CVE/list
Log:
Remove no-dsa tag for CVE-2016-3658,Wheezy
Will be fixed in an upcoming security update.
Modified: data/CVE/list
2017-06-02 12:32:25 UTC (rev 52234)
@@ -112,8 +112,6 @@
wireshark
NOTE: maintainer *may* take care of this, as previously
--
-wordpress (Markus Koschany)
---
xbmc
NOTE: Reproduced: https://lists.debian.org/debian-lts/2017/04/msg00025.html
NOTE: no upstream fix, may require refactoring
21:10:13 UTC (rev 52428)
+++ data/dla-needed.txt 2017-06-08 21:33:04 UTC (rev 52429)
@@ -104,6 +104,9 @@
NOTE: Trying to reproduce CVE-2017-9461 in the wheezy version
--
smb4k (Markus Koschany)
+ NOTE: I have backported the patch to Wheezy but something is wrong with it
+ NOTE: and I haven't
UTC (rev 52429)
+++ data/dla-needed.txt 2017-06-08 21:34:07 UTC (rev 52430)
@@ -123,7 +123,7 @@
NOTE: two leaks (CVE-2017-9403, CVE-2017-9404). Might be worth waiting until
NOTE: more issues piled up
--
-tomcat7
+tomcat7 (Markus Koschany)
--
tor
:00:05 UTC (rev 52593)
+++ data/dla-needed.txt 2017-06-15 20:24:55 UTC (rev 52594)
@@ -117,9 +117,7 @@
NOTE: Trying to reproduce CVE-2017-9461 in the wheezy version
--
smb4k (Markus Koschany)
- NOTE: I have backported the patch to Wheezy but something is wrong with it
- NOTE: and I haven't
: https://github.com/ZoneMinder/ZoneMinder/pull/1764/files
NOTE: No CVE assigned.
--
-zookeeper (Markus Koschany)
---
zziplib (Thorsten Alteholz)
--
UTC (rev 52619)
+++ data/dla-needed.txt 2017-06-16 17:27:23 UTC (rev 52620)
@@ -38,6 +38,8 @@
NOTE: other no-dsa CVE issue open that might be worth fixing
NOTE: jessie has the same version
--
+jython (Markus Koschany)
+--
libarchive
NOTE: I suggest to wait for more issues. Could not find
:05 UTC (rev 52544)
+++ data/dla-needed.txt 2017-06-13 22:25:26 UTC (rev 52545)
@@ -145,7 +145,7 @@
NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1764/files
NOTE: No CVE assigned.
--
-zookeeper
+zookeeper (Markus Koschany)
--
zziplib (Thorsten Alteholz
Author: apo
Date: 2017-06-13 22:24:05 + (Tue, 13 Jun 2017)
New Revision: 52544
Modified:
data/CVE/list
data/dla-needed.txt
Log:
CVE-2017-3469,mysql-workbench: Mark as no-dsa for Wheezy
Follow Jessie. According to the CVE description the vulnerability is difficult
to exploit.
Author: apo
Date: 2017-06-15 22:00:55 + (Thu, 15 Jun 2017)
New Revision: 52599
Modified:
data/CVE/list
data/dla-needed.txt
Log:
CVE-2017-6542,putty: no-dsa for Wheezy
The issue is only exploitable when SSH agent forwarding is enabled (disabled by
default) AND the attacker has been able
Author: apo
Date: 2017-06-15 21:34:52 + (Thu, 15 Jun 2017)
New Revision: 52596
Modified:
data/CVE/list
data/dla-needed.txt
Log:
CVE-2017-5666,mp3splt: no-dsa for Wheezy
Follow Jessie.
Modified: data/CVE/list
===
---
Author: apo
Date: 2017-06-16 10:37:35 + (Fri, 16 Jun 2017)
New Revision: 52614
Modified:
data/CVE/list
Log:
CVE-2017-2666,CVE-2017-2670: Update status of undertow
Modified: data/CVE/list
===
--- data/CVE/list
Author: apo
Date: 2017-06-18 21:29:36 + (Sun, 18 Jun 2017)
New Revision: 52700
Modified:
data/CVE/list
Log:
CVE-2017-9735,jetty: Add link to missing patch
Modified: data/CVE/list
===
--- data/CVE/list 2017-06-18
Author: apo
Date: 2017-06-18 11:28:21 + (Sun, 18 Jun 2017)
New Revision: 52694
Modified:
data/dla-needed.txt
Log:
Remove jython from dla-needed.txt again.
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-06-18
UTC (rev 52694)
+++ data/dla-needed.txt 2017-06-18 11:56:45 UTC (rev 52695)
@@ -36,9 +36,9 @@
NOTE: other no-dsa CVE issue open that might be worth fixing
NOTE: jessie has the same version
--
-jetty
+jetty (Markus Koschany)
--
-jetty8
+jetty8 (Markus Koschany)
--
kdepim
Author: apo
Date: 2017-05-07 19:04:02 + (Sun, 07 May 2017)
New Revision: 51382
Modified:
data/CVE/list
Log:
Mark CVE-2017-7483,rxvt as no-dsa.
Appears to be too minor. A possible candidate if a more serious issue does
arise in the future.
Modified: data/CVE/list
Author: apo
Date: 2017-05-07 19:17:52 + (Sun, 07 May 2017)
New Revision: 51383
Modified:
data/dla-needed.txt
Log:
Add imagemagick to dla-needed.txt
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-07
Author: apo
Date: 2017-05-07 21:17:07 + (Sun, 07 May 2017)
New Revision: 51396
Modified:
data/DLA/list
Log:
Reserve DLA-933-1 for roundcube
Modified: data/DLA/list
===
--- data/DLA/list 2017-05-07 21:10:11 UTC (rev
Author: apo
Date: 2017-05-07 20:59:51 + (Sun, 07 May 2017)
New Revision: 51394
Modified:
data/CVE/list
Log:
CVE-2017-8804,eglibc: Note proposed patch
Modified: data/CVE/list
===
--- data/CVE/list 2017-05-07 20:43:38
Author: apo
Date: 2017-05-07 19:25:58 + (Sun, 07 May 2017)
New Revision: 51385
Modified:
data/CVE/list
Log:
Mark two binutils CVE as no-dsa in Wheezy
objdump is a development tool hence the impact on production systems is rather
low
Modified: data/CVE/list
Author: apo
Date: 2017-05-07 20:09:31 + (Sun, 07 May 2017)
New Revision: 51390
Modified:
data/dla-needed.txt
Log:
Add wordpress to dla-needed.txt
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-05-07 19:59:48
Author: apo
Date: 2017-05-07 19:58:59 + (Sun, 07 May 2017)
New Revision: 51388
Modified:
data/CVE/list
Log:
CVE-2017-8295,wordpress: Add bug reference
Modified: data/CVE/list
===
--- data/CVE/list 2017-05-07 19:47:17
:39:17 UTC (rev 51380)
+++ data/dla-needed.txt 2017-05-07 18:53:57 UTC (rev 51381)
@@ -57,6 +57,8 @@
NOTE: -- Jonas Meurer
--
mysql-connector-java (Markus Koschany)
+ NOTE: waiting for new release in unstable. After a few days of testing we can
+ NOTE: upload the new version for Wheezy as well
Author: apo
Date: 2017-05-07 20:26:16 + (Sun, 07 May 2017)
New Revision: 51392
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Update status of imagemagick in dla-needed.txt
Modified: data/CVE/list
===
--- data/CVE/list
2017-05-07 19:17:52 UTC (rev 51383)
+++ data/dla-needed.txt 2017-05-07 19:19:09 UTC (rev 51384)
@@ -45,6 +45,8 @@
libpodofo
NOTE: maintainer asked for a review
--
+libtirpc (Markus Koschany)
+--
linux
--
mcollective
@@ -93,6 +95,8 @@
--
radicale (Thorsten Alteholz)
--
+rpcbind (Markus
Author: apo
Date: 2017-05-07 19:47:17 + (Sun, 07 May 2017)
New Revision: 51387
Modified:
data/CVE/list
Log:
Add more information about CVE-2017-8295,wordpress
Modified: data/CVE/list
===
--- data/CVE/list 2017-05-07
Author: apo
Date: 2017-04-29 20:40:44 + (Sat, 29 Apr 2017)
New Revision: 51194
Modified:
data/dla-needed.txt
Log:
Add libpodofo to dla-needed.txt again
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-04-29
Author: apo
Date: 2017-04-29 23:41:44 + (Sat, 29 Apr 2017)
New Revision: 51197
Modified:
data/dla-needed.txt
Log:
libpodofo: Note that maintainer asked for a review
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt
UTC (rev 52121)
+++ data/dla-needed.txt 2017-05-30 19:02:48 UTC (rev 52122)
@@ -89,7 +89,7 @@
qemu-kvm (Guido Günther)
NOTE: Investigating CVE-2017-2633
--
-smb4k
+smb4k (Markus Koschany)
--
sudo (Ben Hutchings)
--
(Markus Koschany)
- NOTE: maintainer asked for a review
---
libxml2 (Thorsten Alteholz)
NOTE: 20170528, patches suggested but not accepted, bugs not yet public
--
Author: apo
Date: 2017-09-22 19:41:14 + (Fri, 22 Sep 2017)
New Revision: 56029
Modified:
data/CVE/list
Log:
libexif,CVE-2017-7544: no-dsa for Wheezy
Wheezy is vulnerable but the issue (out-of-bound read) is minor. Can be fixed
when more important issues arise.
Modified: data/CVE/list
Author: apo
Date: 2017-09-22 21:07:22 + (Fri, 22 Sep 2017)
New Revision: 56031
Modified:
data/dla-needed.txt
Log:
Add nautilus to dla-needed.txt
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-09-22 20:19:47
Author: apo
Date: 2017-09-22 23:16:33 + (Fri, 22 Sep 2017)
New Revision: 56036
Modified:
data/CVE/list
Log:
libstruts1.2-java,CVE-2016-6795,CVE-2016-8738: end-of-life for Wheezy
Ignore open security issues for libstruts1.2-java and mark them EOL because
this package is used by nobody and
UTC (rev 56010)
+++ data/dla-needed.txt 2017-09-22 11:24:05 UTC (rev 56011)
@@ -142,6 +142,8 @@
NOTE: CVE-2015-7700: the problematic call to png_free_data() is present
NOTE: in wheezy but it's not clear to me where the other call to free() is.
--
+poppler (Markus Koschany)
+--
qemu (Guido
Author: apo
Date: 2017-09-22 11:41:43 + (Fri, 22 Sep 2017)
New Revision: 56012
Modified:
data/CVE/list
Log:
poppler,CVE-2017-14520,CVE-2017-14518: Wheezy is not affected
Vulnerable code is not present.
Modified: data/CVE/list
Author: apo
Date: 2017-09-22 17:56:21 + (Fri, 22 Sep 2017)
New Revision: 56022
Modified:
data/CVE/list
Log:
binutils,CVE-2017-14529: no-dsa/ignored for Wheezy
Vulnerable code is present but issue is of minor importance. Follow
Jessie/Stretch which is also in line with our previous
Author: apo
Date: 2017-09-22 18:23:13 + (Fri, 22 Sep 2017)
New Revision: 56023
Modified:
data/CVE/list
Log:
kannel,CVE-2017-14609: no-dsa for Wheezy
I think it is sensible to follow Jessie/Stretch in this case. The exploit is
limited to non-root local users and requires that someone
Author: apo
Date: 2017-09-22 18:35:24 + (Fri, 22 Sep 2017)
New Revision: 56027
Modified:
data/dla-needed.txt
Log:
Add wordpress to dla-needed.txt
CVEs were requested. It is likely that the Wheezy version will be affected
again. More information will follow soon.
Modified:
Author: apo
Date: 2017-09-22 18:39:54 + (Fri, 22 Sep 2017)
New Revision: 56028
Modified:
data/CVE/list
Log:
libsndfile,CVE-2017-14634: no-dsa for Wheezy
Divide by zero
Modified: data/CVE/list
===
--- data/CVE/list
://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
-asterisk (Markus Koschany)
---
botan1.10
--
ca-certificates
Author: apo
Date: 2017-10-05 10:00:49 + (Thu, 05 Oct 2017)
New Revision: 56425
Modified:
data/CVE/list
Log:
asterisk,CVE-2017-14099,CVE-2017-14603: Ignored for Wheezy
The strictrtp option is disabled by default in Wheezy. This makes it impossible
to exploit the vulnerability. The patch is
:09 UTC (rev 56427)
+++ data/dla-needed.txt 2017-10-05 13:10:25 UTC (rev 56428)
@@ -147,7 +147,7 @@
NOTE: 2017-08-28: Contacted maintainer since most NOTE: issues affect
Jessie/Stretch as well
--
-wordpress
+wordpress (Markus Koschany)
--
xbmc
NOTE: Reproduced: https://lists.debian.org
2017-08-30 18:09:18 UTC (rev 55252)
+++ data/dla-needed.txt 2017-08-30 18:13:17 UTC (rev 55253)
@@ -44,9 +44,6 @@
exiv2
NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet,
sent email later
--
-faad2 (Markus Koschany)
- NOTE: 20170702, no upstream fix yet, so no need
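Review bot: the faad2 entry is removed together with its own `NOTE: 20170702, no upstream fix yet, so no need` line, but nothing in the hunk or its context says what changed since that note was written (an upstream fix, a DLA, or a decision to stop tracking it); a removal from dla-needed.txt normally means the update shipped, so either the commit message should say so or the outcome should be recorded against the CVE entries in data/CVE/list before the only written reasoning disappears with this line.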
UTC (rev 55646)
+++ data/dla-needed.txt 2017-09-11 04:59:25 UTC (rev 55647)
@@ -10,7 +10,7 @@
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
-asterisk
+asterisk (Markus Koschany)
--
bzr
NOTE: Maintainer prefer if LTS team handle the LTS part. He will handle
stable
(rev 55643)
@@ -50,10 +50,6 @@
fontforge
NOTE: 20170826: no upstream fix yet
--
-freerdp (Markus Koschany)
- NOTE: I need to contact upstream because only half of the patch applies to
- NOTE: Wheezy.
---
gdk-pixbuf (Emilio Pozuelo)
NOTE: There are old no-dsa CVE that should be handled
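Review bot: freerdp goes out along with the note `NOTE: I need to contact upstream because only half of the patch applies to Wheezy.`; if the upstream contact resolved the second half of the patch, say so in the commit or in data/CVE/list, and if it did not, the package should stay listed (unclaimed if need be) rather than be dropped with that open question still attached to it.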
Author: apo
Date: 2017-09-25 23:18:45 + (Mon, 25 Sep 2017)
New Revision: 56139
Modified:
data/CVE/list
Log:
glassfish,CVE-2012-3155: end-of-life for Wheezy
Glassfish was never fully packaged for Debian and security issues can only be
resolved by updating to the latest upstream version
Author: apo
Date: 2017-09-24 18:32:16 + (Sun, 24 Sep 2017)
New Revision: 56100
Modified:
data/CVE/list
Log:
p3scan,CVE-2017-14681: no-dsa for Wheezy
Same reasoning as for kannel. Requires a second exploit for the daemon. Low
popcon, orphaned package, no sponsor uses it.
Modified:
Author: apo
Date: 2017-09-24 20:04:43 + (Sun, 24 Sep 2017)
New Revision: 56102
Modified:
data/dla-needed.txt
Log:
Add libsndfile to dla-needed.txt
Vulnerable code is present and the issue is reproducible with the reproducer
from https://github.com/erikd/libsndfile/issues/317
Modified:
Author: apo
Date: 2017-09-24 19:08:44 + (Sun, 24 Sep 2017)
New Revision: 56101
Modified:
data/CVE/list
Log:
Add bug number for p3scan vulnerability
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-24 18:32:16 UTC
Author: apo
Date: 2017-09-24 20:31:08 + (Sun, 24 Sep 2017)
New Revision: 56103
Modified:
data/CVE/list
Log:
Add bug number for libsndfile issues
Modified: data/CVE/list
===
--- data/CVE/list 2017-09-24 20:04:43 UTC
@@
--
tiff3
--
-tomcat7 (Markus Koschany)
---
trafficserver
--
wireshark
Author: apo
Date: 2017-09-24 17:50:22 + (Sun, 24 Sep 2017)
New Revision: 56099
Modified:
data/CVE/list
Log:
nvidia-graphics-drivers: end-of-life for Wheezy, non-free is not supported
Modified: data/CVE/list
===
---
Author: apo
Date: 2017-09-24 21:43:41 + (Sun, 24 Sep 2017)
New Revision: 56106
Modified:
data/CVE/list
Log:
otrs2,CVE-2017-14635: Add link to possible fix for Wheezy
Modified: data/CVE/list
===
--- data/CVE/list
Author: apo
Date: 2017-09-24 21:44:04 + (Sun, 24 Sep 2017)
New Revision: 56107
Modified:
data/dla-needed.txt
Log:
Add otrs2 to dla-needed.txt
Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-09-24 21:43:41 UTC
Author: apo
Date: 2017-09-24 21:36:42 + (Sun, 24 Sep 2017)
New Revision: 56105
Modified:
data/CVE/list
Log:
otrs2,CVE-2017-14635: Add link to possible fixing commit
I have investigated all commits between version 5.0.22 and 5.0.23. This one
looks like the fix but I'm not totally sure.
UTC (rev 56090)
+++ data/dla-needed.txt 2017-09-24 14:04:42 UTC (rev 56091)
@@ -155,6 +155,8 @@
--
tiff3
--
+tomcat7 (Markus Koschany)
+--
trafficserver
--
wireshark
UTC (rev 56204)
+++ data/dla-needed.txt 2017-09-27 20:32:48 UTC (rev 56205)
@@ -91,7 +91,7 @@
openexr
NOTE: 20170902: CVE-2017-12596: bug reported upstream but no response yet
(lamby)
--
-otrs2
+otrs2 (Markus Koschany)
--
phamm
NOTE: no upstream fixed yet, therefore maintainers not yet
UTC (rev 56202)
@@ -104,8 +104,6 @@
NOTE: CVE-2015-7700: the problematic call to png_free_data() is present
NOTE: in wheezy but it's not clear to me where the other call to free() is.
--
-poppler (Markus Koschany)
---
qemu (Guido Günther)
NOTE: 20170831: at first glance nothing critical
-needed.txt 2017-09-30 18:42:57 UTC (rev 56289)
+++ data/dla-needed.txt 2017-09-30 18:43:51 UTC (rev 56290)
@@ -92,8 +92,6 @@
openexr
NOTE: 20170902: CVE-2017-12596: bug reported upstream but no response yet
(lamby)
--
-otrs2 (Markus Koschany)
---
phamm
NOTE: no upstream fixed yet, therefore
Author: apo
Date: 2017-09-30 18:46:35 + (Sat, 30 Sep 2017)
New Revision: 56291
Modified:
data/CVE/list
Log:
otrs2: CVE-2014-1695,CVE-2014-2553,CVE-2014-2554 remove no-dsa flag
Will be fixed with 3.3.18-1~deb7u1
Modified: data/CVE/list
:06 UTC (rev 55027)
+++ data/dla-needed.txt 2017-08-24 13:10:47 UTC (rev 55028)
@@ -42,7 +42,7 @@
--
fontforge (Thorsten Alteholz)
--
-freeradius
+freeradius (Markus Koschany)
NOTE: CVE-2017-10983 is in fr_dhcp_decode since fr_dhcp_decode_options
doesn't exist yet
--
freerdp (Markus Koschany
Author: apo
Date: 2017-08-26 22:50:46 + (Sat, 26 Aug 2017)
New Revision: 55117
Modified:
data/dla-needed.txt
Log:
Revert 55113 and 55115. minidjvu and jbigkit are still marked
as vulnerable. Should be rechecked again.
Modified: data/dla-needed.txt
UTC (rev 55128)
+++ data/dla-needed.txt 2017-08-27 18:15:56 UTC (rev 55129)
@@ -121,7 +121,7 @@
NOTE: mysql-utilities and mysql-workbench.
NOTE: 20170810: Wait for more issues (see ML:
https://lists.debian.org/debian-lts/2017/08/msg00039.html)
--
-openexr
+openexr (Markus Koschany)
NOTE
upstream because only half of the patch applies to
NOTE: Wheezy.
--
-git (Markus Koschany)
---
gnupg
--
graphicsmagick (Thorsten Alteholz)
Author: apo
Date: 2017-08-25 15:49:08 + (Fri, 25 Aug 2017)
New Revision: 55074
Modified:
data/CVE/list
Log:
CVE-2017-10982,freeradius: Wheezy is not affected
The function fr_dhcp_decode_options does not exist in this version.
Modified: data/CVE/list
Author: apo
Date: 2017-08-25 16:03:35 + (Fri, 25 Aug 2017)
New Revision: 55076
Modified:
data/CVE/list
Log:
Revert 55074.
On second thought CVE-2017-10982 is relevant for Wheezy because similar code
can be found in fr_dhcp_decode
Modified: data/CVE/list
55076)
+++ data/dla-needed.txt 2017-08-25 16:35:50 UTC (rev 55077)
@@ -42,9 +42,6 @@
--
fontforge (Thorsten Alteholz)
--
-freeradius (Markus Koschany)
- NOTE: CVE-2017-10983 is in fr_dhcp_decode since fr_dhcp_decode_options
doesn't exist yet
---
freerdp (Markus Koschany)
NOTE: I need
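Review bot: this hunk removes freeradius together with its note that CVE-2017-10983 lives in fr_dhcp_decode because fr_dhcp_decode_options does not exist in Wheezy, and the commit immediately before it (55076) reverted a not-affected mark for CVE-2017-10982 on exactly the same grounds; make sure both CVE entries in data/CVE/list record the fr_dhcp_decode reasoning, because after this removal the dla-needed.txt note is no longer anywhere in the tracker.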
UTC (rev 55081)
+++ data/dla-needed.txt 2017-08-25 19:14:36 UTC (rev 55082)
@@ -37,7 +37,7 @@
exiv2
NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet,
sent email later
--
-faad2
+faad2 (Markus Koschany)
NOTE: 20170702, no upstream fix yet, so no need to bother
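Nearly every diff above edits data/dla-needed.txt, and the hunks show its layout: one entry per source package, an optional claimant in parentheses after the package name, indented NOTE: lines that belong to the entry above them, and a line of two dashes separating entries, with a header block (the wiki pointer) before the first separator. The following parser is an added example written for this page; it is not part of the secure-testing archive or of the Debian security tracker's own tooling, and the format rules it encodes (separator, claimant syntax, NOTE continuation lines, date stamps of the form 20170726 or 2017-05-09) are my reading of the hunks, not a documented specification. The sample text it parses is constructed from lines seen in the diffs and is not a real snapshot of the file.

```python
# Added example (not from the secure-testing archive or the Debian security
# tracker's own tooling): a small parser for the data/dla-needed.txt layout
# visible in the diffs on this page. Assumptions are mine: entries are separated
# by a line that is exactly "--", each entry opens with a package name optionally
# followed by "(Claimant)", lines starting with "NOTE" belong to the entry above
# them, and anything before the first "--" is a header that is skipped.
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample in the file's format, assembled from lines seen in the
# diffs above (it is not a real snapshot of data/dla-needed.txt).
SAMPLE = """\
Triage instructions live at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
asterisk (Markus Koschany)
--
freeradius
  NOTE: CVE-2017-10983 is in fr_dhcp_decode since fr_dhcp_decode_options
  doesn't exist yet
--
imagemagick (Roberto C. Sánchez)
  NOTE: 20170726
--
spice
  NOTE: CVE-2017-7506 already fixed in jessie. Can take patch there.
--
"""

PKG_RE = re.compile(r"^(?P<pkg>\S+)(?:\s+\((?P<who>[^)]*)\))?\s*$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
DATE_RE = re.compile(r"\b(\d{4})-?(\d{2})-?(\d{2})\b")


@dataclass
class Entry:
    package: str
    claimant: Optional[str]
    notes: List[str] = field(default_factory=list)


def parse(text: str) -> List[Entry]:
    """Split dla-needed.txt-style text into entries with claimant and notes."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    in_body = False  # becomes True after the first "--" separator
    for raw in text.splitlines():
        line = raw.strip()
        if line == "--":
            in_body, current = True, None
            continue
        if not in_body or not line:
            continue
        if line.startswith("NOTE"):
            if current is not None:
                current.notes.append(re.sub(r"^NOTE:?\s*", "", line))
            continue
        if current is None:
            m = PKG_RE.match(line)
            if m:
                current = Entry(m.group("pkg"), m.group("who"))
                entries.append(current)
        elif current.notes:
            # a wrapped continuation of the previous NOTE line
            current.notes[-1] += " " + line
    return entries


def unclaimed(entries: List[Entry]) -> List[str]:
    """Packages nobody has put their name on yet."""
    return [e.package for e in entries if e.claimant is None]


def claimed_by(entries: List[Entry], who: str) -> List[str]:
    return [e.package for e in entries if e.claimant == who]


def cves_mentioned(entries: List[Entry]) -> Dict[str, List[str]]:
    """CVE ids named in each entry's notes, keyed by package."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        found = sorted(set(CVE_RE.findall(" ".join(e.notes))))
        if found:
            out[e.package] = found
    return out


def last_touched(entry: Entry) -> Optional[date]:
    """Latest YYYYMMDD or YYYY-MM-DD stamp in the notes, ignoring CVE ids."""
    stamps = []
    for note in entry.notes:
        for y, m, d in DATE_RE.findall(CVE_RE.sub("", note)):
            try:
                stamps.append(date(int(y), int(m), int(d)))
            except ValueError:  # a number that only looks like a date
                pass
    return max(stamps) if stamps else None


def stale(entries: List[Entry], today: date, max_age_days: int) -> List[str]:
    """Entries with no date stamp, or whose latest stamp is older than max_age_days."""
    cutoff = today - timedelta(days=max_age_days)
    result = []
    for e in entries:
        touched = last_touched(e)
        if touched is None or touched < cutoff:
            result.append(e.package)
    return result


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print("unclaimed:", unclaimed(parsed))
    print("CVEs per entry:", cves_mentioned(parsed))
    print("stale on 2017-08-01:", stale(parsed, date(2017, 8, 1), 30))
```

Run as a script it prints the unclaimed packages, the CVE ids each entry's notes mention, and the entries that have no date stamp or whose newest stamp is older than 30 days; pointing `parse()` at the real file (`parse(open(path).read())`) gives the same three reports for an actual checkout, which is the question the claim/unclaim churn above keeps answering by hand.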