Author: carnil
Date: 2017-01-14 14:09:52 +0000 (Sat, 14 Jan 2017)
New Revision: 48033
Modified: data/CVE/list Log: Record more fixes from 8.7 release Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-01-14 14:06:38 UTC (rev 48032) +++ data/CVE/list 2017-01-14 14:09:52 UTC (rev 48033) @@ -1088,7 +1088,7 @@ CVE-2016-10091 [stack-based buffer overflows in cmd_* functions] RESERVED - unrtf 0.21.9-clean-3 (bug #849705) - [jessie] - unrtf <no-dsa> (Minor issue) + [jessie] - unrtf 0.21.5-3+deb8u1 [wheezy] - unrtf <no-dsa> (Minor issue) NOTE: http://hg.savannah.gnu.org/hgweb/unrtf/rev/3b16893a6406 CVE-2016-10085 (admin/languages.php in Piwigo through 2.8.3 allows remote authenticated ...) @@ -3238,7 +3238,7 @@ RESERVED - libpng1.6 1.6.27-1 (bug #849799) - libpng <removed> - [jessie] - libpng <no-dsa> (Minor issue) + [jessie] - libpng 1.2.50-2+deb8u3 [wheezy] - libpng <no-dsa> (Minor issue) NOTE: Fixed in 1.0.67, 1.2.57, 1.4.20, 1.5.28, 1.6.27 NOTE: https://sourceforge.net/p/libpng/code/ci/243d4e5f3fe71740d52a53cf3dd77cc83a3430ba @@ -11974,7 +11974,7 @@ CVE-2016-9579 [RGW server DoS via request with invalid HTTP Origin header] RESERVED - ceph 10.2.5-2 (bug #849048) - [jessie] - ceph <no-dsa> (Minor issue, can be fixed via point release) + [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/18187 CVE-2016-9578 RESERVED 
@@ -12387,63 +12387,63 @@ NOTE: Fixed by (later followed up): https://cgit.freedesktop.org/gstreamer/gst-plugins-good/commit/?id=153a8ae752c90d07190ef45803422a4f71ea8bff CVE-2016-9633 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/23 CVE-2016-9632 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/43 CVE-2016-9631 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/42 CVE-2016-9630 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/41 CVE-2016-9629 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/40 CVE-2016-9628 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/39 CVE-2016-9627 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) 
- w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/38 NOTE: https://github.com/tats/w3m/commit/0c3f5d0e0d9269ad47b8f4b061d7818993913189 CVE-2016-9626 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/37 CVE-2016-9625 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/36 CVE-2016-9624 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/35 CVE-2016-9623 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/33 CVE-2016-9622 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/32 CVE-2016-9621 
@@ -12938,86 +12938,86 @@ NOTE: http://www.openwall.com/lists/oss-security/2016/11/18/8 CVE-2016-9443 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/28 CVE-2016-9442 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/commit/d43527cfa0dbb3ccefec4a6f7b32c1434739aa29 CVE-2016-9441 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/24 CVE-2016-9440 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/22 CVE-2016-9439 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-33 (bug #844726) - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/20 CVE-2016-9438 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/18 CVE-2016-9437 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) 
- w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/17 CVE-2016-9436 [problem fixed by the new "tagname[0] = '\0'" line in parsetagx.c] RESERVED - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/16 NOTE: Fixed by: https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd CVE-2016-9435 [for the problem fixed by the new conditional PUSH_ENV(HTML_DL) call in file.c] RESERVED - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/16 NOTE: Fixed by: https://github.com/tats/w3m/commit/33509cc81ec5f2ba44eb6fd98bd5c1b5873e46bd CVE-2016-9434 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/15 CVE-2016-9433 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/14 CVE-2016-9432 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/13 CVE-2016-9431 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/10 CVE-2016-9430 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) 
- w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/7 CVE-2016-9429 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/29 CVE-2016-9428 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/26 CVE-2016-9427 (Integer overflow vulnerability in bdwgc before 2016-09-27 allows ...) 
@@ -13031,27 +13031,27 @@ NOTE: Fixed by https://github.com/ivmai/bdwgc/commit/552ad0834672fed86ada6430150ef9ebdd3f54d7 CVE-2016-9426 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/25 CVE-2016-9425 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/21 CVE-2016-9424 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/12 CVE-2016-9423 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/9 CVE-2016-9422 (An issue was discovered in the Tatsuya Kinoshita w3m fork before ...) - w3m 0.5.3-30 - [jessie] - w3m <no-dsa> (Minor issue) + [jessie] - w3m 0.5.3-19+deb8u1 [wheezy] - w3m <no-dsa> (Minor issue) NOTE: https://github.com/tats/w3m/issues/8 CVE-2016-9401 [popd controlled free] @@ -14163,7 +14163,7 @@ RESERVED {DLA-688-1} - cairo 1.14.6-1.1 (bug #842289) - [jessie] - cairo <no-dsa> (Minor issue) + [jessie] - cairo 1.14.0-2.1+deb8u2 NOTE: Upstream bug: https://bugs.freedesktop.org/show_bug.cgi?id=98165 NOTE: Proposed patch upstream: https://bugs.freedesktop.org/attachment.cgi?id=127421 CVE-2016-9030 
@@ -15388,7 +15388,7 @@ CVE-2016-8626 [RGW Denial of Service by sending POST object with null conditions] RESERVED - ceph 10.2.5-1 (bug #844200) - [jessie] - ceph <no-dsa> (Minor issue, can be fixed via point release) + [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/17635 CVE-2016-8625 RESERVED @@ -18291,7 +18291,7 @@ CVE-2016-7796 (The manager_dispatch_notify_fd function in systemd allows local users ...) {DLA-659-1} - systemd 231-9 (bug #839607) - [jessie] - systemd <no-dsa> (Proposed to be fixed via point release) + [jessie] - systemd 215-17+deb8u6 NOTE: https://github.com/systemd/systemd/issues/4234#issuecomment-250441246 NOTE: Fixed by: https://github.com/systemd/systemd/pull/4240 CVE-2016-7795 (The manager_invoke_notify_message function in systemd 231 and earlier ...) @@ -20497,7 +20497,7 @@ NOTE: https://www.sudo.ws/repos/sudo/rev/a826cd7787e9 CVE-2016-7031 (The RGW code in Ceph before 10.0.1, when authenticated-read ACL is ...) - ceph 10.2.5-1 (bug #838026) - [jessie] - ceph <no-dsa> (Minor issue) + [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/13207 NOTE: https://github.com/ceph/ceph/pull/6057 NOTE: https://github.com/ceph/ceph/pull/11045 @@ -22367,7 +22367,7 @@ RESERVED {DLA-773-1} - python-crypto 2.6.1-7 (bug #849495) - [jessie] - python-crypto <no-dsa> (Minor issue) + [jessie] - python-crypto 2.6.1-5+deb8u1 NOTE: https://github.com/dlitz/pycrypto/issues/176 NOTE: Fixed by: https://github.com/dlitz/pycrypto/commit/8dbe0dc3eea5c689d4f76b37b93fe216cf1f00d4 NOTE: All users of pycrypto's AES module in Debian that allow the mode 
@@ -27885,7 +27885,7 @@ NOTE: Fixed by: http://git.imagemagick.org/repos/ImageMagick/commit/c20de102cc57f3739a8870f79e728e3b0bea18c0 CVE-2016-5009 (The handle_command function in mon/Monitor.cc in Ceph allows remote ...) - ceph 10.2.5-1 (bug #829661) - [jessie] - ceph <no-dsa> (Minor issue) + [jessie] - ceph 0.80.7-2+deb8u2 NOTE: http://tracker.ceph.com/issues/16297 NOTE: https://github.com/ceph/ceph/pull/9700 NOTE: https://github.com/ceph/ceph/commit/957ece7e95d8f8746191fd9629622d4457d690d6 @@ -30929,7 +30929,7 @@ CVE-2016-4021 (The read_binary function in buffer.c in pgpdump before 0.30 allows ...) {DLA-768-1} - pgpdump 0.31-0.1 (bug #773747) - [jessie] - pgpdump <no-dsa> (Minor issue) + [jessie] - pgpdump 0.28-1+deb8u1 NOTE: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-030.txt NOTE: https://github.com/kazu-yamamoto/pgpdump/pull/16 CVE-2016-4019 @@ -40248,7 +40248,7 @@ RESERVED {DLA-774-1} - postgresql-common 178 - [jessie] - postgresql-common <no-dsa> (Will be fixed via point release) + [jessie] - postgresql-common 165+deb8u2 NOTE: Fix: https://anonscm.debian.org/cgit/pkg-postgresql/postgresql-common.git/commit/?id=c8989206ec360f199400c74f129f7b4cb878c1ee NOTE: Testsuite update: https://anonscm.debian.org/cgit/pkg-postgresql/postgresql-common.git/commit/?id=30f0e4200cfc358b4536bf5d1f6c48abb779d438 CVE-2016-1254 [TROVE-2016-12-002] @@ -40261,7 +40261,7 @@ RESERVED {DLA-745-1} - most 5.0.0a-3 (bug #848132) - [jessie] - most <no-dsa> (Minor issue; will be fixed via point release) + [jessie] - most 5.0.0a-2.3+deb8u1 CVE-2016-1252 RESERVED {DSA-3733-1} 
@@ -64780,7 +64780,7 @@ - libfcgi 2.4.0-8.3 (bug #681591) [wheezy] - libfcgi 2.4.0-8.1+deb7u1 - libfcgi-perl 0.78-2 (bug #815840) - [jessie] - libfcgi-perl <no-dsa> (Minor issue) + [jessie] - libfcgi-perl 0.77-1+deb8u1 [wheezy] - libfcgi-perl <no-dsa> (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/4 CVE-2015-8837 (Stack-based buffer overflow in the isofs_real_readdir function in ...) @@ -67243,7 +67243,7 @@ CVE-2015-0854 (App/HelperFunctions.pm in Shutter through 0.93.1 allows user-assisted ...) {DLA-769-1} - shutter 0.93.1-1 (low; bug #798862) - [jessie] - shutter <no-dsa> (Minor issue) + [jessie] - shutter 0.92-0.1+deb8u1 [squeeze] - shutter <no-dsa> (Minor issue) NOTE: https://bugs.launchpad.net/shutter/+bug/1495163 CVE-2015-0853 [insecure use of os.system()] @@ -67320,7 +67320,7 @@ RESERVED {DLA-775-1} - hplip 3.15.11+repack0-1 (bug #787353; bug #796015) - [jessie] - hplip <no-dsa> (Minor issue) + [jessie] - hplip 3.14.6-1+deb8u1 [squeeze] - hplip <no-dsa> (Minor issue) NOTE: http://seclists.org/oss-sec/2015/q2/581 NOTE: https://bugs.launchpad.net/bugs/1432516
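Review bot: In the three w3m hunks (@@ -12387, @@ -12938 and @@ -13031) every [jessie] line receives the same version, 0.5.3-19+deb8u1, although the unstable fixes are split between 0.5.3-30 and 0.5.3-33 (CVE-2016-9439 and the CVE-2016-9622 to CVE-2016-9633 block). Please confirm against the changelog of the jessie upload that the issues fixed only in 0.5.3-33 are covered as well; any CVE that was not backported should keep its <no-dsa> line. The [wheezy] lines staying at <no-dsa> is consistent with a jessie-only point release.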
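Review bot: In the cairo hunk (@@ -14163) the [jessie] line now records 1.14.0-2.1+deb8u2 as fixed, but the only patch reference left under the entry is the "NOTE: Proposed patch upstream" attachment link. Suggest adding a NOTE that names the patch actually shipped in the jessie upload, or states that it is the proposed one, so the fixed status can be traced to a concrete change.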
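Review bot: The systemd hunk (@@ -18291) updates only CVE-2016-7796 to 215-17+deb8u6, while CVE-2016-7795 (manager_invoke_notify_message) follows directly as trailing context and its [jessie] line is not visible here. Worth checking that entry in the same pass so the two notify-handling issues do not end up with inconsistent jessie status after the 8.7 update.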