[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new zabbix issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a97e7b08 by Moritz Muehlenhoff at 2018-04-13T19:22:51+02:00 new zabbix issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -71129,7 +71129,8 @@ CVE-2017-2828 (An exploitable command injection vulnerability exists in the web CVE-2017-2827 (An exploitable command injection vulnerability exists in the web ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2826 (An information disclosure vulnerability exists in the iConfig proxy ...) - TODO: check + - zabbix + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0327 CVE-2017-2825 RESERVED {DSA-3937-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a97e7b08a56297aca7ffdd2d2cfcee3e39437ef5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a97e7b08a56297aca7ffdd2d2cfcee3e39437ef5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
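Review bot: the new "- zabbix" line for CVE-2017-2826 carries no fixed version and no bug reference, so nothing ties the open entry to a Debian bug; other open entries on this list attach one (e.g. "- r-cran-readxl (bug #895564)"). The truncated description ("... in the iConfig proxy ...") also does not mention zabbix, so a short NOTE explaining why TALOS-2017-0327 maps to src:zabbix would let the next reader verify the package assignment without re-reading the advisory. Suite lines for stretch, jessie and wheezy are absent as well, so whether the stable releases are affected is still undetermined.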
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b1baac97 by Moritz Muehlenhoff at 2018-04-13T19:17:27+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -486,7 +486,7 @@ CVE-2018-9864 (The WP Live Chat Support plugin before 8.0.06 for WordPress has s CVE-2018-9863 RESERVED CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles a numeric username, which ...) - TODO: check + NOT-FOR-US: runV for Docker CVE-2018-9861 RESERVED CVE-2018-9860 (An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An ...) @@ -2342,8 +2342,8 @@ CVE-2018-7600 (Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5 CVE-2018-9057 (aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform ...) NOT-FOR-US: HashiCorp Terraform Amazon Web Services CVE-2018-9056 (Systems with microprocessors utilizing speculative execution may allow ...) + NOTE: Hardware side channel attack NOTE: http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf - TODO: check CVE-2018-9055 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...) - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/172 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1baac97113df971face5bedf2cd8c51a0cd15c8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1baac97113df971face5bedf2cd8c51a0cd15c8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
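Review bot: in the @@ -2342 hunk, CVE-2018-9056 ends up with two NOTE lines and no status at all: the TODO is removed, but neither a package line nor a NOT-FOR-US marker replaces it, unlike the runV entry in the first hunk. An entry consisting only of NOTEs has no tracked state. If the point is that a speculative-execution hardware side channel is not something a Debian package fixes, say so in the marker itself, e.g. "NOT-FOR-US: Hardware side channel attack (speculative execution)"; if a mitigation in some package is expected, the TODO should stay until that package is identified.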
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new smplayer issues (sid only)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 20711209 by Moritz Muehlenhoff at 2018-04-13T17:24:35+02:00 new smplayer issues (sid only) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -70852,11 +70852,15 @@ CVE-2017-2923 [Heap-based buffer overflow in the read_biff_next_record function] NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430 NOTE: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 CVE-2017-2922 (An exploitable memory corruption vulnerability exists in the Websocket ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2921 (An exploitable memory corruption vulnerability exists in the Websocket ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists in the ...) @@ -70881,8 +70885,10 @@ CVE-2017-2911 (An exploitable vulnerability exists in the remote control ...) CVE-2017-2910 RESERVED CVE-2017-2909 (An infinite loop programming error exists in the DNS server ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2908 RESERVED CVE-2017-2907 
@@ -70912,20 +70918,30 @@ CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the .. - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403 CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2894 (An exploitable stack buffer overflow vulnerability exists in the MQTT ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2893 (An exploitable NULL pointer dereference vulnerability exists in the ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2892 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2891 (An exploitable use-after-free vulnerability exists in the HTTP server ...) - NOT-FOR-US: Cesanta Mongoose - TODO: check smplayer, embeds it + - smplayer + [stretch] - smplayer (Vulnerable code not present) + [jessie] - smplayer (Vulnerable code not present) + [wheezy] - smplayer (Vulnerable code not present) CVE-2017-2890 (An exploitable vulnerability exists in the /api/CONFIG/restore ...) 
NOT-FOR-US: Circle with Disney CVE-2017-2889 (An exploitable Denial of Service vulnerability exists in the API ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/207112092feb38f9e312039947eea9c9f7c54d84 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/207112092feb38f9e312039947eea9c9f7c54d84 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
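Review bot: across the three hunks, the seven smplayer entries (CVE-2017-2922, 2921, 2909 and 2891 to 2895) get a bare "- smplayer" line with no fixed version and no bug number, while stretch, jessie and wheezy are marked "Vulnerable code not present"; that leaves sid affected with nothing filed to track the fix, whereas other open entries on this list carry "(bug #NNN)". The removed "NOT-FOR-US: Cesanta Mongoose" and "TODO: check smplayer, embeds it" lines were the only record that the vulnerable code is an embedded copy of Mongoose. Keep that as a NOTE ("NOTE: Issue in the embedded copy of Cesanta Mongoose") so the next person knows which files the fix and the "vulnerable code not present" assessment refer to; the commit message's "sid only" matches the suite lines but is not visible in the entries themselves.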
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f43a5ca by Moritz Muehlenhoff at 2018-04-13T17:09:59+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -132900,7 +132900,7 @@ CVE-2014-9565 (Cross-site request forgery (CSRF) vulnerability in IBM Flex Syste CVE-2014-9564 (CRLF injection vulnerability in IBM Flex System EN6131 40Gb Ethernet ...) NOT-FOR-US: IBM CVE-2014-9563 (CRLF injection vulnerability in the web-based management (WBM) ...) - TODO: check + NOT-FOR-US: Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone CVE-2014-9562 (Cross-site scripting (XSS) vulnerability in display_dialog.php in M2 ...) NOT-FOR-US: M2 OptimalSite CVE-2014-9561 (Cross-site scripting (XSS) vulnerability in redir_last_post_list.php ...) @@ -137665,9 +137665,9 @@ CVE-2014-8424 (ARRIS VAP2500 before FW08.41 does not properly validate passwords CVE-2014-8423 (Unspecified vulnerability in the management portal in ARRIS VAP2500 ...) NOT-FOR-US: ARRIS VAP2500 CVE-2014-8422 (The web-based management (WBM) interface in Unify (former Siemens) ...) - TODO: check + NOT-FOR-US: Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone CVE-2014-8421 (Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone IP V3 ...) - TODO: check + NOT-FOR-US: Unify (former Siemens) OpenStage SIP and OpenScape Desk Phone CVE-2014-8420 (The ViewPoint web application in Dell SonicWALL Global Management ...) NOT-FOR-US: Dell SonicWALL CVE-2014-8419 (Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read ...) 
@@ -149463,7 +149463,7 @@ CVE-2014-3628 (Cross-site scripting (XSS) vulnerability in the Admin UI Plugin / CVE-2014-3627 (The YARN NodeManager daemon in Apache Hadoop 0.23.0 through 0.23.11 ...) NOT-FOR-US: Apache Hadoop CVE-2014-3626 (The Grails Resource Plugin often has to exchange URIs for resources ...) - TODO: check + NOT-FOR-US: Grails Resource Plugin CVE-2014-3625 (Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 ...) - libspring-java 3.2.13-1 (bug #769698) [jessie] - libspring-java (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f43a5ca6e7cda3b56baf8269e41ac3f490c645e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f43a5ca6e7cda3b56baf8269e41ac3f490c645e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark some questionable Apple CVE assignments as NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ae688ea7 by Moritz Muehlenhoff at 2018-04-12T20:52:58+02:00 Mark some questionable Apple CVE assignments as NFU No point in investigating this further, we can only assume that Apple staff is stupid and assigned internal ID duplicates to otherwise public issues They can prove us wrong by providing proper commit references! - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -36874,7 +36874,7 @@ CVE-2017-13848 (An issue was discovered in certain Apple products. macOS before CVE-2017-13847 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13846 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially PCRE + NOT-FOR-US: Potentially src:pcre3, but Apple doesn't play by the rules CVE-2017-13845 RESERVED CVE-2017-13844 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) 
@@ -58172,9 +58172,9 @@ CVE-2017-7004 (An issue was discovered in certain Apple products. iOS before 10. CVE-2017-7003 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) NOT-FOR-US: Apple CVE-2017-7002 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - TODO: check + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7001 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - TODO: check + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7000 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae688ea7e4497386d4ae990c4a7991769f6605dd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae688ea7e4497386d4ae990c4a7991769f6605dd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
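Review bot: in both hunks the replacement line contradicts itself: "NOT-FOR-US: Potentially src:pcre3, but Apple doesn't play by the rules" (and the two src:sqlite lines for CVE-2017-7002 and CVE-2017-7001) declares the CVE not applicable to Debian while stating in the same line that it may be a pcre3 or sqlite issue. Because the NOT-FOR-US text is free-form, the candidate source package is not machine-visible, and if Apple later publishes commit references nobody will find these entries again. Suggest keeping the package hint on a separate NOTE line (e.g. "NOTE: Possibly src:pcre3; no upstream reference from Apple, treated as not applicable") so the rationale stays greppable and the entry can be revisited. Also double-check the package name in the sqlite lines: SQLite 3 in Debian is src:sqlite3; src:sqlite is the old 2.x package.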
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new r-cran-readxl issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 064fef0c by Moritz Muehlenhoff at 2018-04-12T20:50:40+02:00 new r-cran-readxl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -42226,9 +42226,11 @@ CVE-2017-12113 (An exploitable improper authorization vulnerability exists in .. CVE-2017-12112 (An exploitable improper authorization vulnerability exists in ...) - cpp-ethereum (bug #860434) CVE-2017-12111 (An exploitable out-of-bounds vulnerability exists in the xls_addCell ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463 CVE-2017-12110 (An exploitable integer overflow vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462 CVE-2017-12109 RESERVED CVE-2017-12108 @@ -70790,7 +70792,8 @@ CVE-2017-2921 (An exploitable memory corruption vulnerability exists in the Webs CVE-2017-2920 (An memory corruption vulnerability exists in the .SVG parsing ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426 CVE-2017-2918 RESERVED CVE-2017-2917 (An exploitable vulnerability exists in the notifications functionality ...) 
@@ -70835,9 +70838,11 @@ CVE-2017-2899 CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of ...) NOT-FOR-US: Circle with Disney CVE-2017-2897 (An exploitable out-of-bounds write vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404 CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the ...) - TODO: check, libxls is not packaged in Debian, but embedded in r-cran-readxl + - r-cran-readxl (bug #895564) + NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403 CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) NOT-FOR-US: Cesanta Mongoose TODO: check smplayer, embeds it View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/064fef0cae91a3ce8d0ce4d5d15af8216b0ab562 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/064fef0cae91a3ce8d0ce4d5d15af8216b0ab562 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
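Review bot: the five new "- r-cran-readxl (bug #895564)" lines carry no fixed version and no suite annotations, so the state for stretch, jessie and wheezy is undetermined. The removed TODO text ("libxls is not packaged in Debian, but embedded in r-cran-readxl") is exactly the fact those suite lines would need, since "Vulnerable code not present" versus affected depends on the embedded libxls version; keep it as a NOTE on at least one of the entries and add [stretch]/[jessie]/[wheezy] lines once the embedded copy has been checked. The context of the last hunk also shows CVE-2017-2895 carrying both "NOT-FOR-US: Cesanta Mongoose" and "TODO: check smplayer, embeds it", the same embedded-copy pattern, which should be resolved the same way.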
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4dea2153 by Moritz Muehlenhoff at 2018-04-12T20:38:17+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -16,7 +16,7 @@ CVE-2018-10056 CVE-2018-10055 RESERVED CVE-2018-10054 (H2 1.4.197, as used in Datomic before 0.9.5697 and other products, ...) - TODO: check + NOT-FOR-US: H2 (different from src:python-h2) CVE-2018-10053 RESERVED CVE-2018-10052 (iScripts SupportDesk v4.3 has XSS via the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4dea2153f4e071329dbd71d7dd4ae1a1b6999faa --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4dea2153f4e071329dbd71d7dd4ae1a1b6999faa You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: qemu fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 182726ab by Moritz Muehlenhoff at 2018-04-12T20:34:57+02:00 qemu fixed - - - - - 165ad983 by Moritz Muehlenhoff at 2018-04-12T20:35:28+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5142,7 +5142,7 @@ CVE-2018-7860 CVE-2018-7859 RESERVED CVE-2018-7858 (Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA ...) - - qemu (bug #892497) + - qemu 1:2.12~rc3+dfsg-1 (bug #892497) [stretch] - qemu (Vulnerable code not present) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) @@ -6090,7 +6090,7 @@ CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that le [jessie] - sam2p (Will be fixed via point release) NOTE: https://github.com/pts/sam2p/issues/28 CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ...) - - qemu (bug #892041) + - qemu 1:2.12~rc3+dfsg-1 (bug #892041) - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg01885.html CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) @@ -11796,7 +11796,7 @@ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ... [jessie] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110 CVE-2018-5683 (The vga_draw_text function in Qemu allows local OS guest privileged ...) - - qemu (bug #887392) + - qemu 1:2.12~rc3+dfsg-1 (bug #887392) [stretch] - qemu (Minor issue, can be fixed along in future DSA) [jessie] - qemu (Minor issue, can be fixed along in future DSA) [wheezy] - qemu (Minor issue, can be fixed along in next DLA) 
@@ -27971,7 +27971,7 @@ CVE-2017-16847 (Zoho ManageEngine Applications Manager 13 allows SQL injection v CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16845 (hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values ...) - - qemu (bug #882136) + - qemu 1:2.12~rc3+dfsg-1 (bug #882136) [stretch] - qemu (Minor issue) [jessie] - qemu (Minor issue) [wheezy] - qemu (Can be fixed along in a future update) @@ -32942,7 +32942,7 @@ CVE-2017-15125 RESERVED NOT-FOR-US: Red Hat CloudForms CVE-2017-15124 (VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older ...) - - qemu (bug #884806) + - qemu 1:2.12~rc3+dfsg-1 (bug #884806) [stretch] - qemu (Can be fixed along in later update) [jessie] - qemu (Can be fixed along in later update) [wheezy] - qemu (Can be fixed along in later update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c324ddb9cccd6987c79abdeef62d799daa74e4fb...165ad983f458c3c1a6e2903650285170e2f791cf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c324ddb9cccd6987c79abdeef62d799daa74e4fb...165ad983f458c3c1a6e2903650285170e2f791cf You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
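Review bot: the fixed version 1:2.12~rc3+dfsg-1 is added consistently to all five qemu entries, but in the @@ -6090 hunk the "- qemu-kvm" line under CVE-2018-7550 is left untouched with no fixed version of its own. If qemu-kvm is still tracked as a separate source package it needs its own version in the same commit; if it is gone, the line should say so (pseudo-version or NOTE) so the entry does not look half-done. Also note the fix is recorded against a release candidate upload (~rc3), and the stable annotations ("Minor issue, can be fixed along in future DSA" / "next DLA") are unchanged, which is fine only as long as those follow-ups are still planned.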
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d0a2323 by Moritz Muehlenhoff at 2018-04-12T15:18:33+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -27868,21 +27868,21 @@ CVE-2018-0025 CVE-2018-0024 RESERVED CVE-2018-0023 (JSNAPy is an open source python version of Junos Snapshot ...) - TODO: check + NOT-FOR-US: JSNAPy CVE-2018-0022 (A Junos device with VPLS routing-instances configured on one or more ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0021 (If all 64 digits of the connectivity association name (CKN) key or all ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0020 (Junos OS may be impacted by the receipt of a malformed BGP UPDATE ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0019 (A vulnerability in Junos OS SNMP MIB-II subagent daemon (mib2d) may ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0018 (On SRX Series devices during compilation of IDP policies, an attacker ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0017 (A vulnerability in the Network Address Translation - Protocol ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0016 (Receipt of a specially crafted Connectionless Network Protocol (CLNP) ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-0015 (A malicious user with unrestricted access to the AppFormix application ...) NOT-FOR-US: AppFormix CVE-2018-0014 (Juniper Networks ScreenOS devices do not pad Ethernet packets with ...) 
@@ -32277,7 +32277,7 @@ CVE-2017-15329 (Huawei UMA V200R001C00 has a SQL injection vulnerability in the CVE-2017-15328 (Huawei HG8245H version earlier than V300R018C00SPC110 has an ...) NOT-FOR-US: Huawei CVE-2017-15327 (S12700 V200R005C00, V200R006C00, V200R006C01, V200R007C00, ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-15326 (DBS3900 TDD LTE V100R003C00, V100R004C10 have a weak encryption ...) NOT-FOR-US: Huawei CVE-2017-15325 (The Bdat driver of Prague smart phones with software versions earlier ...) @@ -35160,7 +35160,7 @@ CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to D CVE-2017-14460 (An exploitable overly permissive cross-domain (CORS) whitelist ...) - parity (bug #890550) CVE-2017-14459 (An exploitable OS Command Injection vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Moxa CVE-2017-14458 RESERVED CVE-2017-14457 (An exploitable information leak/denial of service vulnerability exists ...) @@ -37508,9 +37508,9 @@ CVE-2017-13680 (Prior to SEP 12.1 RU6 MP9 & SEP 14 RU1 Symantec Endpoint Pro CVE-2017-13679 (A denial of service (DoS) attack in Symantec Encryption Desktop before ...) NOT-FOR-US: Symantec CVE-2017-13678 (Stored XSS vulnerability in the Symantec Advanced Secure Gateway (ASG) ...) - TODO: check + NOT-FOR-US: Symantec CVE-2017-13677 (Denial-of-service (DoS) vulnerability in the Symantec Advanced Secure ...) - TODO: check + NOT-FOR-US: Symantec CVE-2017-13676 (Norton Remove & Reinstall can be susceptible to a DLL preloading ...) NOT-FOR-US: Symantec CVE-2017-13675 (A denial of service (DoS) attack in Symantec Endpoint Encryption ...) 
@@ -45493,7 +45493,7 @@ CVE-2017-11013 (In android for MSM, Firefox OS for MSM, QRD Android, with all An CVE-2017-11012 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11011 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11010 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11009 @@ -53568,9 +53568,9 @@ CVE-2017-8277 (In all Qualcomm products with Android releases from CAF using the CVE-2017-8276 RESERVED CVE-2017-8275 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-8274 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-8273 (In all Qualcomm products with Android release from CAF using the Linux ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8272 (In all Qualcomm products with Android releases from CAF using the ...) @@ -53815,7 +53815,7 @@ CVE-2017-8156 (The outdoor unit of Customer Premise Equipment (CPE) product B233 CVE-2017-8155 (The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 ...) NOT-FOR-US: Huawei CVE-2017-8154 (The Themes App Hono
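Review bot: in the @@ -27868 hunk, CVE-2018-0023 becomes "NOT-FOR-US: JSNAPy" next to seven Junos OS entries marked "NOT-FOR-US: Juniper". The description says JSNAPy is an open source Python tool, so the reason it is not for us is presumably "not packaged in Debian" rather than "proprietary appliance software" as for the Junos entries; spelling that out ("NOT-FOR-US: JSNAPy (not packaged)") keeps the two cases distinguishable if it is packaged later. The Huawei, Moxa, Symantec and Qualcomm hunks follow the existing vendor naming and look consistent.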
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 07c0ce1b by Moritz Muehlenhoff at 2018-04-12T14:52:07+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4441,7 +4441,7 @@ CVE-2018-8119 CVE-2018-8118 RESERVED CVE-2018-8117 (A security feature bypass vulnerability exists in the Microsoft ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8116 (A denial of service vulnerability exists in the way that Windows ...) NOT-FOR-US: Microsoft CVE-2018-8115 @@ -8132,7 +8132,7 @@ CVE-2018-6907 CVE-2018-6906 RESERVED CVE-2018-6905 (The page module in TYPO3 before 8.7.11, and 9.1.0, has XSS via ...) - TODO: check + - typo3-src CVE-2018-6904 RESERVED CVE-2018-6903 
@@ -8878,49 +8878,49 @@ CVE-2017-18148 CVE-2017-18147 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18146 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18145 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18144 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18143 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18142 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18141 RESERVED CVE-2017-18140 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18139 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18138 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18137 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18136 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18135 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18134 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18133 (In Android before security patch level 2018-04-05 on Qualcomm ...) 
- TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18132 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18131 RESERVED CVE-2017-18130 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18129 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18128 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18127 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18126 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18125 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18124 RESERVED CVE-2018-6622 @@ -26033,7 +26033,7 @@ CVE-2018-0547 (Cross-site scripting vulnerability in WP All Import plugin prior CVE-2018-0546 (Cross-site scripting vulnerability in WP All Import plugin prior to ...) NOT-FOR-US: WP All Import plugin for WordPress CVE-2018-0545 (LXR version 1.0.0 to 2.3.0 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: LXR CVE-2018-0544 (Untrusted search path vulnerability in WinShot 1.53a and earlier ...) NOT-FOR-US: WinShot CVE-2018-0543 (Untrusted search path vulnerability in Jtrim 1.53c and earlier ...) View it on GitLab: https://salsa.debian.org
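Review bot: in the @@ -8132 hunk, CVE-2018-6905 becomes a bare "- typo3-src" line with no bug number, no fixed version and no suite annotation, so nothing records whether any suite still ships typo3-src or which upstream fix applies. The description already pins the affected versions (before 8.7.11, and 9.1.0), so at minimum a NOTE with the upstream advisory and a "(bug #NNN)" reference would match how other open entries on this list are recorded. The Microsoft and Qualcomm hunks are routine NFUs consistent with the neighbouring entries.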
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b41b5cab by Moritz Muehlenhoff at 2018-04-12T14:43:23+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10840,13 +10840,13 @@ CVE-2018-6005 (SQL Injection exists in the Realpin through 1.5.04 component for CVE-2018-6004 (SQL Injection exists in the File Download Tracker 3.0 component for ...) NOT-FOR-US: File Download Tracker component for Joomla! CVE-2017-18074 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18073 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18072 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18071 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-18070 RESERVED CVE-2017-18069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
@@ -17437,17 +17437,17 @@ CVE-2018-3596 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android CVE-2018-3595 RESERVED CVE-2018-3594 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3593 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3592 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3591 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3590 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3589 (In Android before security patch level 2018-04-05 on Qualcomm ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3588 RESERVED CVE-2018-3587 @@ -24932,9 +24932,9 @@ CVE-2018-0990 (A remote code execution vulnerability exists in the way that the CVE-2018-0989 (An information disclosure vulnerability exists in the way that the ...) NOT-FOR-US: Microsoft CVE-2018-0988 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0987 (An information disclosure vulnerability exists when the scripting ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0986 (A remote code execution vulnerability exists when the Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-0985 
@@ -24946,57 +24946,57 @@ CVE-2018-0983 (Windows Storage Services in Windows 10 versions 1511, 1607, 1703 CVE-2018-0982 RESERVED CVE-2018-0981 (An information disclosure vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0980 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0979 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0978 RESERVED CVE-2018-0977 (The Windows kernel mode driver in Windows 10 Gold, 1511, 1607, 1703, ...) NOT-FOR-US: Microsoft CVE-2018-0976 (A denial of service vulnerability exists in Remote Desktop Protocol ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0975 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0974 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0973 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0972 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0971 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0970 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0969 (An information disclosure vulnerability exists in the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0968 (An information disclosure
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] One tomcat issue Windows-specific
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7aeed9b6 by Moritz Muehlenhoff at 2018-04-12T14:10:55+02:00 One tomcat issue Windows-specific - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -40767,12 +40767,10 @@ CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail NOTE: https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to ...) {DLA-1166-1} - - tomcat9 (bug #802312) - - tomcat8 8.5.23-1 - - tomcat8.0 (unimportant) - NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - - tomcat7 7.0.72-3 - NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API + - tomcat9 (Specific to running Tomcat on Windows) + - tomcat8 (Specific to running Tomcat on Windows) + - tomcat8.0 (Specific to running Tomcat on Windows) + - tomcat7 7 (Specific to running Tomcat on Windows) NOTE: https://svn.apache.org/r1809673 (8.5.x) NOTE: https://svn.apache.org/r1809675 (8.5.x) NOTE: https://svn.apache.org/r1809896 (8.5.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7aeed9b6c7574dd464e845e4e5877b0296c56bf1
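Review bot: "- tomcat7 7 (Specific to running Tomcat on Windows)" carries a stray "7" after the source package name; in data/CVE/list a bare token in that position is read as the fixed version, so as written the line claims tomcat7 was fixed in "7" instead of recording the same not-affected status as the tomcat9, tomcat8 and tomcat8.0 lines above it (the status markers in angle brackets do not survive this mail rendering, so check the committed line carries the marker and no extra token). Separately, the hunk deletes "NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java" and "NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API"; both notes remain true and are exactly what the next Tomcat CVE triage needs, so consider keeping them.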
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] openmpt no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8deaa4e1 by Moritz Muehlenhoff at 2018-04-11T18:30:46+02:00 openmpt no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -25,6 +25,7 @@ CVE-2018-10018 RESERVED CVE-2018-10017 (soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before ...) - libopenmpt 0.3.8-1 (bug #895406) + [stretch] - libopenmpt (Minor issue) NOTE: https://github.com/OpenMPT/openmpt/commit/492022c7297ede682161d9c0ec2de15526424e76 CVE-2018-10016 (Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability ...) - nasm (bug #895408) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8deaa4e13c9ec87ac6c77ae3697d7c076773eaba
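Review bot: the new "[stretch] - libopenmpt (Minor issue)" line gives no rationale beyond the label; a NOTE stating what the bug in soundlib/Snd_fx.cpp actually allows (crash only, or memory corruption) would let the stable and LTS teams reuse this decision later without re-reading upstream commit 492022c7.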
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] openmpt fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 73ed0c65 by Moritz Muehlenhoff at 2018-04-11T18:29:51+02:00 openmpt fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24,7 +24,7 @@ CVE-2018-9990 CVE-2018-10018 RESERVED CVE-2018-10017 (soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before ...) - - libopenmpt (bug #895406) + - libopenmpt 0.3.8-1 (bug #895406) NOTE: https://github.com/OpenMPT/openmpt/commit/492022c7297ede682161d9c0ec2de15526424e76 CVE-2018-10016 (Netwide Assembler (NASM) 2.14rc0 has a division-by-zero vulnerability ...) - nasm (bug #895408) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73ed0c65b39ff6f5938646c93f2edb57c1cac2c6
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new kfreebsd issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f29344b2 by Moritz Muehlenhoff at 2018-04-11T16:34:42+02:00 new kfreebsd issue NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -74770,7 +74770,9 @@ CVE-2017-1083 CVE-2017-1082 RESERVED CVE-2017-1081 (In FreeBSD before 11.0-STABLE, 11.0-RELEASE-p10, 10.3-STABLE, and ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-17:04.ipfilter.asc + NOTE: kfreebsd not covered by security support CVE-2017-1080 RESERVED CVE-2017-1079 @@ -116545,7 +116547,7 @@ CVE-2015-5726 (The BER decoder in Botan 0.10.x before 1.10.10 and 1.11.x before NOTE: Fixed in 1.11.19 and 1.10.10, affected all previous versions of 1.10 and 1.11 NOTE: http://botan.randombit.net/security.html CVE-2015-5725 (SQL injection vulnerability in the offset method in the Active Record ...) - TODO: check + NOT-FOR-US: CodeIgniter CVE-2014-9742 (The Miller-Rabin primality check in Botan before 1.10.8 and 1.11.x ...) {DLA-449-1} - botan1.10 1.10.8-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f29344b2c93e39b331a98e28edc9e85f9557ae73
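Review bot: in the CVE-2017-1081 hunk the kfreebsd-10 line is tagged "(unimportant)" while the real reason given is "NOTE: kfreebsd not covered by security support"; those are two different statements (a severity claim about the bug versus a support-status claim about the package). The linked advisory FreeBSD-SA-17:04.ipfilter concerns ipfilter, so record whether kfreebsd-10 ships that code at all: if it does not, a not-affected marker is the precise status; if it does, keep "unimportant" and say in the NOTE that it is unimportant only because of the missing security support.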
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a209a309 by Moritz Muehlenhoff at 2018-04-11T14:05:57+02:00 NFUs - - - - - bdd1de62 by Moritz Muehlenhoff at 2018-04-11T14:06:15+02:00 Merge branch 'master' of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -34562,7 +34562,7 @@ CVE-2017-14613 CVE-2017-14612 RESERVED CVE-2017-14611 (SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote ...) - TODO: check + NOT-FOR-US: Cockpit CMS (different from src:cockpit) CVE-2017-14610 (bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 ...) - bareos (bug #877334) [stretch] - bareos (Minor issue) @@ -35415,7 +35415,7 @@ CVE-2017-14324 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was foun NOTE: https://github.com/ImageMagick/ImageMagick/issues/739 NOTE: https://github.com/ImageMagick/ImageMagick/commit/399631650b38eaf21c2f3c306b8b74e66be6a0d2 CVE-2017-14323 (SSRF (Server Side Request Forgery) in getRemoteImage.php in Ueditor in ...) - TODO: check + NOT-FOR-US: Onethink CVE-2017-14322 (The function in charge to check whether the user is already logged in ...) NOT-FOR-US: Interspire Email Marketer CVE-2017-14321 (Multiple cross-site scripting (XSS) vulnerabilities in the ...) @@ -76328,7 +76328,7 @@ CVE-2017-0433 (An elevation of privilege vulnerability in the Synaptics touchscr CVE-2017-0432 (An elevation of privilege vulnerability in the MediaTek driver could ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0431 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-0430 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0429 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) 
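Review bot: "NOT-FOR-US: Cockpit CMS (different from src:cockpit)" records the name clash the right way; the "NOT-FOR-US: Onethink" line for CVE-2017-14323 lacks the same care, since the description places the bug in "getRemoteImage.php in Ueditor in ..." and Ueditor is an editor component maintained separately from Onethink, so a bundled copy could exist outside that product. A quick check that no Debian package ships getRemoteImage.php before closing this entry would be cheap, and a NOTE recording that check would keep it from being reopened.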
@@ -80988,7 +80988,7 @@ CVE-2016-8484 (An elevation of privilege vulnerability in Qualcomm closed source CVE-2016-8483 (An information disclosure vulnerability in the Qualcomm power driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8482 (An elevation of privilege vulnerability in the NVIDIA GPU driver. ...) - TODO: check + NOT-FOR-US: NVIDIA driver for Android CVE-2016-8481 (An elevation of privilege vulnerability in the Qualcomm sound driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2016-8480 (An elevation of privilege vulnerability in the Qualcomm Secure ...) @@ -153773,7 +153773,7 @@ CVE-2014-2075 (TIBCO Enterprise Administrator 1.0.0 and Enterprise Administrator CVE-2014-2074 RESERVED CVE-2014-2073 (Stack-based buffer overflow in Dassault Systemes CATIA V5-6R2013 ...) - TODO: check + NOT-FOR-US: Dassault Systemes Catia CVE-2014-2072 RESERVED NOT-FOR-US: Dassault Systemes Catia @@ -154041,7 +154041,7 @@ CVE-2014-1952 CVE-2014-1951 RESERVED CVE-2014-1946 (OpenDocMan 1.2.7 and earlier does not properly validate allowed ...) - TODO: check + NOT-FOR-US: OpenDocMan CVE-2014-1945 (SQL injection vulnerability in ajax_udf.php in OpenDocMan before ...) NOT-FOR-US: OpenDocMan CVE-2014-1944 (Cross-site scripting (XSS) vulnerability in Ilch CMS 2.0 and earlier ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/2c32160880a776e48f7b1051d5c59106598d85f2...bdd1de62c2618453a8f9dccf14f810930d5a8893
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] ffmpeg postponed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d862a4c by Moritz Muehlenhoff at 2018-04-11T13:17:58+02:00 ffmpeg postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -60,9 +60,10 @@ CVE-2018-10003 CVE-2018-10002 RESERVED CVE-2018-10001 (The decode_init function in libavcodec/utvideodec.c in FFmpeg through ...) - - ffmpeg + - ffmpeg (low) + [stretch] - ffmpeg (Can wait until the next ffmpeg 3.2.x release) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=47b7c68ae54560e2308bdb6be4fb076c73b93081 - TODO: check libav + - libav CVE-2018-1 (The Video Downloader professional extension before 2018-04-05 for ...) NOT-FOR-US: The Video Downloader professional extension for Chrome CVE-2017-18260 (Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities ...) @@ -389,6 +390,7 @@ CVE-2018-9842 CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg through ...) - ffmpeg (low) [stretch] - ffmpeg (Can wait until the next ffmpeg 3.2.x release) + - libav NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758 CVE-2018-9840 (The Open Whisper Signal app before 2.23.2 for iOS allows physically ...) NOT-FOR-US: Open Whisper Signal app for iOS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d862a4cbfda5a8fb372e3174e6a8d9ef6fe676f
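Review bot: in the CVE-2018-10001 hunk, "TODO: check libav" is replaced by a bare "- libav" line, which records libav as affected and unfixed without any supporting evidence; the only reference on the entry is the FFmpeg commit 47b7c68a in libavcodec/utvideodec.c. Add a NOTE saying whether libav's copy of utvideodec.c contains the vulnerable decode_init code, or a libav-side fix reference; otherwise the TODO was closed rather than answered.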
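Review bot: the CVE-2018-9841 hunk adds "- libav" as well, but that bug is in libavfilter/vf_signature.c; confirm that libav's libavfilter ships a vf_signature.c at all before recording the package as affected, and if it does not, give libav a not-affected status with a NOTE rather than an open unfixed entry.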
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs (concludes external check)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 72f095ef by Moritz Muehlenhoff at 2018-04-11T11:03:51+02:00 NFUs (concludes external check) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -23270,8 +23270,10 @@ CVE-2018-1275 [Address partial fix for CVE-2018-1270] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1565307 CVE-2018-1274 RESERVED + NOT-FOR-US: Spring Data Commons CVE-2018-1273 RESERVED + NOT-FOR-US: Spring Data Commons CVE-2018-1272 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior ...) - libspring-java (bug #895114) NOTE: https://pivotal.io/security/cve-2018-1272 @@ -56076,6 +56078,7 @@ CVE-2017-7535 - foreman (bug #663101) CVE-2017-7534 RESERVED + NOT-FOR-US: OpenShift CVE-2017-7533 (Race condition in the fsnotify implementation in the Linux kernel ...) {DSA-3945-1 DSA-3927-1} - linux 4.12.6-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/72f095efe793f2602331a0657dbb733dc1dea9a5
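Review bot: the two "NOT-FOR-US: Spring Data Commons" lines are added under entries that are still RESERVED, so the decision rests on the external check named in the commit message rather than on a published description; a NOTE with the vendor advisory for each, in the same style as "NOTE: https://pivotal.io/security/cve-2018-1272" two lines below, would make it verifiable once the descriptions land. The NFU is correct as long as nothing in Debian bundles spring-data-commons: libspring-java packages the Spring Framework, not Spring Data, and that distinction is worth stating in the NOTE.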
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dolibarr up for removal in jessie
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c89fa18e by Moritz Muehlenhoff at 2018-04-11T10:54:48+02:00 dolibarr up for removal in jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -61,8 +61,10 @@ CVE-2018-1 (The Video Downloader professional extension before 2018-04-05 fo NOT-FOR-US: The Video Downloader professional extension for Chrome CVE-2017-18260 (Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities ...) - dolibarr + [jessie] - dolibarr (Scheduled for removal) CVE-2017-18259 (Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in ...) - dolibarr + [jessie] - dolibarr (Scheduled for removal) CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer ...) - mbedtls 2.8.0-1 - polarssl View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c89fa18e67ca193ede3b53afc567f922fc2bd86b
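Review bot: the two unstable "- dolibarr" lines stay unversioned and carry no "(bug #...)" reference, unlike the other unfixed entries in this file (for example "- nasm (bug #895408)"), so nothing ties the SQL injection and stored XSS to a Debian bug the maintainer can act on; file or reference one. Once the jessie removal actually happens, the "[jessie] - dolibarr (Scheduled for removal)" lines also need to be switched to the removed status rather than left as a pending note.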
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Android issue actually affecting mainline
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e62dad6 by Moritz Muehlenhoff at 2018-04-10T13:56:08+02:00 Android issue actually affecting mainline - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38138,7 +38138,8 @@ CVE-2017-13222 (An information disclosure vulnerability in the Upstream kernel k CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel wifi ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel bluez. ...) - NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) + - linux 4.0.2-1 + NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=51bda2bca53b CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel synaptics ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13218 (Access to CNTVCT_EL0 could be used for side channel attacks. This ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e62dad600a9a2285ac4710066fcffcdce79c505
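Review bot: "- linux 4.0.2-1" names the first Debian upload carrying the fix but says nothing about the jessie kernel (3.16), which is older than that version and therefore affected by CVE-2017-13220 as the entry now stands; add a "[jessie] - linux ..." line or a NOTE on whether commit 51bda2bca53b has been backported to the 3.16 stable series. Naming the upstream release the commit landed in would also save the next reader a trip to git.kernel.org.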
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] pjproject DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f37b581 by Moritz Muehlenhoff at 2018-04-09T22:49:36+02:00 pjproject DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[09 Apr 2018] DSA-4170-1 pjproject - security update + {CVE-2017-16872 CVE-2017-16875 CVE-2018-198 CVE-2018-199} + [stretch] - pjproject 2.5.5~dfsg-6+deb9u1 [09 Apr 2018] DSA-4169-1 pcs - security update {CVE-2018-1086} [stretch] - pcs 0.9.155+dfsg-2+deb9u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -63,9 +63,6 @@ phpmyadmin/oldstable (abhijith) available for testing http://159.65.202.84:9001/phpmyadmin/ https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc -- -pjproject - berni is working on updates --- qemu/oldstable -- redmine View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5f37b581262358447d6da556c61a65554a625f06
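Review bot: the CVE list on the new DSA-4170-1 line shows "CVE-2018-198 CVE-2018-199", which are not well-formed CVE identifiers (the sequence part has at least four digits); the same shortened form appears on the matching CVE-2018-198/199 entries elsewhere in data/CVE/list, whose NOTEs point at AST-2018-002 and AST-2018-003. Check that the committed DSA/list line carries the full identifiers from those Asterisk advisories and that this is only the mail rendering dropping characters, since the DSA cross-reference will not resolve otherwise.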
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mariadb/mysql postponed until next micro releases
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f41d7aba by Moritz Muehlenhoff at 2018-04-09T22:45:08+02:00 mariadb/mysql postponed until next micro releases libraw, add wordpress to dsa-needed guacamole, nmap, cfitsio no-dsa jquery, pjproject ignored for jessie - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -161,8 +161,12 @@ CVE-2018-9840 CVE-2018-9839 RESERVED CVE-2018-1000166 [Unsafe use of sprintf() can allow a remote unauthenticated attacker to execute arbitrary code] + - cfitsio 3.430-1 (low; bug #892458) + [stretch] - cfitsio (Minor issue) + [jessie] - cfitsio (Minor issue) - cfitsio 3.430-1 (bug #892458) NOTE: https://github.com/astropy/astropy/pull/7274 + NOTE: Mitigated to a crash due to hardened build flags CVE-2018-1000164 [Improper neutralization of CRLF Sequences http/wsgi.py:process_headers() can allow an attacker to cause a server to return arbitrary HTTP headers] - gunicorn 19.5.0-1 NOTE: https://epadillas.github.io/2018/04/02/http-header-splitting-in-gunicorn-19.4.5 @@ -170,6 +174,8 @@ CVE-2018-1000164 [Improper neutralization of CRLF Sequences http/wsgi.py:process NOTE: https://github.com/benoitc/gunicorn/commit/5263a4ef2a63c62216680876f3813959839608ff CVE-2018-1000161 [directory traversal in the way the non-default http-fetch script sanitized URLs] - nmap 7.70+dfsg1-1 + [stretch] - nmap (Minor issue) + [jessie] - nmap (Minor issue) CVE-2018-1000157 REJECTED CVE-2018-9838 (The caml_ba_deserialize function in byterun/bigarray.c in the standard ...) 
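Review bot: the CVE-2018-1000166 hunk adds "- cfitsio 3.430-1 (low; bug #892458)" but leaves the pre-existing "- cfitsio 3.430-1 (bug #892458)" in place as unchanged context, so the entry now lists the same source package twice, once with the severity and once without; the old line belonged on the "-" side of the hunk. The new "NOTE: Mitigated to a crash due to hardened build flags" is exactly the rationale the stretch/jessie "Minor issue" lines need, so keep it.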
@@ -5977,12 +5983,16 @@ CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 mishandl - linux (Vulnerable code not present) CVE-2018-199 (Teluu PJSIP version 2.7.1 and earlier contains a Access of ...) - pjproject 2.7.2~dfsg-1 + [jessie] - pjproject (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-003.html NOTE: https://trac.pjsip.org/repos/ticket/2092 + NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2018-198 (Teluu PJSIP version 2.7.1 and earlier contains a Integer Overflow ...) - pjproject 2.7.2~dfsg-1 + [jessie] - pjproject (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-002.html NOTE: https://trac.pjsip.org/repos/ticket/2093 + NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper Null ...) - mingw-w64 (low) [stretch] - mingw-w64 (Minor issue) 
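Review bot: the jessie "Minor issue" lines for both PJSIP CVEs are justified by "In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN)", but that note only speaks about Asterisk; if any other jessie package links libpjproject, its SIP parser is still reachable there. Say in the NOTE that the reverse-dependency check was done, otherwise the no-dsa decision rests on one consumer.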
@@ -10994,16 +11004,22 @@ CVE-2018-5803 [Missing length check of payload in net/sctp/sm_make_chunk.c:_sctp CVE-2018-5802 [Out-of-bounds read in kodak_radc_load_raw function internal/dcraw_common.cpp] RESERVED - libraw 0.18.7-1 + [stretch] - libraw (Minor issue) + [jessie] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5801 [NULL pointer dereference in LibRaw::unpack function src/libraw_cxx.cpp] RESERVED - libraw 0.18.7-1 + [stretch] - libraw (Minor issue) + [jessie] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-5800 [Heap-based buffer overflow in LibRaw::kodak_ycbcr_load_raw function in internal/dcraw_common.cpp] RESERVED - libraw 0.18.7-1 + [stretch] - libraw (Minor issue) + [jessie] - libraw (Minor issue) NOTE: https://packetstormsecurity.com/files/146172/secunia-libraw.txt NOTE: https://github.com/LibRaw/LibRaw/commit/8682ad204392b914ab1cc6ebcca9c27c19c1a4b4 CVE-2018-106 (GitHub Electron versions 1.8.2-beta.3 and earlier, 1.7.10 and earlier, ...) @@ -11100,6 +6,7 @@ CVE-2016-10707 (jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due t NOTE: Only 3.0.0-rc1 affected: https://github.com/jquery/jquery/issues/3133#issuecomment-358978489 CVE-2015-9251 (jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks ...) - jquery 3.1.1-1 + [jessie] - jquery (Too intrusive to backport) [wheezy] - jquery (Too invasive to fix) NOTE: https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc NOTE: https://github.com/jquery/jquery/issues/2432 @@ -11108,6 +11125,7 @@ CVE-2015-9251 (jQuery before 3.0.0 is vulnerable
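Review bot: in the jQuery hunk the new "[jessie] - jquery (Too intrusive to backport)" sits directly above the existing "[wheezy] - jquery (Too invasive to fix)"; the same decision is recorded with two different phrasings, use one wording for both lines. The three libraw hunks above are consistent with each other (same two-line pattern per CVE, same upstream commit 8682ad20 referenced for all three).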
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] ffmpeg postponed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 543da59f by Moritz Muehlenhoff at 2018-04-08T13:00:58+02:00 ffmpeg postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -25,9 +25,9 @@ CVE-2018-9843 CVE-2018-9842 RESERVED CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg through ...) - - ffmpeg + - ffmpeg (low) + [stretch] - ffmpeg (Can wait until the next ffmpeg 3.2.x release) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758 - TODO: check details and libav CVE-2018-9840 RESERVED CVE-2018-9839 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/543da59f3ff1f2aa381ad5bc8db7e690f795231d
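Review bot: this hunk drops "TODO: check details and libav" while adding only the ffmpeg severity and the stretch postponement; the libav half of that TODO is not answered anywhere in the hunk (no "- libav" line, no NOTE), so the open question is lost rather than resolved. Keep a "TODO: check libav" line until libav's status for CVE-2018-9841 is recorded.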
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add note on libevt
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 239f8511 by Moritz Muehlenhoff at 2018-04-08T12:59:18+02:00 add note on libevt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2596,6 +2596,7 @@ CVE-2018-8754 (The libevt_record_values_read_event() function in ...) {DSA-4160-1} - libevt 20180317-1 (bug #893431) NOTE: https://github.com/libyal/libevt/commit/444ca3ce7853538c577e0ec3f6146d2d65780734 + NOTE: Impact limited to OOB read, not write CVE-2018-8753 RESERVED CVE-2018-8752 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/239f851135e6fb3447124de8261b2e964aff9fb0
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] wordpress fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f64b1adb by Moritz Muehlenhoff at 2018-04-08T12:33:24+02:00 wordpress fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -39,13 +39,13 @@ CVE-2018-9838 (The caml_ba_deserialize function in byterun/bigarray.c in the sta NOTE: https://caml.inria.fr/mantis/view.php?id=7765 NOTE: Before 4.06.0+beta1 the code is present in otherlibs/bigarray/bigarray_stubs.c CVE-2018- [wordpress: Don't treat localhost as same host by default] - - wordpress (bug #895034) + - wordpress 4.9.5+dfsg1-1 (bug #895034) NOTE: https://core.trac.wordpress.org/changeset/42894 CVE-2018- [wordpress: Use safe redirects when redirecting the login page if SSL is forced] - - wordpress (bug #895034) + - wordpress 4.9.5+dfsg1-1 (bug #895034) NOTE: https://core.trac.wordpress.org/changeset/42892 CVE-2018- [wordpress: Make sure the version string is correctly escaped for use in generator tags] - - wordpress (bug #895034) + - wordpress 4.9.5+dfsg1-1 (bug #895034) NOTE: https://core.trac.wordpress.org/changeset/42893 CVE-2018-9837 RESERVED 
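Review bot: the three "CVE-2018-" headers in this hunk are placeholder identifiers (the file's usual CVE-YYYY-XXXX convention, with the X's not surviving this rendering); once MITRE assigns identifiers for the WordPress 4.9.5 fixes, these entries must be renamed or merged into the real ones, otherwise the fixed version 4.9.5+dfsg1-1 stays under the placeholders and the real CVEs come in as fresh "TODO: check" entries.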
@@ -9151,12 +9151,13 @@ CVE-2018-6391 (A cross-site request forgery web vulnerability has been discovere CVE-2018-6390 (The WStr::assign function in kso.dll in Kingsoft WPS Office 10.1.0.7106 ...) NOT-FOR-US: Kingsoft WPS Office CVE-2018-6389 (In WordPress through 4.9.2, unauthenticated attackers can cause a ...) - - wordpress + - wordpress (unimportant) NOTE: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html NOTE: https://thehackernews.com/2018/02/wordpress-dos-exploit.html NOTE: https://wpvulndb.com/vulnerabilities/9021 NOTE: disputed by upstream as best fixed at the server level NOTE: patch in progress in https://core.trac.wordpress.org/ticket/43308 + NOTE: Architectual limitation, marginal impact CVE-2018-6388 (iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices allow remote ...) NOT-FOR-US: iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices CVE-2018-6387 (iBall iB-WRA150N 1.2.6 build 110401 Rel.47776n devices have a hardcoded ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f64b1adb6a85f8584530f33cd85e59ec6f4fed2e
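Review bot: "NOTE: Architectual limitation, marginal impact" misspells "Architectural". On substance, the entry is downgraded to unimportant while "NOTE: patch in progress in https://core.trac.wordpress.org/ticket/43308" stays; if that ticket does produce a change in a later release the entry will need a fixed version again, so the unimportant marking should be revisited when the ticket closes.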
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: new wordpress issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ca620181 by Moritz Muehlenhoff at 2018-04-06T14:55:53+02:00 new wordpress issues - - - - - 002fd63e by Moritz Muehlenhoff at 2018-04-06T15:02:36+02:00 Merge branch 'master' of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,12 @@ +CVE-2018- [wordpress: Don't treat localhost as same host by default] + - wordpress (bug #895034) + NOTE: https://core.trac.wordpress.org/changeset/42894 +CVE-2018- [wordpres: Use safe redirects when redirecting the login page if SSL is forced] + - wordpress (bug #895034) + NOTE: https://core.trac.wordpress.org/changeset/42892 +CVE-2018- [wordpres: Make sure the version string is correctly escaped for use in generator tags] + - wordpress (bug #895034) + NOTE: https://core.trac.wordpress.org/changeset/42893 CVE-2018-9837 RESERVED CVE-2018-9836 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/453eb7521a76a37250f5bea1ffb5c8ba210eb5ae...002fd63ec9ef58204c0e44d2f3937a5705ba9419
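Review bot: the second and third placeholder titles read "wordpres:" where the first reads "wordpress:"; fix the spelling so a search for "wordpress" in data/CVE/list finds all three. All three entries share bug #895034 and one changeset each, which is the right granularity for placeholders, but it means they will need to be matched one-to-one against the identifiers MITRE assigns rather than collapsed into a single entry.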
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] patch fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 137e6b17 by Moritz Muehlenhoff at 2018-04-06T13:35:54+02:00 patch fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -129183,6 +129183,7 @@ CVE-2018-1000156 [input validation vulnerability when processing patch files] NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/ NOTE: https://twitter.com/kurtseifried/status/982028968877436928 NOTE: This CVE is specifically for GNU patch and relates to CVE-2015-1418 + NOTE: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0d5d1aebe128295959435b9ca5909c26d NOTE: Respective patch in FreeBSD: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc NOTE: Respective patch in OpenBSD: https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/137e6b17d079abc9c23ddf57b87463b37c5169a9
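Review bot: the commit is titled "patch fixed", but the only change in the hunk is the added "NOTE: http://git.savannah.gnu.org/cgit/patch.git/commit/?id=123eaff0..." line; the package line for src:patch is outside the shown context and is not touched here. Confirm the "- patch <version>" line was updated in the same commit, otherwise the entry still reads as unfixed while now carrying an upstream fix reference, and the "fixed" in the commit message is misleading to anyone reading the log.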
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mcollective fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 05ae370f by Moritz Muehlenhoff at 2018-04-06T12:32:33+02:00 mcollective fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -71785,7 +71785,7 @@ CVE-2017-2294 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 faile CVE-2017-2293 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped ...) - puppet (Specific to Puppet Enterprise) CVE-2017-2292 (Versions of MCollective prior to 2.10.4 deserialized YAML from agents ...) - - mcollective (bug #866711) + - mcollective 2.12.0+dfsg-1 (bug #866711) [jessie] - mcollective (Minor issue) [wheezy] - mcollective (Minor issue) NOTE: https://puppet.com/security/cve/cve-2017-2292 @@ -98909,7 +98909,7 @@ CVE-2016-2841 (The ne2000_receive function in the NE2000 NIC emulation support . NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303106 NOTE: http://www.openwall.com/lists/oss-security/2016/03/02/8 CVE-2016-2788 (MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet ...) - - mcollective (bug #850968) + - mcollective 2.12.0+dfsg-1 (bug #850968) [jessie] - mcollective (Minor issue) [wheezy] - mcollective (Minor issue) NOTE: https://puppet.com/security/cve/cve-2016-2788 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/05ae370f8ce7f681de2c133bb119ad0522fabba6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/05ae370f8ce7f681de2c133bb119ad0522fabba6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
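Review bot: both hunks record 2.12.0+dfsg-1 as the fixing upload while the [jessie] and [wheezy] lines stay "(Minor issue)", but neither hunk shows a [stretch] annotation; CVE-2017-2292 covers MCollective before 2.10.4 and CVE-2016-2788 covers 2.7.0 and 2.8.x before 2.8.9, so if stretch ships a version in either range it needs its own "[stretch] - mcollective ..." line (Minor issue or a fixed version), otherwise the tracker will derive stretch as vulnerable from the unstable fix version alone.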
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 81f5f9d2 by Moritz Muehlenhoff at 2018-04-06T12:06:29+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1019,7 +1019,7 @@ CVE-2016-10719 CVE-2018-9330 RESERVED CVE-2018-9329 (The Bitdefender Antivirus 6.2.19.890 component, as configured for AV ...) - TODO: check + NOT-FOR-US: Bitdefender Antivirus CVE-2018-9328 (PHP Scripts Mall Redbus Clone Script 3.0.6 has XSS via the ter_from ...) NOT-FOR-US: PHP Scripts Mall Redbus Clone Script CVE-2018-9327 @@ -16258,7 +16258,7 @@ CVE-2018-3626 (Edger8r tool in the Intel SGX SDK before version 2.1.2 (Linux) an CVE-2018-3625 RESERVED CVE-2018-3624 (Buffer overflow in ETWS processing module Intel XMM71xx, XMM72xx, ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-3623 RESERVED CVE-2018-3622 
@@ -34485,29 +34485,29 @@ CVE-2017-14475 CVE-2017-14474 RESERVED CVE-2017-14473 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14472 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14471 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14470 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14469 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14468 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14467 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14466 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14465 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14464 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14463 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14462 (An exploitable access control vulnerability exists in the data, ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to Dovecot ...) {DSA-4130-1 DLA-1333-1} - dovecot 1:2.2.34-1 (bug #891819) 
@@ -41597,21 +41597,21 @@ CVE-2017-12097 (An exploitable cross site scripting (XSS) vulnerability exists i CVE-2017-12096 (An exploitable vulnerability exists in the WiFi management of Circle ...) NOT-FOR-US: Circle of Disney CVE-2017-12095 (An exploitable vulnerability exists in the WiFi Access Point feature ...) - TODO: check + NOT-FOR-US: Circle of Disney CVE-2017-12094 (An exploitable vulnerability exists in the WiFi Channel parsing of ...) NOT-FOR-US: Circle with Disney CVE-2017-12093 (An exploitable insufficient resource pool vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12092 RESERVED CVE-2017-12091 REJECTED CVE-2017-12090 (An exploitable denial of service vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12089 (An exploitable denial of service vulnerability exists in the program ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12088 (An exploitable denial of service vulnerability exists in the Ethernet ...) - TODO: check + NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12087 RESERVED - shairport-sync 3.1.4-1 (unimportant; bug #882508) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81f5f9d2a0261e059ecc75da47bf6760fe2d8e7b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81f5f9d2a0261e059ecc75da47bf6760fe2d8e7b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
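Review bot: "NOT-FOR-US: Intel" for CVE-2018-3624 (first hunk) is vaguer than the other NFU lines in this commit, which name the product ("Bitdefender Antivirus", "PHP Scripts Mall Redbus Clone Script"); the description already places the bug in the ETWS processing module of the Intel XMM71xx/XMM72xx modems, so write something like "NOT-FOR-US: Intel XMM modem firmware" so a later triager does not have to reopen the CVE to see why it was excluded.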
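Review bot: in the last hunk CVE-2017-12095 is marked "NOT-FOR-US: Circle of Disney" while the adjacent CVE-2017-12094 says "Circle with Disney" (and CVE-2017-12096 above it also says "of"); the product is "Circle with Disney", so use that spelling for all three entries so the NFU text stays greppable.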
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] historic OBS issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f614ef87 by Moritz Muehlenhoff at 2018-04-05T21:26:02+02:00 historic OBS issue resolved some TODOs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5786,17 +5786,14 @@ CVE-2018-7175 (An issue was discovered in xpdf 4.00. A NULL pointer dereference - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 - TODO: check, poppler CVE-2018-7174 (An issue was discovered in xpdf 4.00. An infinite loop in XRef::Xref ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=605 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 - TODO: check, poppler CVE-2018-7173 (A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 allows an ...) - xpdf (unimportant) NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=607 NOTE: src:xpdf switched to use system poppler libary in 3.02-3 - TODO: check, poppler CVE-2018-168 (An improper input validation vulnerability exists in Jenkins versions ...) - jenkins CVE-2018-167 (An improper authorization vulnerability exists in Jenkins versions ...) @@ -44664,7 +44661,6 @@ CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install NOTE: https://tickets.puppetlabs.com/browse/PUP-7866 NOTE: https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee NOTE: https://github.com/puppetlabs/puppet/commit/983154f7e29a2a50d416d889a6fed012b9b12399 - TODO: check, similar issue might be in ruby-puppet-forge CVE-2017-10688 (In LibTIFF 4.0.8, there is a assertion abort in the ...) {DSA-3903-1 DLA-1022-1} - tiff 4.0.8-3 (bug #866611) 
@@ -200148,7 +200144,7 @@ CVE-2011-3180 (kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2 CVE-2011-3179 (The server process in Novell Messenger 2.1 and 2.2.x before 2.2.1, and ...) NOT-FOR-US: Novell Messenger CVE-2011-3178 (In the web ui of the openbuildservice before 2.3.0 a code injection of ...) - TODO: check + - open-build-service (Fixed before initial upload to Debian) CVE-2011-3177 (The YaST2 network created files with world readable permissions which ...) NOT-FOR-US: YaST CVE-2011-3176 (Stack-based buffer overflow in the Preboot Service in Novell ZENworks ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f614ef87624d442799ccdbe7d59adc43a4311714 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f614ef87624d442799ccdbe7d59adc43a4311714 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
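Review bot: the first hunk deletes "TODO: check, poppler" from CVE-2018-7175, -7174 and -7173 without recording the outcome; the NOTE above each entry ("src:xpdf switched to use system poppler libary in 3.02-3") is exactly why the poppler question was open, so if poppler was checked and is not affected by these xpdf 4.00 issues, say so in a NOTE (and if it is affected, poppler needs its own package line) rather than dropping the TODO silently. The unchanged "libary" in those NOTEs is a typo for "library" and could be fixed in a follow-up.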
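Review bot: the second hunk removes "TODO: check, similar issue might be in ruby-puppet-forge" from CVE-2017-10689 with no replacement NOTE, so the result of that check is lost; if ruby-puppet-forge was examined and is not affected, record that in a NOTE, and if it is affected it needs its own package line rather than a deleted TODO.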
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 331c35ec by Moritz Muehlenhoff at 2018-04-05T15:20:04+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -36573,73 +36573,73 @@ CVE-2017-13309 CVE-2017-13308 RESERVED CVE-2017-13307 (A elevation of privilege vulnerability in the Upstream kernel pci ...) - TODO: check + NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13306 (A elevation of privilege vulnerability in the Upstream kernel mnh ...) - TODO: check + NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13305 (A information disclosure vulnerability in the Upstream kernel ...) - TODO: check + NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13304 (A information disclosure vulnerability in the Upstream kernel mnh_sm ...) - TODO: check + NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13303 (A information disclosure vulnerability in the Broadcom bcmdhd driver. ...) NOT-FOR-US: Broadcom components for Android CVE-2017-13302 (A denial of service vulnerability in the Android system (system ui). ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13301 (A denial of service vulnerability in the Android system (system ui). ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13300 (A denial of service vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-13299 (A other vulnerability in the Android media framework (libavc). ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-13298 (A information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-13297 (A information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-13296 (A information disclosure vulnerability in the Android media framework ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-13295 (A denial of service vulnerability in the Android framework (package ...) 
- TODO: check + NOT-FOR-US: Android CVE-2017-13294 (A information disclosure vulnerability in the Android framework (aosp ...) NOT-FOR-US: Android framework (aosp email application) CVE-2017-13293 (In the nfc_hci_cmd_received() function of core.c, there is a possible ...) - TODO: check + NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13292 (In wl_get_assoc_ies of wl_cfg80211.c, there is a possible out of ...) - TODO: check + NOT-FOR-US: Broadcom components for Android CVE-2017-13291 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13290 (In sdp_server_handle_client_req of sdp_server.cc, there is an out of ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13289 (In writeToParcel and createFromParcel of RttManager.java, there is a ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13288 (In writeToParcel and readFromParcel of PeriodicAdvertisingReport.java, ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13287 (In createFromParcel of VerifyCredentialResponse.java, there is a ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13286 (In writeToParcel and readFromParcel of OutputConfiguration.java, there ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13285 (In SvoxSsmlParser and startElement of svox_ssml_parser.cpp, there is a ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13284 (In config_set_string of config.cc, it is possible to pair a second BT ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13283 (In avrc_ctrl_pars_vendor_rsp of bluetooth avrcp_ctrl, there is a ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13282 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13281 (In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a possible ...) - TODO: check + NOT-FOR-US: Android CVE-2017-13280 (In the FrameSequence_gif::FrameSequence_gif function of ...) 
- TODO: check + NOT-FOR-US: Android media framework CVE-2017-13279 (In M3UParser::parse of M3UParser.cpp, there is a memory resource ...) - TODO: check + NOT-FOR-US: Android media framework CVE-2017-13278 (In MediaPlayerService::Client::notify of MediaPlayerService.cpp, there
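Review bot: CVE-2017-13293 is tagged "NOT-FOR-US: Android kernel (no source release, so apparently not in mainline)", but its description names nfc_hci_cmd_received() in core.c, which is the NFC HCI core of the mainline Linux tree (net/nfc/hci/core.c), not a vendor-only driver like the pci/mnh/mnh_sm entries above it; this one should be checked against src:linux before it is closed as NFU. The remaining entries in the hunk (media framework, Bluetooth stack, Parcel classes) are Android userland and the tagging reads fine.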
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] exiv n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ae9c04f by Moritz Muehlenhoff at 2018-04-05T15:10:57+02:00 exiv n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -31,20 +31,19 @@ CVE-2018-9308 CVE-2018-9307 (dsmall v20180320 allows XSS via the pdr_sn parameter to ...) NOT-FOR-US: dsmall CVE-2018-9306 (In Exiv2 0.26, an out-of-bounds read in IptcData::printStructure in ...) - - exiv2 + [experimental] - exiv2 + - exiv2 (Vulnerable code introduced after 0.25) NOTE: https://github.com/Exiv2/exiv2/issues/263 - TODO: check CVE-2018-9305 (In Exiv2 0.26, an out-of-bounds read in IptcData::printStructure in ...) - - exiv2 + [experimental] - exiv2 + - exiv2 (Vulnerable code introduced after 0.25) NOTE: https://github.com/Exiv2/exiv2/issues/263 - TODO: check CVE-2018-9304 (In Exiv2 0.26, a divide by zero in BigTiffImage::printIFD in ...) - - exiv2 + - exiv2 (Vulnerable code introduced after 0.26) NOTE: https://github.com/Exiv2/exiv2/issues/262 - TODO: check CVE-2018-9303 (In Exiv2 0.26, an assertion failure in BigTiffImage::readData in ...) - - exiv2 - TODO: check + - exiv2 (Vulnerable code introduced after 0.26) + NOTE: https://github.com/Exiv2/exiv2/issues/262 CVE-2018-9302 RESERVED CVE-2018-9301 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ae9c04fc5ee52996677e535805d7feb6a082851 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ae9c04fc5ee52996677e535805d7feb6a082851 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
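Review bot: for CVE-2018-9304 and CVE-2018-9303 the new annotation "(Vulnerable code introduced after 0.26)" contradicts the CVE text "In Exiv2 0.26, ... BigTiffImage::..." on its face; that is presumably the finding (the report names the release but the BigTiff code is newer), so a NOTE saying explicitly that BigTiffImage is not in the released 0.26 source will stop the next triager from reopening it. For CVE-2018-9306/9305 the "[experimental] - exiv2" line without a version records experimental as affected and unfixed, so confirm the package in experimental actually carries the post-0.25 IptcData::printStructure code the annotation refers to; with the TODOs gone, the issue links (#263 versus #262) are now the only thing tying each pair to its upstream report, so keep them.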
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs posted to oss-sec
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 95decbba by Moritz Muehlenhoff at 2018-04-05T13:12:28+02:00 NFUs posted to oss-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,27 @@ +CVE-2018-1000142 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000143 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000144 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000145 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000146 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000147 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000148 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000149 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000150 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000151 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000152 + NOT-FOR-US: Jenkins plugin +CVE-2018-1000153 + NOT-FOR-US: Jenkins plugin CVE-2018-9310 RESERVED CVE-2018-9309 (An issue was discovered in zzcms 8.2. It allows SQL injection via the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95decbbadc17243c43e3167a5d1c91db94b6a22f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95decbbadc17243c43e3167a5d1c91db94b6a22f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
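Review bot: the twelve new entries (CVE-2018-1000142 through CVE-2018-1000153) are tagged "NOT-FOR-US: Jenkins plugin" without saying which plugin each one covers, and they carry no description text at all; since src:jenkins is packaged (the file has "- jenkins" lines for CVE-2018-168 and CVE-2018-167), record the plugin name per ID, or at least a NOTE pointing at the oss-sec post the commit message refers to, so it stays verifiable that none of them touches the packaged core.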
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new webkit issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32044344 by Moritz Muehlenhoff at 2018-04-04T23:42:27+02:00 new webkit issue NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -55944,7 +55944,9 @@ CVE-2017-7155 (An issue was discovered in certain Apple products. macOS before . CVE-2017-7154 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7153 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - TODO: check + - webkit2gtk 2.18.6-1 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0002.html + NOTE: Not covered by security support CVE-2017-7152 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7151 @@ -56150,7 +56152,7 @@ CVE-2017-7073 CVE-2017-7072 (An issue was discovered in certain Apple products. iOS before 11 is ...) NOT-FOR-US: Apple CVE-2017-7071 (An issue was discovered in certain Apple products. Safari before 10.1 ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7070 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-7069 (An issue was discovered in certain Apple products. iOS before 10.3.3 ...) @@ -56341,7 +56343,7 @@ CVE-2017-7006 (An issue was discovered in certain Apple products. iOS before 10. NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7005 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7004 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) NOT-FOR-US: Apple CVE-2017-7003 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) 
@@ -144279,7 +144281,7 @@ CVE-2014-4961 CVE-2014-4960 (Multiple SQL injection vulnerabilities in models\gallery.php in ...) NOT-FOR-US: Joomla! component CVE-2014-4959 (**DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the ...) - TODO: check + NOT-FOR-US: Disputed Android issue CVE-2014-4958 (Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET ...) NOT-FOR-US: Telerik UI for ASP.NET AJAX RadEditor Control CVE-2014-4957 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3204434407b428688ac13da532388d05a5aad5e7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3204434407b428688ac13da532388d05a5aad5e7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
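Review bot: CVE-2014-4959 is marked "NOT-FOR-US: Disputed Android issue", which folds two different reasons into one tag (Android's SQLiteDatabase.java is not packaged; the report is disputed); the first alone justifies NFU, so "NOT-FOR-US: Android" plus a NOTE on the dispute keeps the tag consistent with the plain "NOT-FOR-US: Android" entries used elsewhere in the file.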
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a3d0ad7f by Moritz Muehlenhoff at 2018-04-04T23:38:48+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -43564,7 +43564,7 @@ CVE-2017-11077 CVE-2017-11076 RESERVED CVE-2017-11075 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11074 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11073 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) @@ -55293,9 +55293,9 @@ CVE-2016-10301 CVE-2016-10300 RESERVED CVE-2016-10299 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2016-10298 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2016-10297 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10296 (An information disclosure vulnerability in the Qualcomm shared memory ...) 
@@ -55356,21 +55356,21 @@ CVE-2015-9016 [blk-mq: fix race between timeout and freeing request] [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/0048b4837affd153897ed183492070027aa9 (4.3-rc1) CVE-2015-9015 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9014 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9013 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9012 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9011 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9010 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9009 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9008 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9007 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9006 (In Resource Power Manager (RPM) in all Android releases from CAF using ...) 
@@ -55393,7 +55393,7 @@ CVE-2014-9955 (An elevation of privilege vulnerability in Qualcomm closed source CVE-2014-9954 (An elevation of privilege vulnerability in Qualcomm closed source ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9953 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2014-9952 (In the Secure File System in all Android releases from CAF using the ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9951 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) @@ -55891,19 +55891,19 @@ CVE-2017-7175 (NfSen before 1.3.8 allows remote attackers to execute arbitrary O CVE-2017-7174 (The user-account creation feature in Chef Manage 2.1.0 through 2.4.4 ...) NOT-FOR-US: Chef Manage CVE-2017-7173 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7172 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7171 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7170 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7169 RESERVED CVE-2017-7168 RESERVED CVE-2017-7167 (An issue was discovered in certain Apple products. Xcode before 9.2 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7166 RESERVED CVE-2017-7165 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) @@ -55912,7 +55912,7
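Review bot: CVE-2014-9953 gets "NOT-FOR-US: Qualcomm component for Android" (singular, matching its neighbour CVE-2014-9954) while every other Qualcomm entry in this commit uses "Qualcomm components for Android"; these strings get grepped for, so settle on one form, preferably the plural used by the majority.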
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Mark some questionable Apple CVE assignments as NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ae5b8e0 by Moritz Muehlenhoff at 2018-04-04T23:29:29+02:00 Mark some questionable Apple CVE assignments as NFU - No point in investigating this further, we can only assume that Apple staff is stupid and assigned internal ID duplicates to otherwise public issues They can prove us wrong by providing proper commit references! - - - - - 81a0add7 by Moritz Muehlenhoff at 2018-04-04T23:31:49+02:00 Merge branch 'master' of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -35115,15 +35115,15 @@ CVE-2017-13818 (An issue was discovered in certain Apple products. macOS before CVE-2017-13817 (An out-of-bounds read issue was discovered in certain Apple products. ...) NOT-FOR-US: Apple CVE-2017-13816 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially libarchive + NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13815 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-13814 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-13813 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially libarchive + NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13812 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially libarchive + NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13811 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-13810 (An issue was discovered in certain Apple products. macOS before ...) 
@@ -55992,25 +55992,25 @@ CVE-2017-7132 (An issue was discovered in certain Apple products. macOS before . CVE-2017-7131 (An issue was discovered in certain Apple products. iOS before 11 is ...) NOT-FOR-US: Apple CVE-2017-7130 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7129 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7128 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7127 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7126 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7125 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7124 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7123 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7122 (An issue was discovered in certain Apple products. macOS before 10.13 ...) 
- TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7121 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7120 (An issue was discovered in certain Apple products. iOS before 11 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a1bf39232a988f00df252f9d602bccf59ef45dd3...81a0add70034707d5aee2f7b580be080ebe9d64e --- View it on
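Review bot: closing the libarchive, file and sqlite candidates (CVE-2017-13816, -13815, -13813, -13812 and CVE-2017-7130 through -7121) as NOT-FOR-US removes them from the tracker's view for packages Debian does ship; the "Potentially src:..." wording preserves the suspicion, which is good, but each entry should also get a NOTE with the Apple advisory it came from so the set can be reopened mechanically if Apple later publishes the commit references the commit message asks for.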
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new kfreebsd issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e1a501f8 by Moritz Muehlenhoff at 2018-04-04T23:23:40+02:00 new kfreebsd issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6344,14 +6344,20 @@ CVE-2018-6921 CVE-2018-6920 RESERVED CVE-2018-6919 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:04.mem.asc + NOTE: kfreebsd not covered by security support CVE-2018-6918 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc + NOTE: kfreebsd not covered by security support CVE-2018-6917 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-18:04.vt.asc + NOTE: kfreebsd not covered by security support CVE-2018-6916 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p7, 10.4-STABLE, ...) - kfreebsd-10 (unimportant) - NOTE: Patch https://www.freebsd.org/security/patches/SA-18:01/ipsec-10.patch + NOTE: https://www.freebsd.org/security/patches/SA-18:01/ipsec-10.patch NOTE: kfreebsd not covered by security support CVE-2018-6915 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1a501f8472ff24fe66c1677b58ad1564cf7baab --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1a501f8472ff24fe66c1677b58ad1564cf7baab You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
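Review bot: the new NOTE URLs use two different hosts for the same advisory tree, "https://security.FreeBSD.org/advisories/..." for EN-18:04 and SA-18:05 versus "https://www.freebsd.org/security/advisories/..." for SA-18:04 (and the existing SA-18:01 patch link); pick one form. CVE-2018-6919 is backed by FreeBSD-EN-18:04.mem, an Errata Notice rather than a Security Advisory, which fits the "(unimportant)" severity but is worth stating in the NOTE. Dropping the "Patch " prefix from the CVE-2018-6916 NOTE is fine and matches the new lines.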
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a8b515bf by Moritz Muehlenhoff at 2018-04-04T23:18:20+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -250,7 +250,7 @@ CVE-2018-9207 CVE-2018-9206 RESERVED CVE-2018-9205 (Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php ...) - TODO: check + NOT-FOR-US: avatar_uploader CVE-2018-9204 RESERVED CVE-2018-9203 @@ -438,7 +438,7 @@ CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard ...) - botan 2.4.0-5 (bug #894648) CVE-2018-9126 (The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote ...) - TODO: check + NOT-FOR-US: DNN CVE-2018-9125 RESERVED CVE-2018-9124 @@ -452,7 +452,7 @@ CVE-2018-9121 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a CVE-2018-9120 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post. ...) NOT-FOR-US: Crea8social CVE-2018-9119 (An attacker with physical access to a BrilliantTS FUZE card (MCU ...) - TODO: check + NOT-FOR-US: BrilliantTS FUZE card CVE-2018-9118 RESERVED CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote ...) @@ -460,7 +460,7 @@ CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a rem CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote ...) NOT-FOR-US: WireMock CVE-2018-9115 (Systematic SitaWare 6.4 SP2 does not validate input from other sources ...) - TODO: check + NOT-FOR-US: Systematic SitaWare CVE-2018-9114 RESERVED CVE-2018-9113 
@@ -632,9 +632,9 @@ CVE-2018-9037 CVE-2018-9036 RESERVED CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-9034 (Cross-site scripting (XSS) vulnerability in lib/interface.php of the ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-9033 RESERVED CVE-2018-9032 (An authentication bypass vulnerability on D-Link DIR-850L Wireless ...) @@ -2974,7 +2974,7 @@ CVE-2018-8050 (The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka NOTE: https://github.com/sshock/AFFLIBv3/commit/435a2ca802358a3debb6d164d2c33049131df81c NOTE: Negligable security impact CVE-2018-8049 (The Stealth endpoint in Unisys Stealth SVG 2.8.x, 3.0.x before ...) - TODO: check + NOT-FOR-US: Unisys Stealth SVG CVE-2018-8048 (In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML ...) - ruby-loofah 2.2.1-1 (bug #893596) NOTE: https://github.com/flavorjones/loofah/issues/144 @@ -6465,9 +6465,9 @@ CVE-2018-6876 (The OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as u CVE-2018-6875 (Format String vulnerability in KeepKey version 4.0.0 allows attackers ...) NOT-FOR-US: KeepKey CVE-2018-6874 (CSRF exists in the Auth0 authentication service through 14591 if the ...) - TODO: check + NOT-FOR-US: Auth0 CVE-2018-6873 (The Auth0 authentication service before 2017-10-15 allows privilege ...) - TODO: check + NOT-FOR-US: Auth0 CVE-2018-6872 (The elf_parse_notes function in elf.c in the Binary File Descriptor ...) - binutils 2.30-4 [stretch] - binutils (Minor issue) @@ -7137,7 +7137,7 @@ CVE-2017-18149 CVE-2017-18148 RESERVED CVE-2017-18147 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18146 RESERVED CVE-2017-18145 
@@ -7667,7 +7667,7 @@ CVE-2017-18098 CVE-2017-18097 RESERVED CVE-2017-18096 (The OAuth status rest resource in Atlassian Application Links before ...) - TODO: check + NOT-FOR-US: Atlassian Application Links CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before version ...) NOT-FOR-US: Atlassian Crucible CVE-2017-18094 (Various resources in Atlassian Fisheye and Crucible before version ...) @@ -13706,7 +13706,7 @@ CVE-2018-4132 (An issue was discovered in certain Apple products. macOS before . CVE-2018-4131 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4130 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4129 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html @@ -13734,7 +13734,7 @@ CVE-2018-4122 (An
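Review bot: the two `+ NOT-FOR-US: Wordpress plugin` lines for CVE-2018-9035 and CVE-2018-9034 are less specific than the rest of this patch, which names the product itself (`NOT-FOR-US: Auth0`, `NOT-FOR-US: Unisys Stealth SVG`), and use a non-upstream spelling; the CVE-2018-9035 description already names the component (`ExportToCsvUtf8.php of the Contact Form ...`), so naming the plugin and spelling it `WordPress` keeps the tag greppable when the same plugin shows up again.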
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new gpg issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2538dc0d by Moritz Muehlenhoff at 2018-04-04T21:45:45+02:00 new gpg issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -152,7 +152,11 @@ CVE-2017-18256 (Brave Browser before 0.13.0 allows remote attackers to cause a d CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if the ...) NOT-FOR-US: Brave Browser CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ...) - TODO: check + - gnupg2 (low) + [stretch] - gnupg2 (Minor issue) + [jessie] - gnupg2 (Minor issue) + NOTE: https://dev.gnupg.org/T3844 + TODO: doublecheck gpg1 status with Werner/Niibe CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a ...) - ncmpc (low; bug #894724) [stretch] - ncmpc (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2538dc0d4127b5087fe3d56edcb9a4c97df52585 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2538dc0d4127b5087fe3d56edcb9a4c97df52585 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
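Review bot: the `+ TODO: doublecheck gpg1 status with Werner/Niibe` line should read `double-check`, and since it is the only record that the gnupg 1.x source package has not been assessed for CVE-2018-9234 while gnupg2 is already marked `(low)` with stretch/jessie annotations, keep the TODO phrasing explicit about which package is still open so it is not dropped as a leftover when the entry is next touched.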
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d97aac7 by Moritz Muehlenhoff at 2018-04-04T21:37:22+02:00 NFUs - - - - - 45f7bec1 by Moritz Muehlenhoff at 2018-04-04T21:38:28+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -124,7 +124,7 @@ CVE-2018-9249 CVE-2018-9248 RESERVED CVE-2018-9247 (The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in ...) - TODO: check + NOT-FOR-US: Gxlcms QY CVE-2018-9246 RESERVED CVE-2018-9245 @@ -140,17 +140,17 @@ CVE-2018-9241 CVE-2018-9239 RESERVED CVE-2018-9238 (proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName ...) - TODO: check + NOT-FOR-US: Yahei-PHP Proberv CVE-2018-9237 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site ...) - TODO: check + NOT-FOR-US: iScripts EasyCreate CVE-2018-9236 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site ...) - TODO: check + NOT-FOR-US: iScripts EasyCreate CVE-2018-9235 (iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query ...) - TODO: check + NOT-FOR-US: iScripts SonicBB CVE-2017-18256 (Brave Browser before 0.13.0 allows remote attackers to cause a denial ...) - TODO: check + NOT-FOR-US: Brave Browser CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if the ...) - TODO: check + NOT-FOR-US: Brave Browser CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ...) TODO: check CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a ...) 
@@ -60108,7 +60108,7 @@ CVE-2017-5705 (Multiple buffer overflows in kernel in Intel Manageability Engine CVE-2017-5704 RESERVED CVE-2017-5703 (Configuration of SPI Flash in platforms based on multiple Intel ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-5702 RESERVED CVE-2017-5701 (Insecure platform configuration in system firmware for Intel ...) @@ -65265,7 +65265,7 @@ CVE-2017-4030 CVE-2017-4029 REJECTED CVE-2017-4028 (Maliciously misconfigured registry vulnerability in all Microsoft ...) - TODO: check + NOT-FOR-US: MacAfee CVE-2017-4027 REJECTED CVE-2017-4026 @@ -65377,7 +65377,7 @@ CVE-2017-3974 CVE-2017-3973 REJECTED CVE-2017-3972 (Infrastructure-based foot printing vulnerability in the web interface ...) - TODO: check + NOT-FOR-US: McAfee CVE-2017-3971 RESERVED CVE-2017-3970 
@@ -70160,9 +70160,9 @@ CVE-2017-2495 (An issue was discovered in certain Apple products. iOS before 10. CVE-2017-2494 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-2493 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-2492 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-2491 (Use after free vulnerability in the String.replace method ...) NOT-FOR-US: Apple Safari CVE-2017-2490 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d0b51f99e2801e54a124c83f33f2ba58093413cb...45f7bec184eac47adad361ac9117519d5fea5331 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d0b51f99e2801e54a124c83f33f2ba58093413cb...45f7bec184eac47adad361ac9117519d5fea5331 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
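Review bot: vendor name is misspelled in the `+ NOT-FOR-US: MacAfee` line for CVE-2017-4028; the CVE-2017-3972 hunk in the same patch uses `+ NOT-FOR-US: McAfee`. Use the same spelling in both so NOT-FOR-US entries for this vendor stay consistent and searchable.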
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new webkit issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d5ec6210 by Moritz Muehlenhoff at 2018-04-04T21:33:35+02:00 new webkit issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -13588,15 +13588,23 @@ CVE-2018-4167 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4166 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4165 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4164 (An issue was discovered in certain Apple products. Xcode before 9.3 is ...) NOT-FOR-US: Apple CVE-2018-4163 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4162 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4161 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4160 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2018-4159 
@@ -13626,7 +13634,9 @@ CVE-2018-4148 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4147 RESERVED CVE-2018-4146 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4145 RESERVED CVE-2018-4144 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) @@ -13652,7 +13662,9 @@ CVE-2018-4135 (An issue was discovered in certain Apple products. macOS before . CVE-2018-4134 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4133 (An issue was discovered in certain Apple products. Safari before 11.1 ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4132 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Intel graphics driver for MacOS CVE-2018-4131 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) 
@@ -13660,39 +13672,61 @@ CVE-2018-4131 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4130 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4129 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4128 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4127 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4126 RESERVED CVE-2018-4125 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4124 (An issue was discovered in certain Apple products. iOS before 11.2.6 ...) NOT-FOR-US: Apple CVE-2018-4123 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4122 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4121 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new koji issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2edb4d94 by Moritz Muehlenhoff at 2018-04-04T19:13:20+02:00 new koji issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,6 @@ +CVE-2018-1002150 [koji: Dist Repo call missing authorization check] + - koji + NOTE: http://www.openwall.com/lists/oss-security/2018/04/04/1 CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c ...) - wireshark NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14489 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2edb4d94d1135dca9ee48f488fe730e405fa9486 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2edb4d94d1135dca9ee48f488fe730e405fa9486 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] python no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c51f03e by Moritz Muehlenhoff at 2018-04-04T19:09:23+02:00 python no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22198,13 +22198,17 @@ CVE-2018-1062 (A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where NOT-FOR-US: ovirt-engine CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib] RESERVED - - python3.7 3.7.0~b3-1 - - python3.6 3.6.5~rc1-1 - - python3.5 - - python3.4 - - python3.2 - - python2.7 - - python2.6 + - python3.7 3.7.0~b3-1 (low) + - python3.6 3.6.5~rc1-1 (low) + - python3.5 (low) + [stretch] - python3.5 (Minor issue) + - python3.4 (low) + [jessie] - python3.4 (Minor issue) + - python3.2 (low) + - python2.7 (low) + [stretch] - python2.7 (Minor issue) + [jessie] - python2.7 (Minor issue) + - python2.6 (low) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) 
@@ -22214,13 +22218,17 @@ CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK m NOTE: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7) CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() method in pop3lib] RESERVED - - python3.7 3.7.0~b3-1 - - python3.6 3.6.5~rc1-1 - - python3.5 - - python3.4 - - python3.2 - - python2.7 - - python2.6 + - python3.7 3.7.0~b3-1 (low) + - python3.6 3.6.5~rc1-1 (low) + - python3.5 (low) + [stretch] - python3.5 (Minor issue) + - python3.4 (low) + [jessie] - python3.4 (Minor issue) + - python3.2 (low) + - python2.7 (low) + [stretch] - python2.7 (Minor issue) + [jessie] - python2.7 (Minor issue) + - python2.6 (low) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c51f03e1507e3963610829f267864a083fcb321 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c51f03e1507e3963610829f267864a083fcb321 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] reserve openjdk-7 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 73fac3af by Moritz Muehlenhoff at 2018-04-04T18:38:54+02:00 reserve openjdk-7 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[04 Apr 2018] DSA-4166-1 openjdk-7 - security update + {CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678} + [jessie] - openjdk-7 7u171-2.6.13-1~deb8u1 [03 Apr 2018] DSA-4165-1 ldap-account-manager - security update {CVE-2018-8763} [jessie] - ldap-account-manager 4.7.1-1+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -49,8 +49,6 @@ linux -- mercurial -- -openjdk-7/oldstable (jmm) --- openjpeg2 (luciano) -- passenger/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73fac3afd82cb5d577a0181089a453e41c96f858 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73fac3afd82cb5d577a0181089a453e41c96f858 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1851ffae by Moritz Muehlenhoff at 2018-04-04T16:52:52+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9501,23 +9501,23 @@ CVE-2018-5830 CVE-2018-5829 RESERVED CVE-2018-5828 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5827 RESERVED CVE-2018-5826 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5825 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5824 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5823 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5822 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5821 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5820 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5819 RESERVED CVE-2018-5818 @@ -14968,7 +14968,7 @@ CVE-2018-3647 CVE-2018-3646 RESERVED CVE-2018-3645 (Escalation of privilege in all versions of the Intel Remote Keyboard ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-3644 RESERVED CVE-2018-3643 
@@ -14976,13 +14976,13 @@ CVE-2018-3643 CVE-2018-3642 RESERVED CVE-2018-3641 (Escalation of privilege in all versions of the Intel Remote Keyboard ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-3640 RESERVED CVE-2018-3639 RESERVED CVE-2018-3638 (Escalation of privilege in all versions of the Intel Remote Keyboard ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-3637 RESERVED CVE-2018-3636 @@ -15586,13 +15586,13 @@ CVE-2017-17809 (In Golden Frog VyprVPN before 2.15.0.5828 for macOS, the vyprvpn CVE-2017-17808 RESERVED CVE-2018-3599 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3598 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3597 RESERVED CVE-2018-3596 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3595 RESERVED CVE-2018-3594 @@ -15616,7 +15616,7 @@ CVE-2018-3586 CVE-2018-3585 RESERVED CVE-2018-3584 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3583 RESERVED CVE-2018-3582 @@ -15652,13 +15652,13 @@ CVE-2018-3568 CVE-2018-3567 RESERVED CVE-2018-3566 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3565 RESERVED CVE-2018-3564 RESERVED CVE-2018-3563 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3562 RESERVED CVE-2018-3561 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
@@ -28989,7 +28989,7 @@ CVE-2017-15855 CVE-2017-15854 RESERVED CVE-2017-15853 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15852 (Information leak of the ISPIF base address in Android for MSM, Firefox ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15851 @@ -29021,9 +29021,9 @@ CVE-2017-15839 CVE-2017-15838 RESERVED CVE-2017-15837 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15836 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15835 RESERVED CVE-2017-15834 (In Android for MSM, Firefox OS for MSM
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] jasper unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e09ddb51 by Moritz Muehlenhoff at 2018-04-04T12:14:16+02:00 jasper unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -101,8 +101,9 @@ CVE-2018-9254 CVE-2018-9253 RESERVED CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...) - - jasper + - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/173 + NOTE: Negligable impact CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...) - libxml2 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e09ddb517cd752ae04bca368c8bc09ff077f3060 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e09ddb517cd752ae04bca368c8bc09ff077f3060 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
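Review bot: typo in the added `+ NOTE: Negligable impact` line for CVE-2018-9252; it should read `Negligible impact`.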
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] exiv confirmed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e080e98 by Moritz Muehlenhoff at 2018-04-03T22:43:40+02:00 exiv confirmed add freeplane to dsa-needed - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15773,11 +15773,12 @@ CVE-2017-17724 (In Exiv2 0.26, there is a heap-based buffer over-read in the ... NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524107 NOTE: https://github.com/Exiv2/exiv2/issues/210 CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the ...) - - exiv2 + - exiv2 (low) + [stretch] - exiv2 (Minor issue) + [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524104 NOTE: https://github.com/Exiv2/exiv2/issues/229 - TODO: check CVE-2017-17722 (In Exiv2 0.26, there is a reachable assertion in the readHeader ...) [experimental] - exiv2 (low; bug #891044) - exiv2 (Vulnerable code introduced in 0.26) = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -26,6 +26,8 @@ ffmpeg/stable freeplane Felix Natter is preparing updates, asked in #893663 to send debdiffs for review -- +freeplane +-- gitlab Pirate Praveen will prepare updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e080e98cd46916a5bd67816f74562a0665e666d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e080e98cd46916a5bd67816f74562a0665e666d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
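Review bot: the data/dsa-needed.txt hunk adds a second `freeplane` entry (`+freeplane` / `+--`) directly below the existing `freeplane` entry that already carries the note about Felix Natter preparing updates and #893663, so the package is now listed twice. Either drop the new lines or fold any new information into the existing entry.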
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] firebird postponed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c62de562 by Moritz Muehlenhoff at 2018-04-03T22:25:28+02:00 firebird postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -41835,11 +41835,12 @@ CVE-2017-11510 (An information leak exists in Wanscam's HW0021 network camera th NOT-FOR-US: Wanscam's HW0021 network camera CVE-2017-11509 (An authenticated remote attacker can execute arbitrary code in ...) - firebird3.0 + [stretch] - firebird3.0 (Minor issue, can be fixed along in a future update) - firebird2.5 + [jessie] - firebird2.4 (Minor issue, can be fixed along in a future update) NOTE: https://www.tenable.com/security/research/tra-2017-36 NOTE: Firebird upstream responded to Tenable the issue is not intended to be addressed NOTE: in "any current release". - TODO: check CVE-2017-11508 (SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2 contain a SQL Injection ...) NOT-FOR-US: SecurityCenter CVE-2017-11507 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c62de562657d7a1ce43c5f27c47a86933c22975d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c62de562657d7a1ce43c5f27c47a86933c22975d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
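Review bot: package name mismatch in the second added line, `+ [jessie] - firebird2.4 (Minor issue, can be fixed along in a future update)`; the unstable line it annotates is `- firebird2.5`, and the stretch annotation above it correctly mirrors `firebird3.0`. Unless a `firebird2.4` source package exists in jessie, this should be `[jessie] - firebird2.5 ...`, otherwise the jessie annotation will not attach to the package entry it is meant for.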
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] puppet modules unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3567c990 by Moritz Muehlenhoff at 2018-04-03T22:21:29+02:00 puppet modules unimportant add libslf4j-java to dsa-needed libzypp ignored radare, gpac, leptonlib no-dsa - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1029,14 +1029,20 @@ CVE-2018-8811 (Cross-site request forgery (CSRF) vulnerability in ...) NOT-FOR-US: OpenCMS CVE-2018-8810 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - radare2 + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) [wheezy] - radare2 (vulnerable code not present) NOTE: https://github.com/radare/radare2/issues/9727 CVE-2018-8809 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - - radare2 + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) [wheezy] - radare2 (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9726 CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - - radare2 + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) [wheezy] - radare2 (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9725 CVE-2018-8807 (In libming 0.4.8, these is a use-after-free in the function ...) @@ -3575,6 +3581,8 @@ CVE-2018-7719 (Acrolinx Server before 5.2.5 on Windows allows Directory Traversa NOT-FOR-US: Acrolinx Server CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...) - gpac (bug #892526) + [stretch] - gpac (Minor issue) + [jessie] - gpac (Minor issue) [wheezy] - gpac (vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/997 NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4 
@@ -5470,7 +5478,9 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...) NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2) CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...) {DLA-1302-1} - - leptonlib 1.75.3-2 (bug #890548) + - leptonlib 1.75.3-2 (low; bug #890548) + [stretch] - leptonlib (Minor issue) + [jessie] - leptonlib (Minor issue) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! ...) NOT-FOR-US: Saxum Astro component for Joomla! @@ -7368,9 +7378,9 @@ CVE-2018-6510 CVE-2018-6509 RESERVED CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a ...) - - puppet-module-puppetlabs-apt - - puppet-module-puppetlabs-apache - - puppet-module-puppetlabs-mysql + - puppet-module-puppetlabs-apt (unimportant) + - puppet-module-puppetlabs-apache (unimportant) + - puppet-module-puppetlabs-mysql (unimportant) NOTE: https://puppet.com/security/cve/CVE-2018-6508 NOTE: Issue in various puppet modules: facter_task, puppet_conf, apt, apache and mysql modules NOTE: https://github.com/puppetlabs/puppetlabs-facter_task/commit/dd37c72e78c8a37e671e20becb05d6ceafdbd81c @@ -7378,6 +7388,7 @@ CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a NOTE: https://github.com/puppetlabs/puppetlabs-apt/commit/81879be960d5723016e3d0b4ff155ee704261bbc NOTE: https://github.com/puppetlabs/puppetlabs-apache/commit/81bc5119ceced1faa4bf261efa4b7cd3731ef3ef NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/da3684c79d5fe6ece826e087e8693c75ac40414c + NOTE: This is only exploitable with Puppet Tasks, which aren't packaged/available in Debian CVE-2018-6507 RESERVED CVE-2018-6506 (Cross-Site Scripting (XSS) exists in the Add Forum feature in the ...) 
@@ -14096,12 +14107,16 @@ CVE-2018-3837 RESERVED CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The ...) - leptonlib + [stretch] - leptonlib (Minor issue) + [jessie] - leptonlib (Minor issue) NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might ...) - - leptonlib + - leptonlib (unimportant) NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html + NOTE: Neutralised by kernel hardening CVE-2017-18196 (Leptonica 1.74.4 constructs unintended path
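Review bot: inconsistent severity in the radare2 hunk: CVE-2018-8810 keeps the bare `- radare2` line while CVE-2018-8809 and CVE-2018-8808 are changed to `- radare2 (low)`, even though all three receive identical `[stretch]`/`[jessie] - radare2 (Minor issue)` annotations. If 8810 is being treated the same way, its unstable line should carry `(low)` as well.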
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs (remaining open issues are for webkit, which will probably have an advisory on its own)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: da3dac59 by Moritz Muehlenhoff at 2018-04-03T10:32:42+02:00 NFUs (remaining open issues are for webkit, which will probably have an advisory on it's own) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -13405,7 +13405,7 @@ CVE-2018-4174 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4173 RESERVED CVE-2018-4172 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4171 RESERVED CVE-2018-4170 (An issue was discovered in certain Apple products. macOS before ...) @@ -13413,7 +13413,7 @@ CVE-2018-4170 (An issue was discovered in certain Apple products. macOS before . CVE-2018-4169 RESERVED CVE-2018-4168 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4167 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4166 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) @@ -13421,7 +13421,7 @@ CVE-2018-4166 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4165 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4164 (An issue was discovered in certain Apple products. Xcode before 9.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4163 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4162 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) 
@@ -13451,9 +13451,9 @@ CVE-2018-4151 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4150 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4149 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4148 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4147 RESERVED CVE-2018-4146 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) @@ -13469,19 +13469,19 @@ CVE-2018-4142 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4141 RESERVED CVE-2018-4140 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4139 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2018-4138 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: NVIDIA graphics driver for MacOS CVE-2018-4137 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4136 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2018-4135 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2018-4134 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4133 (An issue was discovered in certain Apple products. Safari before 11.1 ...) TODO: check CVE-2018-4132 (An issue was discovered in certain Apple products. macOS before ...) 
@@ -13501,9 +13501,9 @@ CVE-2018-4126 CVE-2018-4125 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4124 (An issue was discovered in certain Apple products. iOS before 11.2.6 ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4123 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4122 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4121 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) @@ -13517,7 +13517,7 @@ CVE-2018-4118 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4117 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4116 (An issue was discovered in certain Apple products. Safari before 11.1 ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4115 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4114 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) @@ -13529,9 +13529,9 @@ CVE-2018-4112 (An issue was discover
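Review bot: several entries in these hunks keep `TODO: check` (CVE-2018-4165, -4163, -4133, -4125, -4122, -4117) while their neighbours become `NOT-FOR-US: Apple`; the commit message explains that the remaining open ones are WebKit issues waiting for their own advisory, but that reasoning lives only in the commit message. A `NOTE: webkit, see pending advisory` (or similar) line on each of the open entries would stop the next triager from re-checking them against Apple's advisory.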
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 40d87dff by Moritz Muehlenhoff at 2018-04-03T10:24:36+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -13397,11 +13397,11 @@ CVE-2018-4178 CVE-2018-4177 RESERVED CVE-2018-4176 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4175 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4174 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4173 RESERVED CVE-2018-4172 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) @@ -13409,15 +13409,15 @@ CVE-2018-4172 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4171 RESERVED CVE-2018-4170 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4169 RESERVED CVE-2018-4168 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4167 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4166 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4165 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4164 (An issue was discovered in certain Apple products. Xcode before 9.3 is ...) 
@@ -13429,27 +13429,27 @@ CVE-2018-4162 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4161 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4160 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4159 RESERVED CVE-2018-4158 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4157 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4156 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4155 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4154 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4153 RESERVED CVE-2018-4152 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4151 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4150 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4149 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4148 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) 
@@ -13461,33 +13461,33 @@ CVE-2018-4146 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4145 RESERVED CVE-2018-4144 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4143 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4142 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4141 RESERVED CVE-2018-4140 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4139 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4138 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: NVIDIA graphics driver for MacOS CVE-2018-4137 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4136 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4135 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4134 (An issue was discovered in certain Apple products
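Review bot: `NOT-FOR-US: NVIDIA graphics driver for MacOS` for CVE-2018-4138 uses `MacOS` while the CVE descriptions on the same lines write `macOS`; one spelling keeps the file greppable, and the entry is the only one in these hunks that is not a plain `NOT-FOR-US: Apple`, so it is the one people will search for. The blanket `TODO: check` to `NOT-FOR-US: Apple` conversions are otherwise consistent with the surrounding entries.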
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] openjdk fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cec53069 by Moritz Muehlenhoff at 2018-04-03T09:47:19+02:00 openjdk fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17602,6 +17602,7 @@ CVE-2018-2679 (Vulnerability in the Oracle Financial Services Profitability ...) NOT-FOR-US: Oracle Financial Services Applications CVE-2018-2678 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17609,6 +17610,7 @@ CVE-2018-2678 (Vulnerability in the Java SE, Java SE Embedded, JRockit component [wheezy] - openjdk-6 CVE-2018-2677 (Vulnerability in the Java SE, Java SE Embedded component of Oracle ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17652,6 +17654,7 @@ CVE-2018-2664 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component NOT-FOR-US: Oracle CVE-2018-2663 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17710,6 +17713,7 @@ CVE-2018-2642 (Vulnerability in the Oracle Argus Safety component of Oracle Heal NOT-FOR-US: Oracle CVE-2018-2641 (Vulnerability in the Java SE, Java SE Embedded component of Oracle ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 
@@ -17728,6 +17732,7 @@ CVE-2018-2638 (Vulnerability in the Java SE component of Oracle Java SE ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2018-2637 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17739,6 +17744,7 @@ CVE-2018-2635 (Vulnerability in the Oracle Application Object Library component NOT-FOR-US: Oracle CVE-2018-2634 (Vulnerability in the Java SE, Java SE Embedded component of Oracle ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17746,6 +17752,7 @@ CVE-2018-2634 (Vulnerability in the Java SE, Java SE Embedded component of Oracl [wheezy] - openjdk-6 CVE-2018-2633 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17790,6 +17797,7 @@ CVE-2018-2619 (Vulnerability in the Oracle Hospitality Simphony component of Ora NOT-FOR-US: Oracle CVE-2018-2618 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17827,6 +17835,7 @@ CVE-2018-2604 (Vulnerability in the Oracle Hospitality Guest Access component of NOT-FOR-US: Oracle CVE-2018-2603 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 
@@ -17834,6 +17843,7 @@ CVE-2018-2603 (Vulnerability in the Java SE, Java SE Embedded, JRockit component [wheezy] - openjdk-6 CVE-2018-2602 (Vulnerability in the Java SE, Java SE Embedded component of Oracle ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17847,6 +17857,7 @@ CVE-2018-2600 (Vulnerability in the MySQL Server component of Oracle MySQL ...) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2599 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13-1 - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 - openjdk-7 @@ -17878,6 +17889,7 @@ CVE-2018-2589 (Vulnerability in the Oracle Hospitality Simphony component of Ora NOT-FOR-US: Oracle CVE-2018-2588 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) {DSA-4144-1} + [experimental] - openjdk-7 7u171-2.6.13
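Review bot: the `[experimental] - openjdk-7 7u171-2.6.13-1` line is added to every `{DSA-4144-1}` entry in these hunks while the unversioned `- openjdk-7` line below it stays, so unstable is still recorded as open; that is the intended reading, but because the same line is pasted by hand into more than a dozen entries, a quick grep that every CVE carrying `{DSA-4144-1}` received it exactly once would be worthwhile before the next tracker run.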
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new botan issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ab032a9 by Moritz Muehlenhoff at 2018-04-02T22:46:43+02:00 new botan issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -235,7 +235,7 @@ CVE-2018-9129 CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf ...) NOT-FOR-US: DVD X Player Standard CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard ...) - TODO: check + - botan (bug #894648) CVE-2018-9126 RESERVED CVE-2018-9125 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ab032a960ee4dfbd43cc8162d62996a1e6362b5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ab032a960ee4dfbd43cc8162d62996a1e6362b5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
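Review bot: the new `- botan (bug #894648)` line for CVE-2018-9127 records the Debian bug but no upstream reference; the CVE text on the same line already says the wildcard handling was fixed in 2.5.0, so a `NOTE: Fixed in 2.5.0 upstream` plus the upstream advisory or commit, as the other entries in this file carry, would make the later fixed-version update a one-line change.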
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5ab4ae2 by Moritz Muehlenhoff at 2018-04-02T22:43:41+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -70608,7 +70608,7 @@ CVE-2017-2160 CVE-2017-2159 RESERVED CVE-2017-2158 (Improper verification when expanding ZIP64 archives in Lhaplus ...) - TODO: check + NOT-FOR-US: Lhaplus CVE-2017-2157 (Untrusted search path vulnerability in installers for The Public ...) NOT-FOR-US: The Public Certification Service CVE-2017-2156 (Untrusted search path vulnerability in Vivaldi installer for Windows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5ab4ae23735b7e9f64f01bae92aeae2382045b3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5ab4ae23735b7e9f64f01bae92aeae2382045b3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 80e516f8 by Moritz Muehlenhoff at 2018-04-02T22:40:18+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,7 @@ CVE-2018-9231 RESERVED CVE-2018-9230 (In OpenResty before 1.13.6.1, URI parameters were obtained using the ...) - TODO: check + NOT-FOR-US: OpenResty CVE-2018-9229 RESERVED CVE-2018-9228 @@ -95,7 +95,7 @@ CVE-2018-9185 CVE-2018-9184 RESERVED CVE-2018-9183 (The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS. ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2018-9182 RESERVED CVE-2018-9181 @@ -136,7 +136,7 @@ CVE-2018-9165 (The pushdup function in util/decompile.c in libming through 0.4.8 CVE-2018-9164 RESERVED CVE-2018-9163 (A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ...) - TODO: check + NOT-FOR-US: Zoho CVE-2018-9162 (Contec Smart Home 4.15 devices do not require authentication for ...) NOT-FOR-US: Contec Smart Home CVE-2018-9161 (Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers ...) @@ -6741,11 +6741,11 @@ CVE-2018-6663 CVE-2018-6662 RESERVED CVE-2018-6661 (DLL Side-Loading vulnerability in Microsoft Windows Client in McAfee ...) - TODO: check + NOT-FOR-US: McAfee CVE-2018-6660 (Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) ...) - TODO: check + NOT-FOR-US: McAfee CVE-2018-6659 (Reflected Cross-Site Scripting vulnerability in McAfee ePolicy ...) - TODO: check + NOT-FOR-US: McAfee CVE-2018-6658 RESERVED CVE-2018-6758 (The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through ...) 
@@ -8131,11 +8131,11 @@ CVE-2018-6253 (NVIDIA GPU Display Driver contains a vulnerability in DirectX and [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4649 CVE-2018-6252 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6251 (NVIDIA Windows GPU Display Driver contains a vulnerability in DirectX ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6250 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel mode ...) - nvidia-graphics-drivers (bug #894338) [stretch] - nvidia-graphics-drivers (Non-free not supported) @@ -8148,9 +8148,9 @@ CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel mode [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4649 CVE-2018-6248 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6247 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6246 RESERVED CVE-2018-6245 @@ -21222,7 +21222,7 @@ CVE-2018-1297 (When using Distributed Test only (RMI based), Apache JMeter 2.x a CVE-2018-1296 RESERVED CVE-2018-1295 (In Apache Ignite 2.3 or earlier, the serialization mechanism does not ...) - TODO: check + NOT-FOR-US: Apache Ignite CVE-2018-1294 (If a user of Commons-Email (typically an application programmer) ...) - commons-email (Fixed with first upload to Debian) NOTE: https://marc.info/?i=CAF8HOZ+J3NkaywfbHuQpHxK9ZXeT4=4vs9rowcdiudnt1qa...@mail.gmail.com 
@@ -22724,7 +22724,7 @@ CVE-2018-1040 CVE-2018-1039 RESERVED CVE-2018-1038 (The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1037 RESERVED CVE-2018-1036 @@ -24771,7 +24771,7 @@ CVE-2018-0196 (A vulnerability in the web-based user interface (web UI) of Cisco CVE-2018-0195 (A vulnerability in the Cisco IOS XE Software REST API could allow an ...) NOT-FOR-US: Cisco CVE-2018-0194 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0193 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software ...) NOT-FOR-US: Cisco CVE-2018-0192 @@ -77977,7 +77977,7 @@ CVE-2016-8719 (An exploitable reflected Cross-Site Scripting vulnerability exist CVE-2016-8718 (An exploitable Cross-Site Request Forgery vulnerability exists in the ...) NOT-FOR-US: Moxa CVE-2016-8717 (An exploitable
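Review bot: `NOT-FOR-US: Joomla addon` for CVE-2018-9183 is less specific than the neighbouring labels (`NOT-FOR-US: Zoho`, `NOT-FOR-US: Contec Smart Home`, and `NOT-FOR-US: Saxum Astro component for Joomla!` elsewhere in the file); the CVE text on the same line names the product, so `NOT-FOR-US: Joom Sky JS Jobs extension for Joomla!` would follow the file's convention and is what someone searching for that extension will look for.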
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] beep DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 625b012e by Moritz Muehlenhoff at 2018-04-02T22:25:42+02:00 beep DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[02 Apr 2018] DSA-4163-1 beep - security update + {CVE-2018-0492} + [jessie] - beep 1.3-3+deb8u1 + [stretch] - beep 1.3-4+deb9u1 [01 Apr 2018] DSA-4162-1 irssi - security update {CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208 CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054} [stretch] - irssi 1.0.7-1~deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/625b012ec8ad910c6bd8466276789293fb6321ef --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/625b012ec8ad910c6bd8466276789293fb6321ef You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
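Review bot: the DSA-4163-1 entry is well formed (CVE set, jessie and stretch fixed versions), but the commit touches only data/DSA/list (`1 changed file`); if the CVE-2018-0492 entry in data/CVE/list does not yet carry `{DSA-4163-1}`, that should follow so the two files agree and the tracker shows the issue as resolved for both releases.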
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] sam2p ignored
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4001ea96 by Moritz Muehlenhoff at 2018-04-02T22:23:15+02:00 sam2p ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4130,15 +4130,19 @@ CVE-2018-7555 RESERVED CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/29 CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/32 CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping.cpp ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/30 CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads to ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/28 CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ...) - qemu (bug #892041) 
@@ -4349,6 +4353,7 @@ CVE-2018-7488 RESERVED CVE-2018-7487 (There is a heap-based buffer overflow in the LoadPCX function of ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/18 CVE-2018-7486 (Blue River Mura CMS before v7.0.7029 supports inline function calls ...) NOT-FOR-US: Blue River Mura CMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4001ea96673cf4430a1158c4d8fdf4ba649a90fd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4001ea96673cf4430a1158c4d8fdf4ba649a90fd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
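Review bot: the `[jessie] - sam2p (Consider removal in next point release)` lines added to CVE-2018-7554, -7553, -7552, -7551 and -7487 state the planned action but not the rationale, and the same text is repeated five times; since the existing NOTEs only link upstream issues and no fix commits, a short reason (for example that upstream has not fixed them) on at least one entry would make the decision auditable. The commit title says `ignored`, yet no status tag is visible on the added lines in this rendering, which suggests the angle-bracket tag was dropped by the archive; that is fine for the git side, but readers of the list archive should not take these as reason-only lines.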
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new HHVM issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e94bbe4 by Moritz Muehlenhoff at 2018-04-02T17:15:17+02:00 new HHVM issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7809,6 +7809,8 @@ CVE-2018-6335 RESERVED CVE-2018-6334 RESERVED + - hhvm + NOTE: https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html CVE-2018-6333 RESERVED CVE-2018-6332 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4e94bbe45b4d14ce6cd1d7e46bf0d7e75044f9a0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4e94bbe45b4d14ce6cd1d7e46bf0d7e75044f9a0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
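Review bot: the CVE-2018-6334 entry is still `RESERVED`, so it carries no description, and the only context for the new `- hhvm` line is the linked 3.25.2 release post; a one-line `NOTE:` summarising what the issue is, and `Fixed in 3.25.2 upstream` if that is what the post states, would let others verify the package attribution and later fill in the fixed Debian version without following the link.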
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] thrift unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ee12b179 by Moritz Muehlenhoff at 2018-04-02T13:11:11+02:00 thrift unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -88897,11 +88897,13 @@ CVE-2016-5399 (The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x CVE-2016-5398 (Cross-site scripting (XSS) vulnerability in Business Process Editor in ...) NOT-FOR-US: JBoss BPMS CVE-2016-5397 (The Apache Thrift Go client library exposed the potential during code ...) - - thrift-compiler + - thrift-compiler (unimportant) + - thrift (unimportant) NOTE: https://issues.apache.org/jira/browse/THRIFT-3893 NOTE: https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e NOTE: Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present NOTE: src:thrift only present in experimental + NOTE: Go bindings only enabled in 0.9.3-2 (not yet in unstable) CVE-2016-5396 (Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb ...) - trafficserver 7.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee12b1797f1b996b6f8b7ece494d390dbc29853b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee12b1797f1b996b6f8b7ece494d390dbc29853b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
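Review bot: the new `NOTE: Go bindings only enabled in 0.9.3-2 (not yet in unstable)` does not say which source package 0.9.3-2 belongs to, and it sits next to `NOTE: src:thrift only present in experimental` and the garbled `NOTE: Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present`; naming the source package explicitly (`src:...` as the other NOTEs do) and rewording the older NOTE while the entry is being touched would make the `(unimportant)` rationale for both `thrift-compiler` and `thrift` clear.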
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] several web2py issue n/a, mark the existing no-dsa entries as
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5361dc0 by Moritz Muehlenhoff at 2018-04-02T13:04:35+02:00 several web2py issue n/a, mark the existing no-dsa entries as <ignored> unixodbc no-dsa ntp postponed podofo CVE dupe - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2774,10 +2774,9 @@ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/ NOTE: Upstream commit: http://sourceforge.net/p/podofo/code/1909 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...) - - libpodofo (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/13/ - NOTE: Believed to be a dupe of CVE-2017-5886 + NOTE: Upstream tracked this down as a of CVE-2017-5886 CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference ...) - graphite2 1.3.11-2 (bug #892590) [stretch] - graphite2 (Minor issue) @@ -4508,6 +4507,8 @@ CVE-2018-7410 RESERVED CVE-2018-7409 (In unixODBC before 2.3.5, there is a buffer overflow in the ...) - unixodbc (bug #891596) + [stretch] - unixodbc (Minor issue) + [jessie] - unixodbc (Minor issue) [wheezy] - unixodbc (Minor issue) NOTE: Fixed by: https://sourceforge.net/p/unixodbc/code/136/ NOTE: https://github.com/lurcher/unixODBC/commit/4f9f77fb4204659ec9b7be8745d9e05a539c80b9 
@@ -5321,6 +5322,8 @@ CVE-2018-7183 (Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows ...) - ntp 1:4.2.8p11+dfsg-1 + [stretch] - ntp (Can be fixed along in a future update) + [jessie] - ntp (Can be fixed along in a future update) [wheezy] - ntp (Issue not present) - ntpsec 1.0.0+dfsg1-5 NOTE: http://www.kb.cert.org/vuls/id/961909 
@@ -91530,25 +91533,25 @@ CVE-2016-4809 (The archive_read_format_cpio_read_header function in ...) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408 (v3.2.1) CVE-2016-10321 (web2py before 2.14.6 does not properly check if a host is denied before ...) - web2py (bug #860038) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585#issuecomment-284317919 NOTE: https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426 CVE-2016-4808 (Web2py versions 2.14.5 and below was affected by CSRF (Cross Site ...) - web2py (bug #856127) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd CVE-2016-4807 (Web2py versions 2.14.5 and below was affected by Reflected XSS ...) 
- web2py (bug #856127) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1 CVE-2016-4806 (Web2py versions 2.14.5 and below was affected by Local File Inclusion ...) - web2py (bug #856127) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/
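Review bot: the rewritten NOTE for CVE-2018-8000, `Upstream tracked this down as a of CVE-2017-5886`, is missing a word (presumably `dupe`, as in the line it replaces). Removing `- libpodofo (bug #892520)` also leaves the entry without any package line; if CVE-2017-5886 now tracks the fix, saying so explicitly in the NOTE would keep the entry from looking untriaged.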
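Review bot: in the CVE-2016-10321, -4808, -4807 and -4806 hunks the removed and added `[jessie] - web2py (Minor issue; ...)` lines read identically here, so the only change is the status tag the commit message describes (`<ignored>`), which this archive has stripped; the `[wheezy]` lines with the same reason text are left untouched, and it is worth confirming that leaving wheezy on its old status while jessie moves to ignored is intentional rather than an oversight.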
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 95d124f3 by Moritz Muehlenhoff at 2018-04-02T11:10:22+02:00 NFUs drop one TODO, no real information around - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,13 +1,13 @@ CVE-2018-9176 RESERVED CVE-2018-9175 (DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2018-9174 (sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2018-9173 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + NOT-FOR-US: GetSimple CMS CVE-2018-9172 (The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-9171 RESERVED CVE-2018-9170 
@@ -4441,7 +4441,6 @@ CVE-2012-6709 (ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate NOTE: tested links2 against badssl.com, no apparent issue back in wheezy NOTE: src:links2/2.6-1 adds verify-ssl-certs-510417.diff to verify SSL certs. NOTE: src:links2 upstream in 2.11 adds support for verifying SSL certificates. - TODO: double check links2 again, since #694658 claims not all issues are fixed CVE-2018-7422 (A Local File Inclusion vulnerability in the Site Editor plugin through ...) NOT-FOR-US: Site Editor plugin for WordPress CVE-2018-7421 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the DMP dissector ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95d124f34af782268a68006f88ff800c75f051d9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95d124f34af782268a68006f88ff800c75f051d9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
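Review bot: `NOT-FOR-US: Wordpress plugin` for CVE-2018-9172 (first hunk) is less specific than the neighbouring entries; naming the plugin, e.g. `NOT-FOR-US: Iptanus WordPress File Upload plugin` in the style of the second hunk's `NOT-FOR-US: Site Editor plugin for WordPress`, lets a later search for the same plugin find this entry.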
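Review bot: dropping `TODO: double check links2 again, since #694658 claims not all issues are fixed` (links2 hunk, CVE-2012-6709) also drops the entry's only reference to #694658; if the TODO is no longer actionable, keep the bug reference as a NOTE line (e.g. `NOTE: #694658 claims not all issues are fixed in links2`) so the open question stays visible next to the three NOTE lines that argue the issue is handled.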
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] remctl fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c0e1137 by Moritz Muehlenhoff at 2018-04-02T09:29:43+02:00 remctl fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -23896,7 +23896,7 @@ CVE-2018-0494 CVE-2018-0493 RESERVED {DSA-4159-1} - - remctl + - remctl 3.14-1 [jessie] - remctl (Affected code introduced in 3.12) [wheezy] - remctl (Affected code introduced in 3.12) CVE-2018-0492 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c0e1137d4a270e2fdce7e4194ee05569fb02c9e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c0e1137d4a270e2fdce7e4194ee05569fb02c9e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
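Review bot: the context lines `[jessie] - remctl (Affected code introduced in 3.12)` and `[wheezy] - remctl (Affected code introduced in 3.12)` for CVE-2018-0493 are release entries without a version, which the tracker reads as no-dsa; if jessie and wheezy ship remctl older than 3.12, `<not-affected>` with that reason states the situation more precisely than a no-dsa annotation. The unstable fix `3.14-1` added by this hunk is consistent with the DSA covering stretch separately.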
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] two exiv issues no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b1f10613 by Moritz Muehlenhoff at 2018-04-01T23:57:55+02:00 two exiv issues no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -461,7 +461,9 @@ CVE-2018-8977 (In Exiv2 0.26, the Exiv2::Internal::printCsLens function in . - exiv2 (Vulnerable code introduced after 0.25) NOTE: https://github.com/Exiv2/exiv2/issues/247 CVE-2018-8976 (In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial ...) - - exiv2 + - exiv2 (low) + [stretch] - exiv2 (Minor issue) + [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Vulnerable code not present) NOTE: https://github.com/Exiv2/exiv2/issues/246 CVE-2018-8975 (The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through ...) 
@@ -15595,12 +15597,13 @@ CVE-2017-17727 (DedeCMS through 5.6 allows arbitrary file upload and PHP code ex CVE-2017-17726 RESERVED CVE-2017-17725 (In Exiv2 0.26, there is an integer overflow leading to a heap-based ...) - - exiv2 + - exiv2 (low) + [stretch] - exiv2 (Minor issue) + [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1525055 NOTE: https://github.com/Exiv2/exiv2/issues/188 NOTE: https://github.com/Exiv2/exiv2/pull/193 - TODO: check CVE-2017-17724 (In Exiv2 0.26, there is a heap-based buffer over-read in the ...) [experimental] - exiv2 (bug #891783) - exiv2 (Introduced in 0.26) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1f10613d7058358907d3f80bd8297c36739128c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1f10613d7058358907d3f80bd8297c36739128c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
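Review bot: for CVE-2018-8976 (first hunk) jessie is marked `Minor issue` while wheezy says `Vulnerable code not present`; a NOTE recording when the jpgimage.cpp code was introduced, as the CVE-2018-8977 entry does with `Vulnerable code introduced after 0.25`, would let readers verify that jessie's exiv2 is in fact affected rather than also not-affected.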
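Review bot: the CVE-2017-17725 entry (second hunk) links to Exiv2 pull request 193 but the unstable line stays `- exiv2 (low)` with no fixed version; if that pull request is the upstream fix, a `NOTE: Fixed by:` line in the form used elsewhere in this file makes the status clear, and if it is not yet merged the `TODO: check` being removed here was the only marker that the fix status is unknown.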
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c7e2519b by Moritz Muehlenhoff at 2018-04-01T22:24:57+02:00 NFUs - - - - - 554aa805 by Moritz Muehlenhoff at 2018-04-01T22:26:37+02:00 irssi DSA - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20,11 +20,11 @@ CVE-2018-9160 (SickRage before v2018.03.09-1 includes cleartext credentials in H CVE-2018-9159 (In Spark before 2.7.2, a remote attacker can read unintended static ...) NOT-FOR-US: Spark Java framework (unrelated to src:spark) CVE-2018-9158 (An issue was discovered on AXIS M1033-W (IP camera) Firmware version ...) - TODO: check + NOT-FOR-US: AXIS CVE-2018-9157 (** DISPUTED ** An issue was discovered on AXIS M1033-W (IP camera) ...) - TODO: check + NOT-FOR-US: AXIS CVE-2018-9156 (** DISPUTED ** An issue was discovered on AXIS P1354 (IP camera) ...) - TODO: check + NOT-FOR-US: AXIS CVE-2018-9155 RESERVED CVE-2018-9154 @@ -45,7 +45,7 @@ CVE-2018-9151 (A NULL pointer dereference bug in the function ...) CVE-2018-9150 RESERVED CVE-2018-9149 (The Zyxel Multy X (AC3000 Tri-Band WiFi System) device doesn't use a ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2018-9148 (Western Digital WD My Cloud v04.05.00-320 devices embed the session ...) NOT-FOR-US: Western Digital WD My Cloud CVE-2018-9147 (Cross-site scripting (XSS) vulnerabilities in version 7.5.7 of Gespage ...) @@ -6180,7 +6180,7 @@ CVE-2018-6851 CVE-2018-6850 RESERVED CVE-2018-6849 (In the WebRTC component in DuckDuckGo 4.2.0, after visiting a web site ...) - TODO: check + NOT-FOR-US: DuckDuckGo CVE-2018-6848 RESERVED CVE-2018-6847 = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list 
@@ -1,3 +1,6 @@ +[01 Apr 2018] DSA-4162-1 irssi - security update + {CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208 CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054} + [stretch] - irssi 1.0.7-1~deb9u1 [01 Apr 2018] DSA-4161-1 python-django - security update {CVE-2018-7536 CVE-2018-7537} [jessie] - python-django 1.7.11-1+deb8u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/252a0809a6fbbe0aa5cca66cc2491c625366619c...554aa805580ef153d20be1fc83d39bdef5ddabe5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/252a0809a6fbbe0aa5cca66cc2491c625366619c...554aa805580ef153d20be1fc83d39bdef5ddabe5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
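Review bot: the DSA-4162-1 entry resolves nine irssi CVEs for stretch via `1.0.7-1~deb9u1`; for the tracker to apply it, none of those nine CVE entries may still carry a `[stretch] - irssi (Minor issue)` no-dsa line (the ones on CVE-2018-5205 through CVE-2018-5208 were removed in 4b3955ee on this page), so it is worth checking that CVE-2018-7050 through CVE-2018-7054 likewise have no stretch no-dsa line before this lands.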
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ming issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 252a0809 by Moritz Muehlenhoff at 2018-04-01T22:23:38+02:00 new ming issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5,7 +5,8 @@ CVE-2018-9167 CVE-2018-9166 RESERVED CVE-2018-9165 (The pushdup function in util/decompile.c in libming through 0.4.8 does ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/121 CVE-2018-9164 RESERVED CVE-2018-9163 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/252a0809a6fbbe0aa5cca66cc2491c625366619c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/252a0809a6fbbe0aa5cca66cc2491c625366619c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] irssi triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b3955ee by Moritz Muehlenhoff at 2018-04-01T21:19:51+02:00 irssi triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5618,16 +5618,19 @@ CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. CVE-2018-7052 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) {DLA-1289-1} - irssi 1.0.7-1 (bug #890676) + [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa CVE-2018-7051 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) {DLA-1318-1} - irssi 1.0.7-1 (bug #890677) + [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af CVE-2018-7050 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. A ...) {DLA-1289-1} - irssi 1.0.7-1 (bug #890678) + [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/e91da9e4098e449dc36eaa15354aff67650e7703 CVE-2017-18189 (In the startread function in xa.c in Sound eXchange (SoX) through ...) 
@@ -10841,29 +10844,25 @@ CVE-2018-5209 RESERVED CVE-2018-5208 (In Irssi before 1.0.6, a calculation error in the completion code could ...) - irssi 1.0.7-1 (bug #886475) - [stretch] - irssi (Minor issue) - [jessie] - irssi (Minor issue) + [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5207 (When using an incomplete variable argument, Irssi before 1.0.6 may ...) - irssi 1.0.7-1 (bug #886475) - [stretch] - irssi (Minor issue) - [jessie] - irssi (Minor issue) + [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5206 (When the channel topic is set without specifying a sender, Irssi before ...) - irssi 1.0.7-1 (bug #886475) - [stretch] - irssi (Minor issue) - [jessie] - irssi (Minor issue) + [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5205 (When using incomplete escape codes, Irssi before 1.0.6 may access data ...) - irssi 1.0.7-1 (bug #886475) - [stretch] - irssi (Minor issue) - [jessie] - irssi (Minor issue) + [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b3955ee2bbd85297a81e875d78de6d74dc49f32 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b3955ee2bbd85297a81e875d78de6d74dc49f32 You're receiving this email because of your account on salsa.debian.org. 
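Review bot: removing the `[stretch] - irssi (Minor issue)` lines for CVE-2018-5205 through CVE-2018-5208 (second hunk) leaves stretch as open and unfixed until a DSA entry is recorded; pushing the DSA-4162-1 entry in the same change (it follows at 22:26 on this page) avoids a window in which the tracker shows stretch as vulnerable with no planned fix. The `[jessie]` lines in the same hunk are removed and re-added with identical text, which looks like a whitespace-only edit and could be mentioned in the commit message.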
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new imagemagick issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5169697c by Moritz Muehlenhoff at 2018-04-01T15:03:40+02:00 new imagemagick issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -79,7 +79,12 @@ CVE-2018-9135 (In ImageMagick 7.0.7-24 Q16, there is a heap-based buffer over-re CVE-2018-9134 (file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename ...) NOT-FOR-US: DedeCMS CVE-2018-9133 (ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage ...) - TODO: check + - imagemagick (low) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/1072 + NOTE: IM6: https://github.com/ImageMagick/ImageMagick/commit/089fca04e0130549fa15f48ace3f56e30a06049a + NOTE: IM7: https://github.com/ImageMagick/ImageMagick/commit/19b96ba61431914e2ac316b72c0789965f2b7c09 CVE-2018-9132 (libming 0.4.8 has a NULL pointer dereference in the getInt function of ...) - ming NOTE: https://github.com/libming/libming/issues/133 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5169697ca697877d86f84cce53beeb94aa27ef48 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5169697ca697877d86f84cce53beeb94aa27ef48 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
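Review bot: the CVE-2018-9133 hunk records the IM6 and IM7 fix commits and no-dsa lines for stretch and jessie but nothing for wheezy, whereas other entries on this page (e.g. the binutils and exiv2 ones) carry a `[wheezy]` line; either a `[wheezy] - imagemagick (Minor issue)` line or a NOTE that wheezy's ImageMagick lacks the DecodeLabImage code would make the wheezy status explicit instead of implied.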
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 67cd8f05 by Moritz Muehlenhoff at 2018-04-01T15:01:47+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -90,7 +90,7 @@ CVE-2018-9130 (IBOS 4.4.3 has XSS via a company full name. ...) CVE-2018-9129 RESERVED CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf ...) - TODO: check + NOT-FOR-US: DVD X Player Standard CVE-2018-9127 RESERVED CVE-2018-9126 @@ -640,7 +640,7 @@ CVE-2018-8910 CVE-2018-8909 (The Wire application before 2018-03-07 for Android allows attackers to ...) NOT-FOR-US: Wire application for Android CVE-2018-8908 (An issue was discovered in /admin/?/user/add in Frog CMS 0.9.5. The ...) - TODO: check + NOT-FOR-US: Frog CMS CVE-2018-8907 RESERVED CVE-2018-8906 (dsmall v20180320 has XSS via a crafted street address to ...) @@ -674,7 +674,7 @@ CVE-2018-8895 (In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) a CVE-2018-8894 (In 2345 Security Guard 3.6, the driver file (2345BdPcSafe.sys) allows ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8893 (Z-BlogPHP 1.5.1 Zero has CSRF in plugin_edit.php, resulting in the ...) - TODO: check + NOT-FOR-US: Z-BlogPHP CVE-2018-8892 RESERVED CVE-2018-8891 @@ -5333,7 +5333,7 @@ CVE-2018-167 (An improper authorization vulnerability exists in Jenkins vers CVE-2018-7172 (In index.php in WonderCMS before 2.4.1, remote attackers can delete ...) NOT-FOR-US: WonderCMS CVE-2018-7171 (Directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 ...) - TODO: check + NOT-FOR-US: Twonky Server CVE-2018-7170 (ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows ...) - ntp 1:4.2.8p11+dfsg-1 [stretch] - ntp (Minor issue) 
@@ -26339,7 +26339,7 @@ CVE-2017-16616 (An exploitable vulnerability exists in the YAML parsing function CVE-2017-16615 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: MLAlchemy CVE-2017-16614 (SSRF (Server Side Request Forgery) in tpshop 2.0.5 and 2.0.6 allows ...) - TODO: check + NOT-FOR-US: tpshop CVE-2017-16613 (An issue was discovered in middleware.py in OpenStack Swauth through ...) {DSA-4044-1} - swauth 1.2.0-4 (bug #882314) @@ -26644,7 +26644,7 @@ CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabil CVE-2017-16513 (Ipswitch WS_FTP Professional before 12.6.0.3 has buffer overflows in ...) NOT-FOR-US: Ipswitch WS_FTP Professional CVE-2017-16512 (The vagrant update process in Hashicorp vagrant-vmware-fusion 5.0.2 ...) - TODO: check + NOT-FOR-US: vagrant-vmware-fusion CVE-2017-16511 RESERVED CVE-2017-1000171 (Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to ...) @@ -31568,7 +31568,7 @@ CVE-2017-14883 (In the function wma_unified_power_debug_stats_event_handler() in CVE-2017-14882 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14881 (While calling the IPA IOCTL handler for IPA_IOC_ADD_HDR_PROC_CTX in ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2017-14880 RESERVED CVE-2017-14879 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) @@ -71225,11 +71225,11 @@ CVE-2017-1769 (IBM Business Process Manager 8.6 is vulnerable to cross-site requ CVE-2017-1768 RESERVED CVE-2017-1767 (IBM Business Process Manager 8.6 is vulnerable to cross-site ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1766 (Due to incorrect authorization in IBM Business Process Manager 8.6 an ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1765 (IBM Business Process Manager 8.6 could allow an authenticated user ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1764 RESERVED CVE-2017-1763 
@@ -71247,7 +71247,7 @@ CVE-2017-1758 (IBM Financial Transaction Manager for ACH Services for Multi-Plat CVE-2017-1757 (IBM Security Guardium 10.0 is vulnerable to SQL injection. A remote ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1756 (IBM Business Process Manager 8.6 allows web pages to be stored locally ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1755 RESERVED CVE-2017-1754 @@ -71265,7 +71265,7 @@ CVE-2017-1749 CVE-2017-1748 RESERVED CVE-2017-1747 (A specially crafted message could cause a denial of service in IBM ...) - TODO: check + NOT-FOR-US: IBM CVE-2017-1746 (IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is ...) NOT-FOR-US: IBM Jazz for Service Management CVE-2017-1745
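Review bot: `NOT-FOR-US: IBM` for CVE-2017-1767, CVE-2017-1766, CVE-2017-1765, CVE-2017-1756 and CVE-2017-1747 is less specific than the neighbouring entries (`NOT-FOR-US: IBM Security Guardium`, `NOT-FOR-US: IBM Jazz for Service Management`); the first four descriptions name IBM Business Process Manager 8.6, so `NOT-FOR-US: IBM Business Process Manager` keeps the list consistent, while the truncated CVE-2017-1747 description names no product and can stay as is.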
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cb23bb7 by Moritz Muehlenhoff at 2018-04-01T14:57:14+02:00 NFUs - - - - - 9be04ab5 by Moritz Muehlenhoff at 2018-04-01T14:57:52+02:00 historic docker notary issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3,13 +3,13 @@ CVE-2018-9164 CVE-2018-9163 RESERVED CVE-2018-9162 (Contec Smart Home 4.15 devices do not require authentication for ...) - TODO: check + NOT-FOR-US: Contec Smart Home CVE-2018-9161 (Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers ...) - TODO: check + NOT-FOR-US: Prisma Industriale Checkweigher PrismaWEB CVE-2018-9160 (SickRage before v2018.03.09-1 includes cleartext credentials in HTTP ...) - TODO: check + NOT-FOR-US: SickRage CVE-2018-9159 (In Spark before 2.7.2, a remote attacker can read unintended static ...) - TODO: check + NOT-FOR-US: Spark Java framework (unrelated to src:spark) CVE-2018-9158 RESERVED CVE-2018-9157 
@@ -26,9 +26,9 @@ CVE-2017-18255 (The perf_cpu_time_max_percent_handler function in kernel/events/ - linux 4.11.6-1 NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1572e45a924f254d9570093abde46430c3172e3d CVE-2015-9259 (In Docker Notary before 0.1, the checkRoot function in ...) - TODO: check + - notary 0.1~ds1-1 CVE-2015-9258 (In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature ...) - TODO: check + - notary 0.1~ds1-1 CVE-2018-9152 RESERVED CVE-2018-9151 (A NULL pointer dereference bug in the function ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/102bc397f860f951d2a2163fe65095581c6e7c08...9be04ab568cbfcec122c448433bdf91215d9c088 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/102bc397f860f951d2a2163fe65095581c6e7c08...9be04ab568cbfcec122c448433bdf91215d9c088 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
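Review bot: CVE-2015-9259 and CVE-2015-9258 (second hunk) are marked fixed in `notary 0.1~ds1-1`, i.e. fixed as of the Debian upload of 0.1, but the entries carry no reference; a NOTE pointing at the upstream fix commits would make the "Docker Notary before 0.1" claim checkable, as is done for the CVE-2017-18255 kernel entry in the context lines above it.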
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] libevt DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 102bc397 by Moritz Muehlenhoff at 2018-04-01T14:50:53+02:00 libevt DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[01 Apr 2018] DSA-4160-1 libevt - security update + {CVE-2018-8754} + [stretch] - libevt 20170120-1+deb9u1 [01 Apr 2018] DSA-4159-1 remctl - security update {CVE-2018-0493} [stretch] - remctl 3.13-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/102bc397f860f951d2a2163fe65095581c6e7c08 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/102bc397f860f951d2a2163fe65095581c6e7c08 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] remctl DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 90a0192a by Moritz Muehlenhoff at 2018-04-01T14:09:13+02:00 remctl DSA - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -23866,6 +23866,9 @@ CVE-2018-0494 RESERVED CVE-2018-0493 RESERVED + - remctl + [jessie] - remctl (Affected code introduced in 3.12) + [wheezy] - remctl (Affected code introduced in 3.12) CVE-2018-0492 RESERVED CVE-2018-0491 (A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. ...) = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[01 Apr 2018] DSA-4159-1 remctl - security update + {CVE-2018-0493} + [stretch] - remctl 3.13-1+deb9u1 [29 Mar 2018] DSA-4158-1 openssl1.0 - security update {CVE-2018-0739} [stretch] - openssl1.0 1.0.2l-2+deb9u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90a0192a108d998bb91f5d701aad1c90d33ea44a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90a0192a108d998bb91f5d701aad1c90d33ea44a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
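Review bot: the new CVE-2018-0493 line `- remctl` (first hunk) has no fixed version although the DSA hunk in the same commit records stretch as fixed in `3.13-1+deb9u1`; the unstable fix `3.14-1` is only added in 3c0e1137 later on this page, so including it here would avoid the tracker showing unstable as unfixed in between. The `[jessie]`/`[wheezy] - remctl (Affected code introduced in 3.12)` lines read as no-dsa; `<not-affected>` with that reason would express the intent more precisely if those releases predate 3.12.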
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: new logstash issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d680181 by Moritz Muehlenhoff at 2018-03-31T22:35:27+02:00 new logstash issue - - - - - 19fcf524 by Moritz Muehlenhoff at 2018-03-31T22:38:52+02:00 new imagemagick issue NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -61,9 +61,11 @@ CVE-2018-9137 CVE-2018-9136 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) NOT-FOR-US: Jungo CVE-2018-9135 (In ImageMagick 7.0.7-24 Q16, there is a heap-based buffer over-read in ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/commit/4f7196b0b7539b113f2580b6a77aa496813d8899 + NOTE: webp support not enabled, see #806425 CVE-2018-9134 (file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2018-9133 (ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage ...) TODO: check CVE-2018-9132 (libming 0.4.8 has a NULL pointer dereference in the getInt function of ...) 
@@ -13965,7 +13967,7 @@ CVE-2018-3819 (The fix in Kibana for ESA-2017-23 was incomplete. With X-Pack sec CVE-2018-3818 (Kibana versions 5.1.1 to 6.1.2 and 5.6.6 had a cross-site scripting ...) - kibana (bug #700337) CVE-2018-3817 (When logging warnings regarding deprecated settings, Logstash before ...) - TODO: check + - logstash (bug #664841) CVE-2017-18017 (The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the ...) - linux 4.11.6-1 [stretch] - linux 4.9.47-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bbdb925e2ca9d81aa80cb0cf744d22b6453a0242...19fcf524572347bbed5e253bdbb37fd08a0ed6c9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bbdb925e2ca9d81aa80cb0cf744d22b6453a0242...19fcf524572347bbed5e253bdbb37fd08a0ed6c9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
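Review bot: `- logstash (bug #664841)` (second hunk) mirrors the adjacent `- kibana (bug #700337)` context line; if those bug numbers are ITP bugs for packages not in the archive, the tracker's `<itp>` marker (`- logstash <itp> (bug #664841)`) states that explicitly instead of leaving the package looking unfixed in unstable.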
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new linux issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bbdb925e by Moritz Muehlenhoff at 2018-03-31T22:25:35+02:00 new linux issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -11,7 +11,8 @@ CVE-2018-9154 CVE-2018-9153 RESERVED CVE-2017-18255 (The perf_cpu_time_max_percent_handler function in kernel/events/core.c ...) - TODO: check + - linux 4.11.6-1 + NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1572e45a924f254d9570093abde46430c3172e3d CVE-2015-9259 RESERVED CVE-2015-9258 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bbdb925e2ca9d81aa80cb0cf744d22b6453a0242 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bbdb925e2ca9d81aa80cb0cf744d22b6453a0242 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
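Review bot: CVE-2017-18255 gets only an unstable fix version (`linux 4.11.6-1`) and the upstream commit; stretch ships the 4.9 kernel, so a `[stretch]` line is needed as well, in the form used for CVE-2017-18017 on this page (`[stretch] - linux 4.9.47-1`), or a NOTE explaining why stretch is not affected.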
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ming issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e1b97c29 by Moritz Muehlenhoff at 2018-03-31T22:13:46+02:00 new ming issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -66,7 +66,8 @@ CVE-2018-9134 (file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename CVE-2018-9133 (ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage ...) TODO: check CVE-2018-9132 (libming 0.4.8 has a NULL pointer dereference in the getInt function of ...) - TODO: check + - ming + NOTE: https://github.com/libming/libming/issues/133 CVE-2018-9131 RESERVED CVE-2018-9130 (IBOS 4.4.3 has XSS via a company full name. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1b97c29ff552284ea5389db2d3e2289a856d685 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1b97c29ff552284ea5389db2d3e2289a856d685 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: new binutils issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c282901d by Moritz Muehlenhoff at 2018-03-31T22:02:00+02:00 new binutils issue - - - - - 22d4b8ef by Moritz Muehlenhoff at 2018-03-31T22:12:47+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -50,7 +50,11 @@ CVE-2018-9140 (On Samsung mobile devices with M(6.0) software, the Email applica CVE-2018-9139 (On Samsung mobile devices with N(7.x) software, a buffer overflow in ...) NOT-FOR-US: Samsung CVE-2018-9138 (An issue was discovered in cplus-dem.c in GNU libiberty, as distributed ...) - TODO: check + - binutils (low) + [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23008 CVE-2018-9137 RESERVED CVE-2018-9136 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/56821d177e3963fffa8ae392d3a6ca8739e63c65...22d4b8efc6ee4e773ab0b742b5df3d7cf27fe2f8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/56821d177e3963fffa8ae392d3a6ca8739e63c65...22d4b8efc6ee4e773ab0b742b5df3d7cf27fe2f8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new exiv issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d79ec54 by Moritz Muehlenhoff at 2018-03-31T21:49:37+02:00 new exiv issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -11,11 +11,16 @@ CVE-2018-9148 (Western Digital WD My Cloud v04.05.00-320 devices embed the sessi CVE-2018-9147 (Cross-site scripting (XSS) vulnerabilities in version 7.5.7 of Gespage ...) NOT-FOR-US: Gespage CVE-2018-9146 (In Exiv2 0.26, there is an out-of-bounds read in ...) - TODO: check + - exiv2 + NOTE: https://github.com/Exiv2/exiv2/issues/254 + NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2 CVE-2018-9145 (In Exiv2 0.26, there is a reachable assertion abort in the function ...) - TODO: check + - exiv2 + NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2 CVE-2018-9144 (In Exiv2 0.26, there is an out-of-bounds read in ...) - TODO: check + - exiv2 + NOTE: https://github.com/Exiv2/exiv2/issues/254 + NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2 CVE-2018-9143 (On Samsung mobile devices with M(6.0) and N(7.x) software, a heap ...) NOT-FOR-US: Samsung CVE-2018-9142 (On Samsung mobile devices with N(7.x) software, attackers can install ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d79ec54a7628e2e6e4e17f14cad586bd2280fbe --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d79ec54a7628e2e6e4e17f14cad586bd2280fbe You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
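Review bot: CVE-2018-9145 is recorded with only the `https://github.com/xiaoqx/pocs/tree/master/exiv2` NOTE, whereas CVE-2018-9146 and CVE-2018-9144 also link upstream issue 254; when an upstream issue exists for the reachable assertion, adding it (and, later, a `NOTE: Fixed by:` line) keeps the three entries equally traceable, since a PoC repository alone says nothing about fix status.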
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: ruby fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b504ebdb by Moritz Muehlenhoff at 2018-03-31T21:30:42+02:00 ruby fixed - - - - - 816b9175 by Moritz Muehlenhoff at 2018-03-31T21:41:27+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,15 +1,15 @@ CVE-2018-9152 RESERVED CVE-2018-9151 (A NULL pointer dereference bug in the function ...) - TODO: check + NOT-FOR-US: Kingsoft Internet Security CVE-2018-9150 RESERVED CVE-2018-9149 RESERVED CVE-2018-9148 (Western Digital WD My Cloud v04.05.00-320 devices embed the session ...) - TODO: check + NOT-FOR-US: Western Digital WD My Cloud CVE-2018-9147 (Cross-site scripting (XSS) vulnerabilities in version 7.5.7 of Gespage ...) - TODO: check + NOT-FOR-US: Gespage CVE-2018-9146 (In Exiv2 0.26, there is an out-of-bounds read in ...) TODO: check CVE-2018-9145 (In Exiv2 0.26, there is a reachable assertion abort in the function ...) 
@@ -17,21 +17,21 @@ CVE-2018-9145 (In Exiv2 0.26, there is a reachable assertion abort in the functi CVE-2018-9144 (In Exiv2 0.26, there is an out-of-bounds read in ...) TODO: check CVE-2018-9143 (On Samsung mobile devices with M(6.0) and N(7.x) software, a heap ...) - TODO: check + NOT-FOR-US: Samsung CVE-2018-9142 (On Samsung mobile devices with N(7.x) software, attackers can install ...) - TODO: check + NOT-FOR-US: Samsung CVE-2018-9141 (On Samsung mobile devices with L(5.x), M(6.0), and N(7.x) software, ...) - TODO: check + NOT-FOR-US: Samsung CVE-2018-9140 (On Samsung mobile devices with M(6.0) software, the Email application ...) - TODO: check + NOT-FOR-US: Samsung CVE-2018-9139 (On Samsung mobile devices with N(7.x) software, a buffer overflow in ...) - TODO: check + NOT-FOR-US: Samsung CVE-2018-9138 (An issue was discovered in cplus-dem.c in GNU libiberty, as distributed ...) TODO: check CVE-2018-9137 RESERVED CVE-2018-9136 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) - TODO: check + NOT-FOR-US: Jungo CVE-2018-9135 (In ImageMagick 7.0.7-24 Q16, there is a heap-based buffer over-read in ...) TODO: check CVE-2018-9134 (file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename ...) @@ -43,7 +43,7 @@ CVE-2018-9132 (libming 0.4.8 has a NULL pointer dereference in the getInt functi CVE-2018-9131 RESERVED CVE-2018-9130 (IBOS 4.4.3 has XSS via a company full name. ...) - TODO: check + NOT-FOR-US: IBOS CVE-2018-9129 RESERVED CVE-2018-9128 @@ -69,9 +69,9 @@ CVE-2018-9119 CVE-2018-9118 RESERVED CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote ...) - TODO: check + NOT-FOR-US: WireMock CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote ...) - TODO: check + NOT-FOR-US: WireMock CVE-2018-9115 RESERVED CVE-2018-9114 
@@ -807,7 +807,7 @@ CVE-2018-1000135 (GNOME NetworkManager version 1.10.2 and earlier contains a Inf CVE-2018-8821 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) NOT-FOR-US: windrvr1260.sys in Jungo DriverWizard WinDriver CVE-2018-8820 (An issue was discovered in Square 9 GlobalForms 6.2.x. A Time Based ...) - TODO: check + NOT-FOR-US: Square 9 CVE-2018-8819 RESERVED CVE-2018-8818 @@ -903,28 +903,28 @@ CVE-2018-8781 RESERVED CVE-2018-8780 [ruby: Unintentional directory traversal by poisoned NUL byte in Dir] RESERVED - - ruby2.5 + - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/ CVE-2018-8779 [ruby: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket] RESERVED - - ruby2.5 + - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/ CVE-2018-8778 [ruby: Buffer under-read in String#unpack] RESERVED - - ruby2.5 + - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/ CVE-2018-8777 [ruby: DoS by large request in WEBrick] RESERVED - - ruby2.5 + - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 @@ -5159,7 +5159,7 @@ CVE-2018-7205 (** DISPUTED ** Reflected Cross-Site Scripting vulnerability in .. CVE-2018-7204 (inc/logger.php in the Giribaz File Manager plugin before 5.0.2 for
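Review bot: in the CVE-2018-8780 through CVE-2018-8777 hunks only ruby2.5 gains the fixed version 2.5.1-1; ruby2.3, ruby2.1 and ruby1.9.1 stay open with no version and no [stretch]/[jessie] status line, so the tracker will keep reporting all four issues as unfixed in every suite. If that is intended pending the stable update (the companion dsa-needed commit below adds ruby2.3/stable next to the existing ruby2.1/oldstable entry) it is fine; otherwise add the suite lines now.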
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add ruby to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bb333a5 by Moritz Muehlenhoff at 2018-03-31T18:00:36+02:00 add ruby to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -82,6 +82,8 @@ ruby-loofah -- ruby2.1/oldstable -- +ruby2.3/stable +-- sharutils (luciano) Maintainer proposed debdiff for review for stretch-security. Pending request back for jessie-security View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9bb333a50b28a7eac13eee962ab2d679f21e83ab
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ruby issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f9845649 by Moritz Muehlenhoff at 2018-03-31T17:59:57+02:00 new ruby issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -901,8 +901,13 @@ CVE-2018-8782 RESERVED CVE-2018-8781 RESERVED -CVE-2018-8780 +CVE-2018-8780 [ruby: Unintentional directory traversal by poisoned NUL byte in Dir] RESERVED + - ruby2.5 + - ruby2.3 + - ruby2.1 + - ruby1.9.1 + NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/ CVE-2018-8779 [ruby: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket] RESERVED - ruby2.5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f984564932b03a3494fba70fa91bd9dff1a79c8b
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ruby issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 293db617 by Moritz Muehlenhoff at 2018-03-31T17:58:56+02:00 new ruby issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -903,8 +903,13 @@ CVE-2018-8781 RESERVED CVE-2018-8780 RESERVED -CVE-2018-8779 +CVE-2018-8779 [ruby: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket] RESERVED + - ruby2.5 + - ruby2.3 + - ruby2.1 + - ruby1.9.1 + NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/ CVE-2018-8778 [ruby: Buffer under-read in String#unpack] RESERVED - ruby2.5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/293db6175dec4aa5f2ca562d8e41a599c546f5d2
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ruby issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a3ceda1b by Moritz Muehlenhoff at 2018-03-31T17:57:49+02:00 new ruby issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -905,8 +905,13 @@ CVE-2018-8780 RESERVED CVE-2018-8779 RESERVED -CVE-2018-8778 +CVE-2018-8778 [ruby: Buffer under-read in String#unpack] RESERVED + - ruby2.5 + - ruby2.3 + - ruby2.1 + - ruby1.9.1 + NOTE: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/ CVE-2018-8777 [ruby: DoS by large request in WEBrick] RESERVED - ruby2.5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3ceda1b0f35eb37786ee9204c705981e1899d95
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ruby issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c1ec75d by Moritz Muehlenhoff at 2018-03-30T11:05:12+02:00 new ruby issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15452,8 +15452,13 @@ CVE-2017-17744 (A cross-site scripting (XSS) vulnerability in the custom-map plu NOT-FOR-US: custom-map plugin for WordPress CVE-2017-17743 (Improper input sanitization within the restricted administration shell ...) NOT-FOR-US: UCOPIA Wireless Appliance -CVE-2017-17742 +CVE-2017-17742 [ruby: HTTP response splitting in WEBrick] RESERVED + - ruby2.5 + - ruby2.3 + - ruby2.1 + - ruby1.9.1 + NOTE: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/ CVE-2017-17741 (The KVM implementation in the Linux kernel through 4.14.7 allows ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c1ec75d4896a95041aced156ced1254db9da15c
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ruby issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9dea7af2 by Moritz Muehlenhoff at 2018-03-30T11:03:38+02:00 new ruby issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -889,8 +889,13 @@ CVE-2018-8779 RESERVED CVE-2018-8778 RESERVED -CVE-2018-8777 +CVE-2018-8777 [ruby: DoS by large request in WEBrick] RESERVED + - ruby2.5 + - ruby2.3 + - ruby2.1 + - ruby1.9.1 + NOTE: https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/ CVE-2018- [Multiple vulnerabilities in CiviCRM] - civicrm 4.7.30+dfsg-1 (bug #887330) NOTE: https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9dea7af284f8489a0b44c386014ad9cd08797de8
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new ruby issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 114c743b by Moritz Muehlenhoff at 2018-03-30T11:02:07+02:00 new ruby issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5889,8 +5889,13 @@ CVE-2018-6916 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p7, 10.4-STABLE, ...) NOTE: kfreebsd not covered by security support CVE-2018-6915 RESERVED -CVE-2018-6914 +CVE-2018-6914 [Unintentional file and directory creation with directory traversal in tempfile and tmpdir] RESERVED + - ruby2.5 + - ruby2.3 + - ruby2.1 + - ruby1.9.1 + NOTE: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/ CVE-2018-163 REJECTED CVE-2017-18179 (Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/114c743b908f60b20763f8b2af852e5dd47f0a2f
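Review bot: the bracketed title added for CVE-2018-6914 lacks the "ruby: " prefix that the other entries from the same upstream advisory batch carry (CVE-2018-8777 "[ruby: DoS by large request in WEBrick]", CVE-2018-8778, CVE-2018-8779, CVE-2018-8780, CVE-2017-17742); prefix it the same way, e.g. "[ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir]", so searches on the package name find all six issues.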
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lrzip unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fdd8aca5 by Moritz Muehlenhoff at 2018-03-30T09:32:43+02:00 lrzip unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -133,11 +133,9 @@ CVE-2018-9060 CVE-2018-9059 RESERVED CVE-2018-9058 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop in the ...) - - lrzip - [stretch] - lrzip (Minor issue) - [jessie] - lrzip (Minor issue) - [wheezy] - lrzip (Minor issue) + - lrzip (unimportant) NOTE: https://github.com/ckolivas/lrzip/issues/93 + NOTE: No security impact CVE-2018-7600 (Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x ...) {DSA-4156-1 DLA-1325-1} - drupal7 7.58-1 (bug #894259) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fdd8aca55250d1d54147e1248d982d091861f49e
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new nodejs issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 920f560e by Moritz Muehlenhoff at 2018-03-29T11:38:17+02:00 new nodejs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5235,12 +5235,18 @@ CVE-2018-7162 RESERVED CVE-2018-7161 RESERVED -CVE-2018-7160 +CVE-2018-7160 [Inspector DNS rebinding] RESERVED + - nodejs (unimportant) + [stretch] - nodejs (Vulnerable code not present) + [jessie] - nodejs (Vulnerable code not present) + [wheezy] - nodejs (Vulnerable code not present) CVE-2018-7159 RESERVED + - nodejs (unimportant) CVE-2018-7158 RESERVED + - nodejs 6.0.0~dfsg-1 (unimportant) CVE-2018-7157 RESERVED CVE-2018-7156 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/920f560ec433e48794bb70ffc171bf71f0af04ab
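Review bot: none of the three nodejs hunks records a NOTE with the upstream advisory or the reasoning behind "unimportant", and CVE-2018-7159 and CVE-2018-7158 do not even get a bracketed title, unlike CVE-2018-7160 "[Inspector DNS rebinding]". Other entries in this file justify a downgrade in place (the lrzip commit adds "NOTE: No security impact" next to its "(unimportant)"); add a reference URL and a short rationale to each, and a title to the two RESERVED entries, so a later reader can verify the severity call without re-deriving it.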
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ca12b444 by Moritz Muehlenhoff at 2018-03-28T22:31:09+02:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[28 Mar 2018] DSA-4155-1 thunderbird - security update + {CVE-2018-5125 CVE-2018-5127 CVE-2018-5129 CVE-2018-5144 CVE-2018-5145 CVE-2018-5146} + [jessie] - thunderbird 1:52.7.0-1~deb8u1 + [stretch] - thunderbird 1:52.7.0-1~deb9u1 [28 Mar 2018] DSA-4154-1 net-snmp - security update {CVE-2015-5621 CVE-2018-1000116} [jessie] - net-snmp 5.7.2.1+dfsg-1+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -101,8 +101,6 @@ sqlite3/oldstable -- sssd/stable -- -thunderbird (jmm) --- tomcat7/oldstable -- tomcat8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ca12b444df0263046f5ff77944c2feb2a8faa3ae
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] nm no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 04168784 by Moritz Muehlenhoff at 2018-03-27T22:40:15+02:00 nm no-dsa imagemagick no-dsa jasper unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3,8 +3,9 @@ CVE-2018-9057 (aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terra CVE-2018-9056 (Systems with microprocessors utilizing speculative execution may allow ...) TODO: check CVE-2018-9055 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...) - - jasper + - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/172 + NOTE: Negligable impact CVE-2018-9054 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the ...) NOT-FOR-US: Windows Master (aka Windows Optimization Master) CVE-2018-9053 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the ...) @@ -83,7 +84,9 @@ CVE-2017-18253 (An issue was discovered in ImageMagick 7.0.7. A NULL pointer ... NOTE: https://github.com/ImageMagick/ImageMagick/issues/794 NOTE: https://github.com/ImageMagick/ImageMagick/commit/de5deab202c340162b65f65bafbbe17b1eda2c1a CVE-2017-18252 (An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList ...) - - imagemagick + - imagemagick (low) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/802 NOTE: https://github.com/ImageMagick/ImageMagick/commit/12f34b60564de1cbec08e23e2413dab5b64daeb7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bb04ccb34fd45e9c3020786857fb79b09f44d7db 
@@ -234,7 +237,9 @@ CVE-2018-8961 (In libming 0.4.8, the decompilePUSHPARAM function of decompile.c - ming NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8960 (The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-26 Q16 ...) - - imagemagick 8:6.9.9.39+dfsg-1 + - imagemagick 8:6.9.9.39+dfsg-1 (low) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1020 NOTE: https://github.com/ImageMagick/ImageMagick/commit/23f6beef78cfe806cabc090a015e73557d60788e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7c0b29f621ebcce1a35c0e6c1992c9043b3bb1bd @@ -591,6 +596,8 @@ CVE-2018-8822 (Incorrect buffer length handling in the ncp_read_kernel function - linux CVE-2018-1000135 (GNOME NetworkManager version 1.10.2 and earlier contains a Information ...) - network-manager + [stretch] - network-manager (Minor issue) + [jessie] - network-manager (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=746422 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1553634 
@@ -637,7 +644,9 @@ CVE-2018-8806 (In libming 0.4.8, there is a use-after-free in the ...) CVE-2018-8805 (Yxcms building system (compatible cell phone) v1.4.7 has XSS via the ...) NOT-FOR-US: Yxcms CVE-2018-8804 (WriteEPTImage in coders/ept.c in ImageMagick 7.0.7-25 Q16 allows remote ...) - - imagemagick 8:6.9.9.39+dfsg-1 + - imagemagick 8:6.9.9.39+dfsg-1 (low) + [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/commit/f55d3a622d234e940fb99325b92c6d3df578fa9b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6355db269e03f879c516cf9d592c72e157bc75d6 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1025 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/041687847aed2515ffcb187b696125f6f83b6b6c
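Review bot: the NOTE added under CVE-2018-9055 in the first hunk misspells "Negligible" as "Negligable"; since these NOTE lines are rendered on the public tracker page, correct it to "NOTE: Negligible impact". The ImageMagick hunks (CVE-2017-18252, CVE-2018-8960, CVE-2018-8804) and the network-manager hunk for CVE-2018-1000135 all add "[stretch]"/"[jessie]" "(Minor issue)" no-dsa lines, but the three ImageMagick entries also gain a "(low)" severity on the unstable line while network-manager keeps none; if the same reasoning applies there, add the severity for consistency.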
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: firefox DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 989c7170 by Moritz Muehlenhoff at 2018-03-27T22:05:59+02:00 firefox DSA - - - - - 951a734f by Moritz Muehlenhoff at 2018-03-27T22:18:41+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[27 Mar 2018] DSA-4153-1 firefox-esr - security update + {CVE-2018-5148} + [stretch] - firefox-esr 52.7.3esr-1~deb9u1 + [jessie] - firefox-esr 52.7.3esr-1~deb8u1 [27 Mar 2018] DSA-4152-1 mupdf - security update {CVE-2018-6544 CVE-2018-151} [jessie] - mupdf 1.5-1+deb8u4 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -26,8 +26,6 @@ dokuwiki/oldstable ffmpeg/stable Wait for next 3.2.x release -- -firefox-esr --- gitlab Pirate Praveen will prepare updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f0a62418c03df7585e299caf78317beb782498a1...951a734fe990849b56fcea79a41b7454a2704760
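Review bot: the unchanged context line for DSA-4152-1 mupdf lists "CVE-2018-151", which is not a well-formed CVE identifier (the sequence part is at least four digits), so it will not match any entry in data/CVE/list; this hunk does not touch it, but it is worth confirming the intended ID in data/DSA/list while the file is being edited. The new DSA-4153-1 block itself is consistent with the neighbouring entries (date, advisory, CVE set, per-suite versions).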
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add references to upstream fixes
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fdb7559 by Moritz Muehlenhoff at 2018-03-27T16:28:13+02:00 add references to upstream fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22896,6 +22896,8 @@ CVE-2018-0739 - openssl - openssl1.0 NOTE: https://www.openssl.org/news/secadv/20180327.txt + NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33 + NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d CVE-2018-0738 RESERVED CVE-2018-0737 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2fdb7559195de3f869330db3267ed250cac841b7
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new openssl issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7666247e by Moritz Muehlenhoff at 2018-03-27T16:23:17+02:00 new openssl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22893,6 +22893,9 @@ CVE-2018-0740 RESERVED CVE-2018-0739 RESERVED + - openssl + - openssl1.0 + NOTE: https://www.openssl.org/news/secadv/20180327.txt CVE-2018-0738 RESERVED CVE-2018-0737 @@ -22905,6 +22908,9 @@ CVE-2018-0734 RESERVED CVE-2018-0733 RESERVED + - openssl (Specific to HP-UX) + - openssl1.0 (Specific to HP-UX) + NOTE: https://www.openssl.org/news/secadv/20180327.txt CVE-2018-0732 RESERVED CVE-2018-0731 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7666247e39db020d6b3a4e138eed66a4936f50c4
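Review bot: the CVE-2018-0733 hunk marks openssl and openssl1.0 with the free-text qualifier "(Specific to HP-UX)" but no severity, so the entry still counts as an open issue for both packages in the tracker; if the intent is that Debian builds are not affected, the file's own convention is a status like "(unimportant)" or "(Vulnerable code not present)" plus the NOTE, as the netpbm-free and nodejs entries elsewhere in this series do. The CVE-2018-0739 hunk leaves both packages without a fixed version, which the follow-up "add references to upstream fixes" commit does not change either, so a version will still need to be recorded once the upload happens.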
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new exiv2 issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f8c2afcb by Moritz Muehlenhoff at 2018-03-26T23:06:24+02:00 new exiv2 issues netpbm n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -91,11 +91,15 @@ CVE-2018-8979 (Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifyin CVE-2018-8978 (Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an ...) NOT-FOR-US: Open-AudIT Professional CVE-2018-8977 (In Exiv2 0.26, the Exiv2::Internal::printCsLens function in ...) - TODO: check + [experimental] - exiv2 + - exiv2 (Vulnerable code introduced after 0.25) + NOTE: https://github.com/Exiv2/exiv2/issues/247 CVE-2018-8976 (In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial ...) - TODO: check + - exiv2 + NOTE: https://github.com/Exiv2/exiv2/issues/246 CVE-2018-8975 (The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through ...) - TODO: check + - netpbm-free (Vulnerable code not present) + NOTE: Debian uses an unaffected fork CVE-2018-8974 RESERVED CVE-2018-8973 (OTCMS 3.20 allows XSS by adding a keyword or link to an article, as ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8c2afcbd231620c26f29f51d0b39405afc0f910
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 15d3ece4 by Moritz Muehlenhoff at 2018-03-26T23:01:46+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -226,7 +226,7 @@ CVE-2018-8939 CVE-2018-8938 RESERVED CVE-2018-8937 (An issue was discovered in Open-AudIT Professional 2.1. It is possible ...) - TODO: check + NOT-FOR-US: Open-AudIT Professional CVE-2018-8936 (The AMD EPYC Server, Ryzen, Ryzen Pro, and Ryzen Mobile processor chips ...) NOT-FOR-US: AMD CVE-2018-8935 (The Promontory chipset, as used in AMD Ryzen and Ryzen Pro platforms, ...) @@ -3162,7 +3162,7 @@ CVE-2018-7675 (In NetIQ Sentinel before 8.1.x, a Sentinel user is logged into th CVE-2018-7674 RESERVED CVE-2018-7673 (The NetIQ Identity Manager communication channel, in versions prior to ...) - TODO: check + NOT-FOR-US: NetIQ Identity Manager CVE-2017-18218 (In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel ...) - linux 4.13.4-1 [jessie] - linux (Vulnerable code not present) @@ -3661,7 +3661,7 @@ CVE-2018-7544 (** DISPUTED ** A cross-protocol scripting issue was discovered in NOTE: affected problematic configurations in both the documentation and with NOTE: a runtime warning. CVE-2018-7543 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-7539 RESERVED CVE-2018-7538 (A SQL injection vulnerability in the tracker functionality of Enalean ...) 
@@ -9668,31 +9668,31 @@ CVE-2018-5476 (A Stack-based Buffer Overflow issue was discovered in Delta Elect CVE-2018-5475 (A Stack-based Buffer Overflow issue was discovered in GE D60 Line ...) NOT-FOR-US: GE D60 Line Distance Relay devices CVE-2018-5474 (Philips Intellispace Portal all versions 7.0.x and 8.0.x have an input ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5473 (An Improper Restriction of Operations within the Bounds of a Memory ...) NOT-FOR-US: GE D60 Line Distance Relay devices CVE-2018-5472 (Philips Intellispace Portal all versions 7.0.x and 8.0.x have an ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5471 (A Cleartext Transmission of Sensitive Information issue was discovered ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5470 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5469 (An Improper Restriction of Excessive Authentication Attempts issue was ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5468 (Philips Intellispace Portal all versions 7.0.x and 8.0.x have a remote ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5467 (An Information Exposure Through Query Strings in GET Request issue was ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5466 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have a ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5465 (A Session Fixation issue was discovered in Belden Hirschmann RS, RSR, ...) 
NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5464 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5463 RESERVED CVE-2018-5462 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5461 (An Inadequate Encryption Strength issue was discovered in Belden ...) NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5460 @@ -9700,7 +9700,7 @@ CVE-2018-5460 CVE-2018-5459 (An Improper Authentication issue was discovered in WAGO PFC200 Series ...) NOT-FOR-US: WAGO PFC200 CVE-2018-5458 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have a ...) - TODO: check + NOT-FOR-US: Philips Intellispace Portal CVE-2018-5457 (A uncontrolled search path element issue was discovered in Vyaire ...) NOT-FOR-US: Vyaire Medical CareFusion Upgrade Utility CVE-2018-5456 @@ -9708,7 +9708,7 @@ CVE-2018-5456 CVE-2018-5455 (A Reliance on Cookies without Validation and Integrity Checking issue ...) NOT-FOR-US: Moxa CVE-2018
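Review bot: the CVE-2018-7543 hunk sets "NOT-FOR-US: Wordpress plugin" without naming the plugin, whereas every other NOT-FOR-US line in this commit identifies the product (for example "NOT-FOR-US: NetIQ Identity Manager", "NOT-FOR-US: Philips Intellispace Portal"); name the plugin so the entry can be matched against packaged WordPress plugins later, and spell the project "WordPress" as the existing "custom-map plugin for WordPress" entry does. Separately, the Philips entries mix "Intellispace" and "IntelliSpace" between the CVE descriptions and the NOT-FOR-US lines; picking one spelling for the tracker's own text makes grepping reliable.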
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add ldap-account-manager to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 38d0c7d8 by Moritz Muehlenhoff at 2018-03-26T19:46:58+02:00 add ldap-account-manager to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -33,6 +33,8 @@ graphicsmagick imagemagick Wait until more issues have piled up -- +ldap-account-manager +-- libav/oldstable We can ship the next libav 11.x point release when available -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38d0c7d88a8d589a75f86caffa8c255193eacd45
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b0ea37f1 by Moritz Muehlenhoff at 2018-03-26T19:26:04+02:00 NFUs - - - - - f411120e by Moritz Muehlenhoff at 2018-03-26T19:26:40+02:00 Merge branch 'master' of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,18 +1,18 @@ CVE-2018-9020 (The Events Manager plugin before 5.8.1.2 for WordPress allows XSS via ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-9019 RESERVED CVE-2018-9018 (In GraphicsMagick 1.3.28, there is a divide-by-zero in the ReadMNGImage ...) - graphicsmagick NOTE: https://sourceforge.net/p/graphicsmagick/bugs/554/ CVE-2018-9017 (dsmall v20180320 allows XSS via the member search box at the ...) - TODO: check + NOT-FOR-US: dsmall CVE-2018-9016 (dsmall v20180320 allows XSS via the main page search box at the ...) - TODO: check + NOT-FOR-US: dsmall CVE-2018-9015 (dsmall v20180320 allows XSS via the ...) - TODO: check + NOT-FOR-US: dsmall CVE-2018-9014 (dsmall v20180320 allows physical path leakage via a ...) - TODO: check + NOT-FOR-US: dsmall CVE-2018-9013 RESERVED CVE-2018-9012 @@ -20,7 +20,7 @@ CVE-2018-9012 CVE-2018-9011 RESERVED CVE-2018-9010 (Intelbras TELEFONE IP TIP200/200 LITE 60.0.75.29 devices allow remote ...) - TODO: check + NOT-FOR-US: Intelbras CVE-2018-9009 (In libming 0.4.8, there is a use-after-free in the decompileJUMP ...) - ming NOTE: https://github.com/libming/libming/issues/131 
@@ -83,9 +83,9 @@ CVE-2018-8981 CVE-2018-8980 RESERVED CVE-2018-8979 (Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifying a ...) - TODO: check + NOT-FOR-US: Open-AudIT Professional CVE-2018-8978 (Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an ...) - TODO: check + NOT-FOR-US: Open-AudIT Professional CVE-2018-8977 (In Exiv2 0.26, the Exiv2::Internal::printCsLens function in ...) TODO: check CVE-2018-8976 (In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial ...) @@ -154,7 +154,7 @@ CVE-2018-8949 (An issue was discovered in app/Model/Attribute.php in MISP before CVE-2018-8948 (In MISP before 2.4.89, app/View/Events/resolved_attributes.ctp has ...) NOT-FOR-US: MISP CVE-2018-8947 (rap2hpoutre Laravel Log Viewer before v0.13.0 relies on Base64 encoding ...) - TODO: check + NOT-FOR-US: rap2hpoutre Laravel Log Viewer CVE-2018-1000141 (I, Librarian version 4.9 and earlier contains an Incorrect Access ...) - i-librarian (bug #649291) NOTE: https://github.com/mkucej/i-librarian/issues/124 @@ -489,7 +489,7 @@ CVE-2018-8819 CVE-2018-8818 RESERVED CVE-2018-8817 (Wampserver before 3.1.3 has CSRF in add_vhost.php. ...) - TODO: check + NOT-FOR-US: Wampserver CVE-2018-8816 RESERVED CVE-2018-8815 (Cross-site scripting (XSS) vulnerability in the gallery function in ...) @@ -3019,7 +3019,7 @@ CVE-2018-7721 (Cross Site Scripting (XSS) exists in MetInfo 6.0.0 via ...) CVE-2018-7720 (A cross-site request forgery (CSRF) vulnerability exists in Western ...) NOT-FOR-US: Western Bridge Cobub Razor CVE-2018-7719 (Acrolinx Server before 5.2.5 on Windows allows Directory Traversal. ...) - TODO: check + NOT-FOR-US: Acrolinx Server CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...) - gpac (bug #892526) [wheezy] - gpac (vulnerable code not present) 
@@ -20831,7 +20831,7 @@ CVE-2018-1223 CVE-2018-1222 RESERVED CVE-2018-1221 (In cf-deployment before 1.14.0 and routing-release before 0.172.0, the ...) - TODO: check + NOT-FOR-US: Cloud Foundry CVE-2018-1220 (EMC RSA Archer, versions prior to 6.2.0.8, contains a redirect ...) NOT-FOR-US: EMC RSA Archer CVE-2018-1219 (EMC RSA Archer, versions prior to 6.2.0.8, contains an improper access ...) @@ -20885,7 +20885,7 @@ CVE-2018-1197 (In Windows Stemcells versions prior to 1200.14, apps running insi CVE-2018-1196 (Spring Boot supports an embedded launch script that can be used to ...) NOT-FOR-US: Spring Boot CVE-2018-1195 (In Cloud Controller versions prior to 1.46.0, cf-deployment versions ...) - TODO: check + NOT-FOR-US: Cloud Foundry CVE-2018-1194 RESERVED CVE-2018-1193 @@ -23303,9 +23303,9 @@ CVE-2018-0544 (Untrusted search path vulnerability in WinShot 1.53a and earlier CVE-2018-0543 (Untrusted search path vulnerability in Jtrim 1.53c and earlier ...) NOT-FOR-US: Jtrim installer CVE-2018-0542 (Directory traversal vulnerability in WebProxy version 1.7.8 allows an ...) -
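Review bot: in the first hunk (`@@ -1,18 +1,18 @@`), `+ NOT-FOR-US: Wordpress plugin` for CVE-2018-9020 names only the platform, whereas the other NOT-FOR-US lines in this patch name the affected product (`NOT-FOR-US: rap2hpoutre Laravel Log Viewer`, `NOT-FOR-US: Open-AudIT Professional`, `NOT-FOR-US: Acrolinx Server`); the description identifies it as the Events Manager plugin, so `+ NOT-FOR-US: Events Manager plugin for WordPress` would be consistent with the rest of the file and easier to match if the plugin is ever packaged.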
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: add squirrelmail to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a33deae by Moritz Muehlenhoff at 2018-03-26T19:17:48+02:00 add squirrelmail to dsa-needed tiff postponed dolibarr scheduled for removal nasm, ntp no-dsa - - - - - 39e7a0b7 by Moritz Muehlenhoff at 2018-03-26T19:18:21+02:00 Merge branch 'master' of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -286,6 +286,8 @@ CVE-2018-8906 (dsmall v20180320 has XSS via a crafted street address to ...) NOT-FOR-US: dsmall CVE-2018-8905 (In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function ...) - tiff (bug #893806) + [stretch] - tiff (Can be fixed along in a future DSA) + [jessie] - tiff (Can be fixed along in a future DSA) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2780 CVE-2018-8904 (In Windows Master (aka Windows Optimization Master) 7.99.13.604, the ...) @@ -338,13 +340,19 @@ CVE-2016-10717 (A vulnerability in the encryption and permission implementation CVE-2018-8884 RESERVED CVE-2018-8883 (Netwide Assembler (NASM) 2.13.02rc2 has a buffer over-read in the ...) - - nasm + - nasm (low) + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392447 CVE-2018-8882 (Netwide Assembler (NASM) 2.13.02rc2 has a stack-based buffer under-read ...) - - nasm + - nasm (low) + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392445 CVE-2018-8881 (Netwide Assembler (NASM) 2.13.02rc2 has a heap-based buffer over-read ...) - - nasm + - nasm (low) + [stretch] - nasm (Minor issue) + [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392446 CVE-2018-8880 RESERVED 
@@ -4838,13 +4846,17 @@ CVE-2018-7187 (The "go get" implementation in Go 1.9.4, when the -inse NOTE: https://github.com/golang/go/issues/23867 NOTE: https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc CVE-2018-7185 (The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote ...) - - ntp 1:4.2.8p11+dfsg-1 + - ntp 1:4.2.8p11+dfsg-1 (low) + [stretch] - ntp (Minor issue) + [jessie] - ntp (Minor issue) - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3454 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7184 (ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating ...) - - ntp 1:4.2.8p11+dfsg-1 + - ntp 1:4.2.8p11+dfsg-1 (low) + [stretch] - ntp (Minor issue) + [jessie] - ntp (Minor issue) - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3453 @@ -7198,6 +7210,7 @@ CVE-2017-1000510 (Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripti NOT-FOR-US: Croogo CVE-2017-1000509 (Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) ...) - dolibarr + [jessie] - dolibarr (Scheduled for removal) NOTE: https://github.com/Dolibarr/dolibarr/issues/7727 CVE-2017-1000508 (Invoice Plane version 1.5.4 and earlier contains a Cross Site ...) NOT-FOR-US: Invoice Plane = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt 
@@ -85,6 +85,8 @@ sharutils (luciano) Maintainer proposed debdiff for review for stretch-security. Pending request back for jessie-security -- +squirrelmail/oldstable +-- sqlite3/oldstable -- sssd/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/63b79eced88a6810f993da346bc1bde561e604da...39e7a0b729c73074e0d3d599ff85ed18eb728c62
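Review bot: in the tiff hunk (`@@ -286,6 +286,8 @@`) the `[stretch]` and `[jessie]` "Can be fixed along in a future DSA" postponements are added for tiff only, while the `- tiff3` line for the same CVE-2018-8905 is left with neither a suite annotation nor a fixed version; if tiff3 is affected in any supported suite, it should carry the same postponement (or an explicit status) so that the commit message's "tiff postponed" covers both source packages.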
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new thunderbird issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35ec56a7 by Moritz Muehlenhoff at 2018-03-26T13:57:09+02:00 new thunderbird issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10525,19 +10525,25 @@ CVE-2018-5146 [out-of-bound write] {DSA-4143-1 DSA-4140-1} - firefox 59.0.1-1 - firefox-esr 52.7.2esr-1 + - thunderbird - libvorbis 1.3.5-4.2 (bug #893130) NOTE: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5145 RESERVED {DSA-4139-1 DLA-1308-1} - firefox-esr 52.7.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5144 RESERVED {DSA-4139-1 DLA-1308-1} - firefox-esr 52.7.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5143 RESERVED - firefox 59.0-1 @@ -10603,8 +10609,10 @@ CVE-2018-5129 {DSA-4139-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5128 RESERVED - firefox 59.0-1 @@ -10614,8 +10622,10 @@ CVE-2018-5127 {DSA-4139-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5126 RESERVED - firefox 59.0-1 
@@ -10625,8 +10635,10 @@ CVE-2018-5125 {DSA-4139-1 DLA-1308-1} - firefox 59.0-1 - firefox-esr 52.7.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-06/ + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-09/ CVE-2018-5124 RESERVED - firefox 58.0.1-1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -89,6 +89,8 @@ sqlite3/oldstable -- sssd/stable -- +thunderbird (jmm) +-- tomcat7/oldstable -- tomcat8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35ec56a71c3c95f07b50917274e9676cd6c82b20
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] ntp fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 39a6e582 by Moritz Muehlenhoff at 2018-03-26T10:48:03+02:00 ntp fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4838,19 +4838,19 @@ CVE-2018-7187 (The "go get" implementation in Go 1.9.4, when the -inse NOTE: https://github.com/golang/go/issues/23867 NOTE: https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc CVE-2018-7185 (The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote ...) - - ntp + - ntp 1:4.2.8p11+dfsg-1 - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3454 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7184 (ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating ...) - - ntp + - ntp 1:4.2.8p11+dfsg-1 - ntpsec (Issue not present) NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3453 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7183 (Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 ...) - - ntp (low) + - ntp 1:4.2.8p11+dfsg-1 (low) [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) @@ -4859,7 +4859,7 @@ CVE-2018-7183 (Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3414 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows ...) - - ntp + - ntp 1:4.2.8p11+dfsg-1 - ntpsec 1.0.0+dfsg1-5 NOTE: http://www.kb.cert.org/vuls/id/961909 NOTE: http://support.ntp.org/bin/view/Main/NtpBug3412 
@@ -4915,7 +4915,7 @@ CVE-2018-7172 (In index.php in WonderCMS before 2.4.1, remote attackers can dele CVE-2018-7171 RESERVED CVE-2018-7170 (ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows ...) - - ntp + - ntp 1:4.2.8p11+dfsg-1 [stretch] - ntp (Minor issue) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/39a6e58202d8f5867f426cf3f8f2fc63263622eb
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] gitlab fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 036e0e9e by Moritz Muehlenhoff at 2018-03-26T15:32:44+02:00 gitlab fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -184,7 +184,7 @@ CVE-2017-18245 (The mpc8_probe function in libavformat/mpc8.c in Libav 12.2 allo [jessie] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1094 CVE-2018-8971 (The Auth0 integration in GitLab before 10.3.9, 10.4.x before 10.4.6, ...) - - gitlab (bug #893905) + - gitlab 10.5.6+dfsg-1 (bug #893905) NOTE: https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/ CVE-2018-8946 RESERVED @@ -525,7 +525,7 @@ CVE-2018-8802 RESERVED CVE-2018-8801 RESERVED - - gitlab (bug #893905) + - gitlab 10.5.6+dfsg-1 (bug #893905) NOTE: https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/ CVE-2018-8800 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/036e0e9e45a14b52ffebc8ece4fc60dcb353
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] zsh no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e6e6ce3 by Moritz Muehlenhoff at 2018-03-25T19:46:52+02:00 zsh no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -21265,7 +21265,9 @@ CVE-2018-1084 RESERVED CVE-2018-1083 [check bounds on PATH_MAX-sized buffer used for file completion candidates] RESERVED - - zsh + - zsh (low) + [stretch] - zsh (Minor issue) + [jessie] - zsh (Minor issue) NOTE: https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7 CVE-2018-1082 RESERVED @@ -21294,7 +21296,9 @@ CVE-2018-1073 CVE-2018-1072 RESERVED CVE-2018-1071 (zsh through version 5.4.2 is vulnerable to a stack-based buffer ...) - - zsh + - zsh (low) + [stretch] - zsh (Minor issue) + [jessie] - zsh (Minor issue) NOTE: https://sourceforge.net/p/zsh/code/ci/679b71ec4d852037fe5f73d35bf557b0f406c8d4 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1553531 CVE-2018-1070 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4e6e6ce335d7746443154630a2b83b43f736b08f