[Git][security-tracker-team/security-tracker][master] Reserve DSA number for linux update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63f39c36 by Salvatore Bonaccorso at 2018-05-08T22:53:08+02:00 Reserve DSA number for linux update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[08 May 2018] DSA-4196-1 linux - security update + {CVE-2018-1087 CVE-2018-8897} + [jessie] - linux 3.16.56-1+deb8u1 + [stretch] - linux 4.9.88-1+deb9u1 [08 May 2018] DSA-4195-1 wget - security update {CVE-2018-0494} [jessie] - wget 1.16-1+deb8u5 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -46,7 +46,7 @@ libav/oldstable -- libidn -- -linux (carnil) +linux Wait until more issues have piled up -- mercurial View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/63f39c36e5a786308dcdc6591abdd1d06bb04b1c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/63f39c36e5a786308dcdc6591abdd1d06bb04b1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
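Review bot: the new DSA-4196-1 entry in the data/DSA/list hunk lists CVE-2018-1087 and CVE-2018-8897, but their data/CVE/list entries (both still RESERVED with "- linux 4.15.17-1") get no {DSA-4196-1} cross-reference in this commit; that annotation needs to be added when the advisory is published, otherwise jessie and stretch keep showing the two issues as open. The versions 3.16.56-1+deb8u1 and 4.9.88-1+deb9u1 are consistent with the jessie and stretch kernel lines.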
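Review bot: in the data/dsa-needed.txt hunk only the claimant "(carnil)" is dropped and the linux entry stays listed with the "Wait until more issues have piled up" line; if the entry is meant to track the next batch of kernel fixes after DSA-4196-1, a dated line saying so would make that explicit, otherwise the entry should be removed the way wget and undertow are removed in the sibling commits of this batch.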
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-10805
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d361fccc by Salvatore Bonaccorso at 2018-05-08T22:28:03+02:00 Add bug reference for CVE-2018-10805 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15,7 +15,7 @@ CVE-2018-10807 CVE-2018-10806 (An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross ...) NOT-FOR-US: Frog CMS CVE-2018-10805 (ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage ...) - - imagemagick (unimportant) + - imagemagick (unimportant; bug #898218) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1054 CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage ...) - imagemagick (unimportant; bug #898217) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d361fccc5a5db99eff6a04504c02b4c3a0d9c0e5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d361fccc5a5db99eff6a04504c02b4c3a0d9c0e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
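Review bot: CVE-2018-10805 now carries bug #898218, but unlike CVE-2018-10804 directly below it (which references the upstream fix commit 052f6c22d3a2b2aae9dfa24aff9ccdf8b72ace91) it only points at upstream issue 1054; once the fix for the ReadYCBCRImage leak is identified, a "NOTE: Fixed by" line with the commit should be added so a fixed version can be recorded. The "unimportant" rating matches the sibling memory-leak entry.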
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-10805/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13b1ca5a by Salvatore Bonaccorso at 2018-05-08T22:20:59+02:00 Add CVE-2018-10805/imagemagick - - - - - 439775e3 by Salvatore Bonaccorso at 2018-05-08T22:24:05+02:00 Add bug reference for CVE-2018-10804 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15,9 +15,10 @@ CVE-2018-10807 CVE-2018-10806 (An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross ...) NOT-FOR-US: Frog CMS CVE-2018-10805 (ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage ...) - TODO: check -CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage ...) - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/issues/1054 +CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage ...) + - imagemagick (unimportant; bug #898217) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1053 NOTE: https://github.com/ImageMagick/ImageMagick/commit/052f6c22d3a2b2aae9dfa24aff9ccdf8b72ace91 CVE-2018-10803 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ac1ef7ffd80d1f51b18c422fb99c0718e3ce4c42...439775e3cd365ebc3c515ecb4aa85f44d3701853 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ac1ef7ffd80d1f51b18c422fb99c0718e3ce4c42...439775e3cd365ebc3c515ecb4aa85f44d3701853 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-10804/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5983f97e by Salvatore Bonaccorso at 2018-05-08T22:16:18+02:00 Add CVE-2018-10804/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17,7 +17,8 @@ CVE-2018-10806 (An issue was discovered in Frog CMS 0.9.5. There is a reflected CVE-2018-10805 (ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage ...) TODO: check CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage ...) - TODO: check + - imagemagick (unimportant) + NOTE: https://github.com/ImageMagick/ImageMagick/commit/052f6c22d3a2b2aae9dfa24aff9ccdf8b72ace91 CVE-2018-10803 RESERVED CVE-2018-1000301 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5983f97e7bad9e893b64e42f1b347aa9ed769d9a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5983f97e7bad9e893b64e42f1b347aa9ed769d9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
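Review bot: CVE-2018-10804 is rated unimportant with only the upstream fix commit as justification, and no Debian bug reference yet (the CVE-2018-10805 line above stays at TODO: check); a short NOTE stating why the leak is rated unimportant would help later re-triage, since the same WriteTIFFImage leak driven from a long-running conversion service would be a resource-exhaustion issue rather than a no-impact one.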
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c33351b by Salvatore Bonaccorso at 2018-05-08T22:14:27+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7,13 +7,13 @@ CVE-2018-10811 CVE-2018-10810 RESERVED CVE-2018-10809 (In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) ...) - TODO: check + NOT-FOR-US: 2345 Security Guard CVE-2018-10808 RESERVED CVE-2018-10807 RESERVED CVE-2018-10806 (An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross ...) - TODO: check + NOT-FOR-US: Frog CMS CVE-2018-10805 (ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage ...) TODO: check CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage ...) @@ -49,7 +49,7 @@ CVE-2018-10798 (A hang issue was discovered in Brave before 0.14.0 (on, for exam CVE-2018-10797 RESERVED CVE-2018-10796 (In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) ...) - TODO: check + NOT-FOR-US: 2345 Security Guard CVE-2018-10795 (Liferay 6.2.x and before has an FCKeditor configuration that allows an ...) TODO: check CVE-2018- [prosody crashed on error handling for stream errors] @@ -204,7 +204,7 @@ CVE-2018-10736 CVE-2018-10735 RESERVED CVE-2018-10734 (KONGTOP DVR devices A303, A403, D303, D305, and D403 contain a ...) - TODO: check + NOT-FOR-US: KONGTOP DVR devices CVE-2018-10733 (There is a heap-based buffer over-read in the function ...) - libgxps (low; bug #897954) [wheezy] - libgxps (Minor issue) 
@@ -24722,7 +24722,7 @@ CVE-2018-1415 (IBM Maximo Asset Management 7.6 is vulnerable to cross-site scrip CVE-2018-1414 (IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to SQL ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2018-1413 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM Cognos Analytics CVE-2018-1412 RESERVED CVE-2018-1411 (IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) ...) @@ -25193,9 +25193,9 @@ CVE-2017-17542 CVE-2017-17541 RESERVED CVE-2017-17540 (The presence of a hardcoded account in Fortinet FortiWLC 8.3.3 allows ...) - TODO: check + NOT-FOR-US: Fortinet FortiWLC CVE-2017-17539 (The presence of a hardcoded account in Fortinet FortiWLC 7.0.11 and ...) - TODO: check + NOT-FOR-US: Fortinet FortiWLC CVE-2017-17538 (MikroTik v6.40.5 devices allow remote attackers to cause a denial of ...) NOT-FOR-US: MikroTik CVE-2017-17537 (MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated ...) 
@@ -25854,7 +25854,7 @@ CVE-2018-1241 CVE-2018-1240 (Dell EMC ViPR Controller, versions after 3.0.0.38, contain an ...) NOT-FOR-US: EMC ViPR Controller CVE-2018-1239 (Dell EMC Unity Operating Environment (OE) versions prior to ...) - TODO: check + NOT-FOR-US: EMC Unity Operating Environment CVE-2018-1238 (Dell EMC ScaleIO versions prior to 2.5, contain a command injection ...) NOT-FOR-US: EMC ScaleIO CVE-2018-1237 (Dell EMC ScaleIO versions prior to 2.5, contain improper restriction ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c33351be1dae98c9fcfa122deb7da7dbf6a36a1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c33351be1dae98c9fcfa122deb7da7dbf6a36a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
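Review bot: in the @@ -49,7 hunk CVE-2018-10795 (Liferay) stays at TODO: check directly below the newly triaged CVE-2018-10796; if Liferay is likewise not packaged in Debian it should get the same NOT-FOR-US treatment in this pass rather than being left for the next one. The other NOT-FOR-US strings ("2345 Security Guard", "EMC Unity Operating Environment", "Fortinet FortiWLC") follow the naming of the neighbouring entries.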
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba443f4f by security tracker role at 2018-05-08T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,39 @@ +CVE-2018-10813 + RESERVED +CVE-2018-10812 (The Bitpie application through 3.2.4 for Android and iOS uses cleartext ...) + TODO: check +CVE-2018-10811 + RESERVED +CVE-2018-10810 + RESERVED +CVE-2018-10809 (In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) ...) + TODO: check +CVE-2018-10808 + RESERVED +CVE-2018-10807 + RESERVED +CVE-2018-10806 (An issue was discovered in Frog CMS 0.9.5. There is a reflected Cross ...) + TODO: check +CVE-2018-10805 (ImageMagick version 7.0.7-28 contains a memory leak in ReadYCBCRImage ...) + TODO: check +CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFFImage ...) + TODO: check +CVE-2018-10803 + RESERVED +CVE-2018-1000301 + RESERVED +CVE-2018-1000300 + RESERVED +CVE-2018-1000177 (A cross-site scripting vulnerability exists in Jenkins S3 Plugin ...) + TODO: check +CVE-2018-1000176 (An exposure of sensitive information vulnerability exists in Jenkins ...) + TODO: check +CVE-2018-1000175 (A path traversal vulnerability exists in Jenkins HTML Publisher Plugin ...) + TODO: check +CVE-2018-1000174 (An open redirect vulnerability exists in Jenkins Google Login Plugin ...) + TODO: check +CVE-2018-1000173 (A session fixaction vulnerability exists in Jenkins Google Login ...) + TODO: check CVE-2018-10802 RESERVED CVE-2018-10801 (TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as ...) 
@@ -167,8 +203,8 @@ CVE-2018-10736 RESERVED CVE-2018-10735 RESERVED -CVE-2018-10734 - RESERVED +CVE-2018-10734 (KONGTOP DVR devices A303, A403, D303, D305, and D403 contain a ...) + TODO: check CVE-2018-10733 (There is a heap-based buffer over-read in the function ...) - libgxps (low; bug #897954) [wheezy] - libgxps (Minor issue) @@ -996,8 +1032,7 @@ CVE-2018-10382 RESERVED CVE-2018-10381 (TunnelBear 3.2.0.6 for Windows suffers from a SYSTEM privilege ...) NOT-FOR-US: TunnelBear for Windows -CVE-2018-10380 [Access to privileged files] - RESERVED +CVE-2018-10380 (kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ...) - kwallet-pam 5.12.1-2 NOTE: https://www.kde.org/info/security/advisory-20180503-1.txt NOTE: https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0 (Plasma 5.12) @@ -1034,13 +1069,13 @@ CVE-2018-10372 (process_cu_tu_index in dwarf.c in GNU Binutils 2.30 allows remot NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6aea08d9f3e3d6475a65454da488a0c51f5dc97d CVE-2018-10371 (An issue was discovered in the wunderfarm WF Cookie Consent plugin ...) NOT-FOR-US: wunderfarm WF Cookie Consent plugin for WordPress -CVE-2018-1000178 [Implement custom deserializer to add our own sanity checks] +CVE-2018-1000178 (A heap corruption of type CWE-120 exists in quassel version 0.12.4 in ...) {DSA-4189-1 DLA-1370-1} - quassel 1:0.12.5-1 (bug #896914) NOTE: https://github.com/quassel/quassel/commit/2b777e99fc9f74d4ed21491710260664a1721d1f (master) NOTE: https://github.com/quassel/quassel/commit/18389a713a6810f57ab237b945e8ee03df857b8b (0.12) NOTE: http://www.openwall.com/lists/oss-security/2018/04/27/1 -CVE-2018-1000179 [Reject clients that attempt to login before the core is configured] +CVE-2018-1000179 (A NULL Pointer Dereference of CWE-476 exists in quassel version 0.12.4 ...) {DSA-4189-1} - quassel 1:0.12.5-1 (bug #896915) [wheezy] - quassel (Minor issue) 
@@ -2276,8 +2311,7 @@ CVE-2018-9860 (An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0 NOTE: Bug introduced in 1.11.32, fixed in 2.6.0 CVE-2018-9859 RESERVED -CVE-2018-1000168 [Denial of service due to NULL pointer dereference] - RESERVED +CVE-2018-1000168 (nghttp2 version = 1.10.0 and nghttp2 = v1.31.0 contains an Improper ...) - nghttp2 1.31.1-1 (low; bug #895566) [stretch] - nghttp2 (Minor issue) [jessie] - nghttp2 (Issue introduced in 1.10.0) @@ -4569,8 +4603,7 @@ CVE-2018-8899 (IdentityServer IdentityServer4 1.x before 1.5.3 and 2.x before 2. NOT-FOR-US: IdentityServer CVE-2018-8898 RESERVED -CVE-2018-8897 [error in exception handling leads to DoS] - RESERVED +CVE-2018-8897 (A statement in the System Programming Guide of the Intel 64 and IA-32 ...) - linux 4.15.17-1 NOTE: Fixed by:
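Review bot: in the @@ -2276,8 hunk the imported description for CVE-2018-1000168 reads "nghttp2 version = 1.10.0 and nghttp2 = v1.31.0", which cannot describe a range; the comparison operators appear to have been lost (angle-bracket tokens are missing elsewhere in this rendering too), so the line should be checked against the published text before anyone relies on it. The per-suite annotations already present ("Issue introduced in 1.10.0", fixed in 1.31.1-1) are unaffected by the replacement.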
[Git][security-tracker-team/security-tracker][master] add references to kernel issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 617cc66e by Moritz Muehlenhoff at 2018-05-08T20:37:12+02:00 add references to kernel issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4568,6 +4568,7 @@ CVE-2018-8897 [error in exception handling leads to DoS] NOTE: Fixed by: https://git.kernel.org/linus/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 (4.16-rc7) - xen NOTE: https://xenbits.xen.org/xsa/advisory-260.html + NOTE: http://www.openwall.com/lists/oss-security/2018/05/08/4 CVE-2018-8896 (In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8895 (In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows ...) @@ -26405,6 +26406,7 @@ CVE-2018-1087 [error in exception handling leads to wrong debug stack value] RESERVED - linux 4.15.17-1 NOTE: Fixed by: https://git.kernel.org/linus/32d43cd391bacb5f0814c2624399a5dad3501d09 (4.16-rc7) + NOTE: http://www.openwall.com/lists/oss-security/2018/05/08/5 CVE-2018-1086 (pcs before versions 0.9.164 and 0.10 is vulnerable to a debug ...) {DSA-4169-1} - pcs 0.9.164-1 (bug #895313) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/617cc66e2fb6e32da8ac33fadca3b03700161038 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/617cc66e2fb6e32da8ac33fadca3b03700161038 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
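Review bot: the new oss-security reference for CVE-2018-8897 lands under the "- xen" sub-entry, after the XSA-260 NOTE, rather than next to the kernel "NOTE: Fixed by:" line; since the posting covers the CVE as a whole, placing it with the general notes (or labelling it as the public disclosure) avoids it being read as xen-specific. The CVE-2018-1087 hunk puts its reference directly after the kernel fix note, which is the clearer layout.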
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1087/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 44c073ac by Salvatore Bonaccorso at 2018-05-08T19:33:58+02:00 Add CVE-2018-1087/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26401,8 +26401,10 @@ CVE-2018-1088 (A privilege escalation flaw was found in gluster 3.x snapshot ... NOTE: CVE-2018-1112 causing that auth.allow allows all clients to mount volumes. NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1570891 NOTE: Needs: https://review.gluster.org/#/c/19899/1..2 -CVE-2018-1087 +CVE-2018-1087 [error in exception handling leads to wrong debug stack value] RESERVED + - linux 4.15.17-1 + NOTE: Fixed by: https://git.kernel.org/linus/32d43cd391bacb5f0814c2624399a5dad3501d09 (4.16-rc7) CVE-2018-1086 (pcs before versions 0.9.164 and 0.10 is vulnerable to a debug ...) {DSA-4169-1} - pcs 0.9.164-1 (bug #895313) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/44c073ac759392300e1f187b3ddb31bc3aa72693 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/44c073ac759392300e1f187b3ddb31bc3aa72693 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
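Review bot: CVE-2018-1087 gets "- linux 4.15.17-1" plus the 4.16-rc7 fix commit while still RESERVED, mirroring the CVE-2018-8897 entry; with no [jessie] or [stretch] lines the stable suites now show as affected, which is correct until the kernel DSA covers them, but a NOTE pointing at the companion CVE-2018-8897 would make it obvious that the two entries are meant to be handled together.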
[Git][security-tracker-team/security-tracker][master] Add xen for CVE-2018-8897
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c46fc748 by Salvatore Bonaccorso at 2018-05-08T19:32:07+02:00 Add xen for CVE-2018-8897 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4566,6 +4566,8 @@ CVE-2018-8897 [error in exception handling leads to DoS] RESERVED - linux 4.15.17-1 NOTE: Fixed by: https://git.kernel.org/linus/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 (4.16-rc7) + - xen + NOTE: https://xenbits.xen.org/xsa/advisory-260.html CVE-2018-8896 (In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows ...) NOT-FOR-US: 2345 Security Guard CVE-2018-8895 (In 2345 Security Guard 3.6, the driver file (2345DumpBlock.sys) allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c46fc74881878bc2f01788cc65f9dd4c933ae79e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c46fc74881878bc2f01788cc65f9dd4c933ae79e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
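Review bot: "- xen" is added with no version, which marks xen as unfixed in every suite; that is right while the XSA-260 fix is not yet in the archive, but a fixed version or a per-suite annotation needs to follow once the upload lands, otherwise the entry stays open indefinitely with only the advisory link as context.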
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-1108 as unfixed, various regressions reported and fix will be reverted
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 149dad8d by Salvatore Bonaccorso at 2018-05-08T17:19:11+02:00 Mark CVE-2018-1108 as unfixed, various regressions reported and fix will be reverted - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26305,7 +26305,6 @@ CVE-2018-1109 NOTE: nodejs not covered by security support CVE-2018-1108 [random: fix crng_ready() test] RESERVED - {DSA-4188-1} - linux 4.16.5-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list 
@@ -26,7 +26,7 @@ [jessie] - quassel 1:0.10.0-2.3+deb8u4 [stretch] - quassel 1:0.12.4-2+deb9u1 [01 May 2018] DSA-4188-1 linux - security update - {CVE-2017-5715 CVE-2017-5753 CVE-2017-17975 CVE-2017-18193 CVE-2017-18216 CVE-2017-18218 CVE-2017-18222 CVE-2017-18224 CVE-2017-18241 CVE-2017-18257 CVE-2018-1065 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-1093 CVE-2018-1108 CVE-2018-5803 CVE-2018-7480 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8087 CVE-2018-8781 CVE-2018-8822 CVE-2018-10323 CVE-2018-1000199} + {CVE-2017-5715 CVE-2017-5753 CVE-2017-17975 CVE-2017-18193 CVE-2017-18216 CVE-2017-18218 CVE-2017-18222 CVE-2017-18224 CVE-2017-18241 CVE-2017-18257 CVE-2018-1065 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-1093 CVE-2018-5803 CVE-2018-7480 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8087 CVE-2018-8781 CVE-2018-8822 CVE-2018-10323 CVE-2018-1000199} [stretch] - linux 4.9.88-1 [01 May 2018] DSA-4187-1 linux - security update {CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753 CVE-2017-13166 CVE-2017-13220 CVE-2017-16526 CVE-2017-16911 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017 CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-5332 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927 CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757 CVE-2018-7995 CVE-2018-8781 CVE-2018-8822 CVE-2018-104 CVE-2018-1000199} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/149dad8d4691c627ab6852a1870957f00de7ece4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/149dad8d4691c627ab6852a1870957f00de7ece4 You're receiving this email because of your account on salsa.debian.org. 
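Review bot: dropping {DSA-4188-1} from CVE-2018-1108 in the data/CVE/list hunk correctly reopens the issue for stretch, but the "- linux 4.16.5-1" line still claims it fixed in unstable; if the crng_ready() fix is being reverted there as well, that version should be dropped or accompanied by a NOTE saying the fix was reverted because of regressions, otherwise the tracker shows sid as fixed while stretch is not.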
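Review bot: in the data/DSA/list hunk CVE-2018-1108 is removed from the DSA-4188-1 CVE list as intended; the neighbouring DSA-4187-1 context line contains "CVE-2018-104", which is not a valid CVE identifier and looks truncated, so that entry in the file should be checked while here.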
[Git][security-tracker-team/security-tracker][master] Mark undertow as no-dsa, will be removed at point release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c2ef367 by Salvatore Bonaccorso at 2018-05-08T14:45:40+02:00 Mark undertow as no-dsa, will be removed at point release - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26280,6 +26280,7 @@ CVE-2018-1115 CVE-2018-1114 [File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service] RESERVED - undertow 1.4.25-1 (bug #897247) + [stretch] - undertow (Scheduled for removal on point release) NOTE: https://issues.jboss.org/browse/UNDERTOW-1338 NOTE: https://github.com/undertow-io/undertow/commit/882d5884f2614944a0c2ae69bafd9d13bfc5b64a NOTE: https://bugs.openjdk.java.net/browse/JDK-6956385 @@ -26613,6 +26614,7 @@ CVE-2018-1049 (In systemd prior to 234 a race condition exists between .mount an NOTE: https://github.com/systemd/systemd/commit/e7d54bf58789545a9eb0b3964233defa0b007318 CVE-2018-1048 (It was found that the AJP connector in undertow, as shipped in Jboss ...) - undertow 1.4.22-1 (bug #891928) + [stretch] - undertow (Scheduled for removal on point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1534343 NOTE: https://issues.jboss.org/browse/UNDERTOW-1245 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1bc0c275aadf5835abfbd3835d5d78095c2f1cf5 
@@ -44345,6 +44347,7 @@ CVE-2017-12197 (It was found that libpam4j up to and including 1.8 did not prope NOTE: (Non-upstream) patch: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d CVE-2017-12196 (undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was ...) - undertow 1.4.25-1 + [stretch] - undertow (Scheduled for removal on point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870 NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f @@ -44492,6 +44495,7 @@ CVE-2017-12166 (OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnera CVE-2017-12165 [improper whitespace parsing leading to potential HTTP request smuggling] RESERVED - undertow (bug #885338) + [stretch] - undertow (Scheduled for removal on point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 NOTE: Fix likely included in the same commit as the fix for CVE-2017-7559 NOTE: https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 
@@ -58579,6 +58583,7 @@ CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable t NOTE: Introduced by: https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and ...) - undertow 1.4.23-1 (bug #885576) + [stretch] - undertow (Scheduled for removal on point release) NOTE: CVE is for an incomplete fix of CVE-2017-2666 NOTE: Invalid characters were still allowed in the query string and path parameters. NOTE: https://issues.jboss.org/browse/UNDERTOW-1165 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0c2ef367fecf07780ea70d081c45185c05e30d67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
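Review bot: the commit message says undertow is being marked no-dsa, but the added "[stretch] - undertow (Scheduled for removal on point release)" lines, in this hunk and in the four sibling hunks, show no status tag before the parenthesised reason; angle-bracketed tokens appear to have been stripped in this rendering (compare the nghttp2 description in the automatic update), so verify in the file that the tag is actually present, because without it the line is only a comment and stretch keeps showing as vulnerable for all five CVEs.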
[Git][security-tracker-team/security-tracker][master] Remove undertow from dsa needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 44519aab by Salvatore Bonaccorso at 2018-05-08T14:43:26+02:00 Remove undertow from dsa needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -89,8 +89,6 @@ tomcat7/oldstable tomcat8 (seb) 2018-04-11: Emmanuel Bourg submitted a debdiff -- -undertow --- vlc (jmm) -- wavpack (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/44519aab68718d433f11f8cc3cfa8d62df0e2561 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/44519aab68718d433f11f8cc3cfa8d62df0e2561 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for wget
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4983969a by Salvatore Bonaccorso at 2018-05-08T12:19:06+02:00 Reserve DSA number for wget - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[08 May 2018] DSA-4195-1 wget - security update + {CVE-2018-0494} + [jessie] - wget 1.16-1+deb8u5 + [stretch] - wget 1.18-5+deb9u2 [06 May 2018] DSA-4194-1 lucene-solr - security update {CVE-2018-1308} [jessie] - lucene-solr 3.6.2+dfsg-5+deb8u2 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -95,8 +95,6 @@ vlc (jmm) -- wavpack (jmm) -- -wget (carnil) --- xen -- zendframework/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4983969afd0078ab1270a3eac03cb257d09e88fb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4983969afd0078ab1270a3eac03cb257d09e88fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-10801/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 11faec29 by Salvatore Bonaccorso at 2018-05-08T10:13:03+02:00 Add CVE-2018-10801/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,9 @@ CVE-2018-10802 RESERVED CVE-2018-10801 (TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as ...) - TODO: check + - tiff + - tiff3 + NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2790 CVE-2018-10800 RESERVED CVE-2018-10799 (A hang issue was discovered in Brave before 0.14.0 (on, for example, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/11faec29ee743810535a7cb518c05ef608796842 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/11faec29ee743810535a7cb518c05ef608796842 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
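Review bot: CVE-2018-10801 is added for both tiff and tiff3 with neither a version nor a severity; the description names LibTIFF 3.8.2 and a memory leak in TIFFClientOpen, so it is worth recording whether the 4.x tiff source is actually affected and giving a severity (the imagemagick memory-leak entries in this batch use unimportant), otherwise both packages show as open, unrated issues in every suite.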
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c8151b1 by security tracker role at 2018-05-08T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,7 @@ +CVE-2018-10802 + RESERVED +CVE-2018-10801 (TIFFClientOpen in tif_unix.c in LibTIFF 3.8.2 has memory leaks, as ...) + TODO: check CVE-2018-10800 RESERVED CVE-2018-10799 (A hang issue was discovered in Brave before 0.14.0 (on, for example, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c8151b1f76bc8148e223645d088dbceb297d9e8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c8151b1f76bc8148e223645d088dbceb297d9e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Expand note for CVE-2017-12165
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 33a6817d by Salvatore Bonaccorso at 2018-05-08T08:41:54+02:00 Expand note for CVE-2017-12165 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -44487,6 +44487,8 @@ CVE-2017-12165 [improper whitespace parsing leading to potential HTTP request sm RESERVED - undertow (bug #885338) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 + NOTE: Fix likely included in the same commit as the fix for CVE-2017-7559 + NOTE: https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 CVE-2017-12164 [lock screen can be circumvented when autologin is set] RESERVED - gdm3 3.26.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/33a6817d87998b06714860516906d5b0eb99c0e3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/33a6817d87998b06714860516906d5b0eb99c0e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
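Review bot: the new NOTE says the fix is "likely" in the same commit as for CVE-2017-7559, yet the "- undertow (bug #885338)" line above still carries no fixed version; if 3436b03eda8b0b62c1855698c4d7c358add836c2 is confirmed to cover the whitespace-parsing case, the version that first contains it (CVE-2017-7559 is recorded as fixed in undertow 1.4.23-1) should be added, and if not, the NOTE should say what remains to be verified.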