[Git][security-tracker-team/security-tracker][master] CVE-2018-20184: add link to trimmed down patch
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 110244dd by Hugo Lefeuvre at 2018-12-27T07:57:00Z CVE-2018-20184: add link to trimmed down patch upstream patch contains unnecessary refactoring, indicate that a trimmed down version is available on the Debian bug report - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -934,6 +934,7 @@ CVE-2018-20185 (In GraphicsMagick 1.4 snapshot-20181209 Q8 on 32-bit platforms, CVE-2018-20184 (In GraphicsMagick 1.4 snapshot-20181209 Q8, there is a heap-based ...) - graphicsmagick 1.4~hg15873-1 (bug #916721) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/15d1b5fd003b + NOTE: upstream patch contains unrelated refactoring, trimmed down version available on the Debian bug report NOTE: https://sourceforge.net/p/graphicsmagick/bugs/583/ CVE-2018-20183 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/110244dd0955f1bd48f2a85108ba1251a2143ac3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/110244dd0955f1bd48f2a85108ba1251a2143ac3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
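Review bot: the new NOTE says a trimmed down version is "available on the Debian bug report" but does not say which report; the package line just above it already carries "(bug #916721)", so repeat the number in the NOTE, e.g. "NOTE: upstream patch contains unrelated refactoring, trimmed down version available on the Debian bug report (#916721)", so that someone working from dla-needed can find the patch without reading the whole entry.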
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-20217/krb5
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e81e366 by Salvatore Bonaccorso at 2018-12-27T07:43:25Z Add Debian bug reference for CVE-2018-20217/krb5 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -839,7 +839,7 @@ CVE-2018-20218 RESERVED CVE-2018-20217 [Ignore password attributes for S4U2Self requests] RESERVED - - krb5 + - krb5 (bug #917387) NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763 NOTE: https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086 CVE-2018-20216 (QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e81e3668c42a8da7418691be33c72a5aac76988 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e81e3668c42a8da7418691be33c72a5aac76988 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
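Review bot: with the bug reference added, the CVE-2018-20217 entry still has no severity tag and no [stretch] or [jessie] lines, so both stable suites will be shown as affected with unknown severity; if the affected version range of the S4U2Self issue is known, record it on suite lines as the other entries in this file do, otherwise add a severity tag and a no-dsa decision so the triage is visible in the same place as the bug reference.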
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-20217/krb5
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6de11a8b by Salvatore Bonaccorso at 2018-12-27T07:37:15Z Add CVE-2018-20217/krb5 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -837,8 +837,11 @@ CVE-2018-20219 RESERVED CVE-2018-20218 RESERVED -CVE-2018-20217 +CVE-2018-20217 [Ignore password attributes for S4U2Self requests] RESERVED + - krb5 + NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763 + NOTE: https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086 CVE-2018-20216 (QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c ...) - qemu (unimportant) [stretch] - qemu (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6de11a8b34a82539f467d25b594c44e449bb2e08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6de11a8b34a82539f467d25b594c44e449bb2e08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-16887 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf53b1d2 by Salvatore Bonaccorso at 2018-12-27T07:07:11Z Mark CVE-2018-16887 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15890,6 +15890,7 @@ CVE-2018-16888 RESERVED CVE-2018-16887 RESERVED + NOT-FOR-US: Katello CVE-2018-16886 RESERVED CVE-2018-16885 [out-of-bound read in memcpy_fromiovecend()] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf53b1d292474f6e10922cb9b8be554690f99210 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf53b1d292474f6e10922cb9b8be554690f99210 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] qtvirtualkeyboard-opensource-src fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 206e9c6c by Moritz Muehlenhoff at 2018-12-26T21:22:01Z qtvirtualkeyboard-opensource-src fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5471,7 +5471,7 @@ CVE-2018-19866 RESERVED CVE-2018-19865 (A keystroke logging issue was discovered in Virtual Keyboard in Qt ...) [experimental] - qtvirtualkeyboard-opensource-src 5.11.3+dfsg-1 - - qtvirtualkeyboard-opensource-src + - qtvirtualkeyboard-opensource-src 5.11.3+dfsg-2 NOTE: http://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ TODO: check for completeness CVE-2018-19864 (NUUO NVRmini2 Network Video Recorder firmware through 3.9.1 allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/206e9c6cf6df87458e5bf1bdbedb2ed0ae3be5d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/206e9c6cf6df87458e5bf1bdbedb2ed0ae3be5d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
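Review bot: the hunk sets the unstable fix to 5.11.3+dfsg-2 but leaves "TODO: check for completeness" in place directly under the Qt blog NOTE; if the completeness check against the 5.11.3 security release has been done, drop the TODO in the same commit, and if it has not, say so, because a fixed version next to an open completeness TODO reads as contradictory.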
[Git][security-tracker-team/security-tracker][master] qtsvg-opensource-src fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c42b2c0f by Moritz Muehlenhoff at 2018-12-26T21:21:15Z qtsvg-opensource-src fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5455,7 +5455,7 @@ CVE-2018-19870 [Check for QImage allocation failure in qgifhandler] CVE-2018-19869 [Fix crash when parsing malformed url reference] RESERVED [experimental] - qtsvg-opensource-src 5.11.3-1 - - qtsvg-opensource-src (low) + - qtsvg-opensource-src 5.11.3-2 (low) [stretch] - qtsvg-opensource-src (Minor issue) [jessie] - qtsvg-opensource-src (Minor issue) - qt4-x11 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c42b2c0faca3ecf5b6281d5abe0f7352b9d7f8e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c42b2c0faca3ecf5b6281d5abe0f7352b9d7f8e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-19871/qtimageformats-opensource-src
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 145bd1b7 by Salvatore Bonaccorso at 2018-12-26T21:05:14Z Add fixed version for CVE-2018-19871/qtimageformats-opensource-src Fixed in 5.11.3 upstream and in Debian with the experimental upload of 5.11.3-1. Uploaded to unstable as followup 5.11.3-2. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5430,7 +5430,7 @@ CVE-2018-19872 RESERVED CVE-2018-19871 [QImage: QTgaFile CPU exhaustion] RESERVED - - qtimageformats-opensource-src (low) + - qtimageformats-opensource-src 5.11.3-2 (low) [stretch] - qtimageformats-opensource-src (Minor issue) [jessie] - qtimageformats-opensource-src (Minor issue) - qt4-x11 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/145bd1b7c433c982e6d43ff9c34a29bb16de5433 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/145bd1b7c433c982e6d43ff9c34a29bb16de5433 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] qtbase-opensource-src/5.11.3 moved to unstable fixing three CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 705b5020 by Salvatore Bonaccorso at 2018-12-26T21:04:03Z qtbase-opensource-src/5.11.3 moved to unstable fixing three CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5420,7 +5420,7 @@ CVE-2018-19874 CVE-2018-19873 [QBmpHandler segfault on malformed BMP file] RESERVED [experimental] - qtbase-opensource-src 5.11.3+dfsg-1 - - qtbase-opensource-src + - qtbase-opensource-src 5.11.3+dfsg-2 [jessie] - qtbase-opensource-src (Minor issue) - qt4-x11 [jessie] - qt4-x11 (Minor issue) @@ -5442,7 +5442,7 @@ CVE-2018-19871 [QImage: QTgaFile CPU exhaustion] CVE-2018-19870 [Check for QImage allocation failure in qgifhandler] RESERVED [experimental] - qtbase-opensource-src 5.11.3+dfsg-1 - - qtbase-opensource-src (low) + - qtbase-opensource-src 5.11.3+dfsg-2 (low) [stretch] - qtbase-opensource-src (Minor issue) [jessie] - qtbase-opensource-src (Minor issue) - qt4-x11 (low) @@ -19565,7 +19565,7 @@ CVE-2018-15519 CVE-2018-15518 [Qt Base: "double free or corruption" in QXmlStreamReader] RESERVED [experimental] - qtbase-opensource-src 5.11.3+dfsg-1 - - qtbase-opensource-src + - qtbase-opensource-src 5.11.3+dfsg-2 [jessie] - qtbase-opensource-src (Minor issue) NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/ NOTE: https://codereview.qt-project.org/#/c/236691/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/705b50208c3f9f92754b25ec32ab6c487c47f479 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/705b50208c3f9f92754b25ec32ab6c487c47f479 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
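Review bot: the three hunks are inconsistent about stretch: the CVE-2018-19870 block carries "[stretch] - qtbase-opensource-src (Minor issue)", while the CVE-2018-19873 and CVE-2018-15518 blocks only carry a [jessie] line, so stretch will show as affected and unfixed for those two. Either add the matching stretch triage lines or add a NOTE saying why stretch is not affected by them.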
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-20482/tar
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 396f08b7 by Salvatore Bonaccorso at 2018-12-26T21:01:26Z Add Debian bug reference for CVE-2018-20482/tar - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,7 @@ CVE-2018-20483 (set_file_metadata in xattr.c in GNU Wget through 1.20 stores a f NOTE: Don't use extended attributes by default: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8 NOTE: Introduced by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=a933bdd31eee9c956a3b5cc142f004ef1fa94cb3 (v1.19) CVE-2018-20482 (GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage ...) - - tar + - tar (bug #917377) NOTE: https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug NOTE: https://news.ycombinator.com/item?id=18745431 NOTE: https://twitter.com/thatcks/status/1076166645708668928 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/396f08b7caf843f437a7421854e915e5458d3a6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/396f08b7caf843f437a7421854e915e5458d3a6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-20482/tar
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f65852e by Salvatore Bonaccorso at 2018-12-26T20:50:34Z Add CVE-2018-20482/tar - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,10 @@ CVE-2018-20483 (set_file_metadata in xattr.c in GNU Wget through 1.20 stores a f NOTE: Don't use extended attributes by default: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8 NOTE: Introduced by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=a933bdd31eee9c956a3b5cc142f004ef1fa94cb3 (v1.19) CVE-2018-20482 (GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage ...) - TODO: check + - tar + NOTE: https://utcc.utoronto.ca/~cks/space/blog/sysadmin/TarFindingTruncateBug + NOTE: https://news.ycombinator.com/item?id=18745431 + NOTE: https://twitter.com/thatcks/status/1076166645708668928 CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) - poppler (low; bug #917325) [stretch] - poppler (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f65852edb8768427066ef34db1f1c9d3f340f9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f65852edb8768427066ef34db1f1c9d3f340f9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
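Review bot: the new CVE-2018-20482 entry lists a blog post, a news thread and a tweet as NOTEs but no upstream fix commit or fixed release, and it carries neither a severity tag nor [stretch]/[jessie] lines; since "GNU Tar through 1.30" covers every released tar, the stable suites need a triage decision as well, and a "TODO: check upstream fix" (or the upstream change once known) would make the entry actionable rather than leaving the three links as the only record.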
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-20483/wget
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2f66cc4 by Salvatore Bonaccorso at 2018-12-26T20:32:01Z Add Debian bug reference for CVE-2018-20483/wget - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2018-20485 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has X CVE-2018-20484 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2018-20483 (set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's ...) - - wget + - wget (bug #917375) [stretch] - wget (Vulnerable code introduced in 1.19) [jessie] - wget (Vulnerable code introduced in 1.19) NOTE: https://twitter.com/marcan42/status/1077676739877232640 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2f66cc44972cdf03bdc5f58d68fc0eac4e59f60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2f66cc44972cdf03bdc5f58d68fc0eac4e59f60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: Add CVE-2018-20483/wget
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ff23b2a by Salvatore Bonaccorso at 2018-12-26T20:20:36Z Add CVE-2018-20483/wget - - - - - 4d4f86f8 by Salvatore Bonaccorso at 2018-12-26T20:26:11Z Add commit references for CVE-2018-20483/wget - - - - - 3eeaba70 by Salvatore Bonaccorso at 2018-12-26T20:28:37Z Track introducing commit for CVE-2018-20483/wget - - - - - 6221d031 by Salvatore Bonaccorso at 2018-12-26T20:29:56Z Mark affected status for CVE-2018-20483/wget The respective feature was only introduced in 1.19. As such only current unstable (and buster) are affected. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -5,7 +5,13 @@ CVE-2018-20485 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has X CVE-2018-20484 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2018-20483 (set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's ...) - TODO: check + - wget + [stretch] - wget (Vulnerable code introduced in 1.19) + [jessie] - wget (Vulnerable code introduced in 1.19) + NOTE: https://twitter.com/marcan42/status/1077676739877232640 + NOTE: Fixed by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=3cdfb594cf75f11cdbb9702ac5e856c332ccacfa + NOTE: Don't use extended attributes by default: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c125d24762962d91050d925fbbd9e6f30b2302f8 + NOTE: Introduced by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=a933bdd31eee9c956a3b5cc142f004ef1fa94cb3 (v1.19) CVE-2018-20482 (GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage ...) TODO: check CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/857ab33c28633f1d99367d74b569325103dacfec...6221d03135ecd0b3873f408b83c22a01f211d0f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/857ab33c28633f1d99367d74b569325103dacfec...6221d03135ecd0b3873f408b83c22a01f211d0f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
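Review bot: the hunk labels the later NOTEs ("Fixed by:", "Don't use extended attributes by default:", "Introduced by:") but the first one, the twitter link, has no label, so its role (the original report) is not obvious next to the labelled ones; prefix it the same way. The unstable line is also a bare "- wget" with no fixed version and no severity tag even though the fixing commit is known; record the upstream release carrying commit 3cdfb594 once it exists, and the Debian version when the upload happens, so the fix reference and the package line stop disagreeing.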
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 857ab33c by Salvatore Bonaccorso at 2018-12-26T20:16:06Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2018-20486 (MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php ...) - TODO: check + NOT-FOR-US: MetInfo CVE-2018-20485 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2018-20484 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine ADSelfService Plus CVE-2018-20483 (set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's ...) TODO: check CVE-2018-20482 (GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage ...) @@ -13383,7 +13383,7 @@ CVE-2018-17958 (Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl81 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=1a326646fef38782e5542280040ec3ea23e4a730 NOTE: https://www.openwall.com/lists/oss-security/2018/10/08/1 CVE-2018-17957 (The YaST2 RMT module for configuring the SUSE Repository Mirroring ...) - TODO: check + NOT-FOR-US: YaST2 RMT module CVE-2018-17956 RESERVED CVE-2018-17955 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/857ab33c28633f1d99367d74b569325103dacfec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/857ab33c28633f1d99367d74b569325103dacfec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 689f569d by security tracker role at 2018-12-26T20:10:30Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2018-20486 (MetInfo 6.x through 6.1.3 has XSS via the /admin/login/login_check.php ...) + TODO: check +CVE-2018-20485 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) + TODO: check +CVE-2018-20484 (Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in ...) + TODO: check +CVE-2018-20483 (set_file_metadata in xattr.c in GNU Wget through 1.20 stores a file's ...) + TODO: check +CVE-2018-20482 (GNU Tar through 1.30, when --sparse is used, mishandles file shrinkage ...) + TODO: check CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) - poppler (low; bug #917325) [stretch] - poppler (Minor issue) @@ -5931,12 +5941,14 @@ CVE-2018-19664 (libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the ... CVE-2018-19663 RESERVED CVE-2018-19662 (An issue was discovered in libsndfile 1.0.28. There is a buffer ...) + {DLA-1618-1} - libsndfile (low) [stretch] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate) CVE-2018-19661 (An issue was discovered in libsndfile 1.0.28. There is a buffer ...) + {DLA-1618-1} - libsndfile (low) [stretch] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 
@@ -9220,6 +9232,7 @@ CVE-2018-19434 (An issue was discovered on the Bank Account Matching - Rec CVE-2018-19433 (ShowDoc 2.4.1 has XSS via the lang parameter because ...) NOT-FOR-US: ShowDoc CVE-2018-19432 (An issue was discovered in libsndfile 1.0.28. There is a NULL pointer ...) + {DLA-1618-1} - libsndfile (low; bug #914381) [stretch] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/427 @@ -13369,8 +13382,8 @@ CVE-2018-17958 (Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl81 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=1a326646fef38782e5542280040ec3ea23e4a730 NOTE: https://www.openwall.com/lists/oss-security/2018/10/08/1 -CVE-2018-17957 - RESERVED +CVE-2018-17957 (The YaST2 RMT module for configuring the SUSE Repository Mirroring ...) + TODO: check CVE-2018-17956 RESERVED CVE-2018-17955 @@ -25325,6 +25338,7 @@ CVE-2018-13141 CVE-2018-13140 (Druide Antidote through 9.5.1 on Windows and Linux allows remote code ...) NOT-FOR-US: Druide Antidote CVE-2018-13139 (A stack-based buffer overflow in psf_memset in common.c in libsndfile ...) + {DLA-1618-1} - libsndfile (unimportant) NOTE: https://github.com/erikd/libsndfile/issues/397 NOTE: https://github.com/erikd/libsndfile/commit/aaea680337267bfb6d2544da878890ee7f1c5077 @@ -59137,6 +59151,7 @@ CVE-2017-1002101 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to - kubernetes 1.7.16+dfsg-1 (bug #892801) NOTE: https://github.com/kubernetes/kubernetes/issues/60813 CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead ...) + {DLA-1618-1} - libsndfile (low; bug #884735) [stretch] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) 
@@ -59144,6 +59159,7 @@ CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 m NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: Might be a duplicate of CVE-2017-14245/CVE-2017-14246 CVE-2017-17456 (The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead ...) + {DLA-1618-1} - libsndfile (low; bug #884735) [stretch] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) @@ -61629,10 +61645,10 @@ CVE-2018-0726 RESERVED CVE-2018-0725 RESERVED -CVE-2018-0724 - RESERVED -CVE-2018-0723 - RESERVED +CVE-2018-0724 (Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance ...) + TODO: check +CVE-2018-0723 (Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance ...) + TODO: check CVE-2018-0722 RESERVED CVE-2018-0721 (Buffer Overflow vulnerability in QNAP QTS 4.2.6 build 20180711 and ...) @@ -70751,6 +70767,7 @@ CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Hord NOTE:
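Review bot: the hunk at @@ -61629 turns CVE-2018-0724 and CVE-2018-0723 from RESERVED into described entries with "TODO: check"; both descriptions name the Q'center Virtual Appliance, the same product family as the adjacent CVE-2018-0721 (QNAP QTS), so they are worth handling in the same NFU triage pass as the other new TODOs this update introduced, rather than being left open at the bottom of the file.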
[Git][security-tracker-team/security-tracker][master] 2 commits: Add fixing version information for CVE-2018-3740/ruby-sanitize
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b492f000 by Salvatore Bonaccorso at 2018-12-26T16:24:41Z Add fixing version information for CVE-2018-3740/ruby-sanitize - - - - - d263bc08 by Salvatore Bonaccorso at 2018-12-26T16:33:50Z CVE-2018-3740/ruby-sanitize: Reference fixes for 2.1.x version - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51888,7 +51888,8 @@ CVE-2018-3740 (A specially crafted HTML fragment can cause Sanitize gem for Ruby - ruby-sanitize 4.6.6-1 (bug #893610) [jessie] - ruby-sanitize (Only occurs with libxml2 >= 2.9.2, jessie has 2.9.1) NOTE: https://github.com/rgrove/sanitize/issues/176 - NOTE: https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e + NOTE: https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e (v4.6.3) + NOTE: Fixes for 2.1.x: https://github.com/rgrove/sanitize/compare/v2.1.0...v2.1.1 NOTE: Only an issue in combination with libxml2 >= 2.9.2 NOTE: The 'fragment' method was renamed from 'clean' method in earlier version NOTE: in v3.0.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/8178259445cd3a9bd74fb3930987a0385bc432d0...d263bc08d24643fc2a7979cd0151410fc16316ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/8178259445cd3a9bd74fb3930987a0385bc432d0...d263bc08d24643fc2a7979cd0151410fc16316ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
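Review bot: the two existing NOTE lines "NOTE: The 'fragment' method was renamed from 'clean' method in earlier version" and "NOTE: in v3.0.0" are one sentence split across two NOTE entries; since this hunk edits the lines right above them, fold them into a single NOTE in the same commit. The new "(v4.6.3)" tag on the fix commit and the v2.1.0...v2.1.1 compare link are useful, but the jessie line still gives "Only occurs with libxml2 >= 2.9.2" as the reason for no action; say in the new NOTE whether the 2.1.1 changes are the ones that would apply to jessie, so the 2.1.x reference and the no-action reason are read together.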
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-3740/ruby-sanitize in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 81782594 by Salvatore Bonaccorso at 2018-12-26T16:19:15Z Add fixed version for CVE-2018-3740/ruby-sanitize in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51885,7 +51885,7 @@ CVE-2018-3741 (There is a possible XSS vulnerability in all rails-html-sanitizer NOTE: https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae CVE-2018-3740 (A specially crafted HTML fragment can cause Sanitize gem for Ruby to ...) [experimental] - ruby-sanitize 4.6.5-1 - - ruby-sanitize (bug #893610) + - ruby-sanitize 4.6.6-1 (bug #893610) [jessie] - ruby-sanitize (Only occurs with libxml2 >= 2.9.2, jessie has 2.9.1) NOTE: https://github.com/rgrove/sanitize/issues/176 NOTE: https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8178259445cd3a9bd74fb3930987a0385bc432d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8178259445cd3a9bd74fb3930987a0385bc432d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-1000858/gnupg2 as no-dsa for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9be6c41 by Salvatore Bonaccorso at 2018-12-26T16:16:17Z Mark CVE-2018-1000858/gnupg2 as no-dsa for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -486,6 +486,7 @@ CVE-2018-1000860 (phpipam version 1.3.2 and earlier contains a Cross Site Script NOTE: https://github.com/phpipam/phpipam/issues/2338 CVE-2018-1000858 (GnuPG version 2.1.12 - 2.2.11 contains a Cross ite Request Forgery ...) - gnupg2 2.2.12-1 + [stretch] - gnupg2 (Minor issue) [jessie] - gnupg2 (Vulnerable code was introduced later) - gnupg1 (Vulnerable code introduced in 2.x in 2.1.12) - gnupg (Vulnerable code introduced in 2.x in 2.1.12) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9be6c414b2ecf5cf27b1c5eb14ee68834e79cb7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9be6c414b2ecf5cf27b1c5eb14ee68834e79cb7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 833b5fd5 by Henri Salo at 2018-12-26T13:16:59Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17708,6 +17708,7 @@ CVE-2018-16205 RESERVED CVE-2018-16204 RESERVED + NOT-FOR-US: WordPress plugin google-sitemap-generator CVE-2018-16203 RESERVED NOT-FOR-US: postgresql-pgpoolAdmin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/833b5fd5f6a849b2b14351142e6d332b0c6d65c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/833b5fd5f6a849b2b14351142e6d332b0c6d65c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f77a7f98 by Moritz Muehlenhoff at 2018-12-26T11:08:12Z stretch triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) - - poppler (bug #917325) + - poppler (low; bug #917325) + [stretch] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/692 NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143 CVE-2018-20480 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) @@ -29,7 +30,8 @@ CVE-2018-20469 CVE-2018-20468 RESERVED CVE-2018-20467 (In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can ...) - - imagemagick (bug #917326) + - imagemagick (low; bug #917326) + [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1408 NOTE: https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb CVE-2018-20466 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f77a7f98f51bacb86e99573d6a66e29e6148daca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f77a7f98f51bacb86e99573d6a66e29e6148daca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
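Review bot: both hunks add a (low) severity and a "[stretch] ... (Minor issue)" line but no [jessie] line, so jessie will still show as affected and untriaged for CVE-2018-20481 and CVE-2018-20467; if that is deliberately left to the LTS team, fine, otherwise add the jessie line in the same pass. For poppler the NOTE still points at a "Proposed fix" merge request, so the (low) rating and the missing fixed version both depend on an unmerged change; revisit the entry when merge request 143 lands.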
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-20467/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 026880a3 by Salvatore Bonaccorso at 2018-12-26T09:39:29Z Add Debian bug reference for CVE-2018-20467/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,7 @@ CVE-2018-20469 CVE-2018-20468 RESERVED CVE-2018-20467 (In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can ...) - - imagemagick + - imagemagick (bug #917326) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1408 NOTE: https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb CVE-2018-20466 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/026880a3da201f537bd786c48f05a2651934be09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/026880a3da201f537bd786c48f05a2651934be09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: dla-needed: update libsndfile entry
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a243d968 by Hugo Lefeuvre at 2018-12-26T09:06:32Z dla-needed: update libsndfile entry - - - - - 3e1dc523 by Hugo Lefeuvre at 2018-12-26T09:06:32Z dla-needed: add notes to graphicsmagick entry - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,6 +50,8 @@ ghostscript (Lucas Kanashiro) gnutls28 -- graphicsmagick (Hugo Lefeuvre) + NOTE: 20181226: CVE-2018-20184: looks like fix involves some refactoring. not sure it's worth it unless i can come with a trimmed down version of it + NOTE: CVE-2018-20185, CVE-2018-20189: fix trivial, easy to test, should be worth it. -- jasper (Markus Koschany) -- @@ -79,8 +81,8 @@ libraw (Abhijith PA) NOTE: the stack-based and heap-based overflow issues. (apo) -- libsndfile (Hugo Lefeuvre) - NOTE: 20181224: CVE-2017-17456 and similar: my patch was approved, will be uploaded soon - NOTE: 20181219: CVE-2017-17457/6: asked for cve update as duplicates of CVE-2017-14245/CVE-2017-14246 + NOTE: 20181226: CVE-2018-19758: currently checking + NOTE: 20181226: CVE-2017-17457/6: asked for cve update as duplicates of CVE-2017-14245/CVE-2017-14246, no answer yet -- linux (Ben Hutchings) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/47e83060f931717fd6c5e921717974a886371771...3e1dc523ff86bbd1431a2c3cb1a779935a6f67b5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/47e83060f931717fd6c5e921717974a886371771...3e1dc523ff86bbd1431a2c3cb1a779935a6f67b5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
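Review bot: in the libsndfile hunk the dated line "20181224: CVE-2017-17456 and similar: my patch was approved, will be uploaded soon" is removed, but neither replacement NOTE records what happened to that upload, so the dla-needed entry no longer says whether CVE-2017-17456 is still pending for jessie. Keep a status line for it (uploaded, or still waiting) next to the new "20181226: CVE-2018-19758: currently checking" note until the DLA is published.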
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-20467/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47e83060 by Salvatore Bonaccorso at 2018-12-26T09:03:26Z Add CVE-2018-20467/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,9 @@ CVE-2018-20469 CVE-2018-20468 RESERVED CVE-2018-20467 (In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/1408 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/db0add932fb850d762b02604ca3053b7d7ab6deb CVE-2018-20466 RESERVED CVE-2018-20465 (Craft CMS through 3.0.34 allows remote authenticated administrators to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47e83060f931717fd6c5e921717974a886371771 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47e83060f931717fd6c5e921717974a886371771 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
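Review bot: the new "- imagemagick" line carries neither a fixed version nor a Debian bug reference, so the entry shows the package as affected with nothing tracking the fix in unstable, even though the description already states the issue is fixed before 7.0.8-16 and the upstream commit is linked. Add the bug number in the usual "(bug #NNNNNN)" form as soon as it is filed so the open state has an owner.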
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-20481/poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf4b2302 by Salvatore Bonaccorso at 2018-12-26T08:58:41Z Add Debian bug reference for CVE-2018-20481/poppler - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) - - poppler + - poppler (bug #917325) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/692 NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143 CVE-2018-20480 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf4b2302b29ae6268843adebd515663707b9df62 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf4b2302b29ae6268843adebd515663707b9df62 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-20481/poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ea50d4f by Salvatore Bonaccorso at 2018-12-26T08:32:58Z Add CVE-2018-20481/poppler - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) - TODO: check + - poppler + NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/692 + NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143 CVE-2018-20480 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) NOT-FOR-US: S-CMS CVE-2018-20479 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ea50d4ff2ce3395ec9b1a6f333db28679bedb3a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ea50d4ff2ce3395ec9b1a6f333db28679bedb3a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
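Review bot: the second NOTE links merge_requests/143 as "Proposed fix", so there is no merged upstream fix to record yet and the versionless "- poppler" line is the right state; the entry still lacks a Debian bug reference, and the NOTE should be revisited once the merge request is merged so the tracker does not keep pointing at an unmerged change as the fix.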
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c3cc88e by Salvatore Bonaccorso at 2018-12-26T08:26:08Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) TODO: check CVE-2018-20480 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2018-20479 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2018-20478 (An issue was discovered in S-CMS 1.0. It allows reading certain files, ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2018-20477 (An issue was discovered in S-CMS 3.0. It allows SQL Injection via the ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2018-20476 (An issue was discovered in S-CMS 3.0. It allows XSS via the ...) - TODO: check + NOT-FOR-US: S-CMS CVE-2018-20475 RESERVED CVE-2018-20474 
@@ -31,13 +31,13 @@ CVE-2018-20467 (In coders/bmp.c in ImageMagick before 7.0.8-16, an input file ca CVE-2018-20466 RESERVED CVE-2018-20465 (Craft CMS through 3.0.34 allows remote authenticated administrators to ...) - TODO: check + NOT-FOR-US: Craft CMS CVE-2018-20464 (There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 ...) - TODO: check + NOT-FOR-US: CMS Made Simple CVE-2018-20463 (An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. ...) - TODO: check + NOT-FOR-US: JSmol2WP plugin for WordPress CVE-2018-20462 (An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A ...) - TODO: check + NOT-FOR-US: JSmol2WP plugin for WordPress CVE-2018-20461 (In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c ...) - radare2 3.1.2+dfsg-1 NOTE: https://github.com/radare/radare2/commit/a1bc65c3db593530775823d6d7506a457ed95267 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c3cc88eeb2ec95815337920fb80a27bc1bc9db1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c3cc88eeb2ec95815337920fb80a27bc1bc9db1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entries which got an update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 713149b2 by Salvatore Bonaccorso at 2018-12-26T08:23:59Z Remove no-dsa tagged entries which got an update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -59129,7 +59129,6 @@ CVE-2017-1002101 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 may lead ...) - libsndfile (low; bug #884735) [stretch] - libsndfile (Minor issue) - [jessie] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/344 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f @@ -59137,7 +59136,6 @@ CVE-2017-17457 (The function d2ulaw_array() in ulaw.c of libsndfile 1.0.29pre1 m CVE-2017-17456 (The function d2alaw_array() in alaw.c of libsndfile 1.0.29pre1 may lead ...) - libsndfile (low; bug #884735) [stretch] - libsndfile (Minor issue) - [jessie] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/344 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f @@ -70745,7 +70743,6 @@ CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Hord CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the function ...) - libsndfile (bug #876783) [stretch] - libsndfile (Minor issue) - [jessie] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/318 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 
@@ -71910,14 +71907,12 @@ CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eon CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c of ...) - libsndfile (low; bug #876682) [stretch] - libsndfile (Minor issue) - [jessie] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c of ...) - libsndfile (low; bug #876682) [stretch] - libsndfile (Minor issue) - [jessie] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f @@ -89582,7 +89577,6 @@ CVE-2017-8366 (The strescape function in ec_strings.c in Ettercap 0.8.2 allows r CVE-2017-8365 (The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote ...) {DLA-956-1} - libsndfile 1.0.27-3 (bug #862202) - [jessie] - libsndfile (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-i2les_array-pcm-c/ NOTE: https://github.com/erikd/libsndfile/issues/230 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 @@ -89595,7 +89589,6 @@ CVE-2017-8364 (The read_buf function in stream.c in rzip 2.1 allows remote attac CVE-2017-8363 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows ...) {DLA-956-1} - libsndfile 1.0.27-3 (bug #862203) - [jessie] - libsndfile (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-heap-based-buffer-overflow-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/233 NOTE: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 
@@ -89603,14 +89596,12 @@ CVE-2017-8363 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allo CVE-2017-8362 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows ...) {DLA-956-1} - libsndfile 1.0.27-3 (bug #862204) - [jessie] - libsndfile (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-invalid-memory-read-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/231 NOTE: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808 CVE-2017-8361 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows ...) {DLA-956-1} - libsndfile 1.0.27-3 (bug #862205) - [jessie] - libsndfile (Minor issue) NOTE:
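Review bot: every hunk in this change drops a "[jessie] - libsndfile (Minor issue)" line, but none of the affected entries (CVE-2017-17457, CVE-2017-17456, CVE-2017-14634, CVE-2017-14246, CVE-2017-14245, CVE-2017-8365, CVE-2017-8363, CVE-2017-8362, CVE-2017-8361) gains a {DLA-...} reference or a jessie fixed version in the same change, so jessie reads as unfixed and untracked for these CVEs until the DLA is recorded; the commit message says the entries "got an update" but does not name the DLA. Either land the DLA cross-reference together with this removal or cite the DLA id in the commit message so the intermediate state is explained.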
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f3f5d288 by security tracker role at 2018-12-26T08:10:25Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,43 @@ +CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRef ...) + TODO: check +CVE-2018-20480 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) + TODO: check +CVE-2018-20479 (An issue was discovered in S-CMS 1.0. It allows SQL Injection via the ...) + TODO: check +CVE-2018-20478 (An issue was discovered in S-CMS 1.0. It allows reading certain files, ...) + TODO: check +CVE-2018-20477 (An issue was discovered in S-CMS 3.0. It allows SQL Injection via the ...) + TODO: check +CVE-2018-20476 (An issue was discovered in S-CMS 3.0. It allows XSS via the ...) + TODO: check +CVE-2018-20475 + RESERVED +CVE-2018-20474 + RESERVED +CVE-2018-20473 + RESERVED +CVE-2018-20472 + RESERVED +CVE-2018-20471 + RESERVED +CVE-2018-20470 + RESERVED +CVE-2018-20469 + RESERVED +CVE-2018-20468 + RESERVED +CVE-2018-20467 (In coders/bmp.c in ImageMagick before 7.0.8-16, an input file can ...) + TODO: check +CVE-2018-20466 + RESERVED +CVE-2018-20465 (Craft CMS through 3.0.34 allows remote authenticated administrators to ...) + TODO: check +CVE-2018-20464 (There is a reflected XSS vulnerability in the CMS Made Simple 2.2.8 ...) + TODO: check +CVE-2018-20463 (An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. ...) + TODO: check +CVE-2018-20462 (An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. A ...) + TODO: check CVE-2018-20461 (In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c ...) - radare2 3.1.2+dfsg-1 NOTE: https://github.com/radare/radare2/commit/a1bc65c3db593530775823d6d7506a457ed95267 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f3f5d288bb73680f7fc50aa141e9e0671f0803d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f3f5d288bb73680f7fc50aa141e9e0671f0803d5 You're receiving this email because of your account on salsa.debian.org. 