[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1338-1 for beep
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 708b1224 by Chris Lamb at 2018-04-03T07:43:21+01:00 Reserve DLA-1338-1 for beep - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[03 Apr 2018] DLA-1338-1 beep - security update + {CVE-2018-0492} + [wheezy] - beep 1.3-3+deb7u1 [31 Mar 2018] DLA-1337-1 jruby - security update {CVE-2018-175 CVE-2018-176 CVE-2018-177 CVE-2018-178} [wheezy] - jruby 1.5.6-5+deb7u1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -12,8 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- apache2 (Roberto C. Sánchez) -- -beep (Chris Lamb) --- calibre NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking NOTE: 20180321: completely and invest the time to fix the Jessie version instead? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/708b12240b261b558eb94170cdbd0e427d309aea You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
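Review bot: the data/DLA/list hunk records DLA-1338-1 with the wheezy fix `beep 1.3-3+deb7u1`, but the commit touches only data/DLA/list and data/dla-needed.txt, so the CVE-2018-0492 entry in data/CVE/list receives no `{DLA-1338-1}` cross-reference here; the DLA-1331-1 removal commit further down this page edits the `{...}` line in data/CVE/list and the DLA/list entry together, and this commit should keep the two files in step the same way. The second hunk, dropping `beep (Chris Lamb)` from dla-needed.txt, is the right companion change once the DLA is reserved.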
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Triage beep for LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ff6a159 by Chris Lamb at 2018-04-03T07:39:48+01:00 Triage beep for LTS - - - - - d36f9705 by Chris Lamb at 2018-04-03T07:39:53+01:00 Claim beep in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -12,6 +12,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- apache2 (Roberto C. Sánchez) -- +beep (Chris Lamb) +-- calibre NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking NOTE: 20180321: completely and invest the time to fix the Jessie version instead? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7b49b7d4c003a25436004cb095e52213563355fc...d36f9705947aea1bfbe9150d284574190e9c1a24
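Review bot: the push lists two commits (1ff6a159 "Triage beep for LTS" and d36f9705 "Claim beep in data/dla-needed.txt"), yet the combined compare shows only the dla-needed.txt hunk, so whatever the triage commit changed cannot be reviewed from this mail. In the hunk itself the new `beep (Chris Lamb)` entry carries no NOTE line, while the calibre entry directly below documents its state with dated NOTE lines; a NOTE naming CVE-2018-0492 and the bug being worked on would tell other LTS contributors what the claim covers.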
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-9127/botan fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b49b7d4 by Salvatore Bonaccorso at 2018-04-03T08:11:54+02:00 CVE-2018-9127/botan fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -237,7 +237,7 @@ CVE-2018-9129 CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf ...) NOT-FOR-US: DVD X Player Standard CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard ...) - - botan (bug #894648) + - botan 2.4.0-5 (bug #894648) CVE-2018-9126 RESERVED CVE-2018-9125 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b49b7d4c003a25436004cb095e52213563355fc
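Review bot: the hunk records the unstable fix as `botan 2.4.0-5` but leaves stretch without any annotation, so the tracker keeps CVE-2018-9127 open for stretch until a `[stretch] - botan ...` line states the decision (fixed version, no-dsa, or not-affected); the description says 2.2.0 - 2.4.0 are affected, so that line belongs in the same pass as the unstable version rather than in a later catch-up.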
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Five CVEs for redmine fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 10c278fb by Salvatore Bonaccorso at 2018-04-03T08:08:23+02:00 Five CVEs for redmine fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10687,7 +10687,7 @@ CVE-2017-1000429 (rui Li finecms 5.0.10 is vulnerable to a reflected XSS in the CVE-2017-1000428 (flatCore-CMS 1.4.6 is vulnerable to reflected XSS in ...) NOT-FOR-US: flatCore-CMS CVE-2017-18026 (Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does ...) - - redmine (bug #887307) + - redmine 3.4.4-1 (bug #887307) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/issues/27516 (private) NOTE: https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd 
@@ -29540,26 +29540,26 @@ CVE-2017-15515 CVE-2017-15514 RESERVED CVE-2017-15568 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, ...) - - redmine (bug #882544) + - redmine 3.4.4-1 (bug #882544) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: upstream fixed in 3.2.8, 3.3.5 and 3.4.3 NOTE: https://github.com/redmine/redmine/commit/94f7cfbf990028348b9262578acbc53a94fce448 CVE-2017-15569 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, ...) - - redmine (bug #882545) + - redmine 3.4.4-1 (bug #882545) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508 CVE-2017-15570 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, ...) - - redmine (bug #882547) + - redmine 3.4.4-1 (bug #882547) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b CVE-2017-15571 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, ...) 
- - redmine (bug #882548) + - redmine 3.4.4-1 (bug #882548) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10c278fb6053ec051303a04fe2d7b90f40df7f82
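Review bot: all five entries (CVE-2017-18026, CVE-2017-15568, CVE-2017-15569, CVE-2017-15570, CVE-2017-15571) now record `redmine 3.4.4-1` for unstable and `Not supported in wheezy LTS` for wheezy, but none of the hunks adds a jessie or stretch line, so both suites stay listed as affected for all five ids; one follow-up adding the jessie/stretch decision beside each `redmine 3.4.4-1` line would close that gap. Also, only CVE-2017-15568 carries `NOTE: upstream fixed in 3.2.8, 3.3.5 and 3.4.3`, although CVE-2017-15569, -15570 and -15571 state the same upstream fix versions in their descriptions and would benefit from the same NOTE.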
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mark for now CVE-2018-1000074
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0146897 by Salvatore Bonaccorso at 2018-04-03T07:53:21+02:00 mark for now CVE-2018-174 The used version 1.5.6-5 is definitively not related to any change in owner_command.rb. If the code is unused in jruby then we can go ahead and mark it as unimportant severity as not affecting the resulting binary packages. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5119,7 +5119,7 @@ CVE-2018-174 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.1 - ruby1.9.1 - rubygems - - jruby 1.5.6-5 + - jruby NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-173 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e0146897fe2ede447bc5fabde39a0d720ac1ccf4
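Review bot: reverting `jruby 1.5.6-5` to a bare `- jruby` is right if 1.5.6-5 never touched owner_command.rb, but the reasoning lives only in the commit message; the entry's other lines carry their rationale inline (the NOTE URLs here, `(Vulnerable code not present)` on the neighbouring entries), so a `NOTE:` or `TODO:` line under `- jruby` stating that the affected code may be unused in jruby and that the entry should become unimportant once that is confirmed would stop the next triager from re-adding the version.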
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reorder two entries per source package name
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6ec8306 by Salvatore Bonaccorso at 2018-04-03T07:48:07+02:00 Reorder two entries per source package name - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5067,9 +5067,9 @@ CVE-2018-179 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.1 - ruby1.9.1 - rubygems + [wheezy] - rubygems (Vulnerable code not present) - jruby [wheezy] - jruby (Vulnerable code not present) - [wheezy] - rubygems (Vulnerable code not present) NOTE: https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759 NOTE: https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ @@ -5128,9 +5128,9 @@ CVE-2018-173 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.1 - ruby1.9.1 - rubygems + [wheezy] - rubygems (Vulnerable code not present) - jruby [wheezy] - jruby (Vulnerable code not present) - [wheezy] - rubygems (Vulnerable code not present) NOTE: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-172 (iRedMail version prior to commit f04b8ef contains a Insecure ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6ec8306958784a6e8c726948daa0622a1e3ef80
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-0493/remctl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc56be01 by Salvatore Bonaccorso at 2018-04-03T07:43:32+02:00 Reference fix for CVE-2018-0493/remctl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24037,6 +24037,7 @@ CVE-2018-0493 [use-after-free vulnerability] [jessie] - remctl (Affected code introduced in 3.12) [wheezy] - remctl (Affected code introduced in 3.12) NOTE: https://www.eyrie.org/~eagle/software/remctl/security/2018-04-01.html + NOTE: https://git.eyrie.org/?p=kerberos/remctl.git;a=commitdiff;h=e2b34e086f199b39f8ea36dd621684003835d172 CVE-2018-0492 [local privilege escalation] RESERVED - beep (bug #894667) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc56be01645df8ebf4b831846c27dbfc0c69b7d1
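Review bot: the added commitdiff NOTE documents the fix, but the `[jessie]` and `[wheezy] - remctl (Affected code introduced in 3.12)` lines rest on a claim about where the bug was introduced that the entry itself does not source; a further NOTE pointing at the commit or release that introduced the affected code (the 2018-04-01 upstream advisory already referenced is the natural citation) would let the jessie and wheezy calls be verified from the entry alone.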
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-0493: reference upstream advisory
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 424f42bc by Salvatore Bonaccorso at 2018-04-03T07:38:29+02:00 CVE-2018-0493: reference upstream advisory - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24036,6 +24036,7 @@ CVE-2018-0493 [use-after-free vulnerability] - remctl 3.14-1 [jessie] - remctl (Affected code introduced in 3.12) [wheezy] - remctl (Affected code introduced in 3.12) + NOTE: https://www.eyrie.org/~eagle/software/remctl/security/2018-04-01.html CVE-2018-0492 [local privilege escalation] RESERVED - beep (bug #894667) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/424f42bc7a9bbf9490995fa3bd3e162821f1c590
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add temporary description entry for CVE-2018-0493
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78a2dbce by Salvatore Bonaccorso at 2018-04-03T07:34:52+02:00 Add temporary description entry for CVE-2018-0493 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24030,7 +24030,7 @@ CVE-2018-0495 RESERVED CVE-2018-0494 RESERVED -CVE-2018-0493 +CVE-2018-0493 [use-after-free vulnerability] RESERVED {DSA-4159-1} - remctl 3.14-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/78a2dbce7ac2f2d01a651ff0ed4bea1ff1379818
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-18255: use common short url as per kernel-team patch origin schema
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc62a054 by Salvatore Bonaccorso at 2018-04-03T07:29:46+02:00 CVE-2017-18255: use common short url as per kernel-team patch origin schema - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -159,7 +159,7 @@ CVE-2018-9153 RESERVED CVE-2017-18255 (The perf_cpu_time_max_percent_handler function in kernel/events/core.c ...) - linux 4.11.6-1 - NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1572e45a924f254d9570093abde46430c3172e3d + NOTE: https://git.kernel.org/linus/1572e45a924f254d9570093abde46430c3172e3d CVE-2015-9259 (In Docker Notary before 0.1, the checkRoot function in ...) - notary 0.1~ds1-1 CVE-2015-9258 (In Docker Notary before 0.1, gotuf/signed/verify.go has a Signature ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc62a054d518219f0e8e8b81289986fa6aea7003
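Review bot: the rewrite also moves the reference from plain `http://` to `https://`, which the commit title does not mention; the `git.kernel.org/linus/<sha>` form survives cgit layout changes and matches the kernel team's other references, so no objection to the change itself, only a suggestion to state both reasons in the commit message.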
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add reference for CVE-2018-9135 to upstream issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 39f67361 by Salvatore Bonaccorso at 2018-04-03T07:19:44+02:00 Add reference for CVE-2018-9135 to upstream issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -212,7 +212,9 @@ CVE-2018-9136 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows att NOT-FOR-US: Jungo CVE-2018-9135 (In ImageMagick 7.0.7-24 Q16, there is a heap-based buffer over-read in ...) - imagemagick (unimportant) - NOTE: https://github.com/ImageMagick/ImageMagick/commit/4f7196b0b7539b113f2580b6a77aa496813d8899 + NOTE: https://github.com/ImageMagick/ImageMagick/issues/1009 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/361ed689cc8e56fd125f9d0d6508e9eb303bdca6 + NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4f7196b0b7539b113f2580b6a77aa496813d8899 NOTE: webp support not enabled, see #806425 CVE-2018-9134 (file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename ...) NOT-FOR-US: DedeCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/39f67361ceb4771dad7fbed97e89f322594eb9b6
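Review bot: the entry stays `(unimportant)` on the strength of `NOTE: webp support not enabled, see #806425`, so the severity depends on a build option rather than on the code; the NOTE should say so explicitly, that the severity has to be revisited if webp support is ever enabled. Since Debian's imagemagick package follows the 6.x branch, the `ImageMagick-6:` commit 4f7196b0 rather than the 7.x commit 361ed689 is the one a backport would use, which listing it first would make obvious.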
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove mentioning of CVE-2017-1000116 for DLA-1331-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2f7ffd6 by Salvatore Bonaccorso at 2018-04-03T07:13:54+02:00 Remove mentioning of CVE-2017-1000116 for DLA-1331-1 Reason: The issue fixed in DLA-1331-1 with regard to CVE-2017-1000116 is not a security one but a functional regression. As such CVE-2017-1000116 is fixed in the earlier update already. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38198,7 +38198,7 @@ CVE-2017-1000117 (A malicious third-party can give a crafted "ssh://...&quo - git 1:2.14.1-1 NOTE: https://public-inbox.org/git/xmqqh8xf482j@gitster.mtv.corp.google.com/T/#u CVE-2017-1000116 (Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ...) - {DSA-3963-1 DLA-1331-1 DLA-1072-1} + {DSA-3963-1 DLA-1072-1} - mercurial 4.3.1-1 (bug #871710) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29 NOTE: 11 patches need to be applied, the following are for 4.2: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -17,7 +17,7 @@ {CVE-2018-7225} [wheezy] - libvncserver 0.9.9+dfsg-1+deb7u3 [30 Mar 2018] DLA-1331-1 mercurial - security update - {CVE-2017-1000116 CVE-2018-1000132} + {CVE-2018-1000132} [wheezy] - mercurial 2.2.2-4+deb7u7 [30 Mar 2018] DLA-1330-1 openssl - security update {CVE-2018-0739} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2f7ffd66a4cfd5f7319063e84d49ec81699aadd
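Review bot: the two files are updated consistently, but the commit message is the only record of why `DLA-1331-1` was dropped from the CVE-2017-1000116 cross-reference; if the published DLA-1331-1 text itself named CVE-2017-1000116, anyone comparing the advisory with the tracker will see a mismatch, so a `NOTE:` under the CVE entry recording that DLA-1331-1 addressed a functional regression in the earlier CVE-2017-1000116 fix (DLA-1072-1) rather than a security issue would explain the discrepancy in place.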
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-11509/firebird*
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ae8473ba by Salvatore Bonaccorso at 2018-04-03T06:49:42+02:00 Add CVE-2017-11509/firebird* - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -41787,6 +41787,11 @@ CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary CVE-2017-11510 (An information leak exists in Wanscam's HW0021 network camera that ...) NOT-FOR-US: Wanscam's HW0021 network camera CVE-2017-11509 (An authenticated remote attacker can execute arbitrary code in ...) + - firebird3.0 + - firebird2.5 + NOTE: https://www.tenable.com/security/research/tra-2017-36 + NOTE: Firebird upstream responded to Tenable the issue is not intended to be addressed + NOTE: in "any current release". TODO: check CVE-2017-11508 (SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2 contain a SQL Injection ...) NOT-FOR-US: SecurityCenter View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae8473bac83379fdc1b7ef0e235c299e42854316
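Review bot: the hunk adds `firebird3.0` and `firebird2.5` with NOTEs saying upstream does not intend to fix the issue, yet the pre-existing `TODO: check` line is left in place below them, so the entry now reads as both triaged and untriaged; either remove the TODO or make it specific (for example, whether an authenticated remote code execution with no upstream fix gets marked no-dsa or needs a Debian-side patch), and record the stable-suite decision once it is made.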
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-0492/beep
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c3512bf by Salvatore Bonaccorso at 2018-04-03T06:46:05+02:00 Add bug reference for CVE-2018-0492/beep - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24036,7 +24036,7 @@ CVE-2018-0493 [wheezy] - remctl (Affected code introduced in 3.12) CVE-2018-0492 [local privilege escalation] RESERVED - - beep + - beep (bug #894667) CVE-2018-0491 (A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. ...) - tor 0.3.2.10-1 [wheezy] - tor (Not supported in wheezy LTS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c3512bf9b5d8937df05c23afd65e32ed5af695f
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-0492/beep
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 33446f10 by Salvatore Bonaccorso at 2018-04-03T06:38:38+02:00 Add CVE-2018-0492/beep - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24034,8 +24034,9 @@ CVE-2018-0493 - remctl 3.14-1 [jessie] - remctl (Affected code introduced in 3.12) [wheezy] - remctl (Affected code introduced in 3.12) -CVE-2018-0492 +CVE-2018-0492 [local privilege escalation] RESERVED + - beep CVE-2018-0491 (A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. ...) - tor 0.3.2.10-1 [wheezy] - tor (Not supported in wheezy LTS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/33446f107c178f9715cff504328e9f3ce8201289
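Review bot: the new entry is `RESERVED` with a bare `- beep` and carries no fixed version, bug reference or `{DSA-4163-1}` cross-reference, although DSA-4163-1 for CVE-2018-0492 had already been added to data/DSA/list the previous evening (commit 625b012e further down this page); the bug reference arrives in the next commit, but the DSA cross-reference and the unstable fixed version are missing from every visible commit and should be added so the CVE entry agrees with the advisory list.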
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new botan issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ab032a9 by Moritz Muehlenhoff at 2018-04-02T22:46:43+02:00 new botan issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -235,7 +235,7 @@ CVE-2018-9129 CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf ...) NOT-FOR-US: DVD X Player Standard CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard ...) - TODO: check + - botan (bug #894648) CVE-2018-9126 RESERVED CVE-2018-9125 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ab032a960ee4dfbd43cc8162d62996a1e6362b5
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5ab4ae2 by Moritz Muehlenhoff at 2018-04-02T22:43:41+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -70608,7 +70608,7 @@ CVE-2017-2160 CVE-2017-2159 RESERVED CVE-2017-2158 (Improper verification when expanding ZIP64 archives in Lhaplus ...) - TODO: check + NOT-FOR-US: Lhaplus CVE-2017-2157 (Untrusted search path vulnerability in installers for The Public ...) NOT-FOR-US: The Public Certification Service CVE-2017-2156 (Untrusted search path vulnerability in Vivaldi installer for Windows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5ab4ae23735b7e9f64f01bae92aeae2382045b3
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 80e516f8 by Moritz Muehlenhoff at 2018-04-02T22:40:18+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,7 @@ CVE-2018-9231 RESERVED CVE-2018-9230 (In OpenResty before 1.13.6.1, URI parameters were obtained using the ...) - TODO: check + NOT-FOR-US: OpenResty CVE-2018-9229 RESERVED CVE-2018-9228 @@ -95,7 +95,7 @@ CVE-2018-9185 CVE-2018-9184 RESERVED CVE-2018-9183 (The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS. ...) - TODO: check + NOT-FOR-US: Joomla addon CVE-2018-9182 RESERVED CVE-2018-9181 @@ -136,7 +136,7 @@ CVE-2018-9165 (The pushdup function in util/decompile.c in libming through 0.4.8 CVE-2018-9164 RESERVED CVE-2018-9163 (A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ...) - TODO: check + NOT-FOR-US: Zoho CVE-2018-9162 (Contec Smart Home 4.15 devices do not require authentication for ...) NOT-FOR-US: Contec Smart Home CVE-2018-9161 (Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers ...) @@ -6741,11 +6741,11 @@ CVE-2018-6663 CVE-2018-6662 RESERVED CVE-2018-6661 (DLL Side-Loading vulnerability in Microsoft Windows Client in McAfee ...) - TODO: check + NOT-FOR-US: McAfee CVE-2018-6660 (Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) ...) - TODO: check + NOT-FOR-US: McAfee CVE-2018-6659 (Reflected Cross-Site Scripting vulnerability in McAfee ePolicy ...) - TODO: check + NOT-FOR-US: McAfee CVE-2018-6658 RESERVED CVE-2018-6758 (The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through ...) 
@@ -8131,11 +8131,11 @@ CVE-2018-6253 (NVIDIA GPU Display Driver contains a vulnerability in DirectX and [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4649 CVE-2018-6252 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6251 (NVIDIA Windows GPU Display Driver contains a vulnerability in DirectX ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6250 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel mode ...) - nvidia-graphics-drivers (bug #894338) [stretch] - nvidia-graphics-drivers (Non-free not supported) @@ -8148,9 +8148,9 @@ CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel mode [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4649 CVE-2018-6248 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6247 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) - TODO: check + NOT-FOR-US: NVIDIA Windows driver CVE-2018-6246 RESERVED CVE-2018-6245 @@ -21222,7 +21222,7 @@ CVE-2018-1297 (When using Distributed Test only (RMI based), Apache JMeter 2.x a CVE-2018-1296 RESERVED CVE-2018-1295 (In Apache Ignite 2.3 or earlier, the serialization mechanism does not ...) - TODO: check + NOT-FOR-US: Apache Ignite CVE-2018-1294 (If a user of Commons-Email (typically an application programmer) ...) - commons-email (Fixed with first upload to Debian) NOTE: https://marc.info/?i=CAF8HOZ+J3NkaywfbHuQpHxK9ZXeT4=4vs9rowcdiudnt1qa...@mail.gmail.com 
@@ -22724,7 +22724,7 @@ CVE-2018-1040 CVE-2018-1039 RESERVED CVE-2018-1038 (The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-1037 RESERVED CVE-2018-1036 @@ -24771,7 +24771,7 @@ CVE-2018-0196 (A vulnerability in the web-based user interface (web UI) of Cisco CVE-2018-0195 (A vulnerability in the Cisco IOS XE Software REST API could allow an ...) NOT-FOR-US: Cisco CVE-2018-0194 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0193 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software ...) NOT-FOR-US: Cisco CVE-2018-0192 @@ -77977,7 +77977,7 @@ CVE-2016-8719 (An exploitable reflected Cross-Site Scripting vulnerability exist CVE-2016-8718 (An exploitable Cross-Site Request Forgery vulnerability exists in the ...) NOT-FOR-US: Moxa CVE-2016-8717 (An exploitable Use
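Review bot: the `NOT-FOR-US` reasons vary between a vendor name (`McAfee`, `Microsoft`, `Cisco`) and a product (`NVIDIA Windows driver`, `Apache Ignite`), which is acceptable, but `NOT-FOR-US: OpenResty` for CVE-2018-9230 deserves a second look: OpenResty's URI-argument handling comes from lua-nginx-module, which Debian builds from the nginx source as libnginx-mod-http-lua, so the note should state whether that module's code is affected before the id is closed for Debian.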
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] beep DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 625b012e by Moritz Muehlenhoff at 2018-04-02T22:25:42+02:00 beep DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[02 Apr 2018] DSA-4163-1 beep - security update + {CVE-2018-0492} + [jessie] - beep 1.3-3+deb8u1 + [stretch] - beep 1.3-4+deb9u1 [01 Apr 2018] DSA-4162-1 irssi - security update {CVE-2018-5205 CVE-2018-5206 CVE-2018-5207 CVE-2018-5208 CVE-2018-7050 CVE-2018-7051 CVE-2018-7052 CVE-2018-7053 CVE-2018-7054} [stretch] - irssi 1.0.7-1~deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/625b012ec8ad910c6bd8466276789293fb6321ef
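Review bot: the DSA/list entry is added before any data/CVE/list entry for CVE-2018-0492 exists (that entry is created in commit 33446f10 at 06:38 the following morning), so for several hours the advisory referenced a CVE id the tracker had no record for; adding the CVE/list entry with `{DSA-4163-1}` and the jessie/stretch fixed versions in the same commit would avoid that window and the later catch-up commits.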
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] sam2p ignored
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4001ea96 by Moritz Muehlenhoff at 2018-04-02T22:23:15+02:00 sam2p ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4130,15 +4130,19 @@ CVE-2018-7555 RESERVED CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that leads to a ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/29 CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster function of ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/32 CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in mapping.cpp ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/30 CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that leads to ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/28 CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emulator ...) - qemu (bug #892041) 
@@ -4349,6 +4353,7 @@ CVE-2018-7488 RESERVED CVE-2018-7487 (There is a heap-based buffer overflow in the LoadPCX function of ...) - sam2p + [jessie] - sam2p (Consider removal in next point release) NOTE: https://github.com/pts/sam2p/issues/18 CVE-2018-7486 (Blue River Mura CMS before v7.0.7029 supports inline function calls ...) NOT-FOR-US: Blue River Mura CMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4001ea96673cf4430a1158c4d8fdf4ba649a90fd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4001ea96673cf4430a1158c4d8fdf4ba649a90fd You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
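Review bot: the commit message says "sam2p ignored", but every added line is a plain "[jessie] - sam2p (Consider removal in next point release)" with no explicit status marker, which is the same form the no-dsa entries elsewhere in data/CVE/list use (compare "[stretch] - unixodbc (Minor issue)" in f5361dc0). If the intended jessie state is "ignored" rather than the default no-dsa, make that explicit with the tracker's <ignored> marker on each of the five lines; if no-dsa is what was meant, fix the commit message instead. The parenthetical is also a suggestion rather than a reason; a short rationale for not updating (e.g. that the upstream issues are unfixed, as the linked GitHub issues would show) plus a NOTE carrying the "consider removal" proposal would be clearer to the next triager.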
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9426be7 by security tracker role at 2018-04-02T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,3 +1,113 @@ +CVE-2018-9231 + RESERVED +CVE-2018-9230 (In OpenResty before 1.13.6.1, URI parameters were obtained using the ...) + TODO: check +CVE-2018-9229 + RESERVED +CVE-2018-9228 + RESERVED +CVE-2018-9227 + RESERVED +CVE-2018-9226 + RESERVED +CVE-2018-9225 + RESERVED +CVE-2018-9224 + RESERVED +CVE-2018-9223 + RESERVED +CVE-2018-9222 + RESERVED +CVE-2018-9221 + RESERVED +CVE-2018-9220 + RESERVED +CVE-2018-9219 + RESERVED +CVE-2018-9218 + RESERVED +CVE-2018-9217 + RESERVED +CVE-2018-9216 + RESERVED +CVE-2018-9215 + RESERVED +CVE-2018-9214 + RESERVED +CVE-2018-9213 + RESERVED +CVE-2018-9212 + RESERVED +CVE-2018-9211 + RESERVED +CVE-2018-9210 + RESERVED +CVE-2018-9209 + RESERVED +CVE-2018-9208 + RESERVED +CVE-2018-9207 + RESERVED +CVE-2018-9206 + RESERVED +CVE-2018-9205 + RESERVED +CVE-2018-9204 + RESERVED +CVE-2018-9203 + RESERVED +CVE-2018-9202 + RESERVED +CVE-2018-9201 + RESERVED +CVE-2018-9200 + RESERVED +CVE-2018-9199 + RESERVED +CVE-2018-9198 + RESERVED +CVE-2018-9197 + RESERVED +CVE-2018-9196 + RESERVED +CVE-2018-9195 + RESERVED +CVE-2018-9194 + RESERVED +CVE-2018-9193 + RESERVED +CVE-2018-9192 + RESERVED +CVE-2018-9191 + RESERVED +CVE-2018-9190 + RESERVED +CVE-2018-9189 + RESERVED +CVE-2018-9188 + RESERVED +CVE-2018-9187 + RESERVED +CVE-2018-9186 + RESERVED +CVE-2018-9185 + RESERVED +CVE-2018-9184 + RESERVED +CVE-2018-9183 (The Joom Sky JS Jobs extension before 1.2.1 for Joomla! has XSS. ...) + TODO: check +CVE-2018-9182 + RESERVED +CVE-2018-9181 + RESERVED +CVE-2018-9180 + RESERVED +CVE-2018-9179 + RESERVED +CVE-2018-9178 + RESERVED +CVE-2018-9177 + RESERVED CVE-2018-9176 RESERVED CVE-2018-9175 (DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via ...) 
@@ -25,8 +135,8 @@ CVE-2018-9165 (The pushdup function in util/decompile.c in libming through 0.4.8 NOTE: https://github.com/libming/libming/issues/121 CVE-2018-9164 RESERVED -CVE-2018-9163 - RESERVED +CVE-2018-9163 (A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine ...) + TODO: check CVE-2018-9162 (Contec Smart Home 4.15 devices do not require authentication for ...) NOT-FOR-US: Contec Smart Home CVE-2018-9161 (Prisma Industriale Checkweigher PrismaWEB 1.21 allows remote attackers ...) @@ -124,8 +234,8 @@ CVE-2018-9129 RESERVED CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted .plf ...) NOT-FOR-US: DVD X Player Standard -CVE-2018-9127 - RESERVED +CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard ...) + TODO: check CVE-2018-9126 RESERVED CVE-2018-9125 @@ -6625,12 +6735,12 @@ CVE-2018-6663 RESERVED CVE-2018-6662 RESERVED -CVE-2018-6661 - RESERVED -CVE-2018-6660 - RESERVED -CVE-2018-6659 - RESERVED +CVE-2018-6661 (DLL Side-Loading vulnerability in Microsoft Windows Client in McAfee ...) + TODO: check +CVE-2018-6660 (Directory Traversal vulnerability in McAfee ePolicy Orchestrator (ePO) ...) + TODO: check +CVE-2018-6659 (Reflected Cross-Site Scripting vulnerability in McAfee ePolicy ...) + TODO: check CVE-2018-6658 RESERVED CVE-2018-6758 (The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through ...) @@ -8004,8 +8114,7 @@ CVE-2018-6255 RESERVED CVE-2018-6254 RESERVED -CVE-2018-6253 - RESERVED +CVE-2018-6253 (NVIDIA GPU Display Driver contains a vulnerability in DirectX and ...) - nvidia-graphics-drivers (bug #894338) [stretch] - nvidia-graphics-drivers (Non-free not supported) [jessie] - nvidia-graphics-drivers (Non-free not supported) 
@@ -8016,14 +8125,13 @@ CVE-2018-6253 [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4649 -CVE-2018-6252 - RESERVED -CVE-2018-6251 - RESERVED -CVE-2018-6250 - RESERVED -CVE-2018-6249 - RESERVED +CVE-2018-6252 (NVIDIA Windows GPU Display Driver contains a vulnerability in the ...) + TODO: check +CVE-2018-6251 (NVIDIA Windows GPU Display Driver contains a vulnerability in DirectX ...) + TOD
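Review bot: the three hunks that turn RESERVED placeholders into described entries (CVE-2018-9163, CVE-2018-9127, CVE-2018-6661 through CVE-2018-6659, CVE-2018-6252 onwards) all land with "TODO: check", which is the expected output of the automatic update, but it leaves a triage backlog that this list shows being cleared by hand later (95d124f3 turns the DedeCMS TODOs into NOT-FOR-US). Of the new TODOs, the McAfee ePolicy Orchestrator, McAfee Windows Client and NVIDIA Windows entries read as vendor-only products and can probably go straight to NOT-FOR-US; the ones worth an actual look are CVE-2018-9230 (OpenResty, URI parameters) and CVE-2018-9127 (Botan 2.2.0 to 2.4.0, wildcard handling), whose descriptions do not point at a vendor-specific product. Note also that the @@ -8004 hunk gives CVE-2018-6253 its description while the nvidia-graphics-drivers package lines and bug #894338 already existed beneath the RESERVED marker, so that one needs no further triage.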
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new HHVM issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e94bbe4 by Moritz Muehlenhoff at 2018-04-02T17:15:17+02:00 new HHVM issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7809,6 +7809,8 @@ CVE-2018-6335 RESERVED CVE-2018-6334 RESERVED + - hhvm + NOTE: https://hhvm.com/blog/2018/03/30/hhvm-3.25.2.html CVE-2018-6333 RESERVED CVE-2018-6332 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4e94bbe45b4d14ce6cd1d7e46bf0d7e75044f9a0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4e94bbe45b4d14ce6cd1d7e46bf0d7e75044f9a0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
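Review bot: the "- hhvm" line added under CVE-2018-6334 carries neither a fixed version nor a Debian bug reference, so the entry will show as unfixed in unstable with nothing pointing at the work to be done, and the CVE itself is still RESERVED with no description. If the hhvm 3.25.2 release linked in the NOTE is the upstream fix, record the Debian version that contains it on the package line, or file a bug and reference it as "(bug #NNNNNN)" (placeholder) the way the other entries in this file do, and add a one-line NOTE saying what the issue is, since the CVE text is not public yet.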
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] thrift unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ee12b179 by Moritz Muehlenhoff at 2018-04-02T13:11:11+02:00 thrift unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -88897,11 +88897,13 @@ CVE-2016-5399 (The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x CVE-2016-5398 (Cross-site scripting (XSS) vulnerability in Business Process Editor in ...) NOT-FOR-US: JBoss BPMS CVE-2016-5397 (The Apache Thrift Go client library exposed the potential during code ...) - - thrift-compiler + - thrift-compiler (unimportant) + - thrift (unimportant) NOTE: https://issues.apache.org/jira/browse/THRIFT-3893 NOTE: https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e NOTE: Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present NOTE: src:thrift only present in experimental + NOTE: Go bindings only enabled in 0.9.3-2 (not yet in unstable) CVE-2016-5396 (Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb ...) - trafficserver 7.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee12b1797f1b996b6f8b7ece494d390dbc29853b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee12b1797f1b996b6f8b7ece494d390dbc29853b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
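Review bot: the "unimportant" rating on both "- thrift-compiler" and the new "- thrift" line rests entirely on the added NOTE that the Go bindings are only enabled in 0.9.3-2, which is not yet in unstable; in other words the vulnerable Go client library is not built by anything in the archive today. That makes the severity conditional, so either state it in the NOTE ("unimportant while Go bindings are not built; revisit when 0.9.3-2 enters unstable") or record a fixed version on the "- thrift" line once the 0.10.0 upload noted as present in experimental reaches unstable, so the rating does not silently outlive the condition it depends on.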
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] several web2py issue n/a, mark the existing no-dsa entries as
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5361dc0 by Moritz Muehlenhoff at 2018-04-02T13:04:35+02:00 several web2py issue n/a, mark the existing no-dsa entries asunixodbc no-dsa ntp postponed podofo CVE dupe - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2774,10 +2774,9 @@ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/ NOTE: Upstream commit: http://sourceforge.net/p/podofo/code/1909 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...) - - libpodofo (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/13/ - NOTE: Believed to be a dupe of CVE-2017-5886 + NOTE: Upstream tracked this down as a of CVE-2017-5886 CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference ...) - graphite2 1.3.11-2 (bug #892590) [stretch] - graphite2 (Minor issue) @@ -4508,6 +4507,8 @@ CVE-2018-7410 RESERVED CVE-2018-7409 (In unixODBC before 2.3.5, there is a buffer overflow in the ...) - unixodbc (bug #891596) + [stretch] - unixodbc (Minor issue) + [jessie] - unixodbc (Minor issue) [wheezy] - unixodbc (Minor issue) NOTE: Fixed by: https://sourceforge.net/p/unixodbc/code/136/ NOTE: https://github.com/lurcher/unixODBC/commit/4f9f77fb4204659ec9b7be8745d9e05a539c80b9 
@@ -5321,6 +5322,8 @@ CVE-2018-7183 (Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows ...) - ntp 1:4.2.8p11+dfsg-1 + [stretch] - ntp (Can be fixed along in a future update) + [jessie] - ntp (Can be fixed along in a future update) [wheezy] - ntp (Issue not present) - ntpsec 1.0.0+dfsg1-5 NOTE: http://www.kb.cert.org/vuls/id/961909 
@@ -91530,25 +91533,25 @@ CVE-2016-4809 (The archive_read_format_cpio_read_header function in ...) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408 (v3.2.1) CVE-2016-10321 (web2py before 2.14.6 does not properly check if a host is denied before ...) - web2py (bug #860038) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585#issuecomment-284317919 NOTE: https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426 CVE-2016-4808 (Web2py versions 2.14.5 and below was affected by CSRF (Cross Site ...) - web2py (bug #856127) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd CVE-2016-4807 (Web2py versions 2.14.5 and below was affected by Reflected XSS ...) 
- web2py (bug #856127) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1 CVE-2016-4806 (Web2py versions 2.14.5 and below was affected by Local File Inclusion ...) - web2py (bug #856127) - [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2p
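Review bot: in the PoDoFo hunk the new line "NOTE: Upstream tracked this down as a of CVE-2017-5886" is missing a word, presumably "duplicate" (the commit message says "podofo CVE dupe"). After dropping "- libpodofo (bug #892520)" the CVE-2018-8000 entry is left with only NOTE lines and no package or NOT-FOR-US state; if the issue is to be tracked solely under CVE-2017-5886, say so on the entry, and check whether bug #892520 should be closed or retitled against CVE-2017-5886 so it does not remain open against a CVE the tracker no longer links to a package.

Review bot: in the unixodbc and ntp hunks the new "[stretch]" and "[jessie]" lines follow the existing wheezy form, but the ntp reason text "Can be fixed along in a future update" is awkward; "Can be fixed along with a future update" (or the usual "Minor issue") says the same thing in the file's normal register.

Review bot: in the web2py hunk every removed "[jessie] - web2py (Minor issue; ...)" line is re-added with identical visible text, so as rendered this is a whitespace-only change, while the commit message (cut short at "mark the existing no-dsa entries as") says the existing no-dsa entries were to be marked as something. If a status marker was meant to be added to the jessie lines it did not make it into the diff; if only indentation was fixed, the commit message should say so.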
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 95d124f3 by Moritz Muehlenhoff at 2018-04-02T11:10:22+02:00 NFUs drop one TODO, no real information around - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,13 +1,13 @@ CVE-2018-9176 RESERVED CVE-2018-9175 (DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2018-9174 (sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2018-9173 (Cross-site scripting (XSS) vulnerability in ...) - TODO: check + NOT-FOR-US: GetSimple CMS CVE-2018-9172 (The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-9171 RESERVED CVE-2018-9170 
@@ -4441,7 +4441,6 @@ CVE-2012-6709 (ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate NOTE: tested links2 against badssl.com, no apparent issue back in wheezy NOTE: src:links2/2.6-1 adds verify-ssl-certs-510417.diff to verify SSL certs. NOTE: src:links2 upstream in 2.11 adds support for verifying SSL certificates. - TODO: double check links2 again, since #694658 claims not all issues are fixed CVE-2018-7422 (A Local File Inclusion vulnerability in the Site Editor plugin through ...) NOT-FOR-US: Site Editor plugin for WordPress CVE-2018-7421 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the DMP dissector ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95d124f34af782268a68006f88ff800c75f051d9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/95d124f34af782268a68006f88ff800c75f051d9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
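Review bot: in the first hunk, "NOT-FOR-US: Wordpress plugin" on CVE-2018-9172 is less specific than the convention used in the same file ("NOT-FOR-US: Site Editor plugin for WordPress", visible in the second hunk); name the plugin from the description ("Iptanus WordPress File Upload plugin") and spell it WordPress.

Review bot: the links2 hunk deletes "TODO: double check links2 again, since #694658 claims not all issues are fixed" outright, with the commit message reasoning "no real information around". The bug number is the one piece of information worth keeping: rather than dropping the line, demote it to "NOTE: #694658 claims not all issues are fixed in links2" so whoever next looks at CVE-2012-6709 does not have to rediscover that report.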
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 77af6ecb by security tracker role at 2018-04-02T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,19 @@ +CVE-2018-9176 + RESERVED +CVE-2018-9175 (DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via ...) + TODO: check +CVE-2018-9174 (sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute ...) + TODO: check +CVE-2018-9173 (Cross-site scripting (XSS) vulnerability in ...) + TODO: check +CVE-2018-9172 (The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress ...) + TODO: check +CVE-2018-9171 + RESERVED +CVE-2018-9170 + RESERVED +CVE-2018-9169 + RESERVED CVE-2018-9168 RESERVED CVE-2018-9167 @@ -5612,6 +5628,7 @@ CVE-2018-7056 (RoomWizard before 4.4.x allows remote attackers to obtain potenti CVE-2018-7055 (GroupViewProxyServlet in RoomWizard before 4.4.x allows SSRF via the ...) NOT-FOR-US: RoomWizard CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) + {DSA-4162-1} - irssi 1.0.7-1 (bug #890674) [jessie] - irssi (Vulnerable netsplit code introduced in 1.0.0) [wheezy] - irssi (Vulnerable netsplit code introduced in 1.0.0) 
@@ -5622,25 +5639,26 @@ CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. NOTE: https://github.com/irssi/irssi/commit/a4f99ae746efb121185fe76c392a64d743a9eb92 NOTE: But the CVE is specifically for the use-after-free issue. CVE-2018-7053 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) + {DSA-4162-1} - irssi 1.0.7-1 (bug #890674) [jessie] - irssi (Vulnerable code introduced in 0.8.18) [wheezy] - irssi (Vulnerable code introduced in 0.8.18) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/84f03e01467b90a4251987b32b2813ee976b357c CVE-2018-7052 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - {DLA-1289-1} + {DSA-4162-1 DLA-1289-1} - irssi 1.0.7-1 (bug #890676) [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/5b5bfef03596d95079c728f65f523570dd7b03aa CVE-2018-7051 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. ...) - {DLA-1318-1} + {DSA-4162-1 DLA-1318-1} - irssi 1.0.7-1 (bug #890677) [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt NOTE: Fixed by: https://github.com/irssi/irssi/commit/e32e9d63c67ab95ef0576154680a6c52334b97af CVE-2018-7050 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1.1.1. A ...) - {DLA-1289-1} + {DSA-4162-1 DLA-1289-1} - irssi 1.0.7-1 (bug #890678) [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt 
@@ -10855,24 +10873,28 @@ CVE-2018-5210 (On Samsung mobile devices with N(7.x) software and Exynos chipset CVE-2018-5209 RESERVED CVE-2018-5208 (In Irssi before 1.0.6, a calculation error in the completion code could ...) + {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5207 (When using an incomplete variable argument, Irssi before 1.0.6 may ...) + {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5206 (When the channel topic is set without specifying a sender, Irssi before ...) + {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5205 (When using incomplete escape codes, Irssi before 1.0.6 may access data ...) + {DSA-4162-1} - irssi 1.0.7-1 (bug #886475) [jessie] - irssi (Minor issue) [wheezy] - irssi (Minor issue) @@ -21759,20 +21781,16 @@ CVE-2018-1096 [SQL injection in dashboard page] - foreman (bug #663101) NOTE: http://projects.theforeman.org/issues/23028 NOTE: h
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 4 commits: jruby 1.5.6-5 vulnerable to CVE-2018-1000074
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fe929ed by Chris Lamb at 2018-04-02T08:47:16+01:00 jruby 1.5.6-5 vulnerable to CVE-2018-174 - - - - - c5c89f2c by Chris Lamb at 2018-04-02T08:47:54+01:00 Triage jruby for LTS - - - - - 759dc058 by Chris Lamb at 2018-04-02T08:48:03+01:00 Triage rubygems for LTS - - - - - 8cb9f6ab by Chris Lamb at 2018-04-02T08:51:03+01:00 data/dla-needed.txt: Add note for ruby 1.9.1. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4986,7 +4986,7 @@ CVE-2018-174 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby2.1 - ruby1.9.1 - rubygems - - jruby + - jruby 1.5.6-5 NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-173 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -43,6 +43,8 @@ ipython NOTE: with untrusted content and upgrade to Jessie. Please double-check all NOTE: this. -- +jruby +-- krb5 NOTE: lts-do-not-call NOTE: Details not public. Yet. See https://lists.debian.org/msgid-search/20180208212643.GB7792@pisco.westfalen.local 
@@ -105,6 +107,9 @@ qemu-kvm ruby-rack-protection -- ruby1.9.1 (Santiago R.R.) + NOTE: 20180402: Also vulnerable to CVE-2018-174. (lamby) +-- +rubygems -- sam2p (Markus Koschany) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3c0e1137d4a270e2fdce7e4194ee05569fb02c9e...8cb9f6ab13f459aae9cd2d8c76ce59ac84457a70 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3c0e1137d4a270e2fdce7e4194ee05569fb02c9e...8cb9f6ab13f459aae9cd2d8c76ce59ac84457a70 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
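Review bot: in the data/CVE/list hunk, changing "- jruby" to "- jruby 1.5.6-5" records 1.5.6-5 as the version that fixes the issue in unstable, because a version after the package name is the fixed version in this file (compare "remctl fixed" in 3c0e1137 on this list, which changed "- remctl" to "- remctl 3.14-1"). The commit message says the opposite, that 1.5.6-5 is vulnerable. If the intent is "unfixed, and 1.5.6-5 is affected", keep the line as "- jruby" and carry the version in a NOTE or in the dla-needed.txt entry, as was done for ruby1.9.1 in the second hunk.

Review bot: the subject line reads "vulnerable to CVE-2018-1000074" while the commit message, the hunk header and the new dla-needed NOTE ("Also vulnerable to CVE-2018-174") all read CVE-2018-174; one of the two is wrong, and the identifier has to match the assigned CVE in both files or the dla-needed note will point at a different entry than the one just edited.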
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] remctl fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c0e1137 by Moritz Muehlenhoff at 2018-04-02T09:29:43+02:00 remctl fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -23896,7 +23896,7 @@ CVE-2018-0494 CVE-2018-0493 RESERVED {DSA-4159-1} - - remctl + - remctl 3.14-1 [jessie] - remctl (Affected code introduced in 3.12) [wheezy] - remctl (Affected code introduced in 3.12) CVE-2018-0492 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c0e1137d4a270e2fdce7e4194ee05569fb02c9e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c0e1137d4a270e2fdce7e4194ee05569fb02c9e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits