[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Fixes for CVE-2018-8763 may be incomplete

2018-04-05 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bf7a5506 by Brian May at 2018-04-06T16:42:13+10:00
Fixes for CVE-2018-8763 may be incomplete

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1508,6 +1508,7 @@ CVE-2018-8763 (Roland Gruber Softwareentwicklung LDAP 
Account Manager before 6.3
NOTE: 
https://github.com/LDAPAccountManager/lam/commit/16fc7f7e8603c5cb7c129cfbf97fc572b9b8740c
NOTE: 
https://github.com/LDAPAccountManager/lam/commit/d4f0d6db966af4dd7d83c978125635f03895b81a
NOTE: https://www.ldap-account-manager.org/lamcms/node/354
+   NOTE: Patches may be incomplete, see 
https://sourceforge.net/p/lam/bugs/196/
 CVE-2018-8762
RESERVED
 CVE-2018-8761 (protected\apps\member\controller\shopcarController.php in Yxcms 
...)
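Review bot: a NOTE that the patches may be incomplete is informational only; if the incompleteness calls the recorded fix for the package into question, add a `TODO:` line pointing at https://sourceforge.net/p/lam/bugs/196/ alongside it, so the entry appears in the TODO listing until upstream confirms the fix is complete.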



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf7a55065c7621a316f2ba09a4f53ef1114c2ed5

---
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf7a55065c7621a316f2ba09a4f53ef1114c2ed5
You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference upstream bug for patch issue

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2bbe79d9 by Salvatore Bonaccorso at 2018-04-06T07:26:40+02:00
Reference upstream bug for patch issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -128161,6 +128161,7 @@ CVE-2015-1418 (patch in FreeBSD 10.1 before 
10.1-RELEASE-p17, 10.2 before ...)
NOT-FOR-US: patch as used in FreeBSD specifically
 CVE-2018-1000156 [input validation vulnerability when processing patch files]
- patch  (bug #894993)
+   NOTE: Upstream bug: https://savannah.gnu.org/bugs/?53566
NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
NOTE: https://twitter.com/kurtseifried/status/982028968877436928
NOTE: This CVE is specifically for GNU patch and relates to 
CVE-2015-1418



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bbe79d9fdf001c2ccd8b06145f8f94bd37ccb83


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-1000156/patch specifically assigned for GNU patch

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3ed278c by Salvatore Bonaccorso at 2018-04-06T07:07:54+02:00
CVE-2018-1000156/patch specifically assigned for GNU patch

Queried MITRE which informed they can either update the description to
match GNU patch. OTOH, DWF project has already assigned CVE-2018-1000156
for specifically GNU patch with the reason that as both have though same
root, the code has substantially diverged over time by now, thus the
separate CVE id.

Follow that decision by marking CVE-2015-1418 NFU (specifically for
patch in FreeBSD) and add CVE-2018-1000156 entry for patch.

Updated https://bugs.debian.org/894993 accordingly.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -128158,11 +128158,14 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 
3.0.2 and earlier allows remo
NOTE: http://seclists.org/oss-sec/2015/q1/389
NOTE: Not a real security feature according the manpage and upstream
 CVE-2015-1418 (patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before ...)
+   NOT-FOR-US: patch as used in FreeBSD specifically
+CVE-2018-1000156 [input validation vulnerability when processing patch files]
- patch  (bug #894993)
NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
-   NOTE: 
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
-   NOTE: 
https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig
-   TODO: The CVE is actually specifically for "bsdpatch", asked MITRE for 
clarification on scope (i.e. if we should get a new CVE for src:patch)
+   NOTE: https://twitter.com/kurtseifried/status/982028968877436928
+   NOTE: This CVE is specifically for GNU patch and relates to 
CVE-2015-1418
+   NOTE: Respective patch in FreeBSD: 
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
+   NOTE: Respective patch in OpenBSD: 
https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig
 CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, ...)
- kfreebsd-10 10.2-1 (unimportant)
NOTE: kfreebsd not covered by security support in Jessie
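Review bot: the new `CVE-2018-1000156 [input validation vulnerability when processing patch files]` block is inserted beside CVE-2015-1418 around line 128158 rather than next to the CVE-2018-1000154 and CVE-2018-1000155 entries at the head of the file; if the automatic update later adds a `CVE-2018-1000156` RESERVED stub at the top, the file will carry two entries for the same id, so the stub should be removed on the next run, the same way the gitlab id assignments in this digest drop the RESERVED stub once the id is attached to the manual entry.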



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f3ed278cd5aa2a49a1d686d495c03e3f8d91d51f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update entry for CVE-2015-1418, keep TODO until clarified with MITRE

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6ac9a25 by Salvatore Bonaccorso at 2018-04-06T06:04:03+02:00
Update entry for CVE-2015-1418, keep TODO until clarified with MITRE

Same issue is in src:patch as well as shown by
https://bugs.debian.org/894993 and
https://rachelbythebay.com/w/2018/04/05/bangpatch/ with a crafted patch
file.

For now associate CVE-2015-1418 as well with src:patch but clarification
with MITRE is pending if the src:patch issue should get a new
identifier, bsdpatch and GNU patch being different sources.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -128158,7 +128158,11 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 
3.0.2 and earlier allows remo
NOTE: http://seclists.org/oss-sec/2015/q1/389
NOTE: Not a real security feature according the manpage and upstream
 CVE-2015-1418 (patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before ...)
-   TODO: check
+   - patch  (bug #894993)
+   NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
+   NOTE: 
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
+   NOTE: 
https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig
+   TODO: The CVE is actually specifically for "bsdpatch", asked MITRE for 
clarification on scope (i.e. if we should get a new CVE for src:patch)
 CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, ...)
- kfreebsd-10 10.2-1 (unimportant)
NOTE: kfreebsd not covered by security support in Jessie



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6ac9a25a288b83168ec1cc1ea7441341face70e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-9234

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d1f7d23d by Salvatore Bonaccorso at 2018-04-05T23:05:22+02:00
Add bug reference for CVE-2018-9234

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -312,7 +312,7 @@ CVE-2017-18256 (Brave Browser before 0.13.0 allows remote 
attackers to cause a d
 CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even 
if the ...)
NOT-FOR-US: Brave Browser
 CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which 
key ...)
-   - gnupg2  (low)
+   - gnupg2  (low; bug #894983)
[stretch] - gnupg2  (Minor issue)
[jessie] - gnupg2  (Minor issue)
[wheezy] - gnupg2  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1f7d23da930a7217b35d6cf2a231935f98fff01


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7e2c3f39 by Salvatore Bonaccorso at 2018-04-05T22:16:22+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -3,7 +3,7 @@ CVE-2018-9330
 CVE-2018-9329
RESERVED
 CVE-2018-9328 (PHP Scripts Mall Redbus Clone Script 3.0.6 has XSS via the 
ter_from ...)
-   TODO: check
+   NOT-FOR-US: PHP Scripts Mall Redbus Clone Script
 CVE-2018-9327
RESERVED
 CVE-2018-9326
@@ -41,7 +41,7 @@ CVE-2018-9311
 CVE-2018-1000155
RESERVED
 CVE-2018-1000154 (Zammad GmbH Zammad version 2.3.0 and earlier contains a 
Improper ...)
-   TODO: check
+   NOT-FOR-US: Zammad GmbH Zammad
 CVE-2018-1000142 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
NOT-FOR-US: Jenkins plugin
 CVE-2018-1000143 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
@@ -325,7 +325,7 @@ CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL 
pointer dereference flaw. I
[jessie] - ncmpc  (Minor issue)
[wheezy] - ncmpc  (Minor issue)
 CVE-2018-9233 (Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for 
...)
-   TODO: check
+   NOT-FOR-US: Sophos
 CVE-2018-9232
RESERVED
 CVE-2018-9231
@@ -6164,7 +6164,7 @@ CVE-2018-7037
 CVE-2018-7036
RESERVED
 CVE-2018-7035 (Cross-site scripting (XSS) vulnerability in Gleez CMS 1.2.0 and 
2.0 ...)
-   TODO: check
+   NOT-FOR-US: Gleez CMS
 CVE-2018-7034 (TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR 
v1.03B01 ...)
NOT-FOR-US: TRENDnet devices
 CVE-2018-7033 (SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.5 allows 
SQL ...)
@@ -12380,7 +12380,7 @@ CVE-2018-4865
 CVE-2018-4864
RESERVED
 CVE-2018-4863 (Sophos Endpoint Protection 10.7 allows local users to bypass an 
...)
-   TODO: check
+   NOT-FOR-US: Sophos
 CVE-2018-4862 (In Octopus Deploy versions 3.2.11 - 4.1.5 (fixed in 4.1.6), an 
...)
NOT-FOR-US: Octopus Deploy
 CVE-2018-4861



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e2c3f39da216eb869faebe2e3e0f452b9ce21b9


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Gitlab issues fixed in unstable

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8fb188f2 by Salvatore Bonaccorso at 2018-04-05T22:37:30+02:00
Gitlab issues fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -123,13 +123,13 @@ CVE-2018-9287
 CVE-2018-9286
RESERVED
 CVE-2018-9243 (GitLab Community and Enterprise Editions version 8.4 up to 10.4 
are ...)
-   - gitlab  (bug #894869)
+   - gitlab 10.6.3+dfsg-1 (bug #894869)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 
are ...)
-   - gitlab  (bug #894868)
+   - gitlab 10.6.3+dfsg-1 (bug #894868)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook 
integrations]
-   - gitlab  (bug #894867)
+   - gitlab 10.6.3+dfsg-1 (bug #894867)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018-9285 (Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, 
RT-AC68U, ...)
NOT-FOR-US: ASUS
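Review bot: the third entry still carries the placeholder header `CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook integrations]` while receiving the same fixed version `gitlab 10.6.3+dfsg-1 (bug #894867)`; the other two entries had their ids attached in the CVE-2018-9243 and CVE-2018-9244 commits, so check whether an id is available for this one as well and update the header line, otherwise the fixed version is recorded against an entry that cannot be matched to a CVE.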



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8fb188f219af35a0261e91d1286a3fe1e9d6ad7e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4def6811 by security tracker role at 2018-04-05T20:10:25+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,26 +1,70 @@
-CVE-2018-1000142
+CVE-2018-9330
+   RESERVED
+CVE-2018-9329
+   RESERVED
+CVE-2018-9328 (PHP Scripts Mall Redbus Clone Script 3.0.6 has XSS via the 
ter_from ...)
+   TODO: check
+CVE-2018-9327
+   RESERVED
+CVE-2018-9326
+   RESERVED
+CVE-2018-9325
+   RESERVED
+CVE-2018-9324
+   RESERVED
+CVE-2018-9323
+   RESERVED
+CVE-2018-9322
+   RESERVED
+CVE-2018-9321
+   RESERVED
+CVE-2018-9320
+   RESERVED
+CVE-2018-9319
+   RESERVED
+CVE-2018-9318
+   RESERVED
+CVE-2018-9317
+   RESERVED
+CVE-2018-9316
+   RESERVED
+CVE-2018-9315
+   RESERVED
+CVE-2018-9314
+   RESERVED
+CVE-2018-9313
+   RESERVED
+CVE-2018-9312
+   RESERVED
+CVE-2018-9311
+   RESERVED
+CVE-2018-1000155
+   RESERVED
+CVE-2018-1000154 (Zammad GmbH Zammad version 2.3.0 and earlier contains a 
Improper ...)
+   TODO: check
+CVE-2018-1000142 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000143
+CVE-2018-1000143 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000144
+CVE-2018-1000144 (A cross site scripting vulnerability exists in Jenkins 
Cucumber Living ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000145
+CVE-2018-1000145 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000146
+CVE-2018-1000146 (An arbitrary code execution vulnerability exists in 
Liquibase Runner ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000147
+CVE-2018-1000147 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000148
+CVE-2018-1000148 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000149
+CVE-2018-1000149 (A man in the middle vulnerability exists in Jenkins Ansible 
Plugin 0.8 ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000150
+CVE-2018-1000150 (An exposure of sensitive information vulnerability exists in 
Jenkins ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000151
+CVE-2018-1000151 (A man in the middle vulnerability exists in Jenkins vSphere 
Plugin ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000152
+CVE-2018-1000152 (An improper authorization vulnerability exists in Jenkins 
vSphere ...)
NOT-FOR-US: Jenkins plugin
-CVE-2018-1000153
+CVE-2018-1000153 (A cross-site request forgery vulnerability exists in Jenkins 
vSphere ...)
NOT-FOR-US: Jenkins plugin
 CVE-2018-9310
RESERVED
@@ -78,10 +122,10 @@ CVE-2018-9287
RESERVED
 CVE-2018-9286
RESERVED
-CVE-2018-9243 [Persistent XSS in filename of merge request]
+CVE-2018-9243 (GitLab Community and Enterprise Editions version 8.4 up to 10.4 
are ...)
- gitlab  (bug #894869)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
-CVE-2018-9244 [Persistent XSS in milestones data-milestone-id]
+CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 
are ...)
- gitlab  (bug #894868)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook 
integrations]
@@ -280,8 +324,8 @@ CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL 
pointer dereference flaw. I
[stretch] - ncmpc  (Minor issue)
[jessie] - ncmpc  (Minor issue)
[wheezy] - ncmpc  (Minor issue)
-CVE-2018-9233
-   RESERVED
+CVE-2018-9233 (Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for 
...)
+   TODO: check
 CVE-2018-9232
RESERVED
 CVE-2018-9231
@@ -2976,6 +3020,7 @@ CVE-2018-8086
 CVE-2018-8085
RESERVED
 CVE-2018-197 (Sharutils sharutils (unshar command) version 4.15.2 contains 
a Buffer ...)
+   {DSA-4167-1}
- sharutils 1:4.15.2-3 (bug #893525)
NOTE: http://seclists.org/bugtraq/2018/Feb/54
 CVE-2018-196 (brianleroux tiny-json-http version all versions since commit 
...)
@@ -6118,8 +6163,8 @@ CVE-2018-7037
RESERVED
 CVE-2018-7036
RESERVED
-CVE-2018-7035
-   RESERVED
+CVE-2018-7035 (Cross-site scripting (XSS) vulnerability in Gleez CMS 1.2.0 and 
2.0 ...)
+   TODO: check
 CVE-2018-7034 (TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR 
v1.03B01 ...)
NOT-FOR-US: TRENDnet devices
 CVE-2018-7033 (SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Two nvidia-graphics-drivers issues fixed in unstable

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ce95d2a by Salvatore Bonaccorso at 2018-04-05T22:05:24+02:00
Two nvidia-graphics-drivers issues fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8433,7 +8433,7 @@ CVE-2018-6255
 CVE-2018-6254
RESERVED
 CVE-2018-6253 (An exploitable denial-of-service vulnerability exists in the 
Nvidia ...)
-   - nvidia-graphics-drivers  (bug #894338)
+   - nvidia-graphics-drivers 390.48-1 (bug #894338)
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)
@@ -8450,7 +8450,7 @@ CVE-2018-6251 (An exploitable heap memory corruption 
vulnerability exists in the
 CVE-2018-6250 (NVIDIA Windows GPU Display Driver contains a vulnerability in 
the ...)
NOT-FOR-US: NVIDIA Windows driver
 CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel 
mode ...)
-   - nvidia-graphics-drivers  (bug #894338)
+   - nvidia-graphics-drivers 390.48-1 (bug #894338)
[stretch] - nvidia-graphics-drivers  (Non-free not supported)
[jessie] - nvidia-graphics-drivers  (Non-free not supported)
[wheezy] - nvidia-graphics-drivers  (Non-free not 
supported)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ce95d2a86a23e2d7ef7b36c09603f244a3381a1


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixing version for CVE-2018-8768

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
18a5f054 by Salvatore Bonaccorso at 2018-04-05T22:02:48+02:00
Add fixing version for CVE-2018-8768

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1511,7 +1511,7 @@ CVE-2018-8742
 CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the 
...)
NOT-FOR-US: authentikat-jwt
 CVE-2018-8768 (In Jupyter Notebook before 5.4.1, a maliciously forged notebook 
file ...)
-   - jupyter-notebook  (bug #893436)
+   - jupyter-notebook 5.4.1-1 (bug #893436)
- ipython 5.1.0-2
[wheezy] - ipython  (requires implementation of sanitization 
first, see NOTES)
NOTE: After the reupload of ipython to Debian as 4.1.2-1 via 
experimental



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/18a5f05488cae4b8a573d0272c572bf59d718a3e


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-9243/gitlab assigned

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35453250 by Salvatore Bonaccorso at 2018-04-05T21:30:54+02:00
CVE-2018-9243/gitlab assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -78,7 +78,7 @@ CVE-2018-9287
RESERVED
 CVE-2018-9286
RESERVED
-CVE-2018- [Persistent XSS in filename of merge request]
+CVE-2018-9243 [Persistent XSS in filename of merge request]
- gitlab  (bug #894869)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018-9244 [Persistent XSS in milestones data-milestone-id]
@@ -249,8 +249,6 @@ CVE-2018-9246
RESERVED
 CVE-2018-9245
RESERVED
-CVE-2018-9243
-   RESERVED
 CVE-2018-9242
RESERVED
 CVE-2018-9241



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/35453250f126e937a2c799f2f97b1aa42d3036b1


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-9244/gitlab assigned

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f4818c6 by Salvatore Bonaccorso at 2018-04-05T21:30:15+02:00
CVE-2018-9244/gitlab assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -81,7 +81,7 @@ CVE-2018-9286
 CVE-2018- [Persistent XSS in filename of merge request]
- gitlab  (bug #894869)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
-CVE-2018- [Persistent XSS in milestones data-milestone-id]
+CVE-2018-9244 [Persistent XSS in milestones data-milestone-id]
- gitlab  (bug #894868)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
 CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook 
integrations]
@@ -249,8 +249,6 @@ CVE-2018-9246
RESERVED
 CVE-2018-9245
RESERVED
-CVE-2018-9244
-   RESERVED
 CVE-2018-9243
RESERVED
 CVE-2018-9242



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f4818c69b21487bde0f0e97f6a7cba5dd63b592


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] historic OBS issue

2018-04-05 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f614ef87 by Moritz Muehlenhoff at 2018-04-05T21:26:02+02:00
historic OBS issue
resolved some TODOs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5786,17 +5786,14 @@ CVE-2018-7175 (An issue was discovered in xpdf 4.00. A 
NULL pointer dereference 
- xpdf  (unimportant)
NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=613
NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-   TODO: check, poppler
 CVE-2018-7174 (An issue was discovered in xpdf 4.00. An infinite loop in 
XRef::Xref ...)
- xpdf  (unimportant)
NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=605
NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-   TODO: check, poppler
 CVE-2018-7173 (A large loop in JBIG2Stream::readSymbolDictSeg in xpdf 4.00 
allows an ...)
- xpdf  (unimportant)
NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=607
NOTE: src:xpdf switched to use system poppler libary in 3.02-3
-   TODO: check, poppler
 CVE-2018-168 (An improper input validation vulnerability exists in Jenkins 
versions ...)
- jenkins 
 CVE-2018-167 (An improper authorization vulnerability exists in Jenkins 
versions ...)
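Review bot: removing the three `TODO: check, poppler` lines records no outcome for src:poppler; each entry keeps the NOTE that src:xpdf switched to the system poppler library, so add a NOTE stating whether poppler is affected by the same issue (or give poppler its own package line) so the reason for closing the TODO is preserved in the entry rather than only in the commit message.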
@@ -44664,7 +44661,6 @@ CVE-2017-10689 (In previous versions of Puppet Agent it 
was possible to install 
NOTE: https://tickets.puppetlabs.com/browse/PUP-7866
NOTE: 
https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee
NOTE: 
https://github.com/puppetlabs/puppet/commit/983154f7e29a2a50d416d889a6fed012b9b12399
-   TODO: check, similar issue might be in ruby-puppet-forge
 CVE-2017-10688 (In LibTIFF 4.0.8, there is a assertion abort in the ...)
{DSA-3903-1 DLA-1022-1}
- tiff 4.0.8-3 (bug #866611)
@@ -200148,7 +200144,7 @@ CVE-2011-3180 (kiwi before 4.98.08, as used in SUSE 
Studio Onsite 1.2 before 1.2
 CVE-2011-3179 (The server process in Novell Messenger 2.1 and 2.2.x before 
2.2.1, and ...)
NOT-FOR-US: Novell Messenger
 CVE-2011-3178 (In the web ui of the openbuildservice before 2.3.0 a code 
injection of ...)
-   TODO: check
+   - open-build-service  (Fixed before initial upload to 
Debian)
 CVE-2011-3177 (The YaST2 network created files with world readable permissions 
which ...)
NOT-FOR-US: YaST
 CVE-2011-3176 (Stack-based buffer overflow in the Preboot Service in Novell 
ZENworks ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f614ef87624d442799ccdbe7d59adc43a4311714


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-9234

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
115001aa by Salvatore Bonaccorso at 2018-04-05T21:11:24+02:00
Reference fix for CVE-2018-9234

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -277,6 +277,7 @@ CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a 
configuration in which k
[jessie] - gnupg2  (Minor issue)
[wheezy] - gnupg2  (Minor issue)
NOTE: https://dev.gnupg.org/T3844
+   NOTE: 
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=a17d2d1f690ebe5d005b4589a5fe378b6487c657
TODO: doublecheck gpg1 status with Werner/Niibe
 CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. 
If a ...)
- ncmpc  (low; bug #894724)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/115001aa94639df78fbe639fc57f77c78247eba6


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add missing epoch for sharutils version

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3e12c0a by Salvatore Bonaccorso at 2018-04-05T21:03:01+02:00
Add missing epoch for sharutils version

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,6 +1,6 @@
 [05 Apr 2018] DSA-4167-1 sharutils - security update
{CVE-2018-197}
-   [jessie] - sharutils 4.14-2+deb8u1
+   [jessie] - sharutils 1:4.14-2+deb8u1
[stretch] - sharutils 1:4.15.2-2+deb9u1
 [04 Apr 2018] DSA-4166-1 openjdk-7 - security update
{CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 
CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 
CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3e12c0ae09ba267ede48ce10a3d7d6d648ce3f1


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] DSA-4167-1 sharutils

2018-04-05 Thread Luciano Bello
Luciano Bello pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f190df2 by Luciano Bello at 2018-04-05T12:47:02-04:00
DSA-4167-1 sharutils

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,3 +1,7 @@
+[05 Apr 2018] DSA-4167-1 sharutils - security update
+   {CVE-2018-197}
+   [jessie] - sharutils 4.14-2+deb8u1
+   [stretch] - sharutils 1:4.15.2-2+deb9u1
 [04 Apr 2018] DSA-4166-1 openjdk-7 - security update
{CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 
CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 
CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678}
[jessie] - openjdk-7 7u171-2.6.13-1~deb8u1
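Review bot: the jessie line `[jessie] - sharutils 4.14-2+deb8u1` is missing the `1:` epoch that the stretch line carries (`1:4.15.2-2+deb9u1`); if the jessie source package uses epoch 1 as well, the entry should read `1:4.14-2+deb8u1`, otherwise any epoch-1 version, including unfixed ones, compares greater than the listed fixed version and the tracker will show jessie as fixed. The `{CVE-2018-197}` reference should also be double-checked, since a CVE ID needs at least four digits after the year.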


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -80,10 +80,6 @@ ruby2.1/oldstable
 --
 ruby2.3/stable
 --
-sharutils (luciano)
-  Maintainer proposed debdiff for review for stretch-security.
-  Pending request back for jessie-security
---
 squirrelmail/oldstable
 --
 sqlite3/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f190df282237a6e9f1edca0768dc90b4465c613


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs

2018-04-05 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
331c35ec by Moritz Muehlenhoff at 2018-04-05T15:20:04+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -36573,73 +36573,73 @@ CVE-2017-13309
 CVE-2017-13308
RESERVED
 CVE-2017-13307 (A elevation of privilege vulnerability in the Upstream kernel 
pci ...)
-   TODO: check
+   NOT-FOR-US: Android kernel (no source release, so apparently not in 
mainline)
 CVE-2017-13306 (A elevation of privilege vulnerability in the Upstream kernel 
mnh ...)
-   TODO: check
+   NOT-FOR-US: Android kernel (no source release, so apparently not in 
mainline)
 CVE-2017-13305 (A information disclosure vulnerability in the Upstream kernel 
...)
-   TODO: check
+   NOT-FOR-US: Android kernel (no source release, so apparently not in 
mainline)
 CVE-2017-13304 (A information disclosure vulnerability in the Upstream kernel 
mnh_sm ...)
-   TODO: check
+   NOT-FOR-US: Android kernel (no source release, so apparently not in 
mainline)
 CVE-2017-13303 (A information disclosure vulnerability in the Broadcom bcmdhd 
driver. ...)
NOT-FOR-US: Broadcom components for Android
 CVE-2017-13302 (A denial of service vulnerability in the Android system 
(system ui). ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13301 (A denial of service vulnerability in the Android system 
(system ui). ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13300 (A denial of service vulnerability in the Android media 
framework ...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-13299 (A other vulnerability in the Android media framework (libavc). 
...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-13298 (A information disclosure vulnerability in the Android media 
framework ...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-13297 (A information disclosure vulnerability in the Android media 
framework ...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-13296 (A information disclosure vulnerability in the Android media 
framework ...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-13295 (A denial of service vulnerability in the Android framework 
(package ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13294 (A information disclosure vulnerability in the Android 
framework (aosp ...)
NOT-FOR-US: Android framework (aosp email application)
 CVE-2017-13293 (In the nfc_hci_cmd_received() function of core.c, there is a 
possible ...)
-   TODO: check
+   NOT-FOR-US: Android kernel (no source release, so apparently not in 
mainline)
 CVE-2017-13292 (In wl_get_assoc_ies of wl_cfg80211.c, there is a possible out 
of ...)
-   TODO: check
+   NOT-FOR-US: Broadcom components for Android
 CVE-2017-13291 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a 
possible ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13290 (In sdp_server_handle_client_req of sdp_server.cc, there is an 
out of ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13289 (In writeToParcel and createFromParcel of RttManager.java, 
there is a ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13288 (In writeToParcel and readFromParcel of 
PeriodicAdvertisingReport.java, ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13287 (In createFromParcel of VerifyCredentialResponse.java, there is 
a ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13286 (In writeToParcel and readFromParcel of 
OutputConfiguration.java, there ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13285 (In SvoxSsmlParser and startElement of svox_ssml_parser.cpp, 
there is a ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13284 (In config_set_string of config.cc, it is possible to pair a 
second BT ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13283 (In avrc_ctrl_pars_vendor_rsp of bluetooth avrcp_ctrl, there is 
a ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13282 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a 
possible ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13281 (In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a 
possible ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2017-13280 (In the FrameSequence_gif::FrameSequence_gif function of ...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-13279 (In M3UParser::parse of M3UParser.cpp, there is a memory 
resource ...)
-   TODO: check
+   NOT-FOR-US: Android media framework
 CVE-2017-13278 (In MediaPlayerService::Client::notify of 
MediaPlayerService.cpp, there ...)
-   TOD
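Review bot: the blanket `NOT-FOR-US: Android kernel (no source release, so apparently not in mainline)` is also applied to CVE-2017-13293, but that entry's description names `nfc_hci_cmd_received()` in `core.c`, and a function of that name lives in the mainline NFC HCI code (`net/nfc/hci/core.c`), so this one deserves a check against upstream Linux before it is closed; the `mnh`/`pci` entries (CVE-2017-13304 to CVE-2017-13307) are plausibly out-of-tree. Also, the hunk is cut off after `-   TOD` at its end, so the remainder of the change (CVE-2017-13278 onwards) is not reviewable here.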

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] exiv n/a

2018-04-05 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4ae9c04f by Moritz Muehlenhoff at 2018-04-05T15:10:57+02:00
exiv n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -31,20 +31,19 @@ CVE-2018-9308
 CVE-2018-9307 (dsmall v20180320 allows XSS via the pdr_sn parameter to ...)
NOT-FOR-US: dsmall
 CVE-2018-9306 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)
-   - exiv2 
+   [experimental] - exiv2 
+   - exiv2  (Vulnerable code introduced after 0.25)
NOTE: https://github.com/Exiv2/exiv2/issues/263
-   TODO: check
 CVE-2018-9305 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)
-   - exiv2 
+   [experimental] - exiv2 
+   - exiv2  (Vulnerable code introduced after 0.25)
NOTE: https://github.com/Exiv2/exiv2/issues/263
-   TODO: check
 CVE-2018-9304 (In Exiv2 0.26, a divide by zero in BigTiffImage::printIFD in 
...)
-   - exiv2 
+   - exiv2  (Vulnerable code introduced after 0.26)
NOTE: https://github.com/Exiv2/exiv2/issues/262
-   TODO: check
 CVE-2018-9303 (In Exiv2 0.26, an assertion failure in BigTiffImage::readData 
in ...)
-   - exiv2 
-   TODO: check
+   - exiv2  (Vulnerable code introduced after 0.26)
+   NOTE: https://github.com/Exiv2/exiv2/issues/262
 CVE-2018-9302
RESERVED
 CVE-2018-9301
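Review bot: the notes `(Vulnerable code introduced after 0.26)` on CVE-2018-9304 and CVE-2018-9303 sit under descriptions that begin `In Exiv2 0.26, ...`, which reads as a contradiction; if the affected code only exists in upstream git after the 0.26 release, say so explicitly in the note (for example `upstream git master only, not in the 0.26 release`) so the next triager does not re-open the question. Note also that the status token between `exiv2` and the parenthesised note is blank in this rendering for all six package lines, so the actual marker (not-affected versus a fixed version) cannot be verified from the diff as shown.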



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4ae9c04fc5ee52996677e535805d7feb6a082851


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs posted to oss-sec

2018-04-05 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
95decbba by Moritz Muehlenhoff at 2018-04-05T13:12:28+02:00
NFUs posted to oss-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,27 @@
+CVE-2018-1000142
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000143
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000144
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000145
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000146
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000147
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000148
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000149
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000150
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000151
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000152
+   NOT-FOR-US: Jenkins plugin
+CVE-2018-1000153
+   NOT-FOR-US: Jenkins plugin
 CVE-2018-9310
RESERVED
 CVE-2018-9309 (An issue was discovered in zzcms 8.2. It allows SQL injection 
via the ...)
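Review bot: the twelve new `CVE-2018-1000142` to `CVE-2018-1000153` entries carry no description and no reference, and the commit title is the only hint that they came from an oss-sec post; a `NOTE:` with the oss-sec URL (or the Jenkins advisory) on at least the first entry would let later triagers tie these IDs back to a source once the automatic update fills in the descriptions.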



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/95decbbadc17243c43e3167a5d1c91db94b6a22f


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Start tracking four more exiv2 CVEs

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
327dc4ce by Salvatore Bonaccorso at 2018-04-05T10:38:04+02:00
Start tracking four more exiv2 CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -7,12 +7,19 @@ CVE-2018-9308
 CVE-2018-9307 (dsmall v20180320 allows XSS via the pdr_sn parameter to ...)
NOT-FOR-US: dsmall
 CVE-2018-9306 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)
+   - exiv2 
+   NOTE: https://github.com/Exiv2/exiv2/issues/263
TODO: check
 CVE-2018-9305 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)
+   - exiv2 
+   NOTE: https://github.com/Exiv2/exiv2/issues/263
TODO: check
 CVE-2018-9304 (In Exiv2 0.26, a divide by zero in BigTiffImage::printIFD in 
...)
+   - exiv2 
+   NOTE: https://github.com/Exiv2/exiv2/issues/262
TODO: check
 CVE-2018-9303 (In Exiv2 0.26, an assertion failure in BigTiffImage::readData 
in ...)
+   - exiv2 
TODO: check
 CVE-2018-9302
RESERVED
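Review bot: CVE-2018-9303 (`BigTiffImage::readData`) gets an `- exiv2` line but no `NOTE:` reference, while the neighbouring CVE-2018-9304 (`BigTiffImage::printIFD`) points at upstream issue 262; both are BigTiffImage problems reported against the same 0.26 tree, so check whether issue 262 covers 9303 as well and add the link if it does. Keeping `TODO: check` on all four entries is right until the affected-version question is settled.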



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/327dc4cea3220742accb9924f7a6cc4d1b83ca33


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process two NFUs

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4d858852 by Salvatore Bonaccorso at 2018-04-05T10:34:38+02:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,11 +1,11 @@
 CVE-2018-9310
RESERVED
 CVE-2018-9309 (An issue was discovered in zzcms 8.2. It allows SQL injection 
via the ...)
-   TODO: check
+   NOT-FOR-US: zzcms
 CVE-2018-9308
RESERVED
 CVE-2018-9307 (dsmall v20180320 allows XSS via the pdr_sn parameter to ...)
-   TODO: check
+   NOT-FOR-US: dsmall
 CVE-2018-9306 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)
TODO: check
 CVE-2018-9305 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d85885294a58d8a8466231f07f66b3fbba61986


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add two new moodle issues

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4864b224 by Salvatore Bonaccorso at 2018-04-05T10:34:58+02:00
Add two new moodle issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -22291,9 +22291,9 @@ CVE-2018-1083 (Zsh before version 5.4.2-test-1 is 
vulnerable to a buffer overflo
[jessie] - zsh  (Minor issue)
NOTE: 
https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
 CVE-2018-1082 (A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a 
user ...)
-   TODO: check
+   - moodle 
 CVE-2018-1081 (A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 
3.2.7, ...)
-   TODO: check
+   - moodle 
 CVE-2018-1080 [Mishandled ACL configuration in AAclAuthz.java reverses rules 
that allow and deny access]
RESERVED
- dogtag-pki  (bug #893690)
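Review bot: both new `- moodle` lines are added without a `NOTE:` pointing at the upstream advisory, unlike the neighbouring zsh and dogtag-pki entries that carry a reference; adding the Moodle security announcement link for each CVE would make the affected-version claim checkable. The status token after `moodle` is not visible in this rendering, so whether these are marked unfixed or carry a fixed version cannot be confirmed here.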



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4864b22452868799766f6036c16b61daa5e48090


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-04-05 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7ffc1f82 by security tracker role at 2018-04-05T08:10:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,53 @@
+CVE-2018-9310
+   RESERVED
+CVE-2018-9309 (An issue was discovered in zzcms 8.2. It allows SQL injection 
via the ...)
+   TODO: check
+CVE-2018-9308
+   RESERVED
+CVE-2018-9307 (dsmall v20180320 allows XSS via the pdr_sn parameter to ...)
+   TODO: check
+CVE-2018-9306 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)
+   TODO: check
+CVE-2018-9305 (In Exiv2 0.26, an out-of-bounds read in 
IptcData::printStructure in ...)
+   TODO: check
+CVE-2018-9304 (In Exiv2 0.26, a divide by zero in BigTiffImage::printIFD in 
...)
+   TODO: check
+CVE-2018-9303 (In Exiv2 0.26, an assertion failure in BigTiffImage::readData 
in ...)
+   TODO: check
+CVE-2018-9302
+   RESERVED
+CVE-2018-9301
+   RESERVED
+CVE-2018-9300
+   RESERVED
+CVE-2018-9299
+   RESERVED
+CVE-2018-9298
+   RESERVED
+CVE-2018-9297
+   RESERVED
+CVE-2018-9296
+   RESERVED
+CVE-2018-9295
+   RESERVED
+CVE-2018-9294
+   RESERVED
+CVE-2018-9293
+   RESERVED
+CVE-2018-9292
+   RESERVED
+CVE-2018-9291
+   RESERVED
+CVE-2018-9290
+   RESERVED
+CVE-2018-9289
+   RESERVED
+CVE-2018-9288
+   RESERVED
+CVE-2018-9287
+   RESERVED
+CVE-2018-9286
+   RESERVED
 CVE-2018- [Persistent XSS in filename of merge request]
- gitlab  (bug #894869)
NOTE: 
https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
@@ -38,7 +88,7 @@ CVE-2018-9275 (In check_user_token in util.c in the Yubico 
PAM module (aka pam_y
 CVE-2017-18257 (The __get_data_block function in fs/f2fs/data.c in the Linux 
kernel ...)
- linux 4.11.6-1
NOTE: Fixed by: 
https://git.kernel.org/linus/b86e33075ed1909d8002745b56ecf73b833db143
-CVE-2018-1002150 [koji: Dist Repo call missing authorization check]
+CVE-2018-1002150 (Koji version 1.12, 1.13, 1.14 and 1.15 contain an incorrect 
access ...)
- koji  (bug #894832)
NOTE: http://www.openwall.com/lists/oss-security/2018/04/04/1
NOTE: https://docs.pagure.org/koji/CVE-2018-1002150/
@@ -22193,8 +22243,7 @@ CVE-2018-1098 (A cross-site request forgery flaw was 
found in etcd 3.3.1 and ear
- etcd 
NOTE: https://github.com/coreos/etcd/issues/9353
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552714
-CVE-2018-1097 [Ovirt admin password exposed by foreman API]
-   RESERVED
+CVE-2018-1097 (A flaw was found in foreman before 1.16.1. The issue allows 
users with ...)
- foreman  (bug #663101)
NOTE: https://projects.theforeman.org/issues/22546
NOTE: https://github.com/theforeman/foreman/pull/5369
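Review bot: the foreman line references `bug #663101`, a bug number far older than this 2018 issue, so it is presumably the packaging (ITP) bug rather than a bug filed for the CVE; the status token after `foreman` is not visible in this rendering, so make sure the entry carries the marker the tracker expects for a not-yet-packaged source rather than being read as an unfixed package in the archive.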
@@ -22241,10 +22290,10 @@ CVE-2018-1083 (Zsh before version 5.4.2-test-1 is 
vulnerable to a buffer overflo
[stretch] - zsh  (Minor issue)
[jessie] - zsh  (Minor issue)
NOTE: 
https://sourceforge.net/p/zsh/code/ci/259ac472eac291c8c103c7a0d8a4eaf3c2942ed7
-CVE-2018-1082
-   RESERVED
-CVE-2018-1081
-   RESERVED
+CVE-2018-1082 (A flaw was found in Moodle 3.4 to 3.4.1, and 3.3 to 3.3.4. If a 
user ...)
+   TODO: check
+CVE-2018-1081 (A flaw was found in Moodle 3.4 to 3.4.1, 3.3 to 3.3.4, 3.2 to 
3.2.7, ...)
+   TODO: check
 CVE-2018-1080 [Mishandled ACL configuration in AAclAuthz.java reverses rules 
that allow and deny access]
RESERVED
- dogtag-pki  (bug #893690)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ffc1f82203aa5f717f841fb0fa3ccbd1f757587


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Triage bouncycastle for LTS

2018-04-05 Thread Chris Lamb
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
54705e60 by Chris Lamb at 2018-04-05T08:41:44+01:00
Triage bouncycastle for LTS

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,6 +12,8 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 --
 apache2 (Roberto C. Sánchez)
 --
+bouncycastle
+--
 calibre
   NOTE: 20180321: Instead of replacing pickle with json, maybe disable 
bookmarking
   NOTE: 20180321: completely and invest the time to fix the Jessie version 
instead?
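Review bot: `bouncycastle` is added to dla-needed.txt with no claimer and no `NOTE:` line, whereas the neighbouring apache2 entry carries an owner and calibre carries date-stamped notes; recording the CVE ID(s) that triggered the triage in a dated `NOTE:` (as the file's other entries do) would save the next LTS contributor a trip back to the tracker to work out why the package is listed.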



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/54705e606c495cae06ee81030cc19fd036f21254
