[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bb7ee72 by Salvatore Bonaccorso at 2018-04-11T08:20:31+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -13574,16 +13574,22 @@ CVE-2018-4938 RESERVED CVE-2018-4937 RESERVED + NOT-FOR-US: Adobe CVE-2018-4936 RESERVED + NOT-FOR-US: Adobe CVE-2018-4935 RESERVED + NOT-FOR-US: Adobe CVE-2018-4934 RESERVED + NOT-FOR-US: Adobe CVE-2018-4933 RESERVED + NOT-FOR-US: Adobe CVE-2018-4932 RESERVED + NOT-FOR-US: Adobe CVE-2018-4931 RESERVED CVE-2018-4930 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bb7ee72b1bfcb56a9ce77e2218e44632531cbda --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bb7ee72b1bfcb56a9ce77e2218e44632531cbda You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
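Review bot: the six entries annotated NOT-FOR-US: Adobe (CVE-2018-4932 through CVE-2018-4937) are all still RESERVED with no description in this hunk, so the Adobe attribution rests on the CVE ID block rather than on published details; that is workable for a vendor-reserved range, but these lines need a second look once the descriptions land in an automatic update, in case any of them turns out to name an open-source component that Debian ships.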
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-998{8, 9}/mbedtls
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 35798e13 by Salvatore Bonaccorso at 2018-04-10T22:59:10+02:00 Add CVE-2018-998{8,9}/mbedtls - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,15 @@ CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer ...) - TODO: check + - mbedtls 2.8.0-1 + - polarssl + NOTE: https://github.com/ARMmbed/mbedtls/commit/5224a7544c95552553e2e6be0b4a789956a6464e + NOTE: https://github.com/ARMmbed/mbedtls/commit/740b218386083dc708ce98ccc94a63a95cd5629e + NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released CVE-2018-9988 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer ...) - TODO: check + - mbedtls 2.8.0-1 + - polarssl + NOTE: https://github.com/ARMmbed/mbedtls/commit/027f84c69f4ef30c0693832a6c396ef19e563ca1 + NOTE: https://github.com/ARMmbed/mbedtls/commit/a1098f81c252b317ad34ea978aea2bc47760b215 + NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released CVE-2018-9987 RESERVED CVE-2018-9986 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35798e1355ac8ae8e57c8104b645a6394f7f3a93 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35798e1355ac8ae8e57c8104b645a6394f7f3a93 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
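Review bot: "- polarssl" is added with neither a version nor a parenthetical on both CVE-2018-9989 and CVE-2018-9988, while mbedtls gets 2.8.0-1; in this file a bare package line reads as unfixed, so if polarssl is meant to be unfixed a short note on the reason (or a per-release line in the "[stretch] - package (reason)" form used elsewhere on this page) would make the status explicit, and if it was meant to carry an angle-bracket status marker, check that the committed line still has it, because this rendering shows none.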
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-9860
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 406a7119 by Salvatore Bonaccorso at 2018-04-10T22:53:16+02:00 Reference fix for CVE-2018-9860 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -256,9 +256,12 @@ CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles a numeric username, wh TODO: check CVE-2018-9861 RESERVED -CVE-2018-9860 [An off by one error in TLS CBC decryption ...] +CVE-2018-9860 [An off by one error in TLS CBC decryption] RESERVED - botan 2.4.0-6 + - botan1.10 (Issue introduced in 1.11.32) + NOTE: https://github.com/randombit/botan/commit/ec222c99719c396a1f4756b2ca345dbbfbeb5ed5 + NOTE: Bug introduced in 1.11.32, fixed in 2.6.0 CVE-2018-9859 RESERVED CVE-2018-1000168 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/406a7119f0e6cfb16e59f66d8d5cf6f49e1a8948 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/406a7119f0e6cfb16e59f66d8d5cf6f49e1a8948 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
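Review bot: the new line "- botan1.10 (Issue introduced in 1.11.32)" contradicts itself as rendered: a package entry with no version reads as unfixed, yet the parenthetical and the added "NOTE: Bug introduced in 1.11.32, fixed in 2.6.0" put the 1.10 series outside the affected range. The intended form is presumably "- botan1.10 <not-affected> (Issue introduced in 1.11.32)"; if that marker is in the committed file it was dropped in this rendering, otherwise it should be added so the tracker does not list botan1.10 as vulnerable.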
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55a23054 by Salvatore Bonaccorso at 2018-04-10T22:37:36+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -20099,27 +20099,27 @@ CVE-2018-2415 CVE-2018-2414 RESERVED CVE-2018-2413 (SAP Disclosure Management 10.1 does not perform necessary ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2412 (SAP Disclosure Management 10.1 does not perform necessary ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2411 RESERVED CVE-2018-2410 (SAP Business One, 9.2, 9.3, browser access does not sufficiently ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2409 (Improper session management when using SAP Cloud Platform 2.0 ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2408 (Improper Session Management in SAP Business Objects, 4.0, from 4.10, ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2407 RESERVED CVE-2018-2406 (Unquoted windows search path (directory/path traversal) vulnerability ...) TODO: check CVE-2018-2405 (SAP Solution Manager, 7.10, 7.20, Incident Management Work Center ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2404 (SAP Disclosure Management 10.1 allows an attacker to upload any file ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2403 (Under certain conditions, SAP Disclosure Management 10.1 allows an ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-2402 (In systems using the optional capture & replay functionality of SAP ...) NOT-FOR-US: SAP CVE-2018-2401 (SAP Business Process Automation (BPA) By Redwood does not sufficiently ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55a230548167a1a195d2bca08895b32b205f3eea --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55a230548167a1a195d2bca08895b32b205f3eea You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
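Review bot: CVE-2018-2406 ("Unquoted windows search path ...") keeps its "TODO: check" while every SAP entry around it becomes "NOT-FOR-US: SAP"; the truncated description does not name a vendor, so leaving it open is defensible, but a one-line NOTE saying it was skipped deliberately would save the next triager from re-reading the same block to work out whether it was missed.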
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d41ebca by Salvatore Bonaccorso at 2018-04-10T22:35:17+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7,7 +7,7 @@ CVE-2018-9987 CVE-2018-9986 RESERVED CVE-2018-9985 (The front page of MetInfo 6.0 allows XSS by sending a feedback message ...) - TODO: check + NOT-FOR-US: MetInfo CVE-2018-9984 RESERVED CVE-2018-9983 @@ -2129,9 +2129,9 @@ CVE-2018-9040 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file ...) CVE-2018-9039 (In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, ...) NOT-FOR-US: Octopus Deploy CVE-2018-9038 (Monstra CMS 3.0.4 allows remote attackers to delete files via an ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2018-9037 (Monstra CMS 3.0.4 allows remote code execution via an upload_file ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2018-9036 RESERVED CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form ...) @@ -2851,7 +2851,7 @@ CVE-2018-8774 CVE-2018-8773 RESERVED CVE-2018-8772 (Coship RT3052 4.0.0.48 devices allow XSS via a crafted SSID field on ...) - TODO: check + NOT-FOR-US: Coship RT3052 4.0.0.48 devices CVE-2018-8771 RESERVED CVE-2018-8770 (Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via ...) @@ -9213,9 +9213,9 @@ CVE-2017-18103 CVE-2017-18102 RESERVED CVE-2017-18101 (Various administrative external system import resources in Atlassian ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2017-18100 (The agile wallboard gadget in Atlassian Jira before version 7.8.1 ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2017-18099 RESERVED CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before version 7.6.1 ...) 
@@ -12064,7 +12064,7 @@ CVE-2018-5465 (A Session Fixation issue was discovered in Belden Hirschmann RS, CVE-2018-5464 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5463 (A structured exception handler overflow vulnerability in Leao ...) - TODO: check + NOT-FOR-US: Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis SCADA CVE-2018-5462 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5461 (An Inadequate Encryption Strength issue was discovered in Belden ...) @@ -12735,7 +12735,7 @@ CVE-2018-5229 CVE-2018-5228 RESERVED CVE-2018-5227 (Various administrative application link resources in Atlassian ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2018-5226 RESERVED CVE-2018-5225 (In browser editing in Atlassian Bitbucket Server from version 4.13.0 ...) @@ -23304,7 +23304,7 @@ CVE-2018-1219 (EMC RSA Archer, versions prior to 6.2.0.8, contains an improper a CVE-2018-1218 (In Dell EMC NetWorker versions prior to 9.2.1.1, versions prior to ...) NOT-FOR-US: EMC NetWorker CVE-2018-1217 (Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, ...) - TODO: check + NOT-FOR-US: EMC Avamar Server CVE-2018-1216 (A hard-coded password vulnerability was discovered in vApp Manager ...) NOT-FOR-US: EMC CVE-2018-1215 (An arbitrary file upload vulnerability was discovered in vApp Manager ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d41ebca906a313450ecf37f4a3b4c5dbc6f0da1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d41ebca906a313450ecf37f4a3b4c5dbc6f0da1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
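Review bot: the NOT-FOR-US annotations in this region are inconsistent in granularity: "NOT-FOR-US: Coship RT3052 4.0.0.48 devices" embeds a firmware version and "NOT-FOR-US: Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis SCADA" the full legal entity, while the neighbouring lines use just the vendor or product ("NOT-FOR-US: Atlassian", "NOT-FOR-US: Monstra CMS"). A product name without version, for example "NOT-FOR-US: Coship RT3052" and "NOT-FOR-US: LAquis SCADA", keeps the annotation stable and greppable when later CVEs hit other versions of the same product.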
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-9860/botan fixed version in unstable
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: 213314b5 by Laszlo Boszormenyi (GCS) at 2018-04-10T20:07:37+00:00 Add CVE-2018-9860/botan fixed version in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -148,7 +148,7 @@ CVE-2018-9861 RESERVED CVE-2018-9860 [An off by one error in TLS CBC decryption ...] RESERVED - - botan + - botan 2.4.0-6 CVE-2018-9859 RESERVED CVE-2018-1000168 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/213314b582e32941ab662b7165172bf60dbcbd27 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/213314b582e32941ab662b7165172bf60dbcbd27 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4d5f605 by security tracker role at 2018-04-10T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,3 +1,113 @@ +CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer ...) + TODO: check +CVE-2018-9988 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffer ...) + TODO: check +CVE-2018-9987 + RESERVED +CVE-2018-9986 + RESERVED +CVE-2018-9985 (The front page of MetInfo 6.0 allows XSS by sending a feedback message ...) + TODO: check +CVE-2018-9984 + RESERVED +CVE-2018-9983 + RESERVED +CVE-2018-9982 + RESERVED +CVE-2018-9981 + RESERVED +CVE-2018-9980 + RESERVED +CVE-2018-9979 + RESERVED +CVE-2018-9978 + RESERVED +CVE-2018-9977 + RESERVED +CVE-2018-9976 + RESERVED +CVE-2018-9975 + RESERVED +CVE-2018-9974 + RESERVED +CVE-2018-9973 + RESERVED +CVE-2018-9972 + RESERVED +CVE-2018-9971 + RESERVED +CVE-2018-9970 + RESERVED +CVE-2018-9969 + RESERVED +CVE-2018-9968 + RESERVED +CVE-2018-9967 + RESERVED +CVE-2018-9966 + RESERVED +CVE-2018-9965 + RESERVED +CVE-2018-9964 + RESERVED +CVE-2018-9963 + RESERVED +CVE-2018-9962 + RESERVED +CVE-2018-9961 + RESERVED +CVE-2018-9960 + RESERVED +CVE-2018-9959 + RESERVED +CVE-2018-9958 + RESERVED +CVE-2018-9957 + RESERVED +CVE-2018-9956 + RESERVED +CVE-2018-9955 + RESERVED +CVE-2018-9954 + RESERVED +CVE-2018-9953 + RESERVED +CVE-2018-9952 + RESERVED +CVE-2018-9951 + RESERVED +CVE-2018-9950 + RESERVED +CVE-2018-9949 + RESERVED +CVE-2018-9948 + RESERVED +CVE-2018-9947 + RESERVED +CVE-2018-9946 + RESERVED +CVE-2018-9945 + RESERVED +CVE-2018-9944 + RESERVED +CVE-2018-9943 + RESERVED +CVE-2018-9942 + RESERVED +CVE-2018-9941 + RESERVED +CVE-2018-9940 + RESERVED +CVE-2018-9939 + RESERVED +CVE-2018-9938 + RESERVED +CVE-2018-9937 + RESERVED +CVE-2018-9936 + RESERVED +CVE-2018-9935 + RESERVED CVE-2018-9934 (The reset-password feature in MetInfo 6.0 allows remote attackers to ...) NOT-FOR-US: MetInfo CVE-2018-9933 
@@ -30,8 +140,8 @@ CVE-2018-9920 RESERVED CVE-2018-9919 RESERVED -CVE-2018-9918 - RESERVED +CVE-2018-9918 (libqpdf.a in QPDF through 8.0.2 mishandles certain "expected dictionary ...) + TODO: check CVE-2018-9917 RESERVED CVE-2018-9916 @@ -2018,10 +2128,10 @@ CVE-2018-9040 (In Advanced SystemCare Ultimate 11.0.1.58, the driver file ...) NOT-FOR-US: Advanced SystemCare Ultimate CVE-2018-9039 (In Octopus Deploy 2.0 and later before 2018.3.7, an authenticated user, ...) NOT-FOR-US: Octopus Deploy -CVE-2018-9038 - RESERVED -CVE-2018-9037 - RESERVED +CVE-2018-9038 (Monstra CMS 3.0.4 allows remote attackers to delete files via an ...) + TODO: check +CVE-2018-9037 (Monstra CMS 3.0.4 allows remote code execution via an upload_file ...) + TODO: check CVE-2018-9036 RESERVED CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form ...) @@ -2740,8 +2850,8 @@ CVE-2018-8774 RESERVED CVE-2018-8773 RESERVED -CVE-2018-8772 - RESERVED +CVE-2018-8772 (Coship RT3052 4.0.0.48 devices allow XSS via a crafted SSID field on ...) + TODO: check CVE-2018-8771 RESERVED CVE-2018-8770 (Physical path Leakage exists in Western Bridge Cobub Razor 0.8.0 via ...) @@ -9102,10 +9212,10 @@ CVE-2017-18103 RESERVED CVE-2017-18102 RESERVED -CVE-2017-18101 - RESERVED -CVE-2017-18100 - RESERVED +CVE-2017-18101 (Various administrative external system import resources in Atlassian ...) + TODO: check +CVE-2017-18100 (The agile wallboard gadget in Atlassian Jira before version 7.8.1 ...) + TODO: check CVE-2017-18099 RESERVED CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before version 7.6.1 ...) @@ -12624,8 +12734,8 @@ CVE-2018-5229 RESERVED CVE-2018-5228 RESERVED -CVE-2018-5227 - RESERVED +CVE-2018-5227 (Various administrative application link resources in Atlassian ...) + TODO: check CVE-2018-5226 RESERVED CVE-2018-5225 (In browser editing in Atlassian Bitbucket Server from version 4.13.0 ...) 
@@ -19988,28 +20098,28 @@ CVE-2018-2415 RESERVED CVE-2018-2414 RESERVED -CVE-2018-2413 - RESERVED -CVE-2018-2412 - RESERVED +CVE-2018-2413 (SAP Disclosure Management 10.1 does not perform necessary ...) + TODO: check +CVE-2018-2412 (SAP Disclosure Management 10.1 does not pe
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-9860/botan
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: 846ca1e2 by Laszlo Boszormenyi (GCS) at 2018-04-10T19:50:49+00:00 Add CVE-2018-9860/botan - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -146,8 +146,9 @@ CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles a numeric username, wh TODO: check CVE-2018-9861 RESERVED -CVE-2018-9860 +CVE-2018-9860 [An off by one error in TLS CBC decryption ...] RESERVED + - botan CVE-2018-9859 RESERVED CVE-2018-1000168 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/846ca1e27d24bfdc0dc913457478897c9041f415 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/846ca1e27d24bfdc0dc913457478897c9041f415 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
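Review bot: the entry is created with a bracketed description and a bare "- botan" line, which records the package as affected with no fixed version; that is the right placeholder while the upload is pending, but a NOTE with the upstream reference (bug, advisory or commit) at creation time would document where "An off by one error in TLS CBC decryption" comes from, since the entry is still RESERVED and the bracketed text is not yet the public CVE description.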
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dsa-needed.txt propose myself to prepare an upload for ruby2.1 and ruby2.3
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: b3787649 by Santiago R.R at 2018-04-10T18:07:33+02:00 dsa-needed.txt propose myself to prepare an upload for ruby2.1 and ruby2.3 Signed-off-by: Santiago R.R- - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -72,8 +72,10 @@ ruby-loofah Georg Faerber proposed to prepare an update -- ruby2.1/oldstable + Santiago will prepare an update -- ruby2.3/stable + Santiago will prepare an update -- sqlite3/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b37876494dbb3bc88f06d6c5731e4931211f2795 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b37876494dbb3bc88f06d6c5731e4931211f2795 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
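Review bot: the two added lines read "Santiago will prepare an update", whereas the existing entry directly above uses the form "Georg Faerber proposed to prepare an update"; matching the established wording, with the full name as the commit message itself ("propose myself to prepare an upload") implies, keeps dsa-needed.txt consistent and searchable for who has claimed which package.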
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Use shorter URL
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: be9e165f by Salvatore Bonaccorso at 2018-04-10T14:27:06+02:00 Use shorter URL - - - - - c2f9f03d by Salvatore Bonaccorso at 2018-04-10T14:28:07+02:00 Sync status for CVE-2017-13220 in wheezy with kernel sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38139,7 +38139,8 @@ CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel w NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel bluez. ...) - linux 4.0.2-1 - NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=51bda2bca53b + [wheezy] - linux (Vulnerable code introduced later) + NOTE: https://git.kernel.org/linus/51bda2bca53b265715ca1852528f38dc67429d9a CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel synaptics ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13218 (Access to CNTVCT_EL0 could be used for side channel attacks. This ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5e62dad600a9a2285ac4710066fcffcdce79c505...c2f9f03db4fedba8c4c85189d291267812063e38 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5e62dad600a9a2285ac4710066fcffcdce79c505...c2f9f03db4fedba8c4c85189d291267812063e38 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
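Review bot: "[wheezy] - linux (Vulnerable code introduced later)" is rendered without a status marker; a per-release line with no version reads as unfixed in wheezy, which is the opposite of what the parenthetical says, so confirm the committed line is "[wheezy] - linux <not-affected> (Vulnerable code introduced later)" and that the marker was only lost in this rendering. Replacing the cgit URL with the git.kernel.org/linus/<full sha> form is an improvement, since the previous reference identified the commit by a 12-character abbreviated id.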
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Android issue actually affecting mainline
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e62dad6 by Moritz Muehlenhoff at 2018-04-10T13:56:08+02:00 Android issue actually affecting mainline - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38138,7 +38138,8 @@ CVE-2017-13222 (An information disclosure vulnerability in the Upstream kernel k CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel wifi ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel bluez. ...) - NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) + - linux 4.0.2-1 + NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=51bda2bca53b CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel synaptics ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13218 (Access to CNTVCT_EL0 could be used for side channel attacks. This ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e62dad600a9a2285ac4710066fcffcdce79c505 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e62dad600a9a2285ac4710066fcffcdce79c505 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
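Review bot: replacing the NOT-FOR-US annotation with "- linux 4.0.2-1" states the fixed version for unstable only and says nothing about the suites shipping older kernels; a [wheezy]/[jessie]/[stretch] line, or a NOTE on when the vulnerable code entered mainline, is needed before the entry is complete. The NOTE also cites the upstream commit by a 12-character abbreviated id inside the long cgit URL; the full hash is the unambiguous reference. While editing this entry, the retained context lines for CVE-2017-13221 and CVE-2017-13219 still carry "no apparently not affecting mainline", which reads like a typo.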
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 86ea50bd by Salvatore Bonaccorso at 2018-04-10T10:24:52+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,5 +1,5 @@ CVE-2018-9934 (The reset-password feature in MetInfo 6.0 allows remote attackers to ...) - TODO: check + NOT-FOR-US: MetInfo CVE-2018-9933 RESERVED CVE-2018-9932 @@ -11,19 +11,19 @@ CVE-2018-9930 CVE-2018-9929 RESERVED CVE-2018-9928 (Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 ...) - TODO: check + NOT-FOR-US: MetInfo CVE-2018-9927 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) - TODO: check + NOT-FOR-US: WUZHI CMS CVE-2018-9926 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) - TODO: check + NOT-FOR-US: WUZHI CMS CVE-2018-9925 (An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists ...) - TODO: check + NOT-FOR-US: idreamsoft iCMS CVE-2018-9924 (An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection ...) - TODO: check + NOT-FOR-US: idreamsoft iCMS CVE-2018-9923 (An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists ...) - TODO: check + NOT-FOR-US: idreamsoft iCMS CVE-2018-9922 (An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path ...) - TODO: check + NOT-FOR-US: idreamsoft iCMS CVE-2018-9921 RESERVED CVE-2018-9920 
@@ -195,7 +195,7 @@ CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg throu [stretch] - ffmpeg (Can wait until the next ffmpeg 3.2.x release) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758 CVE-2018-9840 (The Open Whisper Signal app before 2.23.2 for iOS allows physically ...) - TODO: check + NOT-FOR-US: Open Whisper Signal app for iOS CVE-2018-9839 RESERVED CVE-2018-1000166 [Unsafe use of sprintf() can allow a remote unauthenticated attacker to execute arbitrary code] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86ea50bda4d081a759fa4eb25088c10c411167b3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86ea50bda4d081a759fa4eb25088c10c411167b3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aec1866f by security tracker role at 2018-04-10T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,41 @@ +CVE-2018-9934 (The reset-password feature in MetInfo 6.0 allows remote attackers to ...) + TODO: check +CVE-2018-9933 + RESERVED +CVE-2018-9932 + RESERVED +CVE-2018-9931 + RESERVED +CVE-2018-9930 + RESERVED +CVE-2018-9929 + RESERVED +CVE-2018-9928 (Cross-site scripting (XSS) vulnerability in save.php in MetInfo 6.0 ...) + TODO: check +CVE-2018-9927 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) + TODO: check +CVE-2018-9926 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) + TODO: check +CVE-2018-9925 (An issue was discovered in idreamsoft iCMS through 7.0.7. XSS exists ...) + TODO: check +CVE-2018-9924 (An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection ...) + TODO: check +CVE-2018-9923 (An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF exists ...) + TODO: check +CVE-2018-9922 (An issue was discovered in idreamsoft iCMS through 7.0.7. Physical path ...) + TODO: check +CVE-2018-9921 + RESERVED +CVE-2018-9920 + RESERVED +CVE-2018-9919 + RESERVED +CVE-2018-9918 + RESERVED +CVE-2018-9917 + RESERVED +CVE-2018-9916 + RESERVED CVE-2018-9915 RESERVED CVE-2018-9914 @@ -156,8 +194,8 @@ CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg throu - ffmpeg (low) [stretch] - ffmpeg (Can wait until the next ffmpeg 3.2.x release) NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758 -CVE-2018-9840 - RESERVED +CVE-2018-9840 (The Open Whisper Signal app before 2.23.2 for iOS allows physically ...) + TODO: check CVE-2018-9839 RESERVED CVE-2018-1000166 [Unsafe use of sprintf() can allow a remote unauthenticated attacker to execute arbitrary code] 
@@ -5981,12 +6019,14 @@ CVE-2018-7482 (** DISPUTED ** The K2 component 2.8.0 for Joomla! has Incorrect A CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 mishandles ...) - linux (Vulnerable code not present) CVE-2018-199 (Teluu PJSIP version 2.7.1 and earlier contains a Access of ...) + {DSA-4170-1} - pjproject 2.7.2~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-003.html NOTE: https://trac.pjsip.org/repos/ticket/2092 NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2018-198 (Teluu PJSIP version 2.7.1 and earlier contains a Integer Overflow ...) + {DSA-4170-1} - pjproject 2.7.2~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-002.html @@ -9932,8 +9972,8 @@ CVE-2018-6184 (ZEIT Next.js 4 before 4.2.3 has Directory Traversal under the /_n NOT-FOR-US: ZEIT Next.js CVE-2018-6183 (BitDefender Total Security 2018 allows local users to gain privileges ...) NOT-FOR-US: BitDefender Total Security -CVE-2018-6182 - RESERVED +CVE-2018-6182 (Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 before ...) + TODO: check CVE-2018-6181 RESERVED CVE-2018-6180 (A flaw in the profile section of Online Voting System 1.0 allows an ...) @@ -11912,8 +11952,8 @@ CVE-2018-5465 (A Session Fixation issue was discovered in Belden Hirschmann RS, NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches CVE-2018-5464 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an ...) NOT-FOR-US: Philips Intellispace Portal -CVE-2018-5463 - RESERVED +CVE-2018-5463 (A structured exception handler overflow vulnerability in Leao ...) + TODO: check CVE-2018-5462 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x have an ...) NOT-FOR-US: Philips Intellispace Portal CVE-2018-5461 (An Inadequate Encryption Strength issue was discovered in Belden ...) 
@@ -23152,8 +23192,8 @@ CVE-2018-1219 (EMC RSA Archer, versions prior to 6.2.0.8, contains an improper a NOT-FOR-US: EMC RSA Archer CVE-2018-1218 (In Dell EMC NetWorker versions prior to 9.2.1.1, versions prior to ...) NOT-FOR-US: EMC NetWorker -CVE-2018-1217 - RESERVED +CVE-2018-1217 (Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 7.4.1, ...) + TODO: check CVE-2018-1216 (A hard-coded password vulnerability was discovered in vApp Manager ...) NOT-FOR-US: EMC CVE-2018-1215 (An arbitrary file upl
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Annotate CVE-2018-6594
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: fd006adc by Brian May at 2018-04-10T17:02:13+10:00 Annotate CVE-2018-6594 * Mark no-dsa in wheezy. * Add comment about why this isn't being fixed upstream. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8659,11 +8659,14 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generat - python-crypto (bug #88) [stretch] - python-crypto (Minor issue) [jessie] - python-crypto (Minor issue) + [wheezy] - python-crypto (Minor issue) NOTE: PyCrypto: https://github.com/dlitz/pycrypto/issues/253 NOTE: The issue is found as well in pycryptodome (fork from python-crypto) NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90 NOTE: PyCrytpodome: https://github.com/Legrandin/pycryptodome/commit/99c27a3b9e8a884bbde0e88c63234b669d4398d8 (3.4.10) NOTE: See further discussion as per https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362783537 + NOTE: Upstream feels that this is not a vulnerability in pycryptodome/python-crypto, + NOTE: but in an application using it in an insecure manner. CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) NOT-FOR-US: MalwareFox AntiMalware CVE-2018-6592 (Unisys Stealth 3.3 Windows endpoints before 3.3.016.1 allow local ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd006adcdd7c86fc658b4efabf17327a7e8100d6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd006adcdd7c86fc658b4efabf17327a7e8100d6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
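Review bot: the commit message says "Mark no-dsa in wheezy", but the added line shows as "[wheezy] - python-crypto (Minor issue)" with no status marker, the same form as the stretch and jessie lines above it; a per-release line with only a parenthetical reads as unfixed rather than no-dsa, so verify that "<no-dsa>" is present in the committed file and was merely stripped in this rendering. The explanation is split across two NOTE lines ("...not a vulnerability in pycryptodome/python-crypto," / "but in an application using it in an insecure manner."); NOTE lines are independent records, so keep the sentence on one line or point at the upstream comment URL already cited in the entry. The existing "NOTE: PyCrytpodome:" context line has a transposition worth fixing while this entry is being edited.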