[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2bb7ee72 by Salvatore Bonaccorso at 2018-04-11T08:20:31+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -13574,16 +13574,22 @@ CVE-2018-4938
RESERVED
 CVE-2018-4937
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2018-4936
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2018-4935
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2018-4934
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2018-4933
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2018-4932
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2018-4931
RESERVED
 CVE-2018-4930
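Review bot: the `NOT-FOR-US: Adobe` annotation is added under CVE-2018-4937 through CVE-2018-4932 while each keeps its `RESERVED` line, but CVE-2018-4938 (in the hunk header) and CVE-2018-4931/CVE-2018-4930 in the surrounding context stay bare `RESERVED`. If those belong to the same Adobe bulletin they should be annotated in the same pass; if they were deliberately left out, a one-line NOTE saying so would spare the next triager a second look.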



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2bb7ee72b1bfcb56a9ce77e2218e44632531cbda

You're receiving this email because of your account on salsa.debian.org.
___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-998{8, 9}/mbedtls

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35798e13 by Salvatore Bonaccorso at 2018-04-10T22:59:10+02:00
Add CVE-2018-998{8,9}/mbedtls

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,7 +1,15 @@
 CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has 
a buffer ...)
-   TODO: check
+   - mbedtls 2.8.0-1
+   - polarssl 
+   NOTE: 
https://github.com/ARMmbed/mbedtls/commit/5224a7544c95552553e2e6be0b4a789956a6464e
+   NOTE: 
https://github.com/ARMmbed/mbedtls/commit/740b218386083dc708ce98ccc94a63a95cd5629e
+   NOTE: 
https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released
 CVE-2018-9988 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has 
a buffer ...)
-   TODO: check
+   - mbedtls 2.8.0-1
+   - polarssl 
+   NOTE: 
https://github.com/ARMmbed/mbedtls/commit/027f84c69f4ef30c0693832a6c396ef19e563ca1
+   NOTE: 
https://github.com/ARMmbed/mbedtls/commit/a1098f81c252b317ad34ea978aea2bc47760b215
+   NOTE: 
https://tls.mbed.org/tech-updates/releases/mbedtls-2.8.0-2.7.2-and-2.1.11-released
 CVE-2018-9987
RESERVED
 CVE-2018-9986
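Review bot: the two new `+   - polarssl ` lines end after the package name with nothing following it, whereas the mbedtls lines carry a version (`- mbedtls 2.8.0-1`). If an angle-bracket status tag was there and got stripped in the mail rendering, fine; as shown the entries are incomplete and should be run through the tracker's syntax check before relying on them. Both CVEs point at the same release announcement, so the per-CVE upstream commits are what distinguishes them; good that both pairs are recorded.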



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/35798e1355ac8ae8e57c8104b645a6394f7f3a93


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-9860

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
406a7119 by Salvatore Bonaccorso at 2018-04-10T22:53:16+02:00
Reference fix for CVE-2018-9860

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -256,9 +256,12 @@ CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles 
a numeric username, wh
TODO: check
 CVE-2018-9861
RESERVED
-CVE-2018-9860 [An off by one error in TLS CBC decryption ...]
+CVE-2018-9860 [An off by one error in TLS CBC decryption]
RESERVED
- botan 2.4.0-6
+   - botan1.10  (Issue introduced in 1.11.32)
+   NOTE: 
https://github.com/randombit/botan/commit/ec222c99719c396a1f4756b2ca345dbbfbeb5ed5
+   NOTE: Bug introduced in 1.11.32, fixed in 2.6.0
 CVE-2018-9859
RESERVED
 CVE-2018-1000168
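Review bot: the parenthetical on the new `botan1.10` line and the second new NOTE both state that the bug was introduced in 1.11.32; keep the NOTE (it also records the upstream fix in 2.6.0) and shorten the package line, which as shown also has no status tag between `botan1.10` and the parenthetical. Dropping the trailing `...` from the square-bracket description is right: that description is written locally while the entry is still RESERVED, so a trailing `...` only suggests truncation.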



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/406a7119f0e6cfb16e59f66d8d5cf6f49e1a8948


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process more NFUs

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
55a23054 by Salvatore Bonaccorso at 2018-04-10T22:37:36+02:00
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -20099,27 +20099,27 @@ CVE-2018-2415
 CVE-2018-2414
RESERVED
 CVE-2018-2413 (SAP Disclosure Management 10.1 does not perform necessary ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2412 (SAP Disclosure Management 10.1 does not perform necessary ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2411
RESERVED
 CVE-2018-2410 (SAP Business One, 9.2, 9.3, browser access does not 
sufficiently ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2409 (Improper session management when using SAP Cloud Platform 2.0 
...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2408 (Improper Session Management in SAP Business Objects, 4.0, from 
4.10, ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2407
RESERVED
 CVE-2018-2406 (Unquoted windows search path (directory/path traversal) 
vulnerability ...)
TODO: check
 CVE-2018-2405 (SAP Solution Manager, 7.10, 7.20, Incident Management Work 
Center ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2404 (SAP Disclosure Management 10.1 allows an attacker to upload any 
file ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2403 (Under certain conditions, SAP Disclosure Management 10.1 allows 
an ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-2402 (In systems using the optional capture & replay 
functionality of SAP ...)
NOT-FOR-US: SAP
 CVE-2018-2401 (SAP Business Process Automation (BPA) By Redwood does not 
sufficiently ...)
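Review bot: CVE-2018-2406 keeps its `TODO: check` while every other processed entry in this hunk becomes `NOT-FOR-US: SAP`. Its truncated description (`Unquoted windows search path ...`) is the only one that does not name a vendor, so if that is why it was skipped, a short NOTE on what it was checked against would help; if it is part of the same SAP batch it should get the same annotation.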



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/55a230548167a1a195d2bca08895b32b205f3eea


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d41ebca by Salvatore Bonaccorso at 2018-04-10T22:35:17+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -7,7 +7,7 @@ CVE-2018-9987
 CVE-2018-9986
RESERVED
 CVE-2018-9985 (The front page of MetInfo 6.0 allows XSS by sending a feedback 
message ...)
-   TODO: check
+   NOT-FOR-US: MetInfo
 CVE-2018-9984
RESERVED
 CVE-2018-9983
@@ -2129,9 +2129,9 @@ CVE-2018-9040 (In Advanced SystemCare Ultimate 11.0.1.58, 
the driver file ...)
 CVE-2018-9039 (In Octopus Deploy 2.0 and later before 2018.3.7, an 
authenticated user, ...)
NOT-FOR-US: Octopus Deploy
 CVE-2018-9038 (Monstra CMS 3.0.4 allows remote attackers to delete files via 
an ...)
-   TODO: check
+   NOT-FOR-US: Monstra CMS
 CVE-2018-9037 (Monstra CMS 3.0.4 allows remote code execution via an 
upload_file ...)
-   TODO: check
+   NOT-FOR-US: Monstra CMS
 CVE-2018-9036
RESERVED
 CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the 
Contact Form ...)
@@ -2851,7 +2851,7 @@ CVE-2018-8774
 CVE-2018-8773
RESERVED
 CVE-2018-8772 (Coship RT3052 4.0.0.48 devices allow XSS via a crafted SSID 
field on ...)
-   TODO: check
+   NOT-FOR-US: Coship RT3052 4.0.0.48 devices
 CVE-2018-8771
RESERVED
 CVE-2018-8770 (Physical path Leakage exists in Western Bridge Cobub Razor 
0.8.0 via ...)
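Review bot: `NOT-FOR-US: Coship RT3052 4.0.0.48 devices` bakes the firmware version into the not-for-us tag, while the other entries in this commit name only the vendor or product (`NOT-FOR-US: Atlassian`, `NOT-FOR-US: Monstra CMS`), which keeps the tag stable across future CVEs for the same device. `NOT-FOR-US: Coship RT3052 devices` would match that convention.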
@@ -9213,9 +9213,9 @@ CVE-2017-18103
 CVE-2017-18102
RESERVED
 CVE-2017-18101 (Various administrative external system import resources in 
Atlassian ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2017-18100 (The agile wallboard gadget in Atlassian Jira before version 
7.8.1 ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2017-18099
RESERVED
 CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before 
version 7.6.1 ...)
@@ -12064,7 +12064,7 @@ CVE-2018-5465 (A Session Fixation issue was discovered 
in Belden Hirschmann RS, 
 CVE-2018-5464 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x 
have an ...)
NOT-FOR-US: Philips Intellispace Portal
 CVE-2018-5463 (A structured exception handler overflow vulnerability in Leao 
...)
-   TODO: check
+   NOT-FOR-US: Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA 
ME LAquis SCADA
 CVE-2018-5462 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x 
have an ...)
NOT-FOR-US: Philips Intellispace Portal
 CVE-2018-5461 (An Inadequate Encryption Strength issue was discovered in 
Belden ...)
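Review bot: the new NOT-FOR-US line for CVE-2018-5463 is shown wrapped, with `ME LAquis SCADA` on a bare line that carries no `+` marker; in the committed file this must be a single line or the entry is malformed. The vendor string copied verbatim from the CVE text is also far longer than the neighbouring `NOT-FOR-US: Philips Intellispace Portal`; the product name (`LAquis SCADA`) would suffice.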
@@ -12735,7 +12735,7 @@ CVE-2018-5229
 CVE-2018-5228
RESERVED
 CVE-2018-5227 (Various administrative application link resources in Atlassian 
...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2018-5226
RESERVED
 CVE-2018-5225 (In browser editing in Atlassian Bitbucket Server from version 
4.13.0 ...)
@@ -23304,7 +23304,7 @@ CVE-2018-1219 (EMC RSA Archer, versions prior to 
6.2.0.8, contains an improper a
 CVE-2018-1218 (In Dell EMC NetWorker versions prior to 9.2.1.1, versions prior 
to ...)
NOT-FOR-US: EMC NetWorker
 CVE-2018-1217 (Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 
7.4.1, ...)
-   TODO: check
+   NOT-FOR-US: EMC Avamar Server
 CVE-2018-1216 (A hard-coded password vulnerability was discovered in vApp 
Manager ...)
NOT-FOR-US: EMC
 CVE-2018-1215 (An arbitrary file upload vulnerability was discovered in vApp 
Manager ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d41ebca906a313450ecf37f4a3b4c5dbc6f0da1


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-9860/botan fixed version in unstable

2018-04-10 Thread László Böszörményi
László Böszörményi pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
213314b5 by Laszlo Boszormenyi (GCS) at 2018-04-10T20:07:37+00:00
Add CVE-2018-9860/botan fixed version in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -148,7 +148,7 @@ CVE-2018-9861
RESERVED
 CVE-2018-9860 [An off by one error in TLS CBC decryption ...]
RESERVED
-   - botan 
+   - botan 2.4.0-6
 CVE-2018-9859
RESERVED
 CVE-2018-1000168
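Review bot: the fixed version `2.4.0-6` is recorded without a NOTE pointing at the upstream fix, so a reviewer cannot tell from the entry which change the upload carries; a NOTE with the upstream commit belongs with the version line (the later commit 406a7119 on this page adds exactly that).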



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/213314b582e32941ab662b7165172bf60dbcbd27


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c4d5f605 by security tracker role at 2018-04-10T20:10:23+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,113 @@
+CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has 
a buffer ...)
+   TODO: check
+CVE-2018-9988 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has 
a buffer ...)
+   TODO: check
+CVE-2018-9987
+   RESERVED
+CVE-2018-9986
+   RESERVED
+CVE-2018-9985 (The front page of MetInfo 6.0 allows XSS by sending a feedback 
message ...)
+   TODO: check
+CVE-2018-9984
+   RESERVED
+CVE-2018-9983
+   RESERVED
+CVE-2018-9982
+   RESERVED
+CVE-2018-9981
+   RESERVED
+CVE-2018-9980
+   RESERVED
+CVE-2018-9979
+   RESERVED
+CVE-2018-9978
+   RESERVED
+CVE-2018-9977
+   RESERVED
+CVE-2018-9976
+   RESERVED
+CVE-2018-9975
+   RESERVED
+CVE-2018-9974
+   RESERVED
+CVE-2018-9973
+   RESERVED
+CVE-2018-9972
+   RESERVED
+CVE-2018-9971
+   RESERVED
+CVE-2018-9970
+   RESERVED
+CVE-2018-9969
+   RESERVED
+CVE-2018-9968
+   RESERVED
+CVE-2018-9967
+   RESERVED
+CVE-2018-9966
+   RESERVED
+CVE-2018-9965
+   RESERVED
+CVE-2018-9964
+   RESERVED
+CVE-2018-9963
+   RESERVED
+CVE-2018-9962
+   RESERVED
+CVE-2018-9961
+   RESERVED
+CVE-2018-9960
+   RESERVED
+CVE-2018-9959
+   RESERVED
+CVE-2018-9958
+   RESERVED
+CVE-2018-9957
+   RESERVED
+CVE-2018-9956
+   RESERVED
+CVE-2018-9955
+   RESERVED
+CVE-2018-9954
+   RESERVED
+CVE-2018-9953
+   RESERVED
+CVE-2018-9952
+   RESERVED
+CVE-2018-9951
+   RESERVED
+CVE-2018-9950
+   RESERVED
+CVE-2018-9949
+   RESERVED
+CVE-2018-9948
+   RESERVED
+CVE-2018-9947
+   RESERVED
+CVE-2018-9946
+   RESERVED
+CVE-2018-9945
+   RESERVED
+CVE-2018-9944
+   RESERVED
+CVE-2018-9943
+   RESERVED
+CVE-2018-9942
+   RESERVED
+CVE-2018-9941
+   RESERVED
+CVE-2018-9940
+   RESERVED
+CVE-2018-9939
+   RESERVED
+CVE-2018-9938
+   RESERVED
+CVE-2018-9937
+   RESERVED
+CVE-2018-9936
+   RESERVED
+CVE-2018-9935
+   RESERVED
 CVE-2018-9934 (The reset-password feature in MetInfo 6.0 allows remote 
attackers to ...)
NOT-FOR-US: MetInfo
 CVE-2018-9933
@@ -30,8 +140,8 @@ CVE-2018-9920
RESERVED
 CVE-2018-9919
RESERVED
-CVE-2018-9918
-   RESERVED
+CVE-2018-9918 (libqpdf.a in QPDF through 8.0.2 mishandles certain 
"expected dictionary ...)
+   TODO: check
 CVE-2018-9917
RESERVED
 CVE-2018-9916
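Review bot: unlike the vendor-product entries in the rest of this automatic update, CVE-2018-9918 (`libqpdf.a in QPDF`) concerns software that Debian ships as the qpdf package, so this `TODO: check` should resolve to a package/version line rather than a NOT-FOR-US tag.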
@@ -2018,10 +2128,10 @@ CVE-2018-9040 (In Advanced SystemCare Ultimate 
11.0.1.58, the driver file ...)
NOT-FOR-US: Advanced SystemCare Ultimate
 CVE-2018-9039 (In Octopus Deploy 2.0 and later before 2018.3.7, an 
authenticated user, ...)
NOT-FOR-US: Octopus Deploy
-CVE-2018-9038
-   RESERVED
-CVE-2018-9037
-   RESERVED
+CVE-2018-9038 (Monstra CMS 3.0.4 allows remote attackers to delete files via 
an ...)
+   TODO: check
+CVE-2018-9037 (Monstra CMS 3.0.4 allows remote code execution via an 
upload_file ...)
+   TODO: check
 CVE-2018-9036
RESERVED
 CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the 
Contact Form ...)
@@ -2740,8 +2850,8 @@ CVE-2018-8774
RESERVED
 CVE-2018-8773
RESERVED
-CVE-2018-8772
-   RESERVED
+CVE-2018-8772 (Coship RT3052 4.0.0.48 devices allow XSS via a crafted SSID 
field on ...)
+   TODO: check
 CVE-2018-8771
RESERVED
 CVE-2018-8770 (Physical path Leakage exists in Western Bridge Cobub Razor 
0.8.0 via ...)
@@ -9102,10 +9212,10 @@ CVE-2017-18103
RESERVED
 CVE-2017-18102
RESERVED
-CVE-2017-18101
-   RESERVED
-CVE-2017-18100
-   RESERVED
+CVE-2017-18101 (Various administrative external system import resources in 
Atlassian ...)
+   TODO: check
+CVE-2017-18100 (The agile wallboard gadget in Atlassian Jira before version 
7.8.1 ...)
+   TODO: check
 CVE-2017-18099
RESERVED
 CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before 
version 7.6.1 ...)
@@ -12624,8 +12734,8 @@ CVE-2018-5229
RESERVED
 CVE-2018-5228
RESERVED
-CVE-2018-5227
-   RESERVED
+CVE-2018-5227 (Various administrative application link resources in Atlassian 
...)
+   TODO: check
 CVE-2018-5226
RESERVED
 CVE-2018-5225 (In browser editing in Atlassian Bitbucket Server from version 
4.13.0 ...)
@@ -19988,28 +20098,28 @@ CVE-2018-2415
RESERVED
 CVE-2018-2414
RESERVED
-CVE-2018-2413
-   RESERVED
-CVE-2018-2412
-   RESERVED
+CVE-2018-2413 (SAP Disclosure Management 10.1 does not perform necessary ...)
+   TODO: check
+CVE-2018-2412 (SAP Disclosure Management 10.1 does not pe

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-9860/botan

2018-04-10 Thread László Böszörményi
László Böszörményi pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
846ca1e2 by Laszlo Boszormenyi (GCS) at 2018-04-10T19:50:49+00:00
Add CVE-2018-9860/botan

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -146,8 +146,9 @@ CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles a 
numeric username, wh
TODO: check
 CVE-2018-9861
RESERVED
-CVE-2018-9860
+CVE-2018-9860 [An off by one error in TLS CBC decryption ...]
RESERVED
+   - botan 
 CVE-2018-9859
RESERVED
 CVE-2018-1000168
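Review bot: the new `+   - botan ` line ends after the package name with no version or status tag visible. An entry that is not yet fixed needs an explicit tag, otherwise a pending fix cannot be told apart from a rendering artefact; the follow-up commit 213314b5 on this page supplies `2.4.0-6`.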



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/846ca1e27d24bfdc0dc913457478897c9041f415


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dsa-needed.txt propose myself to prepare an upload for ruby2.1 and ruby2.3

2018-04-10 Thread Santiago R.R.
Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3787649 by Santiago R.R at 2018-04-10T18:07:33+02:00
dsa-needed.txt propose myself to prepare an upload for ruby2.1 and ruby2.3

Signed-off-by: Santiago R.R 

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -72,8 +72,10 @@ ruby-loofah
   Georg Faerber proposed to prepare an update
 --
 ruby2.1/oldstable
+  Santiago will prepare an update
 --
 ruby2.3/stable
+  Santiago will prepare an update
 --
 sqlite3/oldstable
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b37876494dbb3bc88f06d6c5731e4931211f2795


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Use shorter URL

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be9e165f by Salvatore Bonaccorso at 2018-04-10T14:27:06+02:00
Use shorter URL

- - - - -
c2f9f03d by Salvatore Bonaccorso at 2018-04-10T14:28:07+02:00
Sync status for CVE-2017-13220 in wheezy with kernel sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -38139,7 +38139,8 @@ CVE-2017-13221 (An elevation of privilege vulnerability 
in the Upstream kernel w
NOT-FOR-US: Android kernel component (no source release, no apparently 
not affecting mainline)
 CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel 
bluez. ...)
- linux 4.0.2-1
-   NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=51bda2bca53b
+   [wheezy] - linux  (Vulnerable code introduced later)
+   NOTE: 
https://git.kernel.org/linus/51bda2bca53b265715ca1852528f38dc67429d9a
 CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel 
synaptics ...)
NOT-FOR-US: Android kernel component (no source release, no apparently 
not affecting mainline)
 CVE-2017-13218 (Access to CNTVCT_EL0 could be used for side channel attacks. 
This ...)
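Review bot: switching the NOTE to `https://git.kernel.org/linus/<full sha>` is an improvement over the abbreviated `?id=51bda2bca53b` form, since the full 40-character id cannot become ambiguous. The new `[wheezy] - linux  (Vulnerable code introduced later)` line shows a double space where the status tag would sit; confirm the tag survived the commit and was only dropped in the mail rendering.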



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/5e62dad600a9a2285ac4710066fcffcdce79c505...c2f9f03db4fedba8c4c85189d291267812063e38


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Android issue actually affecting mainline

2018-04-10 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e62dad6 by Moritz Muehlenhoff at 2018-04-10T13:56:08+02:00
Android issue actually affecting mainline

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -38138,7 +38138,8 @@ CVE-2017-13222 (An information disclosure vulnerability 
in the Upstream kernel k
 CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel 
wifi ...)
NOT-FOR-US: Android kernel component (no source release, no apparently 
not affecting mainline)
 CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel 
bluez. ...)
-   NOT-FOR-US: Android kernel component (no source release, no apparently 
not affecting mainline)
+   - linux 4.0.2-1
+   NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=51bda2bca53b
 CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel 
synaptics ...)
NOT-FOR-US: Android kernel component (no source release, no apparently 
not affecting mainline)
 CVE-2017-13218 (Access to CNTVCT_EL0 could be used for side channel attacks. 
This ...)
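Review bot: replacing NOT-FOR-US with `- linux 4.0.2-1` plus an upstream commit NOTE is the right shape, but the NOTE uses the abbreviated id `51bda2bca53b`; the full commit hash is preferable for a permanent reference. The unchanged context lines for CVE-2017-13221 and CVE-2017-13219 read `no source release, no apparently not affecting mainline`, which looks like a typo for `and apparently not affecting mainline` and could be fixed in a follow-up.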



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e62dad600a9a2285ac4710066fcffcdce79c505


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86ea50bd by Salvatore Bonaccorso at 2018-04-10T10:24:52+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,5 @@
 CVE-2018-9934 (The reset-password feature in MetInfo 6.0 allows remote 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: MetInfo
 CVE-2018-9933
RESERVED
 CVE-2018-9932
@@ -11,19 +11,19 @@ CVE-2018-9930
 CVE-2018-9929
RESERVED
 CVE-2018-9928 (Cross-site scripting (XSS) vulnerability in save.php in MetInfo 
6.0 ...)
-   TODO: check
+   NOT-FOR-US: MetInfo
 CVE-2018-9927 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...)
-   TODO: check
+   NOT-FOR-US: WUZHI CMS
 CVE-2018-9926 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...)
-   TODO: check
+   NOT-FOR-US: WUZHI CMS
 CVE-2018-9925 (An issue was discovered in idreamsoft iCMS through 7.0.7. XSS 
exists ...)
-   TODO: check
+   NOT-FOR-US: idreamsoft iCMS
 CVE-2018-9924 (An issue was discovered in idreamsoft iCMS through 7.0.7. SQL 
injection ...)
-   TODO: check
+   NOT-FOR-US: idreamsoft iCMS
 CVE-2018-9923 (An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF 
exists ...)
-   TODO: check
+   NOT-FOR-US: idreamsoft iCMS
 CVE-2018-9922 (An issue was discovered in idreamsoft iCMS through 7.0.7. 
Physical path ...)
-   TODO: check
+   NOT-FOR-US: idreamsoft iCMS
 CVE-2018-9921
RESERVED
 CVE-2018-9920
@@ -195,7 +195,7 @@ CVE-2018-9841 (The export function in 
libavfilter/vf_signature.c in FFmpeg throu
[stretch] - ffmpeg  (Can wait until the next ffmpeg 3.2.x 
release)
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758
 CVE-2018-9840 (The Open Whisper Signal app before 2.23.2 for iOS allows 
physically ...)
-   TODO: check
+   NOT-FOR-US: Open Whisper Signal app for iOS
 CVE-2018-9839
RESERVED
 CVE-2018-1000166 [Unsafe use of sprintf() can allow a remote unauthenticated 
attacker to execute arbitrary code]



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/86ea50bda4d081a759fa4eb25088c10c411167b3


[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update

2018-04-10 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aec1866f by security tracker role at 2018-04-10T08:10:13+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,41 @@
+CVE-2018-9934 (The reset-password feature in MetInfo 6.0 allows remote 
attackers to ...)
+   TODO: check
+CVE-2018-9933
+   RESERVED
+CVE-2018-9932
+   RESERVED
+CVE-2018-9931
+   RESERVED
+CVE-2018-9930
+   RESERVED
+CVE-2018-9929
+   RESERVED
+CVE-2018-9928 (Cross-site scripting (XSS) vulnerability in save.php in MetInfo 
6.0 ...)
+   TODO: check
+CVE-2018-9927 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...)
+   TODO: check
+CVE-2018-9926 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...)
+   TODO: check
+CVE-2018-9925 (An issue was discovered in idreamsoft iCMS through 7.0.7. XSS 
exists ...)
+   TODO: check
+CVE-2018-9924 (An issue was discovered in idreamsoft iCMS through 7.0.7. SQL 
injection ...)
+   TODO: check
+CVE-2018-9923 (An issue was discovered in idreamsoft iCMS through 7.0.7. CSRF 
exists ...)
+   TODO: check
+CVE-2018-9922 (An issue was discovered in idreamsoft iCMS through 7.0.7. 
Physical path ...)
+   TODO: check
+CVE-2018-9921
+   RESERVED
+CVE-2018-9920
+   RESERVED
+CVE-2018-9919
+   RESERVED
+CVE-2018-9918
+   RESERVED
+CVE-2018-9917
+   RESERVED
+CVE-2018-9916
+   RESERVED
 CVE-2018-9915
RESERVED
 CVE-2018-9914
@@ -156,8 +194,8 @@ CVE-2018-9841 (The export function in 
libavfilter/vf_signature.c in FFmpeg throu
- ffmpeg  (low)
[stretch] - ffmpeg  (Can wait until the next ffmpeg 3.2.x 
release)
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758
-CVE-2018-9840
-   RESERVED
+CVE-2018-9840 (The Open Whisper Signal app before 2.23.2 for iOS allows 
physically ...)
+   TODO: check
 CVE-2018-9839
RESERVED
 CVE-2018-1000166 [Unsafe use of sprintf() can allow a remote unauthenticated 
attacker to execute arbitrary code]
@@ -5981,12 +6019,14 @@ CVE-2018-7482 (** DISPUTED ** The K2 component 2.8.0 
for Joomla! has Incorrect A
 CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 
mishandles ...)
- linux  (Vulnerable code not present)
 CVE-2018-199 (Teluu PJSIP version 2.7.1 and earlier contains a Access of 
...)
+   {DSA-4170-1}
- pjproject 2.7.2~dfsg-1
[jessie] - pjproject  (Minor issue)
NOTE: http://downloads.asterisk.org/pub/security/AST-2018-003.html
NOTE: https://trac.pjsip.org/repos/ticket/2092
NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, 
STUN and TURN)
 CVE-2018-198 (Teluu PJSIP version 2.7.1 and earlier contains a Integer 
Overflow ...)
+   {DSA-4170-1}
- pjproject 2.7.2~dfsg-1
[jessie] - pjproject  (Minor issue)
NOTE: http://downloads.asterisk.org/pub/security/AST-2018-002.html
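Review bot: `{DSA-4170-1}` is added to both PJSIP entries while the `[jessie] - pjproject  (Minor issue)` lines stay, which is consistent with the NOTE that Asterisk in jessie does not use pjproject for SIP; the DSA evidently covers stretch only. As shown, the `[jessie]` lines have a double space where the status tag would sit, and the ids in the context (`CVE-2018-199`, `CVE-2018-198`) have fewer than the four digits a CVE id always carries; if both are mail rendering and not the file, nothing to do.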
@@ -9932,8 +9972,8 @@ CVE-2018-6184 (ZEIT Next.js 4 before 4.2.3 has Directory 
Traversal under the /_n
NOT-FOR-US: ZEIT Next.js
 CVE-2018-6183 (BitDefender Total Security 2018 allows local users to gain 
privileges ...)
NOT-FOR-US: BitDefender Total Security
-CVE-2018-6182
-   RESERVED
+CVE-2018-6182 (Mahara 16.10 before 16.10.9 and 17.04 before 17.04.7 and 17.10 
before ...)
+   TODO: check
 CVE-2018-6181
RESERVED
 CVE-2018-6180 (A flaw in the profile section of Online Voting System 1.0 
allows an ...)
@@ -11912,8 +11952,8 @@ CVE-2018-5465 (A Session Fixation issue was discovered 
in Belden Hirschmann RS, 
NOT-FOR-US: Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, 
MACH4000, MS, and OCTOPUS Classic Platform Switches
 CVE-2018-5464 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x 
have an ...)
NOT-FOR-US: Philips Intellispace Portal
-CVE-2018-5463
-   RESERVED
+CVE-2018-5463 (A structured exception handler overflow vulnerability in Leao 
...)
+   TODO: check
 CVE-2018-5462 (Philips IntelliSpace Portal all versions of 8.0.x, and 7.0.x 
have an ...)
NOT-FOR-US: Philips Intellispace Portal
 CVE-2018-5461 (An Inadequate Encryption Strength issue was discovered in 
Belden ...)
@@ -23152,8 +23192,8 @@ CVE-2018-1219 (EMC RSA Archer, versions prior to 
6.2.0.8, contains an improper a
NOT-FOR-US: EMC RSA Archer
 CVE-2018-1218 (In Dell EMC NetWorker versions prior to 9.2.1.1, versions prior 
to ...)
NOT-FOR-US: EMC NetWorker
-CVE-2018-1217
-   RESERVED
+CVE-2018-1217 (Avamar Installation Manager in Dell EMC Avamar Server 7.3.1, 
7.4.1, ...)
+   TODO: check
 CVE-2018-1216 (A hard-coded password vulnerability was discovered in vApp 
Manager ...)
NOT-FOR-US: EMC
 CVE-2018-1215 (An arbitrary file upl

[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Annotate CVE-2018-6594

2018-04-10 Thread Brian May
Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fd006adc by Brian May at 2018-04-10T17:02:13+10:00
Annotate CVE-2018-6594

* Mark no-dsa in wheezy.
* Add comment about why this isn't being fixed upstream.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -8659,11 +8659,14 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in 
PyCrypto through 2.6.1 generat
- python-crypto  (bug #88)
[stretch] - python-crypto  (Minor issue)
[jessie] - python-crypto  (Minor issue)
+   [wheezy] - python-crypto  (Minor issue)
NOTE: PyCrypto: https://github.com/dlitz/pycrypto/issues/253
NOTE: The issue is found as well in pycryptodome (fork from 
python-crypto)
NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90
NOTE: PyCrytpodome: 
https://github.com/Legrandin/pycryptodome/commit/99c27a3b9e8a884bbde0e88c63234b669d4398d8
 (3.4.10)
NOTE: See further discussion as per 
https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362783537
+   NOTE: Upstream feels that this is not a vulnerability in 
pycryptodome/python-crypto,
+   NOTE: but in an application using it in an insecure manner.
 CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. 
Improper ...)
NOT-FOR-US: MalwareFox AntiMalware
 CVE-2018-6592 (Unisys Stealth 3.3 Windows endpoints before 3.3.016.1 allow 
local ...)
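Review bot: the new `[wheezy] - python-crypto  (Minor issue)` line matches the stretch and jessie lines above it, but as shown none of the three carries the status tag that should precede `(Minor issue)`; confirm it is only the mail rendering. The upstream position is split across two NOTE lines that together form one sentence; a single NOTE reads better. The existing context line `NOTE: PyCrytpodome:` has a transposition (`PyCryptodome`) worth fixing while here.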



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd006adcdd7c86fc658b4efabf17327a7e8100d6
