[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: unassign vorbis
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: b2042491 by Guido Günther at 2018-03-17T19:37:48+01:00 lts: unassign vorbis There's still a fix for one CVE missing but it might make sense to roll out a dla anyway - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -69,7 +69,7 @@ libmad (Kurt Roeckx) -- libreoffice -- -libvorbis (Guido Günther) +libvorbis NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2042491a938ead42be68e26852ae4a12266dca6 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
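Review bot: In the data/dla-needed.txt hunk, the claimant is dropped from the libvorbis entry, but the reasoning in the commit message (one CVE still lacks a fix, yet a DLA with the available fixes may be worthwhile) is not recorded in the file. Add a dated NOTE under the entry saying that a DLA for the already-fixed CVEs is acceptable while CVE-2017-14160 stays open, so whoever claims the package next does not wait on the unresolved issue.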
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] libvirt: mark CVE-2018-6764 as not affecting jessie and wheezy
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 4982996e by Guido Günther at 2018-03-12T21:06:10+01:00 libvirt: mark CVE-2018-6764 as not affecting jessie and wheezy The bug was introduced in 1.3.1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3716,10 +3716,10 @@ CVE-2018-6767 (A stack-based buffer over-read in the ParseRiffHeaderConfig funct CVE-2018-6764 (util/virlog.c in libvirt does not properly determine the hostname on ...) - libvirt 4.0.0-2 (bug #889839) [stretch] - libvirt (Minor issue) - [jessie] - libvirt (Minor issue) - [wheezy] - libvirt (Minor issue) + [jessie] - libvirt (Vulnerable code introduced later in 1.3.1) + [wheezy] - libvirt (Vulnerable code introduced later in 1.3.1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1541444 - NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=759b4d1b0fe5f4d84d98b99153dfa7ac289dd167 + NOTE: introduced-by https://libvirt.org/git/?p=libvirt.git;a=commit;h=759b4d1b0fe5f4d84d98b99153dfa7ac289dd167 CVE-2018-6759 (The bfd_get_debug_link_info_1 function in opncls.c in the Binary File ...) - binutils 2.30-3 [stretch] - binutils (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4982996e221787d6eee0d276c2c9693b380974fc
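Review bot: In the CVE-2018-6764 block, the new jessie and wheezy reason "Vulnerable code introduced later in 1.3.1" mixes two phrasings; "Vulnerable code introduced in 1.3.1" states the same fact more directly and matches the commit message. The "introduced-by" prefix on the commit NOTE is the useful part of this change, since it lets a reader tell the introducing commit from a fix.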
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: xen not affected by CVE-2018-7542
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 66ae313e by Guido Günther at 2018-02-28T20:39:46+01:00 lts: xen not affected by CVE-2018-7542 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -59,6 +59,7 @@ CVE-2018-7538 CVE-2018-7542 (An issue was discovered in Xen 4.8.x through 4.10.x allowing x86 PVH ...) - xen [jessie] - xen (Vulnerable code introduced later) + [wheezy] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-256.html CVE-2018-7541 (An issue was discovered in Xen through 4.10.x allowing guest OS users ...) - xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66ae313e7d76cb05c2bc18a964cd5ee408cdfa18
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Unbreak syntax check
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: aa37aed1 by Guido Günther at 2018-02-23T11:01:10+01:00 Unbreak syntax check by removing the UTF-8 character - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -46684,7 +46684,7 @@ CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cp NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1872 NOTE: partially reverted in: https://sourceforge.net/p/podofo/code/1881 - NOTE: … and re-fixed in: https://sourceforge.net/p/podofo/code/1882 + NOTE: ... and re-fixed in: https://sourceforge.net/p/podofo/code/1882 NOTE: and https://sourceforge.net/p/podofo/code/1883 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and stack ...) - libpodofo (bug #860994) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa37aed1eb43c26be587cf416b43f4b4bc9a13a2
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: fix typo
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: cf37bc29 by Guido Günther at 2018-01-31T11:51:49+01:00 lts: fix typo - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -43,7 +43,7 @@ libreoffice (Emilio Pozuelo) NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html -- libvorbis (Guido Günther) - NOTE: Underlying reason for CVE-2017-14160 yet unclear, no ustream feedback on this issue. + NOTE: Underlying reason for CVE-2017-14160 yet unclear, no upstream feedback on this issue. NOTE: Fixes for other CVEs applied upstream and in sid. -- linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf37bc29c3de23dc5a80c6970983b97ab050bb55
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1263-1 for debian-security-support
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: d6384a62 by Guido Günther at 2018-01-29T17:51:27+01:00 Reserve DLA-1263-1 for debian-security-support - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -63,11 +63,6 @@ openjdk-7 (Emilio Pozuelo) -- p7zip -- -swftools (Guido Günther) - NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) - NOTE: 20171210: likely to be turned into a pkg with limited sec support - NOTE 20180128: jmm is waiting for feedback from maintainer --- unbound (Markus Koschany) -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d6384a62090cff3533c18118a5fcb34080a82280
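Review bot: The only hunk removes the swftools entry from data/dla-needed.txt, while the subject speaks of reserving DLA-1263-1 for debian-security-support and no data/DLA/list change is part of this commit. State in the commit message why swftools leaves the list (the removed NOTE says it is "likely to be turned into a pkg with limited sec support"), so the removal can be traced to the DLA without reading the deleted lines.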
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1262-1 for thunderbird
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 38ba3e68 by Guido Günther at 2018-01-29T13:16:29+01:00 Reserve DLA-1262-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[29 Jan 2018] DLA-1262-1 thunderbird - security update + {CVE-2018-5089 CVE-2018-5095 CVE-2018-5096 CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102 CVE-2018-5103 CVE-2018-5104 CVE-2018-5117} + [wheezy] - thunderbird 1:52.6.0-1~deb7u1 [27 Jan 2018] DLA-1261-1 clamav - security update {CVE-2017-6418 CVE-2017-6420 CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380} [wheezy] - clamav 0.99.2+dfsg-0+deb7u4 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -68,8 +68,6 @@ swftools (Guido Günther) NOTE: 20171210: likely to be turned into a pkg with limited sec support NOTE 20180128: jmm is waiting for feedback from maintainer -- -thunderbird (Guido Günther) --- unbound (Markus Koschany) -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38ba3e68dd216f2924fb73b1c547221e7b50d293
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: update swftools status
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 070a04e8 by Guido Günther at 2018-01-28T12:36:55+01:00 lts: update swftools status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -66,6 +66,7 @@ p7zip swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) NOTE: 20171210: likely to be turned into a pkg with limited sec support + NOTE 20180128: jmm is waiting for feedback from maintainer -- thunderbird (Guido Günther) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/070a04e8d61af69be219343857fdd635ed644359
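Review bot: The added line "NOTE 20180128: jmm is waiting for feedback from maintainer" is missing the colon after NOTE, unlike the "NOTE: 20171118:" and "NOTE: 20171210:" lines directly above it in the swftools entry. Write it as "NOTE: 20180128: ..." so the entry stays uniform and anything matching on "NOTE:" still finds this status line.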
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] triage thunderbird
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a40b7d9 by Guido Günther at 2018-01-26T09:11:14+01:00 triage thunderbird - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3065,6 +3065,7 @@ CVE-2018-5095 - firefox-esr 52.6.0esr-1 - thunderbird - skia (bug #818180) + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5095 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5095 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5095 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9a40b7d98648705df03b28273c1b1afa2d30db07
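Review bot: As shown, the added "- thunderbird" line in the CVE-2018-5095 block repeats the "- thunderbird" entry that already sits two lines above it, before "- skia (bug #818180)". If a release-specific triage was intended, give the line a release prefix such as "[wheezy]" and place it directly under the existing thunderbird entry; otherwise drop the duplicate.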
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: add an claim thunderbird
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 0dfe3a67 by Guido Günther at 2018-01-26T08:47:39+01:00 lts: add an claim thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -55,6 +55,8 @@ swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) NOTE: 20171210: likely to be turned into a pkg with limited sec support -- +thunderbird (Guido Günther) +-- tiff (Roberto C. Sánchez) -- tiff3 (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0dfe3a6753af600a112533f0687f6edec5d0ffa5
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: mark lrzip issues as no-dsa
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 414b941c by Guido Günther at 2018-01-20T16:32:54+01:00 lts: mark lrzip issues as no-dsa There are plenty of other DoS already. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -332,6 +332,7 @@ CVE-2017-18044 (A Command Injection issue was discovered in ...) NOT-FOR-US: Commvault CVE-2018-5786 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and ...) - lrzip + [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/91 CVE-2018-5785 (In OpenJPEG 2.3.0, there is an integer overflow caused by an ...) - openjpeg2 @@ -478,6 +479,7 @@ CVE-2018-5748 [resource exhaustion via qemuMonitorIORead() method] NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bc251ea91bcfddd2622fce6bce701a438b2e7276 CVE-2018-5747 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ...) - lrzip + [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/90 CVE-2018-5746 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/414b941c20da40a672cd03e90d6e22413a6ee619
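Review bot: In the second hunk, CVE-2018-5747 is described as a use-after-free, yet it receives the same "Minor issue" reason as the infinite loop in CVE-2018-5786, and the commit message argues only from existing DoS issues. Add a short NOTE under CVE-2018-5747 saying why the use-after-free is considered no worse than a denial of service on wheezy, so the no-dsa decision can be reviewed later.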
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark mysql-connector-net as no-dsa
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: da823ade by Guido Günther at 2018-01-19T17:42:29+01:00 Mark mysql-connector-net as no-dsa as discussed with carnil - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7985,7 +7985,10 @@ CVE-2018-2586 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2585 (Vulnerability in the MySQL Connectors component of Oracle MySQL ...) - - mysql-connector-net + - mysql-connector-net (bug #887751) + [stretch] - mysql-connector-net (Minor issue) + [jessie] - mysql-connector-net (Minor issue) + [wheezy] - mysql-connector-net (Minor issue) NOTE: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixMSQL CVE-2018-2584 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da823ade111de17ecfbef8e052b1d339027c9aff
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: follow the security teams decision on openocd
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b4e62b7 by Guido Günther at 2018-01-19T17:08:31+01:00 lts: follow the security teams decision on openocd - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -258,7 +258,6 @@ CVE-2018-102 RESERVED CVE-2018-5704 (Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use ...) - openocd 0.10.0-4 (bug #887488) - [wheezy] - openocd (minor issue) NOTE: https://sourceforge.net/p/openocd/mailman/message/36188041/ NOTE: http://openocd.zylin.com/4330 NOTE: http://openocd.zylin.com/4331 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -55,6 +55,8 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- +openocd +-- php5 (Markus Koschany) -- swftools (Guido Günther) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b4e62b7fa240caf6551fc4e1158d044a92ea55c
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: triage qemu CVE-2017-18043
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 883d779e by Guido Günther at 2018-01-19T17:07:12+01:00 lts: triage qemu CVE-2017-18043 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -32,7 +32,9 @@ CVE-2018-5773 (An issue was discovered in markdown2 (aka python-markdown2) throu CVE-2017-18043 [integer overflow in ROUND_UP macro could result in DoS] RESERVED - qemu 1:2.10.0+dfsg-2 + [wheezy] - qemu (vulnerable code not present) - qemu-kvm + [wheezy] - qemu-kvm (vulnerable code not present) NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=2098b073f398cd628c09c5a78537a6854 NOTE: Broken since: https://git.qemu.org/?p=qemu.git;a=object;h=292c8e50 (v1.5.0) NOTE: Fix included in 1:2.10.0+dfsg-2 via debian/patches/qemu-2.10.1.diff patch View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/883d779ec79391ccbd4d2f5fc869187998041543
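Review bot: The two added [wheezy] lines for qemu and qemu-kvm give "vulnerable code not present" as the reason, while the "Broken since" NOTE below dates the defect to v1.5.0. Put that version into the reason, for example "Vulnerable code introduced in 1.5.0", so it can be compared with the wheezy package version without following the link.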
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add link to fix for CVE-2018-5748
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 718ab5df by Guido Günther at 2018-01-19T09:38:27+01:00 Add link to fix for CVE-2018-5748 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -79,7 +79,9 @@ CVE-2018-5748 [resource exhaustion via qemuMonitorIORead() method] - libvirt (bug #887700) [stretch] - libvirt (Minor issue) [jessie] - libvirt (Minor issue) + [wheezy] - libvirt (Can be fixed in a later update) NOTE: https://www.redhat.com/archives/libvir-list/2017-December/msg00749.html + NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bc251ea91bcfddd2622fce6bce701a438b2e7276 CVE-2018-5747 (In Long Range Zip (aka lrzip) 0.631, there is a use-after-free in the ...) - lrzip NOTE: https://github.com/ckolivas/lrzip/issues/90 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/718ab5df9084724e48afbd96dd3af2ec4d3f02cf
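Review bot: Besides the fix link named in the subject, the hunk adds a "[wheezy] - libvirt (Can be fixed in a later update)" triage line for CVE-2018-5748 that the commit message does not mention. Name the wheezy decision in the message or commit it separately so it can be found in the log, and consider labelling the new libvirt.org NOTE as the fix, since the bare URL does not say whether the commit fixes or introduces the issue.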
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: mark virtualbox-guest-additions-iso as no-dsa
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 08f4e273 by Guido Günther at 2018-01-18T20:35:34+01:00 lts: mark virtualbox-guest-additions-iso as no-dsa non-free is not supported - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7592,6 +7592,7 @@ CVE-2018-2694 (Vulnerability in the Oracle VM VirtualBox component of Oracle ... CVE-2018-2693 (Vulnerability in the Oracle VM VirtualBox component of Oracle ...) - virtualbox-guest-additions-iso 5.2.6-1 [jessie] - virtualbox-guest-additions-iso (Non-free not supported) + [wheezy] - virtualbox-guest-additions-iso (Non-free not supported) NOTE: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html CVE-2018-2692 (Vulnerability in the Oracle Financial Services Asset Liability ...) NOT-FOR-US: Oracle View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08f4e273a988d5b95b183bd45d40fe22725af759
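Review bot: The context NOTE under CVE-2018-2693 links "cpuapr2014-1972952.html", which by its name is an April 2014 advisory, for a 2018 CVE. While touching this entry, check that link and replace it with the advisory that actually covers CVE-2018-2693, since the NOTE is the only reference a reader of the wheezy and jessie lines has.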
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: add rsync to dla-needed
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: fd49ba9b by Guido Günther at 2018-01-18T20:28:46+01:00 lts: add rsync to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -64,6 +64,8 @@ osc -- php5 (Markus Koschany) -- +rsync +-- smarty3 (Chris Lamb) NOTE: 20180108: Maintainer will take care of it, but ping in 6d. (lamby) NOTE: 20180115: Maintainer pinged. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd49ba9b7c2196c673d7cdb5f9bde7228a6eb357
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: mark openocd issue as no-dsa
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bcddedd by Guido Günther at 2018-01-17T11:04:35+01:00 lts: mark openocd issue as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -74,6 +74,7 @@ CVE-2018-102 RESERVED CVE-2018-5704 (Open On-Chip Debugger (OpenOCD) 0.10.0 does not block attempts to use ...) - openocd + [wheezy] - openocd (minor issue) NOTE: https://sourceforge.net/p/openocd/mailman/message/36188041/ CVE-2018-5703 (The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux ...) - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7bcddeddb8b75ce73c69d9d3902dac0fb78beed7
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: lts: triage libgd2
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 3df99424 by Guido Günther at 2018-01-17T10:00:22+01:00 lts: triage libgd2 - - - - - 42db45a8 by Guido Günther at 2018-01-17T10:00:22+01:00 Add bug ref for CVE-2018-5711 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26,7 +26,7 @@ CVE-2018-5711 (gd_gif_in.c in the GD Graphics Library (aka libgd), as used in PH - php5 (unimportant) NOTE: Fixed in 5.6.33, 7.0.27, 7.1.13, 7.2.1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75571 - - libgd2 + - libgd2 (bug #887485) CVE-2018-5710 (An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The ...) - krb5 NOTE: https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Denial%20Of%20Service(DoS) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -34,6 +34,8 @@ lame (Hugo Lefeuvre) libav (Hugo Lefeuvre) NOTE: 20171116: Diego Biurrun (from the libav team) is working on patches. -- +libgd2 +-- libreoffice (Emilio Pozuelo) NOTE: regression update, see: NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1aec5664537044205dde36c5a51b2057002d2bb2...42db45a883a5f0c35bdcbef94f375315d010a955
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: lts: add php5 to dla-needed
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 272834df by Guido Günther at 2018-01-17T09:44:56+01:00 lts: add php5 to dla-needed - - - - - b202d115 by Guido Günther at 2018-01-17T09:44:56+01:00 lts: triage systemd Since it's not the default init system on wheezy this can be fixed with a later update. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -11846,6 +11846,7 @@ CVE-2018-1050 CVE-2018-1049 [automount: access to automounted volumes can lock up] RESERVED - systemd 234-1 + [wheezy] - systemd (Minor issue, can be fixed along in next DLA) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1709649 NOTE: https://github.com/systemd/systemd/pull/5916 NOTE: https://github.com/systemd/systemd/commit/e7d54bf58789545a9eb0b3964233defa0b007318 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -55,6 +55,8 @@ opencv (Thorsten Alteholz) -- osc -- +php5 +-- smarty3 (Chris Lamb) NOTE: 20180108: Maintainer will take care of it, but ping in 6d. (lamby) NOTE: 20180115: Maintainer pinged. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/01f995f8974cb848178e5180f49d4be5746719f0...b202d115b2c156493da02019ba553da995ef6579
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: add bind9 to dla-needed
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 48d97cd3 by Guido Günther at 2018-01-17T09:17:41+01:00 lts: add bind9 to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -10,6 +10,8 @@ this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- +bind9 +-- couchdb (Thorsten Alteholz) NOTE: Only in wheezy, we are on our own. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48d97cd30b906fc6b0c058744a15a98091c9e9a2
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: add irssie to dla-needed
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 69a24f26 by Guido Günther at 2018-01-16T14:13:23+01:00 lts: add irssie to dla-needed Affected by CVE-2018-5205, CVE-2018-5206, CVE-2018-5207, CVE-2018-5208 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -19,6 +19,8 @@ exiv2 (Brian May) icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- +irssi +-- isc-dhcp -- lame (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/69a24f26a22737c1c6290572ab3af75e95575c3d
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: Add isc-dhcp to dla-needed
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: d5cda7f6 by Guido Günther at 2018-01-16T12:29:28+01:00 lts: Add isc-dhcp to dla-needed This would be a perfect candidate for a point release - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -19,6 +19,8 @@ exiv2 (Brian May) icu NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- +isc-dhcp +-- lame (Hugo Lefeuvre) NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46} NOTE: 20171120: Backporting 3.100 is not conceivable, diff >40k lines. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5cda7f69498f5938aecae7e234c6459aecc8924
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 4 commits: lts: CVE-2018-5683 can be fixed in a future update
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad480d1 by Guido Günther at 2018-01-16T12:01:50+01:00 lts: CVE-2018-5683 can be fixed in a future update - - - - - a9831228 by Guido Günther at 2018-01-16T12:01:55+01:00 lts: xen on arm is not supported in wheezy (CVE-2017-17046) - - - - - b4257c49 by Guido Günther at 2018-01-16T12:01:59+01:00 lts: upstream concludes only xen 4.2+ affected - - - - - 1ea6a198 by Guido Günther at 2018-01-16T12:02:03+01:00 lts: add xen to dla-needed for CVE-2017-15590 / xsa-237 CVE-2016-9603 / xsa-211 CVE-2016-9637 / xsa-199 CVE-2016-2620 / xsa-209 - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -57,7 +57,9 @@ CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ... CVE-2018-5683 [Out-of-bounds read in vga_draw_text routine] RESERVED - qemu (bug #887392) + [wheezy] - qemu (Minor issue, can be fixed along in next DLA) - qemu-kvm + [wheezy] - qemu-kvm (Minor issue, can be fixed along in next DLA) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg02131.html CVE-2017-18030 [Out-of-bounds access in cirrus_invalidate_region routine] RESERVED @@ -13107,6 +13109,7 @@ CVE-2017-17044 (An issue was discovered in Xen through 4.9.x allowing HVM guest CVE-2017-17046 (An issue was discovered in Xen through 4.9.x on the ARM platform ...) {DSA-4050-1} - xen 4.8.2+xsa245-0+deb9u1 + [wheezy] - xen (arm not supported) NOTE: https://xenbits.xen.org/xsa/advisory-245.html CVE-2018-0705 RESERVED @@ -18819,6 +18822,7 @@ CVE-2017-15598 CVE-2017-15597 (An issue was discovered in Xen through 4.9.x. Grant copying code made ...) {DSA-4050-1} - xen 4.8.2+xsa245-0+deb9u1 + [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-236.html CVE-2017-15586 RESERVED = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -73,3 +73,5 @@ wordpress NOTE: 2018-08-09: Upstream bug opened 6 years ago and no chages to upstream NOTE: bug in 7 weeks. -- +xen +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7286bf5ef4a3c02789c892a4bd193fca9da2d038...1ea6a19889836202aa15306c862068c7aae50239
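Review bot: In the CVE-2017-15597 hunk of data/CVE/list (-18819,6 +18822,7), "[wheezy] - xen (Vulnerable code not present)" gives no source for the conclusion; the statement that upstream considers only xen 4.2+ affected appears only in a commit subject. A NOTE line under the entry saying so, next to the existing advisory-236 link, would make the triage decision checkable from the list itself.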
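Review bot: The xen entry added at the end of data/dla-needed.txt (-73,3 +73,5) has no NOTE, while the commit message gives four CVE/XSA pairs as the reason (CVE-2017-15590 / xsa-237, CVE-2016-9603 / xsa-211, CVE-2016-9637 / xsa-199, CVE-2016-2620 / xsa-209). Copying that list into a NOTE under "+xen" would keep the scope of the pending DLA visible to whoever picks the package up.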
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: mark CVE-2017-18030 as fixed in qemu{, -kvm}
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 7286bf5e by Guido Günther at 2018-01-16T11:29:23+01:00 lts: mark CVE-2017-18030 as fixed in qemu{,-kvm} The patch was part of our cirrus update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -62,7 +62,9 @@ CVE-2018-5683 [Out-of-bounds read in vga_draw_text routine] CVE-2017-18030 [Out-of-bounds access in cirrus_invalidate_region routine] RESERVED - qemu 1:2.8+dfsg-4 + [wheezy] - qemu 1.1.2+dfsg-6+deb7u22 - qemu-kvm + [wheezy] - qemu-kvm 1.1.2+dfsg-6+deb7u21 NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3 CVE-2018-5682 (PrestaShop 1.7.2.4 allows user enumeration via the Reset Password ...) NOT-FOR-US: PrestaShop View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7286bf5ef4a3c02789c892a4bd193fca9da2d038
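Review bot: The two added wheezy lines record different fixed versions, qemu at 1.1.2+dfsg-6+deb7u22 and qemu-kvm at 1.1.2+dfsg-6+deb7u21, and the entry gets no advisory reference; the commit message only says the patch was part of "our cirrus update". Worth confirming both versions against the package changelogs and naming the advisory that shipped the fix in the entry, so the fixed status can be verified from data/CVE/list alone.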
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove .gitignore from .gitignore
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: d8541fd7 by Guido Günther at 2017-12-29T23:53:56+01:00 Remove .gitignore from .gitignore - - - - - 1 changed file: - .gitignore Changes: = .gitignore = --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,6 @@ # # general rules # -.gitignore data/CVE/allitems.html data/CVE/allitems.html.gz data/CVE/list.old View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d8541fd7f81fd6ce5715cd25250cba4cfd6c2e5e
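Review bot: The commit message gives no reason for dropping the "-.gitignore" rule at -1,7 +1,6. Because the pattern has no slash it matched a .gitignore in any directory, so after this change untracked .gitignore files in subdirectories will show up in git status; a sentence in the commit body saying that this is intended would help the next reader.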
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] .gitignore data/usertags
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: c4971a55 by Guido Günther at 2017-12-29T23:05:18+01:00 .gitignore data/usertags generated by bin/compare-embed-usertags - - - - - 1 changed file: - .gitignore Changes: = .gitignore = --- a/.gitignore +++ b/.gitignore @@ -7,6 +7,7 @@ data/CVE/allitems.html.gz data/CVE/list.old data/nvd/ data/security.db* +data/usertags stamps/ *_Packages *_Sources View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4971a55b23080f6a79bec06c14ae684a555b350
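Review bot: Nothing in the file says that "+data/usertags" at -7,6 +7,7 is generated output; the fact that bin/compare-embed-usertags produces it is only in the commit message. A comment line above the rule naming the generator would keep that information next to the pattern.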
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] .gitignore allitems.html.gz as well
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 234317c8 by Guido Günther at 2017-12-29T21:48:28+01:00 .gitignore allitems.html.gz as well - - - - - 1 changed file: - .gitignore Changes: = .gitignore = --- a/.gitignore +++ b/.gitignore @@ -3,6 +3,7 @@ # .gitignore data/CVE/allitems.html +data/CVE/allitems.html.gz data/nvd/ data/security.db* stamps/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/234317c8f238a33481991f6aaccc497dd00af321
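Review bot: "+data/CVE/allitems.html.gz" at -3,6 +3,7 repeats the line above it except for the suffix. The file already uses a trailing wildcard in "data/security.db*", so a single "data/CVE/allitems.html*" rule would cover both files; if the explicit form is preferred so that nothing unexpected gets hidden, the commit message could say so.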
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: update vorbis status
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 896562c7 by Guido Günther at 2017-12-29T21:10:00+01:00 lts: update vorbis status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -39,8 +39,8 @@ libreoffice (Emilio Pozuelo) NOTE: https://lists.debian.org/debian-lts/2017/05/msg00012.html -- libvorbis (Guido Günther) - NOTE: Underlying reason for CVE-2017-14160 yet unclear, no ustream feedback on this. - NOTE: Fixes for other CVEs applied upstream. + NOTE: Underlying reason for CVE-2017-14160 yet unclear, no ustream feedback on this issue. + NOTE: Fixes for other CVEs applied upstream and in sid. -- linux -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/896562c79a6f2e4d36f963a4159941b544dc6e00
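Review bot: The first rewritten NOTE line at -39,8 +39,8 still reads "no ustream feedback on this issue"; the typo from the removed line ("ustream" for "upstream") was carried into its replacement. Since the line is being touched anyway, the spelling should be fixed in the same change.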