[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add a note with the upstream commits
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: c20878eb by Mattia Rizzolo at 2018-03-11T16:35:55+01:00 add a note with the upstream commits Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -108,6 +108,7 @@ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) - libpodofo (bug #892556) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1549469 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/ + NOTE: Upstream commit: http://sourceforge.net/p/podofo/code/1909 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...) - libpodofo (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 @@ -7770,6 +7771,7 @@ CVE-2018-5309 (In PoDoFo 0.9.5, there is an integer overflow in the ...) [wheezy] - libpodofo (Minor issue) NOTE: https://sourceforge.net/p/podofo/tickets/5/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1532381 + Note: upstream commit: https://sourceforge.net/p/podofo/code/1907 CVE-2018-5308 (PoDoFo 0.9.5 does not properly validate memcpy arguments in the ...) - libpodofo 0.9.5-9 (low) [stretch] - libpodofo (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c20878eb64ce5cb3f1f8cbc8269954e0b50c715a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c20878eb64ce5cb3f1f8cbc8269954e0b50c715a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
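Review bot: the two added lines spell the label differently: the CVE-2018-8001 hunk writes `NOTE: Upstream commit:` while the CVE-2018-5309 hunk writes `Note: upstream commit:`, and every other annotation in the surrounding context is uppercase `NOTE:`, so the second line should match its neighbours. The two new links also differ in scheme (http://sourceforge.net/p/podofo/code/1909 versus https://sourceforge.net/p/podofo/code/1907) while the existing upstream-bug NOTEs in both entries use https; pick one form.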
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] deal with the newest libpodofo CVEs
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: f8637439 by Mattia Rizzolo at 2018-03-10T17:20:11+01:00 deal with the newest libpodofo CVEs Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -79,14 +79,17 @@ CVE-2018-8004 CVE-2018-8003 RESERVED CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in ...) - - libpodofo (bug #892520) + - libpodofo (bug #892557) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548930 + NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/15/ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) - - libpodofo (bug #892520) + - libpodofo (bug #892556) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1549469 + NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/ CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...) - libpodofo (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 + NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/13/ CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference ...) - graphite2 NOTE: https://github.com/silnrsi/graphite/commit/db132b4731a9b4c9534144ba3a18e65b390e9ff6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8637439c8b22e8445446ea30038a8826c04ac40 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8637439c8b22e8445446ea30038a8826c04ac40 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
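Review bot: the bug-number correction looks right from the visible context, but note that all three entries previously pointed at #892520 and only CVE-2018-8002 and CVE-2018-8001 are moved (to #892557 and #892556) while CVE-2018-8000 keeps `- libpodofo (bug #892520)`; confirm that #892520 really is the report for CVE-2018-8000 (and that tickets/13 is its upstream counterpart) rather than the third copy of the same paste, and say so in the commit message, since `deal with the newest libpodofo CVEs` does not mention that bug references were being corrected.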
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] link upstream bug reports for libpodofo cves
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: e1ed5975 by Mattia Rizzolo at 2018-02-24T16:29:49+01:00 link upstream bug reports for libpodofo cves Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3255,6 +3255,7 @@ CVE-2018-6352 (In PoDoFo 0.9.5, there is an Excessive Iteration in the ...) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1539237 + NOTE: https://sourceforge.net/p/podofo/tickets/3/ CVE-2018-6351 RESERVED CVE-2018-6350 @@ -4696,6 +4697,7 @@ CVE-2018-5783 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in th [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) + NOTE: https://sourceforge.net/p/podofo/tickets/4/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1536179 CVE-2018-5782 RESERVED @@ -5931,6 +5933,7 @@ CVE-2018-5309 (In PoDoFo 0.9.5, there is an integer overflow in the ...) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) + NOTE: https://sourceforge.net/p/podofo/tickets/5/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1532381 CVE-2018-5308 (PoDoFo 0.9.5 does not properly validate memcpy arguments in the ...) - libpodofo 0.9.5-9 (low) @@ -6007,7 +6010,7 @@ CVE-2018-5296 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in th [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) - TODO: check, possibly not reported upstream only in Red Hat Bugzilla + NOTE: https://sourceforge.net/p/podofo/tickets/6/ CVE-2018-5295 (In PoDoFo 0.9.5, there is an integer overflow in the ...) - libpodofo 0.9.5-9 (low; bug #889511) [stretch] - libpodofo (Minor issue) 
@@ -46888,9 +46891,7 @@ CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and sta [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: http://openwall.com/lists/oss-security/2017/04/22/1 - NOTE: The motivation for no-dsa in wheezy is that there are no known - NOTE: services that use this library (apart from desktop applications) - NOTE: and the worst case is a DoS. + NOTE: https://sourceforge.net/p/podofo/tickets/7/ CVE-2017-8052 (Craft CMS before 2.6.2974 allows XSS attacks. ...) NOT-FOR-US: Craft CMS CVE-2017-8051 (Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a ...) @@ -52437,11 +52438,9 @@ CVE-2017-6849 (The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) - NOTE: The motivation for no-dsa in wheezy is that there are no known - NOTE: services that use this library (apart from desktop applications) - NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/10 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp + NOTE: https://sourceforge.net/p/podofo/tickets/8/ CVE-2017-6848 (The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861565) 
@@ -52462,11 +52461,9 @@ CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpac [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) - NOTE: The motivation for no-dsa in wheezy is that there are no known - NOTE: services that use this library (apart from desktop applications) - NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/7 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/ + NOTE: https://sourceforge.net/p/podofo/tickets/9/ CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo ...) - libpodofo 0.9.5-9 (bug #861562) [stretch] - libpodofo (Minor issue) @@ -52506,11 +52503,9 @@ CVE-2017-6841 (The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) - NOTE: The motivation for no-dsa in wheezy is that there are no known - NOTE
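Review bot: the hunks for CVE-2017-8053, CVE-2017-6849, CVE-2017-6846 and CVE-2017-6841 delete the three `NOTE: The motivation for no-dsa in wheezy is that there are no known ...` lines and put the sourceforge ticket link in their place, which drops the recorded justification for the `[wheezy] - libpodofo (Minor issue)` markers that remain in the unchanged context. The ticket link is an addition, not a replacement: keep the rationale lines and append the ticket NOTE after them, as the CVE-2018-6352 and CVE-2018-5783 hunks in this same commit do. The CVE-2018-5296 hunk, which replaces a `TODO:` with the ticket it was asking for, is the one place where a replacement is the right edit.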
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] mark some libpodofo CVEs as fixed
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: bb48db19 by Mattia Rizzolo at 2018-02-24T11:59:02+01:00 mark some libpodofo CVEs as fixed Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5923,7 +5923,7 @@ CVE-2018-5309 (In PoDoFo 0.9.5, there is an integer overflow in the ...) [wheezy] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1532381 CVE-2018-5308 (PoDoFo 0.9.5 does not properly validate memcpy arguments in the ...) - - libpodofo (low) + - libpodofo 0.9.5-9 (low) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) @@ -5999,7 +5999,7 @@ CVE-2018-5296 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in th [wheezy] - libpodofo (Minor issue) TODO: check, possibly not reported upstream only in Red Hat Bugzilla CVE-2018-5295 (In PoDoFo 0.9.5, there is an integer overflow in the ...) - - libpodofo (low; bug #889511) + - libpodofo 0.9.5-9 (low; bug #889511) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) @@ -45959,7 +45959,7 @@ CVE-2017-8379 (Memory leak in the keyboard input event handlers support in QEMU [wheezy] - qemu-kvm (Minor issue) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=fa18f36a461984eae50ab957e47ec78dae3c14fc CVE-2017-8378 (Heap-based buffer overflow in the PdfParser::ReadObjects function in ...) - - libpodofo (bug #861597) + - libpodofo 0.9.5-9 (bug #861597) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) 
@@ -46857,7 +46857,7 @@ CVE-2017-8056 (WatchGuard Fireware v11.12.1 and earlier mishandles requests refe CVE-2017-8055 (WatchGuard Fireware allows user enumeration, e.g., in the Firebox ...) NOT-FOR-US: WatchGuard CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 ...) - - libpodofo (bug #860995) + - libpodofo 0.9.5-9 (bug #860995) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) @@ -52456,7 +52456,7 @@ CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpac NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/7 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/ CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo ...) - - libpodofo (bug #861562) + - libpodofo 0.9.5-9 (bug #861562) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb48db19539844d9f4e381af6602bbc5c8daa5f5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb48db19539844d9f4e381af6602bbc5c8daa5f5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
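Review bot: CVE-2018-5296 still carries `TODO: check, possibly not reported upstream only in Red Hat Bugzilla` in the unchanged context of the second hunk, and unlike its neighbours CVE-2018-5308 and CVE-2018-5295 it is not given the 0.9.5-9 fixed version here; if the 0.9.5-9 upload covers it as well it should be marked in the same change, and if it does not, the commit message should say why that entry stays open so the TODO does not read as forgotten.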
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] update some libpodofo CVEs
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: e2c5702e by Mattia Rizzolo at 2018-02-23T10:19:18+01:00 update some libpodofo CVEs Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5823,6 +5823,7 @@ CVE-2018-5295 (In PoDoFo 0.9.5, there is an integer overflow in the ...) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: upstream thread: https://sourceforge.net/p/podofo/mailman/message/36180168/ + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1889 CVE-2018-5294 (In libming 0.4.8, there is an integer overflow (caused by an ...) - ming NOTE: https://github.com/libming/libming/issues/98 @@ -46683,6 +46684,8 @@ CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cp NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1872 NOTE: partially reverted in: https://sourceforge.net/p/podofo/code/1881 + NOTE: … and re-fixed in: https://sourceforge.net/p/podofo/code/1882 + NOTE: and https://sourceforge.net/p/podofo/code/1883 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and stack ...) - libpodofo (bug #860994) [stretch] - libpodofo (Minor issue) 
@@ -52278,7 +52281,7 @@ CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/6 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp - NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1873/ + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1892 CVE-2017-6844 (Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #861561) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2c5702e5b5787b20f01dceb8290ae8d2f4caf3a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2c5702e5b5787b20f01dceb8290ae8d2f4caf3a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
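Review bot: the CVE-2017-6845 hunk replaces `NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1873/` with `.../code/1892` instead of adding the second reference, and the commit message (`update some libpodofo CVEs`) does not say whether 1873 was wrong or merely superseded; keep the original line with a qualifier, the way the CVE-2017-8054 hunk records `partially reverted in:` and `re-fixed in:`, or state the reason for the swap, so that whoever backports the fix can see the full history. The added `NOTE: … and re-fixed in:` line also opens with a non-ASCII ellipsis, which no other NOTE in the context uses; drop it or spell it out.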
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] link upstream commits for CVE-2018-5308/libpodofo
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a7a655c by Mattia Rizzolo at 2018-01-28T18:03:46+01:00 link upstream commits for CVE-2018-5308/libpodofo Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2636,6 +2636,8 @@ CVE-2018-5308 (PoDoFo 0.9.5 does not properly validate memcpy arguments in the . [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1532390 + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870 + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1876 CVE-2018-5307 RESERVED CVE-2018-5306 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a7a655cba1b6c6b7f783a0019e0659ac18a62ae --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a7a655cba1b6c6b7f783a0019e0659ac18a62ae You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] link upstream commit for CVE-2017-6845/libpodofo
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: b64c8873 by Mattia Rizzolo at 2018-01-26T18:01:31+01:00 link upstream commit for CVE-2017-6845/libpodofo Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -48770,6 +48770,7 @@ CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/6 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1873/ CVE-2017-6844 (Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #861561) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b64c887361e5ee44a3eb8baa75c0e6da87f78639 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b64c887361e5ee44a3eb8baa75c0e6da87f78639 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] link upstream commit for CVE-2017-8054/libpodofo
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e687e31 by Mattia Rizzolo at 2018-01-26T09:27:18+01:00 link upstream commit for CVE-2017-8054/libpodofo Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -43121,6 +43121,7 @@ CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cp NOTE: and the worst case is a DoS. NOTE: http://qwertwwwe.github.io/2017/04/22/PoDoFo-0-9-5-allows-remote-attackers-to-cause-a-denial-of-service-infinit-loop/ NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1872 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and stack ...) - libpodofo (bug #860994) [stretch] - libpodofo (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e687e316d1f36b4e70dfe076fe6470abce62cf4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7e687e316d1f36b4e70dfe076fe6470abce62cf4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove temporary CVE already covered by CVE-2010-2058/prewikka
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: aa19c4c7 by Mattia Rizzolo at 2018-01-22T19:30:49+01:00 Remove temporary CVE already covered by CVE-2010-2058/prewikka Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -206501,6 +206501,7 @@ CVE-2010-2059 (lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, CVE-2010-2058 (setup.py in Prewikka 0.9.14 installs prewikka.conf with world-readable ...) - prewikka 1.0.0-1.1 (low; bug #584469) [lenny] - prewikka (The insecure permissions only apply for a very short timeframe during pkg update) + NOTE: FEDORA-2009-3761 http://lwn.net/Articles/330642 CVE-2010-2057 (shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, ...) NOT-FOR-US: Apache MyFaces CVE-2010-2056 (GNU gv before 3.7.0 allows local users to overwrite arbitrary files ...) 
@@ -222143,9 +222144,6 @@ CVE-2009-1549 (AGTC MyShop 3.2b allows remote attackers to bypass authentication NOT-FOR-US: AGTC MyShop CVE-2009-1548 (SQL injection vulnerability in index.php in BluSky CMS allows remote ...) NOT-FOR-US: BluSky CMS -CVE-2009- [prewkikka: pasword world-readable] - - prewikka 0.9.11.3-2 (low; bug #527476) - NOTE: FEDORA-2009-3761 http://lwn.net/Articles/330642 CVE-2009- [prelude-manager: password world-readable] - prelude-manager (The postinst sets correct permissions, see bug #527344) NOTE: FEDORA-2009-3931 http://lwn.net/Articles/331612 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa19c4c73b6b1fcb2dfa732d042ac6c953dec5f5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa19c4c73b6b1fcb2dfa732d042ac6c953dec5f5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
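Review bot: the removed temporary entry recorded `- prewikka 0.9.11.3-2 (low; bug #527476)`, an earlier fixed version and a different Debian bug than the `- prewikka 1.0.0-1.1 (low; bug #584469)` kept on CVE-2010-2058, yet only the FEDORA-2009-3761 NOTE is carried over. If the two entries describe the same issue, the fixed version on CVE-2010-2058 should be the earlier 0.9.11.3-2 (or at least a NOTE pointing at bug #527476 should be added), otherwise the tracker now claims the fix arrived one upload later than it did.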
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-16909/libraw and CVE-2017-16910/libraw fixed in libraw/ 0.18.6-1. …
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker Commits: cce9a64a by Mattia Rizzolo at 2018-01-15T18:45:41+01:00 CVE-2017-16909/libraw and CVE-2017-16910/libraw fixed in libraw/ 0.18.6-1. Thanks mfv for notifying. Signed-off-by: Mattia Rizzolo mat...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -14672,13 +14672,13 @@ CVE-2017-16911 RESERVED CVE-2017-16910 RESERVED - - libraw + - libraw 0.18.6-1 [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16909 RESERVED - - libraw + - libraw 0.18.6-1 [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cce9a64ae876a85c0b936fbc4f10d5ba6a1232be --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cce9a64ae876a85c0b936fbc4f10d5ba6a1232be You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r58365 - data/CVE
Author: mattia Date: 2017-12-08 16:36:08 + (Fri, 08 Dec 2017) New Revision: 58365 Modified: data/CVE/list Log: link upstream commit for libpodofo/CVE-2017-8378 Modified: data/CVE/list === --- data/CVE/list 2017-12-08 16:08:51 UTC (rev 58364) +++ data/CVE/list 2017-12-08 16:36:08 UTC (rev 58365) @@ -29189,8 +29189,8 @@ [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) - NOTE: https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects - NOTE: Proposed patch (for wheezy) attached to bug #861597. + NOTE: PoC: https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects + NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1833/ CVE-2017-8377 (GeniXCMS 1.0.2 has SQL Injection in ...) NOT-FOR-US: GeniXCMS CVE-2017-8376 (GeniXCMS 1.0.2 has XSS triggered by an authenticated comment that is ...) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
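Review bot: this hunk drops `NOTE: Proposed patch (for wheezy) attached to bug #861597.` while adding the upstream commit, but the two are not interchangeable: the attachment is the wheezy-specific backport, whereas https://sourceforge.net/p/podofo/code/1833/ targets upstream trunk. Keep both lines, or make the replacement NOTE say that the upstream commit supersedes the attached patch, so the pointer is not lost for whoever prepares the wheezy update.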
[Secure-testing-commits] r57576 - data/CVE
Author: mattia Date: 2017-11-12 14:58:27 + (Sun, 12 Nov 2017) New Revision: 57576 Modified: data/CVE/list Log: update libpodofo CVE info Modified: data/CVE/list === --- data/CVE/list 2017-11-12 13:23:45 UTC (rev 57575) +++ data/CVE/list 2017-11-12 14:58:27 UTC (rev 57576) @@ -23140,12 +23140,12 @@ CVE-2017-8788 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8787 (The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in ...) - - libpodofo (bug #861738) + - libpodofo 0.9.5-7 (bug #861738) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: Possible unspecified impact. Needs further analysis. - NOTE: Proposed patch (for wheezy) attached to bug #861738. + NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1851 CVE-2017-8786 (pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of ...) - pcre2 (unimportant; bug #861873) NOTE: https://bugs.exim.org/show_bug.cgi?id=2079 @@ -25129,7 +25129,7 @@ - xen 4.3.0-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1033948 CVE-2017-7994 (The function TextExtractor::ExtractText in TextExtractor.cpp:77 in ...) - - libpodofo (bug #860930) + - libpodofo 0.9.5-7 (bug #860930) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) @@ -32883,7 +32883,7 @@ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-5852 (The PoDoFo::PdfPage::GetInheritedKeyFromObject function in ...) {DLA-929-1} - - libpodofo (low; bug #854600) + - libpodofo 0.9.5-7 (low; bug #854600) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp 
@@ -32891,6 +32891,7 @@ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1835 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1838 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1841 + NOTE: further patch for ABI compatibility: https://sourceforge.net/p/podofo/mailman/message/36084628/ CVE-2017-5849 (tiffttopnm in netpbm 10.47.63 does not properly use the libtiff ...) - netpbm-free (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/02/2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
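Review bot: in the CVE-2017-8787 hunk, `NOTE: Proposed patch (for wheezy) attached to bug #861738.` is replaced by the upstream commit rather than kept alongside it, which loses the pointer to the wheezy backport; add the upstream commit as an extra line instead. The same entry keeps `NOTE: Possible unspecified impact. Needs further analysis.` while a fixed version 0.9.5-7 is now recorded; if the analysis was completed when the fix was identified, update or remove that line, otherwise it still reads as an open question.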
[Secure-testing-commits] r54487 - data/CVE
Author: mattia Date: 2017-08-09 18:41:09 + (Wed, 09 Aug 2017) New Revision: 54487 Modified: data/CVE/list Log: xchat CVEs Modified: data/CVE/list === --- data/CVE/list 2017-08-09 17:35:07 UTC (rev 54486) +++ data/CVE/list 2017-08-09 18:41:09 UTC (rev 54487) @@ -59571,6 +59571,7 @@ NOTE: https://kb.isc.org/article/AA-01351 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 2.11.0 ...) - hexchat 2.12.4-4 (bug #852275) + - xchat 2.8.8-10 [stretch] - hexchat (Minor issue) [jessie] - hexchat (Minor issue) NOTE: https://www.exploit-db.com/exploits/39656/ @@ -87522,7 +87523,7 @@ NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24666 NOTE: http://downloads.digium.com/pub/security/AST-2015-001.html CVE-2013-7449 (The ssl_do_connect function in common/server.c in HexChat before ...) - - xchat (bug #776609) + - xchat 2.8.8-10 (bug #776609) [jessie] - xchat (Minor issue) [squeeze] - xchat (Minor issue) [wheezy] - xchat (Minor issue) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
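Review bot: the `+ - xchat 2.8.8-10` line added to CVE-2016-2087 is placed between the hexchat fixed-version line and the `[stretch]`/`[jessie]` markers, and carries no bug reference and no release markers of its own; if xchat in stretch or jessie was affected it needs its own `[stretch] - xchat ...` / `[jessie] - xchat ...` lines, as the CVE-2013-7449 entry below already has for xchat. The log message `xchat CVEs` should also say that 2.8.8-10 is the upload fixing both entries, since that is the substantive claim this revision records.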
[Secure-testing-commits] r53493 - data/CVE
Author: mattia Date: 2017-07-14 14:24:25 + (Fri, 14 Jul 2017) New Revision: 53493 Modified: data/CVE/list Log: note fixed version for CVE-2016-2087 Modified: data/CVE/list === --- data/CVE/list 2017-07-14 14:21:09 UTC (rev 53492) +++ data/CVE/list 2017-07-14 14:24:25 UTC (rev 53493) @@ -55530,7 +55530,7 @@ - bind9 (Introduced in Bind 9.10) NOTE: https://kb.isc.org/article/AA-01351 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 2.11.0 ...) - - hexchat (bug #852275) + - hexchat 2.12.4-4 (bug #852275) [stretch] - hexchat (Minor issue) [jessie] - hexchat (Minor issue) NOTE: https://www.exploit-db.com/exploits/39656/ ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r51694 - data/CVE
Author: mattia Date: 2017-05-17 13:05:40 + (Wed, 17 May 2017) New Revision: 51694 Modified: data/CVE/list Log: mark fixed versions in some libpodofo CVEs Modified: data/CVE/list === --- data/CVE/list 2017-05-17 11:08:37 UTC (rev 51693) +++ data/CVE/list 2017-05-17 13:05:40 UTC (rev 51694) @@ -4375,7 +4375,7 @@ CVE-2017-7384 RESERVED CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows remote ...) - - libpodofo (bug #859329) + - libpodofo 0.9.4-6 (bug #859329) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) @@ -4384,7 +4384,7 @@ NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote ...) - - libpodofo (bug #859329) + - libpodofo 0.9.4-6 (bug #859329) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) @@ -4393,7 +4393,7 @@ NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7381 (The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers ...) - - libpodofo (bug #859329) + - libpodofo 0.9.4-6 (bug #859329) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) 
@@ -4402,7 +4402,7 @@ NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7380 (The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attackers ...) - - libpodofo (bug #859329) + - libpodofo 0.9.4-6 (bug #859329) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) @@ -4416,7 +4416,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/2 NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/ CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo ...) - - libpodofo (bug #859330) + - libpodofo 0.9.4-6 (bug #859330) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) @@ -7121,7 +7121,7 @@ NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/10 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp CVE-2017-6848 (The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in ...) - - libpodofo (bug #861565) + - libpodofo 0.9.4-6 (bug #861565) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) 
@@ -7130,7 +7130,7 @@ NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846 CVE-2017-6847 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...) - - libpodofo (bug #861564) + - libpodofo 0.9.4-6 (bug #861564) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) @@ -7161,13 +7161,13 @@ NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-6843 (Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad ...) - - libpodofo (bug #861560) + - libpodofo 0.9.4-6 (bug #861560) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/4 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6842 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...) - -
[Secure-testing-commits] r51681 - data/CVE
Author: mattia Date: 2017-05-16 13:52:56 + (Tue, 16 May 2017) New Revision: 51681 Modified: data/CVE/list Log: link upstream fixes for podofo issues Modified: data/CVE/list === --- data/CVE/list 2017-05-16 13:04:18 UTC (rev 51680) +++ data/CVE/list 2017-05-16 13:52:56 UTC (rev 51681) @@ -2497,6 +2497,7 @@ [wheezy] - libpodofo (Minor issue) NOTE: https://github.com/icepng/PoC/tree/master/PoC1 NOTE: https://icepng.github.io/2017/04/21/PoDoFo-1/ + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1849 CVE-2017-7993 RESERVED CVE-2017-7992 (Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php ...) @@ -4361,6 +4362,7 @@ NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4 + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote ...) - libpodofo (bug #859329) [wheezy] - libpodofo (Minor issue) @@ -4369,6 +4371,7 @@ NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3 + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7381 (The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attackers ...) - libpodofo (bug #859329) [wheezy] - libpodofo (Minor issue) @@ -4377,6 +4380,7 @@ NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2 + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7380 (The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attackers ...) - libpodofo (bug #859329) [wheezy] - libpodofo (Minor issue) 
@@ -4385,6 +4389,7 @@ NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1 + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7379 (The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #859331) @@ -4397,6 +4402,7 @@ NOTE: services that use this library (apart from desktop applications) NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1 + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1847 CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in ...) - qemu 1:2.8+dfsg-4 (bug #859854) [jessie] - qemu (Minor issue) @@ -7102,6 +7108,7 @@ NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/9 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846 CVE-2017-6847 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...) - libpodofo (bug #861564) [wheezy] - libpodofo (Minor issue) @@ -7110,6 +7117,7 @@ NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/8 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846 CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace ...) - libpodofo (bug #861563) [wheezy] - libpodofo (Minor issue) 
@@ -7136,6 +7144,8 @@ - libpodofo (bug #861560) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/4 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6842 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...) - libpodofo (bug #861559) [wheezy] - libpodofo (Minor issue) @@ -7144,6 +7154,8 @@ NOTE: and the worst case is a DoS. NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/3 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp + NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 + NOTE: upstream commit:
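Review bot: the @@ -2497 hunk adds the commit link as `https://sourceforge.net/p/podofo/code/1849`, while the @@ -4361, -4369, -4377, -4385, -4397, -7102, -7110 and -7136 hunks add `http://sourceforge.net/p/podofo/code/...`; the existing references to the same host (for example `.../code/1840/` in the -7161 context) are https, so use https throughout rather than mixing schemes for one host.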
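Review bot: the @@ -7136 hunk records both r1844 and r1845 as the fix for CVE-2017-6843 and the @@ -7144 hunk starts recording r1844 again under CVE-2017-6842, just as r1848 is recorded under four entries in the @@ -4361 to -4385 hunks. When one upstream commit is shared by several CVEs, a short qualifier on the NOTE line (which hunk of the commit addresses which CVE) saves whoever backports it to wheezy from having to re-derive that mapping.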
[Secure-testing-commits] r51306 - data/CVE
Author: mattia Date: 2017-05-03 10:37:46 + (Wed, 03 May 2017) New Revision: 51306 Modified: data/CVE/list Log: record libpodofo fixes Modified: data/CVE/list === --- data/CVE/list 2017-05-03 10:15:32 UTC (rev 51305) +++ data/CVE/list 2017-05-03 10:37:46 UTC (rev 51306) @@ -2978,7 +2978,7 @@ NOTE: https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1 CVE-2017-7379 (The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in ...) {DLA-929-1} - - libpodofo (bug #859331) + - libpodofo 0.9.4-5 (bug #859331) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/2 NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/ CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo ...) @@ -5708,7 +5708,7 @@ NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp CVE-2017-6844 (Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function ...) {DLA-929-1} - - libpodofo (bug #861561) + - libpodofo 0.9.4-5 (bug #861561) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/5 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ @@ -7442,7 +7442,7 @@ NOTE: Introduced by: https://github.com/torvalds/linux/commit/952fc18ef9ec707ebdc16c0786ec360295e5ff15 (3.6-rc1) CVE-2017-5886 (Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken ...) {DLA-929-1} - - libpodofo (bug #854604) + - libpodofo 0.9.4-5 (bug #854604) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/1623824.EtgW9yDooZ%40blackgate/#msg35644693 
@@ -7993,14 +7993,14 @@ NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5854 (base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to ...) {DLA-929-1} - - libpodofo (bug #854602) + - libpodofo 0.9.4-5 (bug #854602) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1836 CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote ...) {DLA-929-1} - - libpodofo (bug #854601) + - libpodofo 0.9.4-5 (bug #854601) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
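Review bot: in the @@ -2978 and @@ -5708 hunks, CVE-2017-7379 and CVE-2017-6844 are marked fixed in 0.9.4-5 under {DLA-929-1}, but unlike CVE-2017-5886, -5854 and -5853 in the @@ -7442 and @@ -7993 hunks they show no `[jessie] - libpodofo (Minor issue)` line in the context. With the DLA covering wheezy and 0.9.4-5 covering unstable, jessie is left to a version comparison and will be listed as vulnerable; if these are minor issues like the others, add the jessie no-dsa line, otherwise state the jessie decision explicitly.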
[Secure-testing-commits] r51305 - data/CVE
Author: mattia Date: 2017-05-03 10:15:32 + (Wed, 03 May 2017) New Revision: 51305 Modified: data/CVE/list Log: update libpodofo bugs Modified: data/CVE/list === --- data/CVE/list 2017-05-03 09:12:17 UTC (rev 51304) +++ data/CVE/list 2017-05-03 10:15:32 UTC (rev 51305) 
@@ -5687,45 +5687,45 @@ CVE-2017-6427 (A Buffer Overflow was discovered in EvoStream Media Server 1.7.1. A ...) NOT-FOR-US: EvoStream Media Server CVE-2017-6849 (The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in ...) - - libpodofo (bug #856592) + - libpodofo (bug #861566) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/10 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp CVE-2017-6848 (The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in ...) - - libpodofo (bug #856592) + - libpodofo (bug #861565) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/9 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp CVE-2017-6847 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...) - - libpodofo (bug #856592) + - libpodofo (bug #861564) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/8 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace ...) - - libpodofo (bug #856592) + - libpodofo (bug #861563) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/7 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/ CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo ...) - - libpodofo (bug #856592) + - libpodofo (bug #861562) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/6 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp CVE-2017-6844 (Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function ...) 
{DLA-929-1} - - libpodofo (bug #856592) + - libpodofo (bug #861561) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/5 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-6843 (Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad ...) - - libpodofo (bug #856592) + - libpodofo (bug #861560) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/4 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h CVE-2017-6842 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...) - - libpodofo (bug #856592) + - libpodofo (bug #861559) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/3 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp CVE-2017-6841 (The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement ...) - - libpodofo (bug #856592) + - libpodofo (bug #861558) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/2 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h CVE-2017-6840 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in ...) - - libpodofo (bug #856592) + - libpodofo (bug #861557) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/1 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp CVE-2017-6426 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
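Review bot: the @@ -5687,45 hunk replaces the umbrella bug #856592 with per-CVE bug numbers assigned in lockstep with the descending CVE numbers (CVE-2017-6849 gets #861566, down to CVE-2017-6840 with #861557). A purely positional mapping like this is easy to shift by one, so verify each pair against the bug titles before relying on it, and close #856592 or mark it as superseded so it is not left open without a CVE reference.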
[Secure-testing-commits] r51157 - data/CVE
Author: mattia Date: 2017-04-28 17:54:19 + (Fri, 28 Apr 2017) New Revision: 51157 Modified: data/CVE/list Log: another libpodofo commit Modified: data/CVE/list === --- data/CVE/list 2017-04-28 17:53:47 UTC (rev 51156) +++ data/CVE/list 2017-04-28 17:54:19 UTC (rev 51157) @@ -2532,6 +2532,7 @@ CVE-2017-7379 (The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in ...) - libpodofo (bug #859331) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/2 + NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/ CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoFo ...) - libpodofo (bug #859330) NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/1 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
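Review bot: the @@ -2532 hunk labels the new reference `NOTE: upstream fix:` with a trailing-slash URL, while the other podofo entries (CVE-2017-6844, CVE-2017-5853, CVE-2017-5852 in the surrounding commits) use `NOTE: upstream commit:` without the slash; pick one label and URL form so the commit references can be grepped and deduplicated consistently.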
[Secure-testing-commits] r51153 - data/CVE
Author: mattia Date: 2017-04-28 17:36:31 + (Fri, 28 Apr 2017) New Revision: 51153 Modified: data/CVE/list Log: fix reproducer link of CVE-2017-6846 Modified: data/CVE/list === --- data/CVE/list 2017-04-28 15:49:50 UTC (rev 51152) +++ data/CVE/list 2017-04-28 17:36:31 UTC (rev 51153) @@ -5204,7 +5204,7 @@ CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace ...) - libpodofo (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/7 - NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp + NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/ CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo ...) - libpodofo (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/6 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
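Review bot: the @@ -5204 hunk corrects a reproducer link that had been copy-pasted from the CVE-2017-6845 entry into CVE-2017-6846; since the CVE-2017-6840 to -6849 entries were evidently filled in as a batch, it is worth re-checking that every blogs.gentoo.org link names the same function as its CVE description. The replacement URL is also the only one of those links ending in a trailing slash, which is harmless but worth normalising.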
[Secure-testing-commits] r51152 - data/CVE
Author: mattia Date: 2017-04-28 15:49:50 + (Fri, 28 Apr 2017) New Revision: 51152 Modified: data/CVE/list Log: link libpodofo fixing commits Modified: data/CVE/list === --- data/CVE/list 2017-04-28 13:37:06 UTC (rev 51151) +++ data/CVE/list 2017-04-28 15:49:50 UTC (rev 51152) @@ -5213,6 +5213,7 @@ - libpodofo (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/5 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-6843 (Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad ...) - libpodofo (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/4 
@@ -7492,13 +7493,14 @@ NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: Proposed fix: https://sourceforge.net/p/podofo/mailman/message/35692197/ + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-5852 (The PoDoFo::PdfPage::GetInheritedKeyFromObject function in ...) - libpodofo (bug #854600) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 - NOTE: upstream commits: https://sourceforge.net/p/podofo/code/1835 - https://sourceforge.net/p/podofo/code/1838 + NOTE: upstream commits: https://sourceforge.net/p/podofo/code/1835 - https://sourceforge.net/p/podofo/code/1838 - https://sourceforge.net/p/podofo/code/1841/ CVE-2017-5849 (tiffttopnm in netpbm 10.47.63 does not properly use the libtiff ...) - netpbm-free (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/02/2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
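Review bot: in the @@ -7492,13 hunk the CVE-2017-5853 entry now carries both `NOTE: Proposed fix: .../message/35692197/` and the committed `NOTE: upstream commit: .../code/1840/`; once the commit is recorded the proposal link is superseded and can mislead a backporter into taking an unmerged patch, so drop it or reword it as background. r1840 is also listed under CVE-2017-6844 in the @@ -5213 hunk; both descriptions point at PdfParser.cpp, but a one-line note on why a single commit covers both would help reviewers of the stable updates.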
[Secure-testing-commits] r50529 - data/CVE
Author: mattia Date: 2017-04-10 14:30:14 + (Mon, 10 Apr 2017) New Revision: 50529 Modified: data/CVE/list Log: link another libpodofo commit fix Modified: data/CVE/list === --- data/CVE/list 2017-04-10 13:00:05 UTC (rev 50528) +++ data/CVE/list 2017-04-10 14:30:14 UTC (rev 50529) @@ -5553,7 +5553,7 @@ [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 - NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1835 + NOTE: upstream commits: https://sourceforge.net/p/podofo/code/1835 - https://sourceforge.net/p/podofo/code/1838 CVE-2017-5849 (tiffttopnm in netpbm 10.47.63 does not properly use the libtiff ...) - netpbm-free (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/02/2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
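Review bot: the @@ -5553 hunk folds a second commit into one line as `upstream commits: .../1835 - .../1838` (and r51152 later extends the same line with r1841); elsewhere in the file each commit gets its own `NOTE: upstream commit:` line, and a ` - ` separator inside a NOTE reads like the tracker's ` - package` syntax at a glance, so prefer one NOTE line per commit.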
[Secure-testing-commits] r50445 - data/CVE
Author: mattia Date: 2017-04-07 19:03:31 + (Fri, 07 Apr 2017) New Revision: 50445 Modified: data/CVE/list Log: Add 3 upstream commits for libpodofo issues Modified: data/CVE/list === --- data/CVE/list 2017-04-07 18:51:07 UTC (rev 50444) +++ data/CVE/list 2017-04-07 19:03:31 UTC (rev 50445) @@ -4832,6 +4832,7 @@ [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/1623824.EtgW9yDooZ%40blackgate/#msg35644693 + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1837 CVE-2017-5877 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack ...) NOT-FOR-US: dotCMS CVE-2017-5876 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack ...) @@ -5378,6 +5379,7 @@ [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1836 CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote ...) - libpodofo (bug #854601) [jessie] - libpodofo (Minor issue) 
@@ -5391,6 +5393,7 @@ [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 + NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1835 CVE-2017-5849 (tiffttopnm in netpbm 10.47.63 does not properly use the libtiff ...) - netpbm-free (vulnerable code not present) NOTE: http://www.openwall.com/lists/oss-security/2017/02/02/2 ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48879 - data/CVE
Author: mattia Date: 2017-02-13 16:14:30 + (Mon, 13 Feb 2017) New Revision: 48879 Modified: data/CVE/list Log: CVE-2017-0359/diffoscope fixed in version 76 Modified: data/CVE/list === --- data/CVE/list 2017-02-13 13:39:03 UTC (rev 48878) +++ data/CVE/list 2017-02-13 16:14:30 UTC (rev 48879) @@ -14141,7 +14141,7 @@ RESERVED CVE-2017-0359 [diffoscope writes to arbitrary locations on disk based on the contents of an untrusted archive] RESERVED - - diffoscope (bug #854723) + - diffoscope 76 (bug #854723) CVE-2017-0358 RESERVED {DSA-3780-1 DLA-815-1} ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] r48772 - data/CVE
Author: mattia Date: 2017-02-08 16:27:16 + (Wed, 08 Feb 2017) New Revision: 48772 Modified: data/CVE/list Log: Update libpodofo CVEs status Modified: data/CVE/list === --- data/CVE/list 2017-02-08 15:10:48 UTC (rev 48771) +++ data/CVE/list 2017-02-08 16:27:16 UTC (rev 48772) @@ -194,9 +194,9 @@ NOTE: Introduced by: https://github.com/torvalds/linux/commit/952fc18ef9ec707ebdc16c0786ec360295e5ff15 (3.6-rc1) CVE-2017-5886 [podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)] RESERVED - - libpodofo + - libpodofo (bug #854604) NOTE: https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp - NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/1623824.EtgW9yDooZ%40blackgate/#msg35644693 CVE-2017-5877 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack ...) NOT-FOR-US: dotCMS CVE-2017-5876 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack ...) 
@@ -708,30 +708,36 @@ CVE-2016-10194 RESERVED NOT-FOR-US: festivaltts4r +CVE-2017- [podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)] + - libpodofo (bug #854605) + NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfinfoguessformat-pdfinfo-cpp/ + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 + NOTE: https://marc.info/?l=oss-security=148603648823037=2 CVE-2015-8981 [Heap overflow in the function ReadXRefSubsection] RESERVED - - libpodofo (bug #854118) + - libpodofo 0.9.4-1 (bug #854599) NOTE: https://sourceforge.net/p/podofo/mailman/message/34205419/ NOTE: https://sourceforge.net/p/podofo/code/1672 CVE-2017-5855 [NULL pointer dereference in PoDoFo::PdfParser::ReadXRefSubsection] RESERVED - - libpodofo (bug #854118) + - libpodofo (bug #854603) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5854 [NULL pointer dereference in PdfOutputStream.cpp] RESERVED - - libpodofo (bug #854118) + - libpodofo (bug #854602) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp - NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5853 [Signed integer overflow in PdfParser.cpp] RESERVED - - libpodofo (bug #854118) + - libpodofo (bug #854601) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp - NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 + NOTE: 
https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5852 [Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject] RESERVED - - libpodofo (bug #854118) + - libpodofo (bug #854600) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp - NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 CVE-2017-5849 [Out-of-Bound read and write issues in put1bitbwtile() and putgreytile()] RESERVED - netpbm-free (vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
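Review bot: in the @@ -708,30 hunk the new `CVE-2017- [podofo: NULL pointer dereference in PdfInfo::GuessFormat (pdfinfo.cpp)]` entry adds a marc.info reference whose query string has lost its parameter names (`?l=oss-security=148603648823037=2`); check that it still resolves and, for consistency with the other entries, prefer the openwall.com archive URL. The same hunk also changes CVE-2015-8981 from the umbrella bug #854118 to `libpodofo 0.9.4-1 (bug #854599)`, introducing a fixed version alongside the bug renumbering; that deserves a mention in the log message, which only says `Update libpodofo CVEs status`.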
[Secure-testing-commits] r48709 - data/CVE
Author: mattia Date: 2017-02-04 14:01:33 + (Sat, 04 Feb 2017) New Revision: 48709 Modified: data/CVE/list Log: update libpodofo info Modified: data/CVE/list === --- data/CVE/list 2017-02-04 13:10:23 UTC (rev 48708) +++ data/CVE/list 2017-02-04 14:01:33 UTC (rev 48709) @@ -1,6 +1,7 @@ CVE-2017- [podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)] - libpodofo NOTE: https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 CVE-2017-5877 RESERVED CVE-2017-5876 @@ -524,14 +525,17 @@ RESERVED - libpodofo (bug #854118) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 CVE-2017-5853 [Signed integer overflow in PdfParser.cpp] RESERVED - libpodofo (bug #854118) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 CVE-2017-5852 [Infinite loop in PoDoFo::PdfPage::GetInheritedKeyFromObject] RESERVED - libpodofo (bug #854118) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp + NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/20170204121312.lq26ge6osbiuwnjo%40mapreri.org/#msg35646469 CVE-2017-5849 [Out-of-Bound read and write issues in put1bitbwtile() and putgreytile()] RESERVED - netpbm-free (vulnerable code not present) ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
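Review bot: the @@ -1,6 hunk adds a mailing-list reference to the unnumbered `CVE-2017- [podofo: heap-based buffer overflow in PoDoFo::PdfTokenizer::GetNextToken (PdfTokenizer.cpp)]` entry, which still has a bare `- libpodofo` line with no Debian bug, while every entry in the @@ -524,14 hunk carries `(bug #854118)`; file or reference a bug so the issue is tracked in the BTS as well.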
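Review bot: the @@ -524,14 hunk links the same thread URL under three entries, anchored on one message (`#msg35646469`) in a thread whose root is a mapreri.org message-id; if that is a follow-up rather than the original report, link the original report's thread instead, since a reference to a reply is easy to misread as the primary source and is harder to keep stable.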