[Secure-testing-commits] r54465 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 07:07:54 + (Wed, 09 Aug 2017)
New Revision: 54465

Modified:
   data/CVE/list
Log:
Add bug reference for curl issue, #871554

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 06:55:58 UTC (rev 54464)
+++ data/CVE/list   2017-08-09 07:07:54 UTC (rev 54465)
@@ -1,5 +1,5 @@
 CVE-2017-1000101 [URL globbing out of bounds read]
-   - curl 
+   - curl  (bug #871554)
NOTE: https://curl.haxx.se/docs/adv_20170809A.html
NOTE: https://curl.haxx.se/CVE-2017-1000101.patch
 CVE-2017-1000100 [TFTP sends more than buffer size]


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r54466 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 07:10:05 + (Wed, 09 Aug 2017)
New Revision: 54466

Modified:
   data/CVE/list
Log:
Add bug for CVE-2017-1000100/curl issue, #871555

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 07:07:54 UTC (rev 54465)
+++ data/CVE/list   2017-08-09 07:10:05 UTC (rev 54466)
@@ -3,7 +3,7 @@
NOTE: https://curl.haxx.se/docs/adv_20170809A.html
NOTE: https://curl.haxx.se/CVE-2017-1000101.patch
 CVE-2017-1000100 [TFTP sends more than buffer size]
-   - curl 
+   - curl  (bug #871555)
NOTE: https://curl.haxx.se/docs/adv_20170809B.html
NOTE: https://curl.haxx.se/CVE-2017-1000100.patch
 CVE-2017-199 [FILE buffer read out of bounds]




[Secure-testing-commits] r54467 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 08:17:33 + (Wed, 09 Aug 2017)
New Revision: 54467

Modified:
   data/CVE/list
Log:
Add fixed version for firefox-esr upload to unstable

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 07:10:05 UTC (rev 54466)
+++ data/CVE/list   2017-08-09 08:17:33 UTC (rev 54467)
@@ -13237,7 +13237,7 @@
 CVE-2017-7807
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7806
RESERVED
- firefox 
@@ -13250,26 +13250,26 @@
 CVE-2017-7803
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7802
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7801
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7800
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7799
RESERVED
- firefox 
 CVE-2017-7798
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7797
RESERVED
- firefox 
@@ -13286,11 +13286,11 @@
 CVE-2017-7792
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7791
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7790
RESERVED
- firefox  (Windows-specific)
@@ -13304,19 +13304,19 @@
 CVE-2017-7787
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7786
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7785
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7784
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7783
RESERVED
- firefox 
@@ -1,7 +1,7 @@
 CVE-2017-7779
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7778
RESERVED
{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
@@ -13516,7 +13516,7 @@
 CVE-2017-7753
RESERVED
- firefox 
-   - firefox-esr  
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7752
RESERVED
{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}




[Secure-testing-commits] r54468 - data

2017-08-09 Thread Emilio Pozuelo Monfort
Author: pochu
Date: 2017-08-09 08:35:12 + (Wed, 09 Aug 2017)
New Revision: 54468

Modified:
   data/dla-needed.txt
Log:
dla: claim firefox-esr

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-09 08:17:33 UTC (rev 54467)
+++ data/dla-needed.txt 2017-08-09 08:35:12 UTC (rev 54468)
@@ -36,6 +36,8 @@
 faad2
   NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, 
sent email later
 --
+firefox-esr (Emilio Pozuelo)
+--
 fontforge
 --
 freeradius




[Secure-testing-commits] r54469 - data/CVE

2017-08-09 Thread security tracker role
Author: sectracker
Date: 2017-08-09 09:10:20 + (Wed, 09 Aug 2017)
New Revision: 54469

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 08:35:12 UTC (rev 54468)
+++ data/CVE/list   2017-08-09 09:10:20 UTC (rev 54469)
@@ -10810,8 +10810,8 @@
RESERVED
 CVE-2017-8692
RESERVED
-CVE-2017-8691
-   RESERVED
+CVE-2017-8691 (Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an 
...)
+   TODO: check
 CVE-2017-8690
RESERVED
 CVE-2017-8689
@@ -10844,90 +10844,90 @@
RESERVED
 CVE-2017-8675
RESERVED
-CVE-2017-8674
-   RESERVED
-CVE-2017-8673
-   RESERVED
-CVE-2017-8672
-   RESERVED
-CVE-2017-8671
-   RESERVED
-CVE-2017-8670
-   RESERVED
-CVE-2017-8669
-   RESERVED
-CVE-2017-8668
-   RESERVED
+CVE-2017-8674 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
+   TODO: check
+CVE-2017-8673 (The Remote Desktop Protocol (RDP) implementation in Microsoft 
Windows ...)
+   TODO: check
+CVE-2017-8672 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and 
Windows ...)
+   TODO: check
+CVE-2017-8671 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and 
Windows ...)
+   TODO: check
+CVE-2017-8670 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows 
Server ...)
+   TODO: check
+CVE-2017-8669 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 
2008 R2 ...)
+   TODO: check
+CVE-2017-8668 (The Volume Manager Extension Driver in Microsoft Windows 7 SP1, 
...)
+   TODO: check
 CVE-2017-8667
RESERVED
-CVE-2017-8666
-   RESERVED
+CVE-2017-8666 (Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 
7 SP1, ...)
+   TODO: check
 CVE-2017-8665
RESERVED
-CVE-2017-8664
-   RESERVED
+CVE-2017-8664 (Windows Hyper-V in Windows 8.1, Windows Server 2012 Gold and 
R2, ...)
+   TODO: check
 CVE-2017-8663 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, 
...)
NOT-FOR-US: Microsoft
-CVE-2017-8662
-   RESERVED
-CVE-2017-8661
-   RESERVED
+CVE-2017-8662 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
+   TODO: check
+CVE-2017-8661 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows 
Server ...)
+   TODO: check
 CVE-2017-8660
RESERVED
-CVE-2017-8659
-   RESERVED
+CVE-2017-8659 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
+   TODO: check
 CVE-2017-8658
RESERVED
-CVE-2017-8657
-   RESERVED
-CVE-2017-8656
-   RESERVED
-CVE-2017-8655
-   RESERVED
-CVE-2017-8654
-   RESERVED
-CVE-2017-8653
-   RESERVED
-CVE-2017-8652
-   RESERVED
-CVE-2017-8651
-   RESERVED
-CVE-2017-8650
-   RESERVED
+CVE-2017-8657 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and 
Windows ...)
+   TODO: check
+CVE-2017-8656 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows 
Server ...)
+   TODO: check
+CVE-2017-8655 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 
and ...)
+   TODO: check
+CVE-2017-8654 (Microsoft SharePoint Server 2010 Service Pack 2 allows a 
cross-site ...)
+   TODO: check
+CVE-2017-8653 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 
2008 SP2 ...)
+   TODO: check
+CVE-2017-8652 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 
and ...)
+   TODO: check
+CVE-2017-8651 (Internet Explorer in Microsoft Windows Server 2008 SP2 and 
Windows ...)
+   TODO: check
+CVE-2017-8650 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
+   TODO: check
 CVE-2017-8649
RESERVED
 CVE-2017-8648
RESERVED
-CVE-2017-8647
-   RESERVED
-CVE-2017-8646
-   RESERVED
-CVE-2017-8645
-   RESERVED
-CVE-2017-8644
-   RESERVED
+CVE-2017-8647 (Microsoft Edge in Windows 10 1703 allows an attacker to execute 
...)
+   TODO: check
+CVE-2017-8646 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows 
Server 2016 ...)
+   TODO: check
+CVE-2017-8645 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows 
Server 2016 ...)
+   TODO: check
+CVE-2017-8644 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 
and ...)
+   TODO: check
 CVE-2017-8643
RESERVED
-CVE-2017-8642
-   RESERVED
-CVE-2017-8641
-   RESERVED
-CVE-2017-8640
-   RESERVED
-CVE-2017-8639
-   RESERVED
-CVE-2017-8638
-   RESERVED
-CVE-2017-8637
-   RESERVED
-CVE-2017-8636
-   RESERVED
-CVE-2017-8635
-   RESERVED
-CVE-2017-8634
-   RESERVED
-CVE-2017-8633
-   RESERVED
+CVE-2017-8642 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
+   TODO: check
+CVE-2017-8641 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 
2008 R2 ...)
+   TODO: check
+CVE-2017-8640 (Microsof

[Secure-testing-commits] r54470 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 09:19:27 + (Wed, 09 Aug 2017)
New Revision: 54470

Modified:
   data/CVE/list
Log:
Process various CVEs specific to Microsoft products

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 09:10:20 UTC (rev 54469)
+++ data/CVE/list   2017-08-09 09:19:27 UTC (rev 54470)
@@ -10811,7 +10811,7 @@
 CVE-2017-8692
RESERVED
 CVE-2017-8691 (Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an 
...)
-   TODO: check
+   NOT-FOR-US: Microsoft Windows
 CVE-2017-8690
RESERVED
 CVE-2017-8689
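
Review bot: The tag on CVE-2017-8691 reads `NOT-FOR-US: Microsoft Windows`, while the CVE-2017-8663 entry a few lines further down this file uses plain `NOT-FOR-US: Microsoft`. Use one product string across the batch so that a later search on either spelling finds every entry.
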
@@ -10845,89 +10845,89 @@
 CVE-2017-8675
RESERVED
 CVE-2017-8674 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8673 (The Remote Desktop Protocol (RDP) implementation in Microsoft 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8672 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8671 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8670 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows 
Server ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8669 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 
2008 R2 ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8668 (The Volume Manager Extension Driver in Microsoft Windows 7 SP1, 
...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8667
RESERVED
 CVE-2017-8666 (Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 
7 SP1, ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8665
RESERVED
 CVE-2017-8664 (Windows Hyper-V in Windows 8.1, Windows Server 2012 Gold and 
R2, ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8663 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, 
...)
NOT-FOR-US: Microsoft
 CVE-2017-8662 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8661 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows 
Server ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8660
RESERVED
 CVE-2017-8659 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8658
RESERVED
 CVE-2017-8657 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8656 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows 
Server ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8655 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 
and ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8654 (Microsoft SharePoint Server 2010 Service Pack 2 allows a 
cross-site ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8653 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 
2008 SP2 ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8652 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 
and ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8651 (Internet Explorer in Microsoft Windows Server 2008 SP2 and 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8650 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8649
RESERVED
 CVE-2017-8648
RESERVED
 CVE-2017-8647 (Microsoft Edge in Windows 10 1703 allows an attacker to execute 
...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8646 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows 
Server 2016 ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8645 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows 
Server 2016 ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8644 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 
and ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8643
RESERVED
 CVE-2017-8642 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker 
to ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8641 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 
2008 R2 ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8640 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, and 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8639 (Microsoft Edge in Windows 10 1607, 1703, and Windows Server 
2016 ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-8638 (Microsoft Edge in Microsoft Windows 10 

[Secure-testing-commits] r54471 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 11:10:19 + (Wed, 09 Aug 2017)
New Revision: 54471

Modified:
   data/CVE/list
Log:
Update silverjuke entry

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 09:19:27 UTC (rev 54470)
+++ data/CVE/list   2017-08-09 11:10:19 UTC (rev 54471)
@@ -46,8 +46,7 @@
[stretch] - taglib  (Minor issue)
[jessie] - taglib  (Vulnerable code not present)
[wheezy] - taglib  (Vulnerable code not present)
-   - silverjuke 
-   TODO: check silverjuke
+   - silverjuke  (Vulnerable code not present, based on 
older taglib version)
NOTE: https://github.com/taglib/taglib/issues/829
NOTE: 
https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97
 CVE-2017-12677 (IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS 
in an ...)




[Secure-testing-commits] r54472 - data/CVE

2017-08-09 Thread Henri Salo
Author: fgeek-guest
Date: 2017-08-09 11:16:39 + (Wed, 09 Aug 2017)
New Revision: 54472

Modified:
   data/CVE/list
Log:
giflib gif2rgb DumpScreen2RGB

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 11:10:19 UTC (rev 54471)
+++ data/CVE/list   2017-08-09 11:16:39 UTC (rev 54472)
@@ -1,3 +1,7 @@
+CVE-2016- [heap buffer overflow in gif2rgb DumpScreen2RGB function]
+   - giflib 
+   NOTE: https://sourceforge.net/p/giflib/bugs/102/
+   TODO: check
 CVE-2017-1000101 [URL globbing out of bounds read]
- curl  (bug #871554)
NOTE: https://curl.haxx.se/docs/adv_20170809A.html
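
Review bot: The temporary entry added at the top of this hunk carries only the upstream bug link and `TODO: check`, and nothing records that data/CVE/list was searched for an existing entry covering the same giflib bug. Search the list for the package name and for `sourceforge.net/p/giflib/bugs/102` before adding a placeholder, and state the result in the log message.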




[Secure-testing-commits] r54473 - conf

2017-08-09 Thread Sebastien Delafond
Author: seb
Date: 2017-08-09 11:58:18 + (Wed, 09 Aug 2017)
New Revision: 54473

Modified:
   conf/cvelist.el
Log:
In emacs debian-cvelist-mode, handle up to 7 digits in CVE IDs

Modified: conf/cvelist.el
===
--- conf/cvelist.el 2017-08-09 11:16:39 UTC (rev 54472)
+++ conf/cvelist.el 2017-08-09 11:58:18 UTC (rev 54473)
@@ -26,11 +26,11 @@
"Keymap for `debian-cvelist-mode'.")
 
 (defvar debian-cvelist-font-lock-keywords
-  '(("^CVE-[0-9]\\{4\\}-[0-9X]\\{4,5\\}" . font-lock-function-name-face)
+  '(("^CVE-[0-9]\\{4\\}-[0-9X]\\{4,7\\}" . font-lock-function-name-face)
 ("^\tNOTE:" . font-lock-comment-delimiter-face)
 ("^\tTODO:" . font-lock-warning-face)
 ("^\t\\(RESERVED\\|NOT-FOR-US\\|REJECTED\\)" . font-lock-keyword-face)
-("^CVE-[0-9]\\{4\\}-[0-9X]\\{4,5\\}" "\\[\\(.*\\)\\]$" nil nil (1 
font-lock-variable-name-face))
+("^CVE-[0-9]\\{4\\}-[0-9X]\\{4,7\\}" "\\[\\(.*\\)\\]$" nil nil (1 
font-lock-variable-name-face))
 ("\\" . font-lock-warning-face)
 ("\\" . font-lock-constant-face))
   "Keyword highlighting for `debian-cvelist-mode'")
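
Review bot: The new bound in `[0-9X]\\{4,7\\}` (both changed lines) is still a fixed cap, and CVE ID syntax sets only a minimum of four sequence digits with no maximum. An open-ended `\\{4,\\}` would avoid another edit when longer IDs appear. The same pattern string is also written out twice in `debian-cvelist-font-lock-keywords`; binding it once and reusing it would keep the two rules from drifting apart.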




[Secure-testing-commits] r54474 - data

2017-08-09 Thread Chris Lamb
Author: lamby
Date: 2017-08-09 12:01:36 + (Wed, 09 Aug 2017)
New Revision: 54474

Modified:
   data/dla-needed.txt
Log:
Triage cacti for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-09 11:58:18 UTC (rev 54473)
+++ data/dla-needed.txt 2017-08-09 12:01:36 UTC (rev 54474)
@@ -15,6 +15,9 @@
 ca-certificates
   NOTE: 2017-07-19: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
 --
+cacti
+  NOTE: 2017-08-09: note that there is some "drama" re. duplicates. See 

+--
 cairo (Emilio Pozuelo)
 --
 check-mk
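
Review bot: The added cacti NOTE ends at "See" with no link or message reference after it as shown here, so the next person triaging has nothing to follow. Put the reference on the same line as the text and add your name to the note.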




[Secure-testing-commits] r54478 - data

2017-08-09 Thread Chris Lamb
Author: lamby
Date: 2017-08-09 12:06:35 + (Wed, 09 Aug 2017)
New Revision: 54478

Modified:
   data/dla-needed.txt
Log:
Triage giflib for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-09 12:06:33 UTC (rev 54477)
+++ data/dla-needed.txt 2017-08-09 12:06:35 UTC (rev 54478)
@@ -51,6 +51,8 @@
 --
 freerdp (Markus Koschany)
 --
+giflib
+--
 gnupg
 --
 imagemagick (Roberto C. Sánchez)



[Secure-testing-commits] r54475 - data

2017-08-09 Thread Chris Lamb
Author: lamby
Date: 2017-08-09 12:06:29 + (Wed, 09 Aug 2017)
New Revision: 54475

Modified:
   data/dla-needed.txt
Log:
Triage curl for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-09 12:01:36 UTC (rev 54474)
+++ data/dla-needed.txt 2017-08-09 12:06:29 UTC (rev 54475)
@@ -29,6 +29,8 @@
 clamav
   NOTE: https://lists.debian.org/debian-lts/2017/08/msg2.html
 --
+curl
+--
 eglibc
   NOTE: 20170510, patch available, however not yet applied upstream.
   NOTE: 20170706: no change upstream, patch disputed.




[Secure-testing-commits] r54477 - data

2017-08-09 Thread Chris Lamb
Author: lamby
Date: 2017-08-09 12:06:33 + (Wed, 09 Aug 2017)
New Revision: 54477

Modified:
   data/dla-needed.txt
Log:
Add comment for curl

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-09 12:06:31 UTC (rev 54476)
+++ data/dla-needed.txt 2017-08-09 12:06:33 UTC (rev 54477)
@@ -30,6 +30,7 @@
   NOTE: https://lists.debian.org/debian-lts/2017/08/msg2.html
 --
 curl
+  NOTE: 2017-08-09: Not entirely sure vulnerable, adding just in case. (lamby)
 --
 eglibc
   NOTE: 20170510, patch available, however not yet applied upstream.
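
Review bot: The added curl NOTE says "Not entirely sure vulnerable" without naming the CVE IDs in question or what exactly is unconfirmed. List the IDs and the open question (for example, whether the affected code is present in the LTS version) so whoever claims the package knows what to verify first.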




[Secure-testing-commits] r54476 - data

2017-08-09 Thread Chris Lamb
Author: lamby
Date: 2017-08-09 12:06:31 + (Wed, 09 Aug 2017)
New Revision: 54476

Modified:
   data/dla-needed.txt
Log:
Add attribution for previous comment.

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-09 12:06:29 UTC (rev 54475)
+++ data/dla-needed.txt 2017-08-09 12:06:31 UTC (rev 54476)
@@ -16,7 +16,7 @@
   NOTE: 2017-07-19: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
 --
 cacti
-  NOTE: 2017-08-09: note that there is some "drama" re. duplicates. See 

+  NOTE: 2017-08-09: note that there is some "drama" re. duplicates. See 
 (lamby)
 --
 cairo (Emilio Pozuelo)
 --




[Secure-testing-commits] r54479 - data/CVE

2017-08-09 Thread Chris Lamb
Author: lamby
Date: 2017-08-09 12:09:57 + (Wed, 09 Aug 2017)
New Revision: 54479

Modified:
   data/CVE/list
Log:
CVE-2017-11664 (etc.) for wheezy  (vulnerable code not present)

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 12:06:35 UTC (rev 54478)
+++ data/CVE/list   2017-08-09 12:09:57 UTC (rev 54479)
@@ -2398,21 +2398,25 @@
 CVE-2017-11664
RESERVED
- wildmidi 
+   [wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11663
RESERVED
- wildmidi 
+   [wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11662
RESERVED
- wildmidi 
+   [wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11661
RESERVED
- wildmidi 
+   [wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11660
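
Review bot: The four added `[wheezy] - wildmidi` lines give "vulnerable code not present" as the reason but do not say which wheezy version was inspected or which code is absent. A short NOTE naming the checked version would let the claim be re-verified later. The reason is also lower-case here, while the taglib entries in the same file write "Vulnerable code not present".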




[Secure-testing-commits] r54480 - data/CVE

2017-08-09 Thread Henri Salo
Author: fgeek-guest
Date: 2017-08-09 12:55:49 + (Wed, 09 Aug 2017)
New Revision: 54480

Modified:
   data/CVE/list
Log:
Duplicate of CVE-2016-3977

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 12:09:57 UTC (rev 54479)
+++ data/CVE/list   2017-08-09 12:55:49 UTC (rev 54480)
@@ -1,7 +1,3 @@
-CVE-2016- [heap buffer overflow in gif2rgb DumpScreen2RGB function]
-   - giflib 
-   NOTE: https://sourceforge.net/p/giflib/bugs/102/
-   TODO: check
 CVE-2017-1000101 [URL globbing out of bounds read]
- curl  (bug #871554)
NOTE: https://curl.haxx.se/docs/adv_20170809A.html
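
Review bot: Removing the temporary giflib entry also removes the `NOTE: https://sourceforge.net/p/giflib/bugs/102/` reference. Check that the CVE-2016-3977 entry named in the log message carries that upstream bug link, and add it there if it does not, so the pointer is not lost with the duplicate.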




[Secure-testing-commits] r54481 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 13:35:48 + (Wed, 09 Aug 2017)
New Revision: 54481

Modified:
   data/CVE/list
Log:
NFUs
miniupnpc no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 12:55:49 UTC (rev 54480)
+++ data/CVE/list   2017-08-09 13:35:48 UTC (rev 54481)
@@ -2156,7 +2156,7 @@
 CVE-2017-11742 (The writeRandomBytes_RtlGenRandom function in xmlparse.c in 
libexpat in ...)
- expat  (Windows specfic issue)
 CVE-2017-11741 (HashiCorp Vagrant VMware Fusion plugin (aka 
vagrant-vmware-fusion) ...)
-   TODO: check
+   NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin
 CVE-2017-11740
RESERVED
 CVE-2017-11739
@@ -3830,15 +3830,15 @@
 CVE-2017-11156
RESERVED
 CVE-2017-11155 (An information exposure vulnerability in index.php in Synology 
Photo ...)
-   TODO: check
+   NOT-FOR-US: Synology
 CVE-2017-11154 (Unrestricted file upload vulnerability in 
PixlrEditorHandler.php in ...)
TODO: check
 CVE-2017-11153 (Deserialization vulnerability in synophoto_csPhotoMisc.php in 
Synology ...)
-   TODO: check
+   NOT-FOR-US: Synology
 CVE-2017-11152 (Directory traversal vulnerability in PixlrEditorHandler.php in 
...)
TODO: check
 CVE-2017-11151 (A vulnerability in synotheme_upload.php in Synology Photo 
Station ...)
-   TODO: check
+   NOT-FOR-US: Synology
 CVE-2017-11150
RESERVED
 CVE-2017-11149
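
Review bot: In this hunk CVE-2017-11154 and CVE-2017-11152 stay at `TODO: check` while the three entries around them become `NOT-FOR-US: Synology`. If the PixlrEditorHandler.php issues belong to the same product, tag them in the same commit; if that is not yet established, say so in the log message so the gap does not read as an oversight.
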
@@ -4051,6 +4051,7 @@
NOT-FOR-US: ATutor
 CVE-2017-101 (FedMsg 0.18.1 and older is vulnerable to a message 
validation flaw ...)
- fedmsg  (bug #868508)
+   [jessie] - fedmsg  (Minor issue)
NOTE: https://github.com/fedora-infra/fedmsg/commit/5c21cf88a
 CVE-2017-11141 (The ReadMATImage function in coders\mat.c in ImageMagick 
7.0.5-6 has a ...)
{DSA-3914-1}
@@ -6697,35 +6698,35 @@
 CVE-2017-10259
RESERVED
 CVE-2017-10258 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction 
Hub ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10257 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction 
Hub ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10256 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction 
Hub ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10255 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction 
Hub ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10254 (Vulnerability in the PeopleSoft Enterprise FSCM component of 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10253 (Vulnerability in the PeopleSoft Enterprise PeopleTools 
component of ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10252 (Vulnerability in the PeopleSoft Enterprise PeopleTools 
component of ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10251 (Vulnerability in the PeopleSoft Enterprise PeopleTools 
component of ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10250 (Vulnerability in the PeopleSoft Enterprise PeopleTools 
component of ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10249 (Vulnerability in the PeopleSoft Enterprise PeopleTools 
component of ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10248 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction 
Hub ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10247 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction 
Hub ...)
-   TODO: check
+   NOT-FOR-US: PeopleSoft
 CVE-2017-10246 (Vulnerability in the Oracle Application Object Library 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-10245 (Vulnerability in the Oracle General Ledger component of Oracle 
...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-10244 (Vulnerability in the Oracle Application Object Library 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-10243 (Vulnerability in the Java SE, Java SE Embedded, JRockit 
component of ...)
- openjdk-8 8u141-b15-1
- openjdk-7 
@@ -6764,55 +6765,55 @@
[jessie] - virtualbox  (DSA-3699-1)
[wheezy] - virtualbox  (DSA 3454)
 CVE-2017-10234 (Vulnerability in the Solaris Cluster component of Oracle Sun 
Systems ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-10233 (Vulnerability in the Oracle VM VirtualBox component of Oracle 
...)
- virtualbox 5.1.24-dfsg-1
[jessie] - virtualbox  (DSA-3699-1)
[wheezy] - virtualbox  (DSA 3454)
 CVE-2017-10232 (Vulnerability in the Hospitality WebSuite8 Cloud Service 
component of ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-10231 (Vulnerability in the Oracle Hospitality Cruise AffairWhere 
component ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2017-10230 (Vulnerability in the Oracle Hospitality Cruise Dining Room 
Management ...)
-   T

[Secure-testing-commits] r54482 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 13:39:12 + (Wed, 09 Aug 2017)
New Revision: 54482

Modified:
   data/CVE/list
Log:
firefox fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 13:35:48 UTC (rev 54481)
+++ data/CVE/list   2017-08-09 13:39:12 UTC (rev 54482)
@@ -13234,18 +13234,18 @@
RESERVED
 CVE-2017-7809
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 
 CVE-2017-7808
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7807
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7806
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7805
RESERVED
 CVE-2017-7804
@@ -13254,30 +13254,30 @@
- firefox-esr  (Windows-specific)
 CVE-2017-7803
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7802
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7801
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7800
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7799
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7798
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7797
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7796
RESERVED
- firefox  (Windows-specific)
@@ -13285,59 +13285,59 @@
RESERVED
 CVE-2017-7794
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7793
RESERVED
 CVE-2017-7792
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7791
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7790
RESERVED
- firefox  (Windows-specific)
 CVE-2017-7789 [Firefox ignores Strict-Transport-Security when two more STS 
headers are sent from server]
RESERVED
-   - firefox  (low)
+   - firefox 55.0-1 (low)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1074642
 CVE-2017-7788
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7787
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7786
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7785
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7784
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7783
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7782
RESERVED
- firefox  (Windows-specific)
- firefox-esr  (Windows-specific)
 CVE-2017-7781
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7780
RESERVED
-   - firefox 
+   - firefox 55.0-1
 CVE-2017-7779
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7778
RESERVED
@@ -13520,7 +13520,7 @@
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7754
 CVE-2017-7753
RESERVED
-   - firefox 
+   - firefox 55.0-1
- firefox-esr 52.3.0esr-1
 CVE-2017-7752
RESERVED




[Secure-testing-commits] r54483 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 13:40:08 + (Wed, 09 Aug 2017)
New Revision: 54483

Modified:
   data/CVE/list
Log:
esr also fixed


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 13:39:12 UTC (rev 54482)
+++ data/CVE/list   2017-08-09 13:40:08 UTC (rev 54483)
@@ -13235,7 +13235,7 @@
 CVE-2017-7809
RESERVED
- firefox 55.0-1
-   - firefox-esr 
+   - firefox-esr 52.3.0esr-1
 CVE-2017-7808
RESERVED
- firefox 55.0-1




[Secure-testing-commits] r54484 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 13:43:48 + (Wed, 09 Aug 2017)
New Revision: 54484

Modified:
   data/CVE/list
Log:
Process various NFUs

Rebased/merged with jmm's commit

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 13:40:08 UTC (rev 54483)
+++ data/CVE/list   2017-08-09 13:43:48 UTC (rev 54484)
@@ -3830,15 +3830,15 @@
 CVE-2017-11156
RESERVED
 CVE-2017-11155 (An information exposure vulnerability in index.php in Synology 
Photo ...)
-   NOT-FOR-US: Synology
+   NOT-FOR-US: Synology Photo Station
 CVE-2017-11154 (Unrestricted file upload vulnerability in 
PixlrEditorHandler.php in ...)
-   TODO: check
+   NOT-FOR-US: Synology Photo Station
 CVE-2017-11153 (Deserialization vulnerability in synophoto_csPhotoMisc.php in 
Synology ...)
-   NOT-FOR-US: Synology
+   NOT-FOR-US: Synology Photo Station
 CVE-2017-11152 (Directory traversal vulnerability in PixlrEditorHandler.php in 
...)
-   TODO: check
+   NOT-FOR-US: Synology Photo Station
 CVE-2017-11151 (A vulnerability in synotheme_upload.php in Synology Photo 
Station ...)
-   NOT-FOR-US: Synology
+   NOT-FOR-US: Synology Photo Station
 CVE-2017-11150
RESERVED
 CVE-2017-11149
@@ -26287,7 +26287,7 @@
- mysql-5.7  (bug #868798)
- mysql-5.5  (Only affects MySQL 5.6 and 5.7)
 CVE-2017-3632 (Vulnerability in the Solaris component of Oracle Sun Systems 
Products ...)
-   NOT-FOR-US: Oracle
+   NOT-FOR-US: Oracle Solaris
 CVE-2017-3631 (Vulnerability in the Solaris component of Oracle Sun Systems 
Products ...)
NOT-FOR-US: Solaris
 CVE-2017-3630 (Vulnerability in the Solaris component of Oracle Sun Systems 
Products ...)
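Review bot: the changed tag for CVE-2017-3632 now reads "NOT-FOR-US: Oracle Solaris", but the entry directly below it, CVE-2017-3631, carries the same truncated description and is still tagged "NOT-FOR-US: Solaris". This commit is normalising NFU product names, so use one spelling for both entries; otherwise a search for the product name finds only one of them.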
@@ -39380,7 +39380,7 @@
 CVE-2017-0294 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, 
Windows ...)
NOT-FOR-US: Microsoft
 CVE-2017-0293 (Microsoft Windows PDF Library in Windows Server 2008 R2 SP1, 
Windows ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-0292 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, 
Windows ...)
NOT-FOR-US: Microsoft
 CVE-2017-0291 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, 
Windows ...)
@@ -39466,7 +39466,7 @@
 CVE-2017-0251
RESERVED
 CVE-2017-0250 (Microsoft JET Database Engine in Windows Server 2008 SP2 and R2 
SP1, ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-0249 (An elevation of privilege vulnerability exists when the ASP.NET 
Core ...)
NOT-FOR-US: Microsoft
 CVE-2017-0248 (Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 
4.6.2 and ...)
@@ -39618,7 +39618,7 @@
 CVE-2017-0175 (The Windows kernel in Windows Server 2008 SP2 and R2 SP1, and 
Windows ...)
NOT-FOR-US: Microsoft
 CVE-2017-0174 (Windows NetBIOS in Windows Server 2008 SP2 and R2 SP1, Windows 
7 SP1, ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2017-0173 (Microsoft Windows 10 1607 and Windows Server 2016 allow an 
attacker to ...)
NOT-FOR-US: Microsoft
 CVE-2017-0172




[Secure-testing-commits] r54485 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 13:52:06 + (Wed, 09 Aug 2017)
New Revision: 54485

Modified:
   data/CVE/list
Log:
Remove two todo items

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 13:43:48 UTC (rev 54484)
+++ data/CVE/list   2017-08-09 13:52:06 UTC (rev 54485)
@@ -2103,11 +2103,11 @@
 CVE-2017-11755 (The WritePICONImage function in coders/xpm.c in ImageMagick 
7.0.6-4 ...)
- imagemagick  (unimportant)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/634
-   TODO: check, possibly fixed by same commit as issue #631 upstream
+   NOTE: Possibly fixed by same commit as issue #631 upstream
 CVE-2017-11754 (The WritePICONImage function in coders/xpm.c in ImageMagick 
7.0.6-4 ...)
- imagemagick  (unimportant)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/633
-   TODO: check, possibly fixed by same commit as issue #631 upstream
+   NOTE: ossibly fixed by same commit as issue #631 upstream
 CVE-2017-11753 (The GetImageDepth function in MagickCore/attribute.c in 
ImageMagick ...)
- imagemagick 
NOTE: https://github.com/ImageMagick/ImageMagick/issues/629
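Review bot: the second added line, under CVE-2017-11754, reads "NOTE: ossibly fixed by same commit as issue #631 upstream" with the leading "P" dropped; it should match the line added under CVE-2017-11755. Both TODO markers are also converted to NOTE while the wording stays "Possibly", so nothing in the entry flags the open question any more; naming the upstream commit once it is confirmed would close it.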




[Secure-testing-commits] r54486 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 17:35:07 + (Wed, 09 Aug 2017)
New Revision: 54486

Modified:
   data/CVE/list
Log:
Add fixing version for CVE-2017-11468/docker-registry

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 13:52:06 UTC (rev 54485)
+++ data/CVE/list   2017-08-09 17:35:07 UTC (rev 54486)
@@ -2964,7 +2964,7 @@
 CVE-2017-11469 (get2post.php in IDERA Uptime Monitor 7.8 has directory 
traversal in the ...)
NOT-FOR-US: IDERA Uptime Monitor
 CVE-2017-11468 (Docker Registry before 2.6.2 in Docker Distribution does not 
properly ...)
-   - docker-registry  (bug #869242)
+   - docker-registry 2.6.2~ds1-1 (bug #869242)
 CVE-2017-11467 (OrientDB through 2.2.22 does not enforce privilege 
requirements during ...)
NOT-FOR-US: OrientDB
 CVE-2017-11465 (The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 
allows ...)




[Secure-testing-commits] r54487 - data/CVE

2017-08-09 Thread Mattia Rizzolo
Author: mattia
Date: 2017-08-09 18:41:09 + (Wed, 09 Aug 2017)
New Revision: 54487

Modified:
   data/CVE/list
Log:
xchat CVEs

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 17:35:07 UTC (rev 54486)
+++ data/CVE/list   2017-08-09 18:41:09 UTC (rev 54487)
@@ -59571,6 +59571,7 @@
NOTE: https://kb.isc.org/article/AA-01351
 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 
2.11.0 ...)
- hexchat 2.12.4-4 (bug #852275)
+   - xchat 2.8.8-10
[stretch] - hexchat  (Minor issue)
[jessie] - hexchat  (Minor issue)
NOTE: https://www.exploit-db.com/exploits/39656/
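Review bot: the added "- xchat 2.8.8-10" line for CVE-2016-2087 has no per-release line under it, while the hexchat line next to it is followed by [stretch] and [jessie] lines marked "Minor issue". Add the release status for xchat in the same change, or say in the log that the stable releases are still to be triaged, so the entry does not read as fully assessed.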
@@ -87522,7 +87523,7 @@
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-24666
NOTE: http://downloads.digium.com/pub/security/AST-2015-001.html
 CVE-2013-7449 (The ssl_do_connect function in common/server.c in HexChat 
before ...)
-   - xchat  (bug #776609)
+   - xchat 2.8.8-10 (bug #776609)
[jessie] - xchat  (Minor issue)
[squeeze] - xchat  (Minor issue)
[wheezy] - xchat  (Minor issue)




[Secure-testing-commits] r54488 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 18:46:14 + (Wed, 09 Aug 2017)
New Revision: 54488

Modified:
   data/CVE/list
Log:
Sort some entries

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 18:41:09 UTC (rev 54487)
+++ data/CVE/list   2017-08-09 18:46:14 UTC (rev 54488)
@@ -59570,8 +59570,8 @@
- bind9  (Introduced in Bind 9.10)
NOTE: https://kb.isc.org/article/AA-01351
 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 
2.11.0 ...)
+   - xchat 2.8.8-10
- hexchat 2.12.4-4 (bug #852275)
-   - xchat 2.8.8-10
[stretch] - hexchat  (Minor issue)
[jessie] - hexchat  (Minor issue)
NOTE: https://www.exploit-db.com/exploits/39656/
@@ -87525,11 +87525,11 @@
 CVE-2013-7449 (The ssl_do_connect function in common/server.c in HexChat 
before ...)
- xchat 2.8.8-10 (bug #776609)
[jessie] - xchat  (Minor issue)
+   [wheezy] - xchat  (Minor issue)
[squeeze] - xchat  (Minor issue)
-   [wheezy] - xchat  (Minor issue)
- xchat-gnome  (bug #829730)
+   [wheezy] - xchat-gnome  (Minor issue)
[squeeze] - xchat-gnome  (Minor issue)
-   [wheezy] - xchat-gnome  (Minor issue)
- hexchat 2.10.2-1 (bug #818009)
[jessie] - hexchat 2.10.1-1+deb8u1
NOTE: https://github.com/hexchat/hexchat/issues/524




[Secure-testing-commits] r54489 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-09 19:37:56 + (Wed, 09 Aug 2017)
New Revision: 54489

Modified:
   data/CVE/list
Log:
Mark CVE-2017-9799 as NFU

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 18:46:14 UTC (rev 54488)
+++ data/CVE/list   2017-08-09 19:37:56 UTC (rev 54489)
@@ -5975,6 +5975,7 @@
RESERVED
 CVE-2017-9799
RESERVED
+   NOT-FOR-US: Apache Storm
 CVE-2017-9798
RESERVED
 CVE-2017-9797




[Secure-testing-commits] r54490 - data/CVE

2017-08-09 Thread security tracker role
Author: sectracker
Date: 2017-08-09 21:10:19 + (Wed, 09 Aug 2017)
New Revision: 54490

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 19:37:56 UTC (rev 54489)
+++ data/CVE/list   2017-08-09 21:10:19 UTC (rev 54490)
@@ -1,3 +1,163 @@
+CVE-2017-12773
+   RESERVED
+CVE-2017-12772
+   RESERVED
+CVE-2017-12771
+   RESERVED
+CVE-2017-12770
+   RESERVED
+CVE-2017-12769
+   RESERVED
+CVE-2017-12768
+   RESERVED
+CVE-2017-12767
+   RESERVED
+CVE-2017-12766
+   RESERVED
+CVE-2017-12765
+   RESERVED
+CVE-2017-12764
+   RESERVED
+CVE-2017-12763
+   RESERVED
+CVE-2017-12762
+   RESERVED
+CVE-2017-12761
+   RESERVED
+CVE-2017-12760
+   RESERVED
+CVE-2017-12759
+   RESERVED
+CVE-2017-12758
+   RESERVED
+CVE-2017-12757
+   RESERVED
+CVE-2017-12756
+   RESERVED
+CVE-2017-12755
+   RESERVED
+CVE-2017-12754 (Stack buffer overflow in httpd in Asuswrt-Merlin firmware ...)
+   TODO: check
+CVE-2017-12753
+   RESERVED
+CVE-2017-12752
+   RESERVED
+CVE-2017-12751
+   RESERVED
+CVE-2017-12750
+   RESERVED
+CVE-2017-12749
+   RESERVED
+CVE-2017-12748
+   RESERVED
+CVE-2017-12747
+   RESERVED
+CVE-2017-12746
+   RESERVED
+CVE-2017-12745
+   RESERVED
+CVE-2017-12744
+   RESERVED
+CVE-2017-12743
+   RESERVED
+CVE-2017-12742
+   RESERVED
+CVE-2017-12741
+   RESERVED
+CVE-2017-12740
+   RESERVED
+CVE-2017-12739
+   RESERVED
+CVE-2017-12738
+   RESERVED
+CVE-2017-12737
+   RESERVED
+CVE-2017-12736
+   RESERVED
+CVE-2017-12735
+   RESERVED
+CVE-2017-12734
+   RESERVED
+CVE-2017-12733
+   RESERVED
+CVE-2017-12732
+   RESERVED
+CVE-2017-12731
+   RESERVED
+CVE-2017-12730
+   RESERVED
+CVE-2017-12729
+   RESERVED
+CVE-2017-12728
+   RESERVED
+CVE-2017-12727
+   RESERVED
+CVE-2017-12726
+   RESERVED
+CVE-2017-12725
+   RESERVED
+CVE-2017-12724
+   RESERVED
+CVE-2017-12723
+   RESERVED
+CVE-2017-12722
+   RESERVED
+CVE-2017-12721
+   RESERVED
+CVE-2017-12720
+   RESERVED
+CVE-2017-12719
+   RESERVED
+CVE-2017-12718
+   RESERVED
+CVE-2017-12717
+   RESERVED
+CVE-2017-12716
+   RESERVED
+CVE-2017-12715
+   RESERVED
+CVE-2017-12714
+   RESERVED
+CVE-2017-12713
+   RESERVED
+CVE-2017-12712
+   RESERVED
+CVE-2017-12711
+   RESERVED
+CVE-2017-12710
+   RESERVED
+CVE-2017-12709
+   RESERVED
+CVE-2017-12708
+   RESERVED
+CVE-2017-12707
+   RESERVED
+CVE-2017-12706
+   RESERVED
+CVE-2017-12705
+   RESERVED
+CVE-2017-12704
+   RESERVED
+CVE-2017-12703
+   RESERVED
+CVE-2017-12702
+   RESERVED
+CVE-2017-12701
+   RESERVED
+CVE-2017-12700
+   RESERVED
+CVE-2017-12699
+   RESERVED
+CVE-2017-12698
+   RESERVED
+CVE-2017-12697
+   RESERVED
+CVE-2017-12696
+   RESERVED
+CVE-2017-12695
+   RESERVED
+CVE-2017-12694
+   RESERVED
 CVE-2017-1000101 [URL globbing out of bounds read]
- curl  (bug #871554)
NOTE: https://curl.haxx.se/docs/adv_20170809A.html
@@ -2875,8 +3035,8 @@
RESERVED
 CVE-2017-11507
RESERVED
-CVE-2017-11506
-   RESERVED
+CVE-2017-11506 (When linking a Nessus scanner or agent to Tenable.io or other 
manager, ...)
+   TODO: check
 CVE-2017-11565 (debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package 
for Tor was ...)
- tor  (bug #869153)
[stretch] - tor  (Minor issue)
@@ -3245,8 +3405,7 @@
RESERVED
 CVE-2017-11369
RESERVED
-CVE-2017-11368 [Invalid S4U2Self or S4U2Proxy request causes assertion failure]
-   RESERVED
+CVE-2017-11368 (In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated 
attacker ...)
- krb5 1.15.1-2 (bug #869260)
[stretch] - krb5  (Minor issue; can be fixed along with a 
future DSA)
[jessie] - krb5  (Minor issue; can be fixed along with a future 
DSA)
@@ -8360,7 +8519,7 @@
NOT-FOR-US: Palo Alto Networks PAN-OS
 CVE-2017-9458
RESERVED
-CVE-2017-9457 (Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware 
does not ...)
+CVE-2017-9457 (Intense PC Phoenix SecureCore UEFI firmware does not perform 
capsule ...)
NOT-FOR-US: Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware
 CVE-2017-9456
RESERVED
@@ -8646,8 +8805,8 @@
NOTE: Fixed by: 
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d68f0f778e7f4fbd674627274267f269e40f0b04
 CVE-2017-9371
RESERVED
-CVE-2017-9370
-   RESERVED
+CVE-2017-9370 (An information disclosure / elevation of privilege 
vulnerability in ...)
+   TODO: check
 CVE-2017-9369
RESERVED
 CVE-2017-9368
@@ -19784,10 +19943,10 @@
NOT-FOR-US: Intel
 CVE-2017-5696
RESERVED
-CVE-2017-5695
-   RESERVED
-CVE-2017-5694
-   RESERVED
+CVE-2017-5695 (Data corruption vulnerabil

[Secure-testing-commits] r54491 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 21:11:11 + (Wed, 09 Aug 2017)
New Revision: 54491

Modified:
   data/CVE/list
Log:
xchat no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 21:10:19 UTC (rev 54490)
+++ data/CVE/list   2017-08-09 21:11:11 UTC (rev 54491)
@@ -59731,6 +59731,7 @@
NOTE: https://kb.isc.org/article/AA-01351
 CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 
2.11.0 ...)
- xchat 2.8.8-10
+   [jessie] - xchat  (Minor issue)
- hexchat 2.12.4-4 (bug #852275)
[stretch] - hexchat  (Minor issue)
[jessie] - hexchat  (Minor issue)




[Secure-testing-commits] r54492 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 21:19:00 + (Wed, 09 Aug 2017)
New Revision: 54492

Modified:
   data/CVE/list
Log:
puppet n/a
NFUs


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 21:11:11 UTC (rev 54491)
+++ data/CVE/list   2017-08-09 21:19:00 UTC (rev 54492)
@@ -3036,7 +3036,7 @@
 CVE-2017-11507
RESERVED
 CVE-2017-11506 (When linking a Nessus scanner or agent to Tenable.io or other 
manager, ...)
-   TODO: check
+   NOT-FOR-US: Nessus
 CVE-2017-11565 (debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package 
for Tor was ...)
- tor  (bug #869153)
[stretch] - tor  (Minor issue)
@@ -8806,7 +8806,7 @@
 CVE-2017-9371
RESERVED
 CVE-2017-9370 (An information disclosure / elevation of privilege 
vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: BlackBerry
 CVE-2017-9369
RESERVED
 CVE-2017-9368
@@ -19944,9 +19944,9 @@
 CVE-2017-5696
RESERVED
 CVE-2017-5695 (Data corruption vulnerability in firmware in Intel Solid-State 
Drive ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2017-5694 (Data corruption vulnerability in firmware in Intel Solid-State 
Drive ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2017-5693
RESERVED
 CVE-2017-5692
@@ -31879,7 +31879,7 @@
 CVE-2017-1449
RESERVED
 CVE-2017-1448 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x 
could ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1447
RESERVED
 CVE-2017-1446
@@ -32061,7 +32061,7 @@
 CVE-2017-1358
RESERVED
 CVE-2017-1357 (IBM Maximo Asset Management 7.5 and 7.6 could allow an 
authenticated ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2017-1356
RESERVED
 CVE-2017-1355
@@ -37188,7 +37188,7 @@
 CVE-2016-8950 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to 
cross-site ...)
NOT-FOR-US: IBM
 CVE-2016-8949 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x 
could ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2016-8948 (IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to 
cross-site ...)
NOT-FOR-US: IBM
 CVE-2016-8947 (IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote 
...)
@@ -47798,7 +47798,7 @@
 CVE-2016-5717
RESERVED
 CVE-2016-5716 (The console in Puppet Enterprise 2015.x and 2016.x prior to 
2016.4.0 ...)
-   TODO: check
+   - puppet  (Limited to Puppet Enterprise)
 CVE-2016-5715 (Open redirect vulnerability in the Console in Puppet Enterprise 
2015.x ...)
- puppet  (Limited to Puppet Enterprise)
 CVE-2016-5714
@@ -68539,7 +68539,7 @@
 CVE-2015-7895 (Samsung Gallery on the Samsung Galaxy S6 allows local users to 
cause a ...)
NOT-FOR-US: Samsung
 CVE-2015-7894 (The DCMProvider service in Samsung LibQjpeg on a Samsung 
SM-G925V ...)
-   TODO: check
+   NOT-FOR-US: Samsung
 CVE-2015-7893 (SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email 
content, ...)
NOT-FOR-US: Samsung
 CVE-2015-7892




[Secure-testing-commits] r54493 - data

2017-08-09 Thread Michael Banck
Author: mbanck
Date: 2017-08-09 21:27:07 + (Wed, 09 Aug 2017)
New Revision: 54493

Modified:
   data/dla-needed.txt
Log:
update/claim postgresql-9.1 for LTS

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-09 21:19:00 UTC (rev 54492)
+++ data/dla-needed.txt 2017-08-09 21:27:07 UTC (rev 54493)
@@ -150,11 +150,12 @@
   NOTE: yet. two more issues fixed upstream, but not in a release nor
   NOTE: unstable.
 --
-postgresql-9.1 (Christoph Berg)
+postgresql-9.1 (Michael Banck)
   NOTE: maintainer will give it a try tomorrow (2017-05-28)
   NOTE: 20170708: This issue cannot be backported to postgresql-9.1 because
   NOTE: 20170708: 9.1 does nothave the leak-proof function feature that the
   NOTE: 20170708: fix depends on. (lamby)
+  NOTE: 20170809: CVE-2017-7484 is not affected (mbanck)
 --
 qemu (Guido Günther)
   NOTE: see qemu-kvm below
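Review bot: the claimant changes from Christoph Berg to Michael Banck, but the first note, "maintainer will give it a try tomorrow (2017-05-28)", is left in place and now reads as if it referred to the new claimant; drop it or mark whom it refers to. The added note "CVE-2017-7484 is not affected" is also ambiguous as worded: state that postgresql-9.1 is not affected by CVE-2017-7484 and give the reason, as the 20170708 note does.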



[Secure-testing-commits] r54494 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 22:21:21 + (Wed, 09 Aug 2017)
New Revision: 54494

Modified:
   data/CVE/list
Log:
neutron n/a


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 21:27:07 UTC (rev 54493)
+++ data/CVE/list   2017-08-09 22:21:21 UTC (rev 54494)
@@ -14354,9 +14354,8 @@
RESERVED
 CVE-2017-7543 [iptables not active after update]
RESERVED
-   - neutron 
+   - neutron  (Specific to Red Hat packaging)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473792
-   TODO: check
 CVE-2017-7542 (The ip6_find_1stfragopt function in net/ipv6/output_core.c in 
the Linux ...)
{DSA-3927-1}
- linux 




[Secure-testing-commits] r54495 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 22:52:04 + (Wed, 09 Aug 2017)
New Revision: 54495

Modified:
   data/CVE/list
Log:
wildmidi no-dsa/not-affected
mame doesn't embed libnosefart in mame (checked jessie and stretch)
jetty no-dsa
mcollective no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 22:21:21 UTC (rev 54494)
+++ data/CVE/list   2017-08-09 22:52:04 UTC (rev 54495)
@@ -2554,24 +2554,32 @@
 CVE-2017-11664
RESERVED
- wildmidi 
+   [stretch] - wildmidi  (Minor issue)
+   [jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11663
RESERVED
- wildmidi 
+   [stretch] - wildmidi  (Minor issue)
+   [jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11662
RESERVED
- wildmidi 
+   [stretch] - wildmidi  (Minor issue)
+   [jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11661
RESERVED
- wildmidi 
+   [stretch] - wildmidi  (Minor issue)
+   [jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
NOTE: http://seclists.org/fulldisclosure/2017/Aug/12
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
@@ -4265,11 +4273,8 @@
 CVE-2017-11120
RESERVED
 CVE-2017-9 (The chk_mem_access function in cpu/nes6502/nes6502.c in 
libnosefart.a ...)
-   - mame 
- xine-lib-1.2  (it is built with --disable-nosefart)
- xine-lib  (it is built with --disable-nosefart)
-   TODO: check
-   NOTE: mame is probably not affected
 CVE-2017-8 (The ExifImageFile::readImage function in ExifImageFileRead.cpp 
in ...)
NOT-FOR-US: OpenExif
 CVE-2017-7 (The ExifImageFile::readDHT function in ExifImageFileRead.cpp 
in ...)
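Review bot: the "- mame" line and the note "mame is probably not affected" are removed from the libnosefart entry, and the finding that replaces them (mame does not embed the library, checked in jessie and stretch) is recorded only in the commit log. Keep a NOTE in the entry stating that result, in the way the xine-lib lines carry "it is built with --disable-nosefart", so the list itself shows why mame is no longer tracked here.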
@@ -7846,8 +7851,11 @@
 CVE-2017-9735 (Jetty through 9.4.x is prone to a timing channel in ...)
{DLA-1021-1 DLA-1020-1}
- jetty9 9.2.22-1 (bug #864898)
+   [stretch] - jetty9  (Minor issue)
- jetty8 
+   [jessie] - jetty8  (Minor issue)
- jetty 
+   [jessie] - jetty  (Minor issue)
NOTE: https://github.com/eclipse/jetty.project/issues/1556
NOTE: 
https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02
NOTE: 
https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58
@@ -30189,6 +30197,7 @@
RESERVED
 CVE-2017-2292 (Versions of MCollective prior to 2.10.4 deserialized YAML from 
agents ...)
- mcollective  (bug #866711)
+   [jessie] - mcollective  (Minor issue)
NOTE: https://puppet.com/security/cve/cve-2017-2292
NOTE: 
https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0
 CVE-2017-2291
@@ -57174,6 +57183,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/03/02/8
 CVE-2016-2788 (MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet ...)
- mcollective  (bug #850968)
+   [jessie] - mcollective  (Minor issue)
NOTE: https://puppet.com/security/cve/cve-2016-2788
NOTE: 
https://github.com/puppetlabs/marionette-collective/commit/4918a0f136aea04452b48a1ba29eb9aabcf5c97d
 CVE-2016-2787 (The Puppet Communications Protocol in Puppet Enterprise 
2015.3.x ...)




[Secure-testing-commits] r54496 - data

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 22:54:45 + (Wed, 09 Aug 2017)
New Revision: 54496

Modified:
   data/dsa-needed.txt
Log:
add tcpdump to dsa-needed


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-09 22:52:04 UTC (rev 54495)
+++ data/dsa-needed.txt 2017-08-09 22:54:45 UTC (rev 54496)
@@ -57,6 +57,9 @@
 --
 phpmyadmin
 --
+tcpdump
+  wait until next release (which is expected to fix additional issues)
+--
 wireshark (seb)
   2017-05-13: asked balint@ if he wants to prepare an update now
   2017-07-28: re-ping balint@




[Secure-testing-commits] r54497 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 22:55:41 + (Wed, 09 Aug 2017)
New Revision: 54497

Modified:
   data/CVE/list
Log:
yara no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 22:54:45 UTC (rev 54496)
+++ data/CVE/list   2017-08-09 22:55:41 UTC (rev 54497)
@@ -3581,6 +3581,8 @@
NOT-FOR-US: Android
 CVE-2017-11328 (Heap buffer overflow in the yr_object_array_set_item() 
function in ...)
- yara 3.6.3+dfsg-1
+   [stretch] - yara  (Minor issue)
+   [jessie] - yara  (Minor issue)
NOTE: Fixed by: 
https://github.com/VirusTotal/yara/commit/4a342f01e5439b9bb901aff1c6c23c536baeeb3f
 CVE-2017-11327 (An issue was discovered in Tilde CMS 1.0.1. It is possible to 
retrieve ...)
NOT-FOR-US: Tilde CMS




[Secure-testing-commits] r54498 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 22:59:52 + (Wed, 09 Aug 2017)
New Revision: 54498

Modified:
   data/CVE/list
Log:
minidjvu unimportant
  - just a crash in a CLI tool (and an unused library)


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 22:55:41 UTC (rev 54497)
+++ data/CVE/list   2017-08-09 22:59:52 UTC (rev 54498)
@@ -790,23 +790,23 @@
RESERVED
 CVE-2017-12445
RESERVED
-   - minidjvu  (bug #871495)
+   - minidjvu  (unimportant; bug #871495)
NOTE: https://sourceforge.net/p/minidjvu/bugs/8/
 CVE-2017-12444
RESERVED
-   - minidjvu  (bug #871495)
+   - minidjvu  (unimportant; bug #871495)
NOTE: https://sourceforge.net/p/minidjvu/bugs/8/
 CVE-2017-12443
RESERVED
-   - minidjvu  (bug #871495)
+   - minidjvu  (unimportant; bug #871495)
NOTE: https://sourceforge.net/p/minidjvu/bugs/8/
 CVE-2017-12442
RESERVED
-   - minidjvu  (bug #871495)
+   - minidjvu  (unimportant; bug #871495)
NOTE: https://sourceforge.net/p/minidjvu/bugs/8/
 CVE-2017-12441
RESERVED
-   - minidjvu  (bug #871495)
+   - minidjvu  (unimportant; bug #871495)
NOTE: https://sourceforge.net/p/minidjvu/bugs/8/
 CVE-2017-12440
RESERVED
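Review bot: all five minidjvu lines are switched to "unimportant", but the justification ("just a crash in a CLI tool") exists only in the commit log. Add a NOTE with that reason under the entries so the basis for the severity is visible in the list itself.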




[Secure-testing-commits] r54499 - data

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 23:02:04 + (Wed, 09 Aug 2017)
New Revision: 54499

Modified:
   data/dsa-needed.txt
Log:
add ioquake to dsa-needed


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-09 22:59:52 UTC (rev 54498)
+++ data/dsa-needed.txt 2017-08-09 23:02:04 UTC (rev 54499)
@@ -30,6 +30,8 @@
 imagemagick
   wait until more issues have piled up
 --
+ioquake3
+--
 libav/oldstable
   several issues unfixed upstream
 --




[Secure-testing-commits] r54500 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 23:08:09 + (Wed, 09 Aug 2017)
New Revision: 54500

Modified:
   data/CVE/list
Log:
libvorbis no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 23:02:04 UTC (rev 54499)
+++ data/CVE/list   2017-08-09 23:08:09 UTC (rev 54500)
@@ -2330,7 +2330,9 @@
 CVE-2017-11736 (SQL injection vulnerability in ...)
NOT-FOR-US: BigTree CMS
 CVE-2017-11735 (The vorbis_block_clear function in lib/block.c in Xiph.Org 
libvorbis ...)
-   - libvorbis  (bug #870342)
+   - libvorbis  (low; bug #870342)
+   [stretch] - libvorbis  (Minor issue)
+   [jessie] - libvorbis  (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2017/Jul/82
 CVE-2017-11734 (A heap-based buffer over-read was found in the function ...)
- ming 
@@ -3558,7 +3560,9 @@
- qemu-kvm 
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg03775.html
 CVE-2017-11333 (The vorbis_analysis_wrote function in lib/block.c in Xiph.Org 
libvorbis ...)
-   - libvorbis  (bug #870341)
+   - libvorbis  (low; bug #870341)
+   [stretch] - libvorbis  (Minor issue)
+   [jessie] - libvorbis  (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2017/Jul/82
 CVE-2017-11332 (The startread function in wav.c in Sound eXchange (SoX) 14.4.2 
allows ...)
- sox  (bug #870328)




[Secure-testing-commits] r54501 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-09 23:14:15 + (Wed, 09 Aug 2017)
New Revision: 54501

Modified:
   data/CVE/list
Log:
wildmidi bug
quagga no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 23:08:09 UTC (rev 54500)
+++ data/CVE/list   2017-08-09 23:14:15 UTC (rev 54501)
@@ -2555,7 +2555,7 @@
NOTE: Fixed in 3.2.7
 CVE-2017-11664
RESERVED
-   - wildmidi 
+   - wildmidi  (low; bug #871616)
[stretch] - wildmidi  (Minor issue)
[jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
@@ -2563,7 +2563,7 @@
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11663
RESERVED
-   - wildmidi 
+   - wildmidi  (low; bug #871616)
[stretch] - wildmidi  (Minor issue)
[jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
@@ -2571,7 +2571,7 @@
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11662
RESERVED
-   - wildmidi 
+   - wildmidi  (low; bug #871616)
[stretch] - wildmidi  (Minor issue)
[jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
@@ -2579,7 +2579,7 @@
NOTE: 
https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
 CVE-2017-11661
RESERVED
-   - wildmidi 
+   - wildmidi  (low; bug #871616)
[stretch] - wildmidi  (Minor issue)
[jessie] - wildmidi  (vulnerable code not present)
[wheezy] - wildmidi  (vulnerable code not present)
@@ -27658,7 +27658,9 @@
RESERVED
 CVE-2017-3224 [OSPF implementation improperly determines LSA recency 
(VU#793496)]
RESERVED
-   - quagga 
+   - quagga  (low)
+   [stretch] - quagga  (Minor issue)
+   [jessie] - quagga  (Minor issue)
NOTE: http://www.kb.cert.org/vuls/id/793496
 CVE-2017-3223
RESERVED




[Secure-testing-commits] r54502 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-10 00:48:03 + (Thu, 10 Aug 2017)
New Revision: 54502

Modified:
   data/CVE/list
Log:
quagga bug


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-09 23:14:15 UTC (rev 54501)
+++ data/CVE/list   2017-08-10 00:48:03 UTC (rev 54502)
@@ -27658,7 +27658,7 @@
RESERVED
 CVE-2017-3224 [OSPF implementation improperly determines LSA recency 
(VU#793496)]
RESERVED
-   - quagga  (low)
+   - quagga  (low; bug #871617)
[stretch] - quagga  (Minor issue)
[jessie] - quagga  (Minor issue)
NOTE: http://www.kb.cert.org/vuls/id/793496




[Secure-testing-commits] r54503 - in data: . DSA

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-10 02:53:14 + (Thu, 10 Aug 2017)
New Revision: 54503

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
firefox-esr DSA


Modified: data/DSA/list
===
--- data/DSA/list   2017-08-10 00:48:03 UTC (rev 54502)
+++ data/DSA/list   2017-08-10 02:53:14 UTC (rev 54503)
@@ -1,3 +1,7 @@
+[10 Aug 2017] DSA-3928-1 firefox-esr - security update
+   {CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785 CVE-2017-7786 
CVE-2017-7787 CVE-2017-7791 CVE-2017-7792 CVE-2017-7798 CVE-2017-7800 
CVE-2017-7801 CVE-2017-7802 CVE-2017-7803 CVE-2017-7807 CVE-2017-7809}
+   [jessie] - firefox-esr 52.3.0esr-1~deb8u1
+   [stretch] - firefox-esr 52.3.0esr-1~deb9u1
 [07 Aug 2017] DSA-3927-1 linux - security update
{CVE-2017-7346 CVE-2017-7482 CVE-2017-7533 CVE-2017-7541 CVE-2017-7542 
CVE-2017-9605 CVE-2017-10810 CVE-2017-10911 CVE-2017-11176 CVE-2017-1000365}
[stretch] - linux 4.9.30-2+deb9u3

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2017-08-10 00:48:03 UTC (rev 54502)
+++ data/dsa-needed.txt 2017-08-10 02:53:14 UTC (rev 54503)
@@ -16,8 +16,6 @@
 --
 ffmpeg/stable
 --
-firefox-esr
---
 freeradius (seb)
   Maintainer proposed to do an update, send a debdiff which needs review
   and advise for changelog




[Secure-testing-commits] r54504 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-10 02:59:38 + (Thu, 10 Aug 2017)
New Revision: 54504

Modified:
   data/CVE/list
Log:
podofo no-dsa
libsndfile no-dsa
libmad no-dsa
jasper n/a and unimportant
ruby-rack-cors n/a in jessie


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 02:53:14 UTC (rev 54503)
+++ data/CVE/list   2017-08-10 02:59:38 UTC (rev 54504)
@@ -2917,7 +2917,9 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1471772
TODO: check
 CVE-2017-11552 (The mad_decoder_run function in decoder.c in libmad 0.15.1b 
allows ...)
-   - libmad  (bug #870406)
+   - libmad  (low; bug #870406)
+   [stretch] - libmad  (Minor issue)
+   [jessie] - libmad  (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2017/Jul/94
 CVE-2017-11551 (The id3_field_parse function in field.c in libid3tag 0.15.1b 
allows ...)
- libid3tag  (bug #870333)
@@ -3862,6 +3864,8 @@
 CVE-2017-12562 (Heap-based Buffer Overflow in the psf_binheader_writef 
function in ...)
{DLA-1049-1}
- libsndfile 1.0.28-3 (bug #869166)
+   [stretch] - libsndfile  (Minor issue)
+   [jessie] - libsndfile  (Minor issue)
NOTE: https://github.com/erikd/libsndfile/issues/292
NOTE: 
https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8
 CVE-2017-11196 (Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout 
function ...)
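
Review bot: The two lines added for libsndfile under CVE-2017-12562 give only "Minor issue" as the reason, but the entry describes a heap-based buffer overflow and already carries {DLA-1049-1}, so wheezy received a fix while stretch and jessie are deferred. A short NOTE stating why the newer releases do not warrant a DSA would make the differing treatment reviewable later.
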
@@ -3916,6 +3920,7 @@
NOT-FOR-US: XOOPS
 CVE-2017-11173 (Missing anchor in generated regex for rack-cors before 0.4.1 
allows a ...)
- ruby-rack-cors 0.4.1-1
+   [jessie] - ruby-rack-cors  (Vulnerable code not present)
 CVE-2017-11172
RESERVED
 CVE-2017-196
@@ -10782,6 +10787,8 @@
NOT-FOR-US: Accellion FTA devices
 CVE-2017-8787 (The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry 
function in ...)
- libpodofo  (bug #861738)
+   [stretch] - libpodofo  (Minor issue)
+   [jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
NOTE: Possible unspecified impact. Needs further analysis.
NOTE: Proposed patch (for wheezy) attached to bug #861738.
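
Review bot: The added stretch and jessie lines for CVE-2017-8787 say "Minor issue", yet the NOTE two lines below still reads "Possible unspecified impact. Needs further analysis." Either record the outcome of that analysis in the NOTE or drop it, so that the severity call and the note do not contradict each other.
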
@@ -11741,6 +11748,8 @@
NOTE: Fixed by: 
http://git.qemu.org/?p=qemu.git;a=commit;h=fa18f36a461984eae50ab957e47ec78dae3c14fc
 CVE-2017-8378 (Heap-based buffer overflow in the PdfParser::ReadObjects 
function in ...)
- libpodofo  (bug #861597)
+   [stretch] - libpodofo  (Minor issue)
+   [jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
NOTE: 
https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects
NOTE: Proposed patch (for wheezy) attached to bug #861597.
@@ -12624,6 +12633,8 @@
NOT-FOR-US: WatchGuard
 CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in 
PdfPageTree.cpp:464 ...)
- libpodofo  (bug #860995)
+   [stretch] - libpodofo  (Minor issue)
+   [jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
NOTE: The motivation for no-dsa in wheezy is that there are no known
NOTE: services that use this library (apart from desktop applications)
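
Review bot: The context NOTE in the CVE-2017-8054 entry explains the no-dsa motivation "in wheezy" only, while this hunk gives stretch and jessie the same "Minor issue" status. Reword the NOTE to cover all three releases if the same reasoning applies, otherwise the rationale for the two new lines is undocumented.
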
@@ -12632,6 +12643,8 @@
NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC
 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and 
stack ...)
- libpodofo  (bug #860994)
+   [stretch] - libpodofo  (Minor issue)
+   [jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
NOTE: http://openwall.com/lists/oss-security/2017/04/22/1
NOTE: The motivation for no-dsa in wheezy is that there are no known
@@ -12757,6 +12770,7 @@
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1033948
 CVE-2017-7994 (The function TextExtractor::ExtractText in TextExtractor.cpp:77 
in ...)
- libpodofo  (bug #860930)
+   [stretch] - libpodofo  (Minor issue)
[jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
NOTE: https://github.com/icepng/PoC/tree/master/PoC1
@@ -14996,35 +15010,41 @@
 CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows 
remote ...)
{DLA-968-1}
- libpodofo 0.9.4-6 (bug #859329)
+   [jessie] - libpodofo  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848
 CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows 
remote ...)
{DLA-968-1}
- libpodofo 0.9.4-6 (bug #859329)
+   [jessie] - libpodofo  (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/04/01/3
NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3
NOTE: upstre

[Secure-testing-commits] r54505 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 03:14:40 + (Thu, 10 Aug 2017)
New Revision: 54505

Modified:
   data/CVE/list
Log:
CVE-2015-7764/lemur

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 02:59:38 UTC (rev 54504)
+++ data/CVE/list   2017-08-10 03:14:40 UTC (rev 54505)
@@ -69017,7 +69017,7 @@
- php5 5.6.14+dfsg-1 (low)
NOTE: https://bugs.php.net/bug.php?id=69720
 CVE-2015-7764 (Lemur 0.1.4 does not use sufficient entropy in its IV when 
encrypting ...)
-   TODO: check
+   - lemur  (bug #809533)
 CVE-2015-7763 (rx/rx.c in OpenAFS 1.5.75 through 1.5.78, 1.6.x before 1.6.15, 
and ...)
{DSA-3387-1 DLA-342-1}
- openafs 1.6.15-1




[Secure-testing-commits] r54506 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 03:14:50 + (Thu, 10 Aug 2017)
New Revision: 54506

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 03:14:40 UTC (rev 54505)
+++ data/CVE/list   2017-08-10 03:14:50 UTC (rev 54506)
@@ -37,7 +37,7 @@
 CVE-2017-12755
RESERVED
 CVE-2017-12754 (Stack buffer overflow in httpd in Asuswrt-Merlin firmware ...)
-   TODO: check
+   NOT-FOR-US: Asuswrt-Merlin firmware
 CVE-2017-12753
RESERVED
 CVE-2017-12752
@@ -46696,7 +46696,7 @@
 CVE-2016-6122 (IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 discloses 
answers to ...)
NOT-FOR-US: IBM
 CVE-2016-6121 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x is 
...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2016-6120
RESERVED
 CVE-2016-6119
@@ -84693,7 +84693,7 @@
 CVE-2015-2292 (Multiple SQL injection vulnerabilities in ...)
NOT-FOR-US: WordPress plugin wordpress-seo
 CVE-2015-2291 ((1) IQVW32.sys before 1.3.1.0 and (2) IQVW64.sys before 1.3.1.0 
in the ...)
-   TODO: check
+   NOT-FOR-US: Intel Ethernet diagnostics driver for Windows
 CVE-2015-2290
RESERVED
 CVE-2015-2288
@@ -92148,7 +92148,7 @@
 CVE-2014-9263 (Multiple buffer overflows in the ...)
NOT-FOR-US: 3S Pocketnet Tech VMS
 CVE-2014-9262 (The Duplicator plugin in Wordpress before 0.5.10 allows remote 
...)
-   TODO: check
+   NOT-FOR-US: Duplicator plugin in Wordpress
 CVE-2014-9261 (The sanitize function in Codoforum 2.5.1 does not properly 
implement ...)
NOT-FOR-US: Codoforum
 CVE-2014-9260 (The basic_settings function in the download manager plugin for 
...)
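
Review bot: The new tag for CVE-2014-9262, "NOT-FOR-US: Duplicator plugin in Wordpress", departs from the form already used in this file for the same product family, for example "NOT-FOR-US: WordPress plugin wordpress-seo" in the context of the previous hunk. Suggest "NOT-FOR-US: WordPress plugin Duplicator" so that wording and capitalisation stay consistent.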




[Secure-testing-commits] r54507 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 03:18:10 + (Thu, 10 Aug 2017)
New Revision: 54507

Modified:
   data/CVE/list
Log:
Process NFUs

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 03:14:50 UTC (rev 54506)
+++ data/CVE/list   2017-08-10 03:18:10 UTC (rev 54507)
@@ -90050,19 +90050,19 @@
 CVE-2015-0787 (XSS in NetIQ Designer for Identity Manager before 4.5.3 allows 
remote ...)
NOT-FOR-US: NetIQ Designer for Identity Manager
 CVE-2015-0786 (Stack-based buffer overflow in the logging functionality in the 
...)
-   TODO: check
+   NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0785 (com.novell.zenworks.inventory.rtr.actionclasses.wcreports in 
Novell ...)
-   TODO: check
+   NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0784 (Rtrlet.class in Novell ZENworks Configuration Management (ZCM) 
allows ...)
-   TODO: check
+   NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0783 (The FileViewer class in Novell ZENworks Configuration 
Management (ZCM) ...)
-   TODO: check
+   NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0782 (SQL injection vulnerability in the ScheduleQuery method of the 
...)
-   TODO: check
+   NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0781 (Directory traversal vulnerability in the doPost method of the 
Rtrlet ...)
-   TODO: check
+   NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0780 (SQL injection vulnerability in the GetReRequestData method of 
the ...)
-   TODO: check
+   NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0779 (Directory traversal vulnerability in UploadServlet in Novell 
ZENworks ...)
NOT-FOR-US: Novell ZENworks Configuration Management
 CVE-2015-0778 (osc before 0.151.0 allows remote attackers to execute arbitrary 
...)




[Secure-testing-commits] r54508 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 03:22:12 + (Thu, 10 Aug 2017)
New Revision: 54508

Modified:
   data/CVE/list
Log:
Process 2012 ffmpeg CVEs

All fixed with the reintroduction to Debian, included with the unstable
upload as 7:2.4.1-1

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 03:18:10 UTC (rev 54507)
+++ data/CVE/list   2017-08-10 03:22:12 UTC (rev 54508)
@@ -147035,15 +147035,15 @@
 CVE-2012-2782 (Unspecified vulnerability in the decode_slice_header function 
in ...)
- libav  (Doesn't affect libav)
 CVE-2012-2781 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown 
impact ...)
-   TODO: check
+   - ffmpeg 7:2.4.1-1
 CVE-2012-2780 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown 
impact ...)
-   TODO: check
+   - ffmpeg 7:2.4.1-1
 CVE-2012-2779 (Unspecified vulnerability in the decode_frame function in ...)
- ffmpeg 7:2.4.1-1
[squeeze] - ffmpeg  (Vulnerable code not present, bug 
#688849)
- libav 6:0.8.4-1 (bug #688847)
 CVE-2012-2778 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown 
impact ...)
-   TODO: check
+   - ffmpeg 7:2.4.1-1
 CVE-2012-2777 (Unspecified vulnerability in the decode_pic function in ...)
{DSA-2624-1}
[squeeze] - ffmpeg 4:0.5.9-1 (bug #688849)
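
Review bot: The entries changed in this hunk (CVE-2012-2781, CVE-2012-2780, CVE-2012-2778) receive only "- ffmpeg 7:2.4.1-1", while the neighbouring CVE-2012-2779 also records a libav line and a [squeeze] line. If libav was checked for these CVEs, add the corresponding libav lines; if not, a NOTE saying so would keep the entries from reading as fully triaged.
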
@@ -147063,13 +147063,13 @@
NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=59a4b73531428d2f420b4dad545172c8483ced0f
NOTE: patch proposed: http://patches.libav.org/patch/32644/
 CVE-2012-2773 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown 
impact ...)
-   TODO: check
+   - ffmpeg 7:2.4.1-1
 CVE-2012-2772 (Unspecified vulnerability in the ff_rv34_decode_frame function 
in ...)
- ffmpeg 7:2.4.1-1
[squeeze] - ffmpeg  (Vulnerable code not present, bug 
#688849)
- libav 6:0.8.4-1 (bug #688847)
 CVE-2012-2771 (Unspecified vulnerability in FFmpeg before 0.10.3 has unknown 
impact ...)
-   TODO: check
+   - ffmpeg 7:2.4.1-1
 CVE-2012-2770 (The Authen::ExternalAuth extension before 0.11 for Best 
Practical ...)
- rt-authen-externalauth 0.10-2 (bug #683288)
 CVE-2012-2769 (Multiple cross-site scripting (XSS) vulnerabilities in the 
topic ...)




[Secure-testing-commits] r54509 - data

2017-08-09 Thread Roberto C. Sanchez
Author: roberto
Date: 2017-08-10 03:38:53 + (Thu, 10 Aug 2017)
New Revision: 54509

Modified:
   data/dla-needed.txt
Log:
Release lock on tiff/tiff3

Modified: data/dla-needed.txt
===
--- data/dla-needed.txt 2017-08-10 03:22:12 UTC (rev 54508)
+++ data/dla-needed.txt 2017-08-10 03:38:53 UTC (rev 54509)
@@ -185,13 +185,9 @@
   NOTE: new upstream release 4.9.1 fixed CVE-2017-11108 but new CVEs
   NOTE: came out, sync with secur...@tcpdump.org and team@security.d.o?
 --
-tiff (Roberto C. Sánchez)
-  NOTE: 20170711, Version 4.0.2-6+deb7u14 fixes CVE-2017-9936 and 
CVE-2017-10688 (DLA-1022-1)
-  NOTE: CVE-2017-9935 is still unresolved upstream
+tiff
 --
-tiff3 (Roberto C. Sánchez)
-  NOTE: 20170711, Version 3.9.6-11+deb7u7 fixes CVE-2017-9936 (DLA-1023-1)
-  NOTE: CVE-2017-9935 is still unresolved upstream
+tiff3
 --
 wireshark
 --
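
Review bot: Releasing the lock on tiff and tiff3 also deletes the NOTE lines, including "CVE-2017-9935 is still unresolved upstream". Only the claimant name needs to go; keeping the NOTEs under the bare "tiff" and "tiff3" entries would tell the next person what DLA-1022-1 and DLA-1023-1 already covered and what is still open.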



[Secure-testing-commits] r54510 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 03:45:37 + (Thu, 10 Aug 2017)
New Revision: 54510

Modified:
   data/CVE/list
Log:
Correct tracking for CVE-2017-11590

Correct the initial triaging (done by me, so blame on me). Although the
original report triggers the issue in the caseless_hash function,
which is only introduced in a later version, the root cause lies within the
gxps_archive_initable_init function. A pathname is dereferenced before
checking for NULL.

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 03:38:53 UTC (rev 54509)
+++ data/CVE/list   2017-08-10 03:45:37 UTC (rev 54510)
@@ -2819,10 +2819,9 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473888
 CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash 
function in ...)
- libgxps  (bug #870183)
-   [stretch] - libgxps  (Vulnerable function introduced 
later)
-   [jessie] - libgxps  (Vulnerable function introduced later)
-   [wheezy] - libgxps  (Vulnerable function introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473167
+   NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785479
+   NOTE: Fixed by: https://git.gnome.org/browse/libgxps/commit/?id=9d5d2920
 CVE-2017-11589 (On Cisco DDR2200 ADSL2+ Residential Gateway ...)
NOT-FOR-US: Cisco
 CVE-2017-11588 (On Cisco DDR2200 ADSL2+ Residential Gateway ...)
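
Review bot: The added "Fixed by" NOTE for CVE-2017-11590 references the upstream commit by the abbreviated id 9d5d2920, whereas the other commit references in this file give the full hash. Use the full commit id, and consider a one-line NOTE recording that the root cause lies outside caseless_hash, since the CVE description in the entry still names that function and the per-release lines that relied on it are being removed.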




[Secure-testing-commits] r54511 - data/CVE

2017-08-09 Thread Moritz Muehlenhoff
Author: jmm
Date: 2017-08-10 03:49:44 + (Thu, 10 Aug 2017)
New Revision: 54511

Modified:
   data/CVE/list
Log:
clamav no-dsa


Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 03:45:37 UTC (rev 54510)
+++ data/CVE/list   2017-08-10 03:49:44 UTC (rev 54511)
@@ -17998,6 +17998,8 @@
RESERVED
 CVE-2017-6420 (The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 
allows ...)
- clamav 0.99.3~beta1+dfsg-1
+   [stretch] - clamav  (Gets updated via -updates)
+   [jessie] - clamav  (Gets updated via -updates)
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11798
NOTE: 
https://github.com/vrtadmin/clamav-devel/commit/dfc00cd3301a42b571454b51a6102eecf58407bc
 CVE-2017-6419 (mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, 
allows ...)
@@ -18011,6 +18013,8 @@
NOTE: src:clamav source package.
 CVE-2017-6418 (libclamav/message.c in ClamAV 0.99.2 allows remote attackers to 
cause a ...)
- clamav 0.99.3~beta1+dfsg-1
+   [stretch] - clamav  (Gets updated via -updates)
+   [jessie] - clamav  (Gets updated via -updates)
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11797
NOTE: 
https://github.com/vrtadmin/clamav-devel/commit/586a5180287262070637c8943f2f7efd652e4a2c
 CVE-2017-6417 (Code injection vulnerability in Avira Total Security Suite 15.0 
(and ...)




[Secure-testing-commits] r54512 - data/CVE

2017-08-09 Thread Roberto C. Sanchez
Author: roberto
Date: 2017-08-10 03:51:44 + (Thu, 10 Aug 2017)
New Revision: 54512

Modified:
   data/CVE/list
Log:
Add references for upstream commits that fix CVE-2017-11352

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 03:49:44 UTC (rev 54511)
+++ data/CVE/list   2017-08-10 03:51:44 UTC (rev 54512)
@@ -9711,6 +9711,8 @@
- imagemagick 8:6.9.7.4+dfsg-12 (bug #868469)
[stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1
NOTE: https://github.com/ImageMagick/ImageMagick/issues/502
+   NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373
+   NOTE: ImageMagick-7: 
https://github.com/ImageMagick/ImageMagick/commit/86cb33143c5b21912187403860a7c26761a3cd23
 CVE-2017-9144 (In ImageMagick 7.0.5-5, a crafted RLE image can trigger a crash 
because ...)
{DSA-3863-1 DLA-960-1}
- imagemagick 8:6.9.7.4+dfsg-9 (bug #863126)




[Secure-testing-commits] r54513 - data/CVE

2017-08-09 Thread Roberto C. Sanchez
Author: roberto
Date: 2017-08-10 04:57:14 + (Thu, 10 Aug 2017)
New Revision: 54513

Modified:
   data/CVE/list
Log:
Note that CVE-2017-11536 does not affect imagemagick in wheezy

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 03:51:44 UTC (rev 54512)
+++ data/CVE/list   2017-08-10 04:57:14 UTC (rev 54513)
@@ -2981,6 +2981,7 @@
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/bac384563f557d1ac7413d2eaec00dd59c3cc29b
 CVE-2017-11536 (When ImageMagick 7.0.6-1 processes a crafted file in convert, 
it can ...)
- imagemagick 8:6.9.7.4+dfsg-13 (bug #869831)
+   [wheezy] - imagemagick  (vulnerable code not present)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/567
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/167e1538ae9818d46c9462a4273082871e35a480
NOTE: ImageMagick-6: 
https://github.com/ImageMagick/ImageMagick/commit/dba1ccfbcdf61c0eb599c7c308b42ed46dc92be6




[Secure-testing-commits] r54514 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 05:55:30 + (Thu, 10 Aug 2017)
New Revision: 54514

Modified:
   data/CVE/list
Log:
Add CVE-2017-10661/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 04:57:14 UTC (rev 54513)
+++ data/CVE/list   2017-08-10 05:55:30 UTC (rev 54514)
@@ -5491,8 +5491,10 @@
RESERVED
 CVE-2017-10662
RESERVED
-CVE-2017-10661
+CVE-2017-10661 [timerfd: Protect the might cancel mechanism proper]
RESERVED
+   - linux 4.9.30-1
+   NOTE: Fixed by: 
https://git.kernel.org/linus/1e38da300e1e395a15048b0af1e5305bd91402f6 
(v4.11-rc1)
 CVE-2017-10660
RESERVED
 CVE-2017-10659
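
Review bot: CVE-2017-10661 is marked fixed in linux 4.9.30-1 while the referenced upstream commit is tagged v4.11-rc1, so the fixed version rests on a backport that the entry does not mention. A NOTE naming the stable release or backported commit that brought the fix into 4.9 would let the version be verified.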




[Secure-testing-commits] r54515 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 06:01:40 + (Thu, 10 Aug 2017)
New Revision: 54515

Modified:
   data/CVE/list
Log:
Add CVE-2017-10662/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 05:55:30 UTC (rev 54514)
+++ data/CVE/list   2017-08-10 06:01:40 UTC (rev 54515)
@@ -5489,8 +5489,10 @@
NOTE: Fixed by (master): 
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
 CVE-2017-10663
RESERVED
-CVE-2017-10662
+CVE-2017-10662 [f2fs: sanity check segment count]
RESERVED
+   - linux 4.9.30-1
+   NOTE: Fixed by: 
https://git.kernel.org/linus/b9dd46188edc2f0d1f37328637860bb65a771124 
(v4.12-rc1)
 CVE-2017-10661 [timerfd: Protect the might cancel mechanism proper]
RESERVED
- linux 4.9.30-1




[Secure-testing-commits] r54516 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 06:03:36 + (Thu, 10 Aug 2017)
New Revision: 54516

Modified:
   data/CVE/list
Log:
Add two CVEs for linux from Android security bulletin

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 06:01:40 UTC (rev 54515)
+++ data/CVE/list   2017-08-10 06:03:36 UTC (rev 54516)
@@ -33464,10 +33464,14 @@
RESERVED
 CVE-2017-0751
RESERVED
-CVE-2017-0750
+CVE-2017-0750 [A-36817013]
RESERVED
-CVE-2017-0749
+   - linux 
+   NOTE: https://source.android.com/security/bulletin/2017-08-01
+CVE-2017-0749 [A-36007735]
RESERVED
+   - linux 
+   NOTE: https://source.android.com/security/bulletin/2017-08-01
 CVE-2017-0748
RESERVED
 CVE-2017-0747
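
Review bot: The bracketed titles added for CVE-2017-0750 and CVE-2017-0749 are Android bug ids ("A-36817013", "A-36007735") rather than a description of the issue, unlike entries such as "[f2fs: sanity check segment count]". Put a short description of the affected kernel component in the brackets and move the Android id to a NOTE; a reference to the upstream kernel commit, where one exists, would also help settle the linux status.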




[Secure-testing-commits] r54517 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 06:11:49 + (Thu, 10 Aug 2017)
New Revision: 54517

Modified:
   data/CVE/list
Log:
Add CVE-2017-10663/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 06:03:36 UTC (rev 54516)
+++ data/CVE/list   2017-08-10 06:11:49 UTC (rev 54517)
@@ -5487,8 +5487,10 @@
[wheezy] - qemu-kvm  (qemu-nbd shipped from qemu package)
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html
NOTE: Fixed by (master): 
http://git.qemu.org/?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1
-CVE-2017-10663
+CVE-2017-10663 [f2fs: sanity check checkpoint segno and blkoff]
RESERVED
+   - linux 
+   NOTE: Fixed by: 
https://git.kernel.org/linus/15d3042a937c13f5d9244241c7a9c8416ff6e82a 
(v4.13-rc1)
 CVE-2017-10662 [f2fs: sanity check segment count]
RESERVED
- linux 4.9.30-1




[Secure-testing-commits] r54518 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 06:28:43 + (Thu, 10 Aug 2017)
New Revision: 54518

Modified:
   data/CVE/list
Log:
Add two NFUs (external, only Adobe Flash)

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 06:11:49 UTC (rev 54517)
+++ data/CVE/list   2017-08-10 06:28:43 UTC (rev 54518)
@@ -28011,6 +28011,7 @@
RESERVED
 CVE-2017-3106
RESERVED
+   NOT-FOR-US: Adobe Flash
 CVE-2017-3105
RESERVED
 CVE-2017-3104
@@ -28053,6 +28054,7 @@
NOT-FOR-US: Adobe
 CVE-2017-3085
RESERVED
+   NOT-FOR-US: Adobe Flash
 CVE-2017-3084 (Adobe Flash Player versions 25.0.0.171 and earlier have an 
exploitable ...)
NOT-FOR-US: Adobe Flash
 CVE-2017-3083 (Adobe Flash Player versions 25.0.0.171 and earlier have an 
exploitable ...)




[Secure-testing-commits] r54519 - data/CVE

2017-08-09 Thread Salvatore Bonaccorso
Author: carnil
Date: 2017-08-10 06:42:55 + (Thu, 10 Aug 2017)
New Revision: 54519

Modified:
   data/CVE/list
Log:
Add CVE-2017-12762/linux

Modified: data/CVE/list
===
--- data/CVE/list   2017-08-10 06:28:43 UTC (rev 54518)
+++ data/CVE/list   2017-08-10 06:42:55 UTC (rev 54519)
@@ -20,8 +20,10 @@
RESERVED
 CVE-2017-12763
RESERVED
-CVE-2017-12762
+CVE-2017-12762 [isdn/i4l: fix buffer overflow]
RESERVED
+   - linux 
+   NOTE: Fixed by: 
https://git.kernel.org/linux/9f5af546e6acc30f075828cb58c7f09665033967 
(v4.13-rc4)
 CVE-2017-12761
RESERVED
 CVE-2017-12760
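
Review bot: The "Fixed by" URL added for CVE-2017-12762 uses the path "git.kernel.org/linux/", while the other kernel entries in this list use "git.kernel.org/linus/" followed by the commit id. This looks like a typo; change it to https://git.kernel.org/linus/9f5af546e6acc30f075828cb58c7f09665033967 so the reference has the same form as the others.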

