[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Follow stretch et al., for CVE-2018-9234 (gnupg2)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 28947f9c by Chris Lamb at 2018-04-04T22:54:40+01:00 Follow stretch et al., for CVE-2018-9234 (gnupg2) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -184,6 +184,7 @@ CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if NOT-FOR-US: Brave Browser CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ...) - gnupg2 (low) + [wheezy] - gnupg2 (Minor issue) [stretch] - gnupg2 (Minor issue) [jessie] - gnupg2 (Minor issue) NOTE: https://dev.gnupg.org/T3844 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/28947f9c9390dbbe060746fd4625f93c65779c2e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/28947f9c9390dbbe060746fd4625f93c65779c2e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
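Review bot: the added `[wheezy] - gnupg2 (Minor issue)` line sits above the existing `[stretch]` and `[jessie]` lines, whereas tagged entries elsewhere in this file order release tags from newest to oldest (the nasm entry in this same batch reads `[stretch]`, `[jessie]`, `[wheezy]`); move the new line below `[jessie] - gnupg2 (Minor issue)` so the block stays consistently ordered.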
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Triage CVE-2018-1060 & CVE-2018-1061 for wheezy (python2.6, python2.7 & python3.2)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 05bc2fc8 by Chris Lamb at 2018-04-04T22:57:01+01:00 Triage CVE-2018-1060 CVE-2018-1061 for wheezy (python2.6, python2.7 python3.2) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22300,10 +22300,13 @@ CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK m - python3.4 (low) [jessie] - python3.4 (Minor issue) - python3.2 (low) + [wheezy] - python3.2 (Minor issue) - python2.7 (low) + [wheezy] - python2.7 (Minor issue) [stretch] - python2.7 (Minor issue) [jessie] - python2.7 (Minor issue) - python2.6 (low) + [wheezy] - python2.6 (Minor issue) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) 
@@ -22320,10 +22323,13 @@ CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() me - python3.4 (low) [jessie] - python3.4 (Minor issue) - python3.2 (low) + [wheezy] - python3.2 (Minor issue) - python2.7 (low) + [wheezy] - python2.7 (Minor issue) [stretch] - python2.7 (Minor issue) [jessie] - python2.7 (Minor issue) - python2.6 (low) + [wheezy] - python2.6 (Minor issue) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/05bc2fc82f535d6fd33673aa6627ebcd9399ee15 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/05bc2fc82f535d6fd33673aa6627ebcd9399ee15 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
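Review bot: in both hunks the new `[wheezy] - python2.7 (Minor issue)` line is inserted above the existing `[stretch]` and `[jessie]` lines for python2.7; the file orders release tags from newest to oldest, so it belongs after `[jessie] - python2.7 (Minor issue)`. The python3.2 and python2.6 additions are fine as they carry no other tags.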
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Properly sort tagged entries
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 912af562 by Salvatore Bonaccorso at 2018-04-05T06:30:05+02:00 Properly sort tagged entries - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -184,9 +184,9 @@ CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if NOT-FOR-US: Brave Browser CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ...) - gnupg2 (low) - [wheezy] - gnupg2 (Minor issue) [stretch] - gnupg2 (Minor issue) [jessie] - gnupg2 (Minor issue) + [wheezy] - gnupg2 (Minor issue) NOTE: https://dev.gnupg.org/T3844 TODO: doublecheck gpg1 status with Werner/Niibe CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a ...) @@ -22302,9 +22302,9 @@ CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK m - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python2.7 (low) - [wheezy] - python2.7 (Minor issue) [stretch] - python2.7 (Minor issue) [jessie] - python2.7 (Minor issue) + [wheezy] - python2.7 (Minor issue) - python2.6 (low) [wheezy] - python2.6 (Minor issue) NOTE: https://bugs.python.org/issue32981 
@@ -22325,9 +22325,9 @@ CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() me - python3.2 (low) [wheezy] - python3.2 (Minor issue) - python2.7 (low) - [wheezy] - python2.7 (Minor issue) [stretch] - python2.7 (Minor issue) [jessie] - python2.7 (Minor issue) + [wheezy] - python2.7 (Minor issue) - python2.6 (low) [wheezy] - python2.6 (Minor issue) NOTE: https://bugs.python.org/issue32981 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/912af562beaeb66431ac446e941486d03e3b8712 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/912af562beaeb66431ac446e941486d03e3b8712 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] jasper unimportant
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e09ddb51 by Moritz Muehlenhoff at 2018-04-04T12:14:16+02:00 jasper unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -101,8 +101,9 @@ CVE-2018-9254 CVE-2018-9253 RESERVED CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...) - - jasper + - jasper (unimportant) NOTE: https://github.com/mdadams/jasper/issues/173 + NOTE: Negligable impact CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...) - libxml2 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e09ddb517cd752ae04bca368c8bc09ff077f3060 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e09ddb517cd752ae04bca368c8bc09ff077f3060 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
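Review bot: the new `NOTE: Negligable impact` line is misspelled (should be `Negligible`) and states a verdict without its reason; since the entry's own description is a denial of service via a reachable assertion, a few words on why that does not warrant a security update would let a later triager understand the `(unimportant)` marking without re-deriving it.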
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-2581 via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74cd2b5e by Salvatore Bonaccorso at 2018-04-05T06:33:03+02:00 Add fixed version for CVE-2018-2581 via unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -18182,7 +18182,7 @@ CVE-2018-2582 (Vulnerability in the Java SE, Java SE Embedded component of Oracl - openjdk-9 9.0.4+12-1 - openjdk-8 8u162-b12-1 CVE-2018-2581 (Vulnerability in the Java SE component of Oracle Java SE ...) - - openjfx (bug #888530) + - openjfx 8u161-b12-1 (bug #888530) [stretch] - openjfx (Minor issue) CVE-2018-2580 (Vulnerability in the Oracle Applications DBA component of Oracle ...) NOT-FOR-US: Oracle View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74cd2b5eaac87a3d2e8a950ca936d190c5727164 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74cd2b5eaac87a3d2e8a950ca936d190c5727164 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add commit for CVE-2018-8778
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 838aa9ae by Salvatore Bonaccorso at 2018-04-05T06:31:29+02:00 Add commit for CVE-2018-8778 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1324,6 +1324,7 @@ CVE-2018-8778 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2. - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/ NOTE: https://hackerone.com/reports/298246 + NOTE: Fixed by: https://github.com/ruby/ruby/commit/d02b7bd864706fc2a40d83fb6014772ad3cc3b80 NOTE: Fixed by: https://github.com/ruby/ruby/commit/4cd92d7b13002161a3452a0fe278b877901a8859 (2.2.10) CVE-2018-8777 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x ...) - ruby2.5 2.5.1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/838aa9aecb9b94d008232c5032fc43319da0fee0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/838aa9aecb9b94d008232c5032fc43319da0fee0 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
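Review bot: the added `NOTE: Fixed by:` line gives an upstream commit without saying which branch or release it belongs to, whereas the existing line directly below it is annotated with `(2.2.10)`; add the corresponding branch or version in parentheses so the two fix references can be told apart.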
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add new gitlab issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 38c37202 by Salvatore Bonaccorso at 2018-04-05T06:44:32+02:00 Add new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,12 @@ +CVE-2018- [Persistent XSS in filename of merge request] + - gitlab (bug #894869) + NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ +CVE-2018- [Persistent XSS in milestones data-milestone-id] + - gitlab (bug #894868) + NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ +CVE-2018- [Confidential issue comments in Slack, Mattermost, and webhook integrations] + - gitlab (bug #894867) + NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/ CVE-2018-9285 (Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, ...) NOT-FOR-US: ASUS CVE-2018-9284 (authentication.cgi on D-Link DIR-868L devices with Singapore StarHub ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38c372028bfbed9aad5772afc92d28ef2ac46e0f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38c372028bfbed9aad5772afc92d28ef2ac46e0f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
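Review bot: the three added entries use an incomplete identifier (`CVE-2018-` with no number), so they cannot be matched against the CVE feed once ids are assigned; if the ids are still pending, a TODO line recording that would keep the entries from being overlooked when the assignments arrive.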
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process three new NFUs in Apache Hive
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aeb7bc84 by Salvatore Bonaccorso at 2018-04-05T07:55:12+02:00 Process three new NFUs in Apache Hive - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -21433,6 +21433,7 @@ CVE-2018-1316 (The ODE process deployment web service was sensible to deployment NOT-FOR-US: Apache ODE CVE-2018-1315 RESERVED + NOT-FOR-US: Apache Hive CVE-2018-1314 RESERVED CVE-2018-1313 @@ -21544,12 +21545,14 @@ CVE-2018-1285 RESERVED CVE-2018-1284 RESERVED + NOT-FOR-US: Apache Hive CVE-2018-1283 (In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to ...) {DSA-4164-1} - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/4 CVE-2018-1282 RESERVED + NOT-FOR-US: Apache Hive CVE-2018-1281 RESERVED CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync protocol is ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aeb7bc84c6480915d2e4e6e417aeb30195bbf0e5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aeb7bc84c6480915d2e4e6e417aeb30195bbf0e5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
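Review bot: the three RESERVED entries are marked `NOT-FOR-US: Apache Hive` without any NOTE giving the source of that attribution; because RESERVED entries carry no description text, a NOTE with the upstream advisory or mailing-list post would let the classification be verified later.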
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add clarifying note for CVE-2018-9251
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6de419a by Salvatore Bonaccorso at 2018-04-04T16:03:31+02:00 Add clarifying note for CVE-2018-9251 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -107,6 +107,11 @@ CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...) - libxml2 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914 + NOTE: Before upstream commit https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb + NOTE: the memlimit argument to lzma_auto_decoder was set to UINT64_MAX, possibly + NOTE: allowing a malicious LZMA compressed files to consume large amounts of memory + NOTE: when decompressed. After upstream commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb + NOTE: with xz_decomp is more prominently uncovered. CVE-2018-9250 RESERVED CVE-2018-9249 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e6de419a3d0ec5439a5a469cfde376863e7c95a9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e6de419a3d0ec5439a5a469cfde376863e7c95a9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
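Review bot: the last added line, `NOTE: with xz_decomp is more prominently uncovered.`, is not a complete sentence and leaves unclear what becomes more visible after commit e2a9122b8dde53d320750451e9907a7dcb2ca8bb; also `a malicious LZMA compressed files` in the third line should read either `a malicious LZMA compressed file` or `malicious LZMA compressed files`. Rewording the note so it states the behaviour before and after the upstream commit in two plain sentences would make the entry self-explanatory.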
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1851ffae by Moritz Muehlenhoff at 2018-04-04T16:52:52+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9501,23 +9501,23 @@ CVE-2018-5830 CVE-2018-5829 RESERVED CVE-2018-5828 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5827 RESERVED CVE-2018-5826 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5825 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5824 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5823 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5822 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5821 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5820 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-5819 RESERVED CVE-2018-5818 @@ -14968,7 +14968,7 @@ CVE-2018-3647 CVE-2018-3646 RESERVED CVE-2018-3645 (Escalation of privilege in all versions of the Intel Remote Keyboard ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-3644 RESERVED CVE-2018-3643 
@@ -14976,13 +14976,13 @@ CVE-2018-3643 CVE-2018-3642 RESERVED CVE-2018-3641 (Escalation of privilege in all versions of the Intel Remote Keyboard ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-3640 RESERVED CVE-2018-3639 RESERVED CVE-2018-3638 (Escalation of privilege in all versions of the Intel Remote Keyboard ...) - TODO: check + NOT-FOR-US: Intel CVE-2018-3637 RESERVED CVE-2018-3636 @@ -15586,13 +15586,13 @@ CVE-2017-17809 (In Golden Frog VyprVPN before 2.15.0.5828 for macOS, the vyprvpn CVE-2017-17808 RESERVED CVE-2018-3599 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3598 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3597 RESERVED CVE-2018-3596 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3595 RESERVED CVE-2018-3594 @@ -15616,7 +15616,7 @@ CVE-2018-3586 CVE-2018-3585 RESERVED CVE-2018-3584 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3583 RESERVED CVE-2018-3582 @@ -15652,13 +15652,13 @@ CVE-2018-3568 CVE-2018-3567 RESERVED CVE-2018-3566 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3565 RESERVED CVE-2018-3564 RESERVED CVE-2018-3563 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2018-3562 RESERVED CVE-2018-3561 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
@@ -28989,7 +28989,7 @@ CVE-2017-15855 CVE-2017-15854 RESERVED CVE-2017-15853 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15852 (Information leak of the ISPIF base address in Android for MSM, Firefox ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15851 @@ -29021,9 +29021,9 @@ CVE-2017-15839 CVE-2017-15838 RESERVED CVE-2017-15837 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15836 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-15835 RESERVED CVE-2017-15834 (In Android for MSM, Firefox OS for MSM,
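Review bot: the new Qualcomm lines use `NOT-FOR-US: Qualcomm components for Android` while the existing context line for CVE-2017-15852 reads `NOT-FOR-US: Qualcomm component for Android`; pick one wording so the entries stay consistent and greppable.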
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] reserve openjdk-7 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 73fac3af by Moritz Muehlenhoff at 2018-04-04T18:38:54+02:00 reserve openjdk-7 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[04 Apr 2018] DSA-4166-1 openjdk-7 - security update + {CVE-2018-2579 CVE-2018-2588 CVE-2018-2599 CVE-2018-2602 CVE-2018-2603 CVE-2018-2618 CVE-2018-2629 CVE-2018-2633 CVE-2018-2634 CVE-2018-2637 CVE-2018-2641 CVE-2018-2663 CVE-2018-2677 CVE-2018-2678} + [jessie] - openjdk-7 7u171-2.6.13-1~deb8u1 [03 Apr 2018] DSA-4165-1 ldap-account-manager - security update {CVE-2018-8763} [jessie] - ldap-account-manager 4.7.1-1+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -49,8 +49,6 @@ linux -- mercurial -- -openjdk-7/oldstable (jmm) --- openjpeg2 (luciano) -- passenger/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73fac3afd82cb5d577a0181089a453e41c96f858 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/73fac3afd82cb5d577a0181089a453e41c96f858 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: Add bug reference for CVE-2018-1002150
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 832be1f9 by Salvatore Bonaccorso at 2018-04-04T19:21:50+02:00 Add bug reference for CVE-2018-1002150 - - - - - 21499f86 by Salvatore Bonaccorso at 2018-04-04T19:22:33+02:00 Reference upstream advisory for CVE-2018-1002150 - - - - - 1e859186 by Salvatore Bonaccorso at 2018-04-04T19:23:36+02:00 Reference upstream fix for CVE-2018-1002150 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,6 +1,8 @@ CVE-2018-1002150 [koji: Dist Repo call missing authorization check] - - koji + - koji (bug #894832) NOTE: http://www.openwall.com/lists/oss-security/2018/04/04/1 + NOTE: https://docs.pagure.org/koji/CVE-2018-1002150/ + NOTE: Fixed by: https://pagure.io/koji/c/ab1ade7 CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c ...) - wireshark NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14489 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/2edb4d94d1135dca9ee48f488fe730e405fa9486...1e859186c83c269da51bc0e216c99c4f402033d9 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/2edb4d94d1135dca9ee48f488fe730e405fa9486...1e859186c83c269da51bc0e216c99c4f402033d9 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] python no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c51f03e by Moritz Muehlenhoff at 2018-04-04T19:09:23+02:00 python no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22198,13 +22198,17 @@ CVE-2018-1062 (A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where NOT-FOR-US: ovirt-engine CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib] RESERVED - - python3.7 3.7.0~b3-1 - - python3.6 3.6.5~rc1-1 - - python3.5 - - python3.4 - - python3.2 - - python2.7 - - python2.6 + - python3.7 3.7.0~b3-1 (low) + - python3.6 3.6.5~rc1-1 (low) + - python3.5 (low) + [stretch] - python3.5 (Minor issue) + - python3.4 (low) + [jessie] - python3.4 (Minor issue) + - python3.2 (low) + - python2.7 (low) + [stretch] - python2.7 (Minor issue) + [jessie] - python2.7 (Minor issue) + - python2.6 (low) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) 
@@ -22214,13 +22218,17 @@ CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK m NOTE: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7) CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() method in pop3lib] RESERVED - - python3.7 3.7.0~b3-1 - - python3.6 3.6.5~rc1-1 - - python3.5 - - python3.4 - - python3.2 - - python2.7 - - python2.6 + - python3.7 3.7.0~b3-1 (low) + - python3.6 3.6.5~rc1-1 (low) + - python3.5 (low) + [stretch] - python3.5 (Minor issue) + - python3.4 (low) + [jessie] - python3.4 (Minor issue) + - python3.2 (low) + - python2.7 (low) + [stretch] - python2.7 (Minor issue) + [jessie] - python2.7 (Minor issue) + - python2.6 (low) NOTE: https://bugs.python.org/issue32981 NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c51f03e1507e3963610829f267864a083fcb321 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c51f03e1507e3963610829f267864a083fcb321 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
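Review bot: python3.2 and python2.6 are marked `(low)` but, unlike python3.5, python3.4 and python2.7, receive no release tag, and python2.7 gets `[stretch]` and `[jessie]` tags but no `[wheezy]` one, even though the commit message says `no-dsa`; if wheezy is affected as well, the `[wheezy] - ... (Minor issue)` lines for python3.2, python2.7 and python2.6 are missing in both hunks.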
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new koji issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2edb4d94 by Moritz Muehlenhoff at 2018-04-04T19:13:20+02:00 new koji issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,6 @@ +CVE-2018-1002150 [koji: Dist Repo call missing authorization check] + - koji + NOTE: http://www.openwall.com/lists/oss-security/2018/04/04/1 CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c ...) - wireshark NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14489 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2edb4d94d1135dca9ee48f488fe730e405fa9486 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2edb4d94d1135dca9ee48f488fe730e405fa9486 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
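Review bot: the new koji entry records only the oss-security post; neighbouring entries in this file carry a Debian bug reference in the form `(bug #NNNNNN)` and a `Fixed by:` NOTE where an upstream fix exists, so those should be added to this entry as soon as they are known.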
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-8881/nasm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0b51f99 by Salvatore Bonaccorso at 2018-04-04T21:36:44+02:00 Update information for CVE-2018-8881/nasm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1025,11 +1025,12 @@ CVE-2018-8882 (Netwide Assembler (NASM) 2.13.02rc2 has a stack-based buffer unde [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392445 CVE-2018-8881 (Netwide Assembler (NASM) 2.13.02rc2 has a heap-based buffer over-read ...) - - nasm (low) + - nasm 2.13.02-0.1 (low) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392446 + NOTE: http://repo.or.cz/nasm.git/commit/3144e84add8b152cc7a71e44617ce6f21daa4ba3 (nasm-2.13.02rc3) CVE-2018-8880 RESERVED CVE-2018-8879 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d0b51f99e2801e54a124c83f33f2ba58093413cb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d0b51f99e2801e54a124c83f33f2ba58093413cb You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new webkit issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d5ec6210 by Moritz Muehlenhoff at 2018-04-04T21:33:35+02:00 new webkit issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -13588,15 +13588,23 @@ CVE-2018-4167 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4166 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4165 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4164 (An issue was discovered in certain Apple products. Xcode before 9.3 is ...) NOT-FOR-US: Apple CVE-2018-4163 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4162 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4161 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4160 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2018-4159 
@@ -13626,7 +13634,9 @@ CVE-2018-4148 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4147 RESERVED CVE-2018-4146 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4145 RESERVED CVE-2018-4144 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) @@ -13652,7 +13662,9 @@ CVE-2018-4135 (An issue was discovered in certain Apple products. macOS before . CVE-2018-4134 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4133 (An issue was discovered in certain Apple products. Safari before 11.1 ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4132 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Intel graphics driver for MacOS CVE-2018-4131 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) 
@@ -13660,39 +13672,61 @@ CVE-2018-4131 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4130 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check CVE-2018-4129 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4128 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4127 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4126 RESERVED CVE-2018-4125 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4124 (An issue was discovered in certain Apple products. iOS before 11.2.6 ...) NOT-FOR-US: Apple CVE-2018-4123 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4122 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + - webkit2gtk (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0003.html + NOTE: Not covered by security support CVE-2018-4121 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) TODO: check
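Review bot: CVE-2018-4130 and CVE-2018-4121 are left at `TODO: check` in between the entries that are triaged here as `webkit2gtk (unimportant)`; if they are covered by the same WSA-2018-0003 advisory they should get the same three lines, and if not, a NOTE saying why would stop them being re-examined on the next pass.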
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d97aac7 by Moritz Muehlenhoff at 2018-04-04T21:37:22+02:00 NFUs - - - - - 45f7bec1 by Moritz Muehlenhoff at 2018-04-04T21:38:28+02:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -124,7 +124,7 @@ CVE-2018-9249 CVE-2018-9248 RESERVED CVE-2018-9247 (The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in ...) - TODO: check + NOT-FOR-US: Gxlcms QY CVE-2018-9246 RESERVED CVE-2018-9245 @@ -140,17 +140,17 @@ CVE-2018-9241 CVE-2018-9239 RESERVED CVE-2018-9238 (proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName ...) - TODO: check + NOT-FOR-US: Yahei-PHP Proberv CVE-2018-9237 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the Site ...) - TODO: check + NOT-FOR-US: iScripts EasyCreate CVE-2018-9236 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the Site ...) - TODO: check + NOT-FOR-US: iScripts EasyCreate CVE-2018-9235 (iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query ...) - TODO: check + NOT-FOR-US: iScripts SonicBB CVE-2017-18256 (Brave Browser before 0.13.0 allows remote attackers to cause a denial ...) - TODO: check + NOT-FOR-US: Brave Browser CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if the ...) - TODO: check + NOT-FOR-US: Brave Browser CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ...) TODO: check CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a ...) 
@@ -60108,7 +60108,7 @@ CVE-2017-5705 (Multiple buffer overflows in kernel in Intel Manageability Engine CVE-2017-5704 RESERVED CVE-2017-5703 (Configuration of SPI Flash in platforms based on multiple Intel ...) - TODO: check + NOT-FOR-US: Intel CVE-2017-5702 RESERVED CVE-2017-5701 (Insecure platform configuration in system firmware for Intel ...) @@ -65265,7 +65265,7 @@ CVE-2017-4030 CVE-2017-4029 REJECTED CVE-2017-4028 (Maliciously misconfigured registry vulnerability in all Microsoft ...) - TODO: check + NOT-FOR-US: MacAfee CVE-2017-4027 REJECTED CVE-2017-4026 @@ -65377,7 +65377,7 @@ CVE-2017-3974 CVE-2017-3973 REJECTED CVE-2017-3972 (Infrastructure-based foot printing vulnerability in the web interface ...) - TODO: check + NOT-FOR-US: McAfee CVE-2017-3971 RESERVED CVE-2017-3970 
@@ -70160,9 +70160,9 @@ CVE-2017-2495 (An issue was discovered in certain Apple products. iOS before 10. CVE-2017-2494 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-2493 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-2492 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-2491 (Use after free vulnerability in the String.replace method ...) NOT-FOR-US: Apple Safari CVE-2017-2490 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d0b51f99e2801e54a124c83f33f2ba58093413cb...45f7bec184eac47adad361ac9117519d5fea5331
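Review bot: the CVE-2017-4028 line in the second hunk reads 'NOT-FOR-US: MacAfee' while CVE-2017-3972 in the following hunk uses 'NOT-FOR-US: McAfee'; correct the spelling so the vendor name is the same in both entries and a search for McAfee finds them together.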
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new gpg issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2538dc0d by Moritz Muehlenhoff at 2018-04-04T21:45:45+02:00 new gpg issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -152,7 +152,11 @@ CVE-2017-18256 (Brave Browser before 0.13.0 allows remote attackers to cause a d CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if the ...) NOT-FOR-US: Brave Browser CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ...) - TODO: check + - gnupg2 (low) + [stretch] - gnupg2 (Minor issue) + [jessie] - gnupg2 (Minor issue) + NOTE: https://dev.gnupg.org/T3844 + TODO: doublecheck gpg1 status with Werner/Niibe CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a ...) - ncmpc (low; bug #894724) [stretch] - ncmpc (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2538dc0d4127b5087fe3d56edcb9a4c97df52585
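Review bot: the new gnupg2 entry carries [stretch] and [jessie] annotations but no [wheezy] line, although wheezy is still being annotated for other packages in this file (the nasm entries list stretch, jessie and wheezy); either add '[wheezy] - gnupg2 (Minor issue)' or widen the TODO so the wheezy status is tracked together with the open gpg1 question, otherwise the missing line reads as "not affected".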
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 11eb9623 by security tracker role at 2018-04-04T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,27 @@ +CVE-2018-9285 (Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, ...) + TODO: check +CVE-2018-9284 (authentication.cgi on D-Link DIR-868L devices with Singapore StarHub ...) + TODO: check +CVE-2018-9283 + RESERVED +CVE-2018-9282 + RESERVED +CVE-2018-9281 + RESERVED +CVE-2018-9280 + RESERVED +CVE-2018-9279 + RESERVED +CVE-2018-9278 + RESERVED +CVE-2018-9277 + RESERVED +CVE-2018-9276 + RESERVED +CVE-2018-9275 (In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) ...) + TODO: check +CVE-2017-18257 (The __get_data_block function in fs/f2fs/data.c in the Linux kernel ...) + TODO: check CVE-2018-1002150 [koji: Dist Repo call missing authorization check] - koji (bug #894832) NOTE: http://www.openwall.com/lists/oss-security/2018/04/04/1 @@ -119,10 +143,10 @@ CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzm NOTE: with xz_decomp is more prominently uncovered. CVE-2018-9250 RESERVED -CVE-2018-9249 - RESERVED -CVE-2018-9248 - RESERVED +CVE-2018-9249 (FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass by ...) + TODO: check +CVE-2018-9248 (FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass via ...) + TODO: check CVE-2018-9247 (The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in ...) NOT-FOR-US: Gxlcms QY CVE-2018-9246 @@ -218,8 +242,8 @@ CVE-2018-9207 RESERVED CVE-2018-9206 RESERVED -CVE-2018-9205 - RESERVED +CVE-2018-9205 (Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php ...) + TODO: check CVE-2018-9204 RESERVED CVE-2018-9203 
@@ -406,8 +430,8 @@ CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted NOT-FOR-US: DVD X Player Standard CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard ...) - botan 2.4.0-5 (bug #894648) -CVE-2018-9126 - RESERVED +CVE-2018-9126 (The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote ...) + TODO: check CVE-2018-9125 RESERVED CVE-2018-9124 @@ -420,16 +444,16 @@ CVE-2018-9121 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a NOT-FOR-US: Crea8social CVE-2018-9120 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post. ...) NOT-FOR-US: Crea8social -CVE-2018-9119 - RESERVED +CVE-2018-9119 (An attacker with physical access to a BrilliantTS FUZE card (MCU ...) + TODO: check CVE-2018-9118 RESERVED CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote ...) NOT-FOR-US: WireMock CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote ...) NOT-FOR-US: WireMock -CVE-2018-9115 - RESERVED +CVE-2018-9115 (Systematic SitaWare 6.4 SP2 does not validate input from other sources ...) + TODO: check CVE-2018-9114 RESERVED CVE-2018-9113 @@ -600,10 +624,10 @@ CVE-2018-9037 RESERVED CVE-2018-9036 RESERVED -CVE-2018-9035 - RESERVED -CVE-2018-9034 - RESERVED +CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form ...) + TODO: check +CVE-2018-9034 (Cross-site scripting (XSS) vulnerability in lib/interface.php of the ...) + TODO: check CVE-2018-9033 RESERVED CVE-2018-9032 (An authentication bypass vulnerability on D-Link DIR-850L Wireless ...) 
@@ -1178,10 +1202,10 @@ CVE-2018-8816 RESERVED CVE-2018-8815 (Cross-site scripting (XSS) vulnerability in the gallery function in ...) NOT-FOR-US: Alkacon OpenCMS -CVE-2018-8814 - RESERVED -CVE-2018-8813 - RESERVED +CVE-2018-8814 (Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 ...) + TODO: check +CVE-2018-8813 (Open redirect vulnerability in the login[redirect] parameter login ...) + TODO: check CVE-2018-8812 RESERVED CVE-2018-8811 (Cross-site request forgery (CSRF) vulnerability in ...) @@ -1498,8 +1522,8 @@ CVE-2018-8721 (Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has NOT-FOR-US: Zoho CVE-2018-8720 (ServiceNow ITSM 2016-06-02 has XSS via the First Name or Last Name ...) NOT-FOR-US: ServiceNow ITSM -CVE-2018-8719 - RESERVED +CVE-2018-8719 (An issue was discovered in the WP Security Audit Log plugin 3.1.1 for ...) + TODO: check CVE-2018-8718 (Cross-site request forgery (CSRF)
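Review bot: among the new 'TODO: check' entries in these hunks, CVE-2018-9275 (pam_yubico) and CVE-2017-18257 (fs/f2fs/data.c in the Linux kernel) name software Debian ships and should be triaged before the router, modem and CMS entries, whose descriptions point to NOT-FOR-US outcomes.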
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-9133/imagemagick: #894848
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56ac3a06 by Salvatore Bonaccorso at 2018-04-04T22:15:18+02:00 Add bug reference for CVE-2018-9133/imagemagick: #894848 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -412,7 +412,7 @@ CVE-2018-9135 (In ImageMagick 7.0.7-24 Q16, there is a heap-based buffer over-re CVE-2018-9134 (file_manage_control.php in DedeCMS 5.7 has CSRF in an fmdo=rename ...) NOT-FOR-US: DedeCMS CVE-2018-9133 (ImageMagick 7.0.7-26 Q16 has excessive iteration in the DecodeLabImage ...) - - imagemagick (low) + - imagemagick (low; bug #894848) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1072 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/56ac3a06c56e5a627dd89aa740c315d573e27b7c
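Review bot: the entry now links the Debian bug and the upstream issue (ImageMagick/ImageMagick#1072) but still has no fixed version and no 'NOTE: Fixed by:' commit; when upstream lands a fix, add the commit reference in the form used for CVE-2017-18257 so the unstable fix can be verified against it.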
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18257/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2eafc334 by Salvatore Bonaccorso at 2018-04-04T22:14:31+02:00 Add CVE-2017-18257/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -21,7 +21,8 @@ CVE-2018-9276 CVE-2018-9275 (In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) ...) TODO: check CVE-2017-18257 (The __get_data_block function in fs/f2fs/data.c in the Linux kernel ...) - TODO: check + - linux 4.11.6-1 + NOTE: Fixed by: https://git.kernel.org/linus/b86e33075ed1909d8002745b56ecf73b833db143 CVE-2018-1002150 [koji: Dist Repo call missing authorization check] - koji (bug #894832) NOTE: http://www.openwall.com/lists/oss-security/2018/04/04/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2eafc334324936ad5451a8aef57cc25690e22c59
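Review bot: '- linux 4.11.6-1' records a fixed version for unstable only, with no [stretch], [jessie] or [wheezy] annotation; the other entries in this file carry per-suite status lines, so state whether the stable kernels are affected, fixed or postponed rather than leaving the suites implicit.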
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-9275/yubico-pam
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5255737c by Salvatore Bonaccorso at 2018-04-04T22:24:28+02:00 Add CVE-2018-9275/yubico-pam - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -19,7 +19,13 @@ CVE-2018-9277 CVE-2018-9276 RESERVED CVE-2018-9275 (In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) ...) - TODO: check + - yubico-pam + [jessie] - yubico-pam (Vulnerable code introduced later) + [wheezy] - yubico-pam (Vulnerable code introduced later) + NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1088027 + NOTE: Fixed by: https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba + NOTE: Introduced in: https://github.com/Yubico/yubico-pam/commit/d9780eacd9e61c5062cdabdce21c224de1884583 (2.18) + NOTE: https://github.com/Yubico/yubico-pam/issues/136 CVE-2017-18257 (The __get_data_block function in fs/f2fs/data.c in the Linux kernel ...) - linux 4.11.6-1 NOTE: Fixed by: https://git.kernel.org/linus/b86e33075ed1909d8002745b56ecf73b833db143 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5255737c5bfb8f9c986e1641d0bf4566e1ecfcda
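Review bot: '- yubico-pam' is listed with neither a fixed version nor a Debian bug reference, and there is no [stretch] line even though the 'Introduced in' note pins the vulnerable code to 2.18; add the bug number (as the imagemagick and nasm commits next to this one do) and an explicit stretch status so the entry is not read as "stretch unaffected" by omission.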
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-8883
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 727c54cf by Salvatore Bonaccorso at 2018-04-04T21:57:16+02:00 Add bug reference for CVE-2018-8883 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1017,7 +1017,7 @@ CVE-2016-10717 (A vulnerability in the encryption and permission implementation CVE-2018-8884 RESERVED CVE-2018-8883 (Netwide Assembler (NASM) 2.13.02rc2 has a buffer over-read in the ...) - - nasm (low) + - nasm (low; bug #894847) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/727c54cf28728a73e7e0c1243301fb3f2b280e61
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-8882
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe40cba8 by Salvatore Bonaccorso at 2018-04-04T21:58:00+02:00 Add bug reference for CVE-2018-8882 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1023,7 +1023,7 @@ CVE-2018-8883 (Netwide Assembler (NASM) 2.13.02rc2 has a buffer over-read in the [wheezy] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392447 CVE-2018-8882 (Netwide Assembler (NASM) 2.13.02rc2 has a stack-based buffer under-read ...) - - nasm (low) + - nasm (low; bug #894846) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) [wheezy] - nasm (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fe40cba8045904a2e151eda5fb6e40201ae2090a
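Review bot: the CVE-2018-8882 hunk adds the Debian bug reference, but unlike CVE-2018-8883 directly above it (which carries 'NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392447') no upstream bugzilla NOTE is visible in the context; if NASM has a matching upstream report for the stack-based buffer under-read, add it so the two sibling entries are tracked the same way.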
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process two new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e38222f3 by Salvatore Bonaccorso at 2018-04-04T22:22:04+02:00 Process two new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,7 @@ CVE-2018-9285 (Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, ...) - TODO: check + NOT-FOR-US: ASUS CVE-2018-9284 (authentication.cgi on D-Link DIR-868L devices with Singapore StarHub ...) - TODO: check + NOT-FOR-US: D-Link CVE-2018-9283 RESERVED CVE-2018-9282 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e38222f3c11e4894d480534dd90382049316bf31
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 896b8d4a by Salvatore Bonaccorso at 2018-04-04T22:29:18+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -151,9 +151,9 @@ CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzm CVE-2018-9250 RESERVED CVE-2018-9249 (FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass by ...) - TODO: check + NOT-FOR-US: FiberHome VDSL2 Modem HG 150-UB devices CVE-2018-9248 (FiberHome VDSL2 Modem HG 150-UB devices allow authentication bypass via ...) - TODO: check + NOT-FOR-US: FiberHome VDSL2 Modem HG 150-UB devices CVE-2018-9247 (The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in ...) NOT-FOR-US: Gxlcms QY CVE-2018-9246 @@ -921,7 +921,7 @@ CVE-2017-18242 (The apply_dependent_coupling function in libavcodec/aacdec.c in [jessie] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1093 CVE-2018-8941 (Diagnostics functionality on D-Link DSL-3782 devices with firmware EU ...) - TODO: check + NOT-FOR-US: D-Link CVE-2018-8940 RESERVED CVE-2018-8939 @@ -1210,9 +1210,9 @@ CVE-2018-8816 CVE-2018-8815 (Cross-site scripting (XSS) vulnerability in the gallery function in ...) NOT-FOR-US: Alkacon OpenCMS CVE-2018-8814 (Cross-site request forgery (CSRF) vulnerability in WolfCMS 0.8.3.1 ...) - TODO: check + NOT-FOR-US: WolfCMS CVE-2018-8813 (Open redirect vulnerability in the login[redirect] parameter login ...) - TODO: check + NOT-FOR-US: WolfCMS CVE-2018-8812 RESERVED CVE-2018-8811 (Cross-site request forgery (CSRF) vulnerability in ...) 
@@ -1530,7 +1530,7 @@ CVE-2018-8721 (Zoho ManageEngine EventLog Analyzer version 11.0 build 11000 has CVE-2018-8720 (ServiceNow ITSM 2016-06-02 has XSS via the First Name or Last Name ...) NOT-FOR-US: ServiceNow ITSM CVE-2018-8719 (An issue was discovered in the WP Security Audit Log plugin 3.1.1 for ...) - TODO: check + NOT-FOR-US: WP Security Audit Log plugin for WordPress CVE-2018-8718 (Cross-site request forgery (CSRF) vulnerability in the Mailer Plugin ...) - jenkins-mailer-plugin CVE-2017-18232 (The Serial Attached SCSI (SAS) implementation in the Linux kernel ...) @@ -20439,7 +20439,7 @@ CVE-2018-1471 CVE-2018-1470 RESERVED CVE-2018-1469 (IBM API Connect Developer Portal 5.0.0.0 through 5.0.8.2 could allow ...) - TODO: check + NOT-FOR-US: IBM API Connect Developer Portal CVE-2018-1468 RESERVED CVE-2018-1467 @@ -20483,7 +20483,7 @@ CVE-2018-1449 CVE-2018-1448 (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 ...) NOT-FOR-US: IBM CVE-2018-1447 (The GSKit (IBM Spectrum Protect 7.1 and 7.2) and (IBM Spectrum Protect ...) - TODO: check + NOT-FOR-US: IBM Spectrum Protect CVE-2018-1446 RESERVED CVE-2018-1445 @@ -20535,7 +20535,7 @@ CVE-2018-1423 CVE-2018-1422 RESERVED CVE-2018-1421 (IBM WebSphere DataPower Appliances 7.1, 7.2, 7.5, 7.5.1, 7.5.2, and ...) - TODO: check + NOT-FOR-US: IBM WebSphere DataPower Appliances CVE-2018-1420 RESERVED CVE-2018-1419 
@@ -23133,7 +23133,7 @@ CVE-2018-0988 CVE-2018-0987 RESERVED CVE-2018-0986 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-0985 RESERVED CVE-2018-0984 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/896b8d4aa59a57c068f3262b1357455f361332d5
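Review bot: the NOT-FOR-US labels in these hunks mix vendor-only forms ('NOT-FOR-US: D-Link', 'NOT-FOR-US: Microsoft') with full product names ('NOT-FOR-US: FiberHome VDSL2 Modem HG 150-UB devices', 'NOT-FOR-US: IBM Spectrum Protect'); settle on one granularity, preferably the product, since a vendor-only label is what later makes a CVE for a different product of the same vendor hard to tell apart from these.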
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a8b515bf by Moritz Muehlenhoff at 2018-04-04T23:18:20+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -250,7 +250,7 @@ CVE-2018-9207 CVE-2018-9206 RESERVED CVE-2018-9205 (Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in view.php ...) - TODO: check + NOT-FOR-US: avatar_uploader CVE-2018-9204 RESERVED CVE-2018-9203 @@ -438,7 +438,7 @@ CVE-2018-9128 (DVD X Player Standard 5.5.3.9 has a Buffer Overflow via a crafted CVE-2018-9127 (Botan 2.2.0 - 2.4.0 (fixed in 2.5.0) improperly handled wildcard ...) - botan 2.4.0-5 (bug #894648) CVE-2018-9126 (The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote ...) - TODO: check + NOT-FOR-US: DNN CVE-2018-9125 RESERVED CVE-2018-9124 @@ -452,7 +452,7 @@ CVE-2018-9121 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a CVE-2018-9120 (In Crea8social 2018.2, there is Stored Cross-Site Scripting via a post. ...) NOT-FOR-US: Crea8social CVE-2018-9119 (An attacker with physical access to a BrilliantTS FUZE card (MCU ...) - TODO: check + NOT-FOR-US: BrilliantTS FUZE card CVE-2018-9118 RESERVED CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a remote ...) @@ -460,7 +460,7 @@ CVE-2018-9117 (WireMock before 2.16.0 contains a vulnerability that allows a rem CVE-2018-9116 (An XXE vulnerability within WireMock before 2.16.0 allows a remote ...) NOT-FOR-US: WireMock CVE-2018-9115 (Systematic SitaWare 6.4 SP2 does not validate input from other sources ...) - TODO: check + NOT-FOR-US: Systematic SitaWare CVE-2018-9114 RESERVED CVE-2018-9113 
@@ -632,9 +632,9 @@ CVE-2018-9037 CVE-2018-9036 RESERVED CVE-2018-9035 (CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-9034 (Cross-site scripting (XSS) vulnerability in lib/interface.php of the ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-9033 RESERVED CVE-2018-9032 (An authentication bypass vulnerability on D-Link DIR-850L Wireless ...) @@ -2974,7 +2974,7 @@ CVE-2018-8050 (The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka NOTE: https://github.com/sshock/AFFLIBv3/commit/435a2ca802358a3debb6d164d2c33049131df81c NOTE: Negligable security impact CVE-2018-8049 (The Stealth endpoint in Unisys Stealth SVG 2.8.x, 3.0.x before ...) - TODO: check + NOT-FOR-US: Unisys Stealth SVG CVE-2018-8048 (In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML ...) - ruby-loofah 2.2.1-1 (bug #893596) NOTE: https://github.com/flavorjones/loofah/issues/144 @@ -6465,9 +6465,9 @@ CVE-2018-6876 (The OLEProperty class in ole/oleprop.cpp in libfpx 1.3.1-10, as u CVE-2018-6875 (Format String vulnerability in KeepKey version 4.0.0 allows attackers ...) NOT-FOR-US: KeepKey CVE-2018-6874 (CSRF exists in the Auth0 authentication service through 14591 if the ...) - TODO: check + NOT-FOR-US: Auth0 CVE-2018-6873 (The Auth0 authentication service before 2017-10-15 allows privilege ...) - TODO: check + NOT-FOR-US: Auth0 CVE-2018-6872 (The elf_parse_notes function in elf.c in the Binary File Descriptor ...) - binutils 2.30-4 [stretch] - binutils (Minor issue) @@ -7137,7 +7137,7 @@ CVE-2017-18149 CVE-2017-18148 RESERVED CVE-2017-18147 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-18146 RESERVED CVE-2017-18145 
@@ -7667,7 +7667,7 @@ CVE-2017-18098 CVE-2017-18097 RESERVED CVE-2017-18096 (The OAuth status rest resource in Atlassian Application Links before ...) - TODO: check + NOT-FOR-US: Atlassian Application Links CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before version ...) NOT-FOR-US: Atlassian Crucible CVE-2017-18094 (Various resources in Atlassian Fisheye and Crucible before version ...) @@ -13706,7 +13706,7 @@ CVE-2018-4132 (An issue was discovered in certain Apple products. macOS before . CVE-2018-4131 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) NOT-FOR-US: Apple CVE-2018-4130 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2018-4129 (An issue was discovered in certain Apple products. iOS before 11.3 is ...) - webkit2gtk (unimportant) NOTE: https://webkitgtk.org/security/WSA-2018-0003.html @@ -13734,7 +13734,7 @@ CVE-2018-4122 (An
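Review bot: 'NOT-FOR-US: Wordpress plugin' for CVE-2018-9035 and CVE-2018-9034 neither names the plugin nor matches the spelling used elsewhere in this series ('WP Security Audit Log plugin for WordPress'); take the plugin name from the CVE description and write 'WordPress' so the two entries can be found again. Likewise 'NOT-FOR-US: DNN' for CVE-2018-9126 labels the platform rather than the DNNArticle module the description actually names.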
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new kfreebsd issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e1a501f8 by Moritz Muehlenhoff at 2018-04-04T23:23:40+02:00 new kfreebsd issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6344,14 +6344,20 @@ CVE-2018-6921 CVE-2018-6920 RESERVED CVE-2018-6919 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://security.FreeBSD.org/advisories/FreeBSD-EN-18:04.mem.asc + NOTE: kfreebsd not covered by security support CVE-2018-6918 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc + NOTE: kfreebsd not covered by security support CVE-2018-6917 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p9, 10.4-STABLE, ...) - TODO: check + - kfreebsd-10 (unimportant) + NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-18:04.vt.asc + NOTE: kfreebsd not covered by security support CVE-2018-6916 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p7, 10.4-STABLE, ...) - kfreebsd-10 (unimportant) - NOTE: Patch https://www.freebsd.org/security/patches/SA-18:01/ipsec-10.patch + NOTE: https://www.freebsd.org/security/patches/SA-18:01/ipsec-10.patch NOTE: kfreebsd not covered by security support CVE-2018-6915 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1a501f8472ff24fe66c1677b58ad1564cf7baab
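Review bot: besides the three new entries, this hunk also edits the existing CVE-2018-6916 NOTE (dropping the word 'Patch' in front of the URL), which the commit message 'new kfreebsd issues' does not mention; keep such cleanups in their own commit or name them in the message. Separately, CVE-2018-6919 is referenced to an Errata Notice (FreeBSD-EN-18:04.mem.asc) rather than a Security Advisory, and the three references use two different hosts (security.FreeBSD.org and www.freebsd.org); a word in the NOTE that the EN is the intended reference would save the next reader a lookup.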
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: Notes/fixed by for ruby's issues: CVE-2018-6914 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fca27b8 by Santiago R.R at 2018-04-04T23:23:02+02:00 Notes/fixed by for ruby's issues: CVE-2018-6914 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 Signed-off-by: Santiago R.R santiag...@riseup.net - - - - - fae6a38a by Santiago R.R at 2018-04-04T23:23:44+02:00 Merge remote-tracking branch refs/remotes/origin/master - - - - - a1bf3923 by Santiago R.R at 2018-04-04T23:24:39+02:00 Merge remote-tracking branch refs/remotes/origin/master - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list
@@ -1304,18 +1304,26 @@ CVE-2018-8780 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2. - ruby2.1 - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/ + NOTE: https://hackerone.com/reports/302338 + NOTE: Fixed by: https://github.com/ruby/ruby/commit/bd5661a3cbb38a8c3a3ea10cd76c88bbef7871b8 + NOTE: Fixed by: https://github.com/ruby/ruby/commit/143eb22f1877815dd802f7928959c5f93d4c7bb3 (2.2.10) CVE-2018-8779 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x ...) - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/ + NOTE: https://hackerone.com/reports/302997 + NOTE: Fixed by: https://github.com/ruby/ruby/commit/8794dec6a5f11adc5cdd19a5ee91ea6b0816763f + NOTE: Fixed by: https://github.com/ruby/ruby/commit/47165eed264d357e78e27371cfef20d5c2bde5d9 (2.2.10) CVE-2018-8778 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x ...) - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/ + NOTE: https://hackerone.com/reports/298246 + NOTE: Fixed by: https://github.com/ruby/ruby/commit/4cd92d7b13002161a3452a0fe278b877901a8859 (2.2.10) CVE-2018-8777 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x ...) - ruby2.5 2.5.1-1 - ruby2.3 
@@ -6367,6 +6375,9 @@ CVE-2018-6914 (Directory traversal vulnerability in the Dir.mktmpdir method in t - ruby2.1 - ruby1.9.1 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/ + NOTE: https://hackerone.com/reports/302298 + NOTE: Fixed by: https://github.com/ruby/ruby/commit/10b96900b90914b0cc1dba36f9736c038db2859d + NOTE: Fixed by: https://github.com/ruby/ruby/commit/e9ddf2ba41a0bffe1047e33576affd48808c5d0b (2.2.10) CVE-2018-163 REJECTED CVE-2017-18179 (Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e1a501f8472ff24fe66c1677b58ad1564cf7baab...a1bf39232a988f00df252f9d602bccf59ef45dd3
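Review bot: the CVE-2018-8778 entry receives only the 2.2.10 backport commit as 'Fixed by', whereas CVE-2018-8780, CVE-2018-8779 and CVE-2018-6914 each record the main-branch commit plus the 2.2.10 backport; add the corresponding trunk commit for 8778 (or note that the 2.2.10 commit is the only fix) so all four entries are read the same way. The ruby2.3, ruby2.1 and ruby1.9.1 lines still carry no fixed version and no per-suite annotation, so those remain open after this commit.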
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Mark some questionable Apple CVE assignments as NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ae5b8e0 by Moritz Muehlenhoff at 2018-04-04T23:29:29+02:00 Mark some questionable Apple CVE assignments as NFU - No point in investigating this further, we can only assume that Apple staff is stupid and assigned internal ID duplicates to otherwise public issues. They can prove us wrong by providing proper commit references! - - - - - 81a0add7 by Moritz Muehlenhoff at 2018-04-04T23:31:49+02:00 Merge branch master of https://salsa.debian.org/security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -35115,15 +35115,15 @@ CVE-2017-13818 (An issue was discovered in certain Apple products. macOS before CVE-2017-13817 (An out-of-bounds read issue was discovered in certain Apple products. ...) NOT-FOR-US: Apple CVE-2017-13816 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially libarchive + NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13815 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-13814 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-13813 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially libarchive + NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13812 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check, potentially libarchive + NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13811 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-13810 (An issue was discovered in certain Apple products. macOS before ...)
@@ -55992,25 +55992,25 @@ CVE-2017-7132 (An issue was discovered in certain Apple products. macOS before . CVE-2017-7131 (An issue was discovered in certain Apple products. iOS before 11 is ...) NOT-FOR-US: Apple CVE-2017-7130 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7129 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7128 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7127 (An issue was discovered in certain Apple products. iOS before 11 is ...) - TODO: check, potentially sqlite + NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7126 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7125 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7124 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7123 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7122 (An issue was discovered in certain Apple products. macOS before 10.13 ...) 
- TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7121 (An issue was discovered in certain Apple products. macOS before 10.13 ...) - TODO: check, potentially file + NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7120 (An issue was discovered in certain Apple products. iOS before 11 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a1bf39232a988f00df252f9d602bccf59ef45dd3...81a0add70034707d5aee2f7b580be080ebe9d64e
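Review bot: The NOT-FOR-US marker takes these libarchive, file and sqlite candidates off the tracker's TODO list for good, so if Apple or the upstream projects later publish the actual fixes nothing will flag them for re-triage; the candidate package name survives in the NOT-FOR-US text, but it would be more useful as a separate NOTE line (e.g. "NOTE: possibly src:libarchive, no upstream reference") that can be grepped for when libarchive, file or sqlite updates are prepared. The phrase "but Apple doesn't play by the rules" is also repeated verbatim in every one of these entries; a single neutral wording such as "NOT-FOR-US: Apple (no upstream reference available, possibly src:file)" reads better in the web UI and carries the same information.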
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a3d0ad7f by Moritz Muehlenhoff at 2018-04-04T23:38:48+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -43564,7 +43564,7 @@ CVE-2017-11077 CVE-2017-11076 RESERVED CVE-2017-11075 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2017-11074 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11073 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) @@ -55293,9 +55293,9 @@ CVE-2016-10301 CVE-2016-10300 RESERVED CVE-2016-10299 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2016-10298 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2016-10297 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2016-10296 (An information disclosure vulnerability in the Qualcomm shared memory ...) 
@@ -55356,21 +55356,21 @@ CVE-2015-9016 [blk-mq: fix race between timeout and freeing request] [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/0048b4837affd153897ed183492070027aa9 (4.3-rc1) CVE-2015-9015 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9014 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9013 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9012 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9011 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9010 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9009 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9008 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm components for Android CVE-2015-9007 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) NOT-FOR-US: Qualcomm components for Android CVE-2015-9006 (In Resource Power Manager (RPM) in all Android releases from CAF using ...) 
@@ -55393,7 +55393,7 @@ CVE-2014-9955 (An elevation of privilege vulnerability in Qualcomm closed source CVE-2014-9954 (An elevation of privilege vulnerability in Qualcomm closed source ...) NOT-FOR-US: Qualcomm component for Android CVE-2014-9953 (An elevation of privilege vulnerability in Qualcomm closed source ...) - TODO: check + NOT-FOR-US: Qualcomm component for Android CVE-2014-9952 (In the Secure File System in all Android releases from CAF using the ...) NOT-FOR-US: Qualcomm components for Android CVE-2014-9951 (In TrustZone in all Android releases from CAF using the Linux kernel, ...) @@ -55891,19 +55891,19 @@ CVE-2017-7175 (NfSen before 1.3.8 allows remote attackers to execute arbitrary O CVE-2017-7174 (The user-account creation feature in Chef Manage 2.1.0 through 2.4.4 ...) NOT-FOR-US: Chef Manage CVE-2017-7173 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7172 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7171 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7170 (An issue was discovered in certain Apple products. macOS before ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7169 RESERVED CVE-2017-7168 RESERVED CVE-2017-7167 (An issue was discovered in certain Apple products. Xcode before 9.2 is ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7166 RESERVED CVE-2017-7165 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) @@ -55912,7 +55912,7 @@
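Review bot: CVE-2014-9953 is marked "Qualcomm component for Android" (singular) while every other line changed in this patch uses "Qualcomm components for Android"; the singular matches the unchanged CVE-2014-9954 neighbour, so one of the two spellings should be normalised across the file rather than adding another mixed case. Separately, the unchanged CVE-2015-9016 context line cites https://git.kernel.org/linus/0048b4837affd153897ed183492070027aa9, which is 36 hex digits rather than a full 40-digit commit id; worth confirming the hash was not truncated when that entry was written.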
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new webkit issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32044344 by Moritz Muehlenhoff at 2018-04-04T23:42:27+02:00 new webkit issue NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -55944,7 +55944,9 @@ CVE-2017-7155 (An issue was discovered in certain Apple products. macOS before . CVE-2017-7154 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7153 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - TODO: check + - webkit2gtk 2.18.6-1 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0002.html + NOTE: Not covered by security support CVE-2017-7152 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7151 @@ -56150,7 +56152,7 @@ CVE-2017-7073 CVE-2017-7072 (An issue was discovered in certain Apple products. iOS before 11 is ...) NOT-FOR-US: Apple CVE-2017-7071 (An issue was discovered in certain Apple products. Safari before 10.1 ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7070 (An issue was discovered in certain Apple products. macOS before ...) NOT-FOR-US: Apple CVE-2017-7069 (An issue was discovered in certain Apple products. iOS before 10.3.3 ...) @@ -56341,7 +56343,7 @@ CVE-2017-7006 (An issue was discovered in certain Apple products. iOS before 10. NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7005 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) - TODO: check + NOT-FOR-US: Apple CVE-2017-7004 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) NOT-FOR-US: Apple CVE-2017-7003 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...) 
@@ -144279,7 +144281,7 @@ CVE-2014-4961 CVE-2014-4960 (Multiple SQL injection vulnerabilities in models\gallery.php in ...) NOT-FOR-US: Joomla! component CVE-2014-4959 (**DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the ...) - TODO: check + NOT-FOR-US: Disputed Android issue CVE-2014-4958 (Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET ...) NOT-FOR-US: Telerik UI for ASP.NET AJAX RadEditor Control CVE-2014-4957 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3204434407b428688ac13da532388d05a5aad5e7
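Review bot: CVE-2017-7071 is described as a Safari issue and is marked NOT-FOR-US: Apple in the same patch that maps the iOS-described CVE-2017-7153 to webkit2gtk via WSA-2018-0002; Safari CVEs are frequently WebKit CVEs, so a NOTE saying that no WSA advisory lists CVE-2017-7071 would document why it was not handled like CVE-2017-7153 and CVE-2017-7006. The CVE-2017-7153 entry itself follows the pattern already used for CVE-2017-7006 (fixed version, "unimportant", WSA reference, "Not covered by security support"), and the CVE-2014-4959 change correctly records the disputed status in the NFU text.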
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add two new python issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 37f5ebb3 by Salvatore Bonaccorso at 2018-04-04T08:39:14+02:00 Add two new python issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22052,10 +22052,26 @@ CVE-2018-1063 (Context relabeling of filesystems is vulnerable to symbolic link NOTE: relabeling time. CVE-2018-1062 (A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where the ...) NOT-FOR-US: ovirt-engine -CVE-2018-1061 +CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib] RESERVED -CVE-2018-1060 + - python3.7 + - python3.6 + - python3.5 + - python3.4 + - python3.2 + - python2.7 + - python2.6 + NOTE: https://bugs.python.org/issue32981 +CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() method in pop3lib] RESERVED + - python3.7 + - python3.6 + - python3.5 + - python3.4 + - python3.2 + - python2.7 + - python2.6 + NOTE: https://bugs.python.org/issue32981 CVE-2018-1059 RESERVED CVE-2018-1058 (A flaw was found in the way Postgresql allowed a user to modify the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/37f5ebb32274d98e32416a28e57f93f0da846fd2
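Review bot: The bracketed description for CVE-2018-1060 says "apop() method in pop3lib"; the CPython module is poplib (the affected method is poplib.POP3.apop), and since the bracketed text is what the tracker displays while the CVE is still RESERVED, it should be corrected the next time the entry is touched. Both entries cite only https://bugs.python.org/issue32981 and list python3.7 through python2.6 without fixed versions; the bpo issue fixes both regexes in one change, so one upstream commit reference will serve both entries, and the python3.2 and python2.6 lines will need explicit "[suite]" markings because upstream no longer maintains those branches and no upstream fix will appear for them.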
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-106{0,1}/python3.6 fixed since 3.6.5~rc1-1 upload to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 650e0a96 by Salvatore Bonaccorso at 2018-04-04T08:56:17+02:00 CVE-2018-106{0,1}/python3.6 fixed since 3.6.5~rc1-1 upload to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22055,7 +22055,7 @@ CVE-2018-1062 (A vulnerability was discovered in oVirt 4.1.x before 4.1.9, where CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib] RESERVED - python3.7 - - python3.6 + - python3.6 3.6.5~rc1-1 - python3.5 - python3.4 - python3.2 @@ -22071,7 +22071,7 @@ CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK m CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() method in pop3lib] RESERVED - python3.7 - - python3.6 + - python3.6 3.6.5~rc1-1 - python3.5 - python3.4 - python3.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/650e0a96240224ab036b434354ea8255b155d5fe
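Review bot: The fixed version 3.6.5~rc1-1 is recorded for python3.6 in both hunks, but nothing in either entry documents how that was established; a NOTE pointing at the 3.6-branch commit or at the changelog of the 3.6.5~rc1-1 upload would let the claim be verified without unpacking the package. The python3.7, python3.5, python3.4, python3.2, python2.7 and python2.6 lines remain unversioned, which the tracker treats as unfixed; for any of those source packages that is no longer in unstable, a bare package line will keep the CVE open indefinitely and a "[suite] - package <status>" line is the right form.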
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2018-9240 (ncmpc) for wheezy.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f3980332 by Chris Lamb at 2018-04-04T08:36:28+01:00 Triage CVE-2018-9240 (ncmpc) for wheezy. - - - - - 1af9e704 by Chris Lamb at 2018-04-04T08:37:14+01:00 Triage firebird2.5 for LTS - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2,6 +2,7 @@ CVE-2018-9234 RESERVED CVE-2018-9240 [Crash in chat screen when another client sends a long line] - ncmpc (low; bug #894724) + [wheezy] - ncmpc (Minor issue) [stretch] - ncmpc (Minor issue) [jessie] - ncmpc (Minor issue) CVE-2018-9233 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -22,6 +22,8 @@ cups elinks NOTE: 20180226: maintainer is on the security team (jmm), no notice sent (anarcat) -- +firebird2.5 +-- gcc-4.6 (Roberto C. Sánchez) NOTE: 20180215: Backport the retpoline support for spectre mitigation. NOTE: 20180215: Coordinate with jmm who started the work for gcc-4.9 in jessie. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b7ab156232eb977925103760664c0db9c0235133...1af9e7043dfbe1f5e6b69ac2a60874354c376dbf
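Review bot: The new "[wheezy] - ncmpc (Minor issue)" line is inserted above the existing [stretch] and [jessie] lines, while suite lists in this file run from newest to oldest; put the wheezy line last so the entry matches the surrounding ordering. In dla-needed.txt, firebird2.5 is queued with no NOTE naming the CVE(s) that need an update or why it is being added, unlike the elinks and gcc-4.6 entries around it; a dated line in the file's "NOTE: YYYYMMDD:" convention would save the next LTS contributor a trip through the CVE list.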
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-9251/libxml2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b6ec2ff by Salvatore Bonaccorso at 2018-04-04T10:18:49+02:00 Add CVE-2018-9251/libxml2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -45,7 +45,8 @@ CVE-2018-9253 CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...) TODO: check CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...) - TODO: check + - libxml2 + NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914 CVE-2018-9250 RESERVED CVE-2018-9249 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b6ec2ffbcc2d4fb4ad833505eb7847a74f6df5a
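Review bot: The CVE-2018-9251 entry gets the package and the upstream bug but no fixed version, severity or exposure note; the description places the bug in xz_decomp in xzlib.c "if --with-lzma is ..." enabled, so whether Debian's libxml2 is affected at all hinges on whether the package is built with lzma support, and that determination should be recorded as a NOTE (together with the upstream fix commit once one is attached to the GNOME bug) so the entry can be assessed for stretch and jessie without redoing the check.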
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference upstream commits for CVE-2018-106{0,1}/python
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 24289e57 by Salvatore Bonaccorso at 2018-04-04T08:43:46+02:00 Reference upstream commits for CVE-2018-106{0,1}/python - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22062,6 +22062,12 @@ CVE-2018-1061 [DOS via regular expression backtracking in difflib.IS_LINE_JUNK m - python2.7 - python2.6 NOTE: https://bugs.python.org/issue32981 + NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) + NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) + NOTE: https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523 (3.6) + NOTE: https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b (3.5) + NOTE: https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0 (3.4) + NOTE: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7) CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() method in pop3lib] RESERVED - python3.7 
@@ -22072,6 +22078,12 @@ CVE-2018-1060 [DOS via regular expression catastrophic backtracking in apop() me - python2.7 - python2.6 NOTE: https://bugs.python.org/issue32981 + NOTE: https://github.com/python/cpython/commit/0e6c8ee2358a2e23117501826c008842acb835ac (master) + NOTE: https://github.com/python/cpython/commit/0902a2d6b2d1d9dbde36aeaaccf1788ceaa97143 (3.7) + NOTE: https://github.com/python/cpython/commit/c9516754067d71fd7429a25ccfcb2141fc583523 (3.6) + NOTE: https://github.com/python/cpython/commit/937ac1fe069a4dc8471dff205f553d82e724015b (3.5) + NOTE: https://github.com/python/cpython/commit/942cc04ae44825ea120e3a19a80c9b348b8194d0 (3.4) + NOTE: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7) CVE-2018-1059 RESERVED CVE-2018-1058 (A flaw was found in the way Postgresql allowed a user to modify the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/24289e57fd5f654bab4e74543422a267c9b413c6
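Review bot: The same six commit NOTE lines are added verbatim under both CVE-2018-1061 and CVE-2018-1060, which is correct because bpo-32981 fixed both regexes in one change, but a one-line NOTE on the second entry saying so (e.g. "NOTE: same upstream fix as CVE-2018-1061") would stop a reader from assuming a copy-paste error. No branch commit exists for 3.2 or 2.6, so the python3.2 and python2.6 lines in both entries will need either a backport of the 2.7/3.4 commits or a suite-level no-dsa/end-of-life marking; the entries currently give no hint which is intended.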
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: Order suites list top-down
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08af4c3f by Salvatore Bonaccorso at 2018-04-04T09:42:41+02:00 Order suites list top-down. Just for cosmetics. - - - - - c83cb1ae by Salvatore Bonaccorso at 2018-04-04T09:43:24+02:00 Note that berni is working on updates for asterisk - - - - - 7c50fbcb by Salvatore Bonaccorso at 2018-04-04T09:43:53+02:00 Note that berni is working on updates for pjproject - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2,9 +2,9 @@ CVE-2018-9234 RESERVED CVE-2018-9240 [Crash in chat screen when another client sends a long line] - ncmpc (low; bug #894724) - [wheezy] - ncmpc (Minor issue) [stretch] - ncmpc (Minor issue) [jessie] - ncmpc (Minor issue) + [wheezy] - ncmpc (Minor issue) CVE-2018-9233 RESERVED CVE-2018-9232 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -15,6 +15,7 @@ If needed, specify the release by adding a slash after the name of the source pa 389-ds-base (fw) -- asterisk/stable + berni working on updates -- chromium-browser/stable -- @@ -67,6 +68,7 @@ phpmyadmin/oldstable (abhijith) https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc -- pjproject + berni is working on updates -- qemu/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1af9e7043dfbe1f5e6b69ac2a60874354c376dbf...7c50fbcb281daf4e41acc677ed01e55cee2adccd
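Review bot: The two dsa-needed.txt hunks record the same fact in two wordings ("berni working on updates" versus "berni is working on updates"); the file's own convention, visible in "389-ds-base (fw)" and "phpmyadmin/oldstable (abhijith)", is to put the person in parentheses after the package name, so "asterisk/stable (berni)" and "pjproject (berni)" would be consistent and parseable by whatever reads the claim field. The ncmpc hunk moves [wheezy] below [jessie], which matches the newest-to-oldest suite order used elsewhere in data/CVE/list.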
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Take ldap-account-manager
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 0acbc544 by Brian May at 2018-04-04T16:49:54+10:00 Take ldap-account-manager - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -53,7 +53,7 @@ lame (Hugo Lefeuvre) NOTE: 20180317: Patch available and tested. However I am probably not going to upload it since the security team is not NOTE: interested in patching Jessie and I evaluate regression risks as non negligible. -- -ldap-account-manager +ldap-account-manager (Brian May) -- leptonlib NOTE: more issues like previous ones View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0acbc54499e1d0a6978632375de50acdf0e6d41d
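Review bot: Claiming the package follows the file's "package (name)" convention, but the lame entry directly above shows the other half of that convention, a dated "NOTE: YYYYMMDD:" line describing the state of the work; adding one here, even if it only records the claim date, lets the LTS coordinator see when a claim has gone stale without consulting git history.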
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Cleanup trailing whitespaces
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0328c240 by Salvatore Bonaccorso at 2018-04-04T11:01:34+02:00 Cleanup trailing whitespaces - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6313,7 +6313,7 @@ CVE-2018-6914 (Directory traversal vulnerability in the Dir.mktmpdir method in t - ruby2.3 - ruby2.1 - ruby1.9.1 - NOTE: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/ + NOTE: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/ CVE-2018-163 REJECTED CVE-2017-18179 (Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring ...) @@ -23609,7 +23609,7 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive definition (such as can - openssl1.0 1.0.2o-1 NOTE: https://www.openssl.org/news/secadv/20180327.txt NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33 - NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d + NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d CVE-2018-0738 RESERVED CVE-2018-0737 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0328c240d9973ed62266bf9c788714af78d260f3
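Review bot: Both hunks are whitespace-only (a trailing space after the ruby-lang.org and openssl.git URLs), so the removed and added lines are indistinguishable in this mail and a reader cannot verify the change from the notification alone; harmless as a cleanup, but trailing whitespace keeps arriving in NOTE lines that are pasted from browsers, so a pre-commit hook that rejects trailing whitespace in data/CVE/list would avoid further cosmetic commits like this one.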
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add preliminary information on new wireshark CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 287a4e7c by Salvatore Bonaccorso at 2018-04-04T11:01:04+02:00 Add preliminary information on new wireshark CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,41 +1,99 @@ CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14489 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=211845aba4794720ae265c782cdffddae54a3e7a + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f38e895dfc0d97bce64f73ce99df706911d9aa07 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9273 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14488 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1f8f1456f1e73b6c09e50a64749e43413ac12df7 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9272 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14487 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e3b90824a82724f445a0374e99f0b76e4cf5e8b + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9271 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14486 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5b0228945dc74ee82d2ab4a4e7af2bdfe7b75910 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9270 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/oids.c has a ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14485 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0fbc50f9b9219be54d6db47f04b65af19696a7c7 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9269 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) 
- TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14484 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e19aba33026212cbe000ece633adf14d109489fa + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9268 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14483 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c69d710d2bf39fe633800db65efddf55701131b6 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9267 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14482 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8ed057f7faa709dbde34b91f0715a957837f74d9 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9266 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14481 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9d3714e767cb104dcfa1647935fa5960b16bb8e1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9265 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14480 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b12cc581cd4878d74b6116ca02c7dbe650c1f242 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html CVE-2018-9264 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the ADB dissector ...) 
- TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14460 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0290a62be0fca8da9bb190f59dc1fe26c1d65024 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-16.html CVE-2018-9263 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the Kerberos dissector ...) - TODO: check + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14576 + NOTE:
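Review bot: None of the wireshark entries records the fixed upstream versions even though the descriptions imply them (2.4.0 to 2.4.5 and 2.2.0 to 2.2.13 affected, hence 2.4.6 and 2.2.14 fix); adding them, and later the Debian fixed version, is what lets the suites shipping the 2.2 series be assessed. Note also that CVE-2018-9264 points at wnpa-sec-2018-16 and upstream bug 14460, while CVE-2018-9265 through CVE-2018-9274 all point at wnpa-sec-2018-24 and bugs 14480 to 14489; that is consistent with the advisory numbering, but CVE-2018-9274 is the only entry with two fix commits and the CVE-2018-9263 entry is cut off in this mail, so both deserve a second look when the preliminary data is finalised.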
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2017-12627 as no-dsa as discussed with maintainer
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3472d427 by Salvatore Bonaccorso at 2018-04-04T11:26:35+02:00 Mark CVE-2017-12627 as no-dsa as discussed with maintainer - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -38842,6 +38842,8 @@ CVE-2017-12628 (The JMX server embedded in Apache James, also used by the comman CVE-2017-12627 (In Apache Xerces-C XML Parser library before 3.2.1, processing of ...) {DLA-1328-1} - xerces-c 3.2.1+debian-1 (bug #894050) + [stretch] - xerces-c (Minor issue; can be fixed via point release) + [jessie] - xerces-c (Minor issue; can be fixed via point release) NOTE: https://svn.apache.org/viewvc?view=revision=1819998 NOTE: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt CVE-2017-12626 (Apache POI in versions prior to release 3.17 are vulnerable to Denial ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3472d4273f5afe9c1416f5d55cda2b23bd5aa943
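Review bot: The unchanged NOTE line reads https://svn.apache.org/viewvc?view=revision=1819998, which is not a valid viewvc query (the form is view=revision&revision=1819998); the ampersand was most likely lost when the URL was pasted, and since this commit is the one that declares the issue fixable via point release, it is the right moment to correct the reference the point-release uploader will follow. The {DLA-1328-1} marker shows a wheezy backport already exists, so a NOTE pointing at that patch would make the stretch and jessie point-release updates a straightforward cherry-pick.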
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b8b4a47 by security tracker role at 2018-04-04T08:10:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,6 +1,88 @@ -CVE-2018-9234 +CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ui/failure_message.c ...) + TODO: check +CVE-2018-9273 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9272 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9271 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9270 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, epan/oids.c has a ...) + TODO: check +CVE-2018-9269 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9268 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9267 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9266 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9265 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...) + TODO: check +CVE-2018-9264 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the ADB dissector ...) + TODO: check +CVE-2018-9263 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the Kerberos dissector ...) + TODO: check +CVE-2018-9262 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the VLAN dissector ...) + TODO: check +CVE-2018-9261 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the NBAP dissector ...) + TODO: check +CVE-2018-9260 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the IEEE 802.15.4 ...) + TODO: check +CVE-2018-9259 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the MP4 dissector ...) + TODO: check +CVE-2018-9258 (In Wireshark 2.4.0 to 2.4.5, the TCP dissector could crash. This was ...) + TODO: check +CVE-2018-9257 (In Wireshark 2.4.0 to 2.4.5, the CQL dissector could go into an ...) + TODO: check +CVE-2018-9256 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the LWAPP dissector ...) 
+ TODO: check +CVE-2018-9255 + RESERVED +CVE-2018-9254 RESERVED -CVE-2018-9240 [Crash in chat screen when another client sends a long line] +CVE-2018-9253 + RESERVED +CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...) + TODO: check +CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...) + TODO: check +CVE-2018-9250 + RESERVED +CVE-2018-9249 + RESERVED +CVE-2018-9248 + RESERVED +CVE-2018-9247 (The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in ...) + TODO: check +CVE-2018-9246 + RESERVED +CVE-2018-9245 + RESERVED +CVE-2018-9244 + RESERVED +CVE-2018-9243 + RESERVED +CVE-2018-9242 + RESERVED +CVE-2018-9241 + RESERVED +CVE-2018-9239 + RESERVED +CVE-2018-9238 (proberv.php in Yahei-PHP Proberv 0.4.7 has XSS via the funName ...) + TODO: check +CVE-2018-9237 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the Site ...) + TODO: check +CVE-2018-9236 (iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the Site ...) + TODO: check +CVE-2018-9235 (iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query ...) + TODO: check +CVE-2017-18256 (Brave Browser before 0.13.0 allows remote attackers to cause a denial ...) + TODO: check +CVE-2016-10718 (Brave Browser before 0.13.0 allows a tab to close itself even if the ...) + TODO: check +CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which key ...) + TODO: check +CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a ...) - ncmpc (low; bug #894724) [stretch] - ncmpc (Minor issue) [jessie] - ncmpc (Minor issue) 
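Review bot: nineteen new Wireshark entries (CVE-2018-9256 through CVE-2018-9274) land as `TODO: check` with the same affected range "2.4.0 to 2.4.5 and 2.2.0 to 2.2.13" (CVE-2018-9257 and CVE-2018-9258 list only 2.4.0 to 2.4.5), which says they come from one upstream security release; triage them as a batch against that release's wnpa-sec advisories rather than one at a time, recording the bugzilla and commit references per CVE as the earlier Wireshark triage in this list does. One entry needs a specific check before it leaves TODO: CVE-2018-9251 is conditional on libxml2 being built `--with-lzma`, so confirm the Debian build's xz/lzma support before recording the package as affected. The move of CVE-2018-9234 from the top of the list to its place below, and the replacement of the bracketed CVE-2018-9240 summary by the MITRE text, both keep the existing ncmpc triage lines intact, so nothing is lost there.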
@@ -732,8 +814,8 @@ CVE-2017-18242 (The apply_dependent_coupling function in libavcodec/aacdec.c in - libav (low) [jessie] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1093 -CVE-2018-8941 - RESERVED +CVE-2018-8941 (Diagnostics functionality on D-Link DSL-3782 devices with firmware EU ...) + TODO: check CVE-2018-8940 RESERVED CVE-2018-8939 @@ -1109,29 +1191,25 @@ CVE-2018-8782 RESERVED CVE-2018-8781 RESERVED -CVE-2018-8780 [ruby: Unintentional directory traversal by poisoned NUL byte in Dir] - RESERVED +CVE-2018-8780 (In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x ...) - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 NOTE:
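Review bot: CVE-2018-8941 describes a diagnostics function on D-Link DSL-3782 devices with vendor firmware, an embedded-device issue with no corresponding Debian package, so the automatic `TODO: check` can be resolved directly to a `NOT-FOR-US: D-Link DSL-3782 firmware` line instead of waiting for manual triage.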
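Review bot: for CVE-2018-8780 the bracketed summary `[ruby: Unintentional directory traversal by poisoned NUL byte in Dir]` is replaced by the MITRE text, which now records the fixed upstream releases (2.2.10, 2.3.7, 2.4.4 and the 2.5.x fix), yet the package lines that survive as context, `- ruby2.5 2.5.1-1`, `- ruby2.3`, `- ruby2.1`, `- ruby1.9.1`, give a fixed version only for ruby2.5. The hunk is truncated at `NOTE:` here, so release annotations may follow; if they do not, the ruby2.3, ruby2.1 and ruby1.9.1 lines need fixed versions or per-release markers now that the upstream fix points are on record in the entry itself.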
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-9252/jasper
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc7b2c38 by Salvatore Bonaccorso at 2018-04-04T10:31:17+02:00 Add CVE-2018-9252/jasper - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -43,7 +43,8 @@ CVE-2018-9254 CVE-2018-9253 RESERVED CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion in the ...) - TODO: check + - jasper + NOTE: https://github.com/mdadams/jasper/issues/173 CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...) - libxml2 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc7b2c38fc244af075bdd81954eb92248d7e31f0
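Review bot: `- jasper` replaces the TODO without a fixed version, a severity or a Debian bug reference, so the entry says only that every suite is affected and gives no way to tell from the tracker whether the crash is considered worth a DSA. The description (denial of service through a reachable assertion, i.e. a crash on crafted input) and the linked upstream issue are enough to add a severity in the parenthesised form used for CVE-2018-9240 in the automatic-update diff above, `(low; bug #...)` once a Debian bug is filed, and `[stretch]`/`[jessie]` lines once the decision on stable updates is taken. The libxml2 entry kept as context directly below it has the same shape (`- libxml2` with a NOTE and nothing else) and would benefit from the same treatment.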