[Git][security-tracker-team/security-tracker][master] Process NFU

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
62b10f03 by Salvatore Bonaccorso at 2018-09-19T20:18:01Z
Process NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,7 +11,7 @@ CVE-2018-17210
 CVE-2018-17209
RESERVED
 CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated 
command ...)
-   TODO: check
+   NOT-FOR-US: Linksys Velop
 CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 
1.2.42. By ...)
TODO: check
 CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6. The ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/62b10f0329faa7ca965bdbdabf0cb323b2a6fbe3

-- 
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] LTS/Take over php5 from Abhijith with his approval

2018-09-19 Thread Roberto C. Sánchez
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81b1938e by Roberto C. Sánchez at 2018-09-20T01:44:53Z
LTS/Take over php5 from Abhijith with his approval

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -72,7 +72,7 @@ openjdk-7 (Emilio Pozuelo)
 openjpeg2 (Hugo Lefeuvre)
   NOTE: 20180719: there is no patch available for the remaining CVEs
 --
-php5 (Abhijith PA)
+php5 (Roberto C. Sánchez)
 --
 phpldapadmin (Mike Gabriel)
   NOTE: 20180731: See 
https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already 
done
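
Review bot: the changed php5 line swaps the claimant but leaves nothing in the file about the handover that the commit message describes. A dated NOTE under the entry, in the form the neighbouring entries already use ("NOTE: 20180719: ..."), would record that the package was taken over with the previous claimant's approval.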



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/81b1938e98069fe677255963ff73e4fa6c31b8b9


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17204/openvswitch

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68d10f13 by Salvatore Bonaccorso at 2018-09-19T21:11:31Z
Add CVE-2018-17204/openvswitch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,11 @@ CVE-2018-17205 (An issue was discovered in Open vSwitch 
(OvS) 2.7.x through 2.7.
NOTE: 
https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928
 (branch-2.8)
NOTE: 
https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6
 (branch-2.7)
 CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)
-   TODO: check
+   - openvswitch 
+   NOTE: 
https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa
 (master)
+   NOTE: 
https://github.com/openvswitch/ovs/commit/8976ea1d680ab7a2d726a50e5666aa8fefd24168
 (branch-2.8)
+   NOTE: 
https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde
 (branch-2.7)
+   NOTE: ovs-vswitchd does not enable support for OpenFlow 1.5 by default.
 CVE-2018-17203
RESERVED
 CVE-2018-17202
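
Review bot: the last added NOTE for CVE-2018-17204 states that ovs-vswitchd does not enable OpenFlow 1.5 by default but does not say what follows from that. If the intent is that the default configuration is not exposed, say so in the NOTE, so the entry can be triaged without opening the three upstream commits.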



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/68d10f136ad2863973cf30383913a7cd328cce91


[Git][security-tracker-team/security-tracker][master] add note to dla-needed.txt

2018-09-19 Thread Abhijith PA
Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea5313a2 by Abhijith PA at 2018-09-19T20:13:38Z
add note to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -91,6 +91,7 @@ suricata (Thorsten Alteholz)
 symfony (Thorsten Alteholz)
 --
 sympa
+  NOTE: 20180920: update available at 
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=908165;filename=sympa_deb8u3.debdiff;msg=17
 (abhijith)
 --
 thunderbird
 --
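
Review bot: the added NOTE is signed "(abhijith)" but the sympa line itself still has no claimant in parentheses, unlike the suricata and symfony entries above it. If the debdiff is being carried through to upload by the note's author, claim the entry on the package line; otherwise say in the NOTE that the update still needs someone to review and upload it. The NOTE is also dated 20180920 while the commit is timestamped 2018-09-19T20:13:38Z.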



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea5313a2a047bd0ce1e86d9ab854fba2795e0a5f


[Git][security-tracker-team/security-tracker][master] Process NFUs

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a25996b by Salvatore Bonaccorso at 2018-09-19T20:38:37Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,7 +13,7 @@ CVE-2018-17209
 CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated 
command ...)
NOT-FOR-US: Linksys Velop
 CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 
1.2.42. By ...)
-   TODO: check
+   NOT-FOR-US: Snap Creek Duplicator
 CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6. The ...)
TODO: check
 CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)
@@ -1371,7 +1371,7 @@ CVE-2018-16609
 CVE-2018-16608 (In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can 
change ...)
NOT-FOR-US: Monstra CMS
 CVE-2018-16607 (Cross-site scripting (XSS) vulnerability in the Orgs Page in 
...)
-   TODO: check
+   NOT-FOR-US: Orgs Page in Open-AudIT Professional
 CVE-2018-16606 (In ProConf before 6.1, an Insecure Direct Object Reference 
(IDOR) ...)
NOT-FOR-US: ProConf
 CVE-2018-16605 (D-Link DIR-600M devices allow XSS via the Hostname and 
Username fields ...)
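
Review bot: "NOT-FOR-US: Orgs Page in Open-AudIT Professional" on the CVE-2018-16607 entry names the affected page rather than the product. The surrounding entries use the product name alone ("Monstra CMS", "ProConf"), so "NOT-FOR-US: Open-AudIT Professional" would be consistent and easier to search for.
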
@@ -4072,7 +4072,7 @@ CVE-2018-15548
 CVE-2018-15547
RESERVED
 CVE-2018-15546 (Accusoft PrizmDoc version 13.3 and earlier contains a Stored 
...)
-   TODO: check
+   NOT-FOR-US: Accusoft PrizmDoc
 CVE-2018-15545
RESERVED
 CVE-2018-15544
@@ -5669,7 +5669,7 @@ CVE-2018-14794
 CVE-2018-14793 (DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is 
vulnerable ...)
NOT-FOR-US: DeltaV
 CVE-2018-14792 (WECON PLC Editor version 1.3.3U may allow an attacker to 
execute code ...)
-   TODO: check
+   NOT-FOR-US: WECON
 CVE-2018-14791 (Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 
may ...)
NOT-FOR-US: Emerson DeltaV DCS
 CVE-2018-14790
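
Review bot: "NOT-FOR-US: WECON" for CVE-2018-14792 gives only the vendor, while the description and the neighbouring entry name the product ("WECON PLC Editor", "Emerson DeltaV DCS"). Suggest "NOT-FOR-US: WECON PLC Editor".
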
@@ -9207,7 +9207,7 @@ CVE-2018-13400
 CVE-2018-13399
RESERVED
 CVE-2018-13398 (The administrative smart-commits resource in Atlassian Fisheye 
and ...)
-   TODO: check
+   NOT-FOR-US: Atlassian Fisheye and Crucible
 CVE-2018-13397
RESERVED
 CVE-2018-13396
@@ -12311,9 +12311,9 @@ CVE-2018-12245
 CVE-2018-12244
RESERVED
 CVE-2018-12243 (The Symantec Messaging Gateway product prior to 10.6.6 may be 
...)
-   TODO: check
+   NOT-FOR-US: Symantec
 CVE-2018-12242 (The Symantec Messaging Gateway product prior to 10.6.6 may be 
...)
-   TODO: check
+   NOT-FOR-US: Symantec
 CVE-2018-12241
RESERVED
 CVE-2018-12240 (The Norton Identity Safe product prior to 5.3.0.976 may be 
susceptible ...)
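
Review bot: both added lines, for CVE-2018-12243 and CVE-2018-12242, read "NOT-FOR-US: Symantec", which is the vendor only. The descriptions name the Symantec Messaging Gateway; using that product name would match the other hunks of this commit ("Accusoft PrizmDoc", "Atlassian Fisheye and Crucible").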



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a25996b33a8051f9569179baa4b65efeeffbba1


[Git][security-tracker-team/security-tracker][master] Add reference to reported bug for glusterfs

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5673d80 by Salvatore Bonaccorso at 2018-09-19T20:20:38Z
Add reference to reported bug for glusterfs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15753,20 +15753,20 @@ CVE-2018-10931 (It was found that cobbler 2.6.x 
exposed all functions from its .
- cobbler 
NOTE: http://www.openwall.com/lists/oss-security/2018/08/09/9
 CVE-2018-10930 (A flaw was found in RPC request using gfs3_rename_req in 
glusterfs ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612664
NOTE: https://review.gluster.org/21068
 CVE-2018-10929 (A flaw was found in RPC request using gfs2_create_req in 
glusterfs ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612660
 CVE-2018-10928 (A flaw was found in RPC request using gfs3_symlink_req in 
glusterfs ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612659
 CVE-2018-10927 (A flaw was found in RPC request using gfs3_lookup_req in 
glusterfs ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612658
 CVE-2018-10926 (A flaw was found in RPC request using gfs3_mknod_req supported 
by ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1613143
 CVE-2018-10925 (It was discovered that PostgreSQL versions before 10.5, 
9.6.10, ...)
{DSA-4269-1}
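
Review bot: one report, bug #909215, is attached to five separate CVEs in this hunk (CVE-2018-10930 down to CVE-2018-10926) and to more in the hunks that follow. Confirm that the bug lists each CVE id, since the tracker lines alone will not show which of them a later upload addresses.
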
@@ -15786,7 +15786,7 @@ CVE-2018-10924 (It was discovered that fsync(2) system 
call in glusterfs client
NOTE: Introduced by: 
http://git.gluster.org/cgit/glusterfs.git/commit/?id=51dfc9c789b8405f595a337eade938aedcb449c4
NOTE: https://review.gluster.org/20723
 CVE-2018-10923 (It was found that the mknod call derived from 
mknod(2) can create ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1610659
NOTE: https://review.gluster.org/21069
 CVE-2018-10922 (An input validation flaw exists in ttembed. With a crafted 
input file, ...)
@@ -15825,17 +15825,17 @@ CVE-2018-10915 (A vulnerability was found in libpq, 
the default PostgreSQL clien
NOTE: Fixed in 9.3.24, 9.4.19, 9.5.14, 9.6.10, 10.5
NOTE: https://www.postgresql.org/about/news/1878/
 CVE-2018-10914 (It was found that an attacker could issue a xattr request via 
...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1607617
NOTE: https://review.gluster.org/21071
 CVE-2018-10913 (An information disclosure vulnerability was discovered in 
glusterfs ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1607618
NOTE: https://review.gluster.org/21071
 CVE-2018-10912 (keycloak before version 4.0.0.final is vulnerable to a 
infinite loop ...)
NOT-FOR-US: Keycloak
 CVE-2018-10911 (A flaw was found in the way dic_unserialize function of 
glusterfs does ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601657
NOTE: https://review.gluster.org/21067
 CVE-2018-10910 [ailure in disabling Bluetooth discoverability in certain cases 
may lead to the unauthorized pairing of Bluetooth devices]
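
Review bot: the unchanged context line for CVE-2018-10910 begins "[ailure in disabling Bluetooth discoverability", which looks like a dropped leading "F". It is outside the scope of this change, but worth correcting in a follow-up while this part of the file is being touched.
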
@@ -15852,7 +15852,7 @@ CVE-2018-10909
 CVE-2018-10908 (It was found that vdsm before version 4.20.37 invokes qemu-img 
on ...)
NOT-FOR-US: ovirt
 CVE-2018-10907 (It was found that glusterfs server is vulnerable to multiple 
stack ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601642
NOTE: https://review.gluster.org/21070
 CVE-2018-10906 (In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount 
is ...)
@@ -15864,7 +15864,7 @@ CVE-2018-10906 (In fuse before versions 2.9.8 and 3.x 
before 3.2.5, fusermount i
 CVE-2018-10905 (CloudForms Management Engine (cfme) is vulnerable to an 
improper ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
 CVE-2018-10904 (It was found that glusterfs server does not properly sanitize 
file ...)
-   - glusterfs 
+   - glusterfs  (bug #909215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601298
NOTE: https://review.gluster.org/21072
 CVE-2018-10903 (A flaw was found in python-cryptography versions between 
=1.9.0 and ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5673d80d8dfa8f2b2c6c6b2d6363dd1923252e7


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17206/openvswitch

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
edb64179 by Salvatore Bonaccorso at 2018-09-19T21:02:05Z
Add CVE-2018-17206/openvswitch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,7 +15,10 @@ CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow 
unauthenticated command
 CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 
1.2.42. By ...)
NOT-FOR-US: Snap Creek Duplicator
 CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6. The ...)
-   TODO: check
+   - openvswitch 
+   NOTE: 
https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226
 (master)
+   NOTE: 
https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8
 (branch-2.8)
+   NOTE: 
https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8
 (branch-2.7)
 CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)
TODO: check
 CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/edb641791a2a05b2ea85525b9c73a56c910ae39a


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17144/bitcoin

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9682af2f by Salvatore Bonaccorso at 2018-09-19T21:19:58Z
Add CVE-2018-17144/bitcoin

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -151,7 +151,8 @@ CVE-2018-17146
 CVE-2018-17145
RESERVED
 CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 
0.16.x ...)
-   TODO: check
+   - bitcoin 
+   NOTE: 
https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17144
 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go 
mishandles ...)
TODO: check, in golang-golang-x-net-dev?
 CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go 
mishandles ...)
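
Review bot: the only reference added for CVE-2018-17144 is a wiki page. The description already names fixed upstream releases (0.14.3, 0.15.2, ...), so a further NOTE pointing at the upstream advisory or fixing commit would make it possible to resolve the bitcoin package line to a version later.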



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9682af2f29bf4e041885a2273efa63a9fe2b1eea


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17205/openvswitch

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d5b57ad by Salvatore Bonaccorso at 2018-09-19T21:05:41Z
Add CVE-2018-17205/openvswitch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20,7 +20,10 @@ CVE-2018-17206 (An issue was discovered in Open vSwitch 
(OvS) 2.7.x through 2.7.
NOTE: 
https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8
 (branch-2.8)
NOTE: 
https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8
 (branch-2.7)
 CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)
-   TODO: check
+   - openvswitch 
+   NOTE: 
https://github.com/openvswitch/ovs/commit/9a0ac025de9303334688ff08f01fc08604d2f624
 (master)
+   NOTE: 
https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928
 (branch-2.8)
+   NOTE: 
https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6
 (branch-2.7)
 CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)
TODO: check
 CVE-2018-17203



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d5b57ad5c288648d99c078492eada100fc6b157


[Git][security-tracker-team/security-tracker][master] Update unstable information for CVE-2018-1084{4,5,6}

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1b59f21e by Salvatore Bonaccorso at 2018-09-19T20:08:13Z
Update unstable information for CVE-2018-1084{4,5,6}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16051,22 +16051,26 @@ CVE-2018-10846 (A cache-based side channel in GnuTLS 
implementation that leads t
- gnutls28 
- gnutls26 
NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657
+   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39
 (master)
NOTE: The proposed fix is to introduce a new option to force 
encrypt-then-mac
NOTE: instead of correcting the issue.
NOTE: https://eprint.iacr.org/2018/747
 CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 
was ...)
-   - gnutls28 
+   - gnutls28 3.5.19-1
- gnutls26 
NOTE: https://gitlab.com/gnutls/gnutls/issues/455
-   NOTE: Correctly account length field 
https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb
+   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb
 (master)
+   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/e14d85eb8b1987d86f7b1d101a0e7795675d20d4
 (gnutls_3_5_19)
NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657
NOTE: https://eprint.iacr.org/2018/747
 CVE-2018-10844 (It was found that the GnuTLS implementation of HMAC-SHA-256 
was ...)
-   - gnutls28 
+   - gnutls28 3.5.19-1
- gnutls26 
NOTE: https://gitlab.com/gnutls/gnutls/issues/456
-   NOTE: Remove from defaults 
https://gitlab.com/gnutls/gnutls/commit/29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b
-   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09
+   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b
 (master)
+   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09
 (master)
+   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/c433cdf92349afae66c703bdacedf987f423605e
 (gnutls_3_5_19)
+   NOTE: 
https://gitlab.com/gnutls/gnutls/commit/c2e094acd68f7159025b2e2556d6fb4427b41dd7
 (gnutls_3_5_19)
NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657
NOTE: https://eprint.iacr.org/2018/747
 CVE-2018-10843 (source-to-image component of Openshift Container Platform 
before ...)
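
Review bot: the replacement NOTE lines for CVE-2018-10845 and CVE-2018-10844 drop the short descriptions the removed lines carried ("Correctly account length field", "Remove from defaults") and keep only a URL plus a branch tag. Keep the description alongside the (master) URL so a reader can tell what each commit does without opening it. Separately, CVE-2018-10846 gains a (master) commit but no gnutls_3_5_19 one, unlike the other two entries; a NOTE saying whether 3.5.19 carries that change would explain the difference.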



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b59f21efe1f6fc62c23d3833ea875b662b68676


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1508-1 for suricata

2018-09-19 Thread Thorsten Alteholz
Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2556fb7b by Thorsten Alteholz at 2018-09-19T20:32:00Z
Reserve DLA-1508-1 for suricata

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[19 Sep 2018] DLA-1508-1 suricata - security update
+   {CVE-2016-10728}
+   [jessie] - suricata 2.0.7-2+deb8u1
 [18 Sep 2018] DLA-1507-1 libapache2-mod-perl2 - security update
{CVE-2011-2767}
[jessie] - libapache2-mod-perl2 2.0.9~1624218-2+deb8u3


=
data/dla-needed.txt
=
@@ -86,8 +86,6 @@ smarty3 (Mike Gabriel)
 --
 spamassassin
 --
-suricata (Thorsten Alteholz)
---
 symfony (Thorsten Alteholz)
 --
 sympa



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2556fb7b34c0e51ce687b6510c88ee73506c85fb


[Git][security-tracker-team/security-tracker][master] automatic update

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b5daf78 by security tracker role at 2018-09-19T20:10:24Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,66 @@
-CVE-2018-17182 [mm: get rid of vmacache_flush_all() entirely]
+CVE-2018-17214
+   RESERVED
+CVE-2018-17213
+   RESERVED
+CVE-2018-17212
+   RESERVED
+CVE-2018-17211
+   RESERVED
+CVE-2018-17210
+   RESERVED
+CVE-2018-17209
+   RESERVED
+CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated 
command ...)
+   TODO: check
+CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 
1.2.42. By ...)
+   TODO: check
+CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6. The ...)
+   TODO: check
+CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)
+   TODO: check
+CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, ...)
+   TODO: check
+CVE-2018-17203
+   RESERVED
+CVE-2018-17202
+   RESERVED
+CVE-2018-17201
+   RESERVED
+CVE-2018-17200
+   RESERVED
+CVE-2018-17199
+   RESERVED
+CVE-2018-17198
+   RESERVED
+CVE-2018-17197
+   RESERVED
+CVE-2018-17196
+   RESERVED
+CVE-2018-17195
+   RESERVED
+CVE-2018-17194
+   RESERVED
+CVE-2018-17193
+   RESERVED
+CVE-2018-17192
+   RESERVED
+CVE-2018-17191
+   RESERVED
+CVE-2018-17190
+   RESERVED
+CVE-2018-17189
+   RESERVED
+CVE-2018-17188
+   RESERVED
+CVE-2018-17187
+   RESERVED
+CVE-2018-17186
+   RESERVED
+CVE-2018-17185
+   RESERVED
+CVE-2018-17184
+   RESERVED
+CVE-2018-17182 (An issue was discovered in the Linux kernel through 4.18.8. 
The ...)
- linux 
NOTE: 
https://git.kernel.org/linus/7a9cdebdcc17e426fb5287e4a82db1dfe86339b2
 CVE-2018-17181
@@ -78,8 +140,8 @@ CVE-2018-17146
RESERVED
 CVE-2018-17145
RESERVED
-CVE-2018-17144
-   RESERVED
+CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 
0.16.x ...)
+   TODO: check
 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go 
mishandles ...)
TODO: check, in golang-golang-x-net-dev?
 CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go 
mishandles ...)
@@ -195,7 +257,8 @@ CVE-2018-17096 (The BPMDetect class in BPMDetect.cpp in 
libSoundTouch.a in Olli
[stretch] - soundtouch  (Minor issue)
[jessie] - soundtouch  (Minor issue)
NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14
-CVE-2018-17183 [gs 699708: 'Hide' non-replaceable error handlers for SAFER]
+CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a user-writable error 
exception ...)
+   {DSA-4294-1}
- ghostscript 9.25~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699708
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624
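
Review bot: CVE-2018-17183 keeps its position after CVE-2018-17096, while the first hunk of this update lists CVE-2018-17184 directly followed by CVE-2018-17182. Now that the entry carries its official description and {DSA-4294-1}, move it into sequence between those two so the list stays in descending order.
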
@@ -894,8 +957,8 @@ CVE-2018-16787
RESERVED
 CVE-2018-16786
RESERVED
-CVE-2018-16785
-   RESERVED
+CVE-2018-16785 (XML injection vulnerability exists in the file of DedeCMS V5.7 
SP2 ...)
+   TODO: check
 CVE-2018-16784
RESERVED
 CVE-2018-16783
@@ -1307,8 +1370,8 @@ CVE-2018-16609
RESERVED
 CVE-2018-16608 (In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can 
change ...)
NOT-FOR-US: Monstra CMS
-CVE-2018-16607
-   RESERVED
+CVE-2018-16607 (Cross-site scripting (XSS) vulnerability in the Orgs Page in 
...)
+   TODO: check
 CVE-2018-16606 (In ProConf before 6.1, an Insecure Direct Object Reference 
(IDOR) ...)
NOT-FOR-US: ProConf
 CVE-2018-16605 (D-Link DIR-600M devices allow XSS via the Hostname and 
Username fields ...)
@@ -5605,8 +5668,8 @@ CVE-2018-14794
RESERVED
 CVE-2018-14793 (DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is 
vulnerable ...)
NOT-FOR-US: DeltaV
-CVE-2018-14792
-   RESERVED
+CVE-2018-14792 (WECON PLC Editor version 1.3.3U may allow an attacker to 
execute code ...)
+   TODO: check
 CVE-2018-14791 (Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 
may ...)
NOT-FOR-US: Emerson DeltaV DCS
 CVE-2018-14790
@@ -12247,10 +12310,10 @@ CVE-2018-12245
RESERVED
 CVE-2018-12244
RESERVED
-CVE-2018-12243
-   RESERVED
-CVE-2018-12242
-   RESERVED
+CVE-2018-12243 (The Symantec Messaging Gateway product prior to 10.6.6 may be 
...)
+   TODO: check
+CVE-2018-12242 (The Symantec Messaging Gateway product prior to 10.6.6 may be 
...)
+   TODO: check
 CVE-2018-12241
RESERVED
 CVE-2018-12240 (The Norton Identity Safe product prior to 5.3.0.976 may be 
susceptible ...)
@@ -13028,51 +13091,50 @@ CVE-2018-11906
RESERVED
 CVE-2018-11905
RESERVED

[Git][security-tracker-team/security-tracker][master] Reserve DLA-1509-1 for php5

2018-09-19 Thread Roberto C. Sánchez
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09d98fa0 by Roberto C. Sánchez at 2018-09-20T02:48:46Z
Reserve DLA-1509-1 for php5

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[19 Sep 2018] DLA-1509-1 php5 - security update
+   {CVE-2018-17082}
+   [jessie] - php5 5.6.38+dfsg-0+deb8u1
 [19 Sep 2018] DLA-1508-1 suricata - security update
{CVE-2016-10728}
[jessie] - suricata 2.0.7-2+deb8u1


=
data/dla-needed.txt
=
@@ -72,8 +72,6 @@ openjdk-7 (Emilio Pozuelo)
 openjpeg2 (Hugo Lefeuvre)
   NOTE: 20180719: there is no patch available for the remaining CVEs
 --
-php5 (Roberto C. Sánchez)
---
 phpldapadmin (Mike Gabriel)
   NOTE: 20180731: See 
https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already 
done
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/09d98fa098b46d5bc608b0b5c457e0a56f22


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-5741/bind9

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
10ba7b53 by Salvatore Bonaccorso at 2018-09-20T05:14:27Z
Add CVE-2018-5741/bind9

ISC BIND before releases 9.11.4-P2 and 9.12.2-P2 does not properly
document the behaviour of the krb5-subdomain and ms-subdomain update
policies. This incorrect documentation could mislead operators into
believing that policies they had configured were more restrictive than
they actually were.

Will be addressed in

BIND 9.11.5
BIND 9.12.3

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30768,8 +30768,12 @@ CVE-2018-5743
RESERVED
 CVE-2018-5742
RESERVED
-CVE-2018-5741
+CVE-2018-5741 [Update policies krb5-subdomain and ms-subdomain]
RESERVED
+   - bind9  (unimportant)
+   NOTE: https://kb.isc.org/docs/cve-2018-5741
+   NOTE: No code fix provided; Incorrect documentation of krb5-subdomain 
and ms-subdomain update policies.
+   NOTE: Will be adressed in 9.11.5, 9.12.3
 CVE-2018-5740 [A flaw in the "deny-answer-aliases" feature can cause an INSIST 
assertion failure in named]
RESERVED
{DLA-1485-1}
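
Review bot: the last added NOTE for CVE-2018-5741 spells "adressed"; it should read "addressed". The package line also marks bind9 as (unimportant) while the entry is still RESERVED with only a bracketed working title, so the NOTE beginning "No code fix provided; Incorrect documentation" carries the whole justification; lower-casing "incorrect" after the semicolon would make it read as one sentence.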



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/10ba7b53408ec359d2ab937532ba94e003e1b30d


[Git][security-tracker-team/security-tracker][master] Add as well litecoin source package tracking for CVE-2018-17144

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51356f27 by Salvatore Bonaccorso at 2018-09-20T05:31:35Z
Add as well litecoin source package tracking for CVE-2018-17144

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -152,6 +152,7 @@ CVE-2018-17145
RESERVED
 CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 
0.16.x ...)
- bitcoin 
+   - litecoin 0.16.3-1
NOTE: 
https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17144
 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go 
mishandles ...)
TODO: check, in golang-golang-x-net-dev?
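
Review bot: the added litecoin line records 0.16.3-1 as the fixed version, but the only NOTE under CVE-2018-17144 is the Bitcoin wiki link and the description speaks of Bitcoin Core releases. Add a NOTE with the litecoin reference that justifies 0.16.3-1, so the version can be checked later.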



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/51356f27c3c067bc2c3cb7b6455295dd7c7ddee4


[Git][security-tracker-team/security-tracker][master] Add three tika issues

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
82f0 by Salvatore Bonaccorso at 2018-09-19T13:01:11Z
Add three tika issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13401,10 +13401,14 @@ CVE-2018-11764
RESERVED
 CVE-2018-11763
RESERVED
-CVE-2018-11762
+CVE-2018-11762 [Zip Slip Vulnerability in Apache Tika's tika-app]
RESERVED
-CVE-2018-11761
+   - tika 
+   NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/5
+CVE-2018-11761 [Denial of Service via XML Entity Expansion Vulnerability]
RESERVED
+   - tika 
+   NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/4
 CVE-2018-11760
RESERVED
 CVE-2018-11759
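Review bot: the bracketed title added for CVE-2018-11761, "Denial of Service via XML Entity Expansion Vulnerability", does not name the affected product, unlike the CVE-2018-11762 title above it, which says "in Apache Tika's tika-app". Suggest appending "in Apache Tika" so the entry stays identifiable when searching the list while it is still RESERVED.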
@@ -23142,8 +23146,10 @@ CVE-2018-8019 (When using an OCSP responder Apache 
Tomcat Native 1.2.0 to 1.2.16
NOTE: https://svn.apache.org/r1832832
 CVE-2018-8018 (Apache Ignite 2.5 and earlier serialization mechanism does not 
have a ...)
NOT-FOR-US: Apache Ignite
-CVE-2018-8017
+CVE-2018-8017 [Potential Infinite Loop in IptcAnpaParser]
RESERVED
+   - tika 
+   NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/6
 CVE-2018-8016 (The default configuration in Apache Cassandra 3.8 through 
3.11.1 binds ...)
- cassandra  (bug #585905)
 CVE-2018-8015 (In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger 
an ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/82f0e4b724bfb65ff1cc5c95bd1c9aae766c


[Git][security-tracker-team/security-tracker][master] Triage results.

2018-09-19 Thread Ola Lundqvist
Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7f6079f9 by Ola Lundqvist at 2018-09-19T18:23:00Z
Triage results.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -169,11 +169,15 @@ CVE-2018-17102 (An issue was discovered in QuickAppsCMS 
(aka QACMS) through ...)
 CVE-2018-17101 (An issue was discovered in LibTIFF 4.0.9. There are two 
out-of-bounds ...)
- tiff  (bug #909037)
- tiff3 
+   [stretch] - tiff  (Can be fixed along in future DSA)
+   [jessie] - tiff  (Can be fixed along in future DLA)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2807
NOTE: 
https://gitlab.com/libtiff/libtiff/merge_requests/33/diffs?commit_id=f1b94e8a3ba49febdd3361c0214a1d1149251577
 CVE-2018-17100 (An issue was discovered in LibTIFF 4.0.9. There is a int32 
overflow in ...)
- tiff  (bug #909038)
- tiff3 
+   [stretch] - tiff  (Can be fixed along in future DSA)
+   [jessie] - tiff  (Can be fixed along in future DLA)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2810
NOTE: 
https://gitlab.com/libtiff/libtiff/merge_requests/33/diffs?commit_id=6da1fb3f64d43be37e640efbec60400d1f1ac39e
 CVE-2018-17099
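Review bot: both entries in this hunk list tiff and tiff3, but the added [stretch] and [jessie] lines cover tiff only. If tiff3 is still present in either suite it needs its own triage line; if it is not, nothing changes, but that should be confirmed rather than left implicit.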
@@ -199,6 +203,7 @@ CVE-2018- [gs 699708: 'Hide' non-replaceable error 
handlers for SAFER]
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624
 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library 
(aka ...)
- audiofile 
+   [jessie] - audiofile  (Can be fixed along in future DLA)
NOTE: https://github.com/mpruett/audiofile/issues/50
NOTE: https://github.com/mpruett/audiofile/issues/51
 CVE-2018-17094 (An issue has been discovered in mackyle xar 1.6.1. There is a 
NULL ...)
@@ -406,6 +411,8 @@ CVE-2018-17001
 CVE-2018-17000 (A NULL pointer dereference in the function _TIFFmemcmp at 
tif_unix.c ...)
- tiff  (bug #908778)
- tiff3 
+   [stretch] - tiff  (Can be fixed along in future DSA)
+   [jessie] - tiff  (Can be fixed along in future DLA)
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2811
 CVE-2018-16999 (Netwide Assembler (NASM) 2.14rc15 has an invalid memory write 
...)
- nasm  (unimportant)
@@ -7075,6 +7082,7 @@ CVE-2018-14321
RESERVED
 CVE-2018-14320 (This vulnerability allows remote attackers to disclose 
sensitive ...)
- libpodofo 
+   [jessie] - libpodofo  (Minor issue)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
 CVE-2018-14319
RESERVED
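Review bot: the added "[jessie] - libpodofo  (Minor issue)" line carries no reasoning, while the CVE description on the entry says the flaw "allows remote attackers to disclose sensitive ...". A short NOTE stating why this is minor for jessie would let the next triager verify the call instead of redoing it.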



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f6079f9eaa4b5c6e230517272ed1096d61323ba


[Git][security-tracker-team/security-tracker][master] Triage results.

2018-09-19 Thread Ola Lundqvist
Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8607cd5 by Ola Lundqvist at 2018-09-19T18:35:48Z
Triage results.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13407,12 +13407,12 @@ CVE-2018-11764
 CVE-2018-11763
RESERVED
 CVE-2018-11762 [Zip Slip Vulnerability in Apache Tika's tika-app]
-   RESERVED
- tika 
+   [jessie] - tika  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/5
 CVE-2018-11761 [Denial of Service via XML Entity Expansion Vulnerability]
-   RESERVED
- tika 
+   [jessie] - tika  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/4
 CVE-2018-11760
RESERVED
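Review bot: this hunk deletes the RESERVED line from CVE-2018-11762 and CVE-2018-11761, but the commit message only says "Triage results." and the third tika entry triaged in the same commit, CVE-2018-8017, keeps its RESERVED line. If the removal is intentional, apply it consistently and mention it in the message; otherwise restore the two lines and keep this commit to the added [jessie] triage.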
@@ -23154,6 +23154,7 @@ CVE-2018-8018 (Apache Ignite 2.5 and earlier 
serialization mechanism does not ha
 CVE-2018-8017 [Potential Infinite Loop in IptcAnpaParser]
RESERVED
- tika 
+   [jessie] - tika  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/6
 CVE-2018-8016 (The default configuration in Apache Cassandra 3.8 through 
3.11.1 binds ...)
- cassandra  (bug #585905)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c8607cd52ceff09cba821008152601495e7cb13e


[Git][security-tracker-team/security-tracker][master] Add fixed version for jhead issues

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff542f7d by Salvatore Bonaccorso at 2018-09-19T18:39:48Z
Add fixed version for jhead issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1529,11 +1529,11 @@ CVE-2018-16516 (helpers.py in Flask-Admin 1.5.2 has 
Reflected XSS via a crafted
 CVE-2018-16514
RESERVED
 CVE-2018-17088 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 
3.00 may ...)
-   - jhead  (bug #907925)
+   - jhead 1:3.00-8 (bug #907925)
[stretch] - jhead  (Minor issue)
[jessie] - jhead  (Minor issue)
 CVE-2018-16554 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 
3.00 may ...)
-   - jhead  (bug #908176)
+   - jhead 1:3.00-8 (bug #908176)
[stretch] - jhead  (Minor issue)
[jessie] - jhead  (Minor issue)
 CVE-2018-16515 (Matrix Synapse before 0.33.3.1 allows remote attackers to 
spoof events ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff542f7df9a5398fac328380452e11d4f2ff5d8b


[Git][security-tracker-team/security-tracker][master] CVE-2018-17183/ghostscript assigned

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d7ff487 by Salvatore Bonaccorso at 2018-09-19T19:08:34Z
CVE-2018-17183/ghostscript assigned

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -195,9 +195,9 @@ CVE-2018-17096 (The BPMDetect class in BPMDetect.cpp in 
libSoundTouch.a in Olli
[stretch] - soundtouch  (Minor issue)
[jessie] - soundtouch  (Minor issue)
NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14
-CVE-2018- [gs 699708: 'Hide' non-replaceable error handlers for SAFER]
+CVE-2018-17183 [gs 699708: 'Hide' non-replaceable error handlers for SAFER]
- ghostscript 9.25~dfsg-1
-   [stretch] - ghostscript 9.20~dfsg-3.2+deb9u5
+   NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699708
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624
 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library 
(aka ...)
- audiofile 
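Review bot: removing "[stretch] - ghostscript 9.20~dfsg-3.2+deb9u5" leaves this CVE entry with no stretch information of its own; it stays covered only because the data/DSA/list hunk in the same commit adds CVE-2018-17183 to DSA-4294-1. The commit message "CVE-2018-17183/ghostscript assigned" mentions neither change, so it should say that the stretch fix is now tracked through the DSA.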


=
data/DSA/list
=
@@ -10,7 +10,7 @@
{CVE-2018-3639 CVE-2018-3640}
[stretch] - intel-microcode 3.20180807a.1~deb9u1
 [16 Sep 2018] DSA-4294-1 ghostscript - security update
-   {CVE-2018-16509 CVE-2018-16802}
+   {CVE-2018-16509 CVE-2018-16802 CVE-2018-17183}
[stretch] - ghostscript 9.20~dfsg-3.2+deb9u5
 [14 Sep 2018] DSA-4293-1 discount - security update
{CVE-2018-11468 CVE-2018-11503 CVE-2018-11504 CVE-2018-12495}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d7ff4871232f5de26bc7af8b613f77f73a2a3b6


[Git][security-tracker-team/security-tracker][master] 2 commits: Update information for CVE-2018-10846/gnutls28

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
12894eb7 by Salvatore Bonaccorso at 2018-09-19T19:46:25Z
Update information for CVE-2018-10846/gnutls28

- - - - -
6c5a7e68 by Salvatore Bonaccorso at 2018-09-19T19:46:35Z
Wrap one note

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16047,10 +16047,12 @@ CVE-2018-10847 (prosody before versions 0.10.2, 
0.9.14 is vulnerable to an ...)
NOTE: 
https://prosody.im/security/advisory_20180531/issue1147-0.10.1.patch (0.10.1)
NOTE: https://prosody.im/security/advisory_20180531/issue1147-0.9.patch 
(0.9.x)
 CVE-2018-10846 (A cache-based side channel in GnuTLS implementation that leads 
to ...)
+   [experimental] - gnutls28 3.6.3-1
- gnutls28 
- gnutls26 
NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657
-   NOTE: The proposed fix is to introduce a new option to force 
encrypt-then-mac instead of correcting the issue.
+   NOTE: The proposed fix is to introduce a new option to force 
encrypt-then-mac
+   NOTE: instead of correcting the issue.
NOTE: https://eprint.iacr.org/2018/747
 CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 
was ...)
- gnutls28 
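Review bot: the new "[experimental] - gnutls28 3.6.3-1" line marks that upload as fixed, while the NOTE rewrapped just below it says the proposed fix introduces an option to force encrypt-then-mac "instead of correcting the issue". Add a NOTE saying whether 3.6.3-1 is considered fixed by default or only when that option is enabled; as written the entry reads as contradictory.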



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/7d7ff4871232f5de26bc7af8b613f77f73a2a3b6...6c5a7e68c81a63097e37c90b7b0ea79aef667e5a


[Git][security-tracker-team/security-tracker][master] automatic update

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09b61d88 by security tracker role at 2018-09-19T08:10:19Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -143,8 +143,8 @@ CVE-2018-17113 
(App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploa
NOT-FOR-US: EasyCMS
 CVE-2018-17112
RESERVED
-CVE-2018-17111
-   RESERVED
+CVE-2018-17111 (The onlyOwner modifier of a smart contract implementation for 
...)
+   TODO: check
 CVE-2018-17110 (Simple POS 4.0.24 allows SQL Injection via a 
products/get_products/ ...)
NOT-FOR-US: Simple POS
 CVE-2018-17109
@@ -252,8 +252,8 @@ CVE-2018-17073 (wernsey/bitmap before 2018-08-18 allows a 
NULL pointer dereferen
NOT-FOR-US: bitmap
 CVE-2018-17072 (JSON++ through 2016-06-15 has a buffer over-read in yyparse() 
in ...)
NOT-FOR-US: JSON++
-CVE-2018-17071
-   RESERVED
+CVE-2018-17071 (The fallback function of a simple lottery smart contract ...)
+   TODO: check
 CVE-2018-17070 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can 
update the ...)
NOT-FOR-US: UNL-CMS
 CVE-2018-17069 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can 
create new ...)
@@ -809,10 +809,10 @@ CVE-2018-16822
RESERVED
 CVE-2018-16821
RESERVED
-CVE-2018-16820
-   RESERVED
-CVE-2018-16819
-   RESERVED
+CVE-2018-16820 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary 
directory ...)
+   TODO: check
+CVE-2018-16819 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary file 
deletion ...)
+   TODO: check
 CVE-2018-16818
RESERVED
 CVE-2018-16817
@@ -861,8 +861,8 @@ CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows 
Unrestricted Upload of Fil
NOT-FOR-US: HiScout GRC Suite
 CVE-2018-16795
RESERVED
-CVE-2018-16794
-   RESERVED
+CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active 
Directory ...)
+   TODO: check
 CVE-2018-16793
RESERVED
 CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. 
Incorrect ...)
@@ -1138,14 +1138,14 @@ CVE-2018-16673
RESERVED
 CVE-2018-16672
RESERVED
-CVE-2018-16671
-   RESERVED
-CVE-2018-16670
-   RESERVED
-CVE-2018-16669
-   RESERVED
-CVE-2018-16668
-   RESERVED
+CVE-2018-16671 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. 
There is ...)
+   TODO: check
+CVE-2018-16670 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. 
There is ...)
+   TODO: check
+CVE-2018-16669 (An issue was discovered in CIRCONTROL Open Charge Point 
Protocol ...)
+   TODO: check
+CVE-2018-16668 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. 
There is ...)
+   TODO: check
 CVE-2018-16667 (An issue was discovered in Contiki-NG through 4.1. There is a 
buffer ...)
NOT-FOR-US:  Contiki Operating System
 CVE-2018-1 (An issue was discovered in Contiki-NG through 4.1. There is a 
...)
@@ -1529,8 +1529,7 @@ CVE-2018-16554 (The ProcessGpsInfo function of the 
gpsinfo.c file of jhead 3.00
- jhead  (bug #908176)
[stretch] - jhead  (Minor issue)
[jessie] - jhead  (Minor issue)
-CVE-2018-16515 [Synapse: Failures to correctly validate signatures on 
transactions and events]
-   RESERVED
+CVE-2018-16515 (Matrix Synapse before 0.33.3.1 allows remote attackers to 
spoof events ...)
- matrix-synapse 0.33.3.1-1 (bug #908044)
NOTE: 
https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/
NOTE: 
https://matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1/
@@ -2224,8 +2223,8 @@ CVE-2018-16227
RESERVED
 CVE-2018-16226
RESERVED
-CVE-2018-16225
-   RESERVED
+CVE-2018-16225 (The QBee MultiSensor Camera through 4.16.4 accepts unencrypted 
network ...)
+   TODO: check
 CVE-2018-16224
RESERVED
 CVE-2018-16223
@@ -4002,8 +4001,8 @@ CVE-2018-15548
RESERVED
 CVE-2018-15547
RESERVED
-CVE-2018-15546
-   RESERVED
+CVE-2018-15546 (Accusoft PrizmDoc version 13.3 and earlier contains a Stored 
...)
+   TODO: check
 CVE-2018-15545
RESERVED
 CVE-2018-15544
@@ -7860,8 +7859,7 @@ CVE-2018-13984
RESERVED
 CVE-2018-13983
RESERVED
-CVE-2018-13982
-   RESERVED
+CVE-2018-13982 (Smarty_Security::isTrustedResourceDir() in Smarty before 
3.1.33 is ...)
- smarty3 3.1.33+20180830.1.3a78a21f+selfpack1-1
NOTE: 
https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe
NOTE: 
https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8
@@ -11028,7 +11026,7 @@ CVE-2018-12636 (The iThemes Security 
(better-wp-security) plugin before 7.0.3 fo
NOT-FOR-US: Wordpress plugin
 CVE-2018-12635 (CirCarLife Scada v4.2.4 

[Git][security-tracker-team/security-tracker][master] claim okular

2018-09-19 Thread Thorsten Alteholz
Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83cfe64b by Thorsten Alteholz at 2018-09-19T08:26:35Z
claim okular

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -63,7 +63,7 @@ mosquitto
 --
 mysql-5.5 (Emilio Pozuelo)
 --
-okular
+okular (Thorsten Alteholz)
 --
 openafs
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/83cfe64b1a956bfb4196835ab6734d9330ac2816


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13f0810f by Salvatore Bonaccorso at 2018-09-19T08:25:49Z
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -144,7 +144,7 @@ CVE-2018-17113 
(App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploa
 CVE-2018-17112
RESERVED
 CVE-2018-17111 (The onlyOwner modifier of a smart contract implementation for 
...)
-   TODO: check
+   NOT-FOR-US: onlyOwner modifier of a smart contract implementation for 
Coinlancer (CL)
 CVE-2018-17110 (Simple POS 4.0.24 allows SQL Injection via a 
products/get_products/ ...)
NOT-FOR-US: Simple POS
 CVE-2018-17109
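Review bot: the NOT-FOR-US label added for CVE-2018-17111 repeats the CVE description ("onlyOwner modifier of a smart contract implementation for Coinlancer (CL)") instead of naming the product, as the neighbouring "NOT-FOR-US: Simple POS" does. "Coinlancer (CL) smart contract" would be shorter and easier to search; the CVE-2018-17071 label in the next hunk has the same shape.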
@@ -253,7 +253,7 @@ CVE-2018-17073 (wernsey/bitmap before 2018-08-18 allows a 
NULL pointer dereferen
 CVE-2018-17072 (JSON++ through 2016-06-15 has a buffer over-read in yyparse() 
in ...)
NOT-FOR-US: JSON++
 CVE-2018-17071 (The fallback function of a simple lottery smart contract ...)
-   TODO: check
+   NOT-FOR-US: fallback function of a simple lottery smart contract 
implementation for Lucky9io
 CVE-2018-17070 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can 
update the ...)
NOT-FOR-US: UNL-CMS
 CVE-2018-17069 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can 
create new ...)
@@ -810,9 +810,9 @@ CVE-2018-16822
 CVE-2018-16821
RESERVED
 CVE-2018-16820 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary 
directory ...)
-   TODO: check
+   NOT-FOR-US: Monstra CMS
 CVE-2018-16819 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary file 
deletion ...)
-   TODO: check
+   NOT-FOR-US: Monstra CMS
 CVE-2018-16818
RESERVED
 CVE-2018-16817
@@ -862,7 +862,7 @@ CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows 
Unrestricted Upload of Fil
 CVE-2018-16795
RESERVED
 CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active 
Directory ...)
-   TODO: check
+   NOT-FOR-US: Microsoft ADFS 4.0 Windows Server
 CVE-2018-16793
RESERVED
 CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. 
Incorrect ...)
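Review bot: "NOT-FOR-US: Microsoft ADFS 4.0 Windows Server" cuts the CVE description off mid-phrase ("Microsoft ADFS 4.0 Windows Server 2016 and previous ...") and ends up reading as if it were a product name. Use the product alone, for example "Microsoft ADFS".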
@@ -1139,13 +1139,13 @@ CVE-2018-16673
 CVE-2018-16672
RESERVED
 CVE-2018-16671 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. 
There is ...)
-   TODO: check
+   NOT-FOR-US: CIRCONTROL CirCarLife
 CVE-2018-16670 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. 
There is ...)
-   TODO: check
+   NOT-FOR-US: CIRCONTROL CirCarLife
 CVE-2018-16669 (An issue was discovered in CIRCONTROL Open Charge Point 
Protocol ...)
-   TODO: check
+   NOT-FOR-US: CIRCONTROL Open Charge Point Protocol
 CVE-2018-16668 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. 
There is ...)
-   TODO: check
+   NOT-FOR-US: CIRCONTROL CirCarLife
 CVE-2018-16667 (An issue was discovered in Contiki-NG through 4.1. There is a 
buffer ...)
NOT-FOR-US:  Contiki Operating System
 CVE-2018-1 (An issue was discovered in Contiki-NG through 4.1. There is a 
...)
@@ -2224,7 +2224,7 @@ CVE-2018-16227
 CVE-2018-16226
RESERVED
 CVE-2018-16225 (The QBee MultiSensor Camera through 4.16.4 accepts unencrypted 
network ...)
-   TODO: check
+   NOT-FOR-US: QBee MultiSensor Camera
 CVE-2018-16224
RESERVED
 CVE-2018-16223



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/13f0810f646e6d27d89a08c28768af52a8b0050f


[Git][security-tracker-team/security-tracker][master] claim hylafax

2018-09-19 Thread Thorsten Alteholz
Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8ba6cb09 by Thorsten Alteholz at 2018-09-19T08:23:23Z
claim hylafax

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -35,7 +35,7 @@ glusterfs (Markus Koschany)
 gnutls28
   NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. 
(lamby)
 --
-hylafax
+hylafax (Thorsten Alteholz)
 --
 imagemagick (Roberto C. Sánchez)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ba6cb0903dbe0c995e875f5a1cdb1c3e129f129


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17182/linux

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e05b86fc by Salvatore Bonaccorso at 2018-09-19T09:07:28Z
Add CVE-2018-17182/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2018-17182 [mm: get rid of vmacache_flush_all() entirely]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/7a9cdebdcc17e426fb5287e4a82db1dfe86339b2
 CVE-2018-17181
RESERVED
 CVE-2018-17180
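Review bot: the bracketed title on the new CVE-2018-17182 entry, "mm: get rid of vmacache_flush_all() entirely", reads like the subject of the upstream commit linked in the NOTE, so it names the fix rather than the flaw. A title describing the vulnerability itself would serve readers better until the official description replaces it.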



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e05b86fc91e1ff63bee8e71642567c7e7f35bdf2


[Git][security-tracker-team/security-tracker][master] Triage results.

2018-09-19 Thread Ola Lundqvist
Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d805406 by Ola Lundqvist at 2018-09-19T06:37:20Z
Triage results.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1460,6 +1460,7 @@ CVE-2018-16549 (HScripts PHP File Browser Script v1.0 
allows Directory Traversal
NOT-FOR-US: HScripts PHP File Browser Script
 CVE-2018-16548 (An issue was discovered in ZZIPlib through 0.13.69. There is a 
memory ...)
- zziplib 
+   [jessie] - zziplib  (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/58
 CVE-2018-16547
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d8054061a57ade43855267fd7cced6b221ca55d


[Git][security-tracker-team/security-tracker][master] Triage results.

2018-09-19 Thread Ola Lundqvist
Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bf34228f by Ola Lundqvist at 2018-09-19T06:28:14Z
Triage results.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -282,7 +282,10 @@ CVE-2018-17058
RESERVED
 CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can 
trigger ...)
- tcpdf  (bug #908866)
+   [jessie] - tcpdf  (Minor issue)
NOTE: 
https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e
+   NOTE: Was considered minor for jessie since arbitrary deserialization
+   NOTE: is still possible using http and https.
 CVE-2018-17056
RESERVED
 CVE-2018-17055
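Review bot: the two added NOTE lines justify "Minor issue" with "arbitrary deserialization is still possible using http and https", but they do not say what the linked upstream commit restricts, so the reasoning cannot be followed from the entry alone. Spell out which vector the fix closes and which remain, and consider dating and signing the NOTE the way data/dla-needed.txt does ("NOTE: 20180824: ... (lamby)").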


=
data/dla-needed.txt
=
@@ -90,6 +90,8 @@ suricata (Thorsten Alteholz)
 --
 symfony (Thorsten Alteholz)
 --
+sympa
+--
 thunderbird
 --
 xen



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf34228f593d5c4bf39c64cd9426b4d983321123


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-17141

2018-09-19 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
514866c7 by Salvatore Bonaccorso at 2018-09-19T06:49:19Z
Add bug reference for CVE-2018-17141

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -83,7 +83,7 @@ CVE-2018-17142 (The html package (aka x/net/html) through 
2018-09-17 in Go misha
TODO: check, in golang-golang-x-net-dev?
 CVE-2018-17141
RESERVED
-   - hylafax 
+   - hylafax  (bug #909161)
NOTE: 
http://git.hylafax.org/HylaFAX?a=commit;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36
 CVE-2018-17140 (The Quizlord plugin through 2.0 for WordPress is prone to 
Stored XSS ...)
NOT-FOR-US: Wordpress plugin



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/514866c7c48bb8727af9bca6b9c0a0bd7c68b996
