[Git][security-tracker-team/security-tracker][master] Process NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62b10f03 by Salvatore Bonaccorso at 2018-09-19T20:18:01Z Process NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,7 @@ CVE-2018-17210 CVE-2018-17209 RESERVED CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command ...) - TODO: check + NOT-FOR-US: Linksys Velop CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By ...) TODO: check CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62b10f0329faa7ca965bdbdabf0cb323b2a6fbe3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62b10f0329faa7ca965bdbdabf0cb323b2a6fbe3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS/Take over php5 from Abhijith with his approval
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 81b1938e by Roberto C. Sánchez at 2018-09-20T01:44:53Z LTS/Take over php5 from Abhijith with his approval - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,7 +72,7 @@ openjdk-7 (Emilio Pozuelo) openjpeg2 (Hugo Lefeuvre) NOTE: 20180719: there is no patch available for the remaining CVEs -- -php5 (Abhijith PA) +php5 (Roberto C. Sánchez) -- phpldapadmin (Mike Gabriel) NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81b1938e98069fe677255963ff73e4fa6c31b8b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81b1938e98069fe677255963ff73e4fa6c31b8b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17204/openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68d10f13 by Salvatore Bonaccorso at 2018-09-19T21:11:31Z Add CVE-2018-17204/openvswitch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,11 @@ CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7. NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7) CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) - TODO: check + - openvswitch + NOTE: https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa (master) + NOTE: https://github.com/openvswitch/ovs/commit/8976ea1d680ab7a2d726a50e5666aa8fefd24168 (branch-2.8) + NOTE: https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde (branch-2.7) + NOTE: ovs-vswitchd does not enable support for OpenFlow 1.5 by default. CVE-2018-17203 RESERVED CVE-2018-17202 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/68d10f136ad2863973cf30383913a7cd328cce91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/68d10f136ad2863973cf30383913a7cd328cce91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add note to dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: ea5313a2 by Abhijith PA at 2018-09-19T20:13:38Z add note to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -91,6 +91,7 @@ suricata (Thorsten Alteholz) symfony (Thorsten Alteholz) -- sympa + NOTE: 20180920: update available at https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=908165;filename=sympa_deb8u3.debdiff;msg=17 (abhijith) -- thunderbird -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea5313a2a047bd0ce1e86d9ab854fba2795e0a5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea5313a2a047bd0ce1e86d9ab854fba2795e0a5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a25996b by Salvatore Bonaccorso at 2018-09-19T20:38:37Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,7 @@ CVE-2018-17209 CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command ...) NOT-FOR-US: Linksys Velop CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By ...) - TODO: check + NOT-FOR-US: Snap Creek Duplicator CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) TODO: check CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) @@ -1371,7 +1371,7 @@ CVE-2018-16609 CVE-2018-16608 (In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change ...) NOT-FOR-US: Monstra CMS CVE-2018-16607 (Cross-site scripting (XSS) vulnerability in the Orgs Page in ...) - TODO: check + NOT-FOR-US: Orgs Page in Open-AudIT Professional CVE-2018-16606 (In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) ...) NOT-FOR-US: ProConf CVE-2018-16605 (D-Link DIR-600M devices allow XSS via the Hostname and Username fields ...) @@ -4072,7 +4072,7 @@ CVE-2018-15548 CVE-2018-15547 RESERVED CVE-2018-15546 (Accusoft PrizmDoc version 13.3 and earlier contains a Stored ...) - TODO: check + NOT-FOR-US: Accusoft PrizmDoc CVE-2018-15545 RESERVED CVE-2018-15544 @@ -5669,7 +5669,7 @@ CVE-2018-14794 CVE-2018-14793 (DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable ...) NOT-FOR-US: DeltaV CVE-2018-14792 (WECON PLC Editor version 1.3.3U may allow an attacker to execute code ...) - TODO: check + NOT-FOR-US: WECON CVE-2018-14791 (Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may ...) NOT-FOR-US: Emerson DeltaV DCS CVE-2018-14790 
@@ -9207,7 +9207,7 @@ CVE-2018-13400 CVE-2018-13399 RESERVED CVE-2018-13398 (The administrative smart-commits resource in Atlassian Fisheye and ...) - TODO: check + NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2018-13397 RESERVED CVE-2018-13396 @@ -12311,9 +12311,9 @@ CVE-2018-12245 CVE-2018-12244 RESERVED CVE-2018-12243 (The Symantec Messaging Gateway product prior to 10.6.6 may be ...) - TODO: check + NOT-FOR-US: Symantec CVE-2018-12242 (The Symantec Messaging Gateway product prior to 10.6.6 may be ...) - TODO: check + NOT-FOR-US: Symantec CVE-2018-12241 RESERVED CVE-2018-12240 (The Norton Identity Safe product prior to 5.3.0.976 may be susceptible ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a25996b33a8051f9569179baa4b65efeeffbba1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a25996b33a8051f9569179baa4b65efeeffbba1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add reference to reported bug for glusterfs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5673d80 by Salvatore Bonaccorso at 2018-09-19T20:20:38Z Add reference to reported bug for glusterfs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15753,20 +15753,20 @@ CVE-2018-10931 (It was found that cobbler 2.6.x exposed all functions from its . - cobbler NOTE: http://www.openwall.com/lists/oss-security/2018/08/09/9 CVE-2018-10930 (A flaw was found in RPC request using gfs3_rename_req in glusterfs ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612664 NOTE: https://review.gluster.org/21068 CVE-2018-10929 (A flaw was found in RPC request using gfs2_create_req in glusterfs ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612660 CVE-2018-10928 (A flaw was found in RPC request using gfs3_symlink_req in glusterfs ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612659 CVE-2018-10927 (A flaw was found in RPC request using gfs3_lookup_req in glusterfs ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1612658 CVE-2018-10926 (A flaw was found in RPC request using gfs3_mknod_req supported by ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1613143 CVE-2018-10925 (It was discovered that PostgreSQL versions before 10.5, 9.6.10, ...) {DSA-4269-1} 
@@ -15786,7 +15786,7 @@ CVE-2018-10924 (It was discovered that fsync(2) system call in glusterfs client NOTE: Introduced by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=51dfc9c789b8405f595a337eade938aedcb449c4 NOTE: https://review.gluster.org/20723 CVE-2018-10923 (It was found that the mknod call derived from mknod(2) can create ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1610659 NOTE: https://review.gluster.org/21069 CVE-2018-10922 (An input validation flaw exists in ttembed. With a crafted input file, ...) @@ -15825,17 +15825,17 @@ CVE-2018-10915 (A vulnerability was found in libpq, the default PostgreSQL clien NOTE: Fixed in 9.3.24, 9.4.19, 9.5.14, 9.6.10, 10.5 NOTE: https://www.postgresql.org/about/news/1878/ CVE-2018-10914 (It was found that an attacker could issue a xattr request via ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1607617 NOTE: https://review.gluster.org/21071 CVE-2018-10913 (An information disclosure vulnerability was discovered in glusterfs ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1607618 NOTE: https://review.gluster.org/21071 CVE-2018-10912 (keycloak before version 4.0.0.final is vulnerable to a infinite loop ...) NOT-FOR-US: Keycloak CVE-2018-10911 (A flaw was found in the way dic_unserialize function of glusterfs does ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601657 NOTE: https://review.gluster.org/21067 CVE-2018-10910 [ailure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized pairing of Bluetooth devices] 
@@ -15852,7 +15852,7 @@ CVE-2018-10909 CVE-2018-10908 (It was found that vdsm before version 4.20.37 invokes qemu-img on ...) NOT-FOR-US: ovirt CVE-2018-10907 (It was found that glusterfs server is vulnerable to multiple stack ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601642 NOTE: https://review.gluster.org/21070 CVE-2018-10906 (In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is ...) @@ -15864,7 +15864,7 @@ CVE-2018-10906 (In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount i CVE-2018-10905 (CloudForms Management Engine (cfme) is vulnerable to an improper ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2018-10904 (It was found that glusterfs server does not properly sanitize file ...) - - glusterfs + - glusterfs (bug #909215) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601298 NOTE: https://review.gluster.org/21072 CVE-2018-10903 (A flaw was found in python-cryptography versions between =1.9.0 and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d5673d80d8dfa8f2b2c6c6b2d6363dd1923252e7 -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17206/openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: edb64179 by Salvatore Bonaccorso at 2018-09-19T21:02:05Z Add CVE-2018-17206/openvswitch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,7 +15,10 @@ CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By ...) NOT-FOR-US: Snap Creek Duplicator CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) - TODO: check + - openvswitch + NOTE: https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226 (master) + NOTE: https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8 (branch-2.8) + NOTE: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8 (branch-2.7) CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) TODO: check CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/edb641791a2a05b2ea85525b9c73a56c910ae39a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/edb641791a2a05b2ea85525b9c73a56c910ae39a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17144/bitcoin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9682af2f by Salvatore Bonaccorso at 2018-09-19T21:19:58Z Add CVE-2018-17144/bitcoin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -151,7 +151,8 @@ CVE-2018-17146 CVE-2018-17145 RESERVED CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x ...) - TODO: check + - bitcoin + NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17144 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) TODO: check, in golang-golang-x-net-dev? CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9682af2f29bf4e041885a2273efa63a9fe2b1eea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9682af2f29bf4e041885a2273efa63a9fe2b1eea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17205/openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d5b57ad by Salvatore Bonaccorso at 2018-09-19T21:05:41Z Add CVE-2018-17205/openvswitch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,7 +20,10 @@ CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7. NOTE: https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8 (branch-2.7) CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) - TODO: check + - openvswitch + NOTE: https://github.com/openvswitch/ovs/commit/9a0ac025de9303334688ff08f01fc08604d2f624 (master) + NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8) + NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7) CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) TODO: check CVE-2018-17203 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d5b57ad5c288648d99c078492eada100fc6b157 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d5b57ad5c288648d99c078492eada100fc6b157 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update unstable information for CVE-2018-1084{4,5,6}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b59f21e by Salvatore Bonaccorso at 2018-09-19T20:08:13Z Update unstable information for CVE-2018-1084{4,5,6} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -16051,22 +16051,26 @@ CVE-2018-10846 (A cache-based side channel in GnuTLS implementation that leads t - gnutls28 - gnutls26 NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 + NOTE: https://gitlab.com/gnutls/gnutls/commit/ce671a6db9e47006cff152d485091141b1569f39 (master) NOTE: The proposed fix is to introduce a new option to force encrypt-then-mac NOTE: instead of correcting the issue. NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 was ...) - - gnutls28 + - gnutls28 3.5.19-1 - gnutls26 NOTE: https://gitlab.com/gnutls/gnutls/issues/455 - NOTE: Correctly account length field https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb + NOTE: https://gitlab.com/gnutls/gnutls/commit/cc14ec5ece856cb083d64e6a5a8657323da661cb (master) + NOTE: https://gitlab.com/gnutls/gnutls/commit/e14d85eb8b1987d86f7b1d101a0e7795675d20d4 (gnutls_3_5_19) NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10844 (It was found that the GnuTLS implementation of HMAC-SHA-256 was ...) 
- - gnutls28 + - gnutls28 3.5.19-1 - gnutls26 NOTE: https://gitlab.com/gnutls/gnutls/issues/456 - NOTE: Remove from defaults https://gitlab.com/gnutls/gnutls/commit/29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b - NOTE: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09 + NOTE: https://gitlab.com/gnutls/gnutls/commit/29ffa2a1fa4cc396c5d1563a3e5cdca0174de28b (master) + NOTE: https://gitlab.com/gnutls/gnutls/commit/c32a8690f9f9b05994078fe9d2e7a41b18da5b09 (master) + NOTE: https://gitlab.com/gnutls/gnutls/commit/c433cdf92349afae66c703bdacedf987f423605e (gnutls_3_5_19) + NOTE: https://gitlab.com/gnutls/gnutls/commit/c2e094acd68f7159025b2e2556d6fb4427b41dd7 (gnutls_3_5_19) NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10843 (source-to-image component of Openshift Container Platform before ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b59f21efe1f6fc62c23d3833ea875b662b68676 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b59f21efe1f6fc62c23d3833ea875b662b68676 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1508-1 for suricata
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2556fb7b by Thorsten Alteholz at 2018-09-19T20:32:00Z Reserve DLA-1508-1 for suricata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Sep 2018] DLA-1508-1 suricata - security update + {CVE-2016-10728} + [jessie] - suricata 2.0.7-2+deb8u1 [18 Sep 2018] DLA-1507-1 libapache2-mod-perl2 - security update {CVE-2011-2767} [jessie] - libapache2-mod-perl2 2.0.9~1624218-2+deb8u3 = data/dla-needed.txt = @@ -86,8 +86,6 @@ smarty3 (Mike Gabriel) -- spamassassin -- -suricata (Thorsten Alteholz) --- symfony (Thorsten Alteholz) -- sympa View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2556fb7b34c0e51ce687b6510c88ee73506c85fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2556fb7b34c0e51ce687b6510c88ee73506c85fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b5daf78 by security tracker role at 2018-09-19T20:10:24Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,66 @@ -CVE-2018-17182 [mm: get rid of vmacache_flush_all() entirely] +CVE-2018-17214 + RESERVED +CVE-2018-17213 + RESERVED +CVE-2018-17212 + RESERVED +CVE-2018-17211 + RESERVED +CVE-2018-17210 + RESERVED +CVE-2018-17209 + RESERVED +CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command ...) + TODO: check +CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By ...) + TODO: check +CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) + TODO: check +CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) + TODO: check +CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) + TODO: check +CVE-2018-17203 + RESERVED +CVE-2018-17202 + RESERVED +CVE-2018-17201 + RESERVED +CVE-2018-17200 + RESERVED +CVE-2018-17199 + RESERVED +CVE-2018-17198 + RESERVED +CVE-2018-17197 + RESERVED +CVE-2018-17196 + RESERVED +CVE-2018-17195 + RESERVED +CVE-2018-17194 + RESERVED +CVE-2018-17193 + RESERVED +CVE-2018-17192 + RESERVED +CVE-2018-17191 + RESERVED +CVE-2018-17190 + RESERVED +CVE-2018-17189 + RESERVED +CVE-2018-17188 + RESERVED +CVE-2018-17187 + RESERVED +CVE-2018-17186 + RESERVED +CVE-2018-17185 + RESERVED +CVE-2018-17184 + RESERVED +CVE-2018-17182 (An issue was discovered in the Linux kernel through 4.18.8. The ...) - linux NOTE: https://git.kernel.org/linus/7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 CVE-2018-17181 
@@ -78,8 +140,8 @@ CVE-2018-17146 RESERVED CVE-2018-17145 RESERVED -CVE-2018-17144 - RESERVED +CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x ...) + TODO: check CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) TODO: check, in golang-golang-x-net-dev? CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) @@ -195,7 +257,8 @@ CVE-2018-17096 (The BPMDetect class in BPMDetect.cpp in libSoundTouch.a in Olli [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14 -CVE-2018-17183 [gs 699708: 'Hide' non-replaceable error handlers for SAFER] +CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a user-writable error exception ...) + {DSA-4294-1} - ghostscript 9.25~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699708 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624 @@ -894,8 +957,8 @@ CVE-2018-16787 RESERVED CVE-2018-16786 RESERVED -CVE-2018-16785 - RESERVED +CVE-2018-16785 (XML injection vulnerability exists in the file of DedeCMS V5.7 SP2 ...) + TODO: check CVE-2018-16784 RESERVED CVE-2018-16783 @@ -1307,8 +1370,8 @@ CVE-2018-16609 RESERVED CVE-2018-16608 (In Monstra CMS 3.0.4, an attacker with 'Editor' privileges can change ...) NOT-FOR-US: Monstra CMS -CVE-2018-16607 - RESERVED +CVE-2018-16607 (Cross-site scripting (XSS) vulnerability in the Orgs Page in ...) + TODO: check CVE-2018-16606 (In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) ...) NOT-FOR-US: ProConf CVE-2018-16605 (D-Link DIR-600M devices allow XSS via the Hostname and Username fields ...) 
@@ -5605,8 +5668,8 @@ CVE-2018-14794 RESERVED CVE-2018-14793 (DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable ...) NOT-FOR-US: DeltaV -CVE-2018-14792 - RESERVED +CVE-2018-14792 (WECON PLC Editor version 1.3.3U may allow an attacker to execute code ...) + TODO: check CVE-2018-14791 (Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 may ...) NOT-FOR-US: Emerson DeltaV DCS CVE-2018-14790 @@ -12247,10 +12310,10 @@ CVE-2018-12245 RESERVED CVE-2018-12244 RESERVED -CVE-2018-12243 - RESERVED -CVE-2018-12242 - RESERVED +CVE-2018-12243 (The Symantec Messaging Gateway product prior to 10.6.6 may be ...) + TODO: check +CVE-2018-12242 (The Symantec Messaging Gateway product prior to 10.6.6 may be ...) + TODO: check CVE-2018-12241 RESERVED CVE-2018-12240 (The Norton Identity Safe product prior to 5.3.0.976 may be susceptible ...) @@ -13028,51 +13091,50 @@ CVE-2018-11906 RESERVED CVE-2018-11905 RESERVED
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1509-1 for php5
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 09d98fa0 by Roberto C. Sánchez at 2018-09-20T02:48:46Z Reserve DLA-1509-1 for php5 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Sep 2018] DLA-1509-1 php5 - security update + {CVE-2018-17082} + [jessie] - php5 5.6.38+dfsg-0+deb8u1 [19 Sep 2018] DLA-1508-1 suricata - security update {CVE-2016-10728} [jessie] - suricata 2.0.7-2+deb8u1 = data/dla-needed.txt = @@ -72,8 +72,6 @@ openjdk-7 (Emilio Pozuelo) openjpeg2 (Hugo Lefeuvre) NOTE: 20180719: there is no patch available for the remaining CVEs -- -php5 (Roberto C. Sánchez) --- phpldapadmin (Mike Gabriel) NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09d98fa098b46d5bc608b0b5c457e0a56f22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09d98fa098b46d5bc608b0b5c457e0a56f22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-5741/bind9
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 10ba7b53 by Salvatore Bonaccorso at 2018-09-20T05:14:27Z Add CVE-2018-5741/bind9 ISC BIND before releases 9.11.4-P2 and 9.12.2-P2 does not properly document the behaviour of the krb5-subdomain and ms-subdomain update policies. This incorrect documentation could mislead operators into believing that policies they had configured were more restrictive than they actually were. Will be addressed in BIND 9.11.5 BIND 9.12.3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30768,8 +30768,12 @@ CVE-2018-5743 RESERVED CVE-2018-5742 RESERVED -CVE-2018-5741 +CVE-2018-5741 [Update policies krb5-subdomain and ms-subdomain] RESERVED + - bind9 (unimportant) + NOTE: https://kb.isc.org/docs/cve-2018-5741 + NOTE: No code fix provided; Incorrect documentation of krb5-subdomain and ms-subdomain update policies. + NOTE: Will be adressed in 9.11.5, 9.12.3 CVE-2018-5740 [A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named] RESERVED {DLA-1485-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10ba7b53408ec359d2ab937532ba94e003e1b30d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10ba7b53408ec359d2ab937532ba94e003e1b30d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
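Review bot: the added line `NOTE: Will be adressed in 9.11.5, 9.12.3` misspells "addressed"; since data/CVE/list is also read by people scanning for the upstream fix version, suggest `NOTE: Will be addressed in 9.11.5, 9.12.3`. The preceding `NOTE: No code fix provided; Incorrect documentation of krb5-subdomain and ms-subdomain update policies.` already explains why the entry is marked `(unimportant)`, so the two notes could be merged into one line stating that the upstream change is documentation-only and lands in 9.11.5 / 9.12.3.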
[Git][security-tracker-team/security-tracker][master] Add as well litecoin source package tracking for CVE-2018-17144
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 51356f27 by Salvatore Bonaccorso at 2018-09-20T05:31:35Z Add as well litecoin source package tracking for CVE-2018-17144 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -152,6 +152,7 @@ CVE-2018-17145 RESERVED CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x ...) - bitcoin + - litecoin 0.16.3-1 NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17144 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) TODO: check, in golang-golang-x-net-dev? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51356f27c3c067bc2c3cb7b6455295dd7c7ddee4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51356f27c3c067bc2c3cb7b6455295dd7c7ddee4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add three tika issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82f0 by Salvatore Bonaccorso at 2018-09-19T13:01:11Z Add three tika issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13401,10 +13401,14 @@ CVE-2018-11764 RESERVED CVE-2018-11763 RESERVED -CVE-2018-11762 +CVE-2018-11762 [Zip Slip Vulnerability in Apache Tika's tika-app] RESERVED -CVE-2018-11761 + - tika + NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/5 +CVE-2018-11761 [Denial of Service via XML Entity Expansion Vulnerability] RESERVED + - tika + NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/4 CVE-2018-11760 RESERVED CVE-2018-11759 @@ -23142,8 +23146,10 @@ CVE-2018-8019 (When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 NOTE: https://svn.apache.org/r1832832 CVE-2018-8018 (Apache Ignite 2.5 and earlier serialization mechanism does not have a ...) NOT-FOR-US: Apache Ignite -CVE-2018-8017 +CVE-2018-8017 [Potential Infinite Loop in IptcAnpaParser] RESERVED + - tika + NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/6 CVE-2018-8016 (The default configuration in Apache Cassandra 3.8 through 3.11.1 binds ...) - cassandra (bug #585905) CVE-2018-8015 (In Apache ORC 1.0.0 to 1.4.3 a malformed ORC file can trigger an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82f0e4b724bfb65ff1cc5c95bd1c9aae766c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82f0e4b724bfb65ff1cc5c95bd1c9aae766c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage results.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f6079f9 by Ola Lundqvist at 2018-09-19T18:23:00Z Triage results. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -169,11 +169,15 @@ CVE-2018-17102 (An issue was discovered in QuickAppsCMS (aka QACMS) through ...) CVE-2018-17101 (An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds ...) - tiff (bug #909037) - tiff3 + [stretch] - tiff (Can be fixed along in future DSA) + [jessie] - tiff (Can be fixed along in future DLA) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2807 NOTE: https://gitlab.com/libtiff/libtiff/merge_requests/33/diffs?commit_id=f1b94e8a3ba49febdd3361c0214a1d1149251577 CVE-2018-17100 (An issue was discovered in LibTIFF 4.0.9. There is a int32 overflow in ...) - tiff (bug #909038) - tiff3 + [stretch] - tiff (Can be fixed along in future DSA) + [jessie] - tiff (Can be fixed along in future DLA) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2810 NOTE: https://gitlab.com/libtiff/libtiff/merge_requests/33/diffs?commit_id=6da1fb3f64d43be37e640efbec60400d1f1ac39e CVE-2018-17099 @@ -199,6 +203,7 @@ CVE-2018- [gs 699708: 'Hide' non-replaceable error handlers for SAFER] NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka ...) - audiofile + [jessie] - audiofile (Can be fixed along in future DLA) NOTE: https://github.com/mpruett/audiofile/issues/50 NOTE: https://github.com/mpruett/audiofile/issues/51 CVE-2018-17094 (An issue has been discovered in mackyle xar 1.6.1. There is a NULL ...) 
@@ -406,6 +411,8 @@ CVE-2018-17001 CVE-2018-17000 (A NULL pointer dereference in the function _TIFFmemcmp at tif_unix.c ...) - tiff (bug #908778) - tiff3 + [stretch] - tiff (Can be fixed along in future DSA) + [jessie] - tiff (Can be fixed along in future DLA) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2811 CVE-2018-16999 (Netwide Assembler (NASM) 2.14rc15 has an invalid memory write ...) - nasm (unimportant) @@ -7075,6 +7082,7 @@ CVE-2018-14321 RESERVED CVE-2018-14320 (This vulnerability allows remote attackers to disclose sensitive ...) - libpodofo + [jessie] - libpodofo (Minor issue) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/ CVE-2018-14319 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f6079f9eaa4b5c6e230517272ed1096d61323ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f6079f9eaa4b5c6e230517272ed1096d61323ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
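Review bot: in every added "[stretch] - tiff (Can be fixed along in future DSA)", "[jessie] - audiofile (Can be fixed along in future DLA)" and "[jessie] - libpodofo (Minor issue)" line the release annotation goes straight from the package name to the parenthesised comment, with nothing in between; the tracker's per-release syntax expects either a version or a status marker such as <no-dsa>, <postponed> or <ignored> in that position, so check the committed file, because angle-bracketed markers are easily stripped in transit, and if they are really absent these lines will not carry the intended status. Also, CVE-2018-17095/audiofile and CVE-2018-14320/libpodofo get only a [jessie] line while the three tiff entries in the same commit are annotated for both stretch and jessie; add the [stretch] status for those two or a NOTE on why stretch differs.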
[Git][security-tracker-team/security-tracker][master] Triage results.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: c8607cd5 by Ola Lundqvist at 2018-09-19T18:35:48Z Triage results. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13407,12 +13407,12 @@ CVE-2018-11764 CVE-2018-11763 RESERVED CVE-2018-11762 [Zip Slip Vulnerability in Apache Tika's tika-app] - RESERVED - tika + [jessie] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/5 CVE-2018-11761 [Denial of Service via XML Entity Expansion Vulnerability] - RESERVED - tika + [jessie] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/4 CVE-2018-11760 RESERVED @@ -23154,6 +23154,7 @@ CVE-2018-8018 (Apache Ignite 2.5 and earlier serialization mechanism does not ha CVE-2018-8017 [Potential Infinite Loop in IptcAnpaParser] RESERVED - tika + [jessie] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2018/09/19/6 CVE-2018-8016 (The default configuration in Apache Cassandra 3.8 through 3.11.1 binds ...) - cassandra (bug #585905) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c8607cd52ceff09cba821008152601495e7cb13e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c8607cd52ceff09cba821008152601495e7cb13e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
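Review bot: the first two hunks drop the RESERVED line from CVE-2018-11762 and CVE-2018-11761 while the third keeps it for CVE-2018-8017, although all three are in the same state (bracketed title, no MITRE description yet, "- tika", new "[jessie] - tika (Minor issue)"); keep the three consistent, and check that removing RESERVED from an entry that still has a bracketed title rather than a parenthesised description is what the automatic update expects, since the next run may otherwise reintroduce or mishandle it. The three "[jessie] - tika (Minor issue)" lines also have nothing between the package name and the comment where the tracker syntax places a version or a status marker; confirm that was not lost in transit.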
[Git][security-tracker-team/security-tracker][master] Add fixed version for jhead issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff542f7d by Salvatore Bonaccorso at 2018-09-19T18:39:48Z Add fixed version for jhead issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1529,11 +1529,11 @@ CVE-2018-16516 (helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted CVE-2018-16514 RESERVED CVE-2018-17088 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may ...) - - jhead (bug #907925) + - jhead 1:3.00-8 (bug #907925) [stretch] - jhead (Minor issue) [jessie] - jhead (Minor issue) CVE-2018-16554 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may ...) - - jhead (bug #908176) + - jhead 1:3.00-8 (bug #908176) [stretch] - jhead (Minor issue) [jessie] - jhead (Minor issue) CVE-2018-16515 (Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff542f7df9a5398fac328380452e11d4f2ff5d8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff542f7df9a5398fac328380452e11d4f2ff5d8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
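Review bot: CVE-2018-17088 and CVE-2018-16554 now point at the same fixed version "jhead 1:3.00-8" but keep separate bug references (#907925 and #908176) and carry word-for-word identical descriptions ("The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may ..."); confirm that the 1:3.00-8 changelog closes both bugs and that the two ids are distinct issues rather than a duplicate assignment, and record the outcome in a NOTE if they turn out to be the same bug. The [stretch]/[jessie] "(Minor issue)" lines are untouched, so this commit resolves unstable only.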
[Git][security-tracker-team/security-tracker][master] CVE-2018-17183/ghostscript assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d7ff487 by Salvatore Bonaccorso at 2018-09-19T19:08:34Z CVE-2018-17183/ghostscript assigned - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -195,9 +195,9 @@ CVE-2018-17096 (The BPMDetect class in BPMDetect.cpp in libSoundTouch.a in Olli [stretch] - soundtouch (Minor issue) [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14 -CVE-2018- [gs 699708: 'Hide' non-replaceable error handlers for SAFER] +CVE-2018-17183 [gs 699708: 'Hide' non-replaceable error handlers for SAFER] - ghostscript 9.25~dfsg-1 - [stretch] - ghostscript 9.20~dfsg-3.2+deb9u5 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699708 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka ...) - audiofile = data/DSA/list = @@ -10,7 +10,7 @@ {CVE-2018-3639 CVE-2018-3640} [stretch] - intel-microcode 3.20180807a.1~deb9u1 [16 Sep 2018] DSA-4294-1 ghostscript - security update - {CVE-2018-16509 CVE-2018-16802} + {CVE-2018-16509 CVE-2018-16802 CVE-2018-17183} [stretch] - ghostscript 9.20~dfsg-3.2+deb9u5 [14 Sep 2018] DSA-4293-1 discount - security update {CVE-2018-11468 CVE-2018-11503 CVE-2018-11504 CVE-2018-12495} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d7ff4871232f5de26bc7af8b613f77f73a2a3b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d7ff4871232f5de26bc7af8b613f77f73a2a3b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
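Review bot: in the data/CVE/list hunk the placeholder "CVE-2018-" becomes CVE-2018-17183 and the "[stretch] - ghostscript 9.20~dfsg-3.2+deb9u5" line is dropped in favour of the DSA entry; that is only consistent if the +deb9u5 upload really contains commit fb713b38 from the NOTE, and jessie is still unannotated for this id.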
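Review bot: in the data/DSA/list hunk CVE-2018-17183 is appended to DSA-4294-1, which is dated 16 Sep 2018, three days before this commit; adding a later-assigned id to an already published advisory is fine, but it silently asserts that the fix for ghostscript bug 699708 shipped in 9.20~dfsg-3.2+deb9u5 rather than in a follow-up, so verify that against the package's patch series and consider announcing the extra id in a regression or update mail.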
[Git][security-tracker-team/security-tracker][master] 2 commits: Update information for CVE-2018-10846/gnutls28
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12894eb7 by Salvatore Bonaccorso at 2018-09-19T19:46:25Z Update information for CVE-2018-10846/gnutls28 - - - - - 6c5a7e68 by Salvatore Bonaccorso at 2018-09-19T19:46:35Z Wrap one note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16047,10 +16047,12 @@ CVE-2018-10847 (prosody before versions 0.10.2, 0.9.14 is vulnerable to an ...) NOTE: https://prosody.im/security/advisory_20180531/issue1147-0.10.1.patch (0.10.1) NOTE: https://prosody.im/security/advisory_20180531/issue1147-0.9.patch (0.9.x) CVE-2018-10846 (A cache-based side channel in GnuTLS implementation that leads to ...) + [experimental] - gnutls28 3.6.3-1 - gnutls28 - gnutls26 NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 - NOTE: The proposed fix is to introduce a new option to force encrypt-then-mac instead of correcting the issue. + NOTE: The proposed fix is to introduce a new option to force encrypt-then-mac + NOTE: instead of correcting the issue. NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 was ...) - gnutls28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7d7ff4871232f5de26bc7af8b613f77f73a2a3b6...6c5a7e68c81a63097e37c90b7b0ea79aef667e5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7d7ff4871232f5de26bc7af8b613f77f73a2a3b6...6c5a7e68c81a63097e37c90b7b0ea79aef667e5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
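Review bot: the new "[experimental] - gnutls28 3.6.3-1" line is placed above the unfixed "- gnutls28" entry and therefore marks 3.6.3-1 as a fixing version, but the NOTE directly below says the proposed fix only introduces an option to force encrypt-then-mac instead of correcting the side channel; if 3.6.3 contains just that option, the entry should state whether the default configuration is fixed (a NOTE naming the option and its default) so that stable triage is not based on a mislabelled version. The note wrapping in the second commit is fine.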
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09b61d88 by security tracker role at 2018-09-19T08:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -143,8 +143,8 @@ CVE-2018-17113 (App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploa NOT-FOR-US: EasyCMS CVE-2018-17112 RESERVED -CVE-2018-17111 - RESERVED +CVE-2018-17111 (The onlyOwner modifier of a smart contract implementation for ...) + TODO: check CVE-2018-17110 (Simple POS 4.0.24 allows SQL Injection via a products/get_products/ ...) NOT-FOR-US: Simple POS CVE-2018-17109 @@ -252,8 +252,8 @@ CVE-2018-17073 (wernsey/bitmap before 2018-08-18 allows a NULL pointer dereferen NOT-FOR-US: bitmap CVE-2018-17072 (JSON++ through 2016-06-15 has a buffer over-read in yyparse() in ...) NOT-FOR-US: JSON++ -CVE-2018-17071 - RESERVED +CVE-2018-17071 (The fallback function of a simple lottery smart contract ...) + TODO: check CVE-2018-17070 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the ...) NOT-FOR-US: UNL-CMS CVE-2018-17069 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new ...) @@ -809,10 +809,10 @@ CVE-2018-16822 RESERVED CVE-2018-16821 RESERVED -CVE-2018-16820 - RESERVED -CVE-2018-16819 - RESERVED +CVE-2018-16820 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory ...) + TODO: check +CVE-2018-16819 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion ...) + TODO: check CVE-2018-16818 RESERVED CVE-2018-16817 @@ -861,8 +861,8 @@ CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Fil NOT-FOR-US: HiScout GRC Suite CVE-2018-16795 RESERVED -CVE-2018-16794 - RESERVED +CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory ...) + TODO: check CVE-2018-16793 RESERVED CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. Incorrect ...) 
@@ -1138,14 +1138,14 @@ CVE-2018-16673 RESERVED CVE-2018-16672 RESERVED -CVE-2018-16671 - RESERVED -CVE-2018-16670 - RESERVED -CVE-2018-16669 - RESERVED -CVE-2018-16668 - RESERVED +CVE-2018-16671 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) + TODO: check +CVE-2018-16670 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) + TODO: check +CVE-2018-16669 (An issue was discovered in CIRCONTROL Open Charge Point Protocol ...) + TODO: check +CVE-2018-16668 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) + TODO: check CVE-2018-16667 (An issue was discovered in Contiki-NG through 4.1. There is a buffer ...) NOT-FOR-US: Contiki Operating System CVE-2018-1 (An issue was discovered in Contiki-NG through 4.1. There is a ...) @@ -1529,8 +1529,7 @@ CVE-2018-16554 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 - jhead (bug #908176) [stretch] - jhead (Minor issue) [jessie] - jhead (Minor issue) -CVE-2018-16515 [Synapse: Failures to correctly validate signatures on transactions and events] - RESERVED +CVE-2018-16515 (Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events ...) - matrix-synapse 0.33.3.1-1 (bug #908044) NOTE: https://matrix.org/blog/2018/09/05/pre-disclosure-upcoming-critical-security-fix-for-synapse/ NOTE: https://matrix.org/blog/2018/09/06/critical-security-update-synapse-0-33-3-1/ @@ -2224,8 +2223,8 @@ CVE-2018-16227 RESERVED CVE-2018-16226 RESERVED -CVE-2018-16225 - RESERVED +CVE-2018-16225 (The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network ...) + TODO: check CVE-2018-16224 RESERVED CVE-2018-16223 @@ -4002,8 +4001,8 @@ CVE-2018-15548 RESERVED CVE-2018-15547 RESERVED -CVE-2018-15546 - RESERVED +CVE-2018-15546 (Accusoft PrizmDoc version 13.3 and earlier contains a Stored ...) + TODO: check CVE-2018-15545 RESERVED CVE-2018-15544 
@@ -7860,8 +7859,7 @@ CVE-2018-13984 RESERVED CVE-2018-13983 RESERVED -CVE-2018-13982 - RESERVED +CVE-2018-13982 (Smarty_Security::isTrustedResourceDir() in Smarty before 3.1.33 is ...) - smarty3 3.1.33+20180830.1.3a78a21f+selfpack1-1 NOTE: https://github.com/smarty-php/smarty/commit/8d21f38dc35c4cd6b31c2f23fc9b8e5adbc56dfe NOTE: https://github.com/smarty-php/smarty/commit/f9ca3c63d1250bb56b2bda609dcc9dd81f0065f8 @@ -11028,7 +11026,7 @@ CVE-2018-12636 (The iThemes Security (better-wp-security) plugin before 7.0.3 fo NOT-FOR-US: Wordpress plugin CVE-2018-12635 (CirCarLife Scada v4.2.4
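Review bot: this automatic run replaces RESERVED with MITRE text and "TODO: check" for a batch of ids, and the only ones that keep package data are CVE-2018-16515/matrix-synapse and CVE-2018-13982/smarty3; for CVE-2018-13982 the fixed version "smarty3 3.1.33+20180830.1.3a78a21f+selfpack1-1" now stands without any [stretch]/[jessie] annotation, so that entry needs a real triage pass rather than only the NFU sweep the others will get. Two context lines show damaged identifiers in the text as delivered (the "CVE-2018-1 (An issue was discovered in Contiki-NG through 4.1 ..." line and the hunk that stops at "CirCarLife Scada v4.2.4"); check the committed file to tell a transit artefact from a malformed entry.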
[Git][security-tracker-team/security-tracker][master] claim okular
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 83cfe64b by Thorsten Alteholz at 2018-09-19T08:26:35Z claim okular - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,7 +63,7 @@ mosquitto -- mysql-5.5 (Emilio Pozuelo) -- -okular +okular (Thorsten Alteholz) -- openafs -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/83cfe64b1a956bfb4196835ab6734d9330ac2816 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/83cfe64b1a956bfb4196835ab6734d9330ac2816 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13f0810f by Salvatore Bonaccorso at 2018-09-19T08:25:49Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -144,7 +144,7 @@ CVE-2018-17113 (App/Modules/Admin/Tpl/default/Public/dwz/uploadify/scripts/uploa CVE-2018-17112 RESERVED CVE-2018-17111 (The onlyOwner modifier of a smart contract implementation for ...) - TODO: check + NOT-FOR-US: onlyOwner modifier of a smart contract implementation for Coinlancer (CL) CVE-2018-17110 (Simple POS 4.0.24 allows SQL Injection via a products/get_products/ ...) NOT-FOR-US: Simple POS CVE-2018-17109 @@ -253,7 +253,7 @@ CVE-2018-17073 (wernsey/bitmap before 2018-08-18 allows a NULL pointer dereferen CVE-2018-17072 (JSON++ through 2016-06-15 has a buffer over-read in yyparse() in ...) NOT-FOR-US: JSON++ CVE-2018-17071 (The fallback function of a simple lottery smart contract ...) - TODO: check + NOT-FOR-US: fallback function of a simple lottery smart contract implementation for Lucky9io CVE-2018-17070 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can update the ...) NOT-FOR-US: UNL-CMS CVE-2018-17069 (An issue was discovered in UNL-CMS 7.59. A CSRF attack can create new ...) @@ -810,9 +810,9 @@ CVE-2018-16822 CVE-2018-16821 RESERVED CVE-2018-16820 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary directory ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2018-16819 (admin/index.php in Monstra CMS 3.0.4 allows arbitrary file deletion ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2018-16818 RESERVED CVE-2018-16817 
@@ -862,7 +862,7 @@ CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Fil CVE-2018-16795 RESERVED CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory ...) - TODO: check + NOT-FOR-US: Microsoft ADFS 4.0 Windows Server CVE-2018-16793 RESERVED CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. Incorrect ...) @@ -1139,13 +1139,13 @@ CVE-2018-16673 CVE-2018-16672 RESERVED CVE-2018-16671 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) - TODO: check + NOT-FOR-US: CIRCONTROL CirCarLife CVE-2018-16670 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) - TODO: check + NOT-FOR-US: CIRCONTROL CirCarLife CVE-2018-16669 (An issue was discovered in CIRCONTROL Open Charge Point Protocol ...) - TODO: check + NOT-FOR-US: CIRCONTROL Open Charge Point Protocol CVE-2018-16668 (An issue was discovered in CIRCONTROL CirCarLife before 4.3. There is ...) - TODO: check + NOT-FOR-US: CIRCONTROL CirCarLife CVE-2018-16667 (An issue was discovered in Contiki-NG through 4.1. There is a buffer ...) NOT-FOR-US: Contiki Operating System CVE-2018-1 (An issue was discovered in Contiki-NG through 4.1. There is a ...) 
@@ -2224,7 +2224,7 @@ CVE-2018-16227 CVE-2018-16226 RESERVED CVE-2018-16225 (The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network ...) - TODO: check + NOT-FOR-US: QBee MultiSensor Camera CVE-2018-16224 RESERVED CVE-2018-16223 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13f0810f646e6d27d89a08c28768af52a8b0050f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13f0810f646e6d27d89a08c28768af52a8b0050f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
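Review bot: the NOT-FOR-US reasons for CVE-2018-17111 and CVE-2018-17071 repeat most of the MITRE sentence ("onlyOwner modifier of a smart contract implementation for Coinlancer (CL)", "fallback function of a simple lottery smart contract implementation for Lucky9io"), whereas every other line in this commit uses the bare product name ("Monstra CMS", "CIRCONTROL CirCarLife", "QBee MultiSensor Camera", "Microsoft ADFS 4.0 Windows Server"); the reason field is what later greps and the web view display, so shorten those two to the product name and leave the description on the id line.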
[Git][security-tracker-team/security-tracker][master] claim hylafax
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ba6cb09 by Thorsten Alteholz at 2018-09-19T08:23:23Z claim hylafax - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,7 +35,7 @@ glusterfs (Markus Koschany) gnutls28 NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (lamby) -- -hylafax +hylafax (Thorsten Alteholz) -- imagemagick (Roberto C. Sánchez) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ba6cb0903dbe0c995e875f5a1cdb1c3e129f129 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ba6cb0903dbe0c995e875f5a1cdb1c3e129f129 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17182/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e05b86fc by Salvatore Bonaccorso at 2018-09-19T09:07:28Z Add CVE-2018-17182/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2018-17182 [mm: get rid of vmacache_flush_all() entirely] + - linux + NOTE: https://git.kernel.org/linus/7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 CVE-2018-17181 RESERVED CVE-2018-17180 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e05b86fc91e1ff63bee8e71642567c7e7f35bdf2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e05b86fc91e1ff63bee8e71642567c7e7f35bdf2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
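Review bot: the entry is added with a bracketed title, "- linux" and the upstream commit 7a9cdebd, but no fixed version, bug reference or [stretch]/[jessie] line, so it shows as open for every suite; record the unstable fixed version once the kernel upload lands, and add the per-release status, since the title "mm: get rid of vmacache_flush_all() entirely" names a mm/ change that has to be checked separately against the 3.16 (jessie) and 4.9 (stretch) series before the same fix can be assumed to apply.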
[Git][security-tracker-team/security-tracker][master] Triage results.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d805406 by Ola Lundqvist at 2018-09-19T06:37:20Z Triage results. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1460,6 +1460,7 @@ CVE-2018-16549 (HScripts PHP File Browser Script v1.0 allows Directory Traversal NOT-FOR-US: HScripts PHP File Browser Script CVE-2018-16548 (An issue was discovered in ZZIPlib through 0.13.69. There is a memory ...) - zziplib + [jessie] - zziplib (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/58 CVE-2018-16547 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d8054061a57ade43855267fd7cced6b221ca55d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d8054061a57ade43855267fd7cced6b221ca55d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
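Review bot: only a "[jessie] - zziplib (Minor issue)" line is added; stretch stays unannotated for CVE-2018-16548 even though the id line describes ZZIPlib through 0.13.69 as affected, so either add the [stretch] status or a NOTE on why stretch is not affected, and the entry still has no fixed version for unstable despite the upstream issue link.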
[Git][security-tracker-team/security-tracker][master] Triage results.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: bf34228f by Ola Lundqvist at 2018-09-19T06:28:14Z Triage results. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -282,7 +282,10 @@ CVE-2018-17058 RESERVED CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can trigger ...) - tcpdf (bug #908866) + [jessie] - tcpdf (Minor issue) NOTE: https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e + NOTE: Was considered minor for jessie since arbitrary deserialization + NOTE: is still possible using http and https. CVE-2018-17056 RESERVED CVE-2018-17055 = data/dla-needed.txt = @@ -90,6 +90,8 @@ suricata (Thorsten Alteholz) -- symfony (Thorsten Alteholz) -- +sympa +-- thunderbird -- xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf34228f593d5c4bf39c64cd9426b4d983321123 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf34228f593d5c4bf39c64cd9426b4d983321123 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
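Review bot: the NOTE justifying the jessie rating ("arbitrary deserialization is still possible using http and https") argues that the upstream change does not close the real attack surface, which is an argument about the issue as a whole rather than about jessie specifically; if that is the reasoning, the matching "(Minor issue)" line for stretch is missing, and the id line still has no fixed version for unstable despite the upstream commit in the NOTE. In dla-needed.txt, "sympa" is added with no CVE id or NOTE, unlike the gnutls28 entry in the same file that carries a dated NOTE, so whoever claims it has to rediscover what triggered the entry; add the id(s) that put it on the list.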
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-17141
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 514866c7 by Salvatore Bonaccorso at 2018-09-19T06:49:19Z Add bug reference for CVE-2018-17141 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83,7 +83,7 @@ CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go misha TODO: check, in golang-golang-x-net-dev? CVE-2018-17141 RESERVED - - hylafax + - hylafax (bug #909161) NOTE: http://git.hylafax.org/HylaFAX?a=commit;h=82fa7bdbffc253de4d3e80a87d47fdbf68eabe36 CVE-2018-17140 (The Quizlord plugin through 2.0 for WordPress is prone to Stored XSS ...) NOT-FOR-US: Wordpress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/514866c7c48bb8727af9bca6b9c0a0bd7c68b996 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/514866c7c48bb8727af9bca6b9c0a0bd7c68b996 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits