[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-0491: Only affects tor 0.3.2.x series and later
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e68721d8 by Salvatore Bonaccorso at 2018-04-21T08:56:44+02:00 CVE-2018-0491: Only affects tor 0.3.2.x series and later - - - - - 5d5c9939 by Salvatore Bonaccorso at 2018-04-21T08:57:14+02:00 Add commit for CVE-2018-0491 for reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -27008,10 +27008,13 @@ CVE-2018-0492 (Johnathan Nightingale beep through 1.3.4, if setuid, has a race . NOTE: https://github.com/johnath/beep/issues/11 CVE-2018-0491 (A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. ...) - tor 0.3.2.10-1 - [wheezy] - tor (Not supported in wheezy LTS) + [stretch] - tor (Only affects tor 0.3.2.x series and later) + [jessie] - tor (Only affects tor 0.3.2.x series and later) + [wheezy] - tor (Only affects tor 0.3.2.x series and later) NOTE: https://trac.torproject.org/projects/tor/ticket/25117 NOTE: https://trac.torproject.org/projects/tor/ticket/24700 NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915 + NOTE: https://gitweb.torproject.org/tor.git/commit/?id=adaf3e9b89f62d68ab631b8f672d9bff996689b9 CVE-2018-0490 (An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before ...) - tor 0.3.2.10-1 [wheezy] - tor (Not supported in wheezy LTS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e8f537471b2766df5430d90dee6877552a68658e...5d5c9939b37f424570240d9a21a208e87ffba546 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e8f537471b2766df5430d90dee6877552a68658e...5d5c9939b37f424570240d9a21a208e87ffba546 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
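Review bot: the first hunk replaces the wheezy rationale "Not supported in wheezy LTS" with "Only affects tor 0.3.2.x series and later" and adds the same text for stretch and jessie, so the entry now rests entirely on the CVE description's scoping ("Tor 0.3.2.x before 0.3.2.10"); the gitweb commit reference added in the second hunk (adaf3e9b...) is what lets a reviewer confirm that the affected code is absent from the tor versions shipped in those three suites, so keep both together. The neighbouring CVE-2018-0490 entry is correctly left with "Not supported in wheezy LTS", since its description covers releases before 0.2.9.15 as well.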
[Git][security-tracker-team/security-tracker][master] CVE-2017-8908 addressed in 9.22 upstream
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8f53747 by Salvatore Bonaccorso at 2018-04-21T08:40:33+02:00 CVE-2017-8908 addressed in 9.22 upstream - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -52677,7 +52677,7 @@ CVE-2017-8910 CVE-2017-8909 RESERVED CVE-2017-8908 (The mark_line_tr function in gxscanc.c in Artifex Ghostscript 9.21 ...) - - ghostscript (unimportant) + - ghostscript 9.22~dfsg-1 (unimportant) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697810 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8f537471b2766df5430d90dee6877552a68658e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8f537471b2766df5430d90dee6877552a68658e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
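Review bot: the fixed version 9.22~dfsg-1 is recorded for CVE-2017-8908 but the entry still carries only the bugs.ghostscript.com reference and no upstream fix commit, unlike the other ghostscript entry on this page (CVE-2018-10194, which notes the ghostpdl commit that fixes it); a "NOTE: Fixed by: ..." line with the commit would document why 9.22 is the fixing release and make the jessie/wheezy "Vulnerable code not present" annotations checkable.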
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2017-7948
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30e8146d by Salvatore Bonaccorso at 2018-04-21T08:38:07+02:00 Add fixed version for CVE-2017-7948 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -55249,7 +55249,7 @@ CVE-2017-7950 (Nitro Pro 11.0.3 and earlier allows remote attackers to cause a d CVE-2017-7949 RESERVED CVE-2017-7948 (Integer overflow in the mark_curve function in Artifex Ghostscript 9.21 ...) - - ghostscript (unimportant) + - ghostscript 9.22~dfsg-1 (unimportant) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697762 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30e8146d40c9e995aabd417a9064355b47501d0c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/30e8146d40c9e995aabd417a9064355b47501d0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
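Review bot: the entry for CVE-2017-7948 gains a fixed version (9.22~dfsg-1) but has annotations only for jessie and wheezy ("Vulnerable code not present"), with no stretch line in the visible hunk; with the fixing version now known, a stretch assessment would complete the entry, and as with CVE-2017-8908 a reference to the upstream commit for the mark_curve integer overflow would back the "addressed in 9.22" claim.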
[Git][security-tracker-team/security-tracker][master] Unmark no-dsa status for CVE-2018-1000071
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 374558ac by Salvatore Bonaccorso at 2018-04-21T08:17:06+02:00 Unmkark no-dsa status for CVE-2018-171 The fix will be included in the upcoming roundcube DSA. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7615,7 +7615,6 @@ CVE-2018-172 (iRedMail version prior to commit f04b8ef contains a Insecure . NOT-FOR-US: iRedMail CVE-2018-171 (roundcube version 1.3.4 and earlier contains an Insecure Permissions ...) - roundcube - [stretch] - roundcube (Minor issue) [wheezy] - roundcube (Minor issue) NOTE: https://github.com/roundcube/roundcubemail/issues/6173 NOTE: https://github.com/roundcube/roundcubemail/commit/48417c5fc9f6eb4b90500c09596606d489c700b5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/374558ac94fc12409b7eeb540a0f7d183959c236 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/374558ac94fc12409b7eeb540a0f7d183959c236 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
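Review bot: the identifier in the commit message and in the hunk (CVE-2018-171, alongside CVE-2018-172 for iRedMail) does not match the subject line (CVE-2018-1000071), so confirm which entry was actually edited; the commit title also misspells "Unmark". Dropping only the "[stretch] - roundcube (Minor issue)" line matches the stated intent that the upcoming DSA carries the fix for stretch, while the wheezy "Minor issue" annotation stays and jessie has no annotation in the visible hunk.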
[Git][security-tracker-team/security-tracker][master] Add clarifying note for CVE-2018-10245
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3804732c by Salvatore Bonaccorso at 2018-04-21T08:08:20+02:00 Add clarifying note for CVE-2018-10245 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -10,6 +10,7 @@ CVE-2018-10246 RESERVED CVE-2018-10245 (A Full Path Disclosure vulnerability in AWStats through 7.6 allows ...) - awstats (unimportant) + NOTE: Path disclosure for awstats negligible within Debian CVE-2018-10244 RESERVED CVE-2018-10243 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3804732c43faf339236bb32a049c45f2be51f374 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3804732c43faf339236bb32a049c45f2be51f374 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
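Review bot: the added NOTE ("Path disclosure for awstats negligible within Debian") gives the rationale for the "unimportant" rating, which the previous commit left unexplained; the entry still has no reference link to the upstream report, which the other entries on this page consistently carry, so a URL NOTE would complete it.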
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-10245/awstats
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: da45ebdd by Salvatore Bonaccorso at 2018-04-21T08:07:21+02:00 Add CVE-2018-10245/awstats - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9,7 +9,7 @@ CVE-2018-10247 CVE-2018-10246 RESERVED CVE-2018-10245 (A Full Path Disclosure vulnerability in AWStats through 7.6 allows ...) - TODO: check + - awstats (unimportant) CVE-2018-10244 RESERVED CVE-2018-10243 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da45ebdde62f3407891cd87ae2b8366e590bceaa --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da45ebdde62f3407891cd87ae2b8366e590bceaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
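Review bot: "TODO: check" is replaced by "- awstats (unimportant)" without any justification in the same change; the rationale arrives in the follow-up commit 3804732c, but triaging and documenting the severity in one commit keeps the history self-explanatory for anyone reading this entry in isolation.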
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c6af1f6 by Salvatore Bonaccorso at 2018-04-21T07:59:38+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,9 +1,9 @@ CVE-2018-10250 (iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a ...) - TODO: check + NOT-FOR-US: iCMS CVE-2018-10249 (baijiacms V3 has CSRF via ...) - TODO: check + NOT-FOR-US: baijiacms CVE-2018-10248 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) - TODO: check + NOT-FOR-US: WUZHI CMS CVE-2018-10247 RESERVED CVE-2018-10246 @@ -100,7 +100,7 @@ CVE-2018-10203 CVE-2018-10202 RESERVED CVE-2018-10201 (An issue was discovered in NcMonitorServer.exe in NC Monitor Server in ...) - TODO: check + NOT-FOR-US: NC Monitor Server CVE-2017-18261 (The arch_timer_reg_read_stable macro in ...) - linux 4.13.4-1 NOTE: Fixed by: https://git.kernel.org/linus/adb4f11e0a8f4e29900adb2b7af28b6bbd5c1fa4 (4.13-rc6) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c6af1f6eae0c66c4d8f6541b1d9958b563576f2 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c6af1f6eae0c66c4d8f6541b1d9958b563576f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-1172
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a3efe34d by Salvatore Bonaccorso at 2018-04-21T07:48:10+02:00 Update information on CVE-2018-1172 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24509,6 +24509,7 @@ CVE-2018-1172 RESERVED [experimental] - squid 4.0.21-1~exp5 (unimportant) - squid (unimportant) + [wheezy] - squid (Vunerable code introduced in 3.1) - squid3 (unimportant) NOTE: src:squid as source package reintroduced for 4.x in experimental NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_3.txt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3efe34de0b1215aaf75861710bead7c98260237 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3efe34de0b1215aaf75861710bead7c98260237 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
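Review bot: the added wheezy annotation has a typo, "Vunerable code introduced in 3.1" should read "Vulnerable code introduced in 3.1". It is placed under "- squid (unimportant)" while the entry also lists "- squid3 (unimportant)"; given the NOTE that src:squid was reintroduced for 4.x in experimental, the wheezy line refers to the older src:squid package, so the annotation is correct for that source but the squid3 source in the same entry still has no suite-level assessment.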
[Git][security-tracker-team/security-tracker][master] Mark xulrunner issues as end-of-life in wheezy because
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ee207b8 by Markus Koschany at 2018-04-20T23:22:05+02:00 Mark xulrunner issues as end-of-life in wheezy because they are ancient history by now and no detailed information are available to fix them. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -213379,6 +213379,7 @@ CVE-2010-4222 RESERVED CVE-2009-5017 (Mozilla Firefox before 3.6 Beta 3 does not properly handle overlong ...) - xulrunner + [wheezy] - xulrunner (no detailed information available) CVE-2009-5016 (Integer overflow in the xml_utf8_decode function in ext/xml/xml.c in ...) - php5 5.3.3-4 [lenny] - php5 5.2.6.dfsg.1-1+lenny10 @@ -223647,6 +223648,7 @@ CVE-2010-0649 (Integer overflow in the CrossCallParamsEx::CreateFromBuffer funct - webkit (chrome-specific issue) CVE-2010-0648 (Mozilla Firefox, possibly before 3.6, allows remote attackers to ...) - xulrunner (bug #570743) + [wheezy] - xulrunner (no detailed information available) CVE-2010-0647 (WebKit before r53525, as used in Google Chrome before 4.0.249.89, ...) - chromium-browser 5.0.375.29~r46008-1 - webkit 1.1.21-1 (medium) @@ -226743,8 +226745,10 @@ CVE-2009- [monkey DoS] [lenny] - monkey (Minor issue, fringe package) CVE-2009-4130 (Visual truncation vulnerability in the MakeScriptDialogTitle function ...) - xulrunner (bug #565521) + [wheezy] - xulrunner (no detailed information available) CVE-2009-4129 (Race condition in Mozilla Firefox allows remote attackers to produce a ...) - xulrunner (bug #565521) + [wheezy] - xulrunner (no detailed information available) CVE-2009-4128 (GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted ...) - grub2 1.97+20091115-1 (bug #555195) [lenny] - grub2 (Password authentication not yet present) 
@@ -233471,6 +233475,7 @@ CVE-2009-2066 (Apple Safari detects http content in https web pages only when th NOT-FOR-US: Apple Safari CVE-2009-2065 (Mozilla Firefox 3.0.10, and possibly other versions, detects http ...) - xulrunner (bug #565521) + [wheezy] - xulrunner (no detailed information available) CVE-2009-2064 (Microsoft Internet Explorer 8, and possibly other versions, detects ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2009-2063 (Opera, possibly before 9.25, processes a 3xx HTTP CONNECT response ...) @@ -234850,6 +234855,7 @@ CVE-2009-1598 (Google Chrome executes DOM calls in response to a javascript: URI NOTE: it sounds like a "researcher misconception bug" (as seeming explained by Abobe) rather than a security issue CVE-2009-1597 (Mozilla Firefox executes DOM calls in response to a javascript: URI in ...) - xulrunner (bug #565521) + [wheezy] - xulrunner (no detailed information available) CVE-2009-1596 (Ignite Realtime Openfire before 3.6.5 does not properly implement the ...) NOT-FOR-US: Openfire CVE-2009-1595 (The jabber:iq:auth implementation in IQAuthHandler.java in Ignite ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ee207b83b731c49d4a7f3332bcb1917efaaa12f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ee207b83b731c49d4a7f3332bcb1917efaaa12f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
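Review bot: the annotation text "(no detailed information available)" added for each xulrunner CVE differs from the wording used elsewhere on this page for unsupported wheezy packages ("Not supported in wheezy LTS" for tor, "not supported in Wheezy" for jasperreports); since the commit message says these are end-of-life markings, stating that in the reason text, e.g. "(Not supported in wheezy LTS, no detailed information available)", keeps the rationale consistent and searchable across entries.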
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c281f82 by security tracker role at 2018-04-20T20:10:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,21 @@ +CVE-2018-10250 (iCMS V7.0.8 has XSS via the admincp.php keywords parameter in a ...) + TODO: check +CVE-2018-10249 (baijiacms V3 has CSRF via ...) + TODO: check +CVE-2018-10248 (An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF ...) + TODO: check +CVE-2018-10247 + RESERVED +CVE-2018-10246 + RESERVED +CVE-2018-10245 (A Full Path Disclosure vulnerability in AWStats through 7.6 allows ...) + TODO: check +CVE-2018-10244 + RESERVED +CVE-2018-10243 + RESERVED +CVE-2018-10242 + RESERVED CVE-2018- [directory traversal flaw] - psensor 1.1.5-1 (bug #896195) NOTE: http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c @@ -81,8 +99,8 @@ CVE-2018-10203 RESERVED CVE-2018-10202 RESERVED -CVE-2018-10201 - RESERVED +CVE-2018-10201 (An issue was discovered in NcMonitorServer.exe in NC Monitor Server in ...) + TODO: check CVE-2017-18261 (The arch_timer_reg_read_stable macro in ...) - linux 4.13.4-1 NOTE: Fixed by: https://git.kernel.org/linus/adb4f11e0a8f4e29900adb2b7af28b6bbd5c1fa4 (4.13-rc6) @@ -286,7 +304,7 @@ CVE-2018-10122 (QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka . CVE-2018-10121 (plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS ...) NOT-FOR-US: Monstra CMS CVE-2018-10120 (The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx ...) - {DLA-1356-1} + {DSA-4178-1 DLA-1356-1} - libreoffice 1:6.0.2-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6173 NOTE: https://gerrit.libreoffice.org/#/c/49486/ 
@@ -295,7 +313,7 @@ CVE-2018-10120 (The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolb NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commit;h=017fcc2fcd00af17a97bd5463d89662404f57667 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2018-10120/ CVE-2018-10119 (sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x ...) - {DLA-1356-1} + {DSA-4178-1 DLA-1356-1} - libreoffice 1:6.0.1-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5747 NOTE: https://gerrit.libreoffice.org/#/c/48751/ @@ -8425,8 +8443,8 @@ CVE-2018-6962 RESERVED CVE-2018-6961 RESERVED -CVE-2018-6960 - RESERVED +CVE-2018-6960 (VMware Horizon DaaS (7.x before 8.0.0) contains a broken ...) + TODO: check CVE-2018-6959 (VMware vRealize Automation (vRA) prior to 7.4.0 contains a ...) NOT-FOR-US: VMware vRealize Automation CVE-2018-6958 (VMware vRealize Automation (vRA) prior to 7.3.1 contains a ...) @@ -16750,19 +16768,19 @@ CVE-2018-3841 CVE-2018-3840 RESERVED CVE-2018-3839 (An exploitable code execution vulnerability exists in the XCF image ...) - {DLA-1341-1} + {DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/fb643e371806910f1973abfdfe7f981e8dba60f5 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0521 CVE-2018-3838 (An exploitable information vulnerability exists in the XCF image ...) - {DLA-1341-1} + {DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0520 CVE-2018-3837 (An exploitable information disclosure vulnerability exists in the PCX ...) - {DLA-1341-1} + {DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://hg.libsdl.org/SDL_image/rev/2938fc80591abeae74b971cbdf966eff3213297e 
@@ -20006,17 +20024,17 @@ CVE-2018-2821 (Vulnerability in the PeopleSoft Enterprise PeopleTools component CVE-2018-2820 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of ...) NOT-FOR-US: Oracle CVE-2018-2819 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - {DLA-1355-1} + {DSA-4176-1 DLA-1355-1} - mysql-5.7 (bug #895997) - mysql-5.5 NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2818 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - {DLA-1355-1} + {DSA-4176-1 DLA-1355-1} - mysql-5.7 (bug #895997) - mysql
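Review bot: the DSA cross-references this automatic update adds to CVE/list (DSA-4178-1 for CVE-2018-10119/10120, DSA-4177-1 for CVE-2018-3837/3838/3839, DSA-4176-1 for CVE-2018-2818/2819) match the DSA/list entries introduced in commit 8ce08eda, so the two files agree; the new "TODO: check" entries it opens (CVE-2018-10250, 10249, 10248, 10245, 10201, 6960) are the ones later triaged in the "Process NFUs" and awstats commits, apart from CVE-2018-6960 (VMware Horizon DaaS), which is not touched by any commit on this page.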
[Git][security-tracker-team/security-tracker][master] Mark issues for jasperreports as end-of-life in Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ec56358 by Markus Koschany at 2018-04-20T21:32:41+02:00 Mark issues for jasperreports as end-of-life in Wheezy. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -12956,12 +12956,15 @@ CVE-2018-5432 RESERVED CVE-2018-5431 (The domain designer component of TIBCO Software Inc.'s TIBCO ...) - jasperreports + [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431 CVE-2018-5430 (The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports ...) - jasperreports + [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430 CVE-2018-5429 (A vulnerability in the report scripting component of TIBCO Software ...) - jasperreports + [wheezy] - jasperreports (not supported in Wheezy) NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429 CVE-2018-5428 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ec56358bc8964f526813e41232693e7f125ef67 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ec56358bc8964f526813e41232693e7f125ef67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
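Review bot: the three added wheezy annotations use "(not supported in Wheezy)" whereas the tor entry on this page uses "(Not supported in wheezy LTS)"; aligning the wording (lowercase suite name, mention of LTS) avoids two spellings of the same status in data/CVE/list. The entries still carry no stretch or jessie assessment, so the jasperreports status there remains open.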
[Git][security-tracker-team/security-tracker][master] add bug reference for psensor issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47dc9cc5 by Salvatore Bonaccorso at 2018-04-20T21:14:13+02:00 add bug reference for psensor issue A CVE has been requested for this oldre psensor issue fixed in 1.1.4 upstream already. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,5 +1,5 @@ CVE-2018- [directory traversal flaw] - - psensor 1.1.5-1 + - psensor 1.1.5-1 (bug #896195) NOTE: http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c CVE-2018-10241 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47dc9cc5ef114edc0f93a2821881bbf7d7214cdf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47dc9cc5ef114edc0f93a2821881bbf7d7214cdf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
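Review bot: only the unstable fixed version (psensor 1.1.5-1, now with bug #896195) is recorded for the placeholder "CVE-2018- [directory traversal flaw]" entry; the commit message says the issue was already fixed upstream in 1.1.4, so the stretch, jessie and wheezy status (affected or not, depending on the shipped version) should be added once the CVE id is assigned.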
[Git][security-tracker-team/security-tracker][master] Add psensor issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9af99ed2 by Salvatore Bonaccorso at 2018-04-20T21:10:48+02:00 Add psensor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,6 @@ +CVE-2018- [directory traversal flaw] + - psensor 1.1.5-1 + NOTE: http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c CVE-2018-10241 RESERVED CVE-2018-10240 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9af99ed2681946ba8475a9a9947579b088edac23 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9af99ed2681946ba8475a9a9947579b088edac23 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Cleanup CVE-2018-9146
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0598735 by Salvatore Bonaccorso at 2018-04-20T20:29:42+02:00 Cleanup CVE-2018-9146 Further research has shown that this was a reservation duplicate of CVE-2017-17724. Next MITRE updates should cleanup this entry accordingly, already drop it from tracker. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2538,11 +2538,8 @@ CVE-2018-9148 (Western Digital WD My Cloud v04.05.00-320 devices embed the sessi NOT-FOR-US: Western Digital WD My Cloud CVE-2018-9147 (Cross-site scripting (XSS) vulnerabilities in version 7.5.7 of Gespage ...) NOT-FOR-US: Gespage -CVE-2018-9146 (In Exiv2 0.26, there is an out-of-bounds read in ...) - - exiv2 - [wheezy] - exiv2 (Minor issue) - NOTE: https://github.com/Exiv2/exiv2/issues/254 - NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2 +CVE-2018-9146 + REJECTED CVE-2018-9145 (In the DataBuf class in include/exiv2/types.hpp in Exiv2 0.26, an ...) - exiv2 [wheezy] - exiv2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d05987355bd7b62af90b6db02d8bba00c9c70e42 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d05987355bd7b62af90b6db02d8bba00c9c70e42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
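Review bot: collapsing the entry to "CVE-2018-9146 / REJECTED" drops the two Exiv2 reference links and records nowhere in the data file that this id duplicates CVE-2017-17724, a fact that currently lives only in the commit message; a "NOTE: Duplicate of CVE-2017-17724" line under the REJECTED entry would preserve that cross-reference for anyone hitting the id later.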
[Git][security-tracker-team/security-tracker][master] Add fixing version for CVE-2016-10317 and CVE-2018-10194
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbca6eb8 by Salvatore Bonaccorso at 2018-04-20T20:26:43+02:00 Add fixing version for CVE-2016-10317 and CVE-2018-10194 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -94,7 +94,7 @@ CVE-2018-10196 CVE-2018-10195 RESERVED CVE-2018-10194 (The set_text_distance function in devices/vector/gdevpdts.c in the ...) - - ghostscript (bug #896069) + - ghostscript 9.22~dfsg-2.1 (bug #896069) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699255 (not yet public) CVE-2018-1000200 @@ -57560,7 +57560,7 @@ CVE-2017-7400 (OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11. [wheezy] - horizon (Vulnerable code not present) NOTE: https://launchpad.net/bugs/1667086 CVE-2016-10317 (The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex ...) - - ghostscript (bug #860869) + - ghostscript 9.22~dfsg-2.1 (bug #860869) [stretch] - ghostscript (Minor issue) [jessie] - ghostscript (Minor issue) [wheezy] - ghostscript (Not directly reproducible, to re-evaluate once the upstream fix is known) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cbca6eb80a47e167beae0501092f6469707006b7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cbca6eb80a47e167beae0501092f6469707006b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
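Review bot: in the second hunk, CVE-2016-10317 now has the fixed version 9.22~dfsg-2.1, but its wheezy annotation still reads "Not directly reproducible, to re-evaluate once the upstream fix is known"; recording a fixing version implies the fix is known, so that wheezy line should be revisited and, as for CVE-2018-10194 in the first hunk, a NOTE pointing at the upstream commit added. The "(not yet public)" tag on the CVE-2018-10194 bug reference is worth re-checking when the bug opens.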
[Git][security-tracker-team/security-tracker][master] salt spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a1a29881 by Moritz Muehlenhoff at 2018-04-20T19:10:14+02:00 salt spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = --- a/data/next-point-update.txt +++ b/data/next-point-update.txt @@ -57,3 +57,5 @@ CVE-2018-1000159 [stretch] - tlslite-ng 0.6.0-1+deb9u1 CVE-2018-1000156 [stretch] - patch 2.7.5-1+deb9u1 +CVE-2017-8109 + [stretch] - salt 2016.11.2+ds-1+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1a29881015924da2384f98a1e3b15173d04a3de --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1a29881015924da2384f98a1e3b15173d04a3de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-1092/linux
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: f68c62b1 by Laszlo Boszormenyi (GCS) at 2018-04-20T17:06:22+00:00 Reference fix for CVE-2018-1092/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24791,6 +24791,7 @@ CVE-2018-1093 (The ext4_valid_block_bitmap function in fs/ext4/balloc.c in the L CVE-2018-1092 (The ext4_iget function in fs/ext4/inode.c in the Linux kernel through ...) - linux 4.15.17-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199179 + NOTE: Fixed by: https://git.kernel.org/linus/8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44 CVE-2018-1091 (In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f68c62b199fcc487a038d3bc16448d32ba24f4bc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f68c62b199fcc487a038d3bc16448d32ba24f4bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
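Review bot: the added "Fixed by:" NOTE for CVE-2018-1092 omits the upstream release tag that the same NOTE style carries elsewhere on this page ("(4.13-rc6)" for CVE-2017-18261), and the entry lists only "- linux 4.15.17-1" while the neighbouring CVE-2018-1091 also records a stretch version; adding the tag and a stretch status would bring the entry to the same level of detail.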
[Git][security-tracker-team/security-tracker][master] sdl-image2, libreoffice DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ce08eda by Moritz Muehlenhoff at 2018-04-20T18:54:20+02:00 sdl-image2, libreoffice DSAs - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,11 @@ +[20 Apr 2018] DSA-4178-1 libreoffice - security update + {CVE-2018-10119 CVE-2018-10120} + [jessie] - libreoffice 1:4.3.3-2+deb8u11 + [stretch] - libreoffice 1:5.2.7-1+deb9u4 +[20 Apr 2018] DSA-4177-1 libsdl2-image - security update + {CVE-2017-2887 CVE-2017-12122 CVE-2017-14440 CVE-2017-14441 CVE-2017-14442 CVE-2017-14448 CVE-2017-14449 CVE-2017-14450 CVE-2018-3837 CVE-2018-3838 CVE-2018-3839} + [jessie] - libsdl2-image 2.0.0+dfsg-3+deb8u1 + [stretch] - libsdl2-image 2.0.1+dfsg-2+deb9u1 [20 Apr 2018] DSA-4176-1 mysql-5.5 - security update {CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819} [jessie] - mysql-5.5 5.5.60-0+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -41,11 +41,6 @@ libidn -- libmad -- -libreoffice --- -libsdl2-image - Felix Geyer (debfx) working on updates --- linux/stable (carnil) Wait until more issues have piled up -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ce08edab7abb5a771d77ac44224696733411bfc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ce08edab7abb5a771d77ac44224696733411bfc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] openjdk n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 93b74b64 by Moritz Muehlenhoff at 2018-04-20T14:21:27+02:00 openjdk n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20043,7 +20043,7 @@ CVE-2018-2812 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixMSQL CVE-2018-2811 (Vulnerability in the Java SE component of Oracle Java SE ...) - TODO: probably specific to Oracle Java + - openjdk-8 (Specific to Oracle Java, our installation procedure are obviously different) CVE-2018-2810 (Vulnerability in the MySQL Server component of Oracle MySQL ...) - mysql-5.7 (bug #895997) - mysql-5.5 (Only affects MySQL 5.7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93b74b64a37a7410571a291b42607e80e497304b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93b74b64a37a7410571a291b42607e80e497304b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
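Review bot: the added annotation has a grammar slip, "our installation procedure are obviously different" should read "our installation procedures are obviously different"; otherwise replacing "TODO: probably specific to Oracle Java" with an explicit openjdk-8 line and reason is the right resolution for a Java SE installer issue.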
[Git][security-tracker-team/security-tracker][master] new jasperreports issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fa20c8f by Moritz Muehlenhoff at 2018-04-20T12:36:31+02:00 new jasperreports issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -12955,11 +12955,14 @@ CVE-2018-5433 CVE-2018-5432 RESERVED CVE-2018-5431 (The domain designer component of TIBCO Software Inc.'s TIBCO ...) - TODO: check + - jasperreports + NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431 CVE-2018-5430 (The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports ...) - TODO: check + - jasperreports + NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430 CVE-2018-5429 (A vulnerability in the report scripting component of TIBCO Software ...) - TODO: check + - jasperreports + NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429 CVE-2018-5428 RESERVED CVE-2018-5427 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0fa20c8f14e1d35ed684b253637057386153d6cb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0fa20c8f14e1d35ed684b253637057386153d6cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
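Review bot: The three new `- jasperreports` lines for CVE-2018-5429, CVE-2018-5430 and CVE-2018-5431 carry neither a fixed version nor a bug reference, so they read as open, unfixed issues in unstable with nothing to track them. Either add a `(bug #NNNNNN)` reference as other open entries in this file do (e.g. `- mysql-5.7 (bug #895997)` in the openjdk commit on this page), or, if jasperreports is not in the archive, mark the package state explicitly instead of leaving a bare package line.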
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c3d58f6a by Moritz Muehlenhoff at 2018-04-20T12:29:30+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -71,7 +71,7 @@ CVE-2018-10207 CVE-2018-10206 RESERVED CVE-2018-10205 (hyperstart 1.0.0 in HyperHQ Hyper has memory leaks in the ...) - TODO: check + NOT-FOR-US: HyperHQ Hyper CVE-2018-10204 (PureVPN 6.0.1 for Windows suffers from a SYSTEM privilege escalation ...) NOT-FOR-US: PureVPN CVE-2018-10203 @@ -889,7 +889,7 @@ CVE-2018-9863 CVE-2018-9862 (util.c in runV 1.0.0 for Docker mishandles a numeric username, which ...) NOT-FOR-US: runV for Docker CVE-2018-9861 (Cross-site scripting (XSS) vulnerability in the Enhanced Image (aka ...) - TODO: check + NOT-FOR-US: ckeditor plugin CVE-2018-9860 (An issue was discovered in Botan 1.11.32 through 2.x before 2.6.0. An ...) - botan 2.4.0-6 - botan1.10 (Issue introduced in 1.11.32) @@ -23952,7 +23952,7 @@ CVE-2018-1327 (The Apache Struts REST Plugin is using XStream library which is . CVE-2018-1326 RESERVED CVE-2018-1325 (In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS ...) - TODO: check + NOT-FOR-US: Wicket jQuery UI CVE-2018-1324 (A specially crafted ZIP archive can be used to cause an infinite loop ...) - libcommons-compress-java 1.13-2 (bug #893174) [stretch] - libcommons-compress-java (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c3d58f6a8dc0bc35b791e62372b9831c4c0346d5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c3d58f6a8dc0bc35b791e62372b9831c4c0346d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
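Review bot: The NOT-FOR-US reason for CVE-2018-9861 names only "ckeditor plugin", while CKEditor itself is packaged in Debian (src:ckeditor); before closing this as not-for-us, confirm that the Enhanced Image plugin is not shipped in that package and say so in the reason, e.g. `NOT-FOR-US: CKEditor Enhanced Image plugin (not shipped in src:ckeditor)`, so the decision can be re-checked later. The other two changes in this commit (HyperHQ Hyper, Wicket jQuery UI) are straightforward.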
[Git][security-tracker-team/security-tracker][master] Five (unimportant) CVEs for ghostscript fixed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f3d651ff by Salvatore Bonaccorso at 2018-04-20T12:13:27+02:00 Five (unimportant) CVEs for ghostscript fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -49935,7 +49935,7 @@ CVE-2017-9742 (The score_opcodes function in opcodes/score7-dis.c in GNU Binutil CVE-2017-9741 (install/make-config.php in ProjectSend r754 allows remote attackers to ...) NOT-FOR-US: ProjectSend CVE-2017-9740 (The xps_decode_font_char_imp function in xps/xpsfont.c in Artifex ...) - - ghostscript (unimportant; bug #869879) + - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used 
@@ -50219,21 +50219,21 @@ CVE-2017-9622 (Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EP CVE-2017-9621 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9620 (The xps_select_font_encoding function in xps/xpsfont.c in Artifex ...) - - ghostscript (unimportant; bug #869879) + - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698050 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3ee55637480d5e319a5de0481b01c3346855cbc9 CVE-2017-9619 (The xps_true_callback_glyph_name function in xps/xpsttf.c in Artifex ...) - - ghostscript (unimportant; bug #869879) + - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698042 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c53183d4e7103e87368b7cfa15367a47d559e323 CVE-2017-9618 (The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscript ...) - - ghostscript (unimportant; bug #869879) + - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used 
@@ -50271,7 +50271,7 @@ CVE-2017-9611 (The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript . NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698024 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c7c55972758a93350882c32147801a3485b010fe (ghostpdl-9.22rc1) CVE-2017-9610 (The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscript ...) - - ghostscript (unimportant; bug #869879) + - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f3d651ffce9263b1d8be61ac56218d3cb0e15177 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f3d651ffce9263b1d8be61ac56218d3cb0e15177 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
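Review bot: Recording 9.22~dfsg-1 as the fixed version for these five ghostscript CVEs leaves stretch without a suite annotation: jessie and wheezy carry "Vulnerable code not present", but the NOTE on every entry says the Debian binary package is not affected because xps/ is not used, and that applies to stretch too. Consider a matching `[stretch]` line (or extending the NOTE to say it covers stretch) so stretch is not presented as the one affected suite, even with the unimportant tag.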
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ecff67a6 by Moritz Muehlenhoff at 2018-04-20T11:03:33+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5,7 +5,7 @@ CVE-2018-10240 CVE-2018-10239 RESERVED CVE-2018-10238 (bvlc.c in skarg BACnet Protocol Stack 0.8.5 has a buffer overflow in ...) - TODO: check + NOT-FOR-US: skarg BACnet Protocol Stack CVE-2018-10237 RESERVED CVE-2018-10236 (POSCMS 3.2.18 allows remote attackers to execute arbitrary PHP code via ...) @@ -21,7 +21,7 @@ CVE-2018-10232 CVE-2018-10231 RESERVED CVE-2018-10230 (Zend Debugger in Zend Server before 9.1.3 has XSS, aka ZSR-2455. ...) - TODO: check + NOT-FOR-US: Zend Server CVE-2018-10229 RESERVED CVE-2018-10228 @@ -31,7 +31,7 @@ CVE-2018-10227 (MiniCMS v1.10 has XSS via the mc-admin/conf.php site_link parame CVE-2018-10226 RESERVED CVE-2018-10225 (thinkphp 3.1.3 has SQL Injection via the index.php s parameter. ...) - TODO: check + NOT-FOR-US: thinkphp CVE-2018-10224 (An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability ...) NOT-FOR-US: YzmCMS CVE-2018-10223 (An issue was discovered in YzmCMS 3.8. There is a CSRF vulnerability ...) @@ -41,7 +41,7 @@ CVE-2018-10222 (An issue was discovered in idreamsoft iCMS V7.0. There is a CSRF CVE-2018-10221 (An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS ...) NOT-FOR-US: WUZHI CMS CVE-2018-10220 (** DISPUTED ** Glastopf 3.1.3-dev has SSRF, as demonstrated by the ...) - TODO: check + NOT-FOR-US: Glastopf CVE-2018-10219 (baijiacms V3 has physical path leakage via an ...) NOT-FOR-US: baijiacms CVE-2018-10218 
@@ -24545,13 +24545,13 @@ CVE-2018-1148 CVE-2018-1147 RESERVED CVE-2018-1146 (A remote unauthenticated user can enable telnet on the Belkin N750 ...) - TODO: check + NOT-FOR-US: Belkin CVE-2018-1145 (A remote unauthenticated user can overflow a stack buffer in the ...) - TODO: check + NOT-FOR-US: Belkin CVE-2018-1144 (A remote unauthenticated user can execute commands as root in the ...) - TODO: check + NOT-FOR-US: Belkin CVE-2018-1143 (A remote unauthenticated user can execute commands as root in the ...) - TODO: check + NOT-FOR-US: Belkin CVE-2018-1142 (Tenable Appliance versions 4.6.1 and earlier have been found to ...) NOT-FOR-US: Tenable CVE-2018-1141 (When installing Nessus to a directory outside of the default location, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecff67a6ee0943122db0868e3ffeabc108da4dd6 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecff67a6ee0943122db0868e3ffeabc108da4dd6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-1084/corosync fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef3622d6 by Salvatore Bonaccorso at 2018-04-20T10:56:04+02:00 CVE-2018-1084/corosync fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24815,7 +24815,7 @@ CVE-2018-1085 NOT-FOR-US: openshift-ansible CVE-2018-1084 (corosync before version 2.4.4 is vulnerable to an integer overflow in ...) {DSA-4174-1} - - corosync (bug #895653) + - corosync 2.4.4-1 (bug #895653) [jessie] - corosync (Vulnerable code introduced later) [wheezy] - corosync (Vulnerable code introduced later) NOTE: http://www.openwall.com/lists/oss-security/2018/04/12/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef3622d6d0b34846daf527a25fc4bf3bacb37224 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef3622d6d0b34846daf527a25fc4bf3bacb37224 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f15d5a3 by Salvatore Bonaccorso at 2018-04-20T10:53:11+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4931,7 +4931,7 @@ CVE-2018-8120 CVE-2018-8119 RESERVED CVE-2018-8118 (A remote code execution vulnerability exists when Internet Explorer ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8117 (A security feature bypass vulnerability exists in the Microsoft ...) NOT-FOR-US: Microsoft CVE-2018-8116 (A denial of service vulnerability exists in the way that Windows ...) @@ -25174,13 +25174,13 @@ CVE-2017-17315 CVE-2017-17314 RESERVED CVE-2017-17313 (The inputhub driver of HUAWEI P9 Lite mobile phones with Versions ...) - TODO: check + NOT-FOR-US: inputhub driver of HUAWEI P9 Lite mobile phones CVE-2017-17312 RESERVED CVE-2017-17311 RESERVED CVE-2017-17310 (Electronic Numbers to URI Mapping (ENUM) module in some Huawei ...) - TODO: check + NOT-FOR-US: Huawei CVE-2017-17309 RESERVED CVE-2017-17308 (SCCPX module in Huawei DP300 V500R002C00, RP200 V500R002C00, ...) 
@@ -27545,27 +27545,27 @@ CVE-2018-0278 CVE-2018-0277 RESERVED CVE-2018-0276 (A vulnerability in Cisco WebEx Connect IM could allow an ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0275 (A vulnerability in the support tunnel feature of Cisco Identity ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0274 RESERVED CVE-2018-0273 (A vulnerability in the IPsec Manager of Cisco StarOS for Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0272 (A vulnerability in the Secure Sockets Layer (SSL) Engine of Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0271 RESERVED CVE-2018-0270 RESERVED CVE-2018-0269 (A vulnerability in the web framework of the Cisco Digital Network ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0268 RESERVED CVE-2018-0267 (A vulnerability in the web framework of Cisco Unified Communications ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0266 (A vulnerability in the web framework of Cisco Unified Communications ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0265 RESERVED CVE-2018-0264 
@@ -27577,25 +27577,25 @@ CVE-2018-0262 CVE-2018-0261 RESERVED CVE-2018-0260 (A vulnerability in the web interface of Cisco MATE Live could allow an ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0259 (A vulnerability in the web-based management interface of Cisco MATE ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0258 RESERVED CVE-2018-0257 (A vulnerability in Cisco IOS XE Software running on Cisco cBR Series ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0256 (A vulnerability in the peer-to-peer message processing functionality of ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0255 (A vulnerability in the device manager web interface of Cisco Industrial ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0254 (A vulnerability in the detection engine of Cisco Firepower System ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0253 RESERVED CVE-2018-0252 RESERVED CVE-2018-0251 (A vulnerability in the Web Server Authentication Required screen of the ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0250 RESERVED CVE-2018-0249 
@@ -27609,21 +27609,21 @@ CVE-2018-0246 CVE-2018-0245 RESERVED CVE-2018-0244 (A vulnerability in the detection engine of Cisco Firepower System ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0243 (A vulnerability in the detection engine of Cisco Firepower System ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0242 (A vulnerability in the WebVPN web-based management interface of Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0241 (A vulnerability in the UDP broadcast forwarding function of Cisco IOS ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0240 (Multiple vulnerabilities in the Application Layer Protocol Inspection ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0239 (A vulnerability in the egress packet processing functionality of the ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0238 (A vulnerability in the role-based resource checking functionality of ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0237 (A vulnerability in the file type detection mechanism of the Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0236 RESERVED CVE-2018-0235 @@ -27631,19 +27631,19 @@ CVE-2018-0235 CVE-2018-0234 RESERVED CVE-2018-0233 (A
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for mysql-5.5 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fdf8076 by Salvatore Bonaccorso at 2018-04-20T10:20:54+02:00 Reserve DSA number for mysql-5.5 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[20 Apr 2018] DSA-4176-1 mysql-5.5 - security update + {CVE-2018-2755 CVE-2018-2761 CVE-2018-2771 CVE-2018-2773 CVE-2018-2781 CVE-2018-2813 CVE-2018-2817 CVE-2018-2818 CVE-2018-2819} + [jessie] - mysql-5.5 5.5.60-0+deb8u1 [18 Apr 2018] DSA-4175-1 freeplane - security update {CVE-2018-169} [jessie] - freeplane 1.3.12-1+deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -60,8 +60,6 @@ mercurial mosquitto (seb) 2018-02-27: Roger Light provided a debdiff targetting stretch, needs review -- -mysql-5.5 (carnil) --- openjdk-7/oldstable (jmm) -- openjdk-8/stable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fdf8076f37454028384d91240339f1adc74ae78 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fdf8076f37454028384d91240339f1adc74ae78 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 77597b1e by security tracker role at 2018-04-20T08:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,13 @@ +CVE-2018-10241 + RESERVED +CVE-2018-10240 + RESERVED +CVE-2018-10239 + RESERVED +CVE-2018-10238 (bvlc.c in skarg BACnet Protocol Stack 0.8.5 has a buffer overflow in ...) + TODO: check +CVE-2018-10237 + RESERVED CVE-2018-10236 (POSCMS 3.2.18 allows remote attackers to execute arbitrary PHP code via ...) NOT-FOR-US: POSCMS CVE-2018-10235 (POSCMS 3.2.10 allows remote attackers to execute arbitrary PHP code via ...) @@ -273,6 +283,7 @@ CVE-2018-10122 (QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka . CVE-2018-10121 (plugins/box/pages/pages.admin.php in Monstra CMS 3.0.4 has a stored XSS ...) NOT-FOR-US: Monstra CMS CVE-2018-10120 (The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolbar.cxx ...) + {DLA-1356-1} - libreoffice 1:6.0.2-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=6173 NOTE: https://gerrit.libreoffice.org/#/c/49486/ @@ -281,6 +292,7 @@ CVE-2018-10120 (The SwCTBWrapper::Read function in sw/source/filter/ww8/ww8toolb NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commit;h=017fcc2fcd00af17a97bd5463d89662404f57667 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2018-10120/ CVE-2018-10119 (sot/source/sdstor/stgstrms.cxx in LibreOffice before 5.4.5.1 and 6.x ...) + {DLA-1356-1} - libreoffice 1:6.0.1-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5747 NOTE: https://gerrit.libreoffice.org/#/c/48751/ 
@@ -27532,28 +27544,28 @@ CVE-2018-0278 RESERVED CVE-2018-0277 RESERVED -CVE-2018-0276 - RESERVED -CVE-2018-0275 - RESERVED +CVE-2018-0276 (A vulnerability in Cisco WebEx Connect IM could allow an ...) + TODO: check +CVE-2018-0275 (A vulnerability in the support tunnel feature of Cisco Identity ...) + TODO: check CVE-2018-0274 RESERVED -CVE-2018-0273 - RESERVED -CVE-2018-0272 - RESERVED +CVE-2018-0273 (A vulnerability in the IPsec Manager of Cisco StarOS for Cisco ...) + TODO: check +CVE-2018-0272 (A vulnerability in the Secure Sockets Layer (SSL) Engine of Cisco ...) + TODO: check CVE-2018-0271 RESERVED CVE-2018-0270 RESERVED -CVE-2018-0269 - RESERVED +CVE-2018-0269 (A vulnerability in the web framework of the Cisco Digital Network ...) + TODO: check CVE-2018-0268 RESERVED -CVE-2018-0267 - RESERVED -CVE-2018-0266 - RESERVED +CVE-2018-0267 (A vulnerability in the web framework of Cisco Unified Communications ...) + TODO: check +CVE-2018-0266 (A vulnerability in the web framework of Cisco Unified Communications ...) + TODO: check CVE-2018-0265 RESERVED CVE-2018-0264 
@@ -27564,26 +27576,26 @@ CVE-2018-0262 RESERVED CVE-2018-0261 RESERVED -CVE-2018-0260 - RESERVED -CVE-2018-0259 - RESERVED +CVE-2018-0260 (A vulnerability in the web interface of Cisco MATE Live could allow an ...) + TODO: check +CVE-2018-0259 (A vulnerability in the web-based management interface of Cisco MATE ...) + TODO: check CVE-2018-0258 RESERVED -CVE-2018-0257 - RESERVED -CVE-2018-0256 - RESERVED -CVE-2018-0255 - RESERVED -CVE-2018-0254 - RESERVED +CVE-2018-0257 (A vulnerability in Cisco IOS XE Software running on Cisco cBR Series ...) + TODO: check +CVE-2018-0256 (A vulnerability in the peer-to-peer message processing functionality of ...) + TODO: check +CVE-2018-0255 (A vulnerability in the device manager web interface of Cisco Industrial ...) + TODO: check +CVE-2018-0254 (A vulnerability in the detection engine of Cisco Firepower System ...) + TODO: check CVE-2018-0253 RESERVED CVE-2018-0252 RESERVED -CVE-2018-0251 - RESERVED +CVE-2018-0251 (A vulnerability in the Web Server Authentication Required screen of the ...) + TODO: check CVE-2018-0250 RESERVED CVE-2018-0249 @@ -27596,42 +27608,42 @@ CVE-2018-0246 RESERVED CVE-2018-0245 RESERVED -CVE-2018-0244 - RESERVED -CVE-2018-0243 - RESERVED -CVE-2018-0242 - RESERVED -CVE-2018-0241 - RESERVED -CVE-2018-0240 - RESERVED -CVE-2018-0239 - RESERVED -CVE-2018-0238 - RESERVED -CVE-2018-0237 - RESERVED +CVE-2018-0244 (A vulnerability in the detection engine of Cisco Firepower System ...) + TODO: check +CVE-2018-0243 (A vulnerability in the detection engine of Cisco Firepower System ...) + TODO: check +CVE-2018-0242 (A vulnerabili
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e6ad39d by Moritz Muehlenhoff at 2018-04-20T09:21:23+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24063,12 +24063,16 @@ CVE-2018-1293 RESERVED CVE-2018-1292 RESERVED + NOT-FOR-US: Apache Fineract CVE-2018-1291 RESERVED + NOT-FOR-US: Apache Fineract CVE-2018-1290 RESERVED + NOT-FOR-US: Apache Fineract CVE-2018-1289 RESERVED + NOT-FOR-US: Apache Fineract CVE-2018-1288 RESERVED CVE-2018-1287 (In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e6ad39d9f03c78c66ea37f470770fb282d37d3c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e6ad39d9f03c78c66ea37f470770fb282d37d3c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits