[Git][security-tracker-team/security-tracker][master] Add commit for CVE-2018-5650
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48aace7a by Salvatore Bonaccorso at 2018-05-16T22:44:53+02:00 Add commit for CVE-2018-5650 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15013,6 +15013,7 @@ CVE-2018-5650 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop an [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/88 + NOTE: https://github.com/ckolivas/lrzip/commit/50cfb3b9f68c7458822795e8b87a07dc06b39816 CVE-2018-5649 RESERVED CVE-2018-5648 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48aace7a14b1249634d240a01a6000d1ccedb617 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48aace7a14b1249634d240a01a6000d1ccedb617 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
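Review bot: the added NOTE is a bare commit URL placed directly under the issue URL, so a reader cannot tell which link is the report and which is the fix; label it, e.g. `NOTE: Fixed by: https://github.com/ckolivas/lrzip/commit/50cfb3b9f68c7458822795e8b87a07dc06b39816`, the same way the NetworkManager entry in this batch labels its link as `NOTE: Merge: ...`.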
[Git][security-tracker-team/security-tracker][master] Reference merge for CVE-2018-1000135
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c607e295 by Salvatore Bonaccorso at 2018-05-16T22:28:17+02:00 Reference merge for CVE-2018-1000135 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5703,6 +5703,7 @@ CVE-2018-1000135 (GNOME NetworkManager version 1.10.2 and earlier contains a Inf NOTE: https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/1754671 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=746422 NOTE: https://cgit.freedesktop.org/NetworkManager/NetworkManager/log/?h=bg/dns-bgo746422 + NOTE: Merge: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=d9782589248e61c0cb5aec90e3eb62612891116b NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1553634 CVE-2018-8821 (windrvr1260.sys in Jungo DriverWizard WinDriver 12.6.0 allows attackers ...) NOT-FOR-US: windrvr1260.sys in Jungo DriverWizard WinDriver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c607e295ad495677d078ac0ccd2fda0bdff17bbd --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c607e295ad495677d078ac0ccd2fda0bdff17bbd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2017-8845
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ece8bffa by Salvatore Bonaccorso at 2018-05-16T22:24:55+02:00 Reference fix for CVE-2017-8845 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -55690,6 +55690,7 @@ CVE-2017-8846 (The read_stream function in stream.c in liblrzip.so in lrzip 0.63 CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in ...) - lrzip (unimportant; bug #863151) NOTE: https://github.com/ckolivas/lrzip/issues/68 + NOTE: https://github.com/ckolivas/lrzip/commit/89d7b33e6a6450eed326b40084b547d42bad333f NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/ NOTE: Crash in CLI tool, no security implications CVE-2017-8844 (The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ece8bffa34541aafcb5290e90d0609f98770e138 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ece8bffa34541aafcb5290e90d0609f98770e138 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0be110d1 by Salvatore Bonaccorso at 2018-05-16T22:23:14+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -12,9 +12,9 @@ CVE-2018-11210 (TinyXML2 6.2.0 has a heap-based buffer over-read in the ...) - tinyxml2 NOTE: https://github.com/leethomason/tinyxml2/issues/675 CVE-2018-11209 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. ...) - TODO: check + NOT-FOR-US: Z-BlogPHP CVE-2018-11208 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a ...) - TODO: check + NOT-FOR-US: Z-BlogPHP CVE-2018-11207 (A division by zero was discovered in H5D__chunk_init in H5Dchunk.c in ...) TODO: check CVE-2018-11206 (A out of bounds read was discovered in H5O_fill_new_decode and ...) @@ -850,7 +850,7 @@ CVE-2018-10812 (The Bitpie application through 3.2.4 for Android and iOS uses cl CVE-2018-10811 RESERVED CVE-2018-10810 (chat/mobile/index.php in LiveZilla Live Chat 7.0.9.5 and prior is ...) - TODO: check + NOT-FOR-US: LiveZilla Live Chat CVE-2018-10809 (In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10808 @@ -1004,9 +1004,9 @@ CVE-2018-10762 CVE-2018-10761 RESERVED CVE-2018-10760 (Unrestricted file upload vulnerability in the Files plugin in ...) - TODO: check + NOT-FOR-US: Files plugin in ProjectPier CVE-2018-10759 (PHP remote file inclusion vulnerability in public/patch/patch.php in ...) - TODO: check + NOT-FOR-US: Project Pier CVE-2018- [Checker config files allow arbitrary code execution scenarios] - vim-syntastic 3.9.0-1 (bug #894736) NOTE: https://github.com/vim-syntastic/syntastic/issues/2170 
@@ -2254,9 +2254,9 @@ CVE-2014-10073 (The create_response function in server/server.c in Psensor befor [jessie] - psensor (Minor issue) NOTE: http://git.wpitchoune.net/gitweb/?p=psensor.git;a=commitdiff;h=8b10426dcc0246c1712a99460dd470dcb1cc4d9c CVE-2018-10241 (A denial of service vulnerability in SolarWinds Serv-U before 15.1.6 ...) - TODO: check + NOT-FOR-US: SolarWinds Serv-U CVE-2018-10240 (SolarWinds Serv-U MFT before 15.1.6 HFv1 assigns authenticated users a ...) - TODO: check + NOT-FOR-US: SolarWinds Serv-U CVE-2018-10239 RESERVED CVE-2018-10238 (bvlc.c in skarg BACnet Protocol Stack 0.8.5 has a buffer overflow in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0be110d1e0f7c56cdfd45938d93d32d867ca9707 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0be110d1e0f7c56cdfd45938d93d32d867ca9707 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
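Review bot: in the hunk at `@@ -1004,9 +1004,9 @@` the two adjacent entries spell the same product differently, `NOT-FOR-US: Files plugin in ProjectPier` for CVE-2018-10760 and `NOT-FOR-US: Project Pier` for CVE-2018-10759; pick one spelling so a search over data/CVE/list matches both entries.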
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-11211/tinyxml2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d204293 by Salvatore Bonaccorso at 2018-05-16T22:22:26+02:00 Add CVE-2018-11211/tinyxml2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9,7 +9,8 @@ CVE-2018-11212 (An issue was discovered in libjpeg 9a. The alloc_sarray function CVE-2018-11211 RESERVED CVE-2018-11210 (TinyXML2 6.2.0 has a heap-based buffer over-read in the ...) - TODO: check + - tinyxml2 + NOTE: https://github.com/leethomason/tinyxml2/issues/675 CVE-2018-11209 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. ...) TODO: check CVE-2018-11208 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d204293f47c368916632ec96b6cda235acb24e7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d204293f47c368916632ec96b6cda235acb24e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
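Review bot: the new `- tinyxml2` line marks the package as affected but carries neither a severity nor a Debian bug reference, unlike `- graphviz (low; bug #898841)` elsewhere in this batch; once the issue has been reported to the maintainer, record it in the same `(severity; bug #...)` form so the open item is trackable from the list itself.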
[Git][security-tracker-team/security-tracker][master] Cleanup CVE-2017-7473
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 476bbfd7 by Salvatore Bonaccorso at 2018-05-16T22:13:35+02:00 Cleanup CVE-2017-7473 Further analysis by its CNA schowed there is no security issue here, further investigation determined that there was a secure method for using the directive. Closes: #863583 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -60208,10 +60208,6 @@ CVE-2017-7474 (It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not NOT-FOR-US: Keycloak CVE-2017-7473 REJECTED - - ansible (unimportant; bug #863583) - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1440912 - NOTE: Upstream issue is https://github.com/ansible/ansible/issues/22505 - NOTE: but upstream denies that it is a bug. CVE-2017-7472 (The KEYS subsystem in the Linux kernel before 4.10.13 allows local ...) {DLA-922-1} - linux 4.9.25-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/476bbfd700a2b87473ebcdb06fb9eff31d06bb67 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/476bbfd700a2b87473ebcdb06fb9eff31d06bb67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
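Review bot: the hunk removes every reference under the REJECTED entry, so the reasoning given in the commit message (the CNA found no security issue, a secure way of using the directive exists, Closes: #863583) survives only in git history. Consider keeping a single NOTE line pointing at bug #863583 or the upstream issue so later triage does not have to re-derive why CVE-2017-7473 was dropped.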
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 356c6b07 by security tracker role at 2018-05-16T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,3 +1,151 @@ +CVE-2018-11215 + RESERVED +CVE-2018-11214 (An issue was discovered in libjpeg 9a. The get_text_rgb_row function in ...) + TODO: check +CVE-2018-11213 (An issue was discovered in libjpeg 9a. The get_text_gray_row function ...) + TODO: check +CVE-2018-11212 (An issue was discovered in libjpeg 9a. The alloc_sarray function in ...) + TODO: check +CVE-2018-11211 + RESERVED +CVE-2018-11210 (TinyXML2 6.2.0 has a heap-based buffer over-read in the ...) + TODO: check +CVE-2018-11209 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. ...) + TODO: check +CVE-2018-11208 (** DISPUTED ** An issue was discovered in Z-BlogPHP 2.0.0. There is a ...) + TODO: check +CVE-2018-11207 (A division by zero was discovered in H5D__chunk_init in H5Dchunk.c in ...) + TODO: check +CVE-2018-11206 (A out of bounds read was discovered in H5O_fill_new_decode and ...) + TODO: check +CVE-2018-11205 (A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the ...) + TODO: check +CVE-2018-11204 (A NULL pointer dereference was discovered in H5O__chunk_deserialize in ...) + TODO: check +CVE-2018-11203 (A division by zero was discovered in H5D__btree_decode_key in ...) + TODO: check +CVE-2018-11202 (A NULL pointer dereference was discovered in H5S_hyper_make_spans in ...) 
+ TODO: check +CVE-2018-11201 + RESERVED +CVE-2018-11200 + RESERVED +CVE-2018-11199 + RESERVED +CVE-2018-11198 + RESERVED +CVE-2018-11197 + RESERVED +CVE-2018-11196 + RESERVED +CVE-2018-11195 + RESERVED +CVE-2018-11194 + RESERVED +CVE-2018-11193 + RESERVED +CVE-2018-11192 + RESERVED +CVE-2018-11191 + RESERVED +CVE-2018-11190 + RESERVED +CVE-2018-11189 + RESERVED +CVE-2018-11188 + RESERVED +CVE-2018-11187 + RESERVED +CVE-2018-11186 + RESERVED +CVE-2018-11185 + RESERVED +CVE-2018-11184 + RESERVED +CVE-2018-11183 + RESERVED +CVE-2018-11182 + RESERVED +CVE-2018-11181 + RESERVED +CVE-2018-11180 + RESERVED +CVE-2018-11179 + RESERVED +CVE-2018-11178 + RESERVED +CVE-2018-11177 + RESERVED +CVE-2018-11176 + RESERVED +CVE-2018-11175 + RESERVED +CVE-2018-11174 + RESERVED +CVE-2018-11173 + RESERVED +CVE-2018-11172 + RESERVED +CVE-2018-11171 + RESERVED +CVE-2018-11170 + RESERVED +CVE-2018-11169 + RESERVED +CVE-2018-11168 + RESERVED +CVE-2018-11167 + RESERVED +CVE-2018-11166 + RESERVED +CVE-2018-11165 + RESERVED +CVE-2018-11164 + RESERVED +CVE-2018-11163 + RESERVED +CVE-2018-11162 + RESERVED +CVE-2018-11161 + RESERVED +CVE-2018-11160 + RESERVED +CVE-2018-11159 + RESERVED +CVE-2018-11158 + RESERVED +CVE-2018-11157 + RESERVED +CVE-2018-11156 + RESERVED +CVE-2018-11155 + RESERVED +CVE-2018-11154 + RESERVED +CVE-2018-11153 + RESERVED +CVE-2018-11152 + RESERVED +CVE-2018-11151 + RESERVED +CVE-2018-11150 + RESERVED +CVE-2018-11149 + RESERVED +CVE-2018-11148 + RESERVED +CVE-2018-11147 + RESERVED +CVE-2018-11146 + RESERVED +CVE-2018-11145 + RESERVED +CVE-2018-11144 + RESERVED +CVE-2018-11143 + RESERVED +CVE-2018-11142 + RESERVED CVE-2018-11141 RESERVED CVE-2018-11140 
@@ -700,8 +848,8 @@ CVE-2018-10812 (The Bitpie application through 3.2.4 for Android and iOS uses cl NOT-FOR-US: Bitpie application for Android and iOS CVE-2018-10811 RESERVED -CVE-2018-10810 - RESERVED +CVE-2018-10810 (chat/mobile/index.php in LiveZilla Live Chat 7.0.9.5 and prior is ...) + TODO: check CVE-2018-10809 (In 2345 Security Guard 3.7, the driver file (2345NetFirewall.sys) ...) NOT-FOR-US: 2345 Security Guard CVE-2018-10808 @@ -721,6 +869,7 @@ CVE-2018-10803 (Cross-site scripting (XSS) vulnerability in the add credentials NOT-FOR-US: Zoho ManageEngine NetFlow Analyzer CVE-2018-1000301 [RTSP bad headers buffer over-read] RESERVED + {DSA-4202-1 DLA-1379-1} - curl (bug #898856) NOTE: https://curl.haxx.se/docs/adv_2018-b138.html CVE-2018-1000300 [FTP shutdown response buffer overflow] @@ -853,10 +1002,10 @@ CVE-2018-10762 RESERVED CVE-2018-10761 RESERVED -CVE-2018-10760 - RESERVED -CVE-2018-10759 - RESERVED +CVE-2018-10760 (Unrestricted file upload vulnerability in the Files plugin in ...) + TODO: check +CVE-2018-10759 (PHP remote file inclusion vulnerabili
[Git][security-tracker-team/security-tracker][master] Reserve curl DSA
Alessandro Ghedini pushed to branch master at Debian Security Tracker / security-tracker Commits: e1acd64c by Alessandro Ghedini at 2018-05-16T21:09:12+01:00 Reserve curl DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[16 May 2018] DSA-4202-1 curl - security update + {CVE-2018-1000301} + [jessie] - curl 7.38.0-4+deb8u11 + [stretch] - curl 7.52.1-5+deb9u6 [15 May 2018] DSA-4201-1 xen - security update {CVE-2018-8897 CVE-2018-10471 CVE-2018-10472 CVE-2018-10981 CVE-2018-10982} [stretch] - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u6 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -19,8 +19,6 @@ asterisk/stable -- chromium-browser -- -curl (ghedo) --- dokuwiki/oldstable -- ffmpeg/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1acd64c1ba4ea3057a0fe07b0e2df5b53f493f8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e1acd64c1ba4ea3057a0fe07b0e2df5b53f493f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new tomcat issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61e6edd9 by Salvatore Bonaccorso at 2018-05-16T22:01:03+02:00 Add new tomcat issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7456,8 +7456,17 @@ CVE-2018-8016 RESERVED CVE-2018-8015 RESERVED -CVE-2018-8014 +CVE-2018-8014 [Insecure defaults for CORS filter] RESERVED + - tomcat9 (bug #802312) + - tomcat8 + - tomcat8.0 (unimportant) + NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java + - tomcat7 7.0.72-3 + NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API + NOTE: https://svn.apache.org/r1831728 (8.5.x) + NOTE: https://svn.apache.org/r1831729 (8.0.x) + NOTE: https://svn.apache.org/r1831730 (7.0.x) CVE-2018-8013 RESERVED CVE-2018-8012 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61e6edd945643c864f6b018f461d62423ae56df3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61e6edd945643c864f6b018f461d62423ae56df3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
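Review bot: the entry lists tomcat9 as affected, but the upstream references cover only the 8.5.x, 8.0.x and 7.0.x branches (r1831728, r1831729, r1831730); add the matching 9.0.x commit reference, or a NOTE saying why none applies, so the tomcat9 line is backed by a fix reference like the other lines.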
[Git][security-tracker-team/security-tracker][master] CVE-2018-1000300: Order entries
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf9b9fa2 by Salvatore Bonaccorso at 2018-05-16T21:44:26+02:00 CVE-2018-1000300: Order entries - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -726,9 +726,9 @@ CVE-2018-1000301 [RTSP bad headers buffer over-read] CVE-2018-1000300 [FTP shutdown response buffer overflow] RESERVED - curl - [wheezy] - curl (Vulnerable code introduced in 7.54.1) [stretch] - curl (Vulnerable code introduced in 7.54.1) [jessie] - curl (Vulnerable code introduced in 7.54.1) + [wheezy] - curl (Vulnerable code introduced in 7.54.1) NOTE: https://curl.haxx.se/docs/adv_2018-82c2.html CVE-2018-1000177 (A cross-site scripting vulnerability exists in Jenkins S3 Plugin ...) NOT-FOR-US: Jenkins plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf9b9fa27829528863d4e6730cb5742dcfc1d743 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf9b9fa27829528863d4e6730cb5742dcfc1d743 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1379-1 for curl
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d0939483 by Chris Lamb at 2018-05-16T20:02:16+02:00 Reserve DLA-1379-1 for curl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[16 May 2018] DLA-1379-1 curl - security update + {CVE-2018-1000301} + [wheezy] - curl 7.26.0-1+wheezy25+deb7u1 [13 May 2018] DLA-1378-1 tiff3 - security update {CVE-2018-8905} [wheezy] - tiff3 3.9.6-11+deb7u11 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -15,8 +15,6 @@ apache2 (Roberto C. Sánchez) cups (Thorsten Alteholz) NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz) -- -curl (Chris Lamb) --- krb5 (Thorsten Alteholz) NOTE: 20180131: lts-do-not-call NOTE: 20180411: Details not public yet. Security team in contact with upstream. (anarcat) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d0939483ced77d98342e0ae0a7499ed0aa040a65 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d0939483ced77d98342e0ae0a7499ed0aa040a65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug for CVE-2018-1000301 in curl.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d4fe270 by Chris Lamb at 2018-05-16T20:00:49+02:00 Add Debian bug for CVE-2018-1000301 in curl. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -721,7 +721,7 @@ CVE-2018-10803 (Cross-site scripting (XSS) vulnerability in the add credentials NOT-FOR-US: Zoho ManageEngine NetFlow Analyzer CVE-2018-1000301 [RTSP bad headers buffer over-read] RESERVED - - curl + - curl (bug #898856) NOTE: https://curl.haxx.se/docs/adv_2018-b138.html CVE-2018-1000300 [FTP shutdown response buffer overflow] RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d4fe270fdc8248489bfe6db2bf7e2556ffd45f5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9d4fe270fdc8248489bfe6db2bf7e2556ffd45f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-1000300 (curl) not affected in wheezy; vulnerable code introduced in 7.54.1.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4576cc6a by Chris Lamb at 2018-05-16T19:53:18+02:00 CVE-2018-1000300 (curl) not affected in wheezy; vulnerable code introduced in 7.54.1. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -726,6 +726,7 @@ CVE-2018-1000301 [RTSP bad headers buffer over-read] CVE-2018-1000300 [FTP shutdown response buffer overflow] RESERVED - curl + [wheezy] - curl (Vulnerable code introduced in 7.54.1) [stretch] - curl (Vulnerable code introduced in 7.54.1) [jessie] - curl (Vulnerable code introduced in 7.54.1) NOTE: https://curl.haxx.se/docs/adv_2018-82c2.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4576cc6ac619d10a364a9e1fccdc8019e4ee39a5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4576cc6ac619d10a364a9e1fccdc8019e4ee39a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
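Review bot: the commit title says wheezy is not affected, but the added line `[wheezy] - curl (Vulnerable code introduced in 7.54.1)` as rendered here carries only the free-text reason; a parenthesised note does not by itself change a release's status, so make sure the line carries the tracker's `<not-affected>` marker between the package name and the note (angle-bracket markers are absent throughout this digest, so it may simply have been lost in rendering).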
[Git][security-tracker-team/security-tracker][master] 2 commits: Triage curl for LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a9bd5d97 by Chris Lamb at 2018-05-16T15:50:57+02:00 Triage curl for LTS - - - - - c15ea507 by Chris Lamb at 2018-05-16T15:51:02+02:00 Claim curl in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -15,6 +15,8 @@ apache2 (Roberto C. Sánchez) cups (Thorsten Alteholz) NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz) -- +curl (Chris Lamb) +-- krb5 (Thorsten Alteholz) NOTE: 20180131: lts-do-not-call NOTE: 20180411: Details not public yet. Security team in contact with upstream. (anarcat) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e43929a5d7ab54d9889b8d14b93e112b92019567...c15ea5079664152f9ed031561d63b4f1f6e5fbcb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e43929a5d7ab54d9889b8d14b93e112b92019567...c15ea5079664152f9ed031561d63b4f1f6e5fbcb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add curl to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e43929a5 by Salvatore Bonaccorso at 2018-05-16T15:39:01+02:00 Add curl to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -19,6 +19,8 @@ asterisk/stable -- chromium-browser -- +curl (ghedo) +-- dokuwiki/oldstable -- ffmpeg/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e43929a5d7ab54d9889b8d14b93e112b92019567 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e43929a5d7ab54d9889b8d14b93e112b92019567 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-1000300/curl does not affect stretch as well
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cf89039 by Salvatore Bonaccorso at 2018-05-16T15:06:20+02:00 CVE-2018-1000300/curl does not affect stretch as well - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -726,6 +726,7 @@ CVE-2018-1000301 [RTSP bad headers buffer over-read] CVE-2018-1000300 [FTP shutdown response buffer overflow] RESERVED - curl + [stretch] - curl (Vulnerable code introduced in 7.54.1) [jessie] - curl (Vulnerable code introduced in 7.54.1) NOTE: https://curl.haxx.se/docs/adv_2018-82c2.html CVE-2018-1000177 (A cross-site scripting vulnerability exists in Jenkins S3 Plugin ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0cf890390d2fe5a53f81fda16edc86820813b55c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0cf890390d2fe5a53f81fda16edc86820813b55c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-10196
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 336a033c by Salvatore Bonaccorso at 2018-05-16T15:01:07+02:00 Add bug reference for CVE-2018-10196 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2197,7 +2197,7 @@ CVE-2018-10197 RESERVED CVE-2018-10196 [null derefence in rebuild_vlist] RESERVED - - graphviz + - graphviz (low; bug #898841) NOTE: https://gitlab.com/graphviz/graphviz/issues/1367 NOTE: https://issuetracker.google.com/issues/77810342 CVE-2018-10195 [rzsz: sz can leak data to receiving side] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/336a033cf06513260922f115eca8f5fab1290ceb --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/336a033cf06513260922f115eca8f5fab1290ceb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove TODO item for CVE-2018-10196
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 603cd5ea by Salvatore Bonaccorso at 2018-05-16T14:54:13+02:00 Remove TODO item for CVE-2018-10196 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2200,7 +2200,6 @@ CVE-2018-10196 [null derefence in rebuild_vlist] - graphviz NOTE: https://gitlab.com/graphviz/graphviz/issues/1367 NOTE: https://issuetracker.google.com/issues/77810342 - TODO: check CVE-2018-10195 [rzsz: sz can leak data to receiving side] RESERVED - lrzsz 0.12.21-10 (low; bug #897010) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/603cd5ea337e7d93ebe884dd4c31e42c0a1f1953 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/603cd5ea337e7d93ebe884dd4c31e42c0a1f1953 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add two new curl issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf857202 by Salvatore Bonaccorso at 2018-05-16T14:30:01+02:00 Add two new curl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -719,10 +719,15 @@ CVE-2018-10804 (ImageMagick version 7.0.7-28 contains a memory leak in WriteTIFF NOTE: https://github.com/ImageMagick/ImageMagick/commit/052f6c22d3a2b2aae9dfa24aff9ccdf8b72ace91 CVE-2018-10803 (Cross-site scripting (XSS) vulnerability in the add credentials ...) NOT-FOR-US: Zoho ManageEngine NetFlow Analyzer -CVE-2018-1000301 +CVE-2018-1000301 [RTSP bad headers buffer over-read] RESERVED -CVE-2018-1000300 + - curl + NOTE: https://curl.haxx.se/docs/adv_2018-b138.html +CVE-2018-1000300 [FTP shutdown response buffer overflow] RESERVED + - curl + [jessie] - curl (Vulnerable code introduced in 7.54.1) + NOTE: https://curl.haxx.se/docs/adv_2018-82c2.html CVE-2018-1000177 (A cross-site scripting vulnerability exists in Jenkins S3 Plugin ...) NOT-FOR-US: Jenkins plugin CVE-2018-1000176 (An exposure of sensitive information vulnerability exists in Jenkins ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf857202d3943595d1366f17eff9d89a6a8739e0 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf857202d3943595d1366f17eff9d89a6a8739e0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Correct ming version (missing epoch)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a51ddf4 by Salvatore Bonaccorso at 2018-05-16T14:21:03+02:00 Correct ming version (missing epoch) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5149,19 +5149,19 @@ CVE-2015-9257 (BMC Remedy Action Request (AR) System 9.0 before 9.0.00 Service P NOT-FOR-US: BMC Remedy Action Request (AR) System CVE-2018-8964 (In libming 0.4.8, the decompileDELETE function of decompile.c has a ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8963 (In libming 0.4.8, the decompileGETVARIABLE function of decompile.c has ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8962 (In libming 0.4.8, the decompileSingleArgBuiltInFunctionCall function of ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8961 (In libming 0.4.8, the decompilePUSHPARAM function of decompile.c has a ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/130 CVE-2018-8960 (The ReadTIFFImage function in coders/tiff.c in ImageMagick 7.0.7-26 Q16 ...) - imagemagick 8:6.9.9.39+dfsg-1 (low) 
@@ -5593,11 +5593,11 @@ CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the . NOTE: https://github.com/radare/radare2/commit/a88069940950999d5e2fd16cd7d16c7e956bf516 CVE-2018-8807 (In libming 0.4.8, these is a use-after-free in the function ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/129 CVE-2018-8806 (In libming 0.4.8, there is a use-after-free in the ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/128 CVE-2018-8805 (Yxcms building system (compatible cell phone) v1.4.7 has XSS via the ...) NOT-FOR-US: Yxcms @@ -7774,7 +7774,7 @@ CVE-2018-7878 RESERVED CVE-2018-7877 (There is a heap-based buffer overflow in the getString function of ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/110 CVE-2018-7876 (In libming 0.4.8, a memory exhaustion vulnerability was found in the ...) - ming 
@@ -7785,7 +7785,7 @@ CVE-2018-7875 (There is a heap-based buffer over-read in the getString function NOTE: https://github.com/libming/libming/issues/112 CVE-2018-7874 (An invalid memory address dereference was discovered in strlenext in ...) - ming - [wheezy] - ming 0.4.4-1.1+deb7u8 + [wheezy] - ming 1:0.4.4-1.1+deb7u8 NOTE: https://github.com/libming/libming/issues/115 CVE-2018-7873 (There is a heap-based buffer overflow in the getString function of ...) - ming View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1a51ddf47fcd9ebdf4f301a4c818dd0c393e2099
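Review bot: the epoch is added consistently in every touched wheezy line, but the hunk context for CVE-2018-7876 and CVE-2018-7873 ends at "- ming" with their wheezy lines out of view, so it is worth grepping data/CVE/list for "ming 0.4.4-1.1+deb7u8" to confirm no un-epoched copy of the same version survives outside these ranges. The point matters because a version string without the "1:" epoch the subject says the package carries does not compare correctly against the archive version, which is what made the original entries wrong; one missed line would leave that CVE marked fixed in wheezy on the wrong version.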
[Git][security-tracker-team/security-tracker][master] Mark CVE-2017-12194 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee041db2 by Salvatore Bonaccorso at 2018-05-16T14:17:15+02:00 Mark CVE-2017-12194 as no-dsa A malicious spice server can cause problems to a spice-gtk client. Issue is minor and can be addressed in a point release. Adding a note regarding the (de)marshal.py which are present in source but not in a binary package: AFAICS these are actually used to generate code in generated_client_(de)marshallers* and to be included in libspice-common-client.so. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -45380,8 +45380,12 @@ CVE-2017-12195 NOT-FOR-US: OpenShift CVE-2017-12194 (A flaw was found in the way spice-client processed certain messages ...) - spice-gtk (bug #898503) + [stretch] - spice-gtk (Minor issue) + [jessie] - spice-gtk (Minor issue) [wheezy] - spice-gtk (Vulnerable code is not in any binary package, only in the source package) NOTE: Proposed patches in: https://bugzilla.redhat.com/show_bug.cgi?id=1240165 + NOTE: Although not present in the binary packages the (de)marshal.py are used to + NOTE: generate repsecitve code which should be in libspice-common-client. CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array.c ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee041db2628c4f1f54b6ea6abe2177594fb5ec1a
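Review bot: the two new NOTE lines say the (de)marshal.py scripts generate code that "should be in libspice-common-client", which contradicts the unchanged wheezy line directly above them, "[wheezy] - spice-gtk (Vulnerable code is not in any binary package, only in the source package)"; if the generated code is linked into the library, the wheezy status needs re-evaluation rather than a note beside it, and if the wheezy conclusion still holds for some other reason (for example the generated marshallers in wheezy's version not containing the affected code), the NOTE should say that explicitly so the next reader does not have to redo the analysis. Also, "repsecitve" in the second NOTE line should read "respective".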
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7deadfba by Moritz Muehlenhoff at 2018-05-16T13:55:31+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1225,11 +1225,11 @@ CVE-2018-10593 CVE-2018-10592 RESERVED CVE-2018-10591 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-10590 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-10589 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-10588 RESERVED CVE-2018-10587 @@ -5482,7 +5482,7 @@ CVE-2018-8847 CVE-2018-8846 RESERVED CVE-2018-8845 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-8844 RESERVED CVE-2018-8843 (Rockwell Automation Arena versions 16.10.00 and prior contains a use ...) @@ -5490,7 +5490,7 @@ CVE-2018-8843 (Rockwell Automation Arena versions 16.10.00 and prior contains a CVE-2018-8842 RESERVED CVE-2018-8841 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-8840 (A remote attacker could send a carefully crafted packet in InduSoft ...) NOT-FOR-US: InduSoft CVE-2018-8839 (Delta PMSoft versions 2.10 and prior have multiple stack-based buffer ...) 
@@ -8947,27 +8947,27 @@ CVE-2018-7507 (WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a CVE-2018-7506 (The private key of the web server in Moxa MXview versions 2.8 and ...) NOT-FOR-US: Moxa CVE-2018-7505 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-7504 (A Protection Mechanism Failure issue was discovered in OSIsoft PI ...) NOT-FOR-US: OSIsoft PI CVE-2018-7503 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-7502 (Kernel drivers in Beckhoff TwinCAT 3.1 Build 4022.4, TwinCAT 2.11 R3 ...) NOT-FOR-US: Beckhoff TwinCAT CVE-2018-7501 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-7500 (A Permissions, Privileges, and Access Controls issue was discovered in ...) NOT-FOR-US: OSIsoft PI CVE-2018-7499 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-7498 (In Philips Alice 6 System version R8.0.2 or prior, the lack of proper ...) NOT-FOR-US: Philips Alice 6 System CVE-2018-7497 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-7496 (An Information Exposure issue was discovered in OSIsoft PI Vision ...) NOT-FOR-US: OSIsoft PI CVE-2018-7495 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) - TODO: check + NOT-FOR-US: Advantech CVE-2018-7494 (WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a ...) NOT-FOR-US: Delta Electronics CVE-2018-7493 (CactusVPN through 6.0 for macOS suffers from a root privilege ...) 
@@ -26741,9 +26741,9 @@ CVE-2018-1265 CVE-2018-1264 RESERVED CVE-2018-1263 (Addresses partial fix in CVE-2018-1261. Pivotal ...) - TODO: check + NOT-FOR-US: Spring-integration-zip CVE-2018-1262 (Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a ...) - TODO: check + NOT-FOR-US: Cloud Foundry Foundation UAA CVE-2018-1261 (Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary ...) NOT-FOR-US: Spring-integration-zip CVE-2018-1260 (Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to ...) @@ -45669,19 +45669,19 @@ CVE-2017-12131 (The Easy Testimonials plugin 3.0.4 for WordPress has XSS in ...) CVE-2017-12130 (An exploitable NULL pointer dereference vulnerability exists in the ...) NOT-FOR-US: tinysvcmdns CVE-2017-12129 (An exploitable Weak Cryptography for Passwords vulnerability exists in ...) - TODO: check + NOT-FOR-US: Moxa CVE-2017-12128 (An exploitable information disclosure vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Moxa CVE-2017-12127 (A password storage vulnerability exists in the operating system ...) - TODO: check + NOT-FOR-US: Moxa CVE-2017-12126 (An exploitable cross-site request forgery vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Moxa CVE-2017-12125 (An exploitable command in
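Review bot: the Advantech entries are recorded as the bare "NOT-FOR-US: Advantech" although every one of the descriptions names the product (Advantech WebAccess), and the neighbouring entries in the same hunks use the more specific form ("NOT-FOR-US: Beckhoff TwinCAT", "NOT-FOR-US: OSIsoft PI", "NOT-FOR-US: Philips Alice 6 System"); "NOT-FOR-US: Advantech WebAccess" would match that convention and keep the entries greppable by product. The CVE-2018-1263 line is consistent with CVE-2018-1261 already carrying "NOT-FOR-US: Spring-integration-zip" in the context. The last hunk is cut off in this rendering after "CVE-2017-12125 (An exploitable command in", so the remainder of the Moxa block cannot be checked here.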
[Git][security-tracker-team/security-tracker][master] new spring issues, spring NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dfdc7c4f by Moritz Muehlenhoff at 2018-05-16T12:16:41+02:00 new spring issues, spring NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26745,17 +26745,19 @@ CVE-2018-1263 (Addresses partial fix in CVE-2018-1261. Pivotal ...) CVE-2018-1262 (Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a ...) TODO: check CVE-2018-1261 (Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary ...) - TODO: check + NOT-FOR-US: Spring-integration-zip CVE-2018-1260 (Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to ...) - TODO: check + NOT-FOR-US: Spring Security OAuth CVE-2018-1259 (Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to ...) - TODO: check + NOT-FOR-US: Spring Data Commons CVE-2018-1258 (Spring Security in combination with Spring Framework versions prior to ...) - TODO: check + - libspring-security-2.0-java + NOTE: https://pivotal.io/security/cve-2018-1258 CVE-2018-1257 (Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior ...) - TODO: check + - libspring-java + NOTE: https://pivotal.io/security/cve-2018-1257 CVE-2018-1256 (Spring Cloud SSO Connector, version 2.1.2, contains a regression which ...) - TODO: check + NOT-FOR-US: Spring Cloud SSO Connector CVE-2018-1255 RESERVED CVE-2018-1254 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dfdc7c4fddbd9803f332d7f3cff69e3c7b41b5fd
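Review bot: the new "- libspring-security-2.0-java" and "- libspring-java" lines carry neither a fixed version nor a status or severity, so both issues are now recorded as open in every suite with no [stretch] or [jessie] annotation; since the CVE-2018-1257 description already gives the affected upstream ranges ("5.0.x prior to 5.0.6, versions 4.3.x prior ..."), a NOTE stating which range Debian's libspring-java falls into, or a version, no-dsa or not-affected status, would make the entry actionable rather than leaving the triage implicit. For CVE-2018-1258 the description says "Spring Security in combination with Spring Framework", yet only the security package is listed; say whether libspring-java needs its own line for this CVE or why it does not.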
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc0640f2 by security tracker role at 2018-05-16T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,25 @@ +CVE-2018-11141 + RESERVED +CVE-2018-11140 + RESERVED +CVE-2018-11139 + RESERVED +CVE-2018-11138 + RESERVED +CVE-2018-11137 + RESERVED +CVE-2018-11136 + RESERVED +CVE-2018-11135 + RESERVED +CVE-2018-11134 + RESERVED +CVE-2018-11133 + RESERVED +CVE-2018-11132 + RESERVED +CVE-2018-11131 + RESERVED CVE-2018-11130 RESERVED CVE-2018-11129 @@ -1202,12 +1224,12 @@ CVE-2018-10593 RESERVED CVE-2018-10592 RESERVED -CVE-2018-10591 - RESERVED -CVE-2018-10590 - RESERVED -CVE-2018-10589 - RESERVED +CVE-2018-10591 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check +CVE-2018-10590 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check +CVE-2018-10589 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-10588 RESERVED CVE-2018-10587 @@ -5459,16 +5481,16 @@ CVE-2018-8847 RESERVED CVE-2018-8846 RESERVED -CVE-2018-8845 - RESERVED +CVE-2018-8845 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-8844 RESERVED CVE-2018-8843 (Rockwell Automation Arena versions 16.10.00 and prior contains a use ...) NOT-FOR-US: Rockwell CVE-2018-8842 RESERVED -CVE-2018-8841 - RESERVED +CVE-2018-8841 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-8840 (A remote attacker could send a carefully crafted packet in InduSoft ...) NOT-FOR-US: InduSoft CVE-2018-8839 (Delta PMSoft versions 2.10 and prior have multiple stack-based buffer ...) 
@@ -8924,28 +8946,28 @@ CVE-2018-7507 (WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a NOT-FOR-US: Delta Electronics CVE-2018-7506 (The private key of the web server in Moxa MXview versions 2.8 and ...) NOT-FOR-US: Moxa -CVE-2018-7505 - RESERVED +CVE-2018-7505 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-7504 (A Protection Mechanism Failure issue was discovered in OSIsoft PI ...) NOT-FOR-US: OSIsoft PI -CVE-2018-7503 - RESERVED +CVE-2018-7503 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-7502 (Kernel drivers in Beckhoff TwinCAT 3.1 Build 4022.4, TwinCAT 2.11 R3 ...) NOT-FOR-US: Beckhoff TwinCAT -CVE-2018-7501 - RESERVED +CVE-2018-7501 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-7500 (A Permissions, Privileges, and Access Controls issue was discovered in ...) NOT-FOR-US: OSIsoft PI -CVE-2018-7499 - RESERVED +CVE-2018-7499 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-7498 (In Philips Alice 6 System version R8.0.2 or prior, the lack of proper ...) NOT-FOR-US: Philips Alice 6 System -CVE-2018-7497 - RESERVED +CVE-2018-7497 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-7496 (An Information Exposure issue was discovered in OSIsoft PI Vision ...) NOT-FOR-US: OSIsoft PI -CVE-2018-7495 - RESERVED +CVE-2018-7495 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...) + TODO: check CVE-2018-7494 (WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a ...) NOT-FOR-US: Delta Electronics CVE-2018-7493 (CactusVPN through 6.0 for macOS suffers from a root privilege ...) 
@@ -26718,10 +26740,10 @@ CVE-2018-1265 RESERVED CVE-2018-1264 RESERVED -CVE-2018-1263 - RESERVED -CVE-2018-1262 - RESERVED +CVE-2018-1263 (Addresses partial fix in CVE-2018-1261. Pivotal ...) + TODO: check +CVE-2018-1262 (Cloud Foundry Foundation UAA, versions 4.12.X and 4.13.X, introduced a ...) + TODO: check CVE-2018-1261 (Spring-integration-zip versions prior to 1.0.1 exposes an arbitrary ...) TODO: check CVE-2018-1260 (Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to ...) @@ -75216,27 +75238,23 @@ CVE-2017-2615 [display: cirrus: oob access while doing bitblt copy backward mode CVE-2017-2614 RESERVED NOT-FOR-US: Red Hat ovirt-aaa-jdbc-tool tools -CVE-2017-2613 - RESERVED +CVE-2017-2613 (jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation ...) - jenkins NOTE: https://jenkins.io/security
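Review bot: for CVE-2017-2613 the bot only swapped the bare RESERVED for the description, but the pre-existing "- jenkins" line underneath has no fixed version or status and the NOTE points at the generic https://jenkins.io/security page; now that the description is public this entry needs a human pass to set a version or status and, if one exists, the specific advisory URL. This rendering stops at that NOTE line, so anything after it in the hunk is out of view. The rest of the commit follows the expected bot pattern, new RESERVED placeholders and descriptions with "TODO: check"; the 12:16 (dfdc7c4f) and 13:55 (7deadfba) commits in this digest are the ones that resolve those TODOs, and nothing here needs changing by hand.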