[Git][security-tracker-team/security-tracker][master] Add new wireshark issues, all need to be closer checked
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe61f23f by Salvatore Bonaccorso at 2018-05-23T08:57:00+02:00 Add new wireshark issues, all need to be closer checked - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -81,22 +81,62 @@ CVE-2018-11363 (jpeg_size in pdfgen.c in PDFGen before 2018-04-09 has a heap-bas NOT-FOR-US: PDFGen CVE-2018-11362 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14615 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f177008b04a530640de835ca878892e58b826d58 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-25.html + TODO: check, only 2.6.0 affected? CVE-2018-11361 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14686 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b52f9929238ce3948ec924ae4f9456b5e9df558 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-32.html + TODO: check, only 2.6.0 affected? CVE-2018-11360 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14688 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a55b36c51f83a7b9680824e8ee3a6ce8429ab24b + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-30.html CVE-2018-11359 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14703 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=beaebe91b14564fb9f86f0726bab09927872721b + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-33.html CVE-2018-11358 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14689 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=ccb1ac3c8cec47fbbbf2e80ced80644005c65252 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-31.html CVE-2018-11357 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14678 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=ab8a33ef083b9732c89117747a83a905a676faf6 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-28.html CVE-2018-11356 RESERVED + - wireshark + NOTE: 
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14681 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4425716ddba99374749bd033d9bc0f4add2fb973 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-29.html CVE-2018-11355 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14673 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=99d27a5fd2c540f837154aca3b3647f5ccfa0c33 + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-27.html + TODO: check, only 2.6.0 affected? CVE-2018-11354 RESERVED + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14647 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cb517a4a434387e74a2f75ebb106ee3c3893251c + NOTE: https://www.wireshark.org/security/wnpa-sec-2018-26.html + TODO: check, only 2.6.0 affected? CVE-2018-11353 RESERVED CVE-2018-11352 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fe61f23f95662b0451a4b56733846b7fe5023eca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fe61f23f95662b0451a4b56733846b7fe5023eca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
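Review bot: only CVE-2018-11362, -11361, -11355 and -11354 get a `TODO: check, only 2.6.0 affected?` line, while CVE-2018-11360, -11359, -11358, -11357 and -11356 are added as a bare `- wireshark` with neither a fixed version nor a TODO, so nothing in the file marks them for the follow-up the commit message says all of them need. Suggest adding a `TODO: check` line to each of those five as well (or a fixed version where the linked wnpa-sec advisory already gives one) so they are not mistaken for entries that were already triaged.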
[Git][security-tracker-team/security-tracker][master] data/dsa-needed.txt : santiago will prepare a libidn update
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: b1ce1b68 by Santiago R.R at 2018-05-23T07:04:41+02:00 data/dsa-needed.txt : santiago will prepare a libidn update Signed-off-by: Santiago R.R- - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -36,6 +36,7 @@ libav/oldstable We can ship the next libav 11.x point release when available -- libidn + santiago will prepare update -- linux Wait until more issues have piled up View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1ce1b681d6108338afbe1d11df8d0a1bae11876 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1ce1b681d6108338afbe1d11df8d0a1bae11876 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
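Review bot: the claim is recorded as free text under `libidn` (`+ santiago will prepare update`) rather than in the `package (claimant)` form the rest of dsa-needed.txt uses, e.g. `tomcat8 (seb)` and `wavpack (jmm)` in the neighbouring hunks on this list. Suggest `libidn (santiago)` on the package line itself, keeping a dated note below it if the status text is wanted, so the claim is visible in the same place as the others.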
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-1136{4,5}/r-cran-haven
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20dc99af by Salvatore Bonaccorso at 2018-05-23T06:34:38+02:00 Add bug reference for CVE-2018-1136{4,5}/r-cran-haven - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -74,9 +74,9 @@ CVE-2018-11367 (An issue was discovered in CppCMS before 1.2.1. There is a denia CVE-2018-11366 (init.php in the Loginizer plugin 1.3.8 through 1.3.9 for WordPress has ...) NOT-FOR-US: Wordpress plugin CVE-2018-11365 (sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an ...) - - r-cran-haven (low) + - r-cran-haven (low; bug #899335) CVE-2018-11364 (sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in ...) - - r-cran-haven (low) + - r-cran-haven (low; bug #899335) CVE-2018-11363 (jpeg_size in pdfgen.c in PDFGen before 2018-04-09 has a heap-based ...) NOT-FOR-US: PDFGen CVE-2018-11362 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20dc99af8eb8ea395c52bcf1082b5ebf1151db1e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20dc99af8eb8ea395c52bcf1082b5ebf1151db1e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add references for CVE-2018-5698
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e279f95 by Salvatore Bonaccorso at 2018-05-23T06:26:59+02:00 Add references for CVE-2018-5698 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15412,6 +15412,8 @@ CVE-2017-18031 RESERVED CVE-2018-5698 (libreadstat.a in WizardMac ReadStat 0.1.1 has a heap-based buffer ...) - r-cran-haven 1.1.1-1 + NOTE: https://github.com/WizardMac/ReadStat/issues/108 + NOTE: https://github.com/WizardMac/ReadStat/commit/79793dba3b665ff037ca60140441a6679a8971cf CVE-2018-5697 (Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to ...) NOT-FOR-US: Icy Phoenix CVE-2018-5696 (The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e279f95a0156e341ed6a6cba1cbf211caa86b1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e279f95a0156e341ed6a6cba1cbf211caa86b1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dsa-needed.txt: xdg-utils (luciano)
Luciano Bello pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e281ab3 by Luciano Bello at 2018-05-22T22:07:51-04:00 dsa-needed.txt: xdg-utils (luciano) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -83,7 +83,9 @@ tomcat7/oldstable tomcat8 (seb) 2018-04-11: Emmanuel Bourg submitted a debdiff -- -zendframework/oldstable +xdg-utils (luciano) -- xen -- +zendframework/oldstable +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8e281ab3b77f5ca2b9cec5da4ee77c871d0b47cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8e281ab3b77f5ca2b9cec5da4ee77c871d0b47cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] older r-cran-haven issue fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d56c0872 by Moritz Muehlenhoff at 2018-05-22T23:36:23+02:00 older r-cran-haven issue fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -15411,7 +15411,7 @@ CVE-2018-5699 CVE-2017-18031 RESERVED CVE-2018-5698 (libreadstat.a in WizardMac ReadStat 0.1.1 has a heap-based buffer ...) - - r-cran-haven + - r-cran-haven 1.1.1-1 CVE-2018-5697 (Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to ...) NOT-FOR-US: Icy Phoenix CVE-2018-5696 (The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d56c087270b72bb942689123befb204ece09ef7a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d56c087270b72bb942689123befb204ece09ef7a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim zookeeper in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 88e56251 by Markus Koschany at 2018-05-22T23:35:03+02:00 Claim zookeeper in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -59,3 +59,5 @@ xdg-utils (Abhijith PA) -- xen (Emilio Pozuelo) -- +zookeeper (Markus Koschany) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88e562511be7e995ba8755a8960b3a0c06f38fa7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88e562511be7e995ba8755a8960b3a0c06f38fa7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-8012,zookeeper: Add bug reference and more information.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 84552e45 by Markus Koschany at 2018-05-22T23:33:25+02:00 CVE-2018-8012,zookeeper: Add bug reference and more information. - - - - - b066d9b7 by Markus Koschany at 2018-05-22T23:34:08+02:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8130,9 +8130,11 @@ CVE-2018-8014 (The defaults settings for the CORS filter provided in Apache Tomc CVE-2018-8013 RESERVED CVE-2018-8012 (No authentication/authorization is enforced when a server attempts to ...) - - zookeeper 3.4.10-2 + - zookeeper 3.4.10-2 (bug #899332) NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-1045 NOTE: http://www.openwall.com/lists/oss-security/2018/05/21/6 + NOTE: https://cwiki.apache.org/confluence/display/ZOOKEEPER/Server-Server+mutual+authentication + NOTE: https://issues.apache.org/jira/secure/attachment/12840904/ZOOKEEPER-1045-br-3-4.patch CVE-2018-8011 RESERVED CVE-2018-8010 (This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/eedb3a77cd8658f7228bb79a1951bd3f5f390ecf...b066d9b7967e0a1c13995005665fa4071eb7c756 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/eedb3a77cd8658f7228bb79a1951bd3f5f390ecf...b066d9b7967e0a1c13995005665fa4071eb7c756 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] remove TODO for "efail", all clients mentioned in advisory covered
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eedb3a77 by Moritz Muehlenhoff at 2018-05-22T23:31:00+02:00 remove TODO for "efail", all clients mentioned in advisory covered - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -24467,12 +24467,10 @@ CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) .. NOTE: https://efail.de NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796135 NOTE: https://dot.kde.org/2018/05/15/efail-and-kmail - TODO: check all clients CVE-2017-17688 (** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode ...) - enigmail (bug #898630) NOTE: vulnerability is in the clients handling, not in OpenPGP NOTE: https://efail.de - TODO: check all clients CVE-2017-17687 RESERVED CVE-2017-17686 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eedb3a77cd8658f7228bb79a1951bd3f5f390ecf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eedb3a77cd8658f7228bb79a1951bd3f5f390ecf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f93bff7f by Moritz Muehlenhoff at 2018-05-22T23:30:01+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -58,21 +58,21 @@ CVE-2018-11375 (The _inst__lds() function in radare2 2.5.0 allows remote attacke CVE-2018-11374 RESERVED CVE-2018-11373 (iScripts eSwap v2.4 has SQL injection via the "salelistdetailed.php" ...) - TODO: check + NOT-FOR-US: iScripts eSwap CVE-2018-11372 (iScripts eSwap v2.4 has SQL injection via the wishlistdetailed.php User ...) - TODO: check + NOT-FOR-US: iScripts eSwap CVE-2018-11371 (SkyCaiji 1.2 allows CSRF to add an Administrator user. ...) - TODO: check + NOT-FOR-US: SkyCaiji CVE-2018-11370 RESERVED CVE-2018-11369 (An issue was discovered in PbootCMS v1.0.9. There is a SQL Injection ...) - TODO: check + NOT-FOR-US: PbootCMS CVE-2018-11368 RESERVED CVE-2018-11367 (An issue was discovered in CppCMS before 1.2.1. There is a denial of ...) - TODO: check + NOT-FOR-US: CppCMS CVE-2018-11366 (init.php in the Loginizer plugin 1.3.8 through 1.3.9 for WordPress has ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-11365 (sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an ...) - r-cran-haven (low) CVE-2018-11364 (sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in ...) 
@@ -146,23 +146,23 @@ CVE-2018-11331 (An issue was discovered in Pluck before 4.7.6. Remote PHP code . CVE-2018-11330 (An issue was discovered in Pluck before 4.7.6. There is authenticated ...) NOT-FOR-US: Pluck CMS CVE-2018-11329 (The DrugDealer function of a smart contract implementation for Ether ...) - TODO: check + NOT-FOR-US: DrugDealer smart contractz CVE-2018-11328 (An issue was discovered in Joomla! Core before 3.8.8. Under specific ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11327 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11326 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate input ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11325 (An issue was discovered in Joomla! Core before 3.8.8. The web install ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11324 (An issue was discovered in Joomla! Core before 3.8.8. A long running ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11323 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11322 (An issue was discovered in Joomla! Core before 3.8.8. Depending on the ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11321 (An issue was discovered in com_fields in Joomla! Core before 3.8.8. ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-11320 (In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are ...) NOT-FOR-US: Octopus Deploy CVE-2018-1000181 
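Review bot: typo in the new state line for CVE-2018-11329, `+ NOT-FOR-US: DrugDealer smart contractz`; it should read `NOT-FOR-US: DrugDealer smart contract`.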
@@ -718,7 +718,7 @@ CVE-2018-11095 (The decompileJUMP function in decompile.c in libming through 0.4 CVE-2018-11094 (An issue was discovered on Intelbras NCLOUD 300 1.0 devices. ...) NOT-FOR-US: Intelbras NCLOUD CVE-2018-11093 (Cross-site scripting (XSS) vulnerability in the Link package for ...) - TODO: check + NOT-FOR-US: CKeditor addon CVE-2018-11092 (An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF ...) NOT-FOR-US: Admin Notes plugin for MyBB CVE-2018-11091 (An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file ...) @@ -11334,9 +11334,9 @@ CVE-2018-6965 CVE-2018-6964 RESERVED CVE-2018-6963 (VMware Workstation (14.x before 14.1.2) and Fusion (10.x before ...) - TODO: check + NOT-FOR-US: VMware CVE-2018-6962 (VMware Fusion (10.x before 10.1.2) contains a signature bypass ...) - TODO: check + NOT-FOR-US: VMware CVE-2018-6961 RESERVED CVE-2018-6960 (VMware Horizon DaaS (7.x before 8.0.0) contains a broken ...) @@ -12808,11 +12808,11 @@ CVE-2018-6496 CVE-2018-6495 RESERVED CVE-2018-6494 (Remote SQL Injection against the HP Service Manager Software Web Tier, ...) - TODO: check + NOT-FOR-US: HP CVE-2018-6493 (SQL Injection in HP Network Operations Management Ultimate, version ...) - TODO: check + NOT-FOR-US: HP CVE-2018-6492 (Persistent Cross-Site Scripting, and non-persistent HTML Injection in ...) - TODO: check + NOT-FOR-US: HP CVE-2018-6491 (Local Escalation of Privilege vulnerability to Micro Focus Universal ...) NOT-FOR-US: Micro Focus Universal CMDB CVE-2018-6490 (Denial of Service vulnerability in M
[Git][security-tracker-team/security-tracker][master] new radare issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a1c1a04c by Moritz Muehlenhoff at 2018-05-22T23:25:59+02:00 new radare issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,23 +1,60 @@ CVE-2018-11384 (The sh_op() function in radare2 2.5.0 allows remote attackers to cause ...) - TODO: check + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) + NOTE: https://github.com/radare/radare2/commit/77c47cf873dd55b396da60baa2ca83bbd39e4add + NOTE: https://github.com/radare/radare2/issues/9903 CVE-2018-11383 (The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers ...) - TODO: check + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) + NOTE: https://github.com/radare/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a + NOTE: https://github.com/radare/radare2/issues/9943 CVE-2018-11382 (The _inst__sts() function in radare2 2.5.0 allows remote attackers to ...) - TODO: check + - radare2 (Vulnerable code not yet present) + NOTE: https://github.com/radare/radare2/commit/d04c78773f6959bcb427453f8e5b9824d5ba9eff + NOTE: https://github.com/radare/radare2/issues/10091 CVE-2018-11381 (The string_scan_range() function in radare2 2.5.0 allows remote ...) - TODO: check + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) + NOTE: https://github.com/radare/radare2/commit/3fcf41ed96ffa25b38029449520c8d0a198745f3 + NOTE: https://github.com/radare/radare2/issues/9902 CVE-2018-11380 (The parse_import_ptr() function in radare2 2.5.0 allows remote ...) - TODO: check + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) + NOTE: https://github.com/radare/radare2/commit/60208765887f5f008b3b9a883f3addc8bdb9c134 + NOTE: https://github.com/radare/radare2/issues/9970 CVE-2018-11379 (The get_debug_info() function in radare2 2.5.0 allows remote attackers ...) 
- TODO: check + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) + NOTE: https://github.com/radare/radare2/commit/4e1cf0d3e6f6fe2552a269def0af1cd2403e266c + NOTE: https://github.com/radare/radare2/issues/9926 CVE-2018-11378 (The wasm_dis() function in libr/asm/arch/wasm/wasm.c in or possibly ...) - TODO: check + - radare2 (low) + [stretch] - radare2 (Vulnerable code not present) + [jessie] - radare2 (Vulnerable code not present) + NOTE: https://github.com/radare/radare2/commit/bd276ef2fd8ac3401e65be7c126a43175ccfbcd7 + NOTE: https://github.com/radare/radare2/issues/9969 CVE-2018-11377 (The avr_op_analyze() function in radare2 2.5.0 allows remote attackers ...) - TODO: check + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) + NOTE: https://github.com/radare/radare2/commit/25a3703ef2e015bbe1d1f16f6b2f63bb10dd34f4 + NOTE: https://github.com/radare/radare2/commit/b35530fa0681b27eba084de5527037ebfb397422 + NOTE: https://github.com/radare/radare2/issues/9901 CVE-2018-11376 (The r_read_le32() function in radare2 2.5.0 allows remote attackers to ...) - TODO: check + - radare2 (low) + [stretch] - radare2 (Minor issue) + [jessie] - radare2 (Minor issue) + NOTE: https://github.com/radare/radare2/commit/1f37c04f2a762500222dda2459e6a04646feeedf + NOTE: https://github.com/radare/radare2/issues/9904 CVE-2018-11375 (The _inst__lds() function in radare2 2.5.0 allows remote attackers to ...) - TODO: check + - radare2 (Vulnerable code not yet present) + NOTE: https://github.com/radare/radare2/commit/041e53cab7ca33481ae45ecd65ad596976d78e68 + NOTE: https://github.com/radare/radare2/issues/9928 CVE-2018-11374 RESERVED CVE-2018-11373 (iScripts eSwap v2.4 has SQL injection via the "salelistdetailed.php" ...) 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1c1a04c1ed786c0ef42f03bc09a618879ab24bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a1c1a04c1ed786c0ef42f03bc09a618879ab24bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] drop wavpack, already released
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a174d5c by Moritz Muehlenhoff at 2018-05-22T23:12:58+02:00 drop wavpack, already released - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -83,8 +83,6 @@ tomcat7/oldstable tomcat8 (seb) 2018-04-11: Emmanuel Bourg submitted a debdiff -- -wavpack (jmm) --- zendframework/oldstable -- xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9a174d5cb7fc50104bae37f6ac1b76d20a379cda -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9a174d5cb7fc50104bae37f6ac1b76d20a379cda You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8961a379 by security tracker role at 2018-05-22T20:10:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,3 +1,41 @@ +CVE-2018-11384 (The sh_op() function in radare2 2.5.0 allows remote attackers to cause ...) + TODO: check +CVE-2018-11383 (The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers ...) + TODO: check +CVE-2018-11382 (The _inst__sts() function in radare2 2.5.0 allows remote attackers to ...) + TODO: check +CVE-2018-11381 (The string_scan_range() function in radare2 2.5.0 allows remote ...) + TODO: check +CVE-2018-11380 (The parse_import_ptr() function in radare2 2.5.0 allows remote ...) + TODO: check +CVE-2018-11379 (The get_debug_info() function in radare2 2.5.0 allows remote attackers ...) + TODO: check +CVE-2018-11378 (The wasm_dis() function in libr/asm/arch/wasm/wasm.c in or possibly ...) + TODO: check +CVE-2018-11377 (The avr_op_analyze() function in radare2 2.5.0 allows remote attackers ...) + TODO: check +CVE-2018-11376 (The r_read_le32() function in radare2 2.5.0 allows remote attackers to ...) + TODO: check +CVE-2018-11375 (The _inst__lds() function in radare2 2.5.0 allows remote attackers to ...) + TODO: check +CVE-2018-11374 + RESERVED +CVE-2018-11373 (iScripts eSwap v2.4 has SQL injection via the "salelistdetailed.php" ...) + TODO: check +CVE-2018-11372 (iScripts eSwap v2.4 has SQL injection via the wishlistdetailed.php User ...) + TODO: check +CVE-2018-11371 (SkyCaiji 1.2 allows CSRF to add an Administrator user. ...) + TODO: check +CVE-2018-11370 + RESERVED +CVE-2018-11369 (An issue was discovered in PbootCMS v1.0.9. There is a SQL Injection ...) + TODO: check +CVE-2018-11368 + RESERVED +CVE-2018-11367 (An issue was discovered in CppCMS before 1.2.1. There is a denial of ...) + TODO: check +CVE-2018-11366 (init.php in the Loginizer plugin 1.3.8 through 1.3.9 for WordPress has ...) + TODO: check CVE-2018-11365 (sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an ...) - r-cran-haven (low) CVE-2018-11364 (sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in ...) 
@@ -72,22 +110,22 @@ CVE-2018-11330 (An issue was discovered in Pluck before 4.7.6. There is authenti NOT-FOR-US: Pluck CMS CVE-2018-11329 (The DrugDealer function of a smart contract implementation for Ether ...) TODO: check -CVE-2018-11328 - RESERVED -CVE-2018-11327 - RESERVED -CVE-2018-11326 - RESERVED -CVE-2018-11325 - RESERVED -CVE-2018-11324 - RESERVED -CVE-2018-11323 - RESERVED -CVE-2018-11322 - RESERVED -CVE-2018-11321 - RESERVED +CVE-2018-11328 (An issue was discovered in Joomla! Core before 3.8.8. Under specific ...) + TODO: check +CVE-2018-11327 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks ...) + TODO: check +CVE-2018-11326 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate input ...) + TODO: check +CVE-2018-11325 (An issue was discovered in Joomla! Core before 3.8.8. The web install ...) + TODO: check +CVE-2018-11324 (An issue was discovered in Joomla! Core before 3.8.8. A long running ...) + TODO: check +CVE-2018-11323 (An issue was discovered in Joomla! Core before 3.8.8. Inadequate checks ...) + TODO: check +CVE-2018-11322 (An issue was discovered in Joomla! Core before 3.8.8. Depending on the ...) + TODO: check +CVE-2018-11321 (An issue was discovered in com_fields in Joomla! Core before 3.8.8. ...) + TODO: check CVE-2018-11320 (In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are ...) NOT-FOR-US: Octopus Deploy CVE-2018-1000181 
@@ -642,8 +680,8 @@ CVE-2018-11095 (The decompileJUMP function in decompile.c in libming through 0.4 NOTE: https://github.com/libming/libming/issues/141 CVE-2018-11094 (An issue was discovered on Intelbras NCLOUD 300 1.0 devices. ...) NOT-FOR-US: Intelbras NCLOUD -CVE-2018-11093 - RESERVED +CVE-2018-11093 (Cross-site scripting (XSS) vulnerability in the Link package for ...) + TODO: check CVE-2018-11092 (An issue was discovered in the Admin Notes plugin 1.1 for MyBB. CSRF ...) NOT-FOR-US: Admin Notes plugin for MyBB CVE-2018-11091 (An issue was discovered in MyBiz MyProcureNet 5.0.0. A malicious file ...) @@ -11258,10 +11296,10 @@ CVE-2018-6965 RESERVED CVE-2018-6964 RESERVED -CVE-2018-6963 - RESERVED -CVE-2018-6962 - RESERVED +CVE-2018-6963 (VMware Workstation (14.x before 14.1.2) and Fusion (10.x before ...) + TODO: check +CVE-2018-6962 (VMware Fusion (10.x
[Git][security-tracker-team/security-tracker][master] Add imagemagick to dla-needed.txt and claim it.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: dd86cc1c by Markus Koschany at 2018-05-22T20:36:28+02:00 Add imagemagick to dla-needed.txt and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -17,6 +17,8 @@ cups (Thorsten Alteholz) -- enigmail (Abhijith PA) -- +imagemagick (Markus Koschany) +-- krb5 (Thorsten Alteholz) NOTE: 20180131: lts-do-not-call NOTE: 20180411: Details not public yet. Security team in contact with upstream. (anarcat) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dd86cc1cc860c3006e6e226987168ab9028d65ab --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dd86cc1cc860c3006e6e226987168ab9028d65ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove tomcat7 from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 357222a8 by Markus Koschany at 2018-05-22T20:12:19+02:00 Remove tomcat7 from dla-needed.txt Asked the security team for a Jessie update instead. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -50,8 +50,6 @@ tiff -- tiff3 -- -tomcat7 (Markus Koschany) --- wireshark (Thorsten Alteholz) -- xdg-utils (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/357222a899d725c2acd077443f175ddbd4a904cf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/357222a899d725c2acd077443f175ddbd4a904cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-8014,tomcat7: Wheezy is not affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6af9e6e1 by Markus Koschany at 2018-05-22T20:11:28+02:00 CVE-2018-8014,tomcat7: Wheezy is not affected The vulnerable code (CORS)-filter is not present. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8044,6 +8044,7 @@ CVE-2018-8014 (The defaults settings for the CORS filter provided in Apache Tomc NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 7.0.72-3 [jessie] - tomcat7 (Minor issue; user expected to configure filters appropriately) + [wheezy] - tomcat7 (vulnerable code not present) NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://svn.apache.org/r1831728 (8.5.x) NOTE: https://svn.apache.org/r1831729 (8.0.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6af9e6e1772870a2acace4076fe06ce7b2af5aee
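Review bot: the added "[wheezy] - tomcat7 (vulnerable code not present)" line records the conclusion but not the evidence; the NOTE lines around it only reference the 8.5.x and 8.0.x upstream revisions and the 7.0.72-3 packaging change, neither of which says when the CORS filter entered the 7.0.x tree. Suggest adding a NOTE naming the upstream version or commit that introduced the CORS filter, so the wheezy assessment can be rechecked later without re-auditing the source.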
[Git][security-tracker-team/security-tracker][master] Add xen to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89e54555 by Salvatore Bonaccorso at 2018-05-22T19:24:20+02:00 Add xen to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -87,3 +87,5 @@ wavpack (jmm) -- zendframework/oldstable -- +xen +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/89e54322cdf123f63252385f2b1e659b09a0
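Review bot: "+xen" is appended after "zendframework/oldstable", but the surrounding context (wavpack, then zendframework) shows the file is kept in alphabetical order; move the two new lines so that "xen" and its "--" separator sit before "zendframework/oldstable". Also note the entry is unclaimed, unlike "wavpack (jmm)"; that is fine if nobody has taken it yet.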
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for procps update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56d505c7 by Salvatore Bonaccorso at 2018-05-22T17:32:06+02:00 Reserve DSA number for procps update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[22 May 2018] DSA-4208-1 procps - security update + {CVE-2018-1122 CVE-2018-1123 CVE-2018-1124 CVE-2018-1125 CVE-2018-1126} + [jessie] - procps 2:3.3.9-9+deb8u1 + [stretch] - procps 2:3.3.12-3+deb9u1 [22 May 2018] DSA-4207-1 packagekit - security update {CVE-2018-1106} [stretch] - packagekit 1.1.5-2+deb9u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -64,8 +64,6 @@ php-horde-image phpmyadmin/oldstable (abhijith) https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc -- -procps (carnil) --- qemu/oldstable -- ruby2.1/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/56d505c76c17dfa92ca021ec67b6365944dc9242
[Git][security-tracker-team/security-tracker][master] Reference directly qualys report for CVE-2018-112{0..6}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2671c701 by Salvatore Bonaccorso at 2018-05-22T17:08:41+02:00 Reference directly qualys report for CVE-2018-112{0..6} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -27882,40 +27882,47 @@ CVE-2018-1126 [0035-proc-alloc.-Use-size_t-not-unsigned-int.patch] RESERVED - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 + NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0035-proc-alloc.-Use-size_t-not-unsigned-int.patch NOTE: https://gitlab.com/procps-ng/procps/commit/f1077b7a558a5545837aae068422e58f1f9b1d33 CVE-2018-1125 [0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch] RESERVED - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 + NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch NOTE: https://gitlab.com/procps-ng/procps/commit/b51ca2a1f8ca779f7632ade6a0a259ed882fa584 CVE-2018-1124 [Local Privilege Escalation in libprocps] RESERVED - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 + NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0074-proc-readproc.c-Fix-bugs-and-overflows-in-file2strve.patch NOTE: https://gitlab.com/procps-ng/procps/commit/36c350f07c75aabf747fb833f52a234ae5781b20 CVE-2018-1123 [Denial of Service in ps] RESERVED - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 + NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0054-ps-output.c-Fix-outbuf-overflows-in-pr_args-etc.patch NOTE: https://gitlab.com/procps-ng/procps/commit/136e3724952827bbae8887a42d9d2b6f658a48ab CVE-2018-1122 [Local Privilege Escalation in top] RESERVED - procps 2:3.3.15-1 (bug #899170) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 + NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Patch: 0097-top-Do-not-default-to-the-cwd-in-configs_read.patch NOTE: 
https://gitlab.com/procps-ng/procps/commit/b45c4803dd176f4e3f9d3d47421ddec9bbbe66cd CVE-2018-1121 [Unprivileged process hiding] RESERVED - linux (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 + NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt CVE-2018-1120 [FUSE-backed /proc/PID/cmdline] RESERVED - linux NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1 + NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt NOTE: Fixed by: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830 CVE-2018-1119 REJECTED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2671c701e95d6d52b1dd70c9acfa3c430e2408ee
[Git][security-tracker-team/security-tracker][master] add note dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b236a1d7 by Abhijith PA at 2018-05-22T19:45:52+05:30 add note dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -55,6 +55,7 @@ tomcat7 (Markus Koschany) wireshark (Thorsten Alteholz) -- xdg-utils (Abhijith PA) + NOTE: 20180522: Upstream patch doesn't apply cleanily in wheezy. -- xen (Emilio Pozuelo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b236a1d7e73962ff02e699bdbb03043097e0db92
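Review bot: typo in the added NOTE line, "cleanily" should be "cleanly". The note would also be more useful to the next person picking up xdg-utils if it named the upstream commit that was tried, since "Upstream patch" on its own does not say which fix is meant.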
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for packagekit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7131fd24 by Salvatore Bonaccorso at 2018-05-22T14:47:07+02:00 Reserve DSA number for packagekit - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[22 May 2018] DSA-4207-1 packagekit - security update + {CVE-2018-1106} + [stretch] - packagekit 1.1.5-2+deb9u1 [21 May 2018] DSA-4206-1 gitlab - security update {CVE-2017-0920 CVE-2018-8971} [stretch] - gitlab 8.13.11+dfsg1-8+deb9u2 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -53,9 +53,6 @@ openjdk-7/oldstable (jmm) -- openjpeg2 (luciano) -- -packagekit (carnil) - Matthias Klumpp (mak) uploaded package but needs release --- passenger/stable -- php5/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7131fd24dc3188f38543cc0b700122904767607b
[Git][security-tracker-team/security-tracker][master] Take packagekit from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bec7a37 by Salvatore Bonaccorso at 2018-05-22T14:19:07+02:00 Take packagekit from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -53,7 +53,7 @@ openjdk-7/oldstable (jmm) -- openjpeg2 (luciano) -- -packagekit +packagekit (carnil) Matthias Klumpp (mak) uploaded package but needs release -- passenger/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8bec7a3792f4af56ad07cbab67eb58848e601ad2
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d53ee67f by Salvatore Bonaccorso at 2018-05-22T13:14:05+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3,7 +3,7 @@ CVE-2018-11365 (sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 CVE-2018-11364 (sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in ...) - r-cran-haven (low) CVE-2018-11363 (jpeg_size in pdfgen.c in PDFGen before 2018-04-09 has a heap-based ...) - TODO: check + NOT-FOR-US: PDFGen CVE-2018-11362 RESERVED CVE-2018-11361 @@ -51,7 +51,7 @@ CVE-2018-11341 (Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1 CVE-2018-11340 (An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR ...) NOT-FOR-US: ASUSTOR CVE-2018-11339 (An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 ...) - TODO: check + NOT-FOR-US: Frappe ERPNext CVE-2018-11338 RESERVED CVE-2018-11337 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d53ee67f947b8211cfc5751bc71a4de5bd2b78d3
[Git][security-tracker-team/security-tracker][master] new r-cran-haven issues (via embedded ReadStat copy)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6aa0af90 by Moritz Muehlenhoff at 2018-05-22T11:18:48+02:00 new r-cran-haven issues (via embedded ReadStat copy) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,7 @@ CVE-2018-11365 (sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an ...) - TODO: check + - r-cran-haven (low) CVE-2018-11364 (sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in ...) - TODO: check + - r-cran-haven (low) CVE-2018-11363 (jpeg_size in pdfgen.c in PDFGen before 2018-04-09 has a heap-based ...) TODO: check CVE-2018-11362 @@ -15333,7 +15333,7 @@ CVE-2018-5699 CVE-2017-18031 RESERVED CVE-2018-5698 (libreadstat.a in WizardMac ReadStat 0.1.1 has a heap-based buffer ...) - NOT-FOR-US: WizardMac ReadStat + - r-cran-haven CVE-2018-5697 (Icy Phoenix 2.2.0.105 allows SQL injection via an unapprove request to ...) NOT-FOR-US: Icy Phoenix CVE-2018-5696 (The iJoomla com_adagency plugin 6.0.9 for Joomla! allows SQL injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6aa0af9028c79f9ee1e95d223fe301b34d952a3a
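Review bot: the severity tagging is inconsistent between the two hunks: CVE-2018-11365 and CVE-2018-11364 become "- r-cran-haven (low)" while CVE-2018-5698, which is the same kind of ReadStat heap overflow reached through the same embedded copy, becomes "- r-cran-haven" with no severity. If the same reasoning applies, tag the third entry "(low)" too. The fact that r-cran-haven embeds ReadStat currently lives only in the commit message; a NOTE line on one of these entries would keep that rationale visible in data/CVE/list, where the next triager will look for it.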
[Git][security-tracker-team/security-tracker][master] Adjust source package name to amd64-microcode
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a383973 by Salvatore Bonaccorso at 2018-05-22T11:00:28+02:00 Adjust source package name to amd64-microcode - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20572,14 +20572,14 @@ CVE-2018-3641 (Escalation of privilege in all versions of the Intel Remote Keybo CVE-2018-3640 [Spectre V3a] RESERVED - intel-microcode - - amd-microcode + - amd64-microcode NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability NOTE: No software mitigations planned to be implemented in src:linux NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html CVE-2018-3639 [Speculative Store Bypass] RESERVED - intel-microcode - - amd-microcode + - amd64-microcode - linux - xen NOTE: https://xenbits.xen.org/xsa/advisory-263.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a3839737050d5d6887e61319deb68c990ec0fba
[Git][security-tracker-team/security-tracker][master] dsa-needed list: Update thunderbird entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f1d2bcf by Salvatore Bonaccorso at 2018-05-22T10:59:28+02:00 dsa-needed list: Update thunderbird entry - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -81,7 +81,7 @@ ruby2.3/stable -- sssd/stable -- -thunderbird +thunderbird (jmm) -- tomcat7/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f1d2bcfeeaf85fe6539b4c2b64141ec53ad395b
[Git][security-tracker-team/security-tracker][master] Add microcode packages for tracking to spectre v3a and v4
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fbab80ac by Moritz Muehlenhoff at 2018-05-22T10:49:05+02:00 Add microcode packages for tracking to spectre v3a and v4 v3a will entirely be fixed by microcode changes and the fix for v4 will equally require updated microcode. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20571,14 +20571,20 @@ CVE-2018-3641 (Escalation of privilege in all versions of the Intel Remote Keybo NOT-FOR-US: Intel CVE-2018-3640 [Spectre V3a] RESERVED + - intel-microcode + - amd-microcode NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability NOTE: No software mitigations planned to be implemented in src:linux + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html CVE-2018-3639 [Speculative Store Bypass] RESERVED + - intel-microcode + - amd-microcode - linux - xen NOTE: https://xenbits.xen.org/xsa/advisory-263.html NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528 + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html CVE-2018-3638 (Escalation of privilege in all versions of the Intel Remote Keyboard ...) NOT-FOR-US: Intel CVE-2018-3637 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbab80ac365471ea37b9b48642c04d1ffcf93696
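Review bot: "+ - amd-microcode" in both hunks is not a Debian source package name; the AMD microcode source package is amd64-microcode, which is what the follow-up commit 0a383973 on this list changes it to. The tracker resolves these lines against source package names, so as added the entry would not attach to any package and the affected/fixed state for AMD would not be tracked until the rename. Worth checking the name against the archive before committing package lines for CVEs of this visibility.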
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4bbb4ce by Salvatore Bonaccorso at 2018-05-22T10:26:22+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37,19 +37,19 @@ CVE-2018-11348 CVE-2018-11347 RESERVED CVE-2018-11346 (An insecure direct object reference vulnerability in download.cgi in ...) - TODO: check + NOT-FOR-US: ASUSTOR CVE-2018-11345 (An unrestricted file upload vulnerability in upload.cgi in ASUSTOR ...) - TODO: check + NOT-FOR-US: ASUSTOR CVE-2018-11344 (A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM ...) - TODO: check + NOT-FOR-US: ASUSTOR CVE-2018-11343 (A persistent cross site scripting vulnerability in playlistmanger.cgi ...) - TODO: check + NOT-FOR-US: ASUSTOR CVE-2018-11342 (A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ...) - TODO: check + NOT-FOR-US: ASUSTOR CVE-2018-11341 (Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 ...) - TODO: check + NOT-FOR-US: ASUSTOR CVE-2018-11340 (An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR ...) - TODO: check + NOT-FOR-US: ASUSTOR CVE-2018-11339 (An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 ...) TODO: check CVE-2018-11338 @@ -67,9 +67,9 @@ CVE-2018-11333 CVE-2018-11332 RESERVED CVE-2018-11331 (An issue was discovered in Pluck before 4.7.6. Remote PHP code ...) - TODO: check + NOT-FOR-US: Pluck CMS CVE-2018-11330 (An issue was discovered in Pluck before 4.7.6. There is authenticated ...) - TODO: check + NOT-FOR-US: Pluck CMS CVE-2018-11329 (The DrugDealer function of a smart contract implementation for Ether ...) TODO: check CVE-2018-11328 
@@ -8906,7 +8906,7 @@ CVE-2018-7689 CVE-2018-7688 RESERVED CVE-2018-7687 (The Micro Focus Client for OES before version 2 SP4 IR8a has a ...) - TODO: check + NOT-FOR-US: Micro Focus Client for OES CVE-2018-7686 RESERVED CVE-2018-7685 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4bbb4cec8f32d876ba8ca8ebcdb881ce0a536a9
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b477b51 by security tracker role at 2018-05-22T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,5 +1,77 @@ -CVE-2018-11329 +CVE-2018-11365 (sas/readstat_sas7bcat_read.c in libreadstat.a in ReadStat 0.1.1 has an ...) + TODO: check +CVE-2018-11364 (sav_parse_machine_integer_info_record in spss/readstat_sav_read.c in ...) + TODO: check +CVE-2018-11363 (jpeg_size in pdfgen.c in PDFGen before 2018-04-09 has a heap-based ...) + TODO: check +CVE-2018-11362 + RESERVED +CVE-2018-11361 + RESERVED +CVE-2018-11360 + RESERVED +CVE-2018-11359 + RESERVED +CVE-2018-11358 + RESERVED +CVE-2018-11357 + RESERVED +CVE-2018-11356 + RESERVED +CVE-2018-11355 + RESERVED +CVE-2018-11354 + RESERVED +CVE-2018-11353 + RESERVED +CVE-2018-11352 + RESERVED +CVE-2018-11351 + RESERVED +CVE-2018-11350 + RESERVED +CVE-2018-11349 + RESERVED +CVE-2018-11348 + RESERVED +CVE-2018-11347 + RESERVED +CVE-2018-11346 (An insecure direct object reference vulnerability in download.cgi in ...) + TODO: check +CVE-2018-11345 (An unrestricted file upload vulnerability in upload.cgi in ASUSTOR ...) + TODO: check +CVE-2018-11344 (A path traversal vulnerability in download.cgi in ASUSTOR AS6202T ADM ...) + TODO: check +CVE-2018-11343 (A persistent cross site scripting vulnerability in playlistmanger.cgi ...) + TODO: check +CVE-2018-11342 (A path traversal vulnerability in fileExplorer.cgi in ASUSTOR AS6202T ...) + TODO: check +CVE-2018-11341 (Directory traversal in importuser.cgi in ASUSTOR AS6202T ADM 3.1.0.RFQ3 ...) + TODO: check +CVE-2018-11340 (An unrestricted file upload vulnerability in importuser.cgi in ASUSTOR ...) + TODO: check +CVE-2018-11339 (An XSS issue was discovered in Frappe ERPNext v11.x.x-develop b1036e5 ...) + TODO: check +CVE-2018-11338 + RESERVED +CVE-2018-11337 + RESERVED +CVE-2018-11336 + RESERVED +CVE-2018-11335 + RESERVED +CVE-2018-11334 + RESERVED +CVE-2018-11333 RESERVED +CVE-2018-11332 + RESERVED +CVE-2018-11331 (An issue was discovered in Pluck before 4.7.6. Remote PHP code ...) + TODO: check +CVE-2018-11330 (An issue was discovered in Pluck before 4.7.6. 
There is authenticated ...) + TODO: check +CVE-2018-11329 (The DrugDealer function of a smart contract implementation for Ether ...) + TODO: check CVE-2018-11328 RESERVED CVE-2018-11327 @@ -7981,15 +8053,13 @@ CVE-2018-8014 (The defaults settings for the CORS filter provided in Apache Tomc NOTE: for their einvironment rather than using it in the default configuration CVE-2018-8013 RESERVED -CVE-2018-8012 [Quorum Peer mutual authentication] - RESERVED +CVE-2018-8012 (No authentication/authorization is enforced when a server attempts to ...) - zookeeper 3.4.10-2 NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-1045 NOTE: http://www.openwall.com/lists/oss-security/2018/05/21/6 CVE-2018-8011 RESERVED -CVE-2018-8010 [XXE vulnerability due to Apache Solr configset upload] - RESERVED +CVE-2018-8010 (This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 ...) - lucene-solr (Do not allow to upload configsets via the API) NOTE: Versions 5.x and earlier are not affected by the vulnerability, since NOTE: those versions do not allow to upload configsets via the API. @@ -8835,8 +8905,8 @@ CVE-2018-7689 RESERVED CVE-2018-7688 RESERVED -CVE-2018-7687 - RESERVED +CVE-2018-7687 (The Micro Focus Client for OES before version 2 SP4 IR8a has a ...) + TODO: check CVE-2018-7686 RESERVED CVE-2018-7685 @@ -27889,8 +27959,7 @@ CVE-2018-1109 NOTE: https://snyk.io/vuln/npm:braces:20180219 NOTE: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451 NOTE: nodejs not covered by security support -CVE-2018-1108 [random: fix crng_ready() test] - RESERVED +CVE-2018-1108 (kernel drivers before version 4.17-rc1 are vulnerable to a weakness in ...) - linux 4.16.5-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) 
@@ -75850,8 +75919,7 @@ CVE-2017-2609 CVE-2017-2608 (Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ -CVE-2017-2607 - RESERVED +CVE-2017-2607 (jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE