[Git][security-tracker-team/security-tracker][master] Add CVE-2018-10910/bluez
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 172c5dc4 by Salvatore Bonaccorso at 2018-07-23T08:29:27+02:00 Add CVE-2018-10910/bluez - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8982,8 +8982,14 @@ CVE-2018-10912 RESERVED CVE-2018-10911 RESERVED -CVE-2018-10910 - RESERVED +CVE-2018-10910 [ailure in disabling Bluetooth discoverability in certain cases may lead to the unauthorized pairing of Bluetooth devices] + RESERVED + - bluez + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1606203 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1602985 + NOTE: Bug in src:bluez itself and would need fixing there, but it is workaroundable in + NOTE: gnome-bluetooth: https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89 + TODO: check, might not be a problem with Gnome <= 3.26, i.e. no-dsa for those suites CVE-2018-10909 RESERVED CVE-2018-10908 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/172c5dc499805c722084bd209c894634ff7b4fb8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/172c5dc499805c722084bd209c894634ff7b4fb8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
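Review bot: the added description line "+CVE-2018-10910 [ailure in disabling Bluetooth discoverability in certain cases ...]" has lost its first letter and should read "[Failure in disabling Bluetooth discoverability ...]"; this bracketed text is the tracker's own placeholder until the official CVE description is published, so it should be fixed here rather than waiting for the automatic update to overwrite it. The rest of the entry is in good shape: bluez is listed without a fixed version, the two Red Hat bugs and the gnome-bluetooth workaround commit are recorded as NOTEs, and the open question about GNOME <= 3.26 stays a TODO so that no no-dsa decision for the stable suites is taken before it has been checked.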
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aac3a92 by Salvatore Bonaccorso at 2018-07-23T07:08:13+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -13,9 +13,9 @@ CVE-2018-14503 CVE-2018-14502 RESERVED CVE-2018-14501 (manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as ...) - TODO: check + NOT-FOR-US: joyplus-cms CVE-2018-14500 (joyplus-cms 1.6.0 has XSS via the ...) - TODO: check + NOT-FOR-US: joyplus-cms CVE-2018-1999023 [arbitrary code execution/sandbox escape] - wesnoth-1.14 - wesnoth-1.12 @@ -41,7 +41,7 @@ CVE-2018-14494 CVE-2018-14493 RESERVED CVE-2018-14492 (Tenda AC7 through V15.03.06.44_CN, AC9 through V15.03.05.19(6318)_CN, ...) - TODO: check + NOT-FOR-US: Tenda devices CVE-2018- [CIVI-SA-2018-07: Remote code execution in QuickForm] - civicrm 5.3.1+dfsg-1 (bug #904215) NOTE: https://civicrm.org/advisory/civi-sa-2018-07-remote-code-execution-in-quickform View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aac3a92191d8ea446a06e6a616fb7781debc99a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aac3a92191d8ea446a06e6a616fb7781debc99a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-12227/asterisk via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 967131d4 by Salvatore Bonaccorso at 2018-07-23T06:20:32+02:00 Add fixed version for CVE-2018-12227/asterisk via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5629,7 +5629,7 @@ CVE-2018-12228 (An issue was discovered in Asterisk Open Source 15.x before 15.4 NOTE: http://downloads.asterisk.org/pub/security/AST-2018-007.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27807 CVE-2018-12227 (An issue was discovered in Asterisk Open Source 13.x before 13.21.1, ...) - - asterisk (bug #902954) + - asterisk 1:13.22.0~dfsg-1 (bug #902954) [jessie] - asterisk (vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2018-008.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27818 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/967131d4fb1d4fedb0ea3f7c8a77f9c88821937e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/967131d4fb1d4fedb0ea3f7c8a77f9c88821937e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
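Review bot: after this change the entry has a fixed version for unstable (asterisk 1:13.22.0~dfsg-1) and a "vulnerable code not present" annotation for jessie, but no [stretch] line at all, so the tracker will keep reporting stretch as affected until a DSA is issued or a [stretch] triage line is added; if a stretch update is planned that is fine, otherwise the suite needs an explicit annotation. Keeping the bug reference (#902954) on the same line as the fixed version is correct.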
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2017-16667/backintime
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20bce205 by Salvatore Bonaccorso at 2018-07-23T06:19:23+02:00 Add fixed version for CVE-2017-16667/backintime - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -41135,7 +41135,7 @@ CVE-2017-16664 (Code injection exists in Kernel/System/Spelling.pm in Open Ticke NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/4c36932d0c42343f21246a107e17a2ebbd9c2c7d NOTE: OTRS 3.3: https://github.com/OTRS/otrs/commit/2e58a4bbd99b2477d72c3b2d9fef009537ab19ce CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper ...) - - backintime (bug #881205) + - backintime 1.1.24-0.1 (bug #881205) [stretch] - backintime (Minor issue) [jessie] - backintime (Minor issue) [wheezy] - backintime (Vulnerable code does not exist) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20bce205dc468383a51d5f82dbe0d7cd5634e7b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20bce205dc468383a51d5f82dbe0d7cd5634e7b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
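Review bot: the fixed version 1.1.24-0.1 agrees with the CVE text ("before 1.1.24"), and the suite lines are coherent: stretch and jessie are rated Minor issue and wheezy is marked as not containing the vulnerable code. The one thing to confirm is that the 1.1.24-0.1 upload really closes #881205, since the bug reference is kept next to the fixed version and the tracker will treat the bug as resolved by it.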
[Git][security-tracker-team/security-tracker][master] Revert "Triage CVE-2018-10893 (spice-gtk) for wheezy too." which needs to be…
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b55e818 by Salvatore Bonaccorso at 2018-07-23T06:13:51+02:00 Revert "Triage CVE-2018-10893 (spice-gtk) for wheezy too." which needs to be tracked in ELTS tracker This reverts commit 42857e5c64d8cc77752d3c0a19f170770abc9f2c. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9041,7 +9041,6 @@ CVE-2018-10893 [Insufficient encoding checks for LZ can cause different integer/ - spice-gtk (bug #904161) [stretch] - spice-gtk (Minor issue) [jessie] - spice-gtk (Minor issue) - [wheezy] - spice-gtk (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598234 NOTE: Ongoing patch review: https://lists.freedesktop.org/archives/spice-devel/2018-July/044489.html CVE-2018-10892 (The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b55e818a7b6e3bfb6da84851c13f844303be3ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b55e818a7b6e3bfb6da84851c13f844303be3ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
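Review bot: dropping the "[wheezy] - spice-gtk (Minor issue)" line is the right call given the rule stated in the commit message that wheezy triage belongs in the ELTS tracker rather than in data/CVE/list; the stretch and jessie "Minor issue" lines are left untouched. The same pattern (a [wheezy] line added to this file) shows up in the mruby commit 4d5c6999 in this batch, which was likewise corrected, so it is worth checking the other recent triage commits for stray wheezy lines.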
[Git][security-tracker-team/security-tracker][master] Triage CVE-2018-10893 (spice-gtk) for wheezy too.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 42857e5c by Chris Lamb at 2018-07-23T11:22:49+08:00 Triage CVE-2018-10893 (spice-gtk) for wheezy too. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9041,6 +9041,7 @@ CVE-2018-10893 [Insufficient encoding checks for LZ can cause different integer/ - spice-gtk (bug #904161) [stretch] - spice-gtk (Minor issue) [jessie] - spice-gtk (Minor issue) + [wheezy] - spice-gtk (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598234 NOTE: Ongoing patch review: https://lists.freedesktop.org/archives/spice-devel/2018-July/044489.html CVE-2018-10892 (The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42857e5c64d8cc77752d3c0a19f170770abc9f2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/42857e5c64d8cc77752d3c0a19f170770abc9f2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
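Review bot: the new "[wheezy] - spice-gtk (Minor issue)" line should not be added to data/CVE/list; wheezy is under ELTS and, as the follow-up revert (4b55e818) says, needs to be tracked in the ELTS tracker instead. Drop the line here and record the triage there.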
[Git][security-tracker-team/security-tracker][master] Triage CVE-2018-10893 (spice-gtk) for jessie.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0306f6c0 by Chris Lamb at 2018-07-23T11:17:07+08:00 Triage CVE-2018-10893 (spice-gtk) for jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -9040,6 +9040,7 @@ CVE-2018-10893 [Insufficient encoding checks for LZ can cause different integer/ RESERVED - spice-gtk (bug #904161) [stretch] - spice-gtk (Minor issue) + [jessie] - spice-gtk (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598234 NOTE: Ongoing patch review: https://lists.freedesktop.org/archives/spice-devel/2018-July/044489.html CVE-2018-10892 (The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0306f6c0e009a95e9c4bf4fd00b955e50eb50a76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0306f6c0e009a95e9c4bf4fd00b955e50eb50a76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
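Review bot: marking jessie as "Minor issue" while the second NOTE says the upstream patch is still under review is defensible, since there is nothing to backport yet, but the bare annotation reads like a final no-dsa decision; a short reason in the parenthesis, e.g. "(Minor issue; revisit once the upstream patch lands)", would make it clear that the entry is expected to be revisited when the spice-devel review concludes.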
[Git][security-tracker-team/security-tracker][master] 2 commits: Correct distribution name from previous commit.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 676b71d7 by Chris Lamb at 2018-07-23T11:16:00+08:00 Correct distribution name from previous commit. - - - - - 4c256355 by Chris Lamb at 2018-07-23T11:16:12+08:00 Triage CVE-2017-14989, CVE-2017-12597, CVE-2017-9116, CVE-2017-9115, CVE-2017-9114, CVE-2017-9113, CVE-2017-9112, CVE-2017-9111 & CVE-2017-9110 (openexr) for jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -521,7 +521,7 @@ CVE-2018-14338 (samples/geotag.cpp in the example code of Exiv2 0.26 misuses the CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 ...) - mruby (bug #903985) [stretch] - mruby (Minor issue) - [wheezy] - mruby (Minor issue) + [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/4062 NOTE: https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b NOTE: https://github.com/mruby/mruby/commit/adb1eae912659d680a9c5b7832e22cf73d36a69a @@ -46323,6 +46323,7 @@ CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in . CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...) - openexr (bug #878551) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) [wheezy] - openexr (Should be fixed along in future update) NOTE: https://github.com/openexr/openexr/issues/248 CVE-2017-14987 @@ -53675,6 +53676,7 @@ CVE-2017-12597 (OpenCV (Open Source Computer Vision Library) through 3.3 has an CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...) - openexr 2.2.0-11.1 (bug #877352) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) [wheezy] - openexr 1.6.1-6+deb7u1 NOTE: https://github.com/openexr/openexr/issues/238 NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c 
@@ -64078,23 +64080,27 @@ CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress fun {DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function ...) - openexr (bug #873885) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ...) - openexr (bug #873885) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9113 (In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels ...) - openexr (bug #873885) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 @@ -64102,11 +64108,13 @@ CVE-2017-9112 (In OpenEXR 2.2.0, an invalid read of size 1 in the getBits functi {DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9111 (In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function ...) - openexr (bug #873885) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 
@@ -64114,6 +64122,7 @@ CVE-2017-9110 (In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode func {DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [stretch] - openexr (Minor issue) + [jessie] - openexr (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9109 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker
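Review bot: two points on this batch. The mruby hunk replaces "[wheezy]" with "[jessie]", which is the correct fix for commit 4d5c6999 (the triage was meant for jessie, and wheezy lines do not belong in this file). In the openexr hunks, the new "[jessie] - openexr (Minor issue)" for CVE-2017-12596 sits directly above a wheezy line showing the issue was fixed there (openexr 1.6.1-6+deb7u1); if jessie really only needs a no-dsa treatment, a reason such as the one already used for CVE-2017-14988 ("Should be fixed along in future update") would make the different handling of the two suites explicit. The entries that already carry {DLA-1083-1} (CVE-2017-9116, CVE-2017-9112, CVE-2017-9110) have no wheezy line, so the added jessie annotation is the only open suite there.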
[Git][security-tracker-team/security-tracker][master] Triage CVE-2018-14337 (mruby) for jessie.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d5c6999 by Chris Lamb at 2018-07-23T11:10:39+08:00 Triage CVE-2018-14337 (mruby) for jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -521,6 +521,7 @@ CVE-2018-14338 (samples/geotag.cpp in the example code of Exiv2 0.26 misuses the CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 ...) - mruby (bug #903985) [stretch] - mruby (Minor issue) + [wheezy] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/4062 NOTE: https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b NOTE: https://github.com/mruby/mruby/commit/adb1eae912659d680a9c5b7832e22cf73d36a69a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d5c6999ff623547557ec39bdd61089c1b17b383 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4d5c6999ff623547557ec39bdd61089c1b17b383 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
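Review bot: the added line reads "[wheezy] - mruby (Minor issue)" but the commit message says the triage is for jessie, so the suite tag is wrong and should be "[jessie] - mruby (Minor issue)" (corrected in the next commit, 676b71d7). Independently of that, wheezy annotations no longer belong in data/CVE/list now that wheezy is tracked in the ELTS tracker.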
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f1223a19 by security tracker role at 2018-07-22T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,10 +1,28 @@ +CVE-2018-14509 + RESERVED +CVE-2018-14508 + RESERVED +CVE-2018-14507 + RESERVED +CVE-2018-14506 + RESERVED +CVE-2018-14504 + RESERVED +CVE-2018-14503 + RESERVED +CVE-2018-14502 + RESERVED +CVE-2018-14501 (manager/admin_ajax.php in joyplus-cms 1.6.0 has SQL Injection, as ...) + TODO: check +CVE-2018-14500 (joyplus-cms 1.6.0 has XSS via the ...) + TODO: check CVE-2018-1999023 [arbitrary code execution/sandbox escape] - wesnoth-1.14 - wesnoth-1.12 - wesnoth-1.10 NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 NOTE: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318 (1.14.x) -CVE-2018-14505 [allowing DNS rebinding attacks] +CVE-2018-14505 (mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to ...) - mitmproxy (bug #904293) NOTE: https://github.com/mitmproxy/mitmproxy/issues/3234 NOTE: https://github.com/mitmproxy/mitmproxy/pull/3243 @@ -1049,7 +1067,6 @@ CVE-2018-14073 (libsixel 1.8.1 has a memory leak in sixel_allocator_new in alloc [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/67#issuecomment-404989926 NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27 - CVE-2018-14072 (libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, ...) - libsixel (low; bug #903858) [stretch] - libsixel (Minor issue) 
@@ -24870,13 +24887,13 @@ CVE-2018-5271 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver fil CVE-2018-5270 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file ...) NOT-FOR-US: Malwarebytes Premium CVE-2018-5269 (In OpenCV 3.3.1, an assertion failure happens in ...) - {DLA-1354-1} + {DLA-1438-1 DLA-1354-1} - opencv (bug #886675) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/10540 NOTE: 2.4 backport: https://patch-diff.githubusercontent.com/raw/opencv/opencv/pull/10901.patch CVE-2018-5268 (In OpenCV 3.3.1, a heap-based buffer overflow happens in ...) - {DLA-1354-1} + {DLA-1438-1 DLA-1354-1} - opencv (bug #886674) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/10541 @@ -28380,7 +28397,7 @@ CVE-2017-1000452 (An XML Signature Wrapping vulnerability exists in Samlify 2.2. CVE-2017-1000451 (fs-git is a file system like api for git repository. The fs-git ...) NOT-FOR-US: fs-git CVE-2017-1000450 (In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and ...) - {DLA-1235-1} + {DLA-1438-1 DLA-1235-1} - opencv (bug #886282) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9723 @@ -29857,7 +29874,7 @@ CVE-2017-17787 (In GIMP 2.8.22, there is a heap-based buffer over-read in ...) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790853 NOTE: Crash in desktop tool, no/negligable security impact CVE-2017-17760 (OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData ...) - {DLA-1235-1} + {DLA-1438-1 DLA-1235-1} - opencv (bug #885843) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/10351 
@@ -52783,17 +52800,17 @@ CVE-2017-12865 (Stack-based buffer overflow in "dnsproxy.c" in connman - connman 1.35-1 (bug #872844) NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71 (1.35) CVE-2017-12864 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ReadNumber did ...) - {DLA-1117-1} + {DLA-1438-1 DLA-1117-1} - opencv (bug #875345) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9372 CVE-2017-12863 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ...) - {DLA-1117-1} + {DLA-1438-1 DLA-1117-1} - opencv (bug #875344) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9371 CVE-2017-12862 (In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer ...) - {DLA-1117-1} + {DLA-1438-1 DLA-1117-1} - opencv (bug #875342) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9370 @@ -53603,22 +53620,22 @@ CVE-2017-12607 (A vulnerability in OpenOffice's PPT file parser before 4.1.4, a
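Review bot: besides the routine RESERVED and TODO additions, two things in this automatic update deserve a human glance. The hunk around CVE-2018-14073 removes the stray empty line that commit 8469ec59 had introduced after the libsixel NOTE, restoring the file's one-entry-after-another layout. The opencv hunks prepend DLA-1438-1 to the existing DLA references ({DLA-1438-1 DLA-1354-1}, {DLA-1438-1 DLA-1235-1}, {DLA-1438-1 DLA-1117-1}) for CVE-2018-5269, CVE-2018-5268, CVE-2017-1000450, CVE-2017-17760 and CVE-2017-12862/12863/12864, which matches the CVE set listed for DLA-1438-1 in data/DLA/list; the final hunk header (@@ -53603 ...) has no body in this message, so that part cannot be reviewed here. The CVE-2018-14505 placeholder "[allowing DNS rebinding attacks]" is replaced by the published description, which is the expected lifecycle for bracketed descriptions.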
[Git][security-tracker-team/security-tracker][master] Claim openssl in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 686a10d4 by Markus Koschany at 2018-07-22T21:48:12+02:00 Claim openssl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -106,6 +106,8 @@ openjdk-7 (Emilio Pozuelo) openjpeg2 NOTE: 20180719: there is no patch available for the remaining CVEs -- +openssl (Markus Koschany) +-- phpldapadmin (Mike Gabriel) -- policykit-1 (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/686a10d4ae35035cdc5ab6196768451204414071 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/686a10d4ae35035cdc5ab6196768451204414071 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-14505
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb1b2997 by Salvatore Bonaccorso at 2018-07-22T21:38:26+02:00 Add bug reference for CVE-2018-14505 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5,7 +5,7 @@ CVE-2018-1999023 [arbitrary code execution/sandbox escape] NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 NOTE: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318 (1.14.x) CVE-2018-14505 [allowing DNS rebinding attacks] - - mitmproxy + - mitmproxy (bug #904293) NOTE: https://github.com/mitmproxy/mitmproxy/issues/3234 NOTE: https://github.com/mitmproxy/mitmproxy/pull/3243 CVE-2018-14499 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb1b29974cda8bbea7d214510a244d1d54d1ec5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb1b29974cda8bbea7d214510a244d1d54d1ec5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove TODO item for CVE-2018-1999023, clarified
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b0c7110 by Salvatore Bonaccorso at 2018-07-22T21:22:26+02:00 Remove TODO item for CVE-2018-1999023, clarified - - - - - e7660b45 by Salvatore Bonaccorso at 2018-07-22T21:25:01+02:00 Add CVE-2018-14505/mitmproxy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4,7 +4,10 @@ CVE-2018-1999023 [arbitrary code execution/sandbox escape] - wesnoth-1.10 NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 NOTE: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318 (1.14.x) - TODO: check +CVE-2018-14505 [allowing DNS rebinding attacks] + - mitmproxy + NOTE: https://github.com/mitmproxy/mitmproxy/issues/3234 + NOTE: https://github.com/mitmproxy/mitmproxy/pull/3243 CVE-2018-14499 RESERVED CVE-2018-14498 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d7fee7628841a3927ce25ad2a1607fe22a488663...e7660b451bf8a3ece07f9cc605f096dce6e71a3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d7fee7628841a3927ce25ad2a1607fe22a488663...e7660b451bf8a3ece07f9cc605f096dce6e71a3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
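Review bot: the new CVE-2018-14505 entry lists mitmproxy without a fixed version and with a bracketed placeholder description, which is the right shape while the CVE text is unpublished, and it records both the upstream issue and the pull request. The package line is missing a Debian bug reference (added in the following commit, cb1b2997); the TODO removed from the wesnoth entry is the one the commit message says was clarified, and the NOTEs there are kept.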
[Git][security-tracker-team/security-tracker][master] Add commit reference for CVE-2018-1999023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d7fee762 by Salvatore Bonaccorso at 2018-07-22T20:59:31+02:00 Add commit reference for CVE-2018-1999023 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3,6 +3,7 @@ CVE-2018-1999023 [arbitrary code execution/sandbox escape] - wesnoth-1.12 - wesnoth-1.10 NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 + NOTE: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318 (1.14.x) TODO: check CVE-2018-14499 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d7fee7628841a3927ce25ad2a1607fe22a488663 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d7fee7628841a3927ce25ad2a1607fe22a488663 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
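Review bot: the referenced wesnoth commit is tagged "(1.14.x)" only, while the entry lists wesnoth-1.14, wesnoth-1.12 and wesnoth-1.10 as affected source packages; the 1.12 and 1.10 branches will need their own backported fix or a NOTE stating that the 1.14 commit applies to them as well, otherwise the "TODO: check" cannot be resolved for those two packages.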
[Git][security-tracker-team/security-tracker][master] Mark busybox TEMP issue as fixed in Wheezy.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e5ab8afc by Markus Koschany at 2018-07-22T19:59:31+02:00 Mark busybox TEMP issue as fixed in Wheezy. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -123458,7 +123458,7 @@ CVE-2015-7944 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti CVE-2015- [busybox: pointer misuse unziping files] - busybox 1:1.27.2-1 (bug #803097) [stretch] - busybox (Minor issue) - [wheezy] - busybox (Minor issue) + [wheezy] - busybox 1:1.20.0-7+deb7u1 [squeeze] - busybox 1:1.17.1-8+deb6u11 NOTE: workaround entry for DLA-337-1 until/if CVE assigned NOTE: CVE Request: http://www.openwall.com/lists/oss-security/2015/10/25/3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e5ab8afcff27f0a5897b4469862e2c26e427996f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e5ab8afcff27f0a5897b4469862e2c26e427996f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
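Review bot: the wheezy line changes from "(Minor issue)" to a fixed version, 1:1.20.0-7+deb7u1; since the NOTE says this is a workaround entry for DLA-337-1, that version should match the one recorded for DLA-337-1 in data/DLA/list, which is worth cross-checking before committing. The squeeze line and the "CVE-2015-" placeholder ID are untouched, and the stretch "Minor issue" annotation stays as it was.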
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1999023 to be checked
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc2c98dc by Salvatore Bonaccorso at 2018-07-22T17:43:59+02:00 Add CVE-2018-1999023 to be checked - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,9 @@ +CVE-2018-1999023 [arbitrary code execution/sandbox escape] + - wesnoth-1.14 + - wesnoth-1.12 + - wesnoth-1.10 + NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 + TODO: check CVE-2018-14499 RESERVED CVE-2018-14498 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc2c98dc507090ec74af7b58a7573e55514fb92b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bc2c98dc507090ec74af7b58a7573e55514fb92b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: Add and take network-manager-vpnc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f22ec648 by Salvatore Bonaccorso at 2018-07-22T13:54:34+02:00 Add and take network-manager-vpnc - - - - - b439e6e5 by Salvatore Bonaccorso at 2018-07-22T13:54:34+02:00 Remove CVE-2017-14136 reference Reason: the opencv update never contained the incomplete fix for CVE-2017-12597 alone in a released version. As such the jessie version as well never got affected by CVE-2017-14136. - - - - - 4cbd2f2f by Salvatore Bonaccorso at 2018-07-22T13:54:35+02:00 Add bug reference for CVE-2018-10900/network-manager-vpnc - - - - - 05cd9f24 by Salvatore Bonaccorso at 2018-07-22T13:54:36+02:00 Reference full commit for CVE-2018-10900 - - - - - 8469ec59 by Salvatore Bonaccorso at 2018-07-22T13:57:57+02:00 libsixel: Add upstream commit and reference to the backtrace comment Add back the specific reference to comment, which links directly to the backtrace in the upstream issue. In issue/67 two issues are handled. CVE-2018-14072 is for https://github.com/saitoha/libsixel/issues/67#issue-341198610 CVE-2018-14073 is for https://github.com/saitoha/libsixel/issues/67#issuecomment-404989926 Both are addressed by upstream in https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1038,11 +1038,13 @@ CVE-2018-14073 (libsixel 1.8.1 has a memory leak in sixel_allocator_new in alloc [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) NOTE: https://github.com/saitoha/libsixel/issues/67#issuecomment-404989926 + NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27 + CVE-2018-14072 (libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, ...) - libsixel (low; bug #903858) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) - NOTE: https://github.com/saitoha/libsixel/issues/67 + NOTE: https://github.com/saitoha/libsixel/issues/67#issue-341198610 NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27 CVE-2018-14071 (The Geo Mashup plugin before 1.10.4 for WordPress has insufficient ...) NOT-FOR-US: Geo Mashup plugin for WordPress @@ -8980,9 +8982,9 @@ CVE-2018-10901 RESERVED CVE-2018-10900 [local privilege escalation] RESERVED - - network-manager-vpnc + - network-manager-vpnc (bug #904255) NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/3 - NOTE: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4 + NOTE: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/07ac18a32b4e361a27ef48ac757d36cbb46e8e12 CVE-2018-10899 RESERVED CVE-2018-10898 = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list 
@@ -1,5 +1,5 @@ [22 Jul 2018] DLA-1438-1 opencv - security update - {CVE-2016-1516 CVE-2017-12597 CVE-2017-12598 CVE-2017-12599 CVE-2017-12601 CVE-2017-12603 CVE-2017-12604 CVE-2017-12605 CVE-2017-12606 CVE-2017-12862 CVE-2017-12863 CVE-2017-12864 CVE-2017-14136 CVE-2017-17760 CVE-2017-1000450 CVE-2018-5268 CVE-2018-5269} + {CVE-2016-1516 CVE-2017-12597 CVE-2017-12598 CVE-2017-12599 CVE-2017-12601 CVE-2017-12603 CVE-2017-12604 CVE-2017-12605 CVE-2017-12606 CVE-2017-12862 CVE-2017-12863 CVE-2017-12864 CVE-2017-17760 CVE-2017-1000450 CVE-2018-5268 CVE-2018-5269} [jessie] - opencv 2.4.9.1+dfsg-1+deb8u2 [21 Jul 2018] DLA-1437-1 slurm-llnl - security update {CVE-2018-7033 CVE-2018-10995} = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -60,6 +60,8 @@ mutt (carnil) We will wait first for upload to unstable, and watch for regression reports Non-urgent need for an update. -- +network-manager-vpnc (carnil) +-- openjdk-8 (jmm) -- openjfx View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b9e66bd209835758545ab8e8954b735292648c2d...8469ec5959e934d28e88d1fc86de4322986aab55
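Review bot: the bare `+` sitting between the new `NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27` line and the `CVE-2018-14072 (...)` context in the first data/CVE/list hunk (the one at `@@ -1038,11 +1038,13 @@`) appears to insert an empty line into data/CVE/list; the surrounding hunks show CVE entries directly adjacent with no blank separators, so drop that line unless it is deliberate. Restoring the `#issue-341198610` fragment on the CVE-2018-14072 NOTE is the right call: the commit message records that issue 67 carries two separate reports, and the fragment is what tells the two CVEs apart.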
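Review bot: dropping CVE-2017-14136 from the DLA-1438-1 set in the data/DLA/list hunk is justified by the commit message, but nothing in this push touches the CVE-2017-14136 entry in data/CVE/list; if the jessie opencv version was never affected because the incomplete fix for CVE-2017-12597 never shipped on its own, that entry should carry a jessie status saying so, with the same reasoning as a NOTE, so the tracker and the DLA text agree.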
[Git][security-tracker-team/security-tracker][master] CVE-2018-14072/libsixel
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: b9e66bd2 by Henri Salo at 2018-07-22T14:48:38+03:00 CVE-2018-14072/libsixel - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1042,7 +1042,8 @@ CVE-2018-14072 (libsixel 1.8.1 has a memory leak in sixel_decoder_decode in deco - libsixel (low; bug #903858) [stretch] - libsixel (Minor issue) [jessie] - libsixel (Minor issue) - NOTE: https://github.com/saitoha/libsixel/issues/67#issue-341198610 + NOTE: https://github.com/saitoha/libsixel/issues/67 + NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27 CVE-2018-14071 (The Geo Mashup plugin before 1.10.4 for WordPress has insufficient ...) NOT-FOR-US: Geo Mashup plugin for WordPress CVE-2018-14070 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b9e66bd209835758545ab8e8954b735292648c2d
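Review bot: removing the `#issue-341198610` fragment from the CVE-2018-14072 NOTE loses the pointer to the specific report inside issue 67, which (as the later libsixel commit in this digest records) covers two distinct CVEs; keep the existing anchored URL as it was and add `NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27` as a second line rather than replacing the first. The fix commit reference itself is a useful addition and should stay.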
[Git][security-tracker-team/security-tracker][master] claim vim-syntastic and resiprocate
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b22284ba by Thorsten Alteholz at 2018-07-22T12:48:26+02:00 claim vim-syntastic and resiprocate - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -112,7 +112,7 @@ policykit-1 (Abhijith PA) -- qemu (Santiago) -- -resiprocate +resiprocate (Thorsten Alteholz) -- ruby2.1 -- @@ -139,7 +139,7 @@ twitter-bootstrap -- twitter-bootstrap3 -- -vim-syntastic +vim-syntastic (Thorsten Alteholz) -- wine NOTE: Consider either fixing wine-development too or marking it as View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b22284badea9766ef33d54df6c63d80dedded06f
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1438-1 for opencv
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b1e6610f by Thorsten Alteholz at 2018-07-22T12:37:25+02:00 Reserve DLA-1438-1 for opencv - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[22 Jul 2018] DLA-1438-1 opencv - security update + {CVE-2016-1516 CVE-2017-12597 CVE-2017-12598 CVE-2017-12599 CVE-2017-12601 CVE-2017-12603 CVE-2017-12604 CVE-2017-12605 CVE-2017-12606 CVE-2017-12862 CVE-2017-12863 CVE-2017-12864 CVE-2017-14136 CVE-2017-17760 CVE-2017-1000450 CVE-2018-5268 CVE-2018-5269} + [jessie] - opencv 2.4.9.1+dfsg-1+deb8u2 [21 Jul 2018] DLA-1437-1 slurm-llnl - security update {CVE-2018-7033 CVE-2018-10995} [jessie] - slurm-llnl 14.03.9-5+deb8u3 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -101,8 +101,6 @@ network-manager-vpnc (Mike Gabriel) NOTE: 20180720: Should IMHO be bundled with NOTE: 20180720: https://gitlab.gnome.org/GNOME/NetworkManager-vpnc/commit/796628f56ab616371156464f4973c8368b388337 -- -opencv (Thorsten Alteholz) --- openjdk-7 (Emilio Pozuelo) -- openjpeg2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1e6610fe616573d8bda86048d79fa5dceb91969
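Review bot: the CVE set reserved for DLA-1438-1 in the data/DLA/list hunk includes CVE-2017-14136; before the advisory text goes out, confirm that the jessie opencv 2.4.9.1+dfsg-1+deb8u2 upload actually contains affected code for it. A later push in this digest removes that CVE from the same entry on the grounds that the incomplete fix for CVE-2017-12597 was never released on its own in jessie, so the reservation and the CVE list should be reconciled before the DLA is sent.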
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b48f0348 by security tracker role at 2018-07-22T08:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -40814,6 +40814,7 @@ CVE-2017-16792 (Stored cross-site scripting (XSS) vulnerability in "geminab CVE-2017-16791 RESERVED CVE-2017-16790 [Ensure that submitted data are uploaded files] + RESERVED - symfony 3.4.0+dfsg-1 NOTE: https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files NOTE: https://github.com/symfony/symfony/pull/24993 @@ -41126,10 +41127,12 @@ CVE-2017-16656 CVE-2017-16655 RESERVED CVE-2017-16654 [Intl bundle readers breaking out of paths] + RESERVED - symfony 3.4.0+dfsg-1 NOTE: https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths NOTE: https://github.com/symfony/symfony/pull/24994 CVE-2017-16653 [CSRF protection does not use different tokens for HTTP and HTTPS] + RESERVED - symfony 3.4.0+dfsg-1 NOTE: https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https NOTE: https://github.com/symfony/symfony/pull/24992 
@@ -57169,6 +57172,7 @@ CVE-2017-11367 (The shoco_decompress function in the API in shoco through 2017-0 CVE-2017-11366 (components/filemanager/class.filemanager.php in Codiad before 2.8.4 is ...) NOT-FOR-US: Codiad CVE-2017-11365 [Empty passwords validation issue] + RESERVED - symfony (introduced in versions that were never packaged in Debian) NOTE: https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue CVE-2017-11364 (The CMS installer in Joomla! before 3.7.4 does not verify a user's ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b48f03488ae2aa8db91078e8fd776e9d015e4b55
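Review bot: in the last data/CVE/list hunk the context line `- symfony (introduced in versions that were never packaged in Debian)` carries neither a fixed version nor a status tag, so it reads as an open, unfixed symfony entry even though the parenthesised note says Debian never shipped the vulnerable code; consider changing it to `- symfony <not-affected> (introduced in versions that were never packaged in Debian)` so the tracker's status matches the note. The `+ RESERVED` lines added by the automatic sync under the four symfony entries are fine to keep alongside the bracketed Debian-side descriptions.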