[Git][security-tracker-team/security-tracker][master] Add reference to upstream commit for CVE-2016-2037/cpio
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d8d213c by Salvatore Bonaccorso at 2018-07-29T06:38:45Z Add reference to upstream commit for CVE-2016-2037/cpio - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -116185,6 +116185,7 @@ CVE-2016-2037 (The cpio_safer_name_suffix function in util.c in cpio 2.11 allows NOTE: http://www.openwall.com/lists/oss-security/2016/01/19/4 NOTE: To reproduce and uncover the issue with unstable version compile with ASAN NOTE: Patch: https://lists.gnu.org/archive/html/bug-cpio/2016-01/msg5.html + NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b CVE-2016-2050 (The get_abbrev_array_info function in libdwarf-20151114 allows remote ...) {DLA-669-1} - dwarfutils 20160507+git20160523.9086738-1 (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d8d213c6ce1416daca4dfd0e96ad81693447959 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8d8d213c6ce1416daca4dfd0e96ad81693447959 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
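Review bot: the added NOTE line gives the cpio.git commit URL without saying what it is, while the line just above labels the mailing-list reference as "NOTE: Patch:"; tagging the commit the same way (for example "NOTE: Fixed by: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=d36ec5f4e93130efb24fb9678aafd88e8070095b") makes it clear that this is the upstream fix and not another discussion link.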
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage fuse
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c0382ffa by Chris Lamb at 2018-07-29T04:55:54Z data/dla-needed.txt: Triage fuse - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -33,6 +33,8 @@ firefox-esr (Emilio Pozuelo) NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL. NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work. -- +fuse +-- git-annex NOTE: 20180710: See #903037 for more information and a fix for Stretch. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c0382ffa54e502ccbd2732036a0e6332d92bb6c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c0382ffa54e502ccbd2732036a0e6332d92bb6c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
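Review bot: the new "fuse" entry carries no NOTE line, unlike the neighbouring firefox-esr and git-annex entries, which record a date and what the update needs; a dated note saying which issue the jessie update is meant to address would tell whoever picks the package up what is expected of the DLA.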
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2015-5638/h2o
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 849a58c5 by Salvatore Bonaccorso at 2018-07-29T04:12:49Z Update status for CVE-2015-5638/h2o - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -130355,7 +130355,8 @@ CVE-2015-5640 (baserCMS before 3.0.8 allows remote authenticated users to modify CVE-2015-5639 (niconico App for iOS before 6.38 does not verify SSL certificates ...) NOT-FOR-US: niconico App for iOS CVE-2015-5638 (Directory traversal vulnerability in H2O before 1.4.5 and 1.5.x before ...) - NOT-FOR-US: H2O + - h2o (Fixed before initial upload to Debian) + NOTE: https://github.com/h2o/h2o/issues/921 CVE-2015-5637 (The Newphoria Photon application before 1.2 for Android allows ...) NOT-FOR-US: Newphoria CVE-2015-5636 (The Newphoria Reversi application before 1.0.3 for Android and before ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/849a58c55b816f071aee7b8b4a57cce16de8ba06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/849a58c55b816f071aee7b8b4a57cce16de8ba06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
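Review bot: the replacement line "- h2o (Fixed before initial upload to Debian)" gives neither a fixed version nor a not-affected pseudo-version, so in this file's format it reads like the open entries elsewhere on this page (compare "- openjpeg2 (bug #904873)"), that is, as h2o being vulnerable in unstable; if no uploaded Debian version was ever affected, record that with the tracker's <not-affected> marker or with the first uploaded version so the CVE is not listed as outstanding for h2o. The same applies to the other h2o entries switched from NOT-FOR-US in this series (CVE-2016-1133, CVE-2016-4817, CVE-2016-4864, CVE-2016-7835).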
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2016-1133/h2o
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b4eee23 by Salvatore Bonaccorso at 2018-07-29T04:12:27Z Update status for CVE-2016-1133/h2o - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -118890,7 +118890,10 @@ CVE-2016-1135 (Cross-site scripting (XSS) vulnerability on BUFFALO BHR-4GRV2 dev CVE-2016-1134 (Cross-site request forgery (CSRF) vulnerability on BUFFALO BHR-4GRV2 ...) NOT-FOR-US: BUFFALO CVE-2016-1133 (CRLF injection vulnerability in the on_req function in ...) - NOT-FOR-US: H2O + - h2o (Fixed before initial upload to Debian) + NOTE: https://github.com/h2o/h2o/issues/682 + NOTE: https://github.com/h2o/h2o/issues/684 + NOTE: https://github.com/h2o/h2o/pull/684 CVE-2016-1132 (Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify ...) NOT-FOR-US: Shoplat App CVE-2016-1131 (Buffer overflow in the CL_vsprintf function in Takumi Yamada DX ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9b4eee238e0590eefa9784d8228a672e429a442a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9b4eee238e0590eefa9784d8228a672e429a442a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
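Review bot: the two added references https://github.com/h2o/h2o/issues/684 and https://github.com/h2o/h2o/pull/684 point at the same GitHub item, since issues and pull requests share one number space, so one of the two NOTE lines is redundant and the pull/684 form should be kept as the one naming the fix. The new "- h2o (Fixed before initial upload to Debian)" line also lacks a version or not-affected marker, as with the other h2o entries changed in this series.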
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2016-4817/h2o
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 182d by Salvatore Bonaccorso at 2018-07-29T04:11:53Z Update status for CVE-2016-4817/h2o - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -106978,7 +106978,9 @@ CVE-2016-4819 (The printfDx function in Takumi Yamada DX Library for Borland C++ CVE-2016-4818 (DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for ...) NOT-FOR-US: DMMFX CVE-2016-4817 (lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 ...) - NOT-FOR-US: H2O + - h2o (Fixed before initial upload to Debian) + NOTE: https://github.com/h2o/h2o/pull/920 + NOTE: https://github.com/h2o/h2o/commit/1c0808d580da09fdec5a9a74ff09e103ea058dd4 CVE-2016-4816 (BUFFALO WZR-600DHP3 devices with firmware 2.16 and earlier and ...) NOT-FOR-US: BUFFALO CVE-2016-4815 (Directory traversal vulnerability on BUFFALO WZR-600DHP3 devices with ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/182deb29dc03132d99bbc20fc9bf6a85b193 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/182deb29dc03132d99bbc20fc9bf6a85b193 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2016-4864/h2o
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3eabf010 by Salvatore Bonaccorso at 2018-07-29T04:07:32Z Update status for CVE-2016-4864/h2o - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -106872,7 +106872,8 @@ CVE-2016-4866 (Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4 CVE-2016-4865 (Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 ...) NOT-FOR-US: Cybozu CVE-2016-4864 (H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows ...) - NOT-FOR-US: H2O + - h2o (Fixed before initial upload to Debian) + NOTE: https://github.com/h2o/h2o/issues/1077 CVE-2016-4863 (The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware ...) NOT-FOR-US: Toshiba FlashAir CVE-2016-4862 (Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3eabf010af2730bf6b632c7cbfb5dd818692b44c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3eabf010af2730bf6b632c7cbfb5dd818692b44c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-14423
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90295e88 by Salvatore Bonaccorso at 2018-07-29T04:06:03Z Add bug reference for CVE-2018-14423 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -690,7 +690,7 @@ CVE-2016-10727 (camel/providers/imapx/camel-imapx-server.c in the IMAPx componen CVE-2018-14424 RESERVED CVE-2018-14423 (Division-by-zero vulnerabilities in the functions pi_next_pcrl, ...) - - openjpeg2 + - openjpeg2 (bug #904873) NOTE: https://github.com/uclouvain/openjpeg/issues/1123 CVE-2018-14422 (blog/index.php in SansCMS 0.7 has XSS via the q parameter. ...) NOT-FOR-US: SansCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90295e8844f9548e4d78f635f60fcdc93645b716 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90295e8844f9548e4d78f635f60fcdc93645b716 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-7835/h2o
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 151df1d7 by Salvatore Bonaccorso at 2018-07-29T04:04:51Z Update information for CVE-2018-7835/h2o - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -96717,7 +96717,8 @@ CVE-2016-7837 (Buffer overflow in BlueZ 5.41 and earlier allows an attacker to . CVE-2016-7836 (SKYSEA Client View Ver.11.221.03 and earlier allows remote code ...) NOT-FOR-US: SKYSEA Client View CVE-2016-7835 (Use-after-free vulnerability in H2O allows remote attackers to cause a ...) - NOT-FOR-US: H2O + - h2o (Fixed before initial upload to Debian) + NOTE: https://github.com/h2o/h2o/issues/1144 CVE-2016-7834 (SONY SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, ...) NOT-FOR-US: SONY CVE-2016-7833 (Cybozu Dezie 8.0.0 to 8.1.1 allows remote attackers to bypass access ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/151df1d7c9ff0071f60426125ef6ce4885fa9e09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/151df1d7c9ff0071f60426125ef6ce4885fa9e09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
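Review bot: the commit subject says CVE-2018-7835, but the hunk changes the entry for CVE-2016-7835 (the H2O use-after-free); the subject should be corrected so the git history and the tracker's per-CVE log line up. The changed line "- h2o (Fixed before initial upload to Debian)" also has the same missing-version concern as the other h2o entries in this series.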
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-14423/openjpeg2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eff645a9 by Salvatore Bonaccorso at 2018-07-29T04:03:05Z Add CVE-2018-14423/openjpeg2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -690,7 +690,8 @@ CVE-2016-10727 (camel/providers/imapx/camel-imapx-server.c in the IMAPx componen CVE-2018-14424 RESERVED CVE-2018-14423 (Division-by-zero vulnerabilities in the functions pi_next_pcrl, ...) - TODO: check + - openjpeg2 + NOTE: https://github.com/uclouvain/openjpeg/issues/1123 CVE-2018-14422 (blog/index.php in SansCMS 0.7 has XSS via the q parameter. ...) NOT-FOR-US: SansCMS CVE-2018-14421 (SeaCMS v6.61 allows Remote Code execution by placing PHP code in a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eff645a91eef6f8e9cf791402cd004d4a56efb52 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eff645a91eef6f8e9cf791402cd004d4a56efb52 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f60a32c2 by Salvatore Bonaccorso at 2018-07-29T04:00:59Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -221,13 +221,13 @@ CVE-2018-1002208 (sharplibzip before 1.0 RC1 is vulnerable to directory traversa NOTE: https://github.com/icsharpcode/SharpZipLib/issues/232 TODO: further checks CVE-2018-1002207 (mholt/archiver golang package before ...) - TODO: check + NOT-FOR-US: golang-github-mholt-archiver CVE-2018-1002206 (SharpCompress before 0.21.0 is vulnerable to directory traversal, ...) - TODO: check + NOT-FOR-US: SharpCompress library (for .NET Standard 1.0) CVE-2018-1002205 (DotNetZip.Semvered before 1.11.0 is vulnerable to directory traversal, ...) - TODO: check + NOT-FOR-US: DotNetZip.Semvered library (.NET) CVE-2018-1002203 (unzipper npm library before 0.8.13 is vulnerable to directory ...) - TODO: check + NOT-FOR-US: unzipper nodejs module CVE-2018-14596 (wancms 1.0 through 5.0 allows remote attackers to cause a denial of ...) NOT-FOR-US: wancms CVE-2018-14595 @@ -632,7 +632,7 @@ CVE-2018-14441 (An issue was discovered in cckevincyh SSH CompanyWebsite through CVE-2018-14440 (An issue was discovered in cckevincyh SSH CompanyWebsite through ...) NOT-FOR-US: cckevincyh SSH CompanyWebsite CVE-2018-14439 (espritblock eos4j, an unofficial SDK for EOS, through 2018-07-12 ...) - TODO: check + NOT-FOR-US: eos4j CVE-2018-14438 (In Wireshark through 2.6.2, the create_app_running_mutex function in ...) - wireshark (Problem with SetSecurityDescriptorDacl() is Windows specific issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14921 
@@ -1008,7 +1008,7 @@ CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby CVE-2018-14336 (TP-Link WR840N devices allow remote attackers to cause a denial of ...) NOT-FOR-US: TP-Link CVE-2018-14335 (An issue was discovered in H2 1.4.197. Insecure handling of ...) - TODO: check + NOT-FOR-US: H2 (different from src:python-h2) CVE-2018-14334 (manager/editor/upload.php in joyplus-cms 1.6.0 allows arbitrary file ...) NOT-FOR-US: joyplus-cms CVE-2018-14333 (TeamViewer through 13.1.1548 stores a password in Unicode format within ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f60a32c273b4f032afdf0a90630e5bc5aefd40af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f60a32c273b4f032afdf0a90630e5bc5aefd40af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
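Review bot: "NOT-FOR-US: golang-github-mholt-archiver" names a Debian-style source package for something the marker itself says is not packaged, which invites confusion with an actual src: package; the other entries in this hunk use the upstream name ("SharpCompress library (for .NET Standard 1.0)", "unzipper nodejs module"), and "mholt/archiver Go package" would match both that convention and the CVE description.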
[Git][security-tracker-team/security-tracker][master] Add upstream bug reference for CVE-2018-14432/keystone
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bd7f878 by Salvatore Bonaccorso at 2018-07-28T21:07:36Z Add upstream bug reference for CVE-2018-14432/keystone - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -662,6 +662,7 @@ CVE-2018-14432 [GET /v3/OS-FEDERATION/projects leaks project information] - keystone (bug #904616) [jessie] - keystone (Not supported in Jessie) NOTE: http://www.openwall.com/lists/oss-security/2018/07/25/2 + NOTE: https://bugs.launchpad.net/keystone/+bug/1779205 CVE-2018-14431 RESERVED CVE-2018-14430 (The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7bd7f878a85ae1a7e92b52bf347130d195d90dc9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7bd7f878a85ae1a7e92b52bf347130d195d90dc9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b879886 by security tracker role at 2018-07-28T20:10:20Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,4 +1,4 @@ -CVE-2018-14678 [XSA-274: Uninitialized state in PV syscall return path] +CVE-2018-14678 (An issue was discovered in the Linux kernel through 4.17.11, as used in ...) - linux NOTE: https://xenbits.xen.org/xsa/advisory-274.html CVE-2018-14677 @@ -22,18 +22,22 @@ CVE-2018-14669 CVE-2018-14668 RESERVED CVE-2018-14679 [off-by-one error in CHM PMGI/PMGL chunk number validity checks] + RESERVED - libmspack (bug #904802) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14680 [libmspack now rejects blank CHM filenames] + RESERVED - libmspack (bug #904801) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14682 [Fix off-by-one error in chmd TOLOWER() fallback] + RESERVED - libmspack (bug #904800) NOTE: https://github.com/kyz/libmspack/commit/4fd9ccaa54e1aebde1e4b95fb0163b699fd7bcc8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14681 [kwaj_read_headers(): fix handling of non-terminated strings] + RESERVED - libmspack (bug #904799) NOTE: https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 @@ -9493,6 +9497,7 @@ CVE-2018-10908 CVE-2018-10907 RESERVED CVE-2018-10906 (In fuse before versions 2.9.8 and 3.x before 3.2.5, fusermount is ...) + {DSA-4257-1} - fuse3 (bug #904216) - fuse 2.9.8-1 (bug #904439) NOTE: https://github.com/libfuse/libfuse/pull/268 
@@ -39393,13 +39398,11 @@ CVE-2018-0499 (A cross-site scripting vulnerability in ...) [stretch] - xapian-core 1.4.3-2+deb9u1 [jessie] - xapian-core (vulnerable code not present) NOTE: https://lists.xapian.org/pipermail/xapian-discuss/2018-July/009652.html -CVE-2018-0498 [Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel] - RESERVED +CVE-2018-0498 (ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows ...) - mbedtls 2.12.0-1 (bug #904821) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 -CVE-2018-0497 [Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel] - RESERVED +CVE-2018-0497 (ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows ...) - mbedtls 2.12.0-1 (bug #904821) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b879886d671cfe07427b87e100bf8774f03b2bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b879886d671cfe07427b87e100bf8774f03b2bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVEs assigned for libmspack issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d5239b5 by Salvatore Bonaccorso at 2018-07-28T19:02:53Z CVEs assigned for libmspack issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -21,19 +21,19 @@ CVE-2018-14669 RESERVED CVE-2018-14668 RESERVED -CVE-2018- [off-by-one error in CHM PMGI/PMGL chunk number validity checks] +CVE-2018-14679 [off-by-one error in CHM PMGI/PMGL chunk number validity checks] - libmspack (bug #904802) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 -CVE-2018- [libmspack now rejects blank CHM filenames] +CVE-2018-14680 [libmspack now rejects blank CHM filenames] - libmspack (bug #904801) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 -CVE-2018- [Fix off-by-one error in chmd TOLOWER() fallback] +CVE-2018-14682 [Fix off-by-one error in chmd TOLOWER() fallback] - libmspack (bug #904800) NOTE: https://github.com/kyz/libmspack/commit/4fd9ccaa54e1aebde1e4b95fb0163b699fd7bcc8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 -CVE-2018- [kwaj_read_headers(): fix handling of non-terminated strings] +CVE-2018-14681 [kwaj_read_headers(): fix handling of non-terminated strings] - libmspack (bug #904799) NOTE: https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d5239b5d07dc04b451686868ab045b27065418c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d5239b5d07dc04b451686868ab045b27065418c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
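Review bot: the four newly numbered entries (CVE-2018-14679, CVE-2018-14680, CVE-2018-14682, CVE-2018-14681) sit below CVE-2018-14669 and CVE-2018-14668 and are not in numeric order among themselves, while the file is otherwise kept in descending CVE order (the CVE-2018-14678 commit in this same series inserts its entry above CVE-2018-14677); moving the four entries to their numeric position, with 14682 ahead of 14681, keeps the list sorted for the automatic updater and for anyone searching by number.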
[Git][security-tracker-team/security-tracker][master] CVE-2018-14678/linux assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 916d2d7f by Salvatore Bonaccorso at 2018-07-28T18:55:07Z CVE-2018-14678/linux assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,6 @@ +CVE-2018-14678 [XSA-274: Uninitialized state in PV syscall return path] + - linux + NOTE: https://xenbits.xen.org/xsa/advisory-274.html CVE-2018-14677 RESERVED CVE-2018-14676 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/916d2d7f80a4c8fe50995c18dff3a4d5af4bb981 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/916d2d7f80a4c8fe50995c18dff3a4d5af4bb981 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] also take ffmpeg
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 18aa0393 by Moritz Muehlenhoff at 2018-07-28T17:44:38Z also take ffmpeg - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -20,7 +20,7 @@ asterisk -- enigmail -- -ffmpeg +ffmpeg (jmm) Maintainer is proposing an update to 3.2.12 based version -- gitlab View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18aa0393d413f49543d0e81dc9c008d41b2e4688 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/18aa0393d413f49543d0e81dc9c008d41b2e4688 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] take ruby, symfony
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32691446 by Moritz Muehlenhoff at 2018-07-28T17:42:46Z take ruby, symfony - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -75,7 +75,7 @@ passenger php-horde-image Chris Lamb proposed debdiff adressing CVE-2017-9773, CVE-2017-9774 and CVE-2017-14650 -- -ruby2.3 +ruby2.3 (jmm) santiago and terceiro prepared an update https://salsa.debian.org/ruby-team/ruby/commits/debian/stretch call for tests: https://lists.debian.org/debian-ruby/2018/05/msg00033.html @@ -83,7 +83,7 @@ ruby2.3 sssd Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release. -- -symfony +symfony (jmm) -- sympa (carnil) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/326914465cc8ada56b788952a6fdf3d9eef98cdf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/326914465cc8ada56b788952a6fdf3d9eef98cdf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1002208
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 937308a7 by Salvatore Bonaccorso at 2018-07-28T15:22:38Z Add CVE-2018-1002208 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -208,7 +208,11 @@ CVE-2017-18344 (The timer_create syscall implementation in kernel/time/posix-tim CVE-2018-14597 RESERVED CVE-2018-1002208 (sharplibzip before 1.0 RC1 is vulnerable to directory traversal, ...) - TODO: check + - mono + - mono-reference-assemblies (unimportant) + NOTE: https://snyk.io/vuln/SNYK-DOTNET-SHARPZIPLIB-60247 + NOTE: https://github.com/icsharpcode/SharpZipLib/issues/232 + TODO: further checks CVE-2018-1002207 (mholt/archiver golang package before ...) TODO: check CVE-2018-1002206 (SharpCompress before 0.21.0 is vulnerable to directory traversal, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/937308a714f2ca83f98689ebc6a42c48eb8f78a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/937308a714f2ca83f98689ebc6a42c48eb8f78a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-049{7,8}/mbedtls fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ed7d8e4 by Salvatore Bonaccorso at 2018-07-28T14:59:42Z CVE-2018-049{7,8}/mbedtls fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -39388,12 +39388,12 @@ CVE-2018-0499 (A cross-site scripting vulnerability in ...) NOTE: https://lists.xapian.org/pipermail/xapian-discuss/2018-July/009652.html CVE-2018-0498 [Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel] RESERVED - - mbedtls (bug #904821) + - mbedtls 2.12.0-1 (bug #904821) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 CVE-2018-0497 [Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel] RESERVED - - mbedtls (bug #904821) + - mbedtls 2.12.0-1 (bug #904821) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 CVE-2018-0496 (Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ed7d8e464bf6084ffcda38c1c08b88b86b93701 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ed7d8e464bf6084ffcda38c1c08b88b86b93701 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for fuse
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63b6e7f7 by Salvatore Bonaccorso at 2018-07-28T14:04:48Z Reserve DSA number for fuse - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[28 Jul 2018] DSA-4257-1 fuse - security update + {CVE-2018-10906} + [stretch] - fuse 2.9.7-1+deb9u1 [26 Jul 2018] DSA-4256-1 chromium-browser - security update {CVE-2018-4117 CVE-2018-6044 CVE-2018-6150 CVE-2018-6151 CVE-2018-6152 CVE-2018-6153 CVE-2018-6154 CVE-2018-6155 CVE-2018-6156 CVE-2018-6157 CVE-2018-6158 CVE-2018-6159 CVE-2018-6161 CVE-2018-6162 CVE-2018-6163 CVE-2018-6164 CVE-2018-6165 CVE-2018-6166 CVE-2018-6167 CVE-2018-6168 CVE-2018-6169 CVE-2018-6170 CVE-2018-6171 CVE-2018-6172 CVE-2018-6173 CVE-2018-6174 CVE-2018-6175 CVE-2018-6176 CVE-2018-6177 CVE-2018-6178 CVE-2018-6179} [stretch] - chromium-browser 68.0.3440.75-1~deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/63b6e7f7ac552638c0317f935c7c0053338055d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/63b6e7f7ac552638c0317f935c7c0053338055d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add ffmpeg to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1afb672d by Salvatore Bonaccorso at 2018-07-28T14:01:49Z Add ffmpeg to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -20,6 +20,9 @@ asterisk -- enigmail -- +ffmpeg + Maintainer is proposing an update to 3.2.12 based version +-- gitlab -- glusterfs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1afb672d632b4c90875e1521dd89a74e88410669 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1afb672d632b4c90875e1521dd89a74e88410669 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note for keystone
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb323843 by Salvatore Bonaccorso at 2018-07-28T14:00:42Z Add note for keystone - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -31,6 +31,9 @@ intel-microcode -- jetty9 (jmm) -- +keystone + Maintainer is proposing an update for CVE-2018-14432 +-- knot-resolver -- libarchive-zip-perl (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb323843e134f639ce5e08ac6d582c2b141ba895 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eb323843e134f639ce5e08ac6d582c2b141ba895 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
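Review bot: the keystone note names CVE-2018-14432 but this commit touches only data/dsa-needed.txt, so please check that data/CVE/list has a keystone entry for CVE-2018-14432 whose stretch status matches the plan for a DSA, and consider adding the Debian bug number to the note if one exists, since `Maintainer is proposing an update for CVE-2018-14432` alone gives the DSA author nothing to cross-reference. Placement between `jetty9 (jmm)` and `knot-resolver` keeps the alphabetical order of the list.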
[Git][security-tracker-team/security-tracker][master] Remove two ruby2.3 postponed tags which are included in next update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 973a8b31 by Salvatore Bonaccorso at 2018-07-28T13:58:09Z Remove two ruby2.3 postponed tags which are included in next update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -30369,7 +30369,6 @@ CVE-2017-17790 (The lazy_initialize function in lib/resolv.rb in Ruby through 2. {DLA-1421-1 DLA-1222-1 DLA-1221-1} - ruby2.5 2.5.0-1 (bug #884878) - ruby2.3 (bug #884879) - [stretch] - ruby2.3 (Minor issue, can be fixed along in future DSA) - ruby2.1 - ruby1.9.1 - ruby1.8 @@ -36894,7 +36893,6 @@ CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#ge {DLA-1421-1 DLA-1222-1 DLA-1221-1} - ruby2.5 2.5.0~rc1-1 (bug #884437) - ruby2.3 2.3.6-1 (bug #884438) - [stretch] - ruby2.3 (Minor issue, can be fixed along in a future update) - ruby2.1 - ruby1.9.1 - ruby1.8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/973a8b3112b6f65b32e16e896672f8284cc70eb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/973a8b3112b6f65b32e16e896672f8284cc70eb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
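Review bot: dropping the `[stretch] - ruby2.3 (Minor issue, can be fixed along in future DSA)` lines changes the stretch status of both CVEs from postponed to open, and for CVE-2017-17790 the remaining `- ruby2.3 (bug #884879)` line has no fixed version at all, so until the DSA for the ruby2.3 update is recorded the tracker will list stretch (and, for that CVE, unstable) as unfixed; if the DSA entry is not part of the same push, consider making the removal together with it so the status does not flip twice. For CVE-2017-17405 the unstable fix `ruby2.3 2.3.6-1` is already recorded, so only the stretch status is affected there.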
[Git][security-tracker-team/security-tracker][master] Record fixed version for CVE-2018-1121{2,3,4} via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 359399ec by Salvatore Bonaccorso at 2018-07-28T13:39:14Z Record fixed version for CVE-2018-1121{2,3,4} via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -8750,11 +8750,11 @@ CVE-2018-11216 CVE-2018-11215 RESERVED CVE-2018-11214 (An issue was discovered in libjpeg 9a. The get_text_rgb_row function in ...) - - libjpeg9 (low; bug #902176) + - libjpeg9 1:9c-1 (low; bug #902176) CVE-2018-11213 (An issue was discovered in libjpeg 9a. The get_text_gray_row function ...) - - libjpeg9 (low; bug #902176) + - libjpeg9 1:9c-1 (low; bug #902176) CVE-2018-11212 (An issue was discovered in libjpeg 9a. The alloc_sarray function in ...) - - libjpeg9 (low; bug #902176) + - libjpeg9 1:9c-1 (low; bug #902176) CVE-2018-11211 RESERVED CVE-2018-11210 (TinyXML2 6.2.0 has a heap-based buffer over-read in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/359399ec6e46b391660e8e76281031f32153485c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/359399ec6e46b391660e8e76281031f32153485c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
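Review bot: the three libjpeg9 entries now record `1:9c-1` as the fixed version for CVE-2018-11212, -11213 and -11214 with severity `low` and the shared bug #902176, but none of them carries a `[stretch]` or `[jessie]` annotation, so the stable suites will show as affected once unstable is marked fixed; if the `low` rating means no DSA/DLA is planned, add a `[stretch] - libjpeg9 (Minor issue, ...)` style line as used elsewhere in the file, otherwise these three will sit in the open list. The version string `1:9c-1` is applied consistently across all three entries, which is good.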
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-049{7,8}/mbedtls: #904821
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c69e49d by Salvatore Bonaccorso at 2018-07-28T11:02:45Z Add CVE-2018-049{7,8}/mbedtls: #904821 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -39388,10 +39388,16 @@ CVE-2018-0499 (A cross-site scripting vulnerability in ...) [stretch] - xapian-core 1.4.3-2+deb9u1 [jessie] - xapian-core (vulnerable code not present) NOTE: https://lists.xapian.org/pipermail/xapian-discuss/2018-July/009652.html -CVE-2018-0498 +CVE-2018-0498 [Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel] RESERVED -CVE-2018-0497 + - mbedtls (bug #904821) + - polarssl + NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 +CVE-2018-0497 [Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel] RESERVED + - mbedtls (bug #904821) + - polarssl + NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02 CVE-2018-0496 (Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 ...) - freedink-dfarc 3.14-1 [stretch] - freedink-dfarc 3.12-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c69e49d3db244d1000f425d07103636eeefedd6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c69e49d3db244d1000f425d07103636eeefedd6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
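Review bot: the `- polarssl` line added under both CVE-2018-0497 and CVE-2018-0498 has no version, bug reference or suite annotation, unlike the `- mbedtls (bug #904821)` line beside it; if polarssl is the older source package that only exists in earlier suites, give it a fixed version or one of the tracker's status markers, or a `[jessie]` line, so it does not sit as an unqualified open issue, and state which suite bug #904821 covers. Keeping `RESERVED` under the bracketed title while MITRE has not published the description is the usual convention, so that part is fine.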
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3347ff67 by security tracker role at 2018-07-28T08:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,23 @@ +CVE-2018-14677 + RESERVED +CVE-2018-14676 + RESERVED +CVE-2018-14675 + RESERVED +CVE-2018-14674 + RESERVED +CVE-2018-14673 + RESERVED +CVE-2018-14672 + RESERVED +CVE-2018-14671 + RESERVED +CVE-2018-14670 + RESERVED +CVE-2018-14669 + RESERVED +CVE-2018-14668 + RESERVED CVE-2018- [off-by-one error in CHM PMGI/PMGL chunk number validity checks] - libmspack (bug #904802) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a @@ -37035,6 +37055,7 @@ CVE-2018-1118 (Linux kernel vhost since version 4.8 does not properly initialize CVE-2018-1117 (ovirt-ansible-roles before version 1.0.6 has a vulnerability due to a ...) NOT-FOR-US: ovirt-ansible-roles CVE-2018-1116 (A flaw was found in polkit before version 0.116. The implementation of ...) + {DLA-1448-1} - policykit-1 0.105-21 (bug #903563) [stretch] - policykit-1 (Minor issue; can be fixed via point release) NOTE: https://cgit.freedesktop.org/polkit/commit/?id=bc7ffad53643a9c80231fc41f5582d6a8931c32c @@ -38718,6 +38739,7 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive definition (such as can CVE-2018-0738 RESERVED CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be ...) + {DLA-1449-1} - openssl 1.1.0h-3 (low; bug #895844) [stretch] - openssl (Can wait for next DSA and upstream release) [wheezy] - openssl (Can wait for next update) 
@@ -38742,6 +38764,7 @@ CVE-2018-0733 (Because of an implementation bug the PA-RISC CRYPTO_memcmp functi NOTE: Issue specific to HP-UX NOTE: https://www.openssl.org/news/secadv/20180327.txt CVE-2018-0732 (During key agreement in a TLS handshake using a DH(E) based ...) + {DLA-1449-1} - openssl (low) [stretch] - openssl (Minor issue, can be fixed along with next OpenSSL security release) - openssl1.0 (low) @@ -46338,8 +46361,7 @@ CVE-2017-15119 (The Network Block Device (NBD) server in Quick Emulator (QEMU) b - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html -CVE-2017-15118 [stack buffer overflow in NBD server triggered via long export name] - RESERVED +CVE-2017-15118 (A stack-based buffer overflow vulnerability was found in NBD server ...) - qemu 1:2.11+dfsg-1 (bug #883406) [stretch] - qemu (Vulnerable code introduced in 2.10) [jessie] - qemu (Vulnerable code introduced in 2.10) @@ -46409,8 +46431,7 @@ CVE-2017-15102 (The tower_probe function in drivers/usb/misc/legousbtower.c in t [jessie] - linux 3.16.43-1 [wheezy] - linux 3.2.86-1 NOTE: Fixed by: https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1) -CVE-2017-15101 [Incomplete fix for CVE-2014-8184] - RESERVED +CVE-2017-15101 (A missing patch for a stack-based buffer overflow in findTable() was ...) - liblouis (Incomplete fix not applied in Debian) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701#c12 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1511023 
@@ -46430,8 +46451,7 @@ CVE-2017-15098 (Invalid json_populate_recordset or jsonb_populate_recordset func - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code does not exist) -CVE-2017-15097 - RESERVED +CVE-2017-15097 (Privilege escalation flaws were found in the Red Hat initialization ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1508985 NOTE: Similar issues as CVE-2016-1255 in Debian NOT-FOR-US: Red Hat specific provides scripts for starting the database server during system boot and for initializing the database @@ -84774,8 +84794,7 @@ CVE-2017-2665 (The skyring-setup command creates random password for mongodb sky NOT-FOR-US: Red Hat Storage / skyring CVE-2017-2664 (CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before ...) NOT-FOR-US: Red Hat CloudForms -CVE-2017-2663 - RESERVED +CVE-2017-2663 (It was found that subscription-manager's DBus interface before 1.19.4 ...) NOT-FOR-US: candlepin / subscription-manager CVE-2017-2662 RESERVED @@ -84801,16 +84820,15 @@ CVE-2017-2654 RESERVED CVE-2017-2653 (A number of unused delete routes are present in CloudForms before ...) NOT-FOR-US: Red Hat CloudForms
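Review bot: the `{DLA-1449-1}` reference added to CVE-2018-0737 and CVE-2018-0732 records a jessie update, yet the `[wheezy] - openssl (Can wait for next update)` line under CVE-2018-0737 is left as is; if wheezy is no longer supported that line can be dropped, and if it is, it should say what the wheezy plan is now that the jessie update has shipped. The `[stretch] - openssl (...)` postponement lines, and `[stretch] - policykit-1 (Minor issue; can be fixed via point release)` beside the new `{DLA-1448-1}` on CVE-2018-1116, remain consistent because a DLA does not cover stretch.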
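Review bot: now that CVE-2017-15097 carries a real description (`Privilege escalation flaws were found in the Red Hat initialization ...`), the existing `NOT-FOR-US: Red Hat specific provides scripts for starting the database server during system boot and for initializing the database` justification reads as if a noun is missing after "specific" and is worth tidying while the entry is touched; the `NOTE: Similar issues as CVE-2016-1255 in Debian` cross-reference is the useful part and should stay. The automatic replacement of the hand-written titles for CVE-2017-15118 and CVE-2017-15101 with MITRE's truncated text loses `[Incomplete fix for CVE-2014-8184]` for liblouis, but the `- liblouis (Incomplete fix not applied in Debian)` line still preserves that context.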
[Git][security-tracker-team/security-tracker][master] Add bug references for libmspack issues: #904799, #904800, #904801 and #904802
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bf4285e by Salvatore Bonaccorso at 2018-07-28T07:36:10Z Add bug references for libmspack issues: #904799, #904800, #904801 and #904802 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,17 +1,17 @@ CVE-2018- [off-by-one error in CHM PMGI/PMGL chunk number validity checks] - - libmspack + - libmspack (bug #904802) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018- [libmspack now rejects blank CHM filenames] - - libmspack + - libmspack (bug #904801) NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018- [Fix off-by-one error in chmd TOLOWER() fallback] - - libmspack + - libmspack (bug #904800) NOTE: https://github.com/kyz/libmspack/commit/4fd9ccaa54e1aebde1e4b95fb0163b699fd7bcc8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018- [kwaj_read_headers(): fix handling of non-terminated strings] - - libmspack + - libmspack (bug #904799) NOTE: https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8 NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14667 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf4285e4a9f71b4e0703f46519e64dfce978f64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bf4285e4a9f71b4e0703f46519e64dfce978f64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
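Review bot: the four bug references are attached to entries that are still `CVE-2018-` placeholders without an assigned id, so the bug-to-issue mapping will have to be carried over by hand when the ids arrive; double-check that #904802 really is the PMGI/PMGL chunk-number off-by-one and #904801 the blank-filename rejection, since both point at the same upstream commit 72e70a92 and are easy to swap. None of the four lines has a fixed version yet (`- libmspack (bug #...)`), which is expected for freshly filed bugs but means the entries show as open in every suite until the upload lands.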
[Git][security-tracker-team/security-tracker][master] Add new libmspack issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f833bc79 by Salvatore Bonaccorso at 2018-07-28T07:33:06Z Add new libmspack issues A subset affects clamav, which uses the system library though since Debian Jessie. Any other update should not only cherry-pick the fixes for clamav so they are safe as well. No need to track here clamav for those as all supported suites including LTS switched already to use the system library. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,3 +1,19 @@ +CVE-2018- [off-by-one error in CHM PMGI/PMGL chunk number validity checks] + - libmspack + NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a + NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 +CVE-2018- [libmspack now rejects blank CHM filenames] + - libmspack + NOTE: https://github.com/kyz/libmspack/commit/72e70a921f0f07fee748aec2274b30784e1d312a + NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 +CVE-2018- [Fix off-by-one error in chmd TOLOWER() fallback] + - libmspack + NOTE: https://github.com/kyz/libmspack/commit/4fd9ccaa54e1aebde1e4b95fb0163b699fd7bcc8 + NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 +CVE-2018- [kwaj_read_headers(): fix handling of non-terminated strings] + - libmspack + NOTE: https://github.com/kyz/libmspack/commit/0b0ef9344255ff5acfac6b7af09198ac9c9756c8 + NOTE: http://www.openwall.com/lists/oss-security/2018/07/26/1 CVE-2018-14667 RESERVED CVE-2018-14666 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f833bc7947b072483a9f1f5acb42fb7bec12e148 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f833bc7947b072483a9f1f5acb42fb7bec12e148 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
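Review bot: the titles `[libmspack now rejects blank CHM filenames]` and `[Fix off-by-one error in chmd TOLOWER() fallback]` describe the fix rather than the flaw; the tracker's bracket titles normally state the vulnerability, as the first entry `[off-by-one error in CHM PMGI/PMGL chunk number validity checks]` does, so rewording them to what goes wrong when the check is missing would help whoever assigns CVE ids and drafts the DSA text. The commit message explains why clamav is not tracked (it uses the system libmspack since jessie); recording that reasoning as a `NOTE:` on one of the entries would keep it visible in the file rather than only in the git history.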