[Git][security-tracker-team/security-tracker][master] Reserve DLA-1468-1 for fuse

2018-08-15 Thread Thorsten Alteholz
Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d47c977b by Thorsten Alteholz at 2018-08-15T20:39:35Z
Reserve DLA-1468-1 for fuse

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[15 Aug 2018] DLA-1468-1 fuse - security update
+   {CVE-2018-10906}
+   [jessie] - fuse 2.9.3-15+deb8u3
 [15 Aug 2018] DLA-1467-1 ruby-zip - security update
{CVE-2018-1000544}
[jessie] - ruby-zip 1.1.6-1+deb8u2
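Review bot: the version in `[jessie] - fuse 2.9.3-15+deb8u3` is the only thing the tracker uses to mark CVE-2018-10906 as fixed in jessie, so it has to match the version string of the upload accepted into jessie-security exactly; a mismatch leaves the CVE shown as open in jessie, or fixed at a version that does not exist. The entry otherwise follows the newest-first ordering of DLA-1467-1 below it.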


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -30,8 +30,6 @@ firefox-esr (Emilio Pozuelo)
   NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 
goes EOL.
   NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need 
some work.
 --
-fuse (Thorsten Alteholz)
---
 gdm3 (Markus Koschany)
 --
 git-annex



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d47c977b557fd8e7bac4ed821ea98c22dfe4d300

You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Process NFUs

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d167d223 by Salvatore Bonaccorso at 2018-08-15T20:25:45Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -406,7 +406,7 @@ CVE-2018-15173 (Nmap through 7.70, when the -sV option is 
used, allows remote at
- nmap  (unimportant)
NOTE: No security impact
 CVE-2018-15172 (TP-Link WR840N devices have a buffer overflow via a long 
Authorization ...)
-   TODO: check
+   NOT-FOR-US: TP-Link WR840N devices
 CVE-2018-15171
RESERVED
 CVE-2018-15170
@@ -438,27 +438,27 @@ CVE-2018-15158
 CVE-2018-15157
RESERVED
 CVE-2018-15156 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15155 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15154 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15153 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15152 (Authentication bypass vulnerability in 
portal/account/register.php in ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15151 (SQL injection vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15150 (SQL injection vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15149 (SQL injection vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15148 (SQL injection vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15147 (SQL injection vulnerability in 
interface/forms_admin/forms_admin.php ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15146 (SQL injection vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: OpenEMR
 CVE-2018-15145 (Multiple SQL injection vulnerabilities in ...)
NOT-FOR-US: OpenEMR
 CVE-2018-15144 (SQL injection vulnerability in ...)
@@ -474,7 +474,7 @@ CVE-2018-15140 (Directory traversal in 
portal/import_template.php in versions of
 CVE-2018-15139 (Unrestricted file upload in 
interface/super/manage_site_files.php in ...)
NOT-FOR-US: OpenEMR
 CVE-2018-15138 (Ericsson-LG iPECS NMS 30M allows directory traversal via ...)
-   TODO: check
+   NOT-FOR-US: Ericsson-LG iPECS NMS 30M
 CVE-2018-15137 (CeLa Link CLR-M20 devices allow unauthorized users to upload 
any file ...)
NOT-FOR-US: CeLa Link CLR-M20 devices
 CVE-2018-15136
@@ -4671,9 +4671,9 @@ CVE-2018-13396
 CVE-2018-13395
RESERVED
 CVE-2018-13394 (The acceptAnswer resource in Atlassian Confluence Questions 
before ...)
-   TODO: check
+   NOT-FOR-US: Atlassian Confluence Questions
 CVE-2018-13393 (The convertCommentToAnswer resource in Atlassian Confluence 
Questions ...)
-   TODO: check
+   NOT-FOR-US: Atlassian Confluence Questions
 CVE-2018-13392 (Several resources in Atlassian Fisheye and Crucible before 
version ...)
NOT-FOR-US: Atlassian
 CVE-2018-13391
@@ -8127,7 +8127,7 @@ CVE-2018-12058
 CVE-2018-12057
RESERVED
 CVE-2018-12056 (The maxRandom function of a smart contract implementation for 
All For ...)
-   TODO: check
+   NOT-FOR-US: smart contract implementation for All For One
 CVE-2018-12055 (Multiple SQL Injections exist in PHP Scripts Mall Schools 
Alert ...)
NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script
 CVE-2018-12054 (Arbitrary File Read exists in PHP Scripts Mall Schools Alert 
Management ...)
@@ -9083,7 +9083,7 @@ CVE-2018-11689 (Smart Viewer in Samsung Web Viewer for 
Samsung DVR is vulnerable
 CVE-2018-11688 (Ignite Realtime Openfire 3.7.1 is vulnerable to cross-site 
scripting, ...)
NOT-FOR-US: Ignite Realtime Openfire
 CVE-2018-11687 (An integer overflow in the distributeBTR function of a smart 
contract ...)
-   TODO: check
+   NOT-FOR-US: smart contract implementation for Bitcoin Red (BTCR)
 CVE-2018-11686
RESERVED
 CVE-2018-11685 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the 
function ...)
@@ -10285,7 +10285,7 @@ CVE-2018-11249
 CVE-2018-11248 (util/FileDownloadUtils.java in FileDownloader 1.7.3 does not 
check an ...)
NOT-FOR-US: FileDownloader
 CVE-2018-11247 (The JMX/RMI interface in Nasdaq BWise 5.0 does not require ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2018-11246
RESERVED
 CVE-2018-11245 (app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with 
cortex ...)
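Review bot: the new `NOT-FOR-US: SAP` on CVE-2018-11247 does not match the product named in the description line directly above it (`The JMX/RMI interface in Nasdaq BWise 5.0`). Every other NOT-FOR-US line in this commit repeats the product from its description (e.g. `NOT-FOR-US: Ericsson-LG iPECS NMS 30M`, `NOT-FOR-US: Atlassian Confluence Questions`), so this should either read `NOT-FOR-US: Nasdaq BWise` or carry a NOTE explaining why SAP is the relevant vendor.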
@@ -12308,11 +12308,11 @@ CVE-2018-10514
 CVE-2018-10513
RESERVED
 CVE-2018-10512 (A vulnerability in Trend Micro Control Manager (versions 6.0 
and 7.0) ...)
-   TODO: check

[Git][security-tracker-team/security-tracker][master] automatic update

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3785198 by security tracker role at 2018-08-15T20:10:19Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,29 @@
+CVE-2018-15362
+   RESERVED
+CVE-2018-15361
+   RESERVED
+CVE-2018-15360
+   RESERVED
+CVE-2018-15359
+   RESERVED
+CVE-2018-15358
+   RESERVED
+CVE-2018-15357
+   RESERVED
+CVE-2018-15356
+   RESERVED
+CVE-2018-15355
+   RESERVED
+CVE-2018-15354
+   RESERVED
+CVE-2018-15353
+   RESERVED
+CVE-2018-15352
+   RESERVED
+CVE-2018-15351
+   RESERVED
+CVE-2018-15350
+   RESERVED
 CVE-2018- [openssh username enumeration]
- openssh  (bug #906236)
NOTE: http://www.openwall.com/lists/oss-security/2018/08/15/5
@@ -379,8 +405,8 @@ CVE-2018-15174 (XnView 2.45 allows remote attackers to 
cause a denial of service
 CVE-2018-15173 (Nmap through 7.70, when the -sV option is used, allows remote 
attackers ...)
- nmap  (unimportant)
NOTE: No security impact
-CVE-2018-15172
-   RESERVED
+CVE-2018-15172 (TP-Link WR840N devices have a buffer overflow via a long 
Authorization ...)
+   TODO: check
 CVE-2018-15171
RESERVED
 CVE-2018-15170
@@ -411,28 +437,28 @@ CVE-2018-15158
RESERVED
 CVE-2018-15157
RESERVED
-CVE-2018-15156
-   RESERVED
-CVE-2018-15155
-   RESERVED
-CVE-2018-15154
-   RESERVED
-CVE-2018-15153
-   RESERVED
-CVE-2018-15152
-   RESERVED
-CVE-2018-15151
-   RESERVED
-CVE-2018-15150
-   RESERVED
-CVE-2018-15149
-   RESERVED
-CVE-2018-15148
-   RESERVED
-CVE-2018-15147
-   RESERVED
-CVE-2018-15146
-   RESERVED
+CVE-2018-15156 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
+   TODO: check
+CVE-2018-15155 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
+   TODO: check
+CVE-2018-15154 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
+   TODO: check
+CVE-2018-15153 (OS command injection occurring in versions of OpenEMR before 
5.0.1.4 ...)
+   TODO: check
+CVE-2018-15152 (Authentication bypass vulnerability in 
portal/account/register.php in ...)
+   TODO: check
+CVE-2018-15151 (SQL injection vulnerability in ...)
+   TODO: check
+CVE-2018-15150 (SQL injection vulnerability in ...)
+   TODO: check
+CVE-2018-15149 (SQL injection vulnerability in ...)
+   TODO: check
+CVE-2018-15148 (SQL injection vulnerability in ...)
+   TODO: check
+CVE-2018-15147 (SQL injection vulnerability in 
interface/forms_admin/forms_admin.php ...)
+   TODO: check
+CVE-2018-15146 (SQL injection vulnerability in ...)
+   TODO: check
 CVE-2018-15145 (Multiple SQL injection vulnerabilities in ...)
NOT-FOR-US: OpenEMR
 CVE-2018-15144 (SQL injection vulnerability in ...)
@@ -447,8 +473,8 @@ CVE-2018-15140 (Directory traversal in 
portal/import_template.php in versions of
NOT-FOR-US: OpenEMR
 CVE-2018-15139 (Unrestricted file upload in 
interface/super/manage_site_files.php in ...)
NOT-FOR-US: OpenEMR
-CVE-2018-15138
-   RESERVED
+CVE-2018-15138 (Ericsson-LG iPECS NMS 30M allows directory traversal via ...)
+   TODO: check
 CVE-2018-15137 (CeLa Link CLR-M20 devices allow unauthorized users to upload 
any file ...)
NOT-FOR-US: CeLa Link CLR-M20 devices
 CVE-2018-15136
@@ -1205,13 +1231,11 @@ CVE-2018-14782 (NetComm Wireless G LTE Light Industrial 
M2M Router (NWL-25) with
NOT-FOR-US: NetComm Wireless G LTE Light Industrial M2M Router
 CVE-2018-14781 (Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 
Paradigm ...)
NOT-FOR-US: Medtronic
-CVE-2018-14780
-   RESERVED
+CVE-2018-14780 (An out-of-bounds read issue was discovered in the Yubico-Piv 
1.5.0 ...)
- yubico-piv-tool  (low; bug #906128)
[stretch] - yubico-piv-tool  (Minor issue)
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/
-CVE-2018-14779
-   RESERVED
+CVE-2018-14779 (A buffer overflow issue was discovered in the Yubico-Piv 1.5.0 
...)
- yubico-piv-tool  (low; bug #906128)
[stretch] - yubico-piv-tool  (Minor issue)
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/
@@ -1407,8 +1431,7 @@ CVE-2018-14724
RESERVED
 CVE-2018-14723
RESERVED
-CVE-2018-14722 [Code execution]
-   RESERVED
+CVE-2018-14722 (An issue was discovered in evaluate_auto_mountpoint in ...)
- btrfsmaintenance 0.4.1-2 (bug #906131)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1102721
 CVE-2018-14721
@@ -1949,7 +1972,7 @@ CVE-2018-14526 (An issue was discovered in rsn_supp/wpa.c 
in wpa_supplicant 2.0 
NOTE: 
https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unau

[Git][security-tracker-team/security-tracker][master] Add bug reference for openssh issue

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2526da01 by Salvatore Bonaccorso at 2018-08-15T19:52:17Z
Add bug reference for openssh issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,5 +1,5 @@
 CVE-2018- [openssh username enumeration]
-   - openssh 
+   - openssh  (bug #906236)
NOTE: http://www.openwall.com/lists/oss-security/2018/08/15/5
NOTE: 
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
 CVE-2018-15349
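Review bot: `- openssh  (bug #906236)` renders with nothing between the source package and the bug reference, and the tracker syntax is `- <source> <fixed-version or marker such as <unfixed>> (notes)`; that middle token is what drives the unstable status, so confirm the committed line carries `<unfixed>` rather than an empty field. The entry also still uses the placeholder ID `CVE-2018-` and will need renaming once the assignment is known.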



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2526da01e29ee5453547b6c68f5e0908be8a52b4


[Git][security-tracker-team/security-tracker][master] CVE-2016-9140 finally REJECTED by its CNA as not being a security issue

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1fbe541d by Salvatore Bonaccorso at 2018-08-15T19:51:07Z
CVE-2016-9140 finally REJECTED by its CNA as not being a security issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -94182,12 +94182,8 @@ CVE-2016-9122 (go-jose before 1.0.4 suffers from 
multiple signatures exploitatio
- golang-gopkg-square-go-jose.v1 1.0.5-1
 CVE-2016-9121 (go-jose before 1.0.4 suffers from an invalid curve attack for 
the ...)
- golang-gopkg-square-go-jose.v1 1.0.5-1
-CVE-2016-9140 [RCE]
-   RESERVED
-   - zabbix 1:3.0.6+dfsg-1 (bug #842702; unimportant)
-   NOTE: https://www.exploit-db.com/exploits/39937/
-   NOTE: Claimed to be not a vulnerability but a superadmin using a feature
-   NOTE: as intended. 1:3.0.6+dfsg-1 improved the API script.execute 
validation.
+CVE-2016-9140
+   REJECTED
 CVE-2016-9139 (Cross-site scripting (XSS) vulnerability in Open Ticket Request 
System ...)
{DLA-787-1}
- otrs2 5.0.14-1 (bug #843091)
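Review bot: the bare `REJECTED` drops the three NOTE lines that recorded why this was not a vulnerability (a superadmin using script.execute as intended, with 1:3.0.6+dfsg-1 tightening the API validation) and the exploit-db reference. Git history keeps them, but a single NOTE pointing at the rejection rationale would help the next person who comes across the exploit-db PoC and looks this ID up. Unrelated to this change but visible in the context: the entry still sits between CVE-2016-9121 and CVE-2016-9139, out of numeric order.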



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1fbe541d8de4eaf332121977b19c7aa4164bc264


[Git][security-tracker-team/security-tracker][master] stretch triage

2018-08-15 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd5acd84 by Moritz Muehlenhoff at 2018-08-15T18:47:47Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -853,6 +853,7 @@ CVE-2018- [Heap-based buffer overflow in zutils zcat]
NOTE: Fixed by: upstream/0001-zcat-buffer-overrun.patch (in 1.7-3)
 CVE-2018-14938 (An issue was discovered in wifipcap/wifipcap.cpp in TCPFLOW 
through ...)
- tcpflow  (bug #905483)
+   [stretch] - tcpflow  (Minor issue)
NOTE: 
https://github.com/simsong/tcpflow/commit/a4e1cd14eb5ccc51ed271b65b3420f7d692c40eb
NOTE: https://github.com/simsong/tcpflow/issues/182
 CVE-2018-14937 (The Add page option in my little forum 2.4.12 allows XSS via 
the Menu ...)
@@ -1788,6 +1789,7 @@ CVE-2018-14569
RESERVED
 CVE-2018-1999024 (MathJax version prior to version 2.7.4 contains a Cross Site 
Scripting ...)
- mathjax 2.7.4+dfsg-1
+   [stretch] - mathjax  (Minor issue)
NOTE: 
https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1
 CVE-2018-1999021 (Gleezcms Gleez Cms version 1.3.0 contains a Cross Site 
Scripting (XSS) ...)
NOT-FOR-US: Gleezcms Gleez Cms
@@ -18400,6 +18402,7 @@ CVE-2018-8033
RESERVED
 CVE-2018-8032 (Apache Axis 1.x up to and including 1.4 is vulnerable to a 
cross-site ...)
- axis  (bug #905328)
+   [stretch] - axis  (Minor issue)
NOTE: https://issues.apache.org/jira/browse/AXIS-2924
NOTE: https://svn.apache.org/r1831943
 CVE-2018-8031 (The TomEE console (tomee-webapp) has a XSS vulnerability which 
could ...)


=
data/dsa-needed.txt
=
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -18,6 +18,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 asterisk
   berni working on updates
 --
+ceph
+--
 enigmail
 --
 gitlab
@@ -52,6 +54,8 @@ mariadb-10.1/stable
   including some other changes -> Needs review if suitable to include via
   security upload or need an SRM ack first.
 --
+mbedtls
+--
 mercurial
 --
 mosquitto (seb)
@@ -68,6 +72,8 @@ openjfx
 --
 openjpeg2 (luciano)
 --
+otrs2
+--
 passenger
 --
 php-horde-image
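Review bot: `ceph`, `mbedtls` and `otrs2` are added to dsa-needed.txt as bare names, with no claimant and no NOTE naming the CVEs that put them there; the neighbouring entries show the convention (`asterisk` carries `berni working on updates`, `mariadb-10.1/stable` a note on whether an SRM ack is needed). A one-line NOTE per package listing the driving CVE IDs saves the next person a grep through CVE/list before they can pick the package up.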



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd5acd849355c3e87b95df2e09a902a836233b65


[Git][security-tracker-team/security-tracker][master] new openssh issue

2018-08-15 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60aad65f by Moritz Muehlenhoff at 2018-08-15T16:36:56Z
new openssh issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,7 @@
+CVE-2018- [openssh username enumeration]
+   - openssh 
+   NOTE: http://www.openwall.com/lists/oss-security/2018/08/15/5
+   NOTE: 
https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0
 CVE-2018-15349
RESERVED
 CVE-2018-15348
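Review bot: the new entry has no severity and no `[stretch]`/`[jessie]` lines, only the oss-security post and the OpenBSD commit. Since the referenced commit is the upstream fix, a NOTE stating which Debian openssh version first contains it, plus a severity in parentheses as other entries in this file do (e.g. `(low; bug #906128)`), would let the stable and LTS teams triage without re-reading the thread.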



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/60aad65f65f8c144e59e4fee37082321d680d686


[Git][security-tracker-team/security-tracker][master] "new" apache issue

2018-08-15 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
442ba6eb by Moritz Muehlenhoff at 2018-08-15T14:14:06Z
"new" apache issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -108176,7 +108176,8 @@ CVE-2016-4977 (When processing authorization requests 
using the whitelabel views
 CVE-2016-4976 (Apache Ambari 2.x before 2.4.0 includes KDC administrator 
passwords on ...)
NOT-FOR-US: Apache Ambari
 CVE-2016-4975 (Possible CRLF injection allowing HTTP response splitting 
attacks for ...)
-   TODO: check
+   - apache2 2.4.25-1 (low)
+   NOTE: 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975
 CVE-2016-4974 (Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) 
before ...)
- qpid-java  (bug #840131)
 CVE-2016-4973 (Binaries compiled against targets that use the libssp library 
in GCC ...)
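Review bot: `- apache2 2.4.25-1 (low)` records only the unstable fix. For a 2016 CVE whose fix is tied to 2.4.25, the useful information is the status of the supported releases, so add `[stretch]`/`[jessie]` lines: any release shipping an apache2 older than 2.4.25 is affected by this entry as written, and the httpd security page linked in the NOTE gives the upstream fixed release to compare against.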



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/442ba6eb5369f3f8791816519e4e8e5899ccf524


[Git][security-tracker-team/security-tracker][master] CVE-2018-1000544,ruby-zip: Fixed in unstable

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c049dea by Markus Koschany at 2018-08-15T13:26:33Z
CVE-2018-1000544,ruby-zip: Fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -6403,7 +6403,7 @@ CVE-2018-1000546 (Triplea version <= 1.9.0.0.10291 
contains a XML External En
 CVE-2018-1000545
REJECTED
 CVE-2018-1000544 (rubyzip gem rubyzip version 1.2.1 and earlier contains a 
Directory ...)
-   - ruby-zip  (bug #902720)
+   - ruby-zip 1.2.1-1.1 (bug #902720)
NOTE: https://github.com/rubyzip/rubyzip/issues/369
 CVE-2018-1000543 (Akiee version 0.0.3 contains a XSS leading to code execution 
due to ...)
NOT-FOR-US: Akiee
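Review bot: the fixed version `1.2.1-1.1` is a Debian revision of the same upstream 1.2.1 that the description marks as affected (`rubyzip version 1.2.1 and earlier`), so the fix has to be a backported patch rather than a new upstream release; the entry only links issue #369, and a NOTE naming the upstream commit that was backported would make the fix checkable. The entry also still has no `[stretch]` line, even though jessie already has DLA-1467-1 for this CVE.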



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c049dea3be648c407b561433ecd3c93096c6694


[Git][security-tracker-team/security-tracker][master] claim bind9

2018-08-15 Thread Thorsten Alteholz
Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
676e5c19 by Thorsten Alteholz at 2018-08-15T13:14:21Z
claim bind9

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -14,7 +14,7 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
   NOTE: 20180810: Patch available at https://pagure.io/389-ds-base/issue/49789.
   NOTE: See debian-lts post: 
https://lists.debian.org/debian-lts/2018/08/msg00023.html
 --
-bind9
+bind9 (Thorsten Alteholz)
 --
 clamav (Santiago)
   NOTE: 0.100.1 uploaded but waiting for ftp-master. Adding this temporary 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/676e5c19d1c0ae11cbcf316e257bc8c1d8331733


[Git][security-tracker-team/security-tracker][master] CVE-2018-1999023,wesnoth-1.10: Games are not supported in Jessie.

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
193c6f9a by Markus Koschany at 2018-08-15T13:04:42Z
CVE-2018-1999023,wesnoth-1.10: Games are not supported in Jessie.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2007,6 +2007,7 @@ CVE-2018-1999023 (The Battle for Wesnoth Project version 
1.7.0 through 1.14.3 co
- wesnoth-1.14 1:1.14.4-1
- wesnoth-1.12 
- wesnoth-1.10 
+   [jessie] - wesnoth-1.10  (Games are not supported in 
Jessie)
NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1
NOTE: 
https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318
 (1.14.x)
 CVE-2018-14505 (mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, 
related to ...)
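Review bot: the rendered `[jessie] - wesnoth-1.10  (Games are not supported in Jessie)` shows no status marker before the parenthesised reason, and the marker matters here: `<no-dsa>` says the issue is minor and will not get an update, while `<end-of-life>` says the package is outside LTS support, which is what the stated reason describes. Confirm the committed line uses the marker that matches the reason. The unstable lines `- wesnoth-1.12 ` and `- wesnoth-1.10 ` in the context render without a version or marker as well.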



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/193c6f9ab41428dfa58d254aa07d2ea60f3f610f


[Git][security-tracker-team/security-tracker][master] Claim gdm3 in dla-needed.txt

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
10865841 by Markus Koschany at 2018-08-15T13:02:47Z
Claim gdm3 in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -32,6 +32,8 @@ firefox-esr (Emilio Pozuelo)
 --
 fuse (Thorsten Alteholz)
 --
+gdm3 (Markus Koschany)
+--
 git-annex
   NOTE: 20180710: See #903037 for more information and a fix for Stretch.
   NOTE: See debian-lts post: 
https://lists.debian.org/debian-lts/2018/07/msg00063.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/10865841b4c4f6f0ec7c6f179d312e628fb2b367


[Git][security-tracker-team/security-tracker][master] CVE-2018-14446,mp4v2: Mark as no-dsa for Jessie.

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be8dc989 by Markus Koschany at 2018-08-15T13:01:38Z
CVE-2018-14446,mp4v2: Mark as no-dsa for Jessie.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2143,6 +2143,7 @@ CVE-2018-14447 (trim_whitespace in lexer.l in libConfuse 
v3.2.1 has an out-of-bo
 CVE-2018-14446 (MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 
allows ...)
- mp4v2  (bug #904896)
[stretch] - mp4v2  (Minor issue)
+   [jessie] - mp4v2  (Minor issue)
NOTE: https://github.com/TechSmith/mp4v2/issues/20
 CVE-2018-14445 (In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp 
allows ...)
NOT-FOR-US: Bento4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/be8dc9891488713d60554232508f93be2fe12dbd


[Git][security-tracker-team/security-tracker][master] libykneomgr is no-dsa in Jessie. Minor issue

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98cd31eb by Markus Koschany at 2018-08-15T12:52:00Z
libykneomgr is no-dsa in Jessie. Minor issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -81,6 +81,7 @@ CVE-2018-15310
 CVE-2018- [libykneomgr memory corruption]
- libykneomgr  (low; bug #906138)
[stretch] - libykneomgr  (Minor issue)
+   [jessie] - libykneomgr  (Minor issue)
NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/
 CVE-2018- [XSA 272: oxenstored does not apply quota-maxentity]
- xen  (unimportant)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/98cd31eb0cb559f16893caff3df20dd1dc86a8c9


[Git][security-tracker-team/security-tracker][master] CVE-2018-14447,confuse: Mark as no-dsa for Jessie. Minor issue.

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6f1de948 by Markus Koschany at 2018-08-15T12:35:39Z
CVE-2018-14447,confuse: Mark as no-dsa for Jessie. Minor issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2137,6 +2137,7 @@ CVE-2018-14448 (Codec::parse in track.cpp in Untrunc 
through 2018-06-07 has a NU
 CVE-2018-14447 (trim_whitespace in lexer.l in libConfuse v3.2.1 has an 
out-of-bounds ...)
- confuse 3.2.1+dfsg-5 (bug #904159)
[stretch] - confuse  (Minor issue)
+   [jessie] - confuse  (Minor issue)
NOTE: https://github.com/martinh/libconfuse/issues/109
 CVE-2018-14446 (MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 
allows ...)
- mp4v2  (bug #904896)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f1de9486b50e791e1c9a1de22a21d9db5490fb1


[Git][security-tracker-team/security-tracker][master] Add bind9 to dla-needed.txt

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1a6d31a9 by Markus Koschany at 2018-08-15T12:34:54Z
Add bind9 to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -14,6 +14,8 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
   NOTE: 20180810: Patch available at https://pagure.io/389-ds-base/issue/49789.
   NOTE: See debian-lts post: 
https://lists.debian.org/debian-lts/2018/08/msg00023.html
 --
+bind9
+--
 clamav (Santiago)
   NOTE: 0.100.1 uploaded but waiting for ftp-master. Adding this temporary 
   NOTE: to avoid duplicating work.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1a6d31a9d26d785765448b4e6d9b7c6a48f701cd


[Git][security-tracker-team/security-tracker][master] 2 commits: Add intel-microcode to dla-needed.txt

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e910cdb4 by Markus Koschany at 2018-08-15T11:03:32Z
Add intel-microcode to dla-needed.txt

- - - - -
d0f82f72 by Markus Koschany at 2018-08-15T11:03:53Z
Merge branch 'master' of 
salsa.debian.org:security-tracker-team/security-tracker

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -34,6 +34,8 @@ git-annex
   NOTE: 20180710: See #903037 for more information and a fix for Stretch.
   NOTE: See debian-lts post: 
https://lists.debian.org/debian-lts/2018/07/msg00063.html
 --
+intel-microcode
+--
 jetty (Hugo Lefeuvre)
   NOTE: 20180702: jetty8 almost never marked as affected whereas jetty and 
jetty9 are. Reason ?
   NOTE: 20180702: CVE-2018-12536 fixed in latest upstream release. Looks like 
upstream
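Review bot: `intel-microcode` is added without a NOTE naming the CVEs or the upstream microcode release the jessie update is expected to pull in; the neighbouring entries (`git-annex`, `jetty`) carry a bug number and a dated NOTE, which is what lets the next LTS worker pick the package up without re-triaging from scratch.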



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/98164bdbca9771f640d60fc8031186a29ab69bc3...d0f82f7203349fedfebf8cb7caf5b557f17c20af


[Git][security-tracker-team/security-tracker][master] Adjust source package name

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98164bdb by Salvatore Bonaccorso at 2018-08-15T10:59:03Z
Adjust source package name

src:azureus did build vuze binary package.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -4586,7 +4586,7 @@ CVE-2018-13419 (An issue has been found in libsndfile 
1.0.28. There is a memory 
 CVE-2018-13418
RESERVED
 CVE-2018-13417 (In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for 
...)
-   - vuze 
+   - azureus 
 CVE-2018-13416 (In Universal Media Server (UMS) 7.1.0, the XML parsing engine 
for ...)
NOT-FOR-US: Universal Media Server
 CVE-2018-13415 (In Plex Media Server 1.13.2.5154, the XML parsing engine for 
SSDP/UPnP ...)
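Review bot: the tracker keys status lines by source package, so switching the line from vuze to azureus is the right fix. One follow-up: the earlier "vuze removed" commit in this thread records that the package has left the archive, so make sure the azureus line carries the removed-package state rather than reading like an open issue in unstable once the tracker regenerates.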



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/98164bdbca9771f640d60fc8031186a29ab69bc3


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1467-1 for ruby-zip

2018-08-15 Thread Markus Koschany
Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c2ed267 by Markus Koschany at 2018-08-15T10:57:05Z
Reserve DLA-1467-1 for ruby-zip

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1,3 +1,6 @@
+[15 Aug 2018] DLA-1467-1 ruby-zip - security update
+   {CVE-2018-1000544}
+   [jessie] - ruby-zip 1.1.6-1+deb8u2
 [13 Aug 2018] DLA-1466-1 linux-4.9 - security update
{CVE-2018-5390 CVE-2018-5391 CVE-2018-13405}
[jessie] - linux-4.9 4.9.110-3+deb9u2~deb8u1


=
data/dla-needed.txt
=
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -94,8 +94,6 @@ phpldapadmin
 --
 qemu (Santiago)
 --
-ruby-zip (Markus Koschany)
---
 ruby2.1
 --
 samba (Holger Levsen)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c2ed2677df8204fd45b0bdfb3e113f3522571ef


[Git][security-tracker-team/security-tracker][master] vuze removed

2018-08-15 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab02092a by Moritz Muehlenhoff at 2018-08-15T10:35:29Z
vuze removed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -4586,7 +4586,7 @@ CVE-2018-13419 (An issue has been found in libsndfile 
1.0.28. There is a memory 
 CVE-2018-13418
RESERVED
 CVE-2018-13417 (In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for 
...)
-   TODO: check
+   - vuze 
 CVE-2018-13416 (In Universal Media Server (UMS) 7.1.0, the XML parsing engine 
for ...)
NOT-FOR-US: Universal Media Server
 CVE-2018-13415 (In Plex Media Server 1.13.2.5154, the XML parsing engine for 
SSDP/UPnP ...)
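Review bot: "vuze" is the binary package name; the source package that built it is azureus, and the tracker keys status lines on source packages, so this line should read "- azureus" (the follow-up commit 98164bdb in this thread makes exactly that correction). When clearing a TODO for a package that has left the archive, checking the source name first avoids the second round-trip.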



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab02092a78f2434758c2ab351d36aa1f63a7cb71


[Git][security-tracker-team/security-tracker][master] NFUs

2018-08-15 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d665e85 by Moritz Muehlenhoff at 2018-08-15T09:56:55Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2190,7 +2190,7 @@ CVE-2018-14431
 CVE-2018-14430 (The Mondula Multi Step Form plugin through 1.2.5 for WordPress 
allows ...)
NOT-FOR-US:  Mondula Multi Step Form plugin for WordPress
 CVE-2018-14429 (man-cgi before 1.16 allows Local File Inclusion via absolute 
path ...)
-   TODO: check
+   NOT-FOR-US: man-cgi
 CVE-2018-14428
RESERVED
 CVE-2018-14427
@@ -3309,8 +3309,7 @@ CVE-2018-14008
RESERVED
 CVE-2018-14007 [XAPI HTTP directory traversal]
RESERVED
-   NOTE: https://xenbits.xen.org/xsa/advisory-271.html
-   TODO: check
+   NOT-FOR-US: xapi
 CVE-2018-14006 (An integer overflow vulnerability exists in the function ...)
NOT-FOR-US: Neo Genesis Token (NGT)
 CVE-2018-14005 (An integer overflow vulnerability exists in the function 
transferAny of ...)
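Review bot: dropping the NOTE line loses the only pointer to the upstream advisory, https://xenbits.xen.org/xsa/advisory-271.html, for a CVE whose entry is otherwise a RESERVED placeholder with a bracketed title. NOT-FOR-US and NOTE lines can coexist in this file; keep the XSA-271 reference so the source is at hand if the NOT-FOR-US call for xapi is ever revisited.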
@@ -6796,7 +6795,7 @@ CVE-2018-12541
 CVE-2018-12540 (In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the 
CSRFHandler do ...)
NOT-FOR-US: Eclipse Vertx
 CVE-2018-12539 (In Eclipse OpenJ9 version 0.8, users other than the process 
owner may ...)
-   TODO: check
+   NOT-FOR-US: Eclipse OpenJ9
 CVE-2018-12538 (In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the 
optional ...)
- jetty9  (Only affects 9.4.x)
- jetty8  (Only affects 9.4.x)
@@ -21414,19 +21413,19 @@ CVE-2018-7101
 CVE-2018-7100 (A potential security vulnerability has been identified in HPE 
...)
NOT-FOR-US: HPE OfficeConnect 1810 Switch Series
 CVE-2018-7099 (A security vulnerability was identified in 3PAR Service 
Processor (SP) ...)
-   TODO: check
+   NOT-FOR-US: 3PAR
 CVE-2018-7098 (A security vulnerability was identified in 3PAR Service 
Processor (SP) ...)
-   TODO: check
+   NOT-FOR-US: 3PAR
 CVE-2018-7097 (A security vulnerability was identified in 3PAR Service 
Processor (SP) ...)
-   TODO: check
+   NOT-FOR-US: 3PAR
 CVE-2018-7096 (A security vulnerability was identified in 3PAR Service 
Processor (SP) ...)
-   TODO: check
+   NOT-FOR-US: 3PAR
 CVE-2018-7095 (A security vulnerability was identified in 3PAR Service 
Processor (SP) ...)
-   TODO: check
+   NOT-FOR-US: 3PAR
 CVE-2018-7094 (A security vulnerability was identified in 3PAR Service 
Processor (SP) ...)
-   TODO: check
+   NOT-FOR-US: 3PAR
 CVE-2018-7093 (A security vulnerability in HPE Integrated Lights-Out 3 prior 
to ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7092 (A potential security vulnerability has been identified in HPE 
...)
NOT-FOR-US: HPE
 CVE-2018-7091 (HPE XP P9000 Command View Advanced Edition Software (CVAE) has 
open ...)
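Review bot: the NOT-FOR-US labels in this hunk are inconsistent for one vendor: six 3PAR Service Processor CVEs get "3PAR", the Integrated Lights-Out 3 one gets "HPE", and the neighbouring context line uses the full product name "HPE OfficeConnect 1810 Switch Series". These labels are what later greps and the web view show, so use the product as given in the description, e.g. "HPE 3PAR Service Processor" and "HPE Integrated Lights-Out 3".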
@@ -21458,7 +21457,7 @@ CVE-2018-7079
 CVE-2018-7078 (A remote code execution was identified in HPE Integrated 
Lights-Out 4 ...)
NOT-FOR-US: HPE
 CVE-2018-7077 (A security vulnerability in HPE XP P9000 Command View Advanced 
Edition ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7076
RESERVED
 CVE-2018-7075 (A remote cross-site scripting (XSS) vulnerability was 
identified in ...)
@@ -30421,9 +30420,9 @@ CVE-2018-3940
 CVE-2018-3939 (An exploitable use-after-free vulnerability exists in the 
JavaScript ...)
NOT-FOR-US: Foxit
 CVE-2018-3938 (An exploitable stack-based buffer overflow vulnerability exists 
in the ...)
-   TODO: check
+   NOT-FOR-US: Sony
 CVE-2018-3937 (An exploitable command injection vulnerability exists in the 
...)
-   TODO: check
+   NOT-FOR-US: Sony
 CVE-2018-3936 (In Antenna House Office Server Document Converter version V6.1 
Pro MR2 ...)
NOT-FOR-US: Antenna House Office Server Document Converter
 CVE-2018-3935
@@ -42134,7 +42133,7 @@ CVE-2018-0133
 CVE-2018-0132 (A vulnerability in the forwarding information base (FIB) code 
of Cisco ...)
NOT-FOR-US: Cisco
 CVE-2018-0131 (A vulnerability in the implementation of RSA-encrypted nonces 
in Cisco ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2018-0130 (A vulnerability in the use of JSON web tokens by the web-based 
service ...)
NOT-FOR-US: Cisco
 CVE-2018-0129 (A vulnerability in the web-based management interface of Cisco 
Data ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d665e85b9cd98feeb2fd906d78874a1df1b5815


[Git][security-tracker-team/security-tracker][master] Track proposed update for confuse via stretch-pu

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b769894b by Salvatore Bonaccorso at 2018-08-15T09:06:47Z
Track proposed update for confuse via stretch-pu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -36,3 +36,5 @@ CVE-2018-14526
[stretch] - wpa 2:2.4-1+deb9u2
 CVE-2015-9262
[stretch] - libxcursor 1:1.1.14-1+deb9u2
+CVE-2018-14447
+   [stretch] - confuse 3.0+dfsg-2+deb9u1
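Review bot: the version 3.0+dfsg-2+deb9u1 follows the stable-update convention used by the wpa and libxcursor entries above it. CVE-2018-14447 is also tracked in data/CVE/list (its entry appears as context in the btrfsmaintenance/mp4v2 commit in this thread); check that the CVE/list entry gets a matching [stretch] annotation when the point release ships so the two files do not disagree about the stretch status.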



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b769894b4cf6a69a32394a977a69e37898a6f821


[Git][security-tracker-team/security-tracker][master] btrfsmaintenance fixed

2018-08-15 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eae2a566 by Moritz Muehlenhoff at 2018-08-15T08:52:04Z
btrfsmaintenance fixed
mp4v2 no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1403,7 +1403,7 @@ CVE-2018-14723
RESERVED
 CVE-2018-14722 [Code execution]
RESERVED
-   - btrfsmaintenance  (bug #906131)
+   - btrfsmaintenance 0.4.1-2 (bug #906131)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1102721
 CVE-2018-14721
RESERVED
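Review bot: the fixed version 0.4.1-2 is recorded while the CVE itself is still RESERVED with only the bracketed placeholder "[Code execution]" and a single SUSE bugzilla link. Add a NOTE pointing at the upstream fix or the Debian changelog entry for 0.4.1-2 that closes #906131, so the claim that -2 fixes the issue can be checked without opening the bug.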
@@ -2140,6 +2140,7 @@ CVE-2018-14447 (trim_whitespace in lexer.l in libConfuse 
v3.2.1 has an out-of-bo
NOTE: https://github.com/martinh/libconfuse/issues/109
 CVE-2018-14446 (MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 
allows ...)
- mp4v2  (bug #904896)
+   [stretch] - mp4v2  (Minor issue)
NOTE: https://github.com/TechSmith/mp4v2/issues/20
 CVE-2018-14445 (In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp 
allows ...)
NOT-FOR-US: Bento4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/eae2a566f2f7c84a6b6648a6580bff78a07a2c22


[Git][security-tracker-team/security-tracker][master] automatic update

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d319debb by security tracker role at 2018-08-15T08:10:18Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -26786,6 +26786,7 @@ CVE-2018-5392 (mingw-w64 version 5.0.4 by default 
produces executables that opt 
NOTE: https://www.kb.cert.org/vuls/id/307144 (describes workaround)
 CVE-2018-5391 [Remote denial of service via improper IP fragment handling]
RESERVED
+   {DSA-4272-1 DLA-1466-1}
- linux 
NOTE: Mitigation: Change the default values of 
net.ipv4.ipfrag_high_thresh and
NOTE: net.ipv4.ipfrag_low_thresh back to 256kB and 192 kB 
(respectively) or
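Review bot: the advisory cross-reference {DSA-4272-1 DLA-1466-1} is consistent with the DLA-1466-1 entry shown earlier in this thread (linux-4.9 4.9.110-3+deb9u2~deb8u1 for CVE-2018-5390, CVE-2018-5391 and CVE-2018-13405). Since this landed through the automatic update with no human review, it is worth a manual glance that the mitigation NOTE lines below still match the sysctl defaults the DSA text recommends.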
@@ -35158,7 +35159,7 @@ CVE-2018-2418 (SAP MaxDB ODBC driver (all versions 
before 7.9.09.07) allows an .
NOT-FOR-US: SAP MaxDB ODBC driver
 CVE-2018-2417 (Under certain conditions, the SAP Identity Management 8.0 (pass 
of ...)
NOT-FOR-US: SAP Identity Management
-CVE-2018-2416 (SAP Identity Management 7.2 does not sufficiently validate an 
XML ...)
+CVE-2018-2416 (SAP Identity Management 7.2 and 8.0 do not sufficiently 
validate an ...)
NOT-FOR-US: SAP Identity Management
 CVE-2018-2415 (SAP NetWeaver Application Server Java Web Container and HTTP 
Service ...)
NOT-FOR-US: SAP NetWeaver Application Server Java Web Container and 
HTTP Service



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d319debb2be2ddd9329ff35f7cdc6769067bb9b8


[Git][security-tracker-team/security-tracker][master] libarchive issue fixed in unstable

2018-08-15 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ae6b00f by Salvatore Bonaccorso at 2018-08-15T07:06:26Z
libarchive issue fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -50219,7 +50219,7 @@ CVE-2017-14502 (read_header in 
archive_read_support_format_rar.c in libarchive 3
NOTE: 
https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
 CVE-2017-14501 (An out-of-bounds read flaw exists in parse_file_info in ...)
-   - libarchive  (bug #875966)
+   - libarchive 3.2.2-4.2 (bug #875966)
[stretch] - libarchive  (Minor issue)
[jessie] - libarchive  (Minor issue)
[wheezy] - libarchive  (Minor issue)
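Review bot: 3.2.2-4.2 is a Debian-revision-only bump, so the fix landed as a patch on the existing 3.2.2 upstream rather than via a new upstream release. The adjacent CVE-2017-14502 entry records the upstream commit and oss-fuzz issue it corresponds to; add the same kind of NOTE here for CVE-2017-14501 so a backporter for stretch or jessie (both still marked "Minor issue") can find the patch without digging through #875966.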



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ae6b00fa5f182abb44fe1009970990509c650ef
