[Git][security-tracker-team/security-tracker][master] Reserve DLA-1468-1 for fuse
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: d47c977b by Thorsten Alteholz at 2018-08-15T20:39:35Z Reserve DLA-1468-1 for fuse - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[15 Aug 2018] DLA-1468-1 fuse - security update + {CVE-2018-10906} + [jessie] - fuse 2.9.3-15+deb8u3 [15 Aug 2018] DLA-1467-1 ruby-zip - security update {CVE-2018-1000544} [jessie] - ruby-zip 1.1.6-1+deb8u2 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -30,8 +30,6 @@ firefox-esr (Emilio Pozuelo) NOTE: 20180525: We will need an update to Firefox ESR 60 in jessie once 52 goes EOL. NOTE: 20180525: This needs some backports (llvm, rustc, cargo) which need some work. -- -fuse (Thorsten Alteholz) --- gdm3 (Markus Koschany) -- git-annex View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d47c977b557fd8e7bac4ed821ea98c22dfe4d300 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d47c977b557fd8e7bac4ed821ea98c22dfe4d300 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d167d223 by Salvatore Bonaccorso at 2018-08-15T20:25:45Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -406,7 +406,7 @@ CVE-2018-15173 (Nmap through 7.70, when the -sV option is used, allows remote at - nmap (unimportant) NOTE: No security impact CVE-2018-15172 (TP-Link WR840N devices have a buffer overflow via a long Authorization ...) - TODO: check + NOT-FOR-US: TP-Link WR840N devices CVE-2018-15171 RESERVED CVE-2018-15170 
@@ -438,27 +438,27 @@ CVE-2018-15158 CVE-2018-15157 RESERVED CVE-2018-15156 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15155 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15154 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15153 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15152 (Authentication bypass vulnerability in portal/account/register.php in ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15151 (SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15150 (SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15149 (SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15148 (SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15147 (SQL injection vulnerability in interface/forms_admin/forms_admin.php ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15146 (SQL injection vulnerability in ...) - TODO: check + NOT-FOR-US: OpenEMR CVE-2018-15145 (Multiple SQL injection vulnerabilities in ...) NOT-FOR-US: OpenEMR CVE-2018-15144 (SQL injection vulnerability in ...) @@ -474,7 +474,7 @@ CVE-2018-15140 (Directory traversal in portal/import_template.php in versions of CVE-2018-15139 (Unrestricted file upload in interface/super/manage_site_files.php in ...) NOT-FOR-US: OpenEMR CVE-2018-15138 (Ericsson-LG iPECS NMS 30M allows directory traversal via ...) - TODO: check + NOT-FOR-US: Ericsson-LG iPECS NMS 30M CVE-2018-15137 (CeLa Link CLR-M20 devices allow unauthorized users to upload any file ...) NOT-FOR-US: CeLa Link CLR-M20 devices CVE-2018-15136 
@@ -4671,9 +4671,9 @@ CVE-2018-13396 CVE-2018-13395 RESERVED CVE-2018-13394 (The acceptAnswer resource in Atlassian Confluence Questions before ...) - TODO: check + NOT-FOR-US: Atlassian Confluence Questions CVE-2018-13393 (The convertCommentToAnswer resource in Atlassian Confluence Questions ...) - TODO: check + NOT-FOR-US: Atlassian Confluence Questions CVE-2018-13392 (Several resources in Atlassian Fisheye and Crucible before version ...) NOT-FOR-US: Atlassian CVE-2018-13391 @@ -8127,7 +8127,7 @@ CVE-2018-12058 CVE-2018-12057 RESERVED CVE-2018-12056 (The maxRandom function of a smart contract implementation for All For ...) - TODO: check + NOT-FOR-US: smart contract implementation for All For One CVE-2018-12055 (Multiple SQL Injections exist in PHP Scripts Mall Schools Alert ...) NOT-FOR-US: PHP Scripts Mall Schools Alert Management Script CVE-2018-12054 (Arbitrary File Read exists in PHP Scripts Mall Schools Alert Management ...) @@ -9083,7 +9083,7 @@ CVE-2018-11689 (Smart Viewer in Samsung Web Viewer for Samsung DVR is vulnerable CVE-2018-11688 (Ignite Realtime Openfire 3.7.1 is vulnerable to cross-site scripting, ...) NOT-FOR-US: Ignite Realtime Openfire CVE-2018-11687 (An integer overflow in the distributeBTR function of a smart contract ...) - TODO: check + NOT-FOR-US: smart contract implementation for Bitcoin Red (BTCR) CVE-2018-11686 RESERVED CVE-2018-11685 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function ...) @@ -10285,7 +10285,7 @@ CVE-2018-11249 CVE-2018-11248 (util/FileDownloadUtils.java in FileDownloader 1.7.3 does not check an ...) NOT-FOR-US: FileDownloader CVE-2018-11247 (The JMX/RMI interface in Nasdaq BWise 5.0 does not require ...) - TODO: check + NOT-FOR-US: SAP CVE-2018-11246 RESERVED CVE-2018-11245 (app/webroot/js/misp.js in MISP 2.4.91 has a DOM based XSS with cortex ...) 
@@ -12308,11 +12308,11 @@ CVE-2018-10514 CVE-2018-10513 RESERVED CVE-2018-10512 (A vulnerability in Trend Micro Control Manager (versions 6.0 and 7.0) ...) - TODO: check
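Review bot: in the @@ -10285 hunk the triage for CVE-2018-11247 is `+ NOT-FOR-US: SAP`, but the description on the same line names Nasdaq BWise 5.0, not SAP; the NOT-FOR-US text should name the product the CVE actually describes, as the other lines in this commit do (e.g. `+ NOT-FOR-US: OpenEMR`, `+ NOT-FOR-US: Ericsson-LG iPECS NMS 30M`), otherwise a later reader cannot verify why it was excluded.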
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3785198 by security tracker role at 2018-08-15T20:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,29 @@ +CVE-2018-15362 + RESERVED +CVE-2018-15361 + RESERVED +CVE-2018-15360 + RESERVED +CVE-2018-15359 + RESERVED +CVE-2018-15358 + RESERVED +CVE-2018-15357 + RESERVED +CVE-2018-15356 + RESERVED +CVE-2018-15355 + RESERVED +CVE-2018-15354 + RESERVED +CVE-2018-15353 + RESERVED +CVE-2018-15352 + RESERVED +CVE-2018-15351 + RESERVED +CVE-2018-15350 + RESERVED CVE-2018- [openssh username enumeration] - openssh (bug #906236) NOTE: http://www.openwall.com/lists/oss-security/2018/08/15/5 @@ -379,8 +405,8 @@ CVE-2018-15174 (XnView 2.45 allows remote attackers to cause a denial of service CVE-2018-15173 (Nmap through 7.70, when the -sV option is used, allows remote attackers ...) - nmap (unimportant) NOTE: No security impact -CVE-2018-15172 - RESERVED +CVE-2018-15172 (TP-Link WR840N devices have a buffer overflow via a long Authorization ...) + TODO: check CVE-2018-15171 RESERVED CVE-2018-15170 
@@ -411,28 +437,28 @@ CVE-2018-15158 RESERVED CVE-2018-15157 RESERVED -CVE-2018-15156 - RESERVED -CVE-2018-15155 - RESERVED -CVE-2018-15154 - RESERVED -CVE-2018-15153 - RESERVED -CVE-2018-15152 - RESERVED -CVE-2018-15151 - RESERVED -CVE-2018-15150 - RESERVED -CVE-2018-15149 - RESERVED -CVE-2018-15148 - RESERVED -CVE-2018-15147 - RESERVED -CVE-2018-15146 - RESERVED +CVE-2018-15156 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) + TODO: check +CVE-2018-15155 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) + TODO: check +CVE-2018-15154 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) + TODO: check +CVE-2018-15153 (OS command injection occurring in versions of OpenEMR before 5.0.1.4 ...) + TODO: check +CVE-2018-15152 (Authentication bypass vulnerability in portal/account/register.php in ...) + TODO: check +CVE-2018-15151 (SQL injection vulnerability in ...) + TODO: check +CVE-2018-15150 (SQL injection vulnerability in ...) + TODO: check +CVE-2018-15149 (SQL injection vulnerability in ...) + TODO: check +CVE-2018-15148 (SQL injection vulnerability in ...) + TODO: check +CVE-2018-15147 (SQL injection vulnerability in interface/forms_admin/forms_admin.php ...) + TODO: check +CVE-2018-15146 (SQL injection vulnerability in ...) + TODO: check CVE-2018-15145 (Multiple SQL injection vulnerabilities in ...) NOT-FOR-US: OpenEMR CVE-2018-15144 (SQL injection vulnerability in ...) @@ -447,8 +473,8 @@ CVE-2018-15140 (Directory traversal in portal/import_template.php in versions of NOT-FOR-US: OpenEMR CVE-2018-15139 (Unrestricted file upload in interface/super/manage_site_files.php in ...) NOT-FOR-US: OpenEMR -CVE-2018-15138 - RESERVED +CVE-2018-15138 (Ericsson-LG iPECS NMS 30M allows directory traversal via ...) + TODO: check CVE-2018-15137 (CeLa Link CLR-M20 devices allow unauthorized users to upload any file ...) NOT-FOR-US: CeLa Link CLR-M20 devices CVE-2018-15136 
@@ -1205,13 +1231,11 @@ CVE-2018-14782 (NetComm Wireless G LTE Light Industrial M2M Router (NWL-25) with NOT-FOR-US: NetComm Wireless G LTE Light Industrial M2M Router CVE-2018-14781 (Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm ...) NOT-FOR-US: Medtronic -CVE-2018-14780 - RESERVED +CVE-2018-14780 (An out-of-bounds read issue was discovered in the Yubico-Piv 1.5.0 ...) - yubico-piv-tool (low; bug #906128) [stretch] - yubico-piv-tool (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/ -CVE-2018-14779 - RESERVED +CVE-2018-14779 (A buffer overflow issue was discovered in the Yubico-Piv 1.5.0 ...) - yubico-piv-tool (low; bug #906128) [stretch] - yubico-piv-tool (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/ @@ -1407,8 +1431,7 @@ CVE-2018-14724 RESERVED CVE-2018-14723 RESERVED -CVE-2018-14722 [Code execution] - RESERVED +CVE-2018-14722 (An issue was discovered in evaluate_auto_mountpoint in ...) - btrfsmaintenance 0.4.1-2 (bug #906131) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1102721 CVE-2018-14721 @@ -1949,7 +1972,7 @@ CVE-2018-14526 (An issue was discovered in rsn_supp/wpa.c in wpa_supplicant 2.0 NOTE: https://w1.fi/security/2018-1/rebased-v2.6-0001-WPA-Ignore-unau
[Git][security-tracker-team/security-tracker][master] Add bug reference for openssh issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2526da01 by Salvatore Bonaccorso at 2018-08-15T19:52:17Z Add bug reference for openssh issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,5 +1,5 @@ CVE-2018- [openssh username enumeration] - - openssh + - openssh (bug #906236) NOTE: http://www.openwall.com/lists/oss-security/2018/08/15/5 NOTE: https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 CVE-2018-15349 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2526da01e29ee5453547b6c68f5e0908be8a52b4
[Git][security-tracker-team/security-tracker][master] CVE-2016-9140 finally REJECTED by its CNA as not being a security issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1fbe541d by Salvatore Bonaccorso at 2018-08-15T19:51:07Z CVE-2016-9140 finally REJECTED by its CNA as not being a security issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -94182,12 +94182,8 @@ CVE-2016-9122 (go-jose before 1.0.4 suffers from multiple signatures exploitatio - golang-gopkg-square-go-jose.v1 1.0.5-1 CVE-2016-9121 (go-jose before 1.0.4 suffers from an invalid curve attack for the ...) - golang-gopkg-square-go-jose.v1 1.0.5-1 -CVE-2016-9140 [RCE] - RESERVED - - zabbix 1:3.0.6+dfsg-1 (bug #842702; unimportant) - NOTE: https://www.exploit-db.com/exploits/39937/ - NOTE: Claimed to be not a vulnerability but a superadmin using a feature - NOTE: as intended. 1:3.0.6+dfsg-1 improved the API script.execute validation. +CVE-2016-9140 + REJECTED CVE-2016-9139 (Cross-site scripting (XSS) vulnerability in Open Ticket Request System ...) {DLA-787-1} - otrs2 5.0.14-1 (bug #843091) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1fbe541d8de4eaf332121977b19c7aa4164bc264
[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fd5acd84 by Moritz Muehlenhoff at 2018-08-15T18:47:47Z stretch triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -853,6 +853,7 @@ CVE-2018- [Heap-based buffer overflow in zutils zcat] NOTE: Fixed by: upstream/0001-zcat-buffer-overrun.patch (in 1.7-3) CVE-2018-14938 (An issue was discovered in wifipcap/wifipcap.cpp in TCPFLOW through ...) - tcpflow (bug #905483) + [stretch] - tcpflow (Minor issue) NOTE: https://github.com/simsong/tcpflow/commit/a4e1cd14eb5ccc51ed271b65b3420f7d692c40eb NOTE: https://github.com/simsong/tcpflow/issues/182 CVE-2018-14937 (The Add page option in my little forum 2.4.12 allows XSS via the Menu ...) @@ -1788,6 +1789,7 @@ CVE-2018-14569 RESERVED CVE-2018-1999024 (MathJax version prior to version 2.7.4 contains a Cross Site Scripting ...) - mathjax 2.7.4+dfsg-1 + [stretch] - mathjax (Minor issue) NOTE: https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1 CVE-2018-1999021 (Gleezcms Gleez Cms version 1.3.0 contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: Gleezcms Gleez Cms @@ -18400,6 +18402,7 @@ CVE-2018-8033 RESERVED CVE-2018-8032 (Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site ...) - axis (bug #905328) + [stretch] - axis (Minor issue) NOTE: https://issues.apache.org/jira/browse/AXIS-2924 NOTE: https://svn.apache.org/r1831943 CVE-2018-8031 (The TomEE console (tomee-webapp) has a XSS vulnerability which could ...) = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -18,6 +18,8 @@ If needed, specify the release by adding a slash after the name of the source pa asterisk berni working on updates -- +ceph +-- enigmail -- gitlab 
@@ -52,6 +54,8 @@ mariadb-10.1/stable including some other changes -> Needs review if suitable to include via security upload or need an SRM ack first. -- +mbedtls +-- mercurial -- mosquitto (seb) @@ -68,6 +72,8 @@ openjfx -- openjpeg2 (luciano) -- +otrs2 +-- passenger -- php-horde-image View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd5acd849355c3e87b95df2e09a902a836233b65
[Git][security-tracker-team/security-tracker][master] new openssh issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 60aad65f by Moritz Muehlenhoff at 2018-08-15T16:36:56Z new openssh issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,7 @@ +CVE-2018- [openssh username enumeration] + - openssh + NOTE: http://www.openwall.com/lists/oss-security/2018/08/15/5 + NOTE: https://github.com/openbsd/src/commit/779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 CVE-2018-15349 RESERVED CVE-2018-15348 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/60aad65f65f8c144e59e4fee37082321d680d686
[Git][security-tracker-team/security-tracker][master] "new" apache issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 442ba6eb by Moritz Muehlenhoff at 2018-08-15T14:14:06Z "new" apache issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -108176,7 +108176,8 @@ CVE-2016-4977 (When processing authorization requests using the whitelabel views CVE-2016-4976 (Apache Ambari 2.x before 2.4.0 includes KDC administrator passwords on ...) NOT-FOR-US: Apache Ambari CVE-2016-4975 (Possible CRLF injection allowing HTTP response splitting attacks for ...) - TODO: check + - apache2 2.4.25-1 (low) + NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2016-4975 CVE-2016-4974 (Apache Qpid AMQP 0-x JMS client before 6.0.4 and JMS (AMQP 1.0) before ...) - qpid-java (bug #840131) CVE-2016-4973 (Binaries compiled against targets that use the libssp library in GCC ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/442ba6eb5369f3f8791816519e4e8e5899ccf524
[Git][security-tracker-team/security-tracker][master] CVE-2018-1000544,ruby-zip: Fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c049dea by Markus Koschany at 2018-08-15T13:26:33Z CVE-2018-1000544,ruby-zip: Fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6403,7 +6403,7 @@ CVE-2018-1000546 (Triplea version <= 1.9.0.0.10291 contains a XML External En CVE-2018-1000545 REJECTED CVE-2018-1000544 (rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory ...) - - ruby-zip (bug #902720) + - ruby-zip 1.2.1-1.1 (bug #902720) NOTE: https://github.com/rubyzip/rubyzip/issues/369 CVE-2018-1000543 (Akiee version 0.0.3 contains a XSS leading to code execution due to ...) NOT-FOR-US: Akiee View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c049dea3be648c407b561433ecd3c93096c6694
[Git][security-tracker-team/security-tracker][master] claim bind9
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 676e5c19 by Thorsten Alteholz at 2018-08-15T13:14:21Z claim bind9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -14,7 +14,7 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues NOTE: 20180810: Patch available at https://pagure.io/389-ds-base/issue/49789. NOTE: See debian-lts post: https://lists.debian.org/debian-lts/2018/08/msg00023.html -- -bind9 +bind9 (Thorsten Alteholz) -- clamav (Santiago) NOTE: 0.100.1 uploaded but waiting for ftp-master. Adding this temporary View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/676e5c19d1c0ae11cbcf316e257bc8c1d8331733
[Git][security-tracker-team/security-tracker][master] CVE-2018-1999023,wesnoth-1.10: Games are not supported in Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 193c6f9a by Markus Koschany at 2018-08-15T13:04:42Z CVE-2018-1999023,wesnoth-1.10: Games are not supported in Jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2007,6 +2007,7 @@ CVE-2018-1999023 (The Battle for Wesnoth Project version 1.7.0 through 1.14.3 co - wesnoth-1.14 1:1.14.4-1 - wesnoth-1.12 - wesnoth-1.10 + [jessie] - wesnoth-1.10 (Games are not supported in Jessie) NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 NOTE: https://github.com/wesnoth/wesnoth/commit/d911268a783467842d38eae7ac1630f1fea41318 (1.14.x) CVE-2018-14505 (mitmweb in mitmproxy v4.0.3 allows DNS Rebinding attacks, related to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/193c6f9ab41428dfa58d254aa07d2ea60f3f610f
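Review bot: the added line `+ [jessie] - wesnoth-1.10 (Games are not supported in Jessie)` shows only a parenthesised reason and, as displayed here, no status marker or version for jessie; a reason alone does not tell the tracker whether the jessie issue is being ignored or deferred, so confirm the intended release-status marker is present on the line before the entry is relied on for jessie triage.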
[Git][security-tracker-team/security-tracker][master] Claim gdm3 in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 10865841 by Markus Koschany at 2018-08-15T13:02:47Z Claim gdm3 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -32,6 +32,8 @@ firefox-esr (Emilio Pozuelo) -- fuse (Thorsten Alteholz) -- +gdm3 (Markus Koschany) +-- git-annex NOTE: 20180710: See #903037 for more information and a fix for Stretch. NOTE: See debian-lts post: https://lists.debian.org/debian-lts/2018/07/msg00063.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10865841b4c4f6f0ec7c6f179d312e628fb2b367
[Git][security-tracker-team/security-tracker][master] CVE-2018-14446,mp4v2: Mark as no-dsa for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: be8dc989 by Markus Koschany at 2018-08-15T13:01:38Z CVE-2018-14446,mp4v2: Mark as no-dsa for Jessie. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2143,6 +2143,7 @@ CVE-2018-14447 (trim_whitespace in lexer.l in libConfuse v3.2.1 has an out-of-bo CVE-2018-14446 (MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 allows ...) - mp4v2 (bug #904896) [stretch] - mp4v2 (Minor issue) + [jessie] - mp4v2 (Minor issue) NOTE: https://github.com/TechSmith/mp4v2/issues/20 CVE-2018-14445 (In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp allows ...) NOT-FOR-US: Bento4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/be8dc9891488713d60554232508f93be2fe12dbd
[Git][security-tracker-team/security-tracker][master] libykneomgr is no-dsa in Jessie. Minor issue
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 98cd31eb by Markus Koschany at 2018-08-15T12:52:00Z libykneomgr is no-dsa in Jessie. Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -81,6 +81,7 @@ CVE-2018-15310 CVE-2018- [libykneomgr memory corruption] - libykneomgr (low; bug #906138) [stretch] - libykneomgr (Minor issue) + [jessie] - libykneomgr (Minor issue) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/ CVE-2018- [XSA 272: oxenstored does not apply quota-maxentity] - xen (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98cd31eb0cb559f16893caff3df20dd1dc86a8c9
[Git][security-tracker-team/security-tracker][master] CVE-2018-14447,confuse: Mark as no-dsa for Jessie. Minor issue.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f1de948 by Markus Koschany at 2018-08-15T12:35:39Z CVE-2018-14447,confuse: Mark as no-dsa for Jessie. Minor issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2137,6 +2137,7 @@ CVE-2018-14448 (Codec::parse in track.cpp in Untrunc through 2018-06-07 has a NU CVE-2018-14447 (trim_whitespace in lexer.l in libConfuse v3.2.1 has an out-of-bounds ...) - confuse 3.2.1+dfsg-5 (bug #904159) [stretch] - confuse (Minor issue) + [jessie] - confuse (Minor issue) NOTE: https://github.com/martinh/libconfuse/issues/109 CVE-2018-14446 (MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 allows ...) - mp4v2 (bug #904896) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f1de9486b50e791e1c9a1de22a21d9db5490fb1
[Git][security-tracker-team/security-tracker][master] Add bind9 to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a6d31a9 by Markus Koschany at 2018-08-15T12:34:54Z Add bind9 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -14,6 +14,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues NOTE: 20180810: Patch available at https://pagure.io/389-ds-base/issue/49789. NOTE: See debian-lts post: https://lists.debian.org/debian-lts/2018/08/msg00023.html -- +bind9 +-- clamav (Santiago) NOTE: 0.100.1 uploaded but waiting for ftp-master. Adding this temporary NOTE: to avoid duplicating work. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1a6d31a9d26d785765448b4e6d9b7c6a48f701cd
[Git][security-tracker-team/security-tracker][master] 2 commits: Add intel-microcode to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e910cdb4 by Markus Koschany at 2018-08-15T11:03:32Z Add intel-microcode to dla-needed.txt - - - - - d0f82f72 by Markus Koschany at 2018-08-15T11:03:53Z Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -34,6 +34,8 @@ git-annex NOTE: 20180710: See #903037 for more information and a fix for Stretch. NOTE: See debian-lts post: https://lists.debian.org/debian-lts/2018/07/msg00063.html -- +intel-microcode +-- jetty (Hugo Lefeuvre) NOTE: 20180702: jetty8 almost never marked as affected whereas jetty and jetty9 are. Reason ? NOTE: 20180702: CVE-2018-12536 fixed in latest upstream release. Looks like upstream View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/98164bdbca9771f640d60fc8031186a29ab69bc3...d0f82f7203349fedfebf8cb7caf5b557f17c20af
[Git][security-tracker-team/security-tracker][master] Adjust source package name
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98164bdb by Salvatore Bonaccorso at 2018-08-15T10:59:03Z Adjust source package name src:azureus built the vuze binary package. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4586,7 +4586,7 @@ CVE-2018-13419 (An issue has been found in libsndfile 1.0.28. There is a memory CVE-2018-13418 RESERVED CVE-2018-13417 (In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for ...) - - vuze + - azureus CVE-2018-13416 (In Universal Media Server (UMS) 7.1.0, the XML parsing engine for ...) NOT-FOR-US: Universal Media Server CVE-2018-13415 (In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98164bdbca9771f640d60fc8031186a29ab69bc3
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1467-1 for ruby-zip
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c2ed267 by Markus Koschany at 2018-08-15T10:57:05Z Reserve DLA-1467-1 for ruby-zip - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[15 Aug 2018] DLA-1467-1 ruby-zip - security update + {CVE-2018-1000544} + [jessie] - ruby-zip 1.1.6-1+deb8u2 [13 Aug 2018] DLA-1466-1 linux-4.9 - security update {CVE-2018-5390 CVE-2018-5391 CVE-2018-13405} [jessie] - linux-4.9 4.9.110-3+deb9u2~deb8u1 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -94,8 +94,6 @@ phpldapadmin -- qemu (Santiago) -- -ruby-zip (Markus Koschany) --- ruby2.1 -- samba (Holger Levsen) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c2ed2677df8204fd45b0bdfb3e113f3522571ef
[Git][security-tracker-team/security-tracker][master] vuze removed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ab02092a by Moritz Muehlenhoff at 2018-08-15T10:35:29Z vuze removed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4586,7 +4586,7 @@ CVE-2018-13419 (An issue has been found in libsndfile 1.0.28. There is a memory CVE-2018-13418 RESERVED CVE-2018-13417 (In Vuze Bittorrent Client 5.7.6.0, the XML parsing engine for ...) - TODO: check + - vuze CVE-2018-13416 (In Universal Media Server (UMS) 7.1.0, the XML parsing engine for ...) NOT-FOR-US: Universal Media Server CVE-2018-13415 (In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab02092a78f2434758c2ab351d36aa1f63a7cb71
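Review bot: the replacement line `- vuze` uses the binary package name, but data/CVE/list entries are keyed by source package; the source that builds vuze is azureus, which is why the follow-up commit 98164bdb in this same batch has to change the line to `- azureus`. Checking the source name before replacing `TODO: check` would have avoided the second commit. Separately, the commit message says the package was removed, yet the entry as written carries neither a fixed version nor any marker of the removal, so that information lives only in the commit message; consider recording the removal in the entry itself.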
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d665e85 by Moritz Muehlenhoff at 2018-08-15T09:56:55Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2190,7 +2190,7 @@ CVE-2018-14431 CVE-2018-14430 (The Mondula Multi Step Form plugin through 1.2.5 for WordPress allows ...) NOT-FOR-US: Mondula Multi Step Form plugin for WordPress CVE-2018-14429 (man-cgi before 1.16 allows Local File Inclusion via absolute path ...) - TODO: check + NOT-FOR-US: man-cgi CVE-2018-14428 RESERVED CVE-2018-14427 @@ -3309,8 +3309,7 @@ CVE-2018-14008 RESERVED CVE-2018-14007 [XAPI HTTP directory traversal] RESERVED - NOTE: https://xenbits.xen.org/xsa/advisory-271.html - TODO: check + NOT-FOR-US: xapi CVE-2018-14006 (An integer overflow vulnerability exists in the function ...) NOT-FOR-US: Neo Genesis Token (NGT) CVE-2018-14005 (An integer overflow vulnerability exists in the function transferAny of ...) @@ -6796,7 +6795,7 @@ CVE-2018-12541 CVE-2018-12540 (In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the CSRFHandler do ...) NOT-FOR-US: Eclipse Vertx CVE-2018-12539 (In Eclipse OpenJ9 version 0.8, users other than the process owner may ...) - TODO: check + NOT-FOR-US: Eclipse OpenJ9 CVE-2018-12538 (In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional ...) - jetty9 (Only affects 9.4.x) - jetty8 (Only affects 9.4.x) 
@@ -21414,19 +21413,19 @@ CVE-2018-7101 CVE-2018-7100 (A potential security vulnerability has been identified in HPE ...) NOT-FOR-US: HPE OfficeConnect 1810 Switch Series CVE-2018-7099 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) - TODO: check + NOT-FOR-US: 3PAR CVE-2018-7098 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) - TODO: check + NOT-FOR-US: 3PAR CVE-2018-7097 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) - TODO: check + NOT-FOR-US: 3PAR CVE-2018-7096 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) - TODO: check + NOT-FOR-US: 3PAR CVE-2018-7095 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) - TODO: check + NOT-FOR-US: 3PAR CVE-2018-7094 (A security vulnerability was identified in 3PAR Service Processor (SP) ...) - TODO: check + NOT-FOR-US: 3PAR CVE-2018-7093 (A security vulnerability in HPE Integrated Lights-Out 3 prior to ...) - TODO: check + NOT-FOR-US: HPE CVE-2018-7092 (A potential security vulnerability has been identified in HPE ...) NOT-FOR-US: HPE CVE-2018-7091 (HPE XP P9000 Command View Advanced Edition Software (CVAE) has open ...) @@ -21458,7 +21457,7 @@ CVE-2018-7079 CVE-2018-7078 (A remote code execution was identified in HPE Integrated Lights-Out 4 ...) NOT-FOR-US: HPE CVE-2018-7077 (A security vulnerability in HPE XP P9000 Command View Advanced Edition ...) - TODO: check + NOT-FOR-US: HPE CVE-2018-7076 RESERVED CVE-2018-7075 (A remote cross-site scripting (XSS) vulnerability was identified in ...) 
@@ -30421,9 +30420,9 @@ CVE-2018-3940 CVE-2018-3939 (An exploitable use-after-free vulnerability exists in the JavaScript ...) NOT-FOR-US: Foxit CVE-2018-3938 (An exploitable stack-based buffer overflow vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Sony CVE-2018-3937 (An exploitable command injection vulnerability exists in the ...) - TODO: check + NOT-FOR-US: Sony CVE-2018-3936 (In Antenna House Office Server Document Converter version V6.1 Pro MR2 ...) NOT-FOR-US: Antenna House Office Server Document Converter CVE-2018-3935 @@ -42134,7 +42133,7 @@ CVE-2018-0133 CVE-2018-0132 (A vulnerability in the forwarding information base (FIB) code of Cisco ...) NOT-FOR-US: Cisco CVE-2018-0131 (A vulnerability in the implementation of RSA-encrypted nonces in Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-0130 (A vulnerability in the use of JSON web tokens by the web-based service ...) NOT-FOR-US: Cisco CVE-2018-0129 (A vulnerability in the web-based management interface of Cisco Data ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d665e85b9cd98feeb2fd906d78874a1df1b5815
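Review bot: in the CVE-2018-14007 hunk (`@@ -3309,8 +3309,7 @@`) the `NOTE: https://xenbits.xen.org/xsa/advisory-271.html` line is deleted together with `TODO: check`, so the only reference to the upstream advisory is lost when the entry becomes `NOT-FOR-US: xapi`. Since the entry's bracketed title names XAPI and Debian packages xen, the advisory link is what lets a later reader verify that the issue is in the XAPI toolstack and that NOT-FOR-US is the right call; suggest keeping the NOTE line alongside the NOT-FOR-US marker rather than removing it.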
[Git][security-tracker-team/security-tracker][master] Track proposed update for confuse via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b769894b by Salvatore Bonaccorso at 2018-08-15T09:06:47Z Track proposed update for confuse via stretch-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = --- a/data/next-point-update.txt +++ b/data/next-point-update.txt @@ -36,3 +36,5 @@ CVE-2018-14526 [stretch] - wpa 2:2.4-1+deb9u2 CVE-2015-9262 [stretch] - libxcursor 1:1.1.14-1+deb9u2 +CVE-2018-14447 + [stretch] - confuse 3.0+dfsg-2+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b769894b4cf6a69a32394a977a69e37898a6f821
[Git][security-tracker-team/security-tracker][master] btrfsmaintenance fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eae2a566 by Moritz Muehlenhoff at 2018-08-15T08:52:04Z btrfsmaintenance fixed mp4v2 no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1403,7 +1403,7 @@ CVE-2018-14723 RESERVED CVE-2018-14722 [Code execution] RESERVED - - btrfsmaintenance (bug #906131) + - btrfsmaintenance 0.4.1-2 (bug #906131) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1102721 CVE-2018-14721 RESERVED @@ -2140,6 +2140,7 @@ CVE-2018-14447 (trim_whitespace in lexer.l in libConfuse v3.2.1 has an out-of-bo NOTE: https://github.com/martinh/libconfuse/issues/109 CVE-2018-14446 (MP4Integer32Property::Read in atom_avcC.cpp in MP4v2 2.1.0 allows ...) - mp4v2 (bug #904896) + [stretch] - mp4v2 (Minor issue) NOTE: https://github.com/TechSmith/mp4v2/issues/20 CVE-2018-14445 (In Bento4 v1.5.1-624, AP4_File::ParseStream in Ap4File.cpp allows ...) NOT-FOR-US: Bento4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eae2a566f2f7c84a6b6648a6580bff78a07a2c22
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d319debb by security tracker role at 2018-08-15T08:10:18Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -26786,6 +26786,7 @@ CVE-2018-5392 (mingw-w64 version 5.0.4 by default produces executables that opt NOTE: https://www.kb.cert.org/vuls/id/307144 (describes workaround) CVE-2018-5391 [Remote denial of service via improper IP fragment handling] RESERVED + {DSA-4272-1 DLA-1466-1} - linux NOTE: Mitigation: Change the default values of net.ipv4.ipfrag_high_thresh and NOTE: net.ipv4.ipfrag_low_thresh back to 256kB and 192 kB (respectively) or @@ -35158,7 +35159,7 @@ CVE-2018-2418 (SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an . NOT-FOR-US: SAP MaxDB ODBC driver CVE-2018-2417 (Under certain conditions, the SAP Identity Management 8.0 (pass of ...) NOT-FOR-US: SAP Identity Management -CVE-2018-2416 (SAP Identity Management 7.2 does not sufficiently validate an XML ...) +CVE-2018-2416 (SAP Identity Management 7.2 and 8.0 do not sufficiently validate an ...) NOT-FOR-US: SAP Identity Management CVE-2018-2415 (SAP NetWeaver Application Server Java Web Container and HTTP Service ...) NOT-FOR-US: SAP NetWeaver Application Server Java Web Container and HTTP Service View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d319debb2be2ddd9329ff35f7cdc6769067bb9b8
[Git][security-tracker-team/security-tracker][master] libarchive issue fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ae6b00f by Salvatore Bonaccorso at 2018-08-15T07:06:26Z libarchive issue fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -50219,7 +50219,7 @@ CVE-2017-14502 (read_header in archive_read_support_format_rar.c in libarchive 3 NOTE: https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573 CVE-2017-14501 (An out-of-bounds read flaw exists in parse_file_info in ...) - - libarchive (bug #875966) + - libarchive 3.2.2-4.2 (bug #875966) [stretch] - libarchive (Minor issue) [jessie] - libarchive (Minor issue) [wheezy] - libarchive (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ae6b00fa5f182abb44fe1009970990509c650ef