[Git][security-tracker-team/security-tracker][master] discount DSA
Alessandro Ghedini pushed to branch master at Debian Security Tracker / security-tracker Commits: 34e60adc by Alessandro Ghedini at 2018-09-14T20:15:29Z discount DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[14 Sep 2018] DSA-4293-1 discount - security update + {CVE-2018-11468 CVE-2018-11503 CVE-2018-11504 CVE-2018-12495} + [stretch] - discount 2.2.2-1+deb9u1 [11 Sep 2018] DSA-4292-1 kamailio - security update {CVE-2018-16657} [stretch] - kamailio 4.4.4-2+deb9u3 = data/dsa-needed.txt = @@ -20,8 +20,6 @@ asterisk -- ceph -- -discount (ghedo) --- enigmail -- ghostscript (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34e60adc2cacd75170d1584f35f195a4c42769ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34e60adc2cacd75170d1584f35f195a4c42769ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
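Review bot: the DSA-4293-1 entry in data/DSA/list and the removal of the discount line from data/dsa-needed.txt are consistent with each other, but data/CVE/list is not touched, so the four CVE entries (CVE-2018-11468, CVE-2018-11503, CVE-2018-11504, CVE-2018-12495) will not carry {DSA-4293-1} until the automated run adds the cross-reference, which is exactly what the "automatic update" commit later in this digest does for CVE-2018-15909 and DSA-4288-1; until then the tracker still shows them open for stretch.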
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bfdf6da3 by security tracker role at 2018-09-14T20:10:30Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2673,7 +2673,7 @@ CVE-2018-15910 (In Artifex Ghostscript before 9.24, attackers able to supply cra NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699656 NOTE: https://www.kb.cert.org/vuls/id/332928 CVE-2018-15909 (In Artifex Ghostscript 9.23 before 2018-08-24, a type confusion using ...) - {DLA-1504-1} + {DSA-4288-1 DLA-1504-1} - ghostscript 9.22~dfsg-3 (bug #907332) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0b6cd1918e1ec4ffd087400a754a845180a4522b NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e01e77a36cbb2e0277bc3a63852244bec41be0f6 @@ -40934,8 +40934,8 @@ CVE-2018-1793 RESERVED CVE-2018-1792 RESERVED -CVE-2018-1791 - RESERVED +CVE-2018-1791 (IBM Connections 5.0, 5.5, and 6.0 is vulnerable to an External Service ...) + TODO: check CVE-2018-1790 RESERVED CVE-2018-1789 (IBM API Connect v2018.1.0 through v2018.3.4 could allow an attacker to ...) @@ -41078,8 +41078,8 @@ CVE-2018-1721 RESERVED CVE-2018-1720 RESERVED -CVE-2018-1719 - RESERVED +CVE-2018-1719 (IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than ...) + TODO: check CVE-2018-1718 (IBM Sterling B2B Integrator Standard Edition 5.2.0.1 - 5.2.6.3 is ...) NOT-FOR-US: IBM CVE-2018-1717 
@@ -45206,8 +45206,8 @@ CVE-2018-0720 RESERVED CVE-2018-0719 RESERVED -CVE-2018-0718 - RESERVED +CVE-2018-0718 (Command injection vulnerability in Music Station 5.1.2 and earlier ...) + TODO: check CVE-2018-0717 RESERVED CVE-2018-0716 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bfdf6da38c7fb4ea1a55a562d79d785152b41440
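Review bot: the first hunk adds {DSA-4288-1} to CVE-2018-15909, closing the loop on the manual DSA-list change made earlier in this digest. The remaining three hunks turn RESERVED entries into descriptions with "TODO: check"; two of them (CVE-2018-1791 IBM Connections, CVE-2018-1719 IBM WebSphere Application Server) concern a vendor the neighbouring CVE-2018-1718 line already marks "NOT-FOR-US: IBM", so they are candidates for the same triage in the next NFU pass rather than for package checks.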
[Git][security-tracker-team/security-tracker][master] Further update for CVE-2018-1051
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9f72066 by Salvatore Bonaccorso at 2018-09-14T19:42:02Z Further update for CVE-2018-1051 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43710,9 +43710,10 @@ CVE-2018-1052 (Memory disclosure vulnerability in table partitioning was found i - postgresql-9.4 (code introduced in 10) - postgresql-9.1 (code introduced in 10) CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 and ...) - - resteasy + - resteasy [jessie] - resteasy (Incomplete fix for CVE-2016-9606 wasn't backported) - resteasy3.0 (Incomplete fix for CVE-2016-9606 not applied) + NOTE: Removing deprecated YamlProvider was done in 4.0.0.Beta4 TODO: check CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...) {DSA-4135-1 DLA-1320-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f9f72066ead7964c58adf8a99d3f78e7c88e78f9
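Review bot: the "- resteasy" line is removed and re-added with no visible difference, so this is presumably a whitespace fix rather than a status change. The new NOTE records the upstream fix (dropping the deprecated YamlProvider in 4.0.0.Beta4), but the unstable line still has no fixed version and "TODO: check" stays, so the entry remains open until the Debian upload containing that change is identified; if unstable is still on the 3.x series, the NOTE should also say whether the provider removal was backported there.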
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-1051 and CVE-2016-9606
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3e0a286 by Salvatore Bonaccorso at 2018-09-14T19:32:33Z Update information for CVE-2018-1051 and CVE-2016-9606 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43712,7 +43712,7 @@ CVE-2018-1052 (Memory disclosure vulnerability in table partitioning was found i CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 and ...) - resteasy [jessie] - resteasy (Incomplete fix for CVE-2016-9606 wasn't backported) - - resteasy3.0 + - resteasy3.0 (Incomplete fix for CVE-2016-9606 not applied) TODO: check CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...) {DSA-4135-1 DLA-1320-1} @@ -96728,7 +96728,7 @@ CVE-2016-9607 CVE-2016-9606 (JBoss RESTEasy before version 3.1.2 could be forced into parsing a ...) - resteasy 3.1.4-1 (bug #851430) [jessie] - resteasy (Minor issue) - - resteasy3.0 + - resteasy3.0 NOTE: See CVE-2018-1051 to address original incomplete fix for CVE-2016-9606 CVE-2016-9605 (A flaw was found in cobbler software component version 2.6.11-1. It ...) - cobbler (bug #858844) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d3e0a286fba5fed94a6cfd9ff72a3a7c5dbce7f0
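Review bot: the reason added to the resteasy3.0 line ("Incomplete fix for CVE-2016-9606 not applied") explains why resteasy3.0 is not affected by CVE-2018-1051, but as rendered the line shows no status marker between the package name and the parenthesis; confirm the committed line carries the not-affected marker, since the reason text alone does not change the status. The resteasy3.0 line in the second hunk is removed and re-added unchanged, presumably a whitespace fix.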
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2017-7561
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b941270 by Salvatore Bonaccorso at 2018-09-14T19:28:20Z Update information for CVE-2017-7561 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75831,10 +75831,11 @@ CVE-2017-7562 (An authentication bypass flaw was found in the way krb5's certaut CVE-2017-7561 (Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is ...) - resteasy (bug #873392) [jessie] - resteasy (CORS Filter added in 3.0.7.Final) - - resteasy3.0 + - resteasy3.0 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1483823 NOTE: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704 NOTE: Fixed by: https://github.com/resteasy/Resteasy/commit/517db971d8f7094124416bf72091fd0b45a13028 + NOTE: Fixed in 4.0.0.Beta1, 3.0.25.Final, 3.5.0.CR1 CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable that ...) - rhnsd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1480550 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b94127021e65d8ee695de594884ebfa52c7223f
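Review bot: the added NOTE names the fixed upstream releases (4.0.0.Beta1, 3.0.25.Final, 3.5.0.CR1), yet the unstable line "- resteasy (bug #873392)" still has no fixed version; the CVE-2016-9606 entry elsewhere in this digest shows unstable resteasy at 3.1.4-1, and 3.1.x is not among the listed fixed branches, so whether upstream commit 517db971 is present in Debian's version needs checking before this can be marked fixed. The resteasy3.0 line is removed and re-added unchanged, presumably a whitespace fix.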
[Git][security-tracker-team/security-tracker][master] CVE-2018-16802/ghostscript fixed in experimental upload as 9.25~dfsg-1~exp1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a9c7601 by Salvatore Bonaccorso at 2018-09-14T19:17:33Z CVE-2018-16802/ghostscript fixed in experimental upload as 9.25~dfsg-1~exp1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -564,6 +564,7 @@ CVE-2018-16793 RESERVED CVE-2018-16802 (An issue was discovered in Artifex Ghostscript before 9.25. Incorrect ...) {DLA-1504-1} + [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3e5d316b72e3965b7968bb1d96baa137cd063ac6 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=643b24dbd002fb9c131313253c307cf3951b3d47 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a9c76010ee96c9f8c103f2b559d0560a2b7dceb
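Review bot: recording 9.25~dfsg-1~exp1 under [experimental] is fine, but unstable still shows "- ghostscript" without a fixed version and the entry references only DLA-1504-1; the DSA-4288-1 CVE list edited elsewhere in this digest does not include CVE-2018-16802, so stretch has neither a DSA reference nor a [stretch] status line here and remains open.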
[Git][security-tracker-team/security-tracker][master] Further fixes for ghostscript via experimental upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c12cd69 by Salvatore Bonaccorso at 2018-09-14T19:09:43Z Further fixes for ghostscript via experimental upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2762,6 +2762,7 @@ CVE-2017-18345 (The Joomanager component through 2.0.0 for Joomla! has an arbitr NOT-FOR-US: Joomla addon CVE-2018-16543 (In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution ...) {DSA-4288-1} + [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript (bug #908303) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699670 @@ -2800,6 +2801,7 @@ CVE-2018-16511 (An issue was discovered in Artifex Ghostscript before 9.24. A ty NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0edd3d6c634a577db261615a9dc2719bca7f6e01 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699659 CVE-2018-16510 (An issue was discovered in Artifex Ghostscript before 9.24. Incorrect ...) + [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript (bug #908304) [stretch] - ghostscript (Introduced in 9.22) [jessie] - ghostscript (vulnerable code is not present) @@ -2807,6 +2809,7 @@ CVE-2018-16510 (An issue was discovered in Artifex Ghostscript before 9.24. Inco NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699671 CVE-2018-16509 (An issue was discovered in Artifex Ghostscript before 9.24. Incorrect ...) {DLA-1504-1} + [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript (bug #907332; bug #907703) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=78911a01b67d590b4a91afac2e8417360b934156 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5516c614dc33662a2afdc377159f70218e67bde5 
@@ -2816,6 +2819,7 @@ CVE-2018-16509 (An issue was discovered in Artifex Ghostscript before 9.24. Inco NOTE: Partially fixed in 9.22~dfsg-3, see #907703 CVE-2018-16585 (An issue was discovered in Artifex Ghostscript before 9.24. The ...) {DSA-4288-1 DLA-1504-1} + [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript (bug #908305) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=1497d65039885a52b598b137dd8622bd4672f9be NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=971472c83a345a16dac9f90f91258bb22dd77f22 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8c12cd69f817e12450d1e138f6e376ff91cf99fd
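Review bot: the four entries now mirror the CVE-2018-16802 change (an [experimental] line for 9.25~dfsg-1~exp1 placed above the unstable line). Of the four, CVE-2018-16509 carries only DLA-1504-1 and, unlike CVE-2018-16543 and CVE-2018-16585 in the same set, has no DSA-4288-1 reference and no [stretch] line, so stretch remains open for it; its existing NOTE "Partially fixed in 9.22~dfsg-3, see #907703" calls for a follow-up NOTE stating whether the 9.25 upload completes that fix.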
[Git][security-tracker-team/security-tracker][master] 4 commits: Track r-cran-jsonld embedding jsonld.js
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f1237cf by Salvatore Bonaccorso at 2018-09-14T19:00:07Z Track r-cran-jsonld embedding jsonld.js - - - - - a0a8a335 by Salvatore Bonaccorso at 2018-09-14T19:01:29Z Track r-cran-webshot embedding Casper.js - - - - - e5ff844f by Salvatore Bonaccorso at 2018-09-14T19:03:54Z Track ruby-rails-assets-bootstrap-markdown embedding bootstrap-markdown.js - - - - - 47902041 by Salvatore Bonaccorso at 2018-09-14T19:04:47Z Track python-chartkick embedding Chartkick.js - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -3406,3 +3406,15 @@ twitter-bootstrap3 ruby-bootstrap-sass - ruby-rails-assets-bootstrap (embed; bug #838729) + +jsonld.js (not packaged in Debian; no ITP) + - r-cran-jsonld (embed; bug #908548) + +casperjs (RFP: #738827) + - r-cran-webshot (embed; bug #906039) + +bootstrap-markdown.js (not packaged in Debian; no ITP) + - ruby-rails-assets-bootstrap-markdown (embed; bug #838730) + +libjs-chartkick.js + - python-chartkick (embed; bug #836577) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/dc1511344f8cf846f8d5a61b0c351122a792c2e8...47902041f2635590d140f2b6c62af67cc966b65f
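Review bot: the first three new entries state how the upstream is packaged ("not packaged in Debian; no ITP", "RFP: #738827"), while the libjs-chartkick.js entry has no such annotation, so its heading reads as the Debian source package name; worth confirming that a source package of exactly that name exists, because a mismatch would stop the python-chartkick copy from being flagged when a Chartkick.js issue is filed against it.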
[Git][security-tracker-team/security-tracker][master] Update tracking information for CVE-2017-11737/rspamd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc151134 by Salvatore Bonaccorso at 2018-09-14T18:54:23Z Update tracking information for CVE-2017-11737/rspamd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62834,9 +62834,10 @@ CVE-2017-11739 CVE-2017-11738 RESERVED CVE-2017-11737 (interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS ...) - - rspamd + - rspamd 1.7.6-1 [jessie] - rspamd (Vulnerable code not present) NOTE: https://github.com/vstakhov/rspamd/issues/1738 + NOTE: https://github.com/rspamd/rspamd/pull/1739 CVE-2017-11736 (SQL injection vulnerability in ...) NOT-FOR-US: BigTree CMS CVE-2017-11735 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc1511344f8cf846f8d5a61b0c351122a792c2e8
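Review bot: unstable is now marked fixed at 1.7.6-1 and jessie as "Vulnerable code not present", but the hunk shows no [stretch] line; if rspamd ships in stretch at a version below 1.7.6-1 it needs a status there, and the newly referenced upstream PR 1739 is the change to compare against. As rendered, the jessie line shows no status marker before the parenthesised reason, so confirm the not-affected marker is present in the committed file.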
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-15834/radare2 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 51a07aa0 by Salvatore Bonaccorso at 2018-09-14T18:52:07Z Mark CVE-2018-15834/radare2 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2957,6 +2957,7 @@ CVE-2018-15835 RESERVED CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in the ...) - radare2 2.9.0+dfsg-1 + [stretch] - radare2 (Minor issue) [jessie] - radare2 (Vulnerable code added later in 0.9.8) NOTE: https://github.com/radare/radare2/issues/11274 NOTE: https://github.com/radare/radare2/pull/11300 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51a07aa02c0ab1976f2b77285b9f2ccbc3cde8f8
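Review bot: the subject says no-dsa, but the added line as rendered reads only "[stretch] - radare2 (Minor issue)" with no status marker between the package and the reason; confirm the committed line carries the no-dsa marker, since without it the tracker would treat stretch as plainly unfixed. Placing the [stretch] line above the existing [jessie] line matches the newer-release-first order used elsewhere in the file.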
[Git][security-tracker-team/security-tracker][master] mark CVE-2018-15834 as not-affected for jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4dca7fe5 by Thorsten Alteholz at 2018-09-14T13:13:12Z mark CVE-2018-15834 as not-affected for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2957,6 +2957,7 @@ CVE-2018-15835 RESERVED CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in the ...) - radare2 2.9.0+dfsg-1 + [jessie] - radare2 (Vulnerable code added later in 0.9.8) NOTE: https://github.com/radare/radare2/issues/11274 NOTE: https://github.com/radare/radare2/pull/11300 CVE-2018-15833 (In Vanilla before 2.6.1, the polling functionality allows Insecure ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4dca7fe5506e22fbae65a1d800a86ee304e6c430
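Review bot: as with the no-dsa commit for stretch in this digest, the subject says not-affected yet the rendered jessie line shows no marker before "(Vulnerable code added later in 0.9.8)"; confirm it is present in the committed file. Recording the upstream version that introduced the code is the right thing to do, since it lets a later reader compare it against jessie's radare2 version without re-reading upstream issue 11274.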
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-14320/libpodofo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eeda8519 by Salvatore Bonaccorso at 2018-09-14T12:44:33Z Add CVE-2018-14320/libpodofo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6744,8 +6744,10 @@ CVE-2018-14322 RESERVED CVE-2018-14321 RESERVED -CVE-2018-14320 +CVE-2018-14320 [PoDoFo Library ParseToUnicode Memory Corruption Information Disclosure Vulnerability] RESERVED + - libpodofo + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/ CVE-2018-14319 RESERVED CVE-2018-14318 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eeda8519703cbba465efd0bf1e5b93bc600dec52
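Review bot: the entry keeps RESERVED (the public description is still pending) while gaining a bracketed title, a "- libpodofo" line and the ZDI advisory as its only reference; the package line shows no fixed version, so it stands as open in unstable, and unlike the other open entries in this digest it has no "(bug #NNNN)" on that line, so a Debian bug against libpodofo should be filed and referenced so the maintainer sees it.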
[Git][security-tracker-team/security-tracker][master] Sort per source package
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 526aeb55 by Salvatore Bonaccorso at 2018-09-14T12:42:36Z Sort per source package - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43702,8 +43702,8 @@ CVE-2018-1052 (Memory disclosure vulnerability in table partitioning was found i - postgresql-9.1 (code introduced in 10) CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 and ...) - resteasy - - resteasy3.0 [jessie] - resteasy (Incomplete fix for CVE-2016-9606 wasn't backported) + - resteasy3.0 TODO: check CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...) {DSA-4135-1 DLA-1320-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/526aeb55bdaa883e5a2dd9772a60e1eaf376ee3e
[Git][security-tracker-team/security-tracker][master] Add CVE ID to ghostscript DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e9724c1 by Moritz Muehlenhoff at 2018-09-14T12:33:28Z Add CVE ID to ghostscript DSA The fixes were already backported to the DSA, but the CVE only assigned later on - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -11,7 +11,7 @@ {CVE-2018-16065 CVE-2018-16066 CVE-2018-16067 CVE-2018-16068 CVE-2018-16069 CVE-2018-16070 CVE-2018-16071 CVE-2018-16073 CVE-2018-16074 CVE-2018-16075 CVE-2018-16076 CVE-2018-16077 CVE-2018-16078 CVE-2018-16079 CVE-2018-16080 CVE-2018-16081 CVE-2018-16082 CVE-2018-16083 CVE-2018-16084 CVE-2018-16085 CVE-2018-16435 CVE-2018-16086 CVE-2018-16087 CVE-2018-16088} [stretch] - chromium-browser 69.0.3497.81-1~deb9u1 [07 Sep 2018] DSA-4288-1 ghostscript - security update - {CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585} + {CVE-2018-15908 CVE-2018-15910 CVE-2018-15911 CVE-2018-16511 CVE-2018-16513 CVE-2018-16539 CVE-2018-16540 CVE-2018-16541 CVE-2018-16542 CVE-2018-16543 CVE-2018-16585 CVE-2018-15909} [stretch] - ghostscript 9.20~dfsg-3.2+deb9u4 [07 Sep 2018] DSA-4287-1 firefox-esr - security update {CVE-2018-12376 CVE-2018-12377 CVE-2018-12378} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e9724c1613aac7f59546a206bbda9196569fd66
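Review bot: CVE-2018-15909 is appended at the end of the DSA-4288-1 CVE list rather than in numeric position between CVE-2018-15908 and CVE-2018-15910; the tracker matches on membership so this works, and the chromium list above it is likewise not strictly sorted (CVE-2018-16435 sits between 16085 and 16086), but inserting in order keeps later diffs easier to read. The commit message's explanation (fix already in the DSA, CVE assigned afterwards) is worth repeating as a NOTE in the CVE-2018-15909 entry, which otherwise only gains the bare {DSA-4288-1} reference from the automatic update.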
[Git][security-tracker-team/security-tracker][master] mark CVE-2018-1051 as not-affected for jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: f1008585 by Thorsten Alteholz at 2018-09-14T12:23:18Z mark CVE-2018-1051 as not-affected for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43703,6 +43703,7 @@ CVE-2018-1052 (Memory disclosure vulnerability in table partitioning was found i CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 and ...) - resteasy - resteasy3.0 + [jessie] - resteasy (Incomplete fix for CVE-2016-9606 wasn't backported) TODO: check CVE-2018-1050 (All versions of Samba from 4.0.0 onwards are vulnerable to a denial of ...) {DSA-4135-1 DLA-1320-1} @@ -96717,6 +96718,7 @@ CVE-2016-9606 (JBoss RESTEasy before version 3.1.2 could be forced into parsing - resteasy 3.1.4-1 (bug #851430) [jessie] - resteasy (Minor issue) - resteasy3.0 + NOTE: See CVE-2018-1051 to address original incomplete fix for CVE-2016-9606 CVE-2016-9605 (A flaw was found in cobbler software component version 2.6.11-1. It ...) - cobbler (bug #858844) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1433950 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f1008585a9945105723c2531070a36b2469053d9
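Review bot: marking jessie not-affected for CVE-2018-1051 is consistent with the CVE-2016-9606 entry in the second hunk, where jessie's resteasy is still "(Minor issue)", i.e. unfixed: the incomplete fix that CVE-2018-1051 corrects was never in jessie, so only the original CVE-2016-9606 applies there, which the added NOTE cross-references. As rendered, the new jessie line shows no status marker before the parenthesised reason; confirm it is present in the committed file.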
[Git][security-tracker-team/security-tracker][master] follow security team with postponed for CVE-2018-12384
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b0706e67 by Thorsten Alteholz at 2018-09-14T11:47:10Z follow security team with postponed for CVE-2018-12384 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11457,6 +11457,7 @@ CVE-2018-12384 [ServerHello.random is all zero when handling a v2-compatible Cli RESERVED - nss 2:3.39-1 (low; bug #908332) [stretch] - nss (Minor issue, can be fixed along in future DSA) + [jessie] - nss (Minor issue, can be fixed along in future DSA) NOTE: https://hg.mozilla.org/projects/nss/rev/2ed9f6afd84e (NSS_3_39_BRANCH) NOTE: https://hg.mozilla.org/projects/nss/rev/46f9a1f40c3d (NSS_3_36_BRANCH) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1483128 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b0706e67cd8f70cb0b13a2a1d3dd42da19feec99
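Review bot: the jessie line copies the stretch reasoning verbatim ("Minor issue, can be fixed along in future DSA"), which is consistent with the "low" severity and bug #908332 on the unstable line; the subject says postponed, but as rendered the line shows no status marker before the reason, so confirm it is in the committed file. The NOTE lines already record the upstream backports on both NSS_3_39_BRANCH and NSS_3_36_BRANCH, which is what a later DSA or DLA carrying this fix along will need.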
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-16981
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4ca8a8a by Salvatore Bonaccorso at 2018-09-14T09:50:19Z Add CVE-2018-16981 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -146,7 +146,9 @@ CVE-2018-16983 (NoScript Classic before 5.1.8.7, as used in Tor Browser 7.x and CVE-2018-16982 (Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a denial ...) NOT-FOR-US: Open Chinese Convert (OpenCC) CVE-2018-16981 (stb stb_image.h 2.19, as used in catimg, Emscripten, and other ...) - TODO: check + - catimg + NOTE: https://github.com/nothings/stb/issues/656 + TODO: further check, stb_image.h in older version is embedded in src;catimg CVE-2018-16980 (dotCMS V5.0.1 has XSS in the ...) NOT-FOR-US: dotCMS CVE-2018-16979 (Monstra CMS V3.0.4 allows HTTP header injection in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4ca8a8a4947d1376bc31fe183cb8298db26
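Review bot: "src;catimg" in the new TODO looks like a typo for a path such as src/catimg and should be corrected so the next person can locate the embedded copy. Since the issue lives in an embedded stb_image.h rather than in catimg's own code, the copy should also be recorded in data/embedded-code-copies (as this digest's commit for jsonld.js, casperjs and the others does), so that future stb CVEs are mapped to catimg automatically instead of depending on the CVE text happening to mention it.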
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 504ab7d2 by Salvatore Bonaccorso at 2018-09-14T09:33:21Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2018-17051 (K-Net Cisco Configuration Manager through 2014-11-19 has XSS via ...) - TODO: check + NOT-FOR-US: K-Net Cisco Configuration Manager CVE-2018-17050 RESERVED CVE-2018-17049 (CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback ...) - TODO: check + NOT-FOR-US: CQU-LANKERS CVE-2018-17048 RESERVED CVE-2018-17047 @@ -11,9 +11,9 @@ CVE-2018-17047 CVE-2018-17046 (translate man before 2018-08-21 has XSS via ...) TODO: check CVE-2018-17045 (An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF ...) - TODO: check + NOT-FOR-US: CMS MaeloStore CVE-2018-17044 (In YzmCMS 5.1, stored XSS exists via the ...) - TODO: check + NOT-FOR-US: YzmCMS CVE-2018-17043 (An issue has been found in doc2txt through 2014-03-19. It is a ...) TODO: check CVE-2018-17042 (An issue has been found in dbf2txt through 2012-07-19. It is a infinite ...) 
@@ -23,25 +23,25 @@ CVE-2018-17041 CVE-2018-17040 RESERVED CVE-2018-17039 (MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted ...) - TODO: check + NOT-FOR-US: MiniCMS CVE-2018-17038 RESERVED CVE-2018-17037 (user/editpost.php in UCMS 1.4.6 mishandles levels, which allows ...) - TODO: check + NOT-FOR-US: UCMS CVE-2018-17036 (An issue was discovered in UCMS 1.4.6. It allows PHP code injection ...) - TODO: check + NOT-FOR-US: UCMS CVE-2018-17035 (UCMS 1.4.6 has SQL injection during installation via the ...) - TODO: check + NOT-FOR-US: UCMS CVE-2018-17034 (UCMS 1.4.6 has XSS via the install/index.php mysql_dbname parameter. ...) - TODO: check + NOT-FOR-US: UCMS CVE-2018-17033 RESERVED CVE-2018-17032 RESERVED CVE-2018-17031 (In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger ...) - TODO: check + NOT-FOR-US: Go Git Service CVE-2018-17030 (BigTree CMS 4.2.23 allows remote authenticated users, if possessing ...) - TODO: check + NOT-FOR-US: BigTree CMS CVE-2018-17029 RESERVED CVE-2018-17028 
@@ -49,11 +49,11 @@ CVE-2018-17028 CVE-2018-17027 RESERVED CVE-2018-17026 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2018-17025 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2018-17024 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title ...) - TODO: check + NOT-FOR-US: Monstra CMS CVE-2018-17023 (Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 ...) NOT-FOR-US: ASUS GT-AC5300 routers CVE-2018-17022 (Stack-based buffer overflow on the ASUS GT-AC5300 router through ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/504ab7d206fc59e6d165b7605bf160fb89dbe561
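Review bot: the NOT-FOR-US reasons take the product name as written in the description except for CVE-2018-17031, where "Gogs" becomes "Go Git Service"; keeping the name from the description makes later grep-based triage consistent. CVE-2018-17046 (translate man), CVE-2018-17043 (doc2txt) and CVE-2018-17042 (dbf2txt) are rightly left at "TODO: check" within these hunks, since unlike the CMS entries they are small tools that could plausibly exist as Debian packages under those or similar names.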
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9be70af5 by security tracker role at 2018-09-14T08:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,59 @@ +CVE-2018-17051 (K-Net Cisco Configuration Manager through 2014-11-19 has XSS via ...) + TODO: check +CVE-2018-17050 + RESERVED +CVE-2018-17049 (CQU-LANKERS through 2017-11-02 has XSS via the public/api.php callback ...) + TODO: check +CVE-2018-17048 + RESERVED +CVE-2018-17047 + RESERVED +CVE-2018-17046 (translate man before 2018-08-21 has XSS via ...) + TODO: check +CVE-2018-17045 (An issue was discovered in CMS MaeloStore V.1.5.0. There is a CSRF ...) + TODO: check +CVE-2018-17044 (In YzmCMS 5.1, stored XSS exists via the ...) + TODO: check +CVE-2018-17043 (An issue has been found in doc2txt through 2014-03-19. It is a ...) + TODO: check +CVE-2018-17042 (An issue has been found in dbf2txt through 2012-07-19. It is a infinite ...) + TODO: check +CVE-2018-17041 + RESERVED +CVE-2018-17040 + RESERVED +CVE-2018-17039 (MiniCMS 1.10, when Internet Explorer is used, allows XSS via a crafted ...) + TODO: check +CVE-2018-17038 + RESERVED +CVE-2018-17037 (user/editpost.php in UCMS 1.4.6 mishandles levels, which allows ...) + TODO: check +CVE-2018-17036 (An issue was discovered in UCMS 1.4.6. It allows PHP code injection ...) + TODO: check +CVE-2018-17035 (UCMS 1.4.6 has SQL injection during installation via the ...) + TODO: check +CVE-2018-17034 (UCMS 1.4.6 has XSS via the install/index.php mysql_dbname parameter. ...) + TODO: check +CVE-2018-17033 + RESERVED +CVE-2018-17032 + RESERVED +CVE-2018-17031 (In Gogs 0.11.53, an attacker can use a crafted .eml file to trigger ...) + TODO: check +CVE-2018-17030 (BigTree CMS 4.2.23 allows remote authenticated users, if possessing ...) + TODO: check +CVE-2018-17029 + RESERVED +CVE-2018-17028 + RESERVED +CVE-2018-17027 + RESERVED +CVE-2018-17026 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title ...) + TODO: check +CVE-2018-17025 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title ...) 
+ TODO: check +CVE-2018-17024 (admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title ...) + TODO: check CVE-2018-17023 (Cross-site request forgery (CSRF) vulnerability on ASUS GT-AC5300 ...) NOT-FOR-US: ASUS GT-AC5300 routers CVE-2018-17022 (Stack-based buffer overflow on the ASUS GT-AC5300 router through ...) @@ -16203,8 +16259,8 @@ CVE-2018-10639 RESERVED CVE-2018-10638 RESERVED -CVE-2018-10637 - RESERVED +CVE-2018-10637 (A maliciously crafted project file may cause a buffer overflow, which ...) + TODO: check CVE-2018-10636 (CNCSoft Version 1.00.83 and prior with ScreenEditor Version 1.00.54 ...) NOT-FOR-US: CNCSoft CVE-2018-10635 (In Universal Robots Robot Controllers Version CB 3.1, SW Version ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9be70af50f4ec7006262372e8bbecabcd32c3996
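Review bot: in the @@ -1,3 +1,59 @@ hunk, CVE-2018-17024, CVE-2018-17025 and CVE-2018-17026 carry the identical truncated description `admin/index.php in Monstra CMS 3.0.4 allows XSS via the page_meta_title ...`, so nothing in the visible text tells the three apart; whoever resolves those TODO: check lines should read the full descriptions first to confirm they are distinct issues rather than duplicate assignments. The four UCMS 1.4.6 entries (CVE-2018-17034 through CVE-2018-17037) likewise belong to one product and should get one package decision rather than four separate passes.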
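Review bot: in the @@ -16203,8 +16259,8 @@ hunk the new CVE-2018-10637 text `A maliciously crafted project file may cause a buffer overflow, which ...` names no product, while the adjacent CVE-2018-10636 (CNCSoft) is already marked NOT-FOR-US; check whether CVE-2018-10637 comes from the same advisory and, if so, resolve the TODO: check with the same NOT-FOR-US line instead of leaving it open.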
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ae52b51 by Salvatore Bonaccorso at 2018-09-14T07:48:52Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81,7 +81,7 @@ CVE-2018-16987 (Squash TM through 1.18.0 presents the cleartext passwords of ext CVE-2018-16986 RESERVED CVE-2018-16985 (In Lizard (formerly LZ5) 2.0, use of an invalid memory address was ...) - TODO: check + NOT-FOR-US: Lizard CVE-2018-16984 RESERVED CVE-2018-16983 (NoScript Classic before 5.1.8.7, as used in Tor Browser 7.x and other ...) @@ -497,7 +497,7 @@ CVE-2018-16798 CVE-2018-16797 (A heap-based buffer overflow in PotPlayerMini.exe in PotPlayer 1.7.8556 ...) NOT-FOR-US: PotPlayer CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Files ...) - TODO: check + NOT-FOR-US: HiScout GRC Suite CVE-2018-16795 RESERVED CVE-2018-16794 @@ -4102,7 +4102,7 @@ CVE-2018-15312 CVE-2018-15311 RESERVED CVE-2018-15310 (A vulnerability in BIG-IP APM portal access 11.5.1-11.5.7, ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018- [libykneomgr memory corruption] - libykneomgr (low; bug #906138) [stretch] - libykneomgr (Minor issue) @@ -21887,9 +21887,9 @@ CVE-2018-8369 CVE-2018-8368 RESERVED CVE-2018-8367 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8366 (An information disclosure vulnerability exists when the Microsoft Edge ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8365 RESERVED CVE-2018-8364 
@@ -21913,7 +21913,7 @@ CVE-2018-8356 (A security feature bypass vulnerability exists when Microsoft .NE CVE-2018-8355 (A remote code execution vulnerability exists in the way the scripting ...) NOT-FOR-US: Microsoft CVE-2018-8354 (A remote code execution vulnerability exists in the way that the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8353 (A remote code execution vulnerability exists in the way that the ...) NOT-FOR-US: Microsoft CVE-2018-8352 @@ -21947,19 +21947,19 @@ CVE-2018-8339 (An elevation of privilege vulnerability exists in the Windows ... CVE-2018-8338 RESERVED CVE-2018-8337 (A security feature bypass vulnerability exists when Windows Subsystem ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8336 (An information disclosure vulnerability exists when the Windows kernel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8335 (A denial of service vulnerability exists in the Microsoft Server Block ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8334 RESERVED CVE-2018-8333 RESERVED CVE-2018-8332 (A remote code execution vulnerability exists when the Windows font ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8331 (A remote code execution vulnerability exists in Microsoft Excel ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8330 RESERVED CVE-2018-8329 @@ -21991,7 +21991,7 @@ CVE-2018-8317 CVE-2018-8316 (A remote code execution vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2018-8315 (An information disclosure vulnerability exists when the browser ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8314 (An elevation of privilege vulnerability exists when Windows fails a ...) NOT-FOR-US: Microsoft CVE-2018-8313 (An elevation of privilege vulnerability exists in the way that the ...) 
@@ -22079,7 +22079,7 @@ CVE-2018-8273 (A buffer overflow vulnerability exists in the Microsoft SQL Serve CVE-2018-8272 RESERVED CVE-2018-8271 (An information disclosure vulnerability exists in Windows when the ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2018-8270 RESERVED CVE-2018-8269 (A denial of service vulnerability exists when OData Library improperly ...) @@ -30826,15 +30826,15 @@ CVE-2015-9247 (An issue was discovered in Skybox Platform before 7.5.401. Reflec CVE-2015-9246 (An issue was discovered in Skybox Platform before 7.5.201. Remote ...) NOT-FOR-US: Skybox Platform CVE-2018-5549 (On BIG-IP APM 11.6.0-11.6.3.1, 12.1.0-12.1.3.3, 13.0.0, and ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018-5548 (On BIG-IP APM 11.6.0-11.6.3, an insecure AES ECB mode is used for ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018-5547 (Windows Logon Integration feature of F5 BIG-IP APM client prior to ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5546 (The svpn and policyserver components of the F5 BIG-IP APM client prior ...) NOT-FOR-US: F5 BIG-IP CVE-2018-5545 (On F5 WebSafe Alert Server 1.0.0-4.2.6, a malicious, authenticated
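Review bot: in the @@ -81,7 +81,7 @@ hunk, `NOT-FOR-US: Lizard` is only correct if no Debian source package embeds the Lizard/LZ5 compression code; since the issue is an invalid memory access in a library that other projects can vendor, a quick codesearch for embedded copies before closing the entry would be prudent, and if one turns up the line should become a source-package entry instead. The Microsoft and F5 BIG-IP changes in the remaining hunks follow the wording already used by the neighbouring entries (for example CVE-2018-8355 and CVE-2018-5547), so no further change is needed there.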
[Git][security-tracker-team/security-tracker][master] 2 commits: Add end-of-life tags for two chromium-browser issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db2930d1 by Salvatore Bonaccorso at 2018-09-14T07:31:35Z Add end-of-life tags for two chromium-browser issues - - - - - bda87548 by Salvatore Bonaccorso at 2018-09-14T07:34:52Z Add bug references for chromium-browser issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -400,9 +400,11 @@ CVE-2018-16947 (An issue was discovered in OpenAFS before 1.6.23 and 1.8.x befor - openafs 1.8.2-1 (bug #908616) NOTE: http://openafs.org/pages/security/OPENAFS-SA-2018-001.txt CVE-2018- [function signature mismatch in webassembly] - - chromium-browser 69.0.3497.92-1 + - chromium-browser 69.0.3497.92-1 (bug #908806) + [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018- [url spoofing in omnibox] - - chromium-browser 69.0.3497.92-1 + - chromium-browser 69.0.3497.92-1 (bug #908806) + [jessie] - chromium-browser (End of life, see DSA 4020) CVE-2018-1002009 NOTE: Wordpress plugin CVE-2018-1002008 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d0ebf7ca8fa5f9285d409a2ef6ca067466b8b48b...bda87548b6b4918843b9fa63c3c813a7cb5c1cd7
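Review bot: in the @@ -400,9 +400,11 @@ hunk the two added lines `[jessie] - chromium-browser (End of life, see DSA 4020)` show no version or status keyword between the package name and the parenthesised comment, although the commit message says end-of-life tags were added; the tracker syntax expects the `<end-of-life>` keyword in that position, and a mail renderer can drop an angle-bracket token as if it were an HTML tag, so confirm that the committed line actually reads `[jessie] - chromium-browser <end-of-life> (End of life, see DSA 4020)`. Both entries also still carry placeholder ids (`CVE-2018-` followed by a bracketed description), so they will need renaming once the CVE numbers are assigned, or the bug #908806 reference and any later DSA will not cross-link to them.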