[Git][security-tracker-team/security-tracker][master] Add firefox-esr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d026bdc by Salvatore Bonaccorso at 2018-09-22T05:00:17Z Add firefox-esr - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -20,6 +20,8 @@ asterisk -- ceph -- +firefox-esr +-- gitlab -- ghostscript View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2d026bdcea2a20fce4ee55dce80d6567a2b656b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
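Review bot: the new firefox-esr entry in dsa-needed.txt has no NOTE line saying what the update is waiting on, while other entries in the same file do (linux: "Wait until more issues have piled up"; libxml2: "Re-evaluate situation for unstable first, risky to expose some fixes directly"). The companion commit b7b4d658 records firefox-esr 60.2.1esr-1 against CVE-2018-12383 and CVE-2018-12385 with mfsa2018-23 as the reference, so a one-line NOTE pointing at mfsa2018-23 would tell whoever picks the item up which issues the stretch build has to cover.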
[Git][security-tracker-team/security-tracker][master] Add new firefox issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b7b4d658 by Salvatore Bonaccorso at 2018-09-22T04:59:27Z Add new firefox issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12099,6 +12099,10 @@ CVE-2018-12386 RESERVED CVE-2018-12385 RESERVED + - firefox 62.0.2-1 + - firefox-esr 60.2.1esr-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-22/#CVE-2018-12385 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/#CVE-2018-12385 CVE-2018-12384 [ServerHello.random is all zero when handling a v2-compatible ClientHello] RESERVED - nss 2:3.39-1 (low; bug #908332) @@ -12111,7 +12115,9 @@ CVE-2018-12384 [ServerHello.random is all zero when handling a v2-compatible Cli CVE-2018-12383 RESERVED - firefox 62.0-1 + - firefox-esr 60.2.1esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2018-12383 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-23/#CVE-2018-12383 CVE-2018-12382 RESERVED - firefox (Android-specific) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b7b4d658270505c242d7216490012622d56f3511
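Review bot: CVE-2018-12385 keeps a bare RESERVED line with no bracketed summary even though fixed versions and two advisory references are now attached; the neighbouring CVE-2018-12384 entry shows the convention ([ServerHello.random is all zero when handling a v2-compatible ClientHello]). A short bracket title taken from mfsa2018-22 would make the entry searchable before MITRE publishes the description.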
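Review bot: in the CVE-2018-12383 hunk the firefox-esr 60.2.1esr-1 line is added with no [stretch] line, so the tracker will report stretch as vulnerable until a DSA record for firefox-esr exists. That is the intended state given the firefox-esr entry added to dsa-needed.txt in 2d026bdc, but note that the same mfsa2018-23 reference is now cited for both CVE-2018-12383 and CVE-2018-12385; if the ESR advisory lists further identifiers, they need entries of their own rather than riding on these two.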
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-16597/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d4d1cc5 by Salvatore Bonaccorso at 2018-09-22T04:52:43Z Add CVE-2018-16597/linux - - - - - 7f1841d7 by Salvatore Bonaccorso at 2018-09-22T04:53:06Z Add workaround entry for texlive-bin (until CVE assigned) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49,6 +49,7 @@ CVE-2018-17282 (An issue was discovered in Exiv2 v0.26. The function ...) CVE-2018- [writet1 protection against buffer overflow] - texlive-bin 2018.20180907.48586-2 (bug #909317) [stretch] - texlive-bin 2016.20160513.41080.dfsg-2+deb9u1 + [jessie] - texlive-bin 2014.20140926.35254-6+deb8u1 NOTE: http://git.preining.info/texlive/commit/?id=945e3295915cf8a3cbd54872724cab28530e120f CVE-2018-17281 RESERVED @@ -1617,8 +1618,11 @@ CVE-2018-16599 RESERVED CVE-2018-16598 RESERVED -CVE-2018-16597 +CVE-2018-16597 [overlayfs file truncation without permissions] RESERVED + - linux 4.8.5-1 + [jessie] - linux (Vulnerable code not present) + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1106512 CVE-2018-16596 RESERVED CVE-2018-16595 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/8a46001df0439c6d767e784fb8e02af29bb18b5e...7f1841d7b3a56a65e419823de74a4b4fa293c589
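Review bot: the jessie line 2014.20140926.35254-6+deb8u1 is attached to an entry whose key is still the placeholder CVE-2018-, and the matching advisory records DLA-1514-1 and DSA-4299-1 were both reserved without a {CVE-...} line. Nothing ties the three together until the identifier is assigned, at which point the key has to be renamed and the CVE set added to both DSA/list and DLA/list in the same change, otherwise the fixed versions recorded here will never be matched to the advisories.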
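Review bot: for CVE-2018-16597 the only reference is the SUSE bug; a NOTE with the upstream overlayfs fix commit would let a reader verify both the linux 4.8.5-1 fixed version and the jessie "Vulnerable code not present" assessment, since the entry gives no basis for either beyond the bracket title.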
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1514-1 for texlive-bin
Ben Hutchings pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a46001d by Ben Hutchings at 2018-09-22T00:39:27Z Reserve DLA-1514-1 for texlive-bin - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[22 Sep 2018] DLA-1514-1 texlive-bin - security update + [jessie] - texlive-bin 2014.20140926.35254-6+deb8u1 [21 Sep 2018] DLA-1513-1 openafs - security update {CVE-2018-16947 CVE-2018-16948 CVE-2018-16949} [jessie] - openafs 1.6.9-2+deb8u8 = data/dla-needed.txt = @@ -94,8 +94,6 @@ spamassassin (Antoine Beaupré) -- symfony (Thorsten Alteholz) -- -texlive-bin (Markus Koschany) --- thunderbird -- xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a46001df0439c6d767e784fb8e02af29bb18b5e
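Review bot: the DLA-1514-1 record has no {CVE-...} line, unlike DLA-1513-1 directly below it, because the texlive-bin issue is still filed under the placeholder CVE-2018- in CVE/list; this needs a follow-up commit once the identifier exists or the advisory will never link to the issue. The jessie version matches the one added to CVE/list in 7f1841d7, so the two records are at least consistent.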
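Review bot: the dla-needed.txt entry being removed was claimed by someone else (texlive-bin (Markus Koschany), claimed in 4b223dc8), and the commit message does not say the work was handed over; a word on that in the message avoids two people preparing the same jessie upload.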
[Git][security-tracker-team/security-tracker][master] claim two LTS packages for monday
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 91d22781 by Antoine Beaupré at 2018-09-21T20:09:34Z claim two LTS packages for monday - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,9 +77,9 @@ phpldapadmin (Mike Gabriel) polarssl (Mike Gabriel) NOTE: 20180902: The no-dsa/postponed issues could be fixed as well. (apo) -- -python2.7 +python2.7 (Antoine Beaupré) -- -python3.4 +python3.4 (Antoine Beaupré) -- salt NOTE: CVE-2017-7893 is not crucial since the managed system must be @@ -90,7 +90,7 @@ samba (Holger Levsen) -- smarty3 (Mike Gabriel) -- -spamassassin +spamassassin (Antoine Beaupré) -- symfony (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/91d227819af8f86f1942d651917c30498666920e
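Review bot: the subject says two packages but the diff claims three (python2.7, python3.4 and spamassassin); amending the message keeps the dla-needed.txt history searchable when someone later asks who took spamassassin.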
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-13818
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 71194d32 by Salvatore Bonaccorso at 2018-09-21T19:09:28Z Update information for CVE-2018-13818 MITRE will sync up the entry soon, clarifying the disputed status on the entry. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8526,10 +8526,11 @@ CVE-2018-13820 (A hardcoded passphrase, in CA Unified Infrastructure Management CVE-2018-13819 (A hardcoded secret key, in CA Unified Infrastructure Management 8.5.1, ...) NOT-FOR-US: CA Unified Infrastructure Management CVE-2018-13818 (Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the ...) - - twig 2.4.4-2 - [stretch] - twig (Minor issue) - [jessie] - twig (Minor issue) + - twig 2.4.4-2 (unimportant) NOTE: Fixed upstream in 2.4.4 + NOTE: Vendor of Twig disputes issue as Twig itself is not a web application and + NOTE: it is the repsonsibility of the web applications using Twig to properly wrap + NOTE: input to it. CVE-2018-13817 RESERVED CVE-2018-13816 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71194d3222eb4afcaf9ece0ad8d6051506bb87ee
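Review bot: typo in the new NOTE, "repsonsibility" should be "responsibility". Collapsing the per-suite [stretch]/[jessie] "Minor issue" lines into a single (unimportant) tag on the unstable line is the right shape once the issue is treated as disputed, since that severity applies to every suite; it would help to add a NOTE with the link to where the vendor disputes it, so the rationale survives once MITRE rewrites the description.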
[Git][security-tracker-team/security-tracker][master] Take openafs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 097370bd by Salvatore Bonaccorso at 2018-09-21T19:01:58Z Take openafs - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -66,7 +66,7 @@ okular -- openjfx -- -openafs +openafs (carnil) -- openjpeg2 (luciano) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/097370bd26c69056c170e5e28a6154e842f349df
[Git][security-tracker-team/security-tracker][master] Fix typo in state: ignore -> ignored
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a0874ec by Salvatore Bonaccorso at 2018-09-21T18:57:15Z Fix typo in state: ignore -> ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2018-17295 CVE-2018-17294 (The matchCurrentInput function inside lou_translateString.c of Liblouis ...) - liblouis 3.7.0-1 [stretch] - liblouis (Minor issue) - [jessie] - liblouis (Minor issue) + [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7396e NOTE: https://github.com/liblouis/liblouis/issues/635 CVE-2018-17293 (An issue was discovered in WAVM before 2018-09-16. The run function in ...)
@@ -145,12 +145,12 @@ CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_re CVE-2018-17236 (The function MP4Free() in mp4property.cpp in libmp4v2 2.1.0 internally ...) - mp4v2 (bug #909277) [stretch] - mp4v2 (Minor issue) - [jessie] - mp4v2 (Minor issue) + [jessie] - mp4v2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629453 CVE-2018-17235 (The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp in ...) - mp4v2 (bug #909278) [stretch] - mp4v2 (Minor issue) - [jessie] - mp4v2 (Minor issue) + [jessie] - mp4v2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629451 CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in ...) - hdf5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a0874ecb18d4f7ad71aa210c3ad37e023165153
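Review bot: the removed and added lines in all three hunks read identically ([jessie] - liblouis (Minor issue), [jessie] - mp4v2 (Minor issue)) because the angle-bracketed state keyword was dropped when the mail was rendered; the actual change, per the subject, is the keyword ignore -> ignored. Anyone auditing these entries from the list archive should read the commit on salsa rather than this rendering, and the same stripping hides the keyword on every [suite] line in this digest.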
[Git][security-tracker-team/security-tracker][master] Triage results.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: d51123f3 by Ola Lundqvist at 2018-09-21T18:46:21Z Triage results. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,6 +79,8 @@ polarssl (Mike Gabriel) -- python2.7 -- +python3.4 +-- salt NOTE: CVE-2017-7893 is not crucial since the managed system must be NOTE: compromised first. But the security escalation effect can cause View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d51123f354236aa6bb690ae0bd8c22d24a97c2ab
[Git][security-tracker-team/security-tracker][master] Triage results.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: df160c16 by Ola Lundqvist at 2018-09-21T18:44:01Z Triage results. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -19,6 +19,7 @@ CVE-2018-17295 CVE-2018-17294 (The matchCurrentInput function inside lou_translateString.c of Liblouis ...) - liblouis 3.7.0-1 [stretch] - liblouis (Minor issue) + [jessie] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7396e NOTE: https://github.com/liblouis/liblouis/issues/635 CVE-2018-17293 (An issue was discovered in WAVM before 2018-09-16. The run function in ...) @@ -144,10 +145,12 @@ CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_re CVE-2018-17236 (The function MP4Free() in mp4property.cpp in libmp4v2 2.1.0 internally ...) - mp4v2 (bug #909277) [stretch] - mp4v2 (Minor issue) + [jessie] - mp4v2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629453 CVE-2018-17235 (The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp in ...) - mp4v2 (bug #909278) [stretch] - mp4v2 (Minor issue) + [jessie] - mp4v2 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629451 CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in ...) - hdf5 
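Review bot: the three new [jessie] lines for liblouis and mp4v2 carry a state keyword that the tracker does not accept, which is why commit 6a0874ec (Fix typo in state: ignore -> ignored) has to rewrite exactly these lines a few minutes later; the keyword is not visible in this rendering, only the (Minor issue) reason, but a syntax check before pushing would have caught it. It is also worth confirming that jessie's liblouis and mp4v2 actually contain the affected functions (matchCurrentInput, MP4Free, FinishSdtp) before settling on ignored rather than not-affected.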
@@ -212,16 +215,19 @@ CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. NOT-FOR-US: Snap Creek Duplicator CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) - openvswitch + [jessie] - openvswitch (Vulnerable code does not exist) NOTE: https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226 (master) NOTE: https://github.com/openvswitch/ovs/commit/20626d38c1a1d4cebb5a6911ea3cb6a7f4f993f8 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/9237a63c47bd314b807cda0bd2216264e82edbe8 (branch-2.7) CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) - openvswitch + [jessie] - openvswitch (Vulnerable code does not exist) NOTE: https://github.com/openvswitch/ovs/commit/9a0ac025de9303334688ff08f01fc08604d2f624 (master) NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7) CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, ...) - openvswitch + [jessie] - openvswitch (Vulnerable code does not exist) NOTE: https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa (master) NOTE: https://github.com/openvswitch/ovs/commit/8976ea1d680ab7a2d726a50e5666aa8fefd24168 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/4af6da3b275b764b1afe194df6499b33d2bf4cde (branch-2.7) = data/dla-needed.txt = 
@@ -77,6 +77,13 @@ phpldapadmin (Mike Gabriel) polarssl (Mike Gabriel) NOTE: 20180902: The no-dsa/postponed issues could be fixed as well. (apo) -- +python2.7 +-- +salt + NOTE: CVE-2017-7893 is not crucial since the managed system must be + NOTE: compromised first. But the security escalation effect can cause + NOTE: a lot of system compromised. +-- samba (Holger Levsen) -- smarty3 (Mike Gabriel) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/df160c16fc6d33bb4c682112747bbeded8eb563d
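Review bot: the three openvswitch jessie lines use the reason text "Vulnerable code does not exist" while the linux entry for CVE-2018-16597 in this same digest uses "Vulnerable code not present"; pick one phrasing, since the reason string is what people grep for when auditing not-affected assessments. A NOTE saying which of the listed commits (branch-2.7 is the oldest) was compared against jessie's version would make the assessment reproducible.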
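Review bot: the salt NOTE needs a grammar pass ("can cause a lot of system compromised" -> "can lead to many systems being compromised"), and it omits the detail the LTS uploader most needs: unstable carries the fix in 2016.11.5+ds-1 with the protective behaviour turned off by default (commit 919730a1), so a jessie backport has to decide whether to enable it. The python2.7 entry is added with no NOTE on which CVEs are open.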
[Git][security-tracker-team/security-tracker][master] Correct typo in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 89556cdf by Markus Koschany at 2018-09-21T16:58:39Z Correct typo in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -85,7 +85,7 @@ spamassassin -- symfony (Thorsten Alteholz) -- -textlive-bin (Markus Koschany) +texlive-bin (Markus Koschany) -- thunderbird -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/89556cdf146e40cd56a5e15aaa52c9098074681d
[Git][security-tracker-team/security-tracker][master] Claim textlive-bin in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b223dc8 by Markus Koschany at 2018-09-21T16:45:29Z Claim textlive-bin in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -85,6 +85,8 @@ spamassassin -- symfony (Thorsten Alteholz) -- +textlive-bin (Markus Koschany) +-- thunderbird -- xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b223dc83d90e78bc15c454600dffdad3567e9b8
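Review bot: the package name in the added line is misspelled (textlive-bin; the source package is texlive-bin), so the claim would not match the package it is meant for; it is corrected in the follow-up commit 89556cdf.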
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1513-1 for openafs
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 14931c07 by Markus Koschany at 2018-09-21T16:42:12Z Reserve DLA-1513-1 for openafs - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Sep 2018] DLA-1513-1 openafs - security update + {CVE-2018-16947 CVE-2018-16948 CVE-2018-16949} + [jessie] - openafs 1.6.9-2+deb8u8 [21 Sep 2018] DLA-1512-1 sympa - security update {CVE-2018-1000671} [jessie] - sympa 6.1.23~dfsg-2+deb8u3 = data/dla-needed.txt = @@ -66,8 +66,6 @@ mysql-5.5 (Emilio Pozuelo) -- okular (Thorsten Alteholz) -- -openafs (Markus Koschany) --- openjdk-7 (Emilio Pozuelo) -- openjpeg2 (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14931c07ac99d868ea40d633b8c37a4c23ce3b17
[Git][security-tracker-team/security-tracker][master] Add bug reference for texlive-bin issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c1190677 by Salvatore Bonaccorso at 2018-09-21T14:52:43Z Add bug reference for texlive-bin issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46,7 +46,7 @@ CVE-2018-17283 (Zoho ManageEngine OpManager before 12.3 Build 123196 does not re CVE-2018-17282 (An issue was discovered in Exiv2 v0.26. The function ...) TODO: check CVE-2018- [writet1 protection against buffer overflow] - - texlive-bin 2018.20180907.48586-2 + - texlive-bin 2018.20180907.48586-2 (bug #909317) [stretch] - texlive-bin 2016.20160513.41080.dfsg-2+deb9u1 NOTE: http://git.preining.info/texlive/commit/?id=945e3295915cf8a3cbd54872724cab28530e120f CVE-2018-17281 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c1190677500ee335cb829dd25fe072a83b13ffd3
[Git][security-tracker-team/security-tracker][master] 3 commits: Add texlive-bin issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 60a48212 by Salvatore Bonaccorso at 2018-09-21T03:38:48Z Add texlive-bin issue - - - - - d32f1df9 by Salvatore Bonaccorso at 2018-09-21T14:40:03Z Add temporary workaround for DSA 4299-1 until CVE assigned - - - - - dcd26b57 by Salvatore Bonaccorso at 2018-09-21T14:43:47Z Merge branch embargoed/texlive-bin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -45,6 +45,10 @@ CVE-2018-17283 (Zoho ManageEngine OpManager before 12.3 Build 123196 does not re NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-17282 (An issue was discovered in Exiv2 v0.26. The function ...) TODO: check +CVE-2018- [writet1 protection against buffer overflow] + - texlive-bin 2018.20180907.48586-2 + [stretch] - texlive-bin 2016.20160513.41080.dfsg-2+deb9u1 + NOTE: http://git.preining.info/texlive/commit/?id=945e3295915cf8a3cbd54872724cab28530e120f CVE-2018-17281 RESERVED CVE-2018-17280 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/8235b4b4f08dc19cd95d37d8ec29cff29b3aed77...dcd26b5726748447b118eb2c9cdc969ca4c9f820
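Review bot: the entry merged from embargoed/texlive-bin cites the upstream commit (945e3295) but carries no Debian bug reference, which c1190677 has to add a few minutes later as (bug #909317); for embargoed fixes the bug can be filed at publication time so the unstable line is complete on first push. The entry also has no [jessie] line, so jessie shows as affected with no fixed version until 7f1841d7 adds 2014.20140926.35254-6+deb8u1, even though DLA-1514-1 was already being prepared.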
[Git][security-tracker-team/security-tracker][master] allocate DSA for texlive-bin
Yves-Alexis Perez pushed to branch master at Debian Security Tracker / security-tracker Commits: 8235b4b4 by Yves-Alexis Perez at 2018-09-21T12:55:11Z allocate DSA for texlive-bin - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,5 @@ +[21 Sep 2018] DSA-4299-1 texlive-bin - security update + [stretch] - texlive-bin 2016.20160513.41080.dfsg-2+deb9u1 [20 Sep 2018] DSA-4298-1 hylafax - security update {CVE-2018-17141} [stretch] - hylafax 3:6.0.6-7+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8235b4b4f08dc19cd95d37d8ec29cff29b3aed77
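Review bot: the DSA-4299-1 record lands at 12:55Z, but the CVE/list entry it belongs to is only merged from embargoed/texlive-bin at 14:43Z (dcd26b57), and neither side carries a CVE identifier (compare the {CVE-2018-17141} line on DSA-4298-1 just below). For that window nothing ties the advisory to an issue; pushing the allocation together with the merge avoids the dangling record, and the CVE set still needs adding once MITRE assigns the number.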
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2017-7893/salt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 919730a1 by Salvatore Bonaccorso at 2018-09-21T11:23:40Z Update information on CVE-2017-7893/salt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -75133,12 +75133,16 @@ CVE-2014-9960 (In all Android releases from CAF using the Linux kernel, a buffer CVE-2017-7894 (WinDjView 2.1 might allow user-assisted attackers to execute code via ...) NOT-FOR-US: WinDjView CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can ...) - - salt + - salt 2016.11.5+ds-1 NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html NOTE: https://github.com/saltstack/salt/issues/48939 NOTE: https://github.com/saltstack/salt/commit/0a0f46fb1478be5eb2f90882a90390cb35ec43cb NOTE: The behaviour though was back off by default in a later commit again NOTE: cf. https://github.com/saltstack/salt/pull/40206 + NOTE: The fix is the second part of the 0a0f46f commit, but the behaviour is turned + NOTE: off by default and needs considerations of admins before enabling. We still + NOTE: consider the issue as fixed starting with this change. Details in + NOTE: https://github.com/saltstack/salt/issues/48939#issuecomment-410777638 CVE-2017-7892 (Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to a ...) - capnproto 0.6.1-1 (unimportant; bug #860960) NOTE: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2017-04-17-0-apple-clang-elides-bounds-check.md View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/919730a19f0b6bf65bb88dad3f711a6c06ce315e
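Review bot: recording CVE-2017-7893 as fixed in 2016.11.5+ds-1 while the new NOTE says the protective behaviour from 0a0f46f is off by default means the tracker will show the issue resolved for any suite at or above that version even though a default installation keeps the pre-fix behaviour. That is a defensible policy call and the issue #48939 comment is cited for it, but the NOTE should state plainly which option an administrator has to enable, and the per-suite consequence (jessie's older salt stays listed as vulnerable, matching the dla-needed.txt entry added in df160c16) is worth spelling out for whoever prepares the LTS upload.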
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-17294 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 709a90e8 by Salvatore Bonaccorso at 2018-09-21T08:50:30Z Mark CVE-2018-17294 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,6 +18,7 @@ CVE-2018-17295 RESERVED CVE-2018-17294 (The matchCurrentInput function inside lou_translateString.c of Liblouis ...) - liblouis 3.7.0-1 + [stretch] - liblouis (Minor issue) NOTE: https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7396e NOTE: https://github.com/liblouis/liblouis/issues/635 CVE-2018-17293 (An issue was discovered in WAVM before 2018-09-16. The run function in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/709a90e8432254dd072ac7eccbd916b46b9cfbd6
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17294/liblouis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 026fa999 by Salvatore Bonaccorso at 2018-09-21T08:45:16Z Add CVE-2018-17294/liblouis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,9 @@ CVE-2018-17296 CVE-2018-17295 RESERVED CVE-2018-17294 (The matchCurrentInput function inside lou_translateString.c of Liblouis ...) - TODO: check + - liblouis 3.7.0-1 + NOTE: https://github.com/liblouis/liblouis/commit/5e4089659bb49b3095fa541fa6387b4c40d7396e + NOTE: https://github.com/liblouis/liblouis/issues/635 CVE-2018-17293 (An issue was discovered in WAVM before 2018-09-16. The run function in ...) NOT-FOR-US: WAVM CVE-2018-17292 (An issue was discovered in WAVM before 2018-09-16. The loadModule ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/026fa999e064f9a012994eb3ebfa23c2024addc0
[Git][security-tracker-team/security-tracker][master] 2 commits: Take one item
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd716eea by Salvatore Bonaccorso at 2018-09-21T08:26:01Z Take one item - - - - - 51be2f83 by Salvatore Bonaccorso at 2018-09-21T08:35:49Z Process more NFUs - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2018-17300 (Stored XSS exists in CuppaCMS through 2018-09-03 via an ...) CVE-2018-17299 RESERVED CVE-2018-17298 (An issue was discovered in Enalean Tuleap before 10.5. Reset password ...) - TODO: check + NOT-FOR-US: Enalean Tuleap CVE-2018-17297 (The unzip function in ZipUtil.java in Hutool before 4.1.12 allows ...) NOT-FOR-US: Hutool CVE-2018-17296 @@ -19,9 +19,9 @@ CVE-2018-17295 CVE-2018-17294 (The matchCurrentInput function inside lou_translateString.c of Liblouis ...) TODO: check CVE-2018-17293 (An issue was discovered in WAVM before 2018-09-16. The run function in ...) - TODO: check + NOT-FOR-US: WAVM CVE-2018-17292 (An issue was discovered in WAVM before 2018-09-16. The loadModule ...) - TODO: check + NOT-FOR-US: WAVM CVE-2018-17291 RESERVED CVE-2018-17290 @@ -160,7 +160,7 @@ CVE-2018-17230 (Exiv2::ul2Data in types.cpp in Exiv2 v0.26 allows remote attacke CVE-2018-17229 (Exiv2::d2Data in types.cpp in Exiv2 v0.26 allows remote attackers to ...) TODO: check CVE-2018-17228 (nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell ...) - TODO: check + NOT-FOR-US: nmap4j CVE-2018-17227 RESERVED CVE-2018-17226 @@ -1232,7 +1232,7 @@ CVE-2018-16754 CVE-2018-16753 RESERVED CVE-2018-16752 (LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code ...) - TODO: check + NOT-FOR-US: LINK-NET LW-N605R devices CVE-2018-16751 RESERVED CVE-2018-16750 (In ImageMagick 7.0.7-29 and earlier, a memory leak in the ...) 
@@ -2392,7 +2392,7 @@ CVE-2018-16284 CVE-2018-16283 RESERVED CVE-2018-16282 (A command injection vulnerability in the web server functionality of ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-16281 RESERVED CVE-2018-16280 @@ -3562,7 +3562,7 @@ CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in CVE-2018-15833 (In Vanilla before 2.6.1, the polling functionality allows Insecure ...) NOT-FOR-US: Vanilla CVE-2018-15832 (upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows ...) - TODO: check + NOT-FOR-US: upc.exe in Ubisoft Uplay Desktop Client CVE-2018-15831 RESERVED CVE-2018-15830 @@ -5808,11 +5808,11 @@ CVE-2018-14831 CVE-2018-14830 RESERVED CVE-2018-14829 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This ...) - TODO: check + NOT-FOR-US: Rockwell Automation RSLinx Classic CVE-2018-14828 RESERVED CVE-2018-14827 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A ...) - TODO: check + NOT-FOR-US: Rockwell Automation RSLinx Classic CVE-2018-14826 RESERVED CVE-2018-14825 @@ -5824,7 +5824,7 @@ CVE-2018-14823 CVE-2018-14822 RESERVED CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This ...) - TODO: check + NOT-FOR-US: Rockwell Automation RSLinx Classic CVE-2018-14820 RESERVED CVE-2018-14819 @@ -5874,7 +5874,7 @@ CVE-2018-14798 CVE-2018-14797 (Emerson DeltaV DCS versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, R5 allow a ...) NOT-FOR-US: Emerson DeltaV DCS CVE-2018-14796 (Tec4Data SmartCooler, all versions prior to firmware 180806, the ...) - TODO: check + NOT-FOR-US: Tec4Data SmartCooler CVE-2018-14795 (DeltaV Versions 11.3.1, 12.3.1, 13.3.0, 13.3.1, and R5 is vulnerable ...) NOT-FOR-US: DeltaV CVE-2018-14794 
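Review bot: two of the NOT-FOR-US values in these hunks break the convention used everywhere else in the batch (product or vendor name only): "NOT-FOR-US: upc.exe in Ubisoft Uplay Desktop Client" should be "NOT-FOR-US: Ubisoft Uplay Desktop Client", and "NOT-FOR-US: Moxa" for CVE-2018-16282 cannot be checked against the visible description ("A command injection vulnerability in the web server functionality of ..."), which names no vendor; stating the product in the value, as done for the Rockwell and Tec4Data entries, lets a later reader verify the triage without re-opening the CVE.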
@@ -6492,7 +6492,7 @@ CVE-2018-14593 (An issue was discovered in Open Ticket Request System (OTRS) 6.0 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/7b6802723e1f5d1764b617e9fcf0a8dd21e96216 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/78331ea187181d6130189d4563a50b4c30256320 CVE-2018-14592 (The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW ...) - TODO: check + NOT-FOR-US: CWJoomla CVE-2018-14591 RESERVED CVE-2018-14590 (An issue has been discovered in Bento4 1.5.1-624. A SEGV can occur in ...) = data/dsa-needed.txt = @@ -44,7 +44,7 @@ libspring-java libxml2 (carnil) Re-evaluate situation for unstable first, risky to expose some fixes directly -- -linux +linux (carnil) Wait until more issues have piled up -- mariadb-10.1/stable View it on GitLab:
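Review bot: In the 51be2f83 hunk for CVE-2018-15832, the annotation "NOT-FOR-US: upc.exe in Ubisoft Uplay Desktop Client" carries the binary name over from the CVE description, while every other NOT-FOR-US line in this commit names only the vendor/product ("NOT-FOR-US: Rockwell Automation RSLinx Classic", "NOT-FOR-US: Tec4Data SmartCooler", "NOT-FOR-US: Moxa"); "NOT-FOR-US: Ubisoft Uplay Desktop Client" would match that convention and is no less precise for triage.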
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 79f520f0 by Salvatore Bonaccorso at 2018-09-21T08:24:31Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,17 +1,17 @@ CVE-2018-17303 RESERVED CVE-2018-17302 (Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a ...) - TODO: check + NOT-FOR-US: EspoCRM CVE-2018-17301 (Reflected XSS exists in ...) - TODO: check + NOT-FOR-US: EspoCRM CVE-2018-17300 (Stored XSS exists in CuppaCMS through 2018-09-03 via an ...) - TODO: check + NOT-FOR-US: CuppaCMS CVE-2018-17299 RESERVED CVE-2018-17298 (An issue was discovered in Enalean Tuleap before 10.5. Reset password ...) TODO: check CVE-2018-17297 (The unzip function in ZipUtil.java in Hutool before 4.1.12 allows ...) - TODO: check + NOT-FOR-US: Hutool CVE-2018-17296 RESERVED CVE-2018-17295 @@ -39,7 +39,7 @@ CVE-2018-17285 CVE-2018-17284 RESERVED CVE-2018-17283 (Zoho ManageEngine OpManager before 12.3 Build 123196 does not require ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine OpManager CVE-2018-17282 (An issue was discovered in Exiv2 v0.26. The function ...) TODO: check CVE-2018-17281 
@@ -95,9 +95,9 @@ CVE-2018-17257 CVE-2018-17256 RESERVED CVE-2018-17255 (Navigate CMS 2.8 has Reflected XSS via the navigate.php fid parameter. ...) - TODO: check + NOT-FOR-US: Navigate CMS CVE-2018-17254 (The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the ...) - TODO: check + NOT-FOR-US: JCK Editor component for Joomla! CVE-2018-17253 RESERVED CVE-2018-17252 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/79f520f0bb273ab62b6641ecb595639854557bf3 ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f287cbf by security tracker role at 2018-09-21T08:10:16Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,47 @@ +CVE-2018-17303 + RESERVED +CVE-2018-17302 (Stored XSS exists in views/fields/wysiwyg.js in EspoCRM 5.3.6 via a ...) + TODO: check +CVE-2018-17301 (Reflected XSS exists in ...) + TODO: check +CVE-2018-17300 (Stored XSS exists in CuppaCMS through 2018-09-03 via an ...) + TODO: check +CVE-2018-17299 + RESERVED +CVE-2018-17298 (An issue was discovered in Enalean Tuleap before 10.5. Reset password ...) + TODO: check +CVE-2018-17297 (The unzip function in ZipUtil.java in Hutool before 4.1.12 allows ...) + TODO: check +CVE-2018-17296 + RESERVED +CVE-2018-17295 + RESERVED +CVE-2018-17294 (The matchCurrentInput function inside lou_translateString.c of Liblouis ...) + TODO: check +CVE-2018-17293 (An issue was discovered in WAVM before 2018-09-16. The run function in ...) + TODO: check +CVE-2018-17292 (An issue was discovered in WAVM before 2018-09-16. The loadModule ...) + TODO: check +CVE-2018-17291 + RESERVED +CVE-2018-17290 + RESERVED +CVE-2018-17289 + RESERVED +CVE-2018-17288 + RESERVED +CVE-2018-17287 + RESERVED +CVE-2018-17286 + RESERVED +CVE-2018-17285 + RESERVED +CVE-2018-17284 + RESERVED +CVE-2018-17283 (Zoho ManageEngine OpManager before 12.3 Build 123196 does not require ...) + TODO: check +CVE-2018-17282 (An issue was discovered in Exiv2 v0.26. The function ...) + TODO: check CVE-2018-17281 RESERVED CVE-2018-17280 
@@ -504,7 +548,7 @@ CVE-2018-17063 (An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. A NOT-FOR-US: D-Link CVE-2018-17062 (An issue was discovered in SeaCMS 6.64. XSS exists in admin_video.php ...) NOT-FOR-US: SeaCMS -CVE-2018-17061 (BullGuard Safe Browsing 18.1.355 allows XSS on Google, Bing, and Yahoo! ...) +CVE-2018-17061 (BullGuard Safe Browsing before 18.1.355.9 allows XSS on Google, Bing, ...) NOT-FOR-US: BullGuard Safe Browsing CVE-2018-17060 RESERVED @@ -1187,8 +1231,8 @@ CVE-2018-16754 RESERVED CVE-2018-16753 RESERVED -CVE-2018-16752 - RESERVED +CVE-2018-16752 (LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code ...) + TODO: check CVE-2018-16751 RESERVED CVE-2018-16750 (In ImageMagick 7.0.7-29 and earlier, a memory leak in the ...) @@ -1652,6 +1696,7 @@ CVE-2018-1000773 (WordPress version 4.9.8 and earlier contains a CWE-20 Input Va CVE-2018-1000673 REJECTED CVE-2018-1000671 (sympa version 6.2.16 and later contains a CWE-601: URL Redirection to ...) + {DLA-1512-1} - sympa (bug #908165) [stretch] - sympa (Minor issue) NOTE: https://github.com/sympa-community/sympa/issues/268 @@ -2346,8 +2391,8 @@ CVE-2018-16284 RESERVED CVE-2018-16283 RESERVED -CVE-2018-16282 - RESERVED +CVE-2018-16282 (A command injection vulnerability in the web server functionality of ...) + TODO: check CVE-2018-16281 RESERVED CVE-2018-16280 @@ -3516,8 +3561,8 @@ CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in NOTE: https://github.com/radare/radare2/pull/11300 CVE-2018-15833 (In Vanilla before 2.6.1, the polling functionality allows Insecure ...) NOT-FOR-US: Vanilla -CVE-2018-15832 - RESERVED +CVE-2018-15832 (upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows ...) + TODO: check CVE-2018-15831 RESERVED CVE-2018-15830 
@@ -5762,12 +5807,12 @@ CVE-2018-14831 RESERVED CVE-2018-14830 RESERVED -CVE-2018-14829 - RESERVED +CVE-2018-14829 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This ...) + TODO: check CVE-2018-14828 RESERVED -CVE-2018-14827 - RESERVED +CVE-2018-14827 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. A ...) + TODO: check CVE-2018-14826 RESERVED CVE-2018-14825 @@ -5778,8 +5823,8 @@ CVE-2018-14823 RESERVED CVE-2018-14822 RESERVED -CVE-2018-14821 - RESERVED +CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This ...) + TODO: check CVE-2018-14820 RESERVED CVE-2018-14819 @@ -6446,8 +6491,8 @@ CVE-2018-14593 (An issue was discovered in Open Ticket Request System (OTRS) 6.0 NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/57cda14db8fdbcbfb8cabb32d85fbc89fde48c62 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/7b6802723e1f5d1764b617e9fcf0a8dd21e96216 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/78331ea187181d6130189d4563a50b4c30256320 -CVE-2018-14592 -