[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12f9c0fd by security tracker role at 2018-09-30T20:10:46Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2018-17793 (Virtualenv 16.0.0 allows a sandbox escape via python $(bash 2) and ...) + TODO: check +CVE-2018-17792 + RESERVED +CVE-2018-17791 + RESERVED +CVE-2018-17790 + RESERVED +CVE-2018-17789 + RESERVED +CVE-2018-17788 + RESERVED +CVE-2018-17787 + RESERVED +CVE-2018-17786 + RESERVED +CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal exists via ...) + TODO: check CVE-2018-17784 RESERVED CVE-2018-17783 @@ -1479,7 +1497,7 @@ CVE-2018-17096 (The BPMDetect class in BPMDetect.cpp in libSoundTouch.a in Olli [jessie] - soundtouch (Minor issue) NOTE: https://gitlab.com/soundtouch/soundtouch/issues/14 CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a user-writable error exception ...) - {DSA-4294-1} + {DSA-4294-1 DLA-1527-1} - ghostscript 9.25~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699708 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624 
@@ -4402,7 +4420,7 @@ CVE-2018-15878 CVE-2017-18345 (The Joomanager component through 2.0.0 for Joomla! has an arbitrary ...) NOT-FOR-US: Joomla addon CVE-2018-16543 (In Artifex Ghostscript before 9.24, gssetresolution and gsgetresolution ...) - {DSA-4288-1} + {DSA-4288-1 DLA-1527-1} [experimental] - ghostscript 9.25~dfsg-1~exp1 - ghostscript 9.25~dfsg-1 (bug #908303) NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5b5536fa88a9e885032bc0df3852c3439399a5c0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12f9c0fd5c0a80c7cfb173ccf03fbde2765dd2be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12f9c0fd5c0a80c7cfb173ccf03fbde2765dd2be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
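Review bot: CVE-2018-17793 is left at `TODO: check` in the first hunk, but virtualenv is packaged in Debian (source package python-virtualenv), so the triage needs a source-package line rather than a NOT-FOR-US; the description's "sandbox escape" wording also calls for an explicit severity judgment, because virtualenv isolates Python package installs and is not designed as a security sandbox, so a way to run arbitrary shell from inside one is not by itself a privilege boundary crossing. CVE-2018-17785 (blynk-server) is the other TODO in the same hunk and needs the same is-it-packaged check.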
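Review bot: the two ghostscript hunks append DLA-1527-1 to CVE-2018-17183 (`{DSA-4294-1 DLA-1527-1}`) and CVE-2018-16543 (`{DSA-4288-1 DLA-1527-1}`) inside an "automatic update" whose message mentions neither; that is expected when the reference is propagated from data/DLA/list, but since the DLA entry is what supplies jessie's fixed version for these two CVEs it is worth confirming that DLA-1527-1 there lists exactly this pair and no other ghostscript CVE that should also carry the reference.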
[Git][security-tracker-team/security-tracker][master] Claim jekyll in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c764c95 by Abhijith PA at 2018-09-30T13:14:16Z Claim jekyll in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,7 +32,7 @@ gnutls28 (Antoine Beaupre) -- imagemagick (Roberto C. Sánchez) -- -jekyll +jekyll (Abhijith PA) -- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c764c950ff35a5c969c254f07eb68245f27eb45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c764c950ff35a5c969c254f07eb68245f27eb45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-1714{2,3}/golang-golang-x-net-dev
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b37f65f by Salvatore Bonaccorso at 2018-09-30T12:58:16Z Update information for CVE-2018-1714{2,3}/golang-golang-x-net-dev The issue is only introduced after upstream commit 500e7a4f953ddaf55d316b4d3adc516aa0379622, adding in template insertion mode support. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1356,19 +1356,17 @@ CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.1 - litecoin 0.16.3-1 NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17144 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) - - golang-golang-x-net-dev - - golang-go.net-dev - [jessie] - golang-go.net-dev (vulnerable code not present) + - golang-golang-x-net-dev (Vulnerable code introduced later) + - golang-go.net-dev (Vulnerable code introduced later) NOTE: https://github.com/golang/go/issues/27704 - NOTE: https://github.com/golang/net/commit/2f5d2388922f370f4355f327fcf4cfe9f5583908 - TODO: check, issue possibly only introduced with the 500e7a4f953ddaf55d316b4d3adc516aa0379622 commit (adding "in template" insertion mode support) + NOTE: Fixed by: https://github.com/golang/net/commit/2f5d2388922f370f4355f327fcf4cfe9f5583908 + NOTE: Introduced by: https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622 CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) - - golang-golang-x-net-dev - - golang-go.net-dev - [jessie] - golang-go.net-dev (vulnerable code not present) + - golang-golang-x-net-dev (Vulnerable code introduced later) + - golang-go.net-dev (Vulnerable code introduced later) NOTE: https://github.com/golang/go/issues/27702 - NOTE: https://github.com/golang/net/commit/cf3bd585ca2a5a21b057abd8be7eea2204af89d0 - TODO: check, issue possibly only introduced with the 500e7a4f953ddaf55d316b4d3adc516aa0379622 commit (adding "in template" insertion mode support) + NOTE: Fixed by: https://github.com/golang/net/commit/cf3bd585ca2a5a21b057abd8be7eea2204af89d0 + NOTE: Introduced by: https://github.com/golang/net/commit/500e7a4f953ddaf55d316b4d3adc516aa0379622 CVE-2018-17141 (HylaFAX 6.0.6 and HylaFAX+ 5.6.0 allow remote attackers to execute ...) 
{DSA-4298-1 DLA-1515-1} - hylafax 3:6.0.6-8.1 (bug #909161) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b37f65fbea2c1a36e91b4c9f5192106df160801 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b37f65fbea2c1a36e91b4c9f5192106df160801 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
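Review bot: the hunk drops the jessie-only annotation and treats golang-golang-x-net-dev and golang-go.net-dev as unaffected in every suite on the strength of the `Introduced by:` commit 500e7a4f953ddaf55d316b4d3adc516aa0379622, but neither entry records which upstream snapshot the Debian packages currently ship, so the "Vulnerable code introduced later" claim will silently go stale the moment golang-golang-x-net-dev is updated to a snapshot past that commit. Suggest a NOTE naming the packaged snapshot (date or package version) that was checked against the introducing commit, so the next upstream bump prompts a re-triage instead of inheriting a wrong not-affected status.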
[Git][security-tracker-team/security-tracker][master] Add further notes for CVE-2018-13794
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: da5e0880 by Salvatore Bonaccorso at 2018-09-30T12:31:01Z Add further notes for CVE-2018-13794 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9646,6 +9646,8 @@ CVE-2018-13795 (Gravity before 0.5.1 does not support a maximum recursion depth. CVE-2018-13794 (A heap-based buffer overflow exists in stbi__bmp_load_cont in ...) - catimg (bug #903711) NOTE: https://github.com/posva/catimg/issues/34 + NOTE: Upstream fixed the issue by updating the stb_image copy to v2.19. + NOTE: https://github.com/posva/catimg/pull/41 CVE-2018-13793 (Multiple Cross Site Request Forgery (CSRF) vulnerabilities in the HTTP ...) NOT-FOR-US: ABBYY FlexiCapture CVE-2018-13792 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da5e0880a93a67aab30b0794970a45a713211d26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da5e0880a93a67aab30b0794970a45a713211d26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
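Review bot: the new NOTEs record the upstream remedy (stb_image bumped to v2.19, PR 41) but `- catimg (bug #903711)` still carries no fixed Debian version, and because the remedy is an update to a bundled copy it reaches Debian only when src:catimg's embedded stb_image.h is refreshed, not through any shared library update. Suggest adding the Debian version once uploaded, and keeping CVE-2018-16981 (which, per its entry elsewhere on this page, affects stb_image.h 2.19 itself as used in catimg) in view so the v2.19 bump is not recorded as a complete fix while it introduces the next issue.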
[Git][security-tracker-team/security-tracker][master] Fix typo in TODO
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f8d67ff0 by Salvatore Bonaccorso at 2018-09-30T12:26:22Z Fix typo in TODO - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1746,7 +1746,7 @@ CVE-2018-16982 (Open Chinese Convert (OpenCC) 1.0.5 allows attackers to cause a CVE-2018-16981 (stb stb_image.h 2.19, as used in catimg, Emscripten, and other ...) - catimg NOTE: https://github.com/nothings/stb/issues/656 - TODO: further check, stb_image.h in older version is embedded in src;catimg + TODO: further check, stb_image.h in older version is embedded in src:catimg CVE-2018-16980 (dotCMS V5.0.1 has XSS in the ...) NOT-FOR-US: dotCMS CVE-2018-16979 (Monstra CMS V3.0.4 allows HTTP header injection in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8d67ff0cd7d2d8310da8a2468e61d9fe5a4001e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f8d67ff0cd7d2d8310da8a2468e61d9fe5a4001e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track as well php-horde-turba source package
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e46742be by Salvatore Bonaccorso at 2018-09-30T12:02:35Z Track as well php-horde-turba source package turba/search.php is included in the php-horde-turba source package. Still upstream is unable to confirm the SQL injection issues and the CVE might be invalid or disputed at least. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38427,6 +38427,7 @@ CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-rea NOTE: https://sourceforge.net/p/graphicsmagick/bugs/530/ CVE-2017-17781 (In Horde Groupware through 5.2.22, SQL Injection exists via the group ...) - php-horde + - php-horde-turba NOTE: http://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html NOTE: https://bugs.horde.org/ticket/14857 CVE-2017-17780 (The Clockwork SMS clockwork-test-message.php component has XSS via a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e46742be8dea35e7cbd81992124126fb2d4e0d0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e46742be8dea35e7cbd81992124126fb2d4e0d0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
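Review bot: the hunk adds `- php-horde-turba` next to `- php-horde` without any NOTE carrying the caveat that the commit message states (upstream cannot confirm the SQL injection, the CVE may be invalid or disputed), so that context lives only in git history and is invisible to anyone reading data/CVE/list or the tracker web page. Suggest a `NOTE:` line in the entry recording that upstream could not reproduce the issue per ticket 14857 and that the status is undetermined pending the dispute, since a bare package line otherwise reads as a confirmed open vulnerability in both sources.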
[Git][security-tracker-team/security-tracker][master] Claim php-horde packages in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7fd21741 by Markus Koschany at 2018-09-30T11:43:24Z Claim php-horde packages in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,12 @@ openjdk-7 (Emilio Pozuelo) openjpeg2 (Hugo Lefeuvre) NOTE: 20180719: there is no patch available for the remaining CVEs -- +php-horde (Markus Koschany) +-- +php-horde-core (Markus Koschany) +-- +php-horde-kronolith (Markus Koschany) +-- phpldapadmin (Mike Gabriel) NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7fd21741f32a43596c486b2d726e702abed28998 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7fd21741f32a43596c486b2d726e702abed28998 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage golang-go.net-dev for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 317f46d5 by Markus Koschany at 2018-09-30T11:40:46Z Triage golang-go.net-dev for Jessie. The vulnerable code is not present. The in template insertion mode was introduced in 2018. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1358,12 +1358,14 @@ CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.1 CVE-2018-17143 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) - golang-golang-x-net-dev - golang-go.net-dev + [jessie] - golang-go.net-dev (vulnerable code not present) NOTE: https://github.com/golang/go/issues/27704 NOTE: https://github.com/golang/net/commit/2f5d2388922f370f4355f327fcf4cfe9f5583908 TODO: check, issue possibly only introduced with the 500e7a4f953ddaf55d316b4d3adc516aa0379622 commit (adding "in template" insertion mode support) CVE-2018-17142 (The html package (aka x/net/html) through 2018-09-17 in Go mishandles ...) - golang-golang-x-net-dev - golang-go.net-dev + [jessie] - golang-go.net-dev (vulnerable code not present) NOTE: https://github.com/golang/go/issues/27702 NOTE: https://github.com/golang/net/commit/cf3bd585ca2a5a21b057abd8be7eea2204af89d0 TODO: check, issue possibly only introduced with the 500e7a4f953ddaf55d316b4d3adc516aa0379622 commit (adding "in template" insertion mode support) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/317f46d5ef512306e22bd3e185bbe939ce2a4407 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/317f46d5ef512306e22bd3e185bbe939ce2a4407 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
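Review bot: the hunk adds `[jessie] - golang-go.net-dev (vulnerable code not present)` to both CVEs but leaves the `TODO: check, issue possibly only introduced with the 500e7a4f953ddaf55d316b4d3adc516aa0379622 commit` line untouched, even though the finding in the commit message (the in-template insertion mode was introduced in 2018) is precisely the check the TODO asks for, and it bears on every suite, not only jessie. The TODO should be resolved or replaced by a NOTE citing the introducing commit in the same change, so the jessie verdict and the open question do not contradict each other; the later commit 6b37f65f on this page does exactly that.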
[Git][security-tracker-team/security-tracker][master] Add jekyll to dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4aa7698c by Markus Koschany at 2018-09-30T11:20:12Z Add jekyll to dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,6 +32,8 @@ gnutls28 (Antoine Beaupre) -- imagemagick (Roberto C. Sánchez) -- +jekyll +-- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: 20180118: It is unlikely that he will start again in the next weeks. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4aa7698c894b772315abab0387f0980aa6401ab0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4aa7698c894b772315abab0387f0980aa6401ab0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-16412/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cb75c68 by Salvatore Bonaccorso at 2018-09-30T09:41:45Z Update information on CVE-2018-16412/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3117,9 +3117,13 @@ CVE-2018-16413 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in th NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4745eb1047617330141e9abfd5ae01236a71ae12 CVE-2018-16412 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the ...) - - imagemagick + - imagemagick [jessie] - imagemagick (reproducer provided in upstream bug does not trigger described vulnerability) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1250 + NOTE: Fixed with same patch as for issue #1249, as per upstream discussion at + NOTE: https://github.com/ImageMagick/ImageMagick/issues/1250#issuecomment-422361868 + NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4745eb1047617330141e9abfd5ae01236a71ae12 CVE-2018-16411 RESERVED CVE-2018-16410 (Vanilla before 2.6.1 allows SQL injection via an invitationID array to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7cb75c68e70777cf77c92d58240f63e815c29877 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7cb75c68e70777cf77c92d58240f63e815c29877 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
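Review bot: attaching the #1249 fix commits to CVE-2018-16412 on the basis of the upstream comment is fine, but it leaves the `[jessie] - imagemagick (reproducer provided in upstream bug does not trigger described vulnerability)` line resting on weaker evidence than the rest of the entry: a reproducer that does not crash is not proof the bug is absent, least of all for a heap over-read that may only show under AddressSanitizer. With the ImageMagick6 commit 4745eb1047617330141e9abfd5ae01236a71ae12 now identified, checking whether the code path it patches exists in jessie's 6.x source is the stronger basis; suggest updating the jessie annotation to state that check rather than the reproducer result.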
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2018-16413/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bd1e4261 by Salvatore Bonaccorso at 2018-09-30T09:40:10Z Update information on CVE-2018-16413/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3110,11 +3110,12 @@ CVE-2018-16415 CVE-2018-16414 RESERVED CVE-2018-16413 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the ...) - - imagemagick + - imagemagick [jessie] - imagemagick (reproducer provided in upstream bug does not trigger described vulnerability) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1249 NOTE: https://github.com/ImageMagick/ImageMagick/issues/1251 - TODO: further check before updating entry, partially fixed (1249), but problem with 1251 + NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549 + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4745eb1047617330141e9abfd5ae01236a71ae12 CVE-2018-16412 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in the ...) - imagemagick [jessie] - imagemagick (reproducer provided in upstream bug does not trigger described vulnerability) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bd1e4261f310dc1e37899fac7495e75668d4a1cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bd1e4261f310dc1e37899fac7495e75668d4a1cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
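Review bot: the removed TODO said CVE-2018-16413 was only partially fixed by #1249 and that issue #1251 was still a problem, yet the hunk replaces it with the two fix commits and no NOTE on how #1251 was resolved, while `NOTE: https://github.com/ImageMagick/ImageMagick/issues/1251` stays in the entry. A one-line NOTE stating #1251's outcome (covered by the same commits, a duplicate, or tracked under another CVE) is needed; otherwise the entry reads as fully fixed without explaining why the earlier reservation was dropped.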
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Indent by the date.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a6b3218 by Chris Lamb at 2018-09-30T09:18:58Z data/dla-needed.txt: Indent by the date. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ phpldapadmin (Mike Gabriel) -- poppler NOTE: 20180928: Consider fixing no-dsa/ignored bugs as well since this is - NOTE: frequently used package. + NOTE: 20180928: frequently used package. -- salt NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a6b3218633f7b054bafd043f1b00aeaeb22104b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a6b3218633f7b054bafd043f1b00aeaeb22104b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-754{8,9}/zsh fixed back in 5.5-1 upload to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6f2a290 by Salvatore Bonaccorso at 2018-09-30T09:17:34Z CVE-2018-754{8,9}/zsh fixed back in 5.5-1 upload to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25967,11 +25967,11 @@ CVE-2018-7550 (The load_multiboot function in hw/i386/multiboot.c in Quick Emula - qemu-kvm NOTE: https://git.qemu.org/?p=qemu.git;a=patch;h=2a8fcd119eb7c6bb3837fc3669eb1b2dfb31daf8 CVE-2018-7549 (In params.c in zsh through 5.4.2, there is a crash during a copy of an ...) - - zsh (unimportant) + - zsh 5.5-1 (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/c2cc8b0fbefc9868fa83537f5b6d90fc1ec438dd NOTE: no security impact CVE-2018-7548 (In subst.c in zsh through 5.4.2, there is a NULL pointer dereference ...) - - zsh (unimportant) + - zsh 5.5-1 (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/110b13e1090bc31ac1352b28adc2d02b6d25a102 NOTE: no security impact CVE-2018-7547 (lyadmin 1.x has XSS via the config[WEB_SITE_TITLE] parameter to the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6f2a2904b6f50701e2eb1f1837f552c93538aa8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6f2a2904b6f50701e2eb1f1837f552c93538aa8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-17567/jekyll
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89ecdea2 by Salvatore Bonaccorso at 2018-09-30T09:10:43Z Add bug reference for CVE-2018-17567/jekyll - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -433,7 +433,7 @@ CVE-2018-17569 (network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has an ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 ...) - - jekyll + - jekyll (bug #909933) NOTE: https://github.com/jekyll/jekyll/pull/7224 NOTE: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/ CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for SQL ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/89ecdea29b09a9bbed107cb4dfef198a853ed8dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/89ecdea29b09a9bbed107cb4dfef198a853ed8dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add webkit2gtk issues from WSA-2018-0007
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 40b740ff by Salvatore Bonaccorso at 2018-09-30T09:09:38Z Add webkit2gtk issues from WSA-2018-0007 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35583,12 +35583,21 @@ CVE-2018-4362 RESERVED CVE-2018-4361 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4360 RESERVED CVE-2018-4359 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4358 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4357 RESERVED CVE-2018-4356 @@ -35649,6 +35658,9 @@ CVE-2018-4329 RESERVED CVE-2018-4328 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4327 RESERVED CVE-2018-4326 @@ -35659,6 +35671,9 @@ CVE-2018-4324 RESERVED CVE-2018-4323 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4322 RESERVED CVE-2018-4321 
@@ -35667,32 +35682,62 @@ CVE-2018-4320 RESERVED CVE-2018-4319 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4318 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4317 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4316 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4315 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4314 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4313 RESERVED CVE-2018-4312 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4311 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4310 RESERVED CVE-2018-4309 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4308 RESERVED CVE-2018-4307 RESERVED CVE-2018-4306 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4305 RESERVED CVE-2018-4304 
@@ -35709,6 +35754,9 @@ CVE-2018-4300 NOT-FOR-US: Apple CVE-2018-4299 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4298 RESERVED CVE-2018-4297 @@ -35932,18 +35980,36 @@ CVE-2018-4214 (An issue was discovered in certain Apple products. iOS before 11. NOTE: https://webkitgtk.org/security/WSA-2018-0005.html CVE-2018-4213 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4212 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4211 (An issue was discovered in certain Apple products. iOS before 11.4 is ...) NOT-FOR-US: Apple CVE-2018-4210 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html + NOTE: Not covered by security support CVE-2018-4209 RESERVED + - webkit2gtk 2.22.0-2 (unimportant) + NOTE: https://webkitgtk.org/security/WSA-2018-0007.html +
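Review bot: every added block is the same three lines (`- webkit2gtk 2.22.0-2 (unimportant)`, the WSA-2018-0007 link, `NOTE: Not covered by security support`) attached to CVEs that are still RESERVED, and the last hunk is cut off in this rendering after CVE-2018-4209's first NOTE, so that entry cannot be checked here. Because the descriptions are not yet public, the only evidence tying each CVE to webkit2gtk is the advisory itself; the RESERVED lines are correctly kept above the annotations so the automatic update can fill in descriptions later, but a follow-up pass once MITRE publishes them is worth scheduling to confirm each CVE really maps to a WebKitGTK issue and that the `unimportant` rating (which here encodes the no-security-support decision rather than the technical severity) is still the intended reading for each.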
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17567/jekyll
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f796d2d by Salvatore Bonaccorso at 2018-09-30T08:49:53Z Add CVE-2018-17567/jekyll - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -433,7 +433,9 @@ CVE-2018-17569 (network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has an ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 ...) - TODO: check + - jekyll + NOTE: https://github.com/jekyll/jekyll/pull/7224 + NOTE: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/ CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for SQL ...) NOT-FOR-US: ThinkPHP CVE-2018-17565 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f796d2d8599c04a5afc6725f70983b9aca17e1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f796d2d8599c04a5afc6725f70983b9aca17e1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: baa7cd42 by Salvatore Bonaccorso at 2018-09-30T08:43:07Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2018-17783 CVE-2018-17782 RESERVED CVE-2018-17781 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) - TODO: check + NOT-FOR-US: Foxit CVE-2018-17780 (Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on ...) TODO: check CVE-2018-17779 @@ -15,7 +15,7 @@ CVE-2018-17778 CVE-2018-1 RESERVED CVE-2018-17776 (PCProtect Anti-Virus v4.8.35 has Everyone: (F) permission for ...) - TODO: check + NOT-FOR-US: PCProtect Anti-Virus CVE-2018-17775 RESERVED CVE-2018-17774 @@ -417,15 +417,15 @@ CVE-2018-17577 CVE-2018-17576 RESERVED CVE-2018-17575 (SWA SWA.JACAD 3.1.37 Build 024 has SQL Injection via the ...) - TODO: check + NOT-FOR-US: SWA SWA.JACAD CVE-2018-17574 (An issue was discovered in YMFE YApi 1.3.23. There is stored XSS in the ...) - TODO: check + NOT-FOR-US: YMFE YApi CVE-2018-17573 (The Wp-Insert plugin through 2.4.2 for WordPress allows upload of ...) - TODO: check + NOT-FOR-US: Wp-Insert plugin for WordPress CVE-2018-17572 RESERVED CVE-2018-17571 (Vanilla before 2.6.1 allows XSS via the email field of a profile. ...) - TODO: check + NOT-FOR-US: Vanilla CVE-2018-17570 (utils/ut_ws_svr.c in ViaBTC Exchange Server before 2018-08-21 has an ...) NOT-FOR-US: ViaBTC Exchange Server CVE-2018-17569 (network/nw_buf.c in ViaBTC Exchange Server before 2018-08-21 has an ...) @@ -435,7 +435,7 @@ CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has a CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 ...) TODO: check CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for SQL ...) - TODO: check + NOT-FOR-US: ThinkPHP CVE-2018-17565 RESERVED CVE-2018-17564 
@@ -749,7 +749,7 @@ CVE-2018-17413 CVE-2018-17412 RESERVED CVE-2018-17411 (An XML External Entity (XXE) vulnerability exists in iWay Data Quality ...) - TODO: check + NOT-FOR-US: iWay Data Quality Suite Web Console CVE-2018-17410 (Horus CMS allows SQL Injection, as demonstrated by a request to the ...) NOT-FOR-US: Horus CMS CVE-2018-17409 @@ -775,19 +775,19 @@ CVE-2018-17399 CVE-2018-17398 RESERVED CVE-2018-17397 (SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for ...) - TODO: check + NOT-FOR-US: AlphaIndex Dictionaries component for Joomla! CVE-2018-17396 RESERVED CVE-2018-17395 RESERVED CVE-2018-17394 (SQL Injection exists in the Timetable Schedule 3.6.8 component for ...) - TODO: check + NOT-FOR-US: Timetable Schedule component for Joomla! CVE-2018-17393 RESERVED CVE-2018-17392 RESERVED CVE-2018-17391 (SQL Injection exists in authors_post.php in Super Cms Blog Pro 1.0 via ...) - TODO: check + NOT-FOR-US: Super Cms Blog Pro CVE-2018-17390 RESERVED CVE-2018-17389 
@@ -799,27 +799,27 @@ CVE-2018-17387 CVE-2018-17386 RESERVED CVE-2018-17385 (SQL Injection exists in the Social Factory 3.8.3 component for Joomla! ...) - TODO: check + NOT-FOR-US: Social Factory component for Joomla! CVE-2018-17384 (SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! ...) - TODO: check + NOT-FOR-US: Swap Factory component for Joomla! CVE-2018-17383 (SQL Injection exists in the Collection Factory 4.1.9 component for ...) - TODO: check + NOT-FOR-US: Collection Factory component for Joomla! CVE-2018-17382 (SQL Injection exists in the Jobs Factory 2.0.4 component for Joomla! ...) - TODO: check + NOT-FOR-US: Jobs Factory component for Joomla! CVE-2018-17381 RESERVED CVE-2018-17380 (SQL Injection exists in the Article Factory Manager 4.3.9 component ...) - TODO: check + NOT-FOR-US: Article Factory Manager component for Joomla! CVE-2018-17379 (SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! ...) - TODO: check + NOT-FOR-US: Raffle Factory component for Joomla! CVE-2018-17378 (SQL Injection exists in the Penny Auction Factory 2.0.4 component for ...) - TODO: check + NOT-FOR-US: Penny Auction Factory component for Joomla! CVE-2018-17377 (SQL Injection exists in the Questions 1.4.3 component for Joomla! via ...) - TODO: check + NOT-FOR-US: Questions component for Joomla! CVE-2018-17376 (SQL Injection exists in the Reverse Auction Factory 4.3.8 component ...) - TODO: check + NOT-FOR-US: Reverse Auction Factory component for Joomla!
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ce234c2 by security tracker role at 2018-09-30T08:10:26Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2018-17784 + RESERVED CVE-2018-17783 RESERVED CVE-2018-17782 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ce234c27766cce9589632c78728b64c4e404a28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0ce234c27766cce9589632c78728b64c4e404a28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits