[Git][security-tracker-team/security-tracker][master] Add CVE-2018-9206/libjs-jquery-file-upload

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
887bfd6e by Salvatore Bonaccorso at 2018-10-13T06:13:12Z
Add CVE-2018-9206/libjs-jquery-file-upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23041,7 +23041,9 @@ CVE-2018-9208
 CVE-2018-9207
RESERVED
 CVE-2018-9206 (Unauthenticated arbitrary file upload vulnerability in Blueimp 
...)
-   TODO: check
+   - libjs-jquery-file-upload 
+   NOTE: https://github.com/blueimp/jQuery-File-Upload/pull/3514
+   NOTE: http://www.vapidlabs.com/advisory.php?v=204
 CVE-2018-9205 (Vulnerability in avatar_uploader v7.x-1.0-beta8 , The code in 
view.php ...)
NOT-FOR-US: avatar_uploader
 CVE-2018-9204
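Review bot: the new package line `+   - libjs-jquery-file-upload ` records neither a fixed version nor a Debian bug reference, while other entries in this file carry one or both (compare `- liblouis 3.5.0-4 (bug #901202)`). As rendered here only a trailing space follows the package name, so confirm the committed line holds a version or state token in that position, and add a `(bug #NNNNNN)` reference (placeholder until a bug is filed) so the unfixed status is tracked against the BTS rather than only against the upstream PR and advisory linked in the two NOTE lines.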



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/887bfd6ed68d2663fa14330c22a3097570a80ae7

You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] remaining wireshark issues postponed

2018-10-12 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97dcf3ad by Moritz Muehlenhoff at 2018-10-12T21:58:13Z
remaining wireshark issues postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -260,16 +260,19 @@ CVE-2018-18228
RESERVED
 CVE-2018-18227 (In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP 
protocol ...)
- wireshark 
+   [stretch] - wireshark  (Fix along in next DSA)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15119
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d443be449a52f95df5754adc39e1f3472fec2f03
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-47.html
 CVE-2018-18226 (In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector 
could ...)
- wireshark 
+   [stretch] - wireshark  (Fix along in next DSA)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15171
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e920ddc3cad2886ef07ca1a8e50e2a5c50986f7
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-48.html
 CVE-2018-18225 (In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. 
This was ...)
- wireshark 
+   [stretch] - wireshark  (Fix along in next DSA)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=09a02cc1ea6de9f6c6cae75b3510a5477ef5f555
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-49.html
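Review bot: all three stretch lines added in this hunk read `[stretch] - wireshark  (Fix along in next DSA)` with two spaces between the package name and the parenthesised note and no state keyword visible in between; the commit message says these issues are postponed, so confirm the postponed marker is present in the committed lines, because a stretch line with a free-text note but no state or version token is not the same thing to the tracker as a postponed entry. The same check applies to the CVE-2018-12086 line in the following hunk.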
@@ -15394,6 +15397,7 @@ CVE-2018-12087 (Failure to validate certificates in OPC 
Foundation UA Client ...
NOT-FOR-US: OPC UA
 CVE-2018-12086 (Buffer overflow in OPC UA applications allows remote attackers 
to ...)
- wireshark 
+   [stretch] - wireshark  (Fix along in next DSA)
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-50.html
 CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the 
function ...)
- liblouis 3.5.0-4 (bug #901202)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/97dcf3adca03052816b65868a6b5ae374cc9e0ad


[Git][security-tracker-team/security-tracker][master] Add commit for CVE-2018-9145/exiv2

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9385f06a by Salvatore Bonaccorso at 2018-10-12T21:08:18Z
Add commit for CVE-2018-9145/exiv2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23175,6 +23175,7 @@ CVE-2018-9145 (In the DataBuf class in 
include/exiv2/types.hpp in Exiv2 0.26, an
[wheezy] - exiv2  (Minor issue)
NOTE: https://github.com/xiaoqx/pocs/tree/master/exiv2
NOTE: https://github.com/Exiv2/exiv2/pull/470
+   NOTE: 
https://github.com/Exiv2/exiv2/commit/c03f73268f65c73f9d3d7b670f13e48e92692750
 CVE-2018-9144 (In Exiv2 0.26, there is an out-of-bounds read in ...)
- exiv2  (low)
[stretch] - exiv2  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9385f06a609f5908ac8e197d0d1fede06525ec2c


[Git][security-tracker-team/security-tracker][master] imagemagick/wireshark DSAs

2018-10-12 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa32e248 by Moritz Muehlenhoff at 2018-10-12T20:37:07Z
imagemagick/wireshark DSAs

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,9 @@
+[12 Oct 2018] DSA-4316-1 imagemagick - security update
+   {CVE-2018-16412 CVE-2018-16413 CVE-2018-16642 CVE-2018-16644 
CVE-2018-16645}
+   [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u6
+[12 Oct 2018] DSA-4315-1 wireshark - security update
+   {CVE-2018-16056 CVE-2018-16057 CVE-2018-16058}
+   [stretch] - wireshark 2.6.3-1~deb9u1
 [11 Oct 2018] DSA-4314-1 net-snmp - security update
{CVE-2018-18065}
[stretch] - net-snmp 5.7.3+dfsg-1.7+deb9u1


=
data/dsa-needed.txt
=
@@ -31,8 +31,6 @@ gnutls28
 --
 graphicsmagick (jmm)
 --
-imagemagick (jmm)
---
 knot-resolver
 --
 libidn
@@ -63,7 +61,7 @@ mupdf
 --
 openjpeg2 (luciano)
 --
-otrs2
+otrs2 (jmm)
   Maintainer submitted debdiff for reviewe
 --
 passenger
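Review bot: the context line `  Maintainer submitted debdiff for reviewe` still carries the typo "reviewe" (should be "review"); since this hunk already edits the otrs2 entry to assign it to jmm, fix the spelling in the same change instead of leaving it for a separate commit.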
@@ -84,5 +82,3 @@ thunderbird (jmm)
 --
 wesnoth-1.12
 --
-wireshark (jmm)
---



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa32e2489f3031d2d0db7503605a0237a8c6baa3


[Git][security-tracker-team/security-tracker][master] Remove further wireshark no-dsa entries

2018-10-12 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a36bf592 by Moritz Muehlenhoff at 2018-10-12T20:34:33Z
Remove further wireshark no-dsa entries

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -71832,7 +71832,6 @@ CVE-2017-9767 (Multiple cross-site scripting (XSS) 
vulnerabilities in Quali ...)
NOT-FOR-US: Quali CloudShell
 CVE-2017-9766 (In Wireshark 2.2.7, PROFINET IO data with a high recursion 
depth allows ...)
- wireshark 2.4.0-1 (low; bug #870175)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811
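Review bot: dropping `[stretch] - wireshark  (Minor issue)` leaves the stretch status of CVE-2017-9766 to be derived from comparing stretch's package version against the unstable fix `wireshark 2.4.0-1`; that only gives the intended result because DSA-4315-1 (also in this digest) moved stretch to 2.6.3-1~deb9u1, so the commit message should state that rationale rather than just "remove further no-dsa entries". Keeping the jessie and wheezy lines is right, since the DSA entry carries only a `[stretch]` line.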
@@ -72411,13 +72410,11 @@ CVE-2017-9618 (The xps_load_sfnt_name function in 
xps/xpsfont.c in Artifex Ghost
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3c2aebbedd37fab054e80f2e315de07d7e9b5bdb
 CVE-2017-9617 (In Wireshark 2.2.7, deeply nested DAAP data may cause stack 
exhaustion ...)
- wireshark 2.4.0-1 (low; bug #870174)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13799
 CVE-2017-9616 (In Wireshark 2.2.7, overly deep mp4 chunks may cause stack 
exhaustion ...)
- wireshark 2.4.0-1 (low; bug #870173)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13777
@@ -73195,28 +73192,24 @@ CVE-2017-9355 (XML external entity (XXE) 
vulnerability in the import playlist fe
NOT-FOR-US: Subsonic
 CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP 
dissector ...)
- wireshark 2.2.7-1 (bug #864058)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646
 CVE-2017-9353 (In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. 
This was ...)
- wireshark 2.2.7-1 (low; bug #864058)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Only affects 2.2.x)
[wheezy] - wireshark  (Only affects 2.2.x)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-33.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13675
 CVE-2017-9352 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar 
dissector ...)
- wireshark 2.2.7-1 (low; bug #864058)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-22.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13599
 CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP 
dissector ...)
- wireshark 2.2.7-1 (low; bug #864058)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-24.html
@@ -73224,7 +73217,6 @@ CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 
2.0.12, the DHCP dissect
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13609
 CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY 
...)
- wireshark 2.2.7-1 (low; bug #864058)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html
@@ -73234,14 +73226,12 @@ CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 
to 2.0.12, the openSAFETY .
NOTE: are opened to CVE-2017-11411, which exists because of an 
incomplete fix.
 CVE-2017-9349 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM 
dissector ...)
- wireshark 2.2.7-1 (low; bug #864058)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Minor issue)
[wheezy] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-27.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13685
 CVE-2017-9348 (In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past 
the end ...)
- wireshark 2.2.7-1 (bug #864058)
-   [stretch] - wireshark  (Minor issue)
[jessie] - wireshark  (Only affects 2.2.x)
[wheezy] - wireshark  (Only affects 2.2.x)
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-23.html
@@ -73255,28 +73245,24 @@ CVE-2017-9347 (In Wiresha

[Git][security-tracker-team/security-tracker][master] Process NFUs

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d2bd75f by Salvatore Bonaccorso at 2018-10-12T20:22:52Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,9 @@
 CVE-2018-18272
RESERVED
 CVE-2018-18271 (XSS exists in CMS Made Simple version 2.2.7 via the m1_extra 
parameter ...)
-   TODO: check
+   NOT-FOR-US: CMS Made Simple
 CVE-2018-18270 (XSS exists in CMS Made Simple version 2.2.7 via the 
m1_news_url ...)
-   TODO: check
+   NOT-FOR-US: CMS Made Simple
 CVE-2018-18269
RESERVED
 CVE-2018-18268
@@ -1028,35 +1028,35 @@ CVE-2018-17904
 CVE-2018-17903
RESERVED
 CVE-2018-17902 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, 
All ...)
-   TODO: check
+   NOT-FOR-US: Yokogawa STARDOM Controllers
 CVE-2018-17901
RESERVED
 CVE-2018-17900 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, 
All ...)
-   TODO: check
+   NOT-FOR-US: Yokogawa STARDOM Controllers
 CVE-2018-17899
RESERVED
 CVE-2018-17898 (Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, 
All ...)
-   TODO: check
+   NOT-FOR-US: Yokogawa STARDOM Controllers
 CVE-2018-17897
RESERVED
 CVE-2018-17896 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, 
All ...)
-   TODO: check
+   NOT-FOR-US: Yokogawa STARDOM Controllers
 CVE-2018-17895
RESERVED
 CVE-2018-17894 (NUUO CMS all versions 3.1 and prior, The application creates 
default ...)
-   TODO: check
+   NOT-FOR-US: NUUO CMS
 CVE-2018-17893
RESERVED
 CVE-2018-17892 (NUUO CMS all versions 3.1 and prior, The application 
implements a ...)
-   TODO: check
+   NOT-FOR-US: NUUO CMS
 CVE-2018-17891 (Carestream Vue RIS, RIS Client Builds: Version 11.2 and prior 
running ...)
NOT-FOR-US: Carestream Vue RIS, RIS Client Builds
 CVE-2018-17890 (NUUO CMS all versions 3.1 and prior, The application uses 
insecure and ...)
-   TODO: check
+   NOT-FOR-US: NUUO CMS
 CVE-2018-17889 (In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and 
prior ...)
NOT-FOR-US: PI Studio HMI
 CVE-2018-17888 (NUUO CMS all versions 3.1 and prior, The application uses a 
session ...)
-   TODO: check
+   NOT-FOR-US: NUUO CMS
 CVE-2018-17887
RESERVED
 CVE-2018-17886 (An issue was discovered in JEESNS 1.3. The XSS filter in ...)
@@ -5565,11 +5565,11 @@ CVE-2018-15970
 CVE-2018-15969
RESERVED
 CVE-2018-15968 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15967 (Adobe Flash Player versions 30.0.0.154 and earlier have a 
privilege ...)
NOT-FOR-US: Adobe
 CVE-2018-15966 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15965 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), 
Update 6 ...)
NOT-FOR-US: Adobe
 CVE-2018-15964 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), 
Update 6 ...)
@@ -5589,79 +5589,79 @@ CVE-2018-15958 (Adobe ColdFusion versions July 12 
release (2018.0.0.310739), Upd
 CVE-2018-15957 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), 
Update 6 ...)
NOT-FOR-US: Adobe
 CVE-2018-15956 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15955 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15954 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15953 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15952 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15951 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15950 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15949 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15948 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15947 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15946 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15945 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2018-15

[Git][security-tracker-team/security-tracker][master] automatic update

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
46ec4ae1 by security tracker role at 2018-10-12T20:12:01Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2018-18272
+   RESERVED
+CVE-2018-18271 (XSS exists in CMS Made Simple version 2.2.7 via the m1_extra 
parameter ...)
+   TODO: check
+CVE-2018-18270 (XSS exists in CMS Made Simple version 2.2.7 via the 
m1_news_url ...)
+   TODO: check
+CVE-2018-18269
+   RESERVED
+CVE-2018-18268
+   RESERVED
+CVE-2018-18267
+   RESERVED
+CVE-2018-18266
+   RESERVED
 CVE-2018-18265
RESERVED
 CVE-2018-18264
@@ -1013,36 +1027,36 @@ CVE-2018-17904
RESERVED
 CVE-2018-17903
RESERVED
-CVE-2018-17902
-   RESERVED
+CVE-2018-17902 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, 
All ...)
+   TODO: check
 CVE-2018-17901
RESERVED
-CVE-2018-17900
-   RESERVED
+CVE-2018-17900 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, 
All ...)
+   TODO: check
 CVE-2018-17899
RESERVED
-CVE-2018-17898
-   RESERVED
+CVE-2018-17898 (Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, 
All ...)
+   TODO: check
 CVE-2018-17897
RESERVED
-CVE-2018-17896
-   RESERVED
+CVE-2018-17896 (Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, 
All ...)
+   TODO: check
 CVE-2018-17895
RESERVED
-CVE-2018-17894
-   RESERVED
+CVE-2018-17894 (NUUO CMS all versions 3.1 and prior, The application creates 
default ...)
+   TODO: check
 CVE-2018-17893
RESERVED
-CVE-2018-17892
-   RESERVED
+CVE-2018-17892 (NUUO CMS all versions 3.1 and prior, The application 
implements a ...)
+   TODO: check
 CVE-2018-17891 (Carestream Vue RIS, RIS Client Builds: Version 11.2 and prior 
running ...)
NOT-FOR-US: Carestream Vue RIS, RIS Client Builds
-CVE-2018-17890
-   RESERVED
+CVE-2018-17890 (NUUO CMS all versions 3.1 and prior, The application uses 
insecure and ...)
+   TODO: check
 CVE-2018-17889 (In WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and 
prior ...)
NOT-FOR-US: PI Studio HMI
-CVE-2018-17888
-   RESERVED
+CVE-2018-17888 (NUUO CMS all versions 3.1 and prior, The application uses a 
session ...)
+   TODO: check
 CVE-2018-17887
RESERVED
 CVE-2018-17886 (An issue was discovered in JEESNS 1.3. The XSS filter in ...)
@@ -5550,12 +5564,12 @@ CVE-2018-15970
RESERVED
 CVE-2018-15969
RESERVED
-CVE-2018-15968
-   RESERVED
+CVE-2018-15968 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
+   TODO: check
 CVE-2018-15967 (Adobe Flash Player versions 30.0.0.154 and earlier have a 
privilege ...)
NOT-FOR-US: Adobe
-CVE-2018-15966
-   RESERVED
+CVE-2018-15966 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
+   TODO: check
 CVE-2018-15965 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), 
Update 6 ...)
NOT-FOR-US: Adobe
 CVE-2018-15964 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), 
Update 6 ...)
@@ -5574,80 +5588,80 @@ CVE-2018-15958 (Adobe ColdFusion versions July 12 
release (2018.0.0.310739), Upd
NOT-FOR-US: Adobe
 CVE-2018-15957 (Adobe ColdFusion versions July 12 release (2018.0.0.310739), 
Update 6 ...)
NOT-FOR-US: Adobe
-CVE-2018-15956
-   RESERVED
-CVE-2018-15955
-   RESERVED
-CVE-2018-15954
-   RESERVED
-CVE-2018-15953
-   RESERVED
-CVE-2018-15952
-   RESERVED
-CVE-2018-15951
-   RESERVED
-CVE-2018-15950
-   RESERVED
-CVE-2018-15949
-   RESERVED
-CVE-2018-15948
-   RESERVED
-CVE-2018-15947
-   RESERVED
-CVE-2018-15946
-   RESERVED
-CVE-2018-15945
-   RESERVED
-CVE-2018-15944
-   RESERVED
-CVE-2018-15943
-   RESERVED
-CVE-2018-15942
-   RESERVED
-CVE-2018-15941
-   RESERVED
-CVE-2018-15940
-   RESERVED
-CVE-2018-15939
-   RESERVED
-CVE-2018-15938
-   RESERVED
-CVE-2018-15937
-   RESERVED
-CVE-2018-15936
-   RESERVED
-CVE-2018-15935
-   RESERVED
-CVE-2018-15934
-   RESERVED
-CVE-2018-15933
-   RESERVED
-CVE-2018-15932
-   RESERVED
-CVE-2018-15931
-   RESERVED
-CVE-2018-15930
-   RESERVED
-CVE-2018-15929
-   RESERVED
-CVE-2018-15928
-   RESERVED
-CVE-2018-15927
-   RESERVED
-CVE-2018-15926
-   RESERVED
-CVE-2018-15925
-   RESERVED
-CVE-2018-15924
-   RESERVED
-CVE-2018-15923
-   RESERVED
-CVE-2018-15922
-   RESERVED
+CVE-2018-15956 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
+   TODO: check
+CVE-2018-15955 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
+   TODO: check
+CVE-2018-15954 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, 
...)
+   TODO: check
+CVE-2018-15953 (Adobe

[Git][security-tracker-team/security-tracker][master] stretch triage

2018-10-12 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec8c21a1 by Moritz Muehlenhoff at 2018-10-12T20:02:35Z
stretch triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -626,6 +626,7 @@ CVE-2018-18056
RESERVED
 CVE-2018-1000810 (The Rust Programming Language Standard Library version 
1.29.0, 1.28.0, ...)
- rustc 
+   [stretch] - rustc  (Can be fixed along in future rustc update 
for ESR68)
NOTE: 
https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.html
NOTE: 
https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0
NOTE: Fixed upstream in 1.29.1
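Review bot: the stretch line added here defers CVE-2018-1000810 to a future rustc update for ESR68, but the top-level line `- rustc ` still records no fixed version for unstable even though the existing note says `Fixed upstream in 1.29.1`; once 1.29.1 or later is in the archive, record that version on the unstable line so the stretch postponement has a concrete target to be compared against.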
@@ -1732,7 +1733,8 @@ CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server 
before 2018-08-21 has a
NOT-FOR-US: ViaBTC Exchange Server
 CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 
3.8.3 ...)
{DLA-1541-1}
-   - jekyll  (bug #909933)
+   - jekyll  (low; bug #909933)
+   [stretch] - jekyll  (Minor issue)
NOTE: https://github.com/jekyll/jekyll/pull/7224
NOTE: 
https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/
 CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for 
SQL ...)
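Review bot: the stretch line added here marks CVE-2018-17567 as `(Minor issue)` while the context line `{DLA-1541-1}` shows jessie received a dedicated LTS update for the same issue; add a NOTE giving the reason for the different assessment so a later triager does not read the two decisions as contradictory. Lowering the unstable entry to `(low; bug #909933)` in the same hunk is consistent with that assessment.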
@@ -1971,6 +1973,7 @@ CVE-2018-17456 (Git before 2.14.5, 2.15.x before 2.15.3, 
2.16.x before 2.16.5, 2
 CVE-2018-17455 [IDOR merge request approvals]
RESERVED
- gitlab 
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
 CVE-2018-17454 [Persistent XSS on issue details]
RESERVED
@@ -1985,6 +1988,7 @@ CVE-2018-17453 [GRPC::Unknown logging token disclosure]
 CVE-2018-17452 [validate_localhost function in url_blocker.rb could be 
bypassed]
RESERVED
- gitlab 
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
 CVE-2018-17451 [Slack integration CSRF Oauth2]
RESERVED
@@ -5056,13 +5060,16 @@ CVE-2018-16048 (An issue was discovered in GitLab 
Community and Enterprise Editi
NOTE: 
https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
 CVE-2018-16051 (An issue was discovered in GitLab Community and Enterprise 
Edition ...)
- gitlab 
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: https://gitlab.com/gitlab-org/gitlab-ee/issues/6012
NOTE: 
https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
 CVE-2018- [gitlab: Missing CSRF in System Hooks]
- gitlab 
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: 
https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
 CVE-2018-16049 (An issue was discovered in GitLab Community and Enterprise 
Edition ...)
- gitlab 
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/46967
NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/49272
NOTE: 
https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
@@ -6850,6 +6857,7 @@ CVE-2018-15474 (** DISPUTED ** CSV Injection (aka Excel 
Macro Injection or Formu
 CVE-2018-15472 [Diff formatter DoS in Sidekiq jobs]
RESERVED
- gitlab 
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
 CVE-2018-15467
RESERVED
@@ -8894,6 +8902,7 @@ CVE-2018-14604 (An issue was discovered in GitLab 
Community and Enterprise Editi
NOTE: 
https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/
 CVE-2018-14603 (An issue was discovered in GitLab Community and Enterprise 
Edition ...)
- gitlab 
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: 
https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/
 CVE-2018-14602 (An issue was discovered in GitLab Community and Enterprise 
Edition ...)
- gitlab 
@@ -9606,6 +9615,7 @@ CVE-2018-14365
RESERVED
 CVE-2018-14364 (GitLab Community and Enterprise Edition before 10.7.7, 10.8.x 
before ...)
- gitlab 10.7.7+dfsg-2 (bug #904026)
+   [stretch] - gitlab  (Scheduled for removal in next point 
release)
NOTE: 
https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/
 CVE-2018-14363 (An issue was discovered in NeoMutt before 2018-07-16. newsrc.c 
does not ...)
{DSA-4277-1 DLA-1455-1}
@@ -13849,9 +13859,11 @@ CVE-201

[Git][security-tracker-team/security-tracker][master] Several gitlab issues addressed now in unstable with the 10.7.7+dfsg-2 upload

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
05996cdc by Salvatore Bonaccorso at 2018-10-12T19:52:37Z
Several gitlab issues addressed now in unstable with the 10.7.7+dfsg-2 upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9605,7 +9605,7 @@ CVE-2018-14366 (download.cgi in Pulse Secure Pulse 
Connect Secure 8.1RX before 8
 CVE-2018-14365
RESERVED
 CVE-2018-14364 (GitLab Community and Enterprise Edition before 10.7.7, 10.8.x 
before ...)
-   - gitlab  (bug #904026)
+   - gitlab 10.7.7+dfsg-2 (bug #904026)
NOTE: 
https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/
 CVE-2018-14363 (An issue was discovered in NeoMutt before 2018-07-16. newsrc.c 
does not ...)
{DSA-4277-1 DLA-1455-1}
@@ -13840,21 +13840,21 @@ CVE-2018-1000402 (Jenkins project Jenkins AWS 
CodeDeploy Plugin version 1.19 and
 CVE-2018-1000401 (Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 
and ...)
NOT-FOR-US: Jenkins plugin
 CVE-2018-12607 (An issue was discovered in GitLab Community Edition and 
Enterprise ...)
-   - gitlab  (bug #902726)
+   - gitlab 10.7.7+dfsg-2 (bug #902726)
[stretch] - gitlab  (Only affects >= 10.5)
NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
 CVE-2018- [gitlab: Activity feed publicly displaying internal project 
names]
-   - gitlab  (bug #902726)
+   - gitlab 10.7.7+dfsg-2 (bug #902726)
[stretch] - gitlab  (Only affects >= 10.7)
NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
 CVE-2018- [gitlab: Content injection via username]
-   - gitlab  (bug #902726)
+   - gitlab 10.7.7+dfsg-2 (bug #902726)
NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
 CVE-2018-12606 (An issue was discovered in GitLab Community Edition and 
Enterprise ...)
-   - gitlab  (bug #902726)
+   - gitlab 10.7.7+dfsg-2 (bug #902726)
NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
 CVE-2018-12605 (An issue was discovered in GitLab Community Edition and 
Enterprise ...)
-   - gitlab  (bug #902726)
+   - gitlab 10.7.7+dfsg-2 (bug #902726)
[stretch] - gitlab  (Only affects 10.7)
NOTE: 
https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
 CVE-2018-12604 (GreenCMS 2.3.0603 allows remote attackers to obtain sensitive 
...)
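Review bot: two entries in this hunk, `CVE-2018- [gitlab: Content injection via username]` and CVE-2018-12606, receive the unstable fix `gitlab 10.7.7+dfsg-2 (bug #902726)` but have no `[stretch]` line, whereas their neighbours carry `(Only affects >= 10.5)`, `(Only affects >= 10.7)` or `(Only affects 10.7)`; confirm whether the stretch version of gitlab is affected by those two and add the corresponding stretch line so the triage of this batch is complete.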
@@ -16783,36 +16783,36 @@ CVE-2018-11541 (A root privilege escalation 
vulnerability in the Sonus SBC 1000
NOT-FOR-US: Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface
 CVE-2018- [gitlab: Removing public deploy keys regression]
[experimental] - gitlab 10.7.5+dfsg-1
-   - gitlab  (bug #900522)
+   - gitlab 10.7.7+dfsg-2 (bug #900522)
[stretch] - gitlab  (Introduced in 10.1.6)
NOTE: 
https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
 CVE-2017-0921 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, 
and ...)
[experimental] - gitlab 10.7.5+dfsg-1
-   - gitlab  (bug #900522)
+   - gitlab 10.7.7+dfsg-2 (bug #900522)
NOTE: 
https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
 CVE-2018- [gitlab: Persistent XSS - Selecting users as allowed merge 
request approvers]
[experimental] - gitlab 10.7.5+dfsg-1
-   - gitlab  (bug #900522)
+   - gitlab 10.7.7+dfsg-2 (bug #900522)
[stretch] - gitlab  (Introduced in 9.1)
NOTE: 
https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
 CVE-2018- [gitlab: Persistent XSS - Multiple locations of user selection 
drop downs]
[experimental] - gitlab 10.7.5+dfsg-1
-   - gitlab  (bug #900522)
+   - gitlab 10.7.7+dfsg-2 (bug #900522)
[stretch] - gitlab  (Introduced in 9.1)
NOTE: 
https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
 CVE-2018- [gitlab: include directive in .gitlab-ci.yml allows SSRF 
requests]
[experimental] - gitlab 10.7.5+dfsg-1
-   - gitlab  (bug #900522)
+   - gitlab 10.7.7+dfsg-2 (bug #900522)
[stretch] - gitlab  (Introduced in 10.5)
NOTE: 
https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
 CVE-2018- [gitlab: Permissions issue in Merge Requests Create Service]
[experimental] - gitlab 10.7.5+dfsg-1
-   - gitlab  (bug #900522)
+   - gitlab 10.7.7+dfsg-2 (bug #900522)
[stretch] - gitlab  (Introduced in 10.6)
NOTE: 
https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
 CVE-2018- [gitlab: Arbitrary assignment of

[Git][security-tracker-team/security-tracker][master] Add note for otrs2 to dsa-needed list

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abe7df52 by Salvatore Bonaccorso at 2018-10-12T19:40:20Z
Add note for otrs2 to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -64,6 +64,7 @@ mupdf
 openjpeg2 (luciano)
 --
 otrs2
+  Maintainer submitted debdiff for reviewe
 --
 passenger
 --
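Review bot: typo in the added line `+  Maintainer submitted debdiff for reviewe`: "reviewe" should be "review". It would also help to record where the debdiff was submitted (bug number or list thread) so the next person picking up otrs2 from dsa-needed.txt can find it.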



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/abe7df529ce180f18a0818bcec245215e19c425e


[Git][security-tracker-team/security-tracker][master] 2 commits: Add bug reference for CVE-2018-16644/imagemagick

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92636d84 by Salvatore Bonaccorso at 2018-10-12T19:32:20Z
Add bug reference for CVE-2018-16644/imagemagick

- - - - -
3f74d5b1 by Salvatore Bonaccorso at 2018-10-12T19:32:21Z
Add bug reference for CVE-2018-16645/imagemagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3862,12 +3862,12 @@ CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() 
function in Parser.cc ma
NOTE: Proposed fix: 
https://gitlab.freedesktop.org/poppler/poppler/merge_requests/67
 CVE-2018-16645 (There is an excessive memory allocation issue in the functions 
...)
{DLA-1530-1}
-   - imagemagick 
+   - imagemagick  (bug #910889)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/ecb31dbad39ccdc65868d5d2a37f0f0521250832
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1268
 CVE-2018-16644 (There is a missing check for length in the functions 
ReadDCMImage of ...)
{DLA-1530-1}
-   - imagemagick 
+   - imagemagick  (bug #910888)
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/16916c8979c32765c542e216b31cee2671b7afe7
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/afa878a689870c28b6994ecf3bb8dbfb2b76d135
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/00ef0f1bbf9eb1efdf0f38f51c72ecb26cc9a306
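Review bot: in the CVE-2018-16644 entry the first two commit NOTE lines carry no branch label while the third is labelled `ImageMagick6:`; labelling them the way the CVE-2018-16413 entry does (`NOTE: ImageMagick:` next to `NOTE: ImageMagick6:`) would make it unambiguous which commits apply to which branch when someone backports. The bug references themselves are consistent with the DLA-1530-1 line above each entry.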



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/9ab00e321537dbbd31d334e22cccbcffd235d125...3f74d5b17ccb13fcd2c92de9e9f892e9e0d68dcc


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Drop pyopenssl after further investigation. Thanks apo!

2018-10-12 Thread Chris Lamb
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9ab00e32 by Chris Lamb at 2018-10-12T19:26:26Z
data/dla-needed.txt: Drop pyopenssl after further investigation. Thanks apo!

See 60aaf7c195e0fdaf401b468558fabe84b1f16b3b and 
17dab33a7ab383cb7b60ce0a04abbb0720a7ab24

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -634,10 +634,12 @@ CVE-2018-1000809 (privacyIDEA version 2.23.1 and earlier 
contains a Improper Inp
 CVE-2018-1000808 (Python Cryptographic Authority pyopenssl version Before 
17.5.0 ...)
- pyopenssl 17.5.0-1 (low)
[stretch] - pyopenssl  (Minor issue)
+   [jessie] - pyopenssl  (Minor issue, but also requires at least 
cryptography 2.1.4 which exposes the X509_up_ref method)
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to 
version ...)
- pyopenssl 17.5.0-1
+   [jessie] - pyopenssl  (Minor issue, but also requires at least 
cryptography 2.1.4 which exposes the X509_up_ref method)
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 
1.17.6 ...)
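Review bot: both the existing [stretch] line and the two new [jessie] lines show two spaces between the package name and the parenthetical, which is where the tracker's status marker (the `<no-dsa>` token) sits; the rendering here drops angle-bracket tokens, so confirm the committed lines carry it, because a suite line with neither a version nor a marker does not record a deliberate no-DSA decision. The rationale itself is good: it records the cryptography >= 2.1.4 dependency that makes a jessie backport impractical.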



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9ab00e321537dbbd31d334e22cccbcffd235d125


[Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-1641{2,3}/imagemagick

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b1c82ff4 by Salvatore Bonaccorso at 2018-10-12T19:19:06Z
Add bug reference for CVE-2018-1641{2,3}/imagemagick

Filed only one bug given the issue is fixed with the same commit for both
CVEs. Should be enough for tracking both.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4474,14 +4474,14 @@ CVE-2018-16414
RESERVED
 CVE-2018-16413 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in 
the ...)
{DLA-1530-1}
-   - imagemagick 
+   - imagemagick  (bug #910887)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1249
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1251
NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/17a1a6f97fd088a71931bdc422f4e96bb6ffc549
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/4745eb1047617330141e9abfd5ae01236a71ae12
 CVE-2018-16412 (ImageMagick 7.0.8-11 Q16 has a heap-based buffer over-read in 
the ...)
{DLA-1530-1}
-   - imagemagick 
+   - imagemagick  (bug #910887)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1250
NOTE: Fixed with same patch as for issue #1249, as per upstream 
discussion at
NOTE: 
https://github.com/ImageMagick/ImageMagick/issues/1250#issuecomment-422361868
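Review bot: both CVEs now point at bug #910887, which matches the commit message; make sure the bug title names both CVE IDs, since the tracker cross-references the BTS by bug number and a reader arriving from CVE-2018-16412 otherwise sees only the issue #1249/#1251 discussion. The CVE-2018-16412 entry could also carry the same two commit links as CVE-2018-16413 rather than relying on the prose NOTE to say the patch is shared.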



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1c82ff49a31a79303926d25c73baa7bbc1007f0


[Git][security-tracker-team/security-tracker][master] Partially revert "data/dla-needed.txt: Drop pyopenssl after further investigation."

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60aaf7c1 by Salvatore Bonaccorso at 2018-10-12T19:07:30Z
Partially revert "data/dla-needed.txt: Drop pyopenssl after further 
investigation."

The wheezy entries should be tracked in the ELTS tracker itself.

Was the intention to actually do [jessie] tagged entries?

This (partially) reverts commit 17dab33a7ab383cb7b60ce0a04abbb0720a7ab24.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -634,12 +634,10 @@ CVE-2018-1000809 (privacyIDEA version 2.23.1 and earlier 
contains a Improper Inp
 CVE-2018-1000808 (Python Cryptographic Authority pyopenssl version Before 
17.5.0 ...)
- pyopenssl 17.5.0-1 (low)
[stretch] - pyopenssl  (Minor issue)
-   [wheezy] - pyopenssl  (Minor issue, but also requires at least 
cryptography 2.1.4 which exposes the X509_up_ref method)
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to 
version ...)
- pyopenssl 17.5.0-1
-   [wheezy] - pyopenssl  (Minor issue, but also requires at least 
cryptography 2.1.4 which exposes the X509_up_ref method)
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 
1.17.6 ...)
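Review bot: after this revert CVE-2018-1000808 and CVE-2018-1000807 carry no [jessie] line at all, so they still show as open for the LTS suite even though pyopenssl was dropped from dla-needed.txt in 17dab33a; if the dependency note was meant for jessie, it should be re-added under a [jessie] tag, which the follow-up commit 9ab00e32 on this page does.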



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/60aaf7c195e0fdaf401b468558fabe84b1f16b3b


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Asked upstream re libpdfbox-java fix.

2018-10-12 Thread Chris Lamb
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bf7398e1 by Chris Lamb at 2018-10-12T16:00:41Z
data/dla-needed.txt: Asked upstream re libpdfbox-java fix.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -38,6 +38,7 @@ libav (Hugo Lefeuvre)
 --
 libpdfbox-java
   NOTE: 20181007: Can't find the upstream fixing commit atm (Chris Lamb)
+  NOTE: 20181012: Have asked upstream for fixing commit (Chris Lamb)
 --
 libspring-java (Abhijith PA)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf7398e1f61e18cc404b3eddbde7aeff639ca328


[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Drop pyopenssl after further investigation.

2018-10-12 Thread Chris Lamb
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
17dab33a by Chris Lamb at 2018-10-12T15:48:44Z
data/dla-needed.txt: Drop pyopenssl after further investigation.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -634,10 +634,12 @@ CVE-2018-1000809 (privacyIDEA version 2.23.1 and earlier 
contains a Improper Inp
 CVE-2018-1000808 (Python Cryptographic Authority pyopenssl version Before 
17.5.0 ...)
- pyopenssl 17.5.0-1 (low)
[stretch] - pyopenssl  (Minor issue)
+   [wheezy] - pyopenssl  (Minor issue, but also requires at least 
cryptography 2.1.4 which exposes the X509_up_ref method)
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to 
version ...)
- pyopenssl 17.5.0-1
+   [wheezy] - pyopenssl  (Minor issue, but also requires at least 
cryptography 2.1.4 which exposes the X509_up_ref method)
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: 
https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
 CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 
1.17.6 ...)
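Review bot: the tags added here are [wheezy], but the companion change in the same commit drops pyopenssl from dla-needed.txt, which is the jessie LTS queue; the annotation that justifies dropping it should therefore be [jessie], otherwise the jessie status is left unrecorded while a note is added for a suite this tracker no longer handles.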


=
data/dla-needed.txt
=
@@ -66,8 +66,6 @@ poppler
   NOTE: 20180928: Consider fixing no-dsa/ignored bugs as well since this is
   NOTE: 20180928: frequently used package.
 --
-pyopenssl (Chris Lamb)
---
 salt
   NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be
   NOTE: 20180921: compromised first. But the security escalation effect can 
cause



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/17dab33a7ab383cb7b60ce0a04abbb0720a7ab24


[Git][security-tracker-team/security-tracker][master] NFUs

2018-10-12 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e126d58 by Moritz Muehlenhoff at 2018-10-12T15:24:15Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25085,7 +25085,7 @@ CVE-2018-8362
 CVE-2018-8361
RESERVED
 CVE-2018-8360 (An information disclosure vulnerability exists in Microsoft 
.NET ...)
-   TODO: check mono
+   NOT-FOR-US: Microsoft
 CVE-2018-8359 (A remote code execution vulnerability exists in the way that 
the ...)
NOT-FOR-US: Microsoft
 CVE-2018-8358 (A security feature bypass vulnerability exists when Microsoft 
Edge ...)
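Review bot: CVE-2018-8360 was previously flagged `TODO: check mono`, and changing it to `NOT-FOR-US: Microsoft` silently closes that question. A one-line NOTE recording why mono is not affected would stop the next triage pass from reopening it; the other entries in this hunk were plain `TODO: check` and need no such note.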
@@ -25139,15 +25139,15 @@ CVE-2018-8335 (A denial of service vulnerability 
exists in the Microsoft Server
 CVE-2018-8334
RESERVED
 CVE-2018-8333 (An Elevation of Privilege vulnerability exists in Filter 
Manager when ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2018-8332 (A remote code execution vulnerability exists when the Windows 
font ...)
NOT-FOR-US: Microsoft
 CVE-2018-8331 (A remote code execution vulnerability exists in Microsoft Excel 
...)
NOT-FOR-US: Microsoft
 CVE-2018-8330 (An information disclosure vulnerability exists when the Windows 
kernel ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2018-8329 (An Elevation of Privilege vulnerability exists in Windows 
Subsystem ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2018-8328
RESERVED
 CVE-2018-8327 (A remote code execution vulnerability exists in PowerShell 
Editor ...)
@@ -25165,7 +25165,7 @@ CVE-2018-8322
 CVE-2018-8321
RESERVED
 CVE-2018-8320 (A security feature bypass vulnerability exists in DNS Global 
Blocklist ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2018-8319 (A Security Feature Bypass vulnerability exists in MSR 
JavaScript ...)
NOT-FOR-US: Microsoft
 CVE-2018-8318
@@ -25275,7 +25275,7 @@ CVE-2018-8267 (A remote code execution vulnerability 
exists in the way that the
 CVE-2018-8266 (A remote code execution vulnerability exists in the way that 
the ...)
NOT-FOR-US: Microsoft
 CVE-2018-8265 (A remote code execution vulnerability exists in the way 
Microsoft ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2018-8264
RESERVED
 CVE-2018-8263
@@ -26192,7 +26192,7 @@ CVE-2018-7930 (The Near Field Communication (NFC) 
module in Mate 9 Huawei mobile
 CVE-2018-7929 (Huawei Mate RS smartphones with the versions before NEO-AL00D 
...)
NOT-FOR-US: Huawei
 CVE-2018-7928 (There is a security vulnerability which could lead to Factory 
Reset ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2018-7927
RESERVED
 CVE-2018-7926
@@ -27084,11 +27084,11 @@ CVE-2018-7635 (Whale Browser before 1.0.41.8 displays 
no URL information but onl
 CVE-2018-7634 (An issue was discovered in Enalean Tuleap 9.17. Lack of CSRF 
attack ...)
NOT-FOR-US: Enalean Tuleap
 CVE-2018-7633 (Code injection in the /ui/login form Language parameter in 
Epicentro ...)
-   TODO: check
+   NOT-FOR-US: Epicentro
 CVE-2018-7632 (Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Epicentro
 CVE-2018-7631 (Buffer Overflow in httpd in EpiCentro E_7.3.2+ allows attackers 
to ...)
-   TODO: check
+   NOT-FOR-US: Epicentro
 CVE-2018-7630
RESERVED
 CVE-2018-7629
@@ -28920,23 +28920,23 @@ CVE-2018-7111
 CVE-2018-7110
RESERVED
 CVE-2018-7109 (HPE has addressed a remote arbitrary file modification 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7108 (HPE StorageWorks XP7 Automation Director (AutoDir) version 
8.5.2-02 to ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7107 (A potential security vulnerability has been identified in HPE 
Device ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7106 (A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) 
for ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7105 (A security vulnerability in HPE Integrated Lights-Out 5 (iLO 5) 
for ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7104 (A Remote Code Execution vulnerability was identified in HPE ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7103 (A Remote Code Execution vulnerability was identified in HPE ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7102 (A security vulnerability in HPE Intelligent Management Center 
(iMC) ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7101 (A potential remote denial of service security vulnerability has 
been ...)
-   TODO: check
+   NOT-FOR-US: HPE
 CVE-2018-7100 (A potential security vulnerability has been identified in HPE 
...)
NOT-FOR-US: HPE OfficeConnect 1810 Switch Series
 CVE-2018-7099 (A security vulnerability was identified in 3PAR Service 
Processor (SP) ...)
@

[Git][security-tracker-team/security-tracker][master] NFUs

2018-10-12 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0be994d4 by Moritz Muehlenhoff at 2018-10-12T14:57:23Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -278,7 +278,7 @@ CVE-2018-18217
 CVE-2018-18216
RESERVED
 CVE-2018-18215 (In youke365 v1.1.5, admin/user.html has a CSRF vulnerability 
that can ...)
-   TODO: check
+   NOT-FOR-US: youke365
 CVE-2018-18214
RESERVED
 CVE-2018-18213
@@ -957,11 +957,11 @@ CVE-2018-17931
 CVE-2018-17930
RESERVED
 CVE-2018-17929 (In Delta Industrial Automation TPEditor, TPEditor Versions 
1.90 and ...)
-   TODO: check
+   NOT-FOR-US: TPEditor
 CVE-2018-17928
RESERVED
 CVE-2018-17927 (In Delta Industrial Automation TPEditor, TPEditor Versions 
1.90 and ...)
-   TODO: check
+   NOT-FOR-US: TPEditor
 CVE-2018-17926
RESERVED
 CVE-2018-17925 (Multiple instances of this vulnerability (Unsafe ActiveX 
Control ...)
@@ -11026,7 +11026,7 @@ CVE-2018-13791 (The HTTP API in ABBYY FlexiCapture 
before 12 Release 1 Update 7
 CVE-2018-13790 (A Server Side Request Forgery (SSRF) vulnerability in ...)
NOT-FOR-US: concrete5
 CVE-2018-13789 (An issue was discovered in Descor Infocad FM before 3.1.0.0. 
An ...)
-   TODO: check
+   NOT-FOR-US: Descor Infocad FM
 CVE-2018-13788
RESERVED
 CVE-2018-1000623 (JFrog JFrog Artifactory version Prior to version 6.0.3, 
since version ...)
@@ -14035,13 +14035,13 @@ CVE-2018-12546
 CVE-2018-12545
RESERVED
 CVE-2018-12544 (In version from 3.5.Beta1 to 3.5.3 of Eclipse Vert.x, the 
OpenAPI XML ...)
-   TODO: check
+   NOT-FOR-US: Eclipse Vert.x
 CVE-2018-12543
RESERVED
 CVE-2018-12542 (In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the 
StaticHandler ...)
-   TODO: check
+   NOT-FOR-US: Eclipse Vert.x
 CVE-2018-12541 (In version from 3.0.0 to 3.5.3 of Eclipse Vert.x, the 
WebSocket HTTP ...)
-   TODO: check
+   NOT-FOR-US: Eclipse Vert.x
 CVE-2018-12540 (In version from 3.0.0 to 3.5.2 of Eclipse Vert.x, the 
CSRFHandler do ...)
NOT-FOR-US: Eclipse Vertx
 CVE-2018-12539 (In Eclipse OpenJ9 version 0.8, users other than the process 
owner may ...)
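Review bot: style, the three new lines use `NOT-FOR-US: Eclipse Vert.x` while the existing CVE-2018-12540 line in the same hunk uses `NOT-FOR-US: Eclipse Vertx`; pick one spelling so a grep over the file finds all four entries.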
@@ -14279,7 +14279,7 @@ CVE-2018-12443
 CVE-2018-12442
RESERVED
 CVE-2018-12441 (The CorsairService Service in Corsair Utility Engine is 
installed with ...)
-   TODO: check
+   NOT-FOR-US: Corsair
 CVE-2017-18341
RESERVED
 CVE-2017-18340
@@ -14473,7 +14473,7 @@ CVE-2018-12412
 CVE-2018-12411
RESERVED
 CVE-2018-12410 (The web server component of TIBCO Software Inc's Spotfire 
Statistics ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2018-12409
RESERVED
 CVE-2018-12408 (The BusinessWorks engine component of TIBCO Software Inc.'s 
TIBCO ...)
@@ -15205,9 +15205,9 @@ CVE-2018-12155
 CVE-2018-12154
RESERVED
 CVE-2018-12153 (Denial of Service in Unified Shader Compiler in Intel Graphics 
Drivers ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2018-12152 (Pointer corruption in Unified Shader Compiler in Intel 
Graphics ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2018-12151 (Buffer overflow in installer for Intel Extreme Tuning Utility 
before ...)
NOT-FOR-US: Intel
 CVE-2018-12150 (Escalation of privilege in Installer for Intel Extreme Tuning 
Utility ...)
@@ -15838,7 +15838,7 @@ CVE-2018-11880
 CVE-2018-11879
RESERVED
 CVE-2018-11878 (In all android releases (Android for MSM, Firefox OS for MSM, 
QRD ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11877
RESERVED
 CVE-2018-11876
@@ -15856,9 +15856,9 @@ CVE-2018-11871
 CVE-2018-11870
RESERVED
 CVE-2018-11869 (In all android releases (Android for MSM, Firefox OS for MSM, 
QRD ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11868 (In all android releases (Android for MSM, Firefox OS for MSM, 
QRD ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11867
RESERVED
 CVE-2018-11866
@@ -15870,13 +15870,13 @@ CVE-2018-11865
 CVE-2018-11864
RESERVED
 CVE-2018-11863 (In all android releases (Android for MSM, Firefox OS for MSM, 
QRD ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11862
RESERVED
 CVE-2018-11861
RESERVED
 CVE-2018-11860 (In all android releases (Android for MSM, Firefox OS for MSM, 
QRD ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11859
RESERVED
 CVE-2018-11858
@@ -15895,9 +15895,9 @@ CVE-2018-11854
 CVE-2018-11853
RESERVED
 CVE-2018-11852 (In all android releases (Android for MSM, Firefox OS for MSM, 
QRD ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm components for Android
 CVE-2018-11851 (In all android releases (Android for MS

[Git][security-tracker-team/security-tracker][master] CVE-2018-11439/taglib: reference upstream fix

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f905fe2c by Salvatore Bonaccorso at 2018-10-12T11:40:14Z
CVE-2018-11439/taglib: reference upstream fix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17080,7 +17080,7 @@ CVE-2018-11439 (The TagLib::Ogg::FLAC::File::scan 
function in oggflacfile.cpp in
NOTE: PoC: http://seclists.org/fulldisclosure/2018/May/49
NOTE: Upstream issue: https://github.com/taglib/taglib/issues/868
NOTE: Pull request: https://github.com/taglib/taglib/pull/869
-   NOTE: Upstream fix: 
https://github.com/sgayou/taglib/commit/272648ccfcccae30e002ccf34a22e075dd477278
+   NOTE: Upstream fix: 
https://github.com/taglib/taglib/commit/2c4ae870ec086f2ddd21a47861a3709c36faac45
 CVE-2018-11438 (The mobi_decompress_lz77 function in compression.c in Libmobi 
0.3 ...)
NOT-FOR-US: Libmobi
 CVE-2018-11437 (The mobi_reconstruct_parts function in parse_rawml.c in 
Libmobi 0.3 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f905fe2c0138c233e1bc00aa7b4467e13c88ad56


[Git][security-tracker-team/security-tracker][master] one more wireshark CVE

2018-10-12 Thread Moritz Muehlenhoff
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54f4a066 by Moritz Muehlenhoff at 2018-10-12T09:40:43Z
one more wireshark CVE

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15365,7 +15365,8 @@ CVE-2018-12088 (S3QL before 2.27 mishandles 
checksumming, and consequently allow
 CVE-2018-12087 (Failure to validate certificates in OPC Foundation UA Client 
...)
NOT-FOR-US: OPC UA
 CVE-2018-12086 (Buffer overflow in OPC UA applications allows remote attackers 
to ...)
-   NOT-FOR-US: OPC UA
+   - wireshark 
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2018-50.html
 CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the 
function ...)
- liblouis 3.5.0-4 (bug #901202)
[stretch] - liblouis 3.0.0-3+deb9u4
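Review bot: the description line reads "Buffer overflow in OPC UA applications", so the reason this flipped from `NOT-FOR-US: OPC UA` to an open wireshark entry is not visible from the entry itself; add a NOTE saying which Wireshark dissector wnpa-sec-2018-50 covers, so the entry is not flipped back on the next triage. The entry also has no [stretch]/[jessie] annotation yet, unlike the other wireshark issues filed the same day.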



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/54f4a06669932dd5f1c2af06e8df853c9cae8771


[Git][security-tracker-team/security-tracker][master] Add three new wireshark issues

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13e83709 by Salvatore Bonaccorso at 2018-10-12T09:00:01Z
Add three new wireshark issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -245,11 +245,20 @@ CVE-2018-18229
 CVE-2018-18228
RESERVED
 CVE-2018-18227 (In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP 
protocol ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15119
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d443be449a52f95df5754adc39e1f3472fec2f03
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2018-47.html
 CVE-2018-18226 (In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector 
could ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15171
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6e920ddc3cad2886ef07ca1a8e50e2a5c50986f7
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2018-48.html
 CVE-2018-18225 (In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. 
This was ...)
-   TODO: check
+   - wireshark 
+   NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172
+   NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=09a02cc1ea6de9f6c6cae75b3510a5477ef5f555
+   NOTE: https://www.wireshark.org/security/wnpa-sec-2018-49.html
 CVE-2018-18224
RESERVED
 CVE-2018-18223
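Review bot: per the description lines, CVE-2018-18226 and CVE-2018-18225 affect only 2.6.0 to 2.6.3, while stretch ships the 2.2.x branch (2.2.6+g32dac6a-2+deb9u3 appears in the wireshark entries elsewhere on this page), so those two likely warrant a [stretch] not-affected annotation once the dissector code is confirmed absent; CVE-2018-18227 also lists 2.4.0 to 2.4.9 and needs an actual check. With only the unstable line, all three show as open for stretch.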



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/13e83709c59c39c60094428cd47e3db7e5c6248b


[Git][security-tracker-team/security-tracker][master] Process NFUs

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32852054 by Salvatore Bonaccorso at 2018-10-12T08:52:19Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,9 +13,9 @@ CVE-2018-18260
 CVE-2018-18259
RESERVED
 CVE-2018-18258 (An issue was discovered in BageCMS 3.1.3. The attacker can 
execute ...)
-   TODO: check
+   NOT-FOR-US: BageCMS
 CVE-2018-18257 (An issue was discovered in BageCMS 3.1.3. An attacker can 
delete any ...)
-   TODO: check
+   NOT-FOR-US: BageCMS
 CVE-2018-18256
RESERVED
 CVE-2018-18255
@@ -215,7 +215,7 @@ CVE-2018-18244
 CVE-2018-18243
RESERVED
 CVE-2018-18242 (youke365 v1.1.5 has SQL injection via admin/login.html, as 
demonstrated ...)
-   TODO: check
+   NOT-FOR-US: youke365
 CVE-2018-18241
RESERVED
 CVE-2018-18240 (Pippo through 1.11.0 allows remote code execution via a 
command to ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/32852054e08c36e68e1be7b1cfb671f5b7fa1dd7


[Git][security-tracker-team/security-tracker][master] Add fixing commit for CVE-2017-17724/exiv2

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
07630fd6 by Salvatore Bonaccorso at 2018-10-12T08:49:59Z
Add fixing commit for CVE-2017-17724/exiv2

Thanks: Henri Salo

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39998,6 +39998,7 @@ CVE-2017-17724 (In Exiv2 0.26, there is a heap-based 
buffer over-read in the ...
- exiv2  (Introduced in 0.26)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524107
NOTE: https://github.com/Exiv2/exiv2/issues/210
+   NOTE: 
https://github.com/Exiv2/exiv2/commit/962962a8e9885ccbca28f624492f1427152a0695
 CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the 
...)
- exiv2  (low)
[stretch] - exiv2  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/07630fd63d8ab83994b3be92c4b8c3c68f34e175


[Git][security-tracker-team/security-tracker][master] Move back some fixed version items back to data/CVE/list

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8ea75b4e by Salvatore Bonaccorso at 2018-10-12T08:45:57Z
Move back some fixed version items back to data/CVE/list

The reason we had to split these and not list them in the respective DSA was
that the DSA addressed issues in jessie and stretch while both were
supported by the security team. The set of CVEs, though, was not
overlapping for the two suites, with some issues affecting stretch but
not jessie. Thus, to be fully correct, those must not be listed in
data/DSA/list, otherwise they appear to be fixed in the respective
version in the jessie upload as well, which would not be completely
correct.

This situation sometimes arises while the security team supports two
suites, but for a source package only one DSA is issued and the set of
CVEs is not overlapping.

- - - - -
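Added example (not the security-tracker's own tooling): a small Python cross-check of the two files this commit touches. It uses constructed excerpts of data/CVE/list and data/DSA/list in the format those files use; the angle-bracket status markers such as `<not-affected>`, which the rendered diff on this page drops, are restored, and the DSA date and the jessie version string are made up (the stretch version is the one in the diff). It follows the `{DSA-...}` references in both directions and reports a CVE that a DSA claims to fix in a suite the CVE entry marks not affected, which is the inconsistency the commit message describes, then shows that the committed form (DSA reference dropped, stretch version recorded explicitly) passes. The resolution rule in `effective_status` (an explicit suite line wins over a DSA-derived version) is my assumption about how readers should interpret the two sources, not something the tracker documents here.

```python
"""Cross-check data/CVE/list against data/DSA/list (added example; not the
security-tracker's own tooling).  A CVE listed under a DSA inherits
"fixed in <version>" for every suite the DSA covers, so an explicit
[suite] <not-affected> line for one of those suites contradicts it."""
import re
from dataclasses import dataclass, field

# Constructed excerpts mirroring the CVE-2018-11360 hunk in the commit.
# <not-affected> is how the real file spells suite status (the rendered
# diff drops angle brackets).  The DSA date and the jessie version are
# made up; the stretch version is the one from the diff.
CVE_LIST_BEFORE = """\
CVE-2018-11360 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, ...)
\t{DSA-4217-1}
\t- wireshark 2.6.1-1 (bug #900708)
\t[jessie] - wireshark <not-affected> (vulnerable code not present)
\tNOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14688
"""
CVE_LIST_AFTER = """\
CVE-2018-11360 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, ...)
\t- wireshark 2.6.1-1 (bug #900708)
\t[stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3
\t[jessie] - wireshark <not-affected> (vulnerable code not present)
"""
DSA_LIST = """\
[01 Jun 2018] DSA-4217-1 wireshark - security update
\t{CVE-2018-7320}
\t[jessie] - wireshark 1.12.1+g01b65bf-4+deb8u99
\t[stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3
"""

# "[suite] - pkg <marker> (note)" or "[suite] - pkg version (note)";
# the suite prefix is absent on the unstable line.
STATUS_RE = re.compile(
    r"^(?:\[(?P<suite>[a-z]+)\]\s+)?-\s+(?P<pkg>\S+)"
    r"(?:\s+(?:<(?P<marker>[a-z-]+)>|(?P<version>[^\s(<]\S*)))?"
    r"(?:\s+\((?P<note>.*)\))?$"
)

@dataclass
class CveEntry:
    cve: str
    advisories: set = field(default_factory=set)  # DSA/DLA ids from {...}
    suites: dict = field(default_factory=dict)    # suite -> (status, version)

@dataclass
class DsaEntry:
    dsa: str
    cves: set = field(default_factory=set)
    suites: dict = field(default_factory=dict)    # suite -> fixed version

def _walk(text, header_re, make):
    """Non-indented lines open an entry; yield (entry, line) for indented ones."""
    cur = None
    for raw in text.splitlines():
        if raw and not raw[0].isspace():
            m = header_re.match(raw)
            cur = make(m.group(1)) if m else None
        elif cur is not None and raw.strip():
            yield cur, raw.strip()

def parse_cve_list(text):
    entries = {}
    mk = lambda i: entries.setdefault(i, CveEntry(i))
    for e, line in _walk(text, re.compile(r"(CVE-\d{4}-\d+)"), mk):
        if line.startswith(("NOTE:", "TODO:")) or line == "RESERVED":
            continue
        if line[0] == "{" and line[-1] == "}":
            e.advisories.update(line[1:-1].split())
        elif (m := STATUS_RE.match(line)):
            fixed = ("fixed", m["version"]) if m["version"] else (m["marker"] or "unfixed", None)
            e.suites[m["suite"] or "sid"] = fixed
    return entries

def parse_dsa_list(text):
    entries = {}
    mk = lambda i: entries.setdefault(i, DsaEntry(i))
    for e, line in _walk(text, re.compile(r"\[[^\]]+\]\s+(DSA-\d+-\d+)"), mk):
        if line[0] == "{" and line[-1] == "}":
            e.cves.update(line[1:-1].split())
        elif (m := STATUS_RE.match(line)) and m["suite"] and m["version"]:
            e.suites[m["suite"]] = m["version"]
    return entries

def find_conflicts(cves, dsas):
    """(cve, dsa, suite) triples where a DSA claims a fix in a suite that the
    CVE entry explicitly marks not affected or deliberately left unfixed."""
    links = {(c.cve, d) for c in cves.values() for d in c.advisories}
    links |= {(c, d.dsa) for d in dsas.values() for c in d.cves if c in cves}
    found = []
    for cve_id, dsa_id in sorted(links):
        for suite in dsas.get(dsa_id, DsaEntry(dsa_id)).suites:
            status, _ = cves[cve_id].suites.get(suite, ("inherited", None))
            if status in ("not-affected", "no-dsa", "postponed"):
                found.append((cve_id, dsa_id, suite))
    return found

def effective_status(cve, suite, dsas):
    """Assumed rule: an explicit [suite] line wins; otherwise a referenced DSA
    covering the suite supplies the fixed version; otherwise unknown."""
    if suite in cve.suites:
        return cve.suites[suite]
    for dsa_id in sorted(cve.advisories):
        if suite in dsas.get(dsa_id, DsaEntry(dsa_id)).suites:
            return ("fixed", dsas[dsa_id].suites[suite])
    return ("unknown", None)

if __name__ == "__main__":
    dsas = parse_dsa_list(DSA_LIST)
    for label, text in (("before", CVE_LIST_BEFORE), ("after", CVE_LIST_AFTER)):
        cves = parse_cve_list(text)
        print(label, "conflicts:", find_conflicts(cves, dsas))
        for suite in ("sid", "stretch", "jessie"):
            print("  ", suite, effective_status(cves["CVE-2018-11360"], suite, dsas))
```

Run against the real files the check is the same, only larger: the "before" excerpt reports the jessie conflict for CVE-2018-11360 via DSA-4217-1, the "after" excerpt reports none, and the DSA-side brace set has to be trimmed in data/DSA/list in the same commit, since the checker follows that direction too.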


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -9584,6 +9584,7 @@ CVE-2018-14368 (In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 
2.4.7, and 2.2.0 to 2.2.15
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-40.html
 CVE-2018-14367 (In Wireshark 2.6.0 to 2.6.1 and 2.4.0 to 2.4.7, the CoAP 
protocol ...)
- wireshark 2.6.2-1
+   [stretch] - wireshark  (Vulnerable code not present)
[jessie] - wireshark  (Vulnerable code not present)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14966
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=81ce5fcb3e37a0aaeb7532f7a2a09366f16fa310
@@ -17308,8 +17309,8 @@ CVE-2018-11361 (In Wireshark 2.6.0, the IEEE 802.11 
protocol dissector could cra
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b52f9929238ce3948ec924ae4f9456b5e9df558
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-32.html
 CVE-2018-11360 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the 
GSM A DTAP ...)
-   {DSA-4217-1}
- wireshark 2.6.1-1 (bug #900708)
+   [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3
[jessie] - wireshark  (vulnerable code not present (uses 
static a_bigbuf instead))
[wheezy] - wireshark  (vulnerable code not present (uses 
static a_bigbuf instead))
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14688
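Review bot: dropping `{DSA-4217-1}` and recording the stretch version explicitly is the right fix given the jessie line says the code is absent; the same CVE also has to be removed from the DSA-4217-1 entry's CVE set in data/DSA/list (that half of the diff is cut off here, though the file is listed as changed), otherwise the DSA side still reports it as fixed in jessie.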
@@ -22735,8 +22736,8 @@ CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 
2.2.13, ui/failure_messa
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f38e895dfc0d97bce64f73ce99df706911d9aa07
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html
 CVE-2018-9273 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...)
-   {DSA-4217-1}
- wireshark 2.4.6-1
+   [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3
[jessie] - wireshark  (Vulnerable code not present)
[wheezy] - wireshark  (Vulnerable code not present)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14488
@@ -22799,8 +22800,8 @@ CVE-2018-9265 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 
2.2.13, ...)
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b12cc581cd4878d74b6116ca02c7dbe650c1f242
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html
 CVE-2018-9264 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the ADB 
dissector ...)
-   {DSA-4217-1}
- wireshark 2.4.6-1
+   [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3
[jessie] - wireshark  (Vulnerable code not present (only 
adb_cs available))
[wheezy] - wireshark  (Vulnerable code not present (only 
adb_cs available))
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14460
@@ -28164,8 +28165,8 @@ CVE-2018-7321 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 
2.2.12, ...)
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c784d551ad50864de1035ce54e72837301cf6aca
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html
 CVE-2018-7320 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the SIGCOMP 
protocol ...)
-   {DSA-4217-1}
- wireshark 2.4.5-1
+   [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3
[jessie] - wireshark  (Vulnerable code introduced later)
[wheezy] - wireshark  (Vulnerable code introduced later)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14398
@@ -59965,8 +59966,8 @@ CVE-2017-13767 (In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 
2.0.0 to 2.0.14, the MSD
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f18ace2a2683418a9368a8dfd92da6bd8213e15
NOTE: https://www.wireshark.org/security/wnpa-sec-2017-38.html
 CVE-2017-13766 (In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O 
dissector could ...)
-   {DSA-4060-1}
- wireshark 2.4.1-1
+   [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1
[
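The situation the commit message above describes (a DSA entry listing CVEs that do not all apply to every suite it uploaded to) can be checked mechanically. The following is an added example, not code from the Debian security tracker: it parses constructed data/DSA/list- and data/CVE/list-style entries in the line format visible in the diffs on this page and flags a CVE that a DSA credits to a suite upload while the CVE's own entry marks that suite as not affected, then shows the corrected form (CVE dropped from the DSA entry, cross-reference replaced by an explicit `[stretch]` fixed-version line). The DSA id DSA-9999-1, the CVE ids CVE-2018-9000x, all versions and all reasons are constructed placeholders; `<not-affected>` is the tracker status keyword that the mail rendering appears to have stripped from the angle-bracketed fields in the hunks above.

```python
"""Added illustration (not the Debian security tracker's own code): a lint
for the inconsistency described in the commit message.  File formats are
modelled on the data/DSA/list and data/CVE/list lines visible on the page;
the DSA id, CVE ids, versions and reasons are constructed samples."""
import re

# Constructed data/DSA/list-style entry: one DSA with uploads for two suites,
# listing both CVEs as fixed by each upload.
DSA_LIST = """\
[12 Oct 2018] DSA-9999-1 wireshark - security update
\t{CVE-2018-90001 CVE-2018-90002}
\t[stretch] - wireshark 2.2.6-1+deb9u1
\t[jessie] - wireshark 1.12.1-1+deb8u1
"""

# Constructed data/CVE/list-style entries.  CVE-2018-90002 affects the
# stretch version only; its jessie line says the vulnerable code is absent.
CVE_LIST = """\
CVE-2018-90001 (constructed: dissector crash affecting both suites ...)
\t{DSA-9999-1}
\t- wireshark 2.4.5-1
CVE-2018-90002 (constructed: dissector crash affecting stretch only ...)
\t{DSA-9999-1}
\t- wireshark 2.6.1-1
\t[jessie] - wireshark <not-affected> (Vulnerable code not present)
"""

# Corrected form following the commit's approach: the stretch-only CVE is no
# longer listed in the DSA entry, and its cross-reference is replaced by an
# explicit [stretch] fixed-version line.
DSA_LIST_FIXED = DSA_LIST.replace(" CVE-2018-90002}", "}")
CVE_LIST_FIXED = CVE_LIST.replace(
    "\t{DSA-9999-1}\n\t- wireshark 2.6.1-1\n",
    "\t- wireshark 2.6.1-1\n\t[stretch] - wireshark 2.2.6-1+deb9u1\n",
)

DSA_HEADER = re.compile(r"^\[[^\]]+\] (DSA-\d+-\d+) (\S+)")
CVE_HEADER = re.compile(r"^(CVE-\d{4}-\d+)")
# "[suite] - package <version-or-marker> (optional reason)"
SUITE_LINE = re.compile(r"^\[(\w+)\] - (\S+) (\S+)(?: \((.*)\))?$")


def _parse(text, header_re):
    """Walk one list: an unindented header line starts an entry and indented
    lines belong to it.  Returns {id: {"refs": set(), "suites": {suite: status}}}
    where refs are the ids inside the {...} line and status is a version
    string or a <marker> such as <not-affected>."""
    entries, cur = {}, None
    for raw in text.splitlines():
        m = header_re.match(raw)
        if m:
            cur = entries.setdefault(m.group(1), {"refs": set(), "suites": {}})
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("{") and line.endswith("}"):
            cur["refs"].update(line[1:-1].split())
        elif line.startswith("- "):                 # "- package version" (unstable)
            parts = line.split()
            if len(parts) >= 3:
                cur["suites"]["unstable"] = parts[2]
        else:
            m = SUITE_LINE.match(line)
            if m:
                cur["suites"][m.group(1)] = m.group(3)
    return entries


def parse_dsa_list(text):
    return _parse(text, DSA_HEADER)


def parse_cve_list(text):
    return _parse(text, CVE_HEADER)


def check_consistency(dsas, cves):
    """Return (dsa, cve, suite, message) tuples wherever a DSA entry would
    credit one of its suite uploads with fixing a CVE whose own entry marks
    that suite with a <marker> (e.g. not-affected), plus one-sided or missing
    cross-references in either direction."""
    problems = []
    for dsa_id, dsa in dsas.items():
        for cve_id in sorted(dsa["refs"]):
            entry = cves.get(cve_id)
            if entry is None:
                problems.append((dsa_id, cve_id, None, "CVE has no entry in CVE/list"))
                continue
            if dsa_id not in entry["refs"]:
                problems.append((dsa_id, cve_id, None, "CVE entry lacks {%s}" % dsa_id))
            for suite in dsa["suites"]:
                status = entry["suites"].get(suite)
                if status is not None and status.startswith("<"):
                    problems.append((dsa_id, cve_id, suite,
                                     "DSA claims a fix but CVE entry says %s" % status))
    for cve_id, entry in cves.items():
        for dsa_id in sorted(entry["refs"]):
            if cve_id not in dsas.get(dsa_id, {"refs": set()})["refs"]:
                problems.append((dsa_id, cve_id, None, "DSA entry does not list this CVE"))
    return problems


if __name__ == "__main__":
    for label, (d, c) in (("before", (DSA_LIST, CVE_LIST)),
                          ("after", (DSA_LIST_FIXED, CVE_LIST_FIXED))):
        found = check_consistency(parse_dsa_list(d), parse_cve_list(c))
        print(label, found or "consistent")
```

Run stand-alone it reports the jessie conflict for the "before" data and "consistent" for the corrected data. The check is deliberately one-directional about what a DSA entry claims; it does not model the tracker's own precedence rules between a `{DSA-...}` reference and an explicit `[suite]` line, only the fact stated in the commit message that listing a CVE in a multi-suite DSA entry credits every one of that DSA's uploads with the fix.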

[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim pyopenssl.

2018-10-12 Thread Chris Lamb
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
881a461c by Chris Lamb at 2018-10-12T08:14:34Z
data/dla-needed.txt: Claim pyopenssl.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -66,7 +66,7 @@ poppler
   NOTE: 20180928: Consider fixing no-dsa/ignored bugs as well since this is
   NOTE: 20180928: frequently used package.
 --
-pyopenssl
+pyopenssl (Chris Lamb)
 --
 salt
   NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/881a461cee7532f89065e551729d48f0a96dfb67


[Git][security-tracker-team/security-tracker][master] automatic update

2018-10-12 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
606480c6 by security tracker role at 2018-10-12T08:10:19Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,33 @@
+CVE-2018-18265
+   RESERVED
+CVE-2018-18264
+   RESERVED
+CVE-2018-18263
+   RESERVED
+CVE-2018-18262
+   RESERVED
+CVE-2018-18261
+   RESERVED
+CVE-2018-18260
+   RESERVED
+CVE-2018-18259
+   RESERVED
+CVE-2018-18258 (An issue was discovered in BageCMS 3.1.3. The attacker can 
execute ...)
+   TODO: check
+CVE-2018-18257 (An issue was discovered in BageCMS 3.1.3. An attacker can 
delete any ...)
+   TODO: check
+CVE-2018-18256
+   RESERVED
+CVE-2018-18255
+   RESERVED
+CVE-2018-18254
+   RESERVED
+CVE-2018-18253
+   RESERVED
+CVE-2018-18252
+   RESERVED
+CVE-2018-18251
+   RESERVED
 CVE-2019-0085
RESERVED
 CVE-2019-0084
@@ -214,12 +244,12 @@ CVE-2018-18229
RESERVED
 CVE-2018-18228
RESERVED
-CVE-2018-18227
-   RESERVED
-CVE-2018-18226
-   RESERVED
-CVE-2018-18225
-   RESERVED
+CVE-2018-18227 (In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP 
protocol ...)
+   TODO: check
+CVE-2018-18226 (In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector 
could ...)
+   TODO: check
+CVE-2018-18225 (In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. 
This was ...)
+   TODO: check
 CVE-2018-18224
RESERVED
 CVE-2018-18223
@@ -917,12 +947,12 @@ CVE-2018-17931
RESERVED
 CVE-2018-17930
RESERVED
-CVE-2018-17929
-   RESERVED
+CVE-2018-17929 (In Delta Industrial Automation TPEditor, TPEditor Versions 
1.90 and ...)
+   TODO: check
 CVE-2018-17928
RESERVED
-CVE-2018-17927
-   RESERVED
+CVE-2018-17927 (In Delta Industrial Automation TPEditor, TPEditor Versions 
1.90 and ...)
+   TODO: check
 CVE-2018-17926
RESERVED
 CVE-2018-17925 (Multiple instances of this vulnerability (Unsafe ActiveX 
Control ...)
@@ -14238,8 +14268,8 @@ CVE-2018-12443
RESERVED
 CVE-2018-12442
RESERVED
-CVE-2018-12441
-   RESERVED
+CVE-2018-12441 (The CorsairService Service in Corsair Utility Engine is 
installed with ...)
+   TODO: check
 CVE-2017-18341
RESERVED
 CVE-2017-18340
@@ -17278,6 +17308,7 @@ CVE-2018-11361 (In Wireshark 2.6.0, the IEEE 802.11 
protocol dissector could cra
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=1b52f9929238ce3948ec924ae4f9456b5e9df558
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-32.html
 CVE-2018-11360 (In Wireshark 2.6.0, 2.4.0 to 2.4.6, and 2.2.0 to 2.2.14, the 
GSM A DTAP ...)
+   {DSA-4217-1}
- wireshark 2.6.1-1 (bug #900708)
[jessie] - wireshark  (vulnerable code not present (uses 
static a_bigbuf instead))
[wheezy] - wireshark  (vulnerable code not present (uses 
static a_bigbuf instead))
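Review bot: the automatically added `{DSA-4217-1}` cross-reference sits above `[jessie]` and `[wheezy]` lines stating that the vulnerable code is not present, so if DSA-4217-1 also carried a jessie upload the tracker would credit that upload with fixing CVE-2018-11360 as well; the commit earlier on this page ("having some issues affecting stretch but not jessie") undoes exactly this by replacing the reference with an explicit `[stretch] - wireshark 2.2.6+g32dac6a-2+deb9u3` line. The three following hunks (CVE-2018-9273, CVE-2018-9264, CVE-2018-7320) add the same reference next to the same kind of not-affected lines and receive the same correction there.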
@@ -22704,6 +22735,7 @@ CVE-2018-9274 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 
2.2.13, ui/failure_messa
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f38e895dfc0d97bce64f73ce99df706911d9aa07
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html
 CVE-2018-9273 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, ...)
+   {DSA-4217-1}
- wireshark 2.4.6-1
[jessie] - wireshark  (Vulnerable code not present)
[wheezy] - wireshark  (Vulnerable code not present)
@@ -22767,6 +22799,7 @@ CVE-2018-9265 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 
2.2.13, ...)
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b12cc581cd4878d74b6116ca02c7dbe650c1f242
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-24.html
 CVE-2018-9264 (In Wireshark 2.4.0 to 2.4.5 and 2.2.0 to 2.2.13, the ADB 
dissector ...)
+   {DSA-4217-1}
- wireshark 2.4.6-1
[jessie] - wireshark  (Vulnerable code not present (only 
adb_cs available))
[wheezy] - wireshark  (Vulnerable code not present (only 
adb_cs available))
@@ -28131,6 +28164,7 @@ CVE-2018-7321 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 
2.2.12, ...)
NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=c784d551ad50864de1035ce54e72837301cf6aca
NOTE: https://www.wireshark.org/security/wnpa-sec-2018-06.html
 CVE-2018-7320 (In Wireshark 2.4.0 to 2.4.4 and 2.2.0 to 2.2.12, the SIGCOMP 
protocol ...)
+   {DSA-4217-1}
- wireshark 2.4.5-1
[jessie] - wireshark  (Vulnerable code introduced later)
[wheezy] - wireshark  (Vulnerable code introduced later)
@@ -43954,8 +43988,8 @@ CVE-2018-1840
RESERVED
 CVE-2018-1839
RESERVED
-CVE-2018-1838
-   RESERVED
+CVE-2018-1838 (IBM WebSphere Application Server 8.5 and 9.0 in IBM Cloud could 
allow ...)
+   TODO: check
 C