[Git][security-tracker-team/security-tracker][master] Add CVE-2018-16468/ruby-loofah
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 76845efb by Salvatore Bonaccorso at 2018-10-30T21:53:46Z Add CVE-2018-16468/ruby-loofah - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5777,8 +5777,10 @@ CVE-2018-16470 RESERVED CVE-2018-16469 RESERVED -CVE-2018-16468 +CVE-2018-16468 [Loofah XSS Vulnerability] RESERVED + - ruby-loofah + NOTE: https://github.com/flavorjones/loofah/issues/154 CVE-2018-16467 RESERVED CVE-2018-16466 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/76845efb38d4c3f06d20bb6b6195cf68350e8640 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/76845efb38d4c3f06d20bb6b6195cf68350e8640 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
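Review bot: the new ruby-loofah entry records only the upstream issue link; the "- ruby-loofah" line carries no fixed version, severity tag or Debian bug reference, so the CVE shows as open in every suite with nothing actionable attached. Once upstream publishes the fix, add the fixed Debian version to that line (or a [stretch]/[jessie] tag with the triage decision) and a second NOTE pointing at the upstream fix commit next to the issue link.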
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2017-15691/uimaj
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c538580a by Salvatore Bonaccorso at 2018-10-30T21:27:35Z Add fixed version via unstable for CVE-2017-15691/uimaj - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55876,7 +55876,7 @@ CVE-2017-15693 (In Apache Geode before v1.4.0, the Geode server stores applicati CVE-2017-15692 (In Apache Geode before v1.4.0, the TcpServer within the Geode locator ...) NOT-FOR-US: Apache Geode CVE-2017-15691 (In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to ...) - - uimaj (bug #897009) + - uimaj 2.10.2-1 (bug #897009) [stretch] - uimaj (Minor issue) [jessie] - uimaj (Minor issue) [wheezy] - uimaj (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c538580a95143e7552a000f6e8c00855ac4da3a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c538580a95143e7552a000f6e8c00855ac4da3a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22bc58ee by Salvatore Bonaccorso at 2018-10-30T20:32:38Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2865,7 +2865,7 @@ CVE-2018-17708 CVE-2018-17707 RESERVED CVE-2018-17706 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit PhantomPDF Phantom PDF CVE-2018-17705 RESERVED CVE-2018-17704 @@ -3029,25 +3029,25 @@ CVE-2018-17626 CVE-2018-17625 RESERVED CVE-2018-17624 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17623 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17622 (This vulnerability allows remote attackers to disclose sensitive ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17621 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17620 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17619 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17618 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17617 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17616 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17615 (This vulnerability allows remote attackers to execute arbitrary code ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2018-17614 RESERVED CVE-2018-17613 (Telegram Desktop (aka tdesktop) 1.3.16 alpha, when Use proxy is ...) 
@@ -10608,7 +10608,7 @@ CVE-2018-14560 CVE-2018-14559 RESERVED CVE-2018-14558 (An issue was discovered on Tenda AC7 devices with firmware through ...) - TODO: check + NOT-FOR-US: Tenda AC7 devices CVE-2018-14557 RESERVED CVE-2018-14556 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/22bc58ee151321030147177283ed00496a0837a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/22bc58ee151321030147177283ed00496a0837a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
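Review bot: the product name in "NOT-FOR-US: Foxit PhantomPDF Phantom PDF" (CVE-2018-17706 hunk) is duplicated; the other entries processed in the same commit use "NOT-FOR-US: Foxit Reader", so "NOT-FOR-US: Foxit PhantomPDF" keeps the naming consistent and greppable.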
[Git][security-tracker-team/security-tracker][master] Add new libav issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d55fc6f9 by Salvatore Bonaccorso at 2018-10-30T20:31:39Z Add new libav issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,13 +37,17 @@ CVE-2018-18831 (An issue was discovered in com\mingsoft\cms\action\GeneraterActi CVE-2018-18830 (An issue was discovered in ...) NOT-FOR-US: MCMS CVE-2018-18829 (There exists a NULL pointer dereference in ...) - TODO: check + - libav + NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1136 CVE-2018-18828 (There exists a heap-based buffer overflow in vc1_decode_i_block_adv in ...) - TODO: check + - libav + NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135 CVE-2018-18827 (There exists a heap-based buffer over-read in ff_vc1_pred_dc in ...) - TODO: check + - libav + NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135 CVE-2018-18826 (There exists a heap-based buffer overflow in vc1_decode_p_mb_intfi in ...) - TODO: check + - libav + NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1135 CVE-2018-18825 (Pagoda Linux panel V6.0 has XSS via the verification code associated ...) NOT-FOR-US: Pagoda Linux panel CVE-2018-18824 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55fc6f962508b1dcf8a35815cf9ec215621 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55fc6f962508b1dcf8a35815cf9ec215621 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
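Review bot: three of the four new libav entries (CVE-2018-18826, CVE-2018-18827, CVE-2018-18828) point at the same upstream bug 1135 and none of the four carries a fixed version, severity or Debian bug number. The CVE descriptions already name distinct functions (vc1_decode_p_mb_intfi, ff_vc1_pred_dc, vc1_decode_i_block_adv), so add a NOTE saying whether bug 1135 tracks one fix covering all three or merely reports them together, and link a Debian bug so the open state is actionable for stretch and jessie.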
[Git][security-tracker-team/security-tracker][master] Add two new mantis issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6eb33c1a by Salvatore Bonaccorso at 2018-10-30T20:32:09Z Add two new mantis issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2705,9 +2705,13 @@ CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal exis CVE-2018-17784 (Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM ...) NOT-FOR-US: SugarCRM CVE-2018-17783 (A cross-site scripting (XSS) vulnerability in the Edit Filter page ...) - TODO: check + - mantis + NOTE: https://mantisbt.org/blog/archives/mantisbt/613 + NOTE: https://mantisbt.org/bugs/view.php?id=24814 CVE-2018-17782 (A cross-site scripting (XSS) vulnerability in the Manage Filters page ...) - TODO: check + - mantis + NOTE: https://mantisbt.org/blog/archives/mantisbt/613 + NOTE: https://mantisbt.org/bugs/view.php?id=24813 CVE-2018-17781 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) NOT-FOR-US: Foxit CVE-2018-17780 (Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6eb33c1a9589daf6b60c7eeb1df5033da5cba139 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6eb33c1a9589daf6b60c7eeb1df5033da5cba139 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add reference for fix for CVE-2018-18661/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61efc8d1 by Salvatore Bonaccorso at 2018-10-30T20:26:54Z Add reference for fix for CVE-2018-18661/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -415,6 +415,7 @@ CVE-2018-18661 (An issue was discovered in LibTIFF 4.0.9. There is a NULL pointe - tiff (bug #912012) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2819 + NOTE: https://gitlab.com/libtiff/libtiff/commit/99b10edde9a0fc28cc0e7b7757aa18ac4c8c225f CVE-2018-18660 (An issue was discovered in Arcserve Unified Data Protection (UDP) ...) NOT-FOR-US: Arcserve Unified Data Protection CVE-2018-18659 (An issue was discovered in Arcserve Unified Data Protection (UDP) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61efc8d1017825fcbe80818258df9d023c2a3cc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/61efc8d1017825fcbe80818258df9d023c2a3cc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add proposed update for wesnoth-1.12 via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 535c1565 by Salvatore Bonaccorso at 2018-10-30T20:21:53Z Add proposed update for wesnoth-1.12 via stretch-pu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -10747,7 +10747,7 @@ CVE-2018-14500 (joyplus-cms 1.6.0 has XSS via the ...) CVE-2018-1999023 (The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a ...) - wesnoth-1.14 1:1.14.4-1 - wesnoth-1.12 - [stretch] - wesnoth-1.12 (Scheduled for removal from stretch) + [stretch] - wesnoth-1.12 (Minor issue) - wesnoth-1.10 [jessie] - wesnoth-1.10 (Games are not supported in Jessie) NOTE: http://www.openwall.com/lists/oss-security/2018/07/20/1 = data/next-point-update.txt = @@ -134,3 +134,5 @@ CVE-2018-11780 [stretch] - spamassassin 3.4.2-1~deb9u1 CVE-2018-11781 [stretch] - spamassassin 3.4.2-1~deb9u1 +CVE-2018-1999023 + [stretch] - wesnoth-1.12 1:1.12.6-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/535c1565bd5ffd1acdb64ba53a00e1dd7aa4c3c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/535c1565bd5ffd1acdb64ba53a00e1dd7aa4c3c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
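Review bot: the stretch tag is changed to "(Minor issue)" while the same commit schedules wesnoth-1.12 1:1.12.6-1+deb9u1 in data/next-point-update.txt; for that situation the gnutls28 entries in this list use "(Will be fixed via pu)", which tells readers a stretch fix is coming rather than that the issue is being left open. Suggest "[stretch] - wesnoth-1.12 (Minor issue; will be fixed via pu)" so both facts are visible on the entry itself.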
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c749d71b by security tracker role at 2018-10-30T20:10:22Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1140,7 +1140,7 @@ CVE-2018-18382 (Advanced HRM 1.6 allows Remote Code Execution via PHP code in a NOT-FOR-US: Advanced HRM CVE-2018-18381 (Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in ...) NOT-FOR-US: Z-BlogPHP -CVE-2018-18380 (A Session Fixation issue was discovered in Bigtree. admin.php accepts ...) +CVE-2018-18380 (A Session Fixation issue was discovered in Bigtree before 4.2.24. ...) NOT-FOR-US: Bigtree CMS CVE-2018-18379 RESERVED @@ -1351,8 +1351,7 @@ CVE-2018-18283 RESERVED CVE-2018-18282 (Next.js 7.0.0 and 7.0.1 has XSS via the 404 or 500 /_error page. ...) NOT-FOR-US: Next.js -CVE-2018-18281 [mremap: properly flush TLB before releasing the page] - RESERVED +CVE-2018-18281 (Since Linux kernel version 3.2, the mremap() syscall performs TLB ...) - linux NOTE: https://git.kernel.org/linus/eb66ae030829605d61fbef1909ce310e29f78821 CVE-2018-18280 @@ -2700,10 +2699,10 @@ CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal exis NOT-FOR-US: blynk-server in Blynk CVE-2018-17784 (Multiple vulnerabilities in YUI and FlashCanvas embedded in SugarCRM ...) NOT-FOR-US: SugarCRM -CVE-2018-17783 - RESERVED -CVE-2018-17782 - RESERVED +CVE-2018-17783 (A cross-site scripting (XSS) vulnerability in the Edit Filter page ...) + TODO: check +CVE-2018-17782 (A cross-site scripting (XSS) vulnerability in the Manage Filters page ...) + TODO: check CVE-2018-17781 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) NOT-FOR-US: Foxit CVE-2018-17780 (Telegram Desktop (aka tdesktop) 1.3.14, and Telegram 3.3.0.0 WP8.1 on ...) 
@@ -10599,8 +10598,8 @@ CVE-2018-14560 RESERVED CVE-2018-14559 RESERVED -CVE-2018-14558 - RESERVED +CVE-2018-14558 (An issue was discovered on Tenda AC7 devices with firmware through ...) + TODO: check CVE-2018-14557 RESERVED CVE-2018-14556 @@ -20405,6 +20404,7 @@ CVE-2018-10847 (prosody before versions 0.10.2, 0.9.14 is vulnerable to an ...) NOTE: https://prosody.im/security/advisory_20180531/issue1147-0.10.1.patch (0.10.1) NOTE: https://prosody.im/security/advisory_20180531/issue1147-0.9.patch (0.9.x) CVE-2018-10846 (A cache-based side channel in GnuTLS implementation that leads to ...) + {DLA-1560-1} [experimental] - gnutls28 3.6.3-1 - gnutls28 - gnutls26 @@ -20414,6 +20414,7 @@ CVE-2018-10846 (A cache-based side channel in GnuTLS implementation that leads t NOTE: instead of correcting the issue. NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 was ...) + {DLA-1560-1} - gnutls28 3.5.19-1 [stretch] - gnutls28 (Will be fixed via pu) - gnutls26 @@ -20423,6 +20424,7 @@ CVE-2018-10845 (It was found that the GnuTLS implementation of HMAC-SHA-384 was NOTE: https://gitlab.com/gnutls/gnutls/merge_requests/657 NOTE: https://eprint.iacr.org/2018/747 CVE-2018-10844 (It was found that the GnuTLS implementation of HMAC-SHA-256 was ...) + {DLA-1560-1} - gnutls28 3.5.19-1 [stretch] - gnutls28 (Will be fixed via pu) - gnutls26 
@@ -20796,14 +20798,14 @@ CVE-2018-10714 RESERVED CVE-2018-10713 (An issue was discovered on D-Link DSL-3782 EU 1.01 devices. An ...) NOT-FOR-US: D-Link -CVE-2018-10712 - RESERVED -CVE-2018-10711 - RESERVED -CVE-2018-10710 - RESERVED -CVE-2018-10709 - RESERVED +CVE-2018-10712 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) + TODO: check +CVE-2018-10711 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) + TODO: check +CVE-2018-10710 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) + TODO: check +CVE-2018-10709 (The AsrDrv101.sys and AsrDrv102.sys low-level drivers in ASRock RGBLED ...) + TODO: check CVE-2018-10708 RESERVED CVE-2018-10707 @@ -21265,8 +21267,8 @@ CVE-2018-10534 (The _bfd_XX_bfd_copy_private_bfd_data_common function in peXXige NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=aa4a8c2a2a67545e90c877162c53cc9de42dc8b4 CVE-2018-10533 RESERVED -CVE-2018-10532 - RESERVED +CVE-2018-10532 (An issue was discovered on EE 4GEE HH70VB-2BE8GB3 HH70_E1_02.00_19 ...) + TODO: check CVE-2018-10531 RESERVED CVE-2018-10530 @@ -49935,8 +49937,7 @@ CVE-2018-0735 (The OpenSSL ECDSA signature algorithm has been shown
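Review bot: in the CVE-2018-18281 hunk the entry loses its RESERVED state and keeps the upstream fix reference (the linus/eb66ae03 commit, whose title was the previous placeholder "mremap: properly flush TLB before releasing the page"), but the "- linux" line still has no fixed version; fill in the Debian linux version that carries that commit, otherwise the entry is reported as unfixed in unstable.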
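Review bot: the CVE-2018-10709 to CVE-2018-10712 hunk (ASRock AsrDrv101.sys/AsrDrv102.sys low-level drivers) and the CVE-2018-10532 hunk (EE 4GEE HH70 router firmware) are left as "TODO: check" by the automatic update; proprietary Windows drivers and vendor router firmware are not packaged in Debian, so these can be processed to NOT-FOR-US in the follow-up triage the same way the Foxit and Tenda entries were in commit 22bc58ee.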
[Git][security-tracker-team/security-tracker][master] mark salt as ignored in jessie
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d7b2e31 by Antoine Beaupré at 2018-10-30T17:22:32Z mark salt as ignored in jessie Older versions of stack don't have master signature verification code at all, so there is no expectation this would be secure in the first place. Also clarify that both the patch that enforces signing and the patch that disables the check by default are necessary. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -79384,12 +79384,14 @@ CVE-2017-7894 (WinDjView 2.1 might allow user-assisted attackers to execute code CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can ...) - salt 2016.11.5+ds-1 [stretch] - salt (Minor issue) + [jessie] - salt (Vulnerable code introduced later, but older versions did not verify master anyways) NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html NOTE: https://github.com/saltstack/salt/issues/48939 - NOTE: https://github.com/saltstack/salt/commit/0a0f46fb1478be5eb2f90882a90390cb35ec43cb + NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40159.patch + NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40206.patch NOTE: The behaviour though was back off by default in a later commit again NOTE: cf. https://github.com/saltstack/salt/pull/40206 - NOTE: The fix is the second part of the 0a0f46f commit, but the behaviour is turned + NOTE: The fix is the second part of the #40159 PR, but the behaviour is turned NOTE: off by default and needs considerations of admins before enabling. We still NOTE: consider the issue as fixed starting with this change. Details in NOTE: https://github.com/saltstack/salt/issues/48939#issuecomment-410777638 = data/dla-needed.txt = 
@@ -76,10 +76,7 @@ qemu (Santiago) NOTE: 20181026: no fix yet for recent dsa issues, but start working on NOTE: pending no-dsa issues -- -salt (Antoine Beaupre) - NOTE: 20180921: CVE-2017-7893 is not crucial since the managed system must be - NOTE: 20180921: compromised first. But the security escalation effect can cause - NOTE: 20180921: a lot of system compromised. (ola) +salt -- smarty3 (Mike Gabriel) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d7b2e315f955c4926d7d60c608f9d90c9e6ade9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d7b2e315f955c4926d7d60c608f9d90c9e6ade9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
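Review bot: the new jessie tag "(Vulnerable code introduced later, but older versions did not verify master anyways)" mixes two different triage outcomes: "vulnerable code introduced later" is the wording used for not-affected, while the commit title says the issue is being ignored for jessie because the signature check never existed there. Pick one so the tracker state is unambiguous, for example "[jessie] - salt (Master signature verification not implemented at all in this version)". In data/dla-needed.txt the claimant and the 20180921 notes are dropped but a bare "salt" line remains; if CVE-2017-7893 was the only open issue and jessie is now ignored, drop the entry, otherwise add a NOTE saying what is still pending.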
[Git][security-tracker-team/security-tracker][master] Mark network-manager issue as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb74c59a by Salvatore Bonaccorso at 2018-10-30T16:22:58Z Mark network-manager issue as no-dsa - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -,6 +,7 @@ CVE-2018-15689 RESERVED CVE-2018-15688 (A buffer overflow vulnerability in the dhcp6 client of systemd allows ...) - network-manager 1.14.4-2 + [stretch] - network-manager (Minor issue; internal dhcp implementation not used by default) - systemd 239-11 (bug #912008) [stretch] - systemd (Minor issue; not enabled by default in Debian, will be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1639067 = data/dsa-needed.txt = @@ -52,8 +52,6 @@ mupdf (jmm) leaf package, might be a candidate for simply moving to 1.13 in stretch Maintainer (koster) is preparing an update -- -network-manager --- openjpeg2 (luciano) -- passenger View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb74c59a30ed100d74c916007781e1cc91865d50 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb74c59a30ed100d74c916007781e1cc91865d50 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
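Review bot: the new stretch tag says the internal dhcp implementation is not used by default but, unlike the systemd line directly below it ("will be fixed via point release"), does not say whether a stretch point-release update is planned; since network-manager is removed from data/dsa-needed.txt in the same commit, state the plan on the tag so readers can tell whether a fix is still intended for stretch.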
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2018-15688/systemd as postponed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 479ff089 by Salvatore Bonaccorso at 2018-10-30T16:21:32Z Mark CVE-2018-15688/systemd as postponed - - - - - ddd70085 by Salvatore Bonaccorso at 2018-10-30T16:21:50Z Mark CVE-2018-15686/systemd as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7778,6 +7778,7 @@ CVE-2018-15689 CVE-2018-15688 (A buffer overflow vulnerability in the dhcp6 client of systemd allows ...) - network-manager 1.14.4-2 - systemd 239-11 (bug #912008) + [stretch] - systemd (Minor issue; not enabled by default in Debian, will be fixed via point release) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1639067 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921 NOTE: https://github.com/systemd/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20 @@ -7792,6 +7793,7 @@ CVE-2018-15687 (A race condition in chown_one() of systemd allows an attacker to NOTE: https://github.com/systemd/systemd/pull/10517 CVE-2018-15686 (A vulnerability in unit_deserialize of systemd allows an attacker to ...) - systemd (bug #912005) + [stretch] - systemd (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1687 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1796402 NOTE: https://github.com/systemd/systemd/pull/10519 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/77b60292114ab528d5caaebf9e8a8c7c8eb90653...ddd70085e9f9cf7b982027d54f990e6153595c85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/77b60292114ab528d5caaebf9e8a8c7c8eb90653...ddd70085e9f9cf7b982027d54f990e6153595c85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1560-1 for gnutls28
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: 77b60292 by Antoine Beaupré at 2018-10-30T15:50:51Z Reserve DLA-1560-1 for gnutls28 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Oct 2018] DLA-1560-1 gnutls28 - security update + {CVE-2018-10844 CVE-2018-10845 CVE-2018-10846} + [jessie] - gnutls28 3.3.30-0+deb8u1 [29 Oct 2018] DLA-1559-1 xen - security update {CVE-2017-15592 CVE-2017-15593 CVE-2017-15594 CVE-2017-15595 CVE-2017-17044 CVE-2017-17045 CVE-2018-10472 CVE-2018-10981} [jessie] - xen 4.4.4lts3-0+deb8u1 = data/dla-needed.txt = @@ -25,9 +25,6 @@ firefox-esr (Emilio Pozuelo) firmware-nonfree (Ben Hutchings) NOTE: Waiting for approval of Stretch update. -- -gnutls28 (Antoine Beaupre) - NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (Chris Lamb) --- imagemagick (Thorsten Alteholz) NOTE: 20181023: add additional Ubuntu patch to disable ghostscript handled formats NOTE: 20181023: wait with upload until this is done in unstable -> #907336 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/77b60292114ab528d5caaebf9e8a8c7c8eb90653 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/77b60292114ab528d5caaebf9e8a8c7c8eb90653 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] squid fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bee318d4 by Moritz Muehlenhoff at 2018-10-30T15:34:25Z squid fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85,12 +85,12 @@ CVE-2018-18807 CVE-2017-18350 RESERVED CVE-2018- [Squid: SNMP mem leak] - - squid (low; bug #912294) + - squid 4.4-1 (low; bug #912294) - squid3 (low) [stretch] - squid3 (Can be fixed along in a future DSA) NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_5.txt CVE-2018- [Squid: XSS when generating HTTPS response messages about TLS errors] - - squid (unimportant; bug #912293) + - squid 4.4-1 (unimportant; bug #912293) - squid3 (unimportant) NOTE: http://www.squid-cache.org/Advisories/SQUID-2018_4.txt NOTE: Squid in Debian builds without TLS support View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bee318d40c6c94d98f1e307311e9cd35e09b1cf2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bee318d40c6c94d98f1e307311e9cd35e09b1cf2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] one IM issue fixed in recent sid upload
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7114be9c by Moritz Muehlenhoff at 2018-10-30T15:15:25Z one IM issue fixed in recent sid upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2108,7 +2108,7 @@ CVE-2018-18027 CVE-2018-18026 (IMFCameraProtect.sys in IObit Malware Fighter 6.2 (and possibly lower ...) NOT-FOR-US: IObit Malware Fighter CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in ...) - - imagemagick (bug #911435) + - imagemagick 8:6.9.10.14+dfsg-1 (low; bug #911435) [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1a22fc0c8837838e60daecc0bf01648f359dd6fd View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7114be9c163d550bb0dc8f21e500a376782129de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7114be9c163d550bb0dc8f21e500a376782129de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libui-dialog-perl fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c71bde2 by Moritz Muehlenhoff at 2018-10-30T15:08:30Z libui-dialog-perl fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135991,7 +135991,7 @@ CVE-2008-7316 (mm/filemap.c in the Linux kernel before 2.6.25 allows local users - linux-2.6 2.6.25-1 NOTE: https://git.kernel.org/linus/124d3b7041f9a0ca7c43a6293e1cae4576c32fd5 (v2.6.25-rc1) CVE-2008-7315 (UI-Dialog 1.09 and earlier allows remote attackers to execute ...) - - libui-dialog-perl (bug #496448) + - libui-dialog-perl 1.21-0.1 (bug #496448) [jessie] - libui-dialog-perl (Minor issue) [wheezy] - libui-dialog-perl (Minor issue) [squeeze] - libui-dialog-perl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c71bde202ee51394d80bea244783a64904a42dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c71bde202ee51394d80bea244783a64904a42dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gthumb fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 88d78d82 by Moritz Muehlenhoff at 2018-10-30T13:42:36Z gthumb fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -277,7 +277,7 @@ CVE-2018-18720 (An XSS issue was discovered in index.php/admin/system/basic in Y CVE-2018-18719 RESERVED CVE-2018-18718 (An issue was discovered in gThumb through 3.6.2. There is a double-free ...) - - gthumb (unimportant; bug #912290) + - gthumb 3:3.6.2-2 (unimportant; bug #912290) NOTE: https://gitlab.gnome.org/GNOME/gthumb/issues/18 NOTE: Crash in end user application, no security impact CVE-2018-18717 (An issue was discovered in Eleanor CMS through 2015-03-19. XSS exists ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88d78d820fce95b41cd6ff33ad36f9438a15eea9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/88d78d820fce95b41cd6ff33ad36f9438a15eea9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add commit reference for CVE-2018-15688
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ede5522 by Salvatore Bonaccorso at 2018-10-30T12:01:59Z Add commit reference for CVE-2018-15688 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7782,6 +7782,7 @@ CVE-2018-15688 (A buffer overflow vulnerability in the dhcp6 client of systemd a NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921 NOTE: https://github.com/systemd/systemd/commit/49653743f69658aeeebdb14faf1ab158f1f2cb20 NOTE: systemd-networkd not enabled by default in Debian + NOTE: NetworkManager: https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=01ca2053bbea09f35b958c8cc7631e15469acb79 CVE-2018-15687 (A race condition in chown_one() of systemd allows an attacker to cause ...) - systemd 239-11 (bug #912007) [stretch] - systemd (Vulnerable code introduced later in v235) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ede552225f4be90754e7db496e9a21f97831cfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ede552225f4be90754e7db496e9a21f97831cfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add NM to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ddaf0984 by Moritz Muehlenhoff at 2018-10-30T11:23:04Z Add NM to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -52,6 +52,8 @@ mupdf (jmm) leaf package, might be a candidate for simply moving to 1.13 in stretch Maintainer (koster) is preparing an update -- +network-manager +-- openjpeg2 (luciano) -- passenger View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ddaf09843def2f699929592008eff1ddfbf65b86 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ddaf09843def2f699929592008eff1ddfbf65b86 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2018-15688/network-manager
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f84d3d8 by Salvatore Bonaccorso at 2018-10-30T09:52:10Z Add fixed version via unstable for CVE-2018-15688/network-manager - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7776,7 +7776,7 @@ CVE-2018-15690 CVE-2018-15689 RESERVED CVE-2018-15688 (A buffer overflow vulnerability in the dhcp6 client of systemd allows ...) - - network-manager + - network-manager 1.14.4-2 - systemd 239-11 (bug #912008) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1639067 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f84d3d8e1072b7c5cce0814773bbcae1241c2b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f84d3d8e1072b7c5cce0814773bbcae1241c2b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
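Review bot: the changed line "- network-manager 1.14.4-2" records the unstable fix but, unlike "- systemd 239-11 (bug #912008)" immediately below it, carries no bug reference, and no "[stretch] - network-manager ..." status line is visible in the hunk context. If a bug was filed for the network-manager upload, add "(bug #NNNNNN)" on the same line; and since network-manager was added to dsa-needed on the same day, a "[stretch] - network-manager <vulnerable>" line would keep the stable status in sync with the DSA queue.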
[Git][security-tracker-team/security-tracker][master] Add network-manager for CVE-2018-15688
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dcb1db4a by Salvatore Bonaccorso at 2018-10-30T09:49:32Z Add network-manager for CVE-2018-15688 Unfortunately, even if the package builds against Build against libsystemd-dev the specific embedded copy for networkd is still used in network-manager itself. As such src:network-manager is affected by the same issue as systemd itself. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7776,6 +7776,7 @@ CVE-2018-15690 CVE-2018-15689 RESERVED CVE-2018-15688 (A buffer overflow vulnerability in the dhcp6 client of systemd allows ...) + - network-manager - systemd 239-11 (bug #912008) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1639067 NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1795921 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dcb1db4a9a178af4828c509fff9e6e255ca4ba5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dcb1db4a9a178af4828c509fff9e6e255ca4ba5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
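Review bot: the added line "+ - network-manager" records the package as affected, but the reasoning (network-manager keeps using its embedded copy of the networkd dhcp6 client even when built against libsystemd-dev) lives only in the commit message, which readers of data/CVE/list never see. Suggest a NOTE directly under the new line, e.g. "NOTE: network-manager embeds a copy of the systemd-networkd dhcp6 client, so building against libsystemd-dev does not help", so the next person triaging this entry does not re-derive why a non-systemd source package is listed under a systemd CVE.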
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-0734/openssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d1c6c695 by Salvatore Bonaccorso at 2018-10-30T07:47:14Z Add CVE-2018-0734/openssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -49844,8 +49844,16 @@ CVE-2018-0735 (The OpenSSL ECDSA signature algorithm has been shown to be vulner NOTE: https://www.openssl.org/news/secadv/20181029.txt NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=56fb454d281a023b3f950d969693553d3f3ceea1 -CVE-2018-0734 +CVE-2018-0734 [Timing vulnerability in DSA signature generation] RESERVED + - openssl + [stretch] - openssl (Wait for next DSA and upstream release) + - openssl1.0 + [stretch] - openssl1.0 (Wait for next DSA and upstream release) + NOTE: https://www.openssl.org/news/secadv/20181030.txt + NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=8abfe72e8c1de1b95f50aa0d9134803b4d00070f + NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ef11e19d1365eea2b1851e6f540a0bf365d303e7 + NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=43e6a58d4991a451daf4891ff05a48735df871ac CVE-2018-0733 (Because of an implementation bug the PA-RISC CRYPTO_memcmp function is ...) - openssl 1.1.0h-1 (unimportant) [stretch] - openssl 1.1.0f-3+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1c6c69568d952b3c214873895b665b80a2f65ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1c6c69568d952b3c214873895b665b80a2f65ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
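Review bot: the two unstable lines "- openssl" and "- openssl1.0" give no hint which of the three upstream branch commits listed in the NOTE lines applies to each source package, while the context shows stretch's openssl is a 1.1.0 package ("[stretch] - openssl 1.1.0f-3+deb9u2"). Suggest annotating the NOTEs with the Debian source they map to, e.g. "NOTE: OpenSSL_1_1_0-stable (src:openssl in stretch): ..." and "NOTE: OpenSSL_1_0_2-stable (src:openssl1.0): ...", so that whoever prepares the deferred update ("Wait for next DSA and upstream release") picks the right backport for each package.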
[Git][security-tracker-team/security-tracker][master] Reference commit for CVE-2018-18025/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 53cb6612 by Salvatore Bonaccorso at 2018-10-30T07:43:29Z Reference commit for CVE-2018-18025/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2026,6 +2026,7 @@ CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-r [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1a22fc0c8837838e60daecc0bf01648f359dd6fd + NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/394b3e6edf74d1337ce338927da053bb40c00ae9 CVE-2018-18024 (In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the ...) - imagemagick 8:6.9.10.14+dfsg-1 (low) [stretch] - imagemagick (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/53cb6612e24488c0714d478c4bbcc786d367bfde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/53cb6612e24488c0714d478c4bbcc786d367bfde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
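Review bot: the added "NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/394b3e6..." is the commit that actually matters for Debian, since the packaged version in the hunk context is the 6.x series ("imagemagick 8:6.9.10.14+dfsg-1") while the CVE text describes ImageMagick 7.0.8-13 and the existing NOTE points at the ImageMagick (7.x) repository. Suggest marking it as such, e.g. "NOTE: ImageMagick6 (Debian's 6.x packaging, fix to backport): ...", so the stretch "(Fix along in next DSA)" entry is tied to the right upstream commit.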