[Secure-testing-commits] r45247 - data/CVE

2016-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-10-12 07:00:24 + (Wed, 12 Oct 2016)
New Revision: 45247

Modified:
   data/CVE/list
Log:
guile/repl n/a for 1.8, no-dsa for 2.0/jessie


Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 05:49:22 UTC (rev 45246)
+++ data/CVE/list   2016-10-12 07:00:24 UTC (rev 45247)
@@ -1,12 +1,14 @@
 CVE-2016-8606 [REPL server vulnerable to HTTP inter-protocol attacks]
-   - guile-2.0 
+   - guile-2.0  (low)
+   [jessie] - guile-2.0  (Minor issue)
+   - guile-1.8  (repl server introduced in 2.0)
NOTE: Patch: 
http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
-   TODO: check and if this potentially affects guile-1.8 as well
 CVE-2016-8605 [Thread-unsafe umask modification]
-   - guile-2.0 
+   - guile-2.0  (low)
+   [jessie] - guile-2.0  (Minor issue)
+   - guile-1.8  (repl server introduced in 2.0)
NOTE: http://bugs.gnu.org/24659
NOTE: Patch: 
http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=245608911698adb3472803856019bdd5670b6614
-   TODO: check and if this potentially affects guile-1.8 as well
 CVE-2016-8593
RESERVED
 CVE-2016-8592
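Review bot: the not-affected justification for guile-1.8 under CVE-2016-8605 ("repl server introduced in 2.0", the third added line of the second block) is copied from CVE-2016-8606 and does not fit a thread-unsafe umask issue; either verify that guile-1.8 lacks the affected umask code and say so, or keep the TODO for 1.8 on that entry. The rendered hunk also shows only a double space between the package name and the parenthesised comment on those lines, so confirm the intended status tag survived the commit.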


___
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits


[Secure-testing-commits] r45248 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 08:35:13 + (Wed, 12 Oct 2016)
New Revision: 45248

Modified:
   data/CVE/list
Log:
Update information for CVE-2016-7970

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 07:00:24 UTC (rev 45247)
+++ data/CVE/list   2016-10-12 08:35:13 UTC (rev 45248)
@@ -2113,6 +2113,7 @@
 CVE-2016-7970
RESERVED
- libass 0.13.4-1
+   [jessie] - libass  (Vulnerable code introduced later)
[wheezy] - libass  (Vulnerable code first introduced in 
July 2015)
NOTE: Fixed by: 
https://github.com/libass/libass/pull/240/commits/08e754612019ed84d1db0d1fc4f5798248decd75
NOTE: Vulnerable function calc_coeff introduced in: 
https://github.com/libass/libass/commit/d787615845d78d8f8e6d1a4ffc3dc3eecd8a92f6
 (0.13.0)
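Review bot: the added jessie annotation ("Vulnerable code introduced later") gives no version, while the NOTE below pins the introducing commit to 0.13.0 and the wheezy line to July 2015; stating the version on the jessie line as well (for example "Vulnerable code introduced in 0.13.0") lets a reader confirm that jessie's libass predates it without chasing the commit.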




[Secure-testing-commits] r45249 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 11:40:08 + (Wed, 12 Oct 2016)
New Revision: 45249

Modified:
   data/CVE/list
Log:
Add commit reference for CVE-2016-5131

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 08:35:13 UTC (rev 45248)
+++ data/CVE/list   2016-10-12 11:40:08 UTC (rev 45249)
@@ -11176,6 +11176,8 @@
[wheezy] - chromium-browser  (Not supported in Wheezy)
- libxml2 
NOTE: Google fix: https://codereview.chromium.org/2127493002
+   NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
+   NOTE: Requisite for the fix: 
https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8
 CVE-2016-5130 (content/renderer/history_controller.cc in Google Chrome before 
...)
{DSA-3637-1}
- chromium-browser 52.0.2743.82-1
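Review bot: the second added NOTE labels commit a005199 as "Requisite for the fix"; make explicit whether that commit is needed for the fix itself or only for the accompanying test case, because that decides whether both commits have to be backported to jessie and wheezy for libxml2.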




[Secure-testing-commits] r45250 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 11:43:08 + (Wed, 12 Oct 2016)
New Revision: 45250

Modified:
   data/CVE/list
Log:
ffmpeg issues fixed in unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 11:40:08 UTC (rev 45249)
+++ data/CVE/list   2016-10-12 11:43:08 UTC (rev 45250)
@@ -2303,7 +2303,7 @@
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/d63a3c5729df59f183e9e110d5d8385d17caaad0
 CVE-2016-7905
RESERVED
-   - ffmpeg  (bug #840434)
+   - ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/622ccbd8ab894e3ac6cdf607e3d4f39e406786e9
 (n3.1.4)
 CVE-2016-7904
RESERVED
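Review bot: the fixed version 7:3.1.4-1 matches the upstream tag (n3.1.4) already recorded beside the commit, and the same change is repeated for the other six ffmpeg CVEs in the hunks below; since all seven share bug #840434, check that the bug is closed with that same version so the tracker and the BTS agree.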
@@ -2589,7 +2589,7 @@
RESERVED
 CVE-2016-7785
RESERVED
-   - ffmpeg  (bug #840434)
+   - ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/c8c5f66b42edc37474baa5cb51460cbf6f33075b
 (n3.1.4)
 CVE-2016-7784
RESERVED
@@ -3050,7 +3050,7 @@
NOT-FOR-US: MuJS
 CVE-2016-7562
RESERVED
-   - ffmpeg  (bug #840434)
+   - ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/496267f8e9ec218351e4359e1fde48722d4fc804
 (n3.1.4)
 CVE-2016-7561 (Fortinet FortiWLC 6.1-2-29 and earlier, 7.0-9-1, 7.0-10-0, 
8.0-5-0, ...)
TODO: check
@@ -3066,7 +3066,7 @@
RESERVED
 CVE-2016-7555
RESERVED
-   - ffmpeg  (bug #840434)
+   - ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/8834e080c20d3d23c3ffe779371359f9b9b835ec
 (n3.1.4)
 CVE-2016-7554
REJECTED
@@ -3151,7 +3151,7 @@
RESERVED
 CVE-2016-7502
RESERVED
-   - ffmpeg  (bug #840434)
+   - ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/9d738e6968757d4e70c8e07e0b720ac0004accc4
 (n3.1.4)
 CVE-2016-7501
RESERVED
@@ -3265,7 +3265,7 @@
RESERVED
 CVE-2016-7450
RESERVED
-   - ffmpeg  (bug #840434)
+   - ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ac8ac46641adef208485baebc3734463bf0bd266
 (n3.1.4)
 CVE-2016-7449 [all TIFF related problems due to use of strlcpy use]
RESERVED
@@ -4115,7 +4115,7 @@
RESERVED
 CVE-2016-7122
RESERVED
-   - ffmpeg  (bug #840434)
+   - ffmpeg 7:3.1.4-1 (bug #840434)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ed38046c5c2e3b310980be32287179895c83e0d8
 (n3.1.4)
 CVE-2016-7121
RESERVED




[Secure-testing-commits] r45251 - data/CVE

2016-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-10-12 13:59:18 + (Wed, 12 Oct 2016)
New Revision: 45251

Modified:
   data/CVE/list
Log:
imagemagick fixes in experimental


Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 11:43:08 UTC (rev 45250)
+++ data/CVE/list   2016-10-12 13:59:18 UTC (rev 45251)
@@ -2298,6 +2298,7 @@
NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=fcbd8018e645f3ab1ef9af94dc88a0d3272926d3
 (v2.5.0-rc0)
 CVE-2016-7906
RESERVED
+   [experimental] - imagemagick 8:6.9.6.2+dfsg-1
- imagemagick  (bug #840435)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/281
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/d63a3c5729df59f183e9e110d5d8385d17caaad0
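Review bot: the [experimental] line records 8:6.9.6.2+dfsg-1 as fixed while unstable stays unfixed with bug #840435 open; confirm that upstream commit d63a3c5 (the NOTE directly below) is actually contained in the 6.9.6.2 release, since the entry is otherwise only an assertion.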
@@ -2524,6 +2525,7 @@
NOTE: 
https://sourceforge.net/p/graphicsmagick/code/ci/5c7b6d6094a25e99c57f8b18343914ebfd8213ef/
 CVE-2016-7799 [mogrify global buffer overflow]
RESERVED
+   [experimental] - imagemagick 8:6.9.6.2+dfsg-1
- imagemagick  (bug #840437)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/280
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/a7bb158b7bedd1449a34432feb3a67c8f1873bfa




[Secure-testing-commits] r45252 - in data: . DSA

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 14:13:59 + (Wed, 12 Oct 2016)
New Revision: 45252

Modified:
   data/DSA/list
   data/dsa-needed.txt
Log:
Reserve DSA number for ghostscript

Modified: data/DSA/list
===
--- data/DSA/list   2016-10-12 13:59:18 UTC (rev 45251)
+++ data/DSA/list   2016-10-12 14:13:59 UTC (rev 45252)
@@ -1,3 +1,6 @@
+[12 Oct 2016] DSA-3691-1 ghostscript - security update
+   {CVE-2013-5653 CVE-2016-7976 CVE-2016-7977 CVE-2016-7978 CVE-2016-7979 
CVE-2016-8602}
+   [jessie] - ghostscript 9.06~dfsg-2+deb8u3
 [10 Oct 2016] DSA-3690-1 icedove - security update
{CVE-2016-5257}
[jessie] - icedove 1:45.4.0-1~deb8u1
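Review bot: the new DSA-3691-1 entry lists six CVEs, but the matching {DSA-3691-1} cross-references in data/CVE/list are not part of this commit; if the automatic update is expected to add them that is fine, otherwise add them here so the jessie status for ghostscript does not lag the advisory.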

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-10-12 13:59:18 UTC (rev 45251)
+++ data/dsa-needed.txt 2016-10-12 14:13:59 UTC (rev 45252)
@@ -14,8 +14,6 @@
 --
 389-ds-base (fw)
 --
-ghostscript (carnil)
---
 graphicsmagick (luciano)
 --
 icu




[Secure-testing-commits] r45253 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 14:29:46 + (Wed, 12 Oct 2016)
New Revision: 45253

Modified:
   data/CVE/list
Log:
More revision needed for CVE-2016-7982/spip

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 14:13:59 UTC (rev 45252)
+++ data/CVE/list   2016-10-12 14:29:46 UTC (rev 45253)
@@ -2080,9 +2080,20 @@
 CVE-2016-7982 [File Enumeration / Path Traversal]
RESERVED
- spip 
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23184 
(3.0.x)
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23182 
(3.1.x)
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23185
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23187
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23188 
(3.1.x)
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23193 
(3.0.x)
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23190 
(3.1.x)
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23191 
(3.0.x)
NOTE: https://core.spip.net/projects/spip/repository/revisions/23200
NOTE: https://core.spip.net/projects/spip/repository/revisions/23201 
(3.1.x)
NOTE: https://core.spip.net/projects/spip/repository/revisions/23202 
(3.0.x)
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23206
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23208 
(3.0.x)
+   NOTE: https://core.spip.net/projects/spip/repository/revisions/23207 
(3.1.x)
 CVE-2016-7981 [Reflected Cross-Site Scripting]
RESERVED
- spip 
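Review bot: three of the added revision NOTEs (23185, 23187, 23206) carry no branch marker while the rest are tagged (3.0.x) or (3.1.x); annotate those too, or state that they are trunk-only, so whoever backports the fix can tell which revisions belong to each series.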




[Secure-testing-commits] r45254 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 15:00:43 + (Wed, 12 Oct 2016)
New Revision: 45254

Modified:
   data/CVE/list
Log:
CVE-2016-5131: clarify comment

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 14:29:46 UTC (rev 45253)
+++ data/CVE/list   2016-10-12 15:00:43 UTC (rev 45254)
@@ -11190,7 +11190,7 @@
- libxml2 
NOTE: Google fix: https://codereview.chromium.org/2127493002
NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
-   NOTE: Requisite for the fix: 
https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8
+   NOTE: Requisite for the test: 
https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8
 CVE-2016-5130 (content/renderer/history_controller.cc in Google Chrome before 
...)
{DSA-3637-1}
- chromium-browser 52.0.2743.82-1




[Secure-testing-commits] r45255 - data/CVE

2016-10-12 Thread Scott Kitterman
Author: kitterman
Date: 2016-10-12 16:13:19 + (Wed, 12 Oct 2016)
New Revision: 45255

Modified:
   data/CVE/list
Log:
Add bug # for kdepimlibs CVE-2016-7966

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 15:00:43 UTC (rev 45254)
+++ data/CVE/list   2016-10-12 16:13:19 UTC (rev 45255)
@@ -2144,7 +2144,7 @@
TODO: check if vulnerable code present, might have been introduced in 
4:16.08
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
-   - kdepimlibs 
+   - kdepimlibs  (bug #840546)
- kcoreaddons 
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
TODO: check




[Secure-testing-commits] r45256 - data/CVE

2016-10-12 Thread Scott Kitterman
Author: kitterman
Date: 2016-10-12 16:27:44 + (Wed, 12 Oct 2016)
New Revision: 45256

Modified:
   data/CVE/list
Log:
Add bug # for kcoreaddons CVE-2016-7966

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 16:13:19 UTC (rev 45255)
+++ data/CVE/list   2016-10-12 16:27:44 UTC (rev 45256)
@@ -2145,7 +2145,7 @@
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
- kdepimlibs  (bug #840546)
-   - kcoreaddons 
+   - kcoreaddons  (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
TODO: check
 CVE-2016-7965




[Secure-testing-commits] r45257 - data

2016-10-12 Thread Moritz Muehlenhoff
Author: jmm
Date: 2016-10-12 17:36:42 + (Wed, 12 Oct 2016)
New Revision: 45257

Modified:
   data/dsa-needed.txt
Log:
add and take freeimage


Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-10-12 16:27:44 UTC (rev 45256)
+++ data/dsa-needed.txt 2016-10-12 17:36:42 UTC (rev 45257)
@@ -14,6 +14,8 @@
 --
 389-ds-base (fw)
 --
+freeimage (jmm)
+--
 graphicsmagick (luciano)
 --
 icu




[Secure-testing-commits] r45258 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 18:02:20 + (Wed, 12 Oct 2016)
New Revision: 45258

Modified:
   data/CVE/list
Log:
Fixing commit for CVE-2016-4658 now known

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 17:36:42 UTC (rev 45257)
+++ data/CVE/list   2016-10-12 18:02:20 UTC (rev 45258)
@@ -12702,7 +12702,8 @@
 CVE-2016-4659
RESERVED
 CVE-2016-4658 (libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 
10, and ...)
-   TODO: check
+   - libxml2 
+   NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
 CVE-2016-4657 (WebKit in Apple iOS before 9.3.5 allows remote attackers to 
execute ...)
TODO: check
 CVE-2016-4656 (The kernel in Apple iOS before 9.3.5 allows attackers to 
execute ...)
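Review bot: the entry now records libxml2 as affected with a fixing commit but carries no Debian bug reference beside the package line; file the bug and record its number in the parentheses so the maintainer is notified and the tracker can follow it.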




[Secure-testing-commits] r45259 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 18:20:05 + (Wed, 12 Oct 2016)
New Revision: 45259

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2016-4658/libxml2

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 18:02:20 UTC (rev 45258)
+++ data/CVE/list   2016-10-12 18:20:05 UTC (rev 45259)
@@ -12702,7 +12702,7 @@
 CVE-2016-4659
RESERVED
 CVE-2016-4658 (libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 
10, and ...)
-   - libxml2 
+   - libxml2  (bug #840553)
NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=c1d1f7121194036608bf555f08d3062a36fd344b
 CVE-2016-4657 (WebKit in Apple iOS before 9.3.5 allows remote attackers to 
execute ...)
TODO: check




[Secure-testing-commits] r45260 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 18:22:16 + (Wed, 12 Oct 2016)
New Revision: 45260

Modified:
   data/CVE/list
Log:
Add bug reference for CVE-2016-5131/libxml2, #840554

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 18:20:05 UTC (rev 45259)
+++ data/CVE/list   2016-10-12 18:22:16 UTC (rev 45260)
@@ -11187,7 +11187,7 @@
{DSA-3637-1}
- chromium-browser 52.0.2743.82-1
[wheezy] - chromium-browser  (Not supported in Wheezy)
-   - libxml2 
+   - libxml2  (bug #840554)
NOTE: Google fix: https://codereview.chromium.org/2127493002
NOTE: Fixed by: 
https://git.gnome.org/browse/libxml2/commit/?id=9ab01a277d71f54d3143c2cf333c5c2e9aaedd9e
NOTE: Requisite for the test: 
https://git.gnome.org/browse/libxml2/commit/?id=a005199330b86dada19d162cae15ef9bdcb6baa8




[Secure-testing-commits] r45261 - data/CVE

2016-10-12 Thread Scott Kitterman
Author: kitterman
Date: 2016-10-12 18:36:28 + (Wed, 12 Oct 2016)
New Revision: 45261

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2016-7966/unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 18:22:16 UTC (rev 45260)
+++ data/CVE/list   2016-10-12 18:36:28 UTC (rev 45261)
@@ -2144,10 +2144,12 @@
TODO: check if vulnerable code present, might have been introduced in 
4:16.08
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
-   - kdepimlibs  (bug #840546)
+   - kdepimlibs 4:4.14.10-2 (bug #840546)
+[jessie] - kdepimlibs 
+[wheezy] - kdepimlibs 
- kcoreaddons  (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
-   TODO: check
+   TODO: fix for kdepimlibs for stable - kcoreaddons unstable/testing only
 CVE-2016-7965
RESERVED
 CVE-2016-7964
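Review bot: the added explicit [jessie] and [wheezy] unfixed lines are redundant: once unstable carries a fixed version, the tracker already treats older suites as unfixed unless a suite-specific entry says otherwise, so they only add noise, and they are also indented differently from the surrounding package lines. Drop them unless a suite-specific status (fixed version, no-dsa, not-affected) is being recorded.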




[Secure-testing-commits] r45262 - data/CVE

2016-10-12 Thread Scott Kitterman
Author: kitterman
Date: 2016-10-12 18:42:47 + (Wed, 12 Oct 2016)
New Revision: 45262

Modified:
   data/CVE/list
Log:
Fix fixed version for CVE-2016-7966/unstable

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 18:36:28 UTC (rev 45261)
+++ data/CVE/list   2016-10-12 18:42:47 UTC (rev 45262)
@@ -2144,7 +2144,7 @@
TODO: check if vulnerable code present, might have been introduced in 
4:16.08
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
-   - kdepimlibs 4:4.14.10-2 (bug #840546)
+   - kdepimlibs 4:4.14.10-6 (bug #840546)
 [jessie] - kdepimlibs 
 [wheezy] - kdepimlibs 
- kcoreaddons  (bug #840547)




[Secure-testing-commits] r45263 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 18:45:32 + (Wed, 12 Oct 2016)
New Revision: 45263

Modified:
   data/CVE/list
Log:
Unfixed status for lower suites is automatically given

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 18:42:47 UTC (rev 45262)
+++ data/CVE/list   2016-10-12 18:45:32 UTC (rev 45263)
@@ -2145,8 +2145,6 @@
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
- kdepimlibs 4:4.14.10-6 (bug #840546)
-[jessie] - kdepimlibs 
-[wheezy] - kdepimlibs 
- kcoreaddons  (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
TODO: fix for kdepimlibs for stable - kcoreaddons unstable/testing only




[Secure-testing-commits] r45264 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 18:46:46 + (Wed, 12 Oct 2016)
New Revision: 45264

Modified:
   data/CVE/list
Log:
Report bugs for guile-2.0, #840556, #840555

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 18:45:32 UTC (rev 45263)
+++ data/CVE/list   2016-10-12 18:46:46 UTC (rev 45264)
@@ -1,10 +1,10 @@
 CVE-2016-8606 [REPL server vulnerable to HTTP inter-protocol attacks]
-   - guile-2.0  (low)
+   - guile-2.0  (low; bug #840555)
[jessie] - guile-2.0  (Minor issue)
- guile-1.8  (repl server introduced in 2.0)
NOTE: Patch: 
http://git.savannah.gnu.org/cgit/guile.git/commit/?h=stable-2.0&id=08c021916dbd3a235a9f9cc33df4c418c0724e03
 CVE-2016-8605 [Thread-unsafe umask modification]
-   - guile-2.0  (low)
+   - guile-2.0  (low; bug #840556)
[jessie] - guile-2.0  (Minor issue)
- guile-1.8  (repl server introduced in 2.0)
NOTE: http://bugs.gnu.org/24659




[Secure-testing-commits] r45265 - data

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 18:48:02 + (Wed, 12 Oct 2016)
New Revision: 45265

Modified:
   data/dsa-needed.txt
Log:
Add libgd2 to dsa-needed list

Modified: data/dsa-needed.txt
===
--- data/dsa-needed.txt 2016-10-12 18:46:46 UTC (rev 45264)
+++ data/dsa-needed.txt 2016-10-12 18:48:02 UTC (rev 45265)
@@ -22,6 +22,9 @@
   NOTE: In trying to address CVE-2016-7415 for wheezy/lts, I (Roberto C. 
Sanchez)
   have been unable to reproduce the crash as described in the PHP bug report
 --
+libgd2
+  Maintainer proposed debdiff, needs review
+--
 libical
 --
 linux




[Secure-testing-commits] r45266 - data/CVE

2016-10-12 Thread Scott Kitterman
Author: kitterman
Date: 2016-10-12 19:28:14 + (Wed, 12 Oct 2016)
New Revision: 45266

Modified:
   data/CVE/list
Log:
Add fixed version for CVE-2016-7966/kcoreaddons

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 18:48:02 UTC (rev 45265)
+++ data/CVE/list   2016-10-12 19:28:14 UTC (rev 45266)
@@ -2145,7 +2145,7 @@
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
- kdepimlibs 4:4.14.10-6 (bug #840546)
-   - kcoreaddons  (bug #840547)
+   - kcoreaddons 5.26-2 (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
TODO: fix for kdepimlibs for stable - kcoreaddons unstable/testing only
 CVE-2016-7965




[Secure-testing-commits] r45267 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 19:37:58 + (Wed, 12 Oct 2016)
New Revision: 45267

Modified:
   data/CVE/list
Log:
Correct fixing version for CVE-2016-7966/kcoreaddons

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 19:28:14 UTC (rev 45266)
+++ data/CVE/list   2016-10-12 19:37:58 UTC (rev 45267)
@@ -2145,7 +2145,7 @@
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
- kdepimlibs 4:4.14.10-6 (bug #840546)
-   - kcoreaddons 5.26-2 (bug #840547)
+   - kcoreaddons 5.26.0-2 (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
TODO: fix for kdepimlibs for stable - kcoreaddons unstable/testing only
 CVE-2016-7965




[Secure-testing-commits] r45268 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 19:50:06 + (Wed, 12 Oct 2016)
New Revision: 45268

Modified:
   data/CVE/list
Log:
Mark some CVEs as NFU from apsb16-32

https://helpx.adobe.com/security/products/flash-player/apsb16-32.html

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 19:37:58 UTC (rev 45267)
+++ data/CVE/list   2016-10-12 19:50:06 UTC (rev 45268)
@@ -4659,28 +4659,38 @@
RESERVED
 CVE-2016-6992
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6991
RESERVED
 CVE-2016-6990
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6989
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6988
RESERVED
 CVE-2016-6987
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6986
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6985
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6984
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6983
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6982
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6981
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-6980 (Use-after-free vulnerability in Adobe Digital Editions before 
4.5.2 ...)
NOT-FOR-US: Adobe
 CVE-2016-6979
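Review bot: CVE-2016-6991 and CVE-2016-6988 in this hunk stay plain RESERVED while every neighbouring ID gets "NOT-FOR-US: Adobe"; if those two are not listed in apsb16-32 that is fine, otherwise they were skipped and should get the same marker.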
@@ -13898,6 +13908,7 @@
NOT-FOR-US: Adobe Flash
 CVE-2016-4286
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-4285 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x 
before ...)
NOT-FOR-US: Adobe Flash
 CVE-2016-4284 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x 
before ...)
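Review bot: the existing Flash entries in this hunk use the more specific "NOT-FOR-US: Adobe Flash" wording while the added line says only "NOT-FOR-US: Adobe"; using the same wording for the new markers keeps the rationale consistent and greppable.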
@@ -13924,6 +13935,7 @@
NOT-FOR-US: Adobe Flash
 CVE-2016-4273
RESERVED
+   NOT-FOR-US: Adobe
 CVE-2016-4272 (Use-after-free vulnerability in Adobe Flash Player before 
18.0.0.375 ...)
NOT-FOR-US: Adobe Flash
 CVE-2016-4271 (Adobe Flash Player before 18.0.0.375 and 19.x through 23.x 
before ...)




[Secure-testing-commits] r45269 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-12 19:55:40 + (Wed, 12 Oct 2016)
New Revision: 45269

Modified:
   data/CVE/list
Log:
Remove todo item

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 19:50:06 UTC (rev 45268)
+++ data/CVE/list   2016-10-12 19:55:40 UTC (rev 45269)
@@ -2147,7 +2147,6 @@
- kdepimlibs 4:4.14.10-6 (bug #840546)
- kcoreaddons 5.26.0-2 (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
-   TODO: fix for kdepimlibs for stable - kcoreaddons unstable/testing only
 CVE-2016-7965
RESERVED
 CVE-2016-7964




[Secure-testing-commits] r45270 - data/CVE

2016-10-12 Thread security tracker role
Author: sectracker
Date: 2016-10-12 21:10:13 + (Wed, 12 Oct 2016)
New Revision: 45270

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 19:55:40 UTC (rev 45269)
+++ data/CVE/list   2016-10-12 21:10:13 UTC (rev 45270)
@@ -232,6 +232,7 @@
- dwarfutils 
NOTE: CVE Request: 
http://www.openwall.com/lists/oss-security/2016/10/08/13
 CVE-2016-8602 [type confusion]
+   {DSA-3691-1}
- ghostscript  (bug #840451)
NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697203
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=f5c7555c30393e64ec1f5ab0dfae5b55b3b3fc78
@@ -469,6 +470,7 @@
RESERVED
 CVE-2016-7979 [type confusion in .initialize_dsc_parser allows remote code 
execution]
RESERVED
+   {DSA-3691-1}
- ghostscript  (bug #839846)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697190
NOTE: Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697190#c0
@@ -477,6 +479,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/19
 CVE-2016-7978 [reference leak in .setdevice allows use-after-free and remote 
code execution]
RESERVED
+   {DSA-3691-1}
- ghostscript  (bug #839845)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697179
NOTE: Reproducer: http://bugs.ghostscript.com/show_bug.cgi?id=697179#c0
@@ -484,6 +487,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7
 CVE-2016-7977 [.libfile doesn't check PermitFileReading array, allowing remote 
file disclosure]
RESERVED
+   {DSA-3691-1}
- ghostscript  (high; bug #839841)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697169
NOTE: Reproducer: 
http://www.openwall.com/lists/oss-security/2016/09/29/28
@@ -491,6 +495,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/10/05/7
 CVE-2016-7976 [various userparams allow %pipe% in paths, allowing remote shell 
command execution]
RESERVED
+   {DSA-3691-1}
- ghostscript  (high; bug #839260)
NOTE: Upstream bug: http://bugs.ghostscript.com/show_bug.cgi?id=697178
NOTE: Reproducer: 
http://www.openwall.com/lists/oss-security/2016/09/30/8
@@ -82664,6 +82669,7 @@
- serendipity  (Spellcheck plugin not included in 1.5.x)
 CVE-2013-5653 [Ghostscript information disclosure through getenv, 
filenameforall]
RESERVED
+   {DSA-3691-1}
- ghostscript  (low; bug #839118)
NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=694724
NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ab109aaeb3ddba59518b036fb288402a65cf7ce8




[Secure-testing-commits] r45271 - data/CVE

2016-10-12 Thread Scott Kitterman
Author: kitterman
Date: 2016-10-12 21:25:08 + (Wed, 12 Oct 2016)
New Revision: 45271

Modified:
   data/CVE/list
Log:
Add fixed version for jessie for CVE-2016-7966/kdepimlibs

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 21:10:13 UTC (rev 45270)
+++ data/CVE/list   2016-10-12 21:25:08 UTC (rev 45271)
@@ -2150,6 +2150,7 @@
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
- kdepimlibs 4:4.14.10-6 (bug #840546)
+[jessie] - kdepimlibs 4:4.14.2-2+deb8u1
- kcoreaddons 5.26.0-2 (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
 CVE-2016-7965
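Review bot: the jessie fixed version 4:4.14.2-2+deb8u1 is recorded directly in the CVE entry, but no DSA entry references it; a jessie security fix normally enters through data/DSA/list, which then supplies the {DSA-...} cross-reference, so either add the advisory or hold this line until one exists.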




[Secure-testing-commits] r45272 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-13 04:27:13 + (Thu, 13 Oct 2016)
New Revision: 45272

Modified:
   data/CVE/list
Log:
Revert "Add fixed version for jessie for CVE-2016-7966/kdepimlibs"

This reverts commit 587b939c0768480e0261e64453c92755dbac5186.

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-12 21:25:08 UTC (rev 45271)
+++ data/CVE/list   2016-10-13 04:27:13 UTC (rev 45272)
@@ -2150,7 +2150,6 @@
 CVE-2016-7966 [KMail: HTML injection in plain text viewer]
RESERVED
- kdepimlibs 4:4.14.10-6 (bug #840546)
-[jessie] - kdepimlibs 4:4.14.2-2+deb8u1
- kcoreaddons 5.26.0-2 (bug #840547)
NOTE: https://www.kde.org/info/security/advisory-20161006-1.txt
 CVE-2016-7965




[Secure-testing-commits] r45273 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-13 06:12:29 + (Thu, 13 Oct 2016)
New Revision: 45273

Modified:
   data/CVE/list
Log:
Add CVE-2016-7075

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-13 04:27:13 UTC (rev 45272)
+++ data/CVE/list   2016-10-13 06:12:29 UTC (rev 45273)
@@ -4474,6 +4474,9 @@
RESERVED
 CVE-2016-7075
RESERVED
+   - kubernetes  (bug #795652)
+   NOTE: https://github.com/kubernetes/kubernetes/issues/34517
+   NOTE: kubernetes entered experimental only so far
 CVE-2016-7074
RESERVED
 CVE-2016-7073
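Review bot: bug #795652 is far older than the bugs filed against the other entries on this date (#8405xx), so it looks like the package's packaging (ITP) bug rather than a report for this CVE; confirm which it is, and if it is the former, file a CVE-specific bug against the experimental package, since the NOTE already records that kubernetes is only in experimental.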




[Secure-testing-commits] r45274 - data/CVE

2016-10-12 Thread Salvatore Bonaccorso
Author: carnil
Date: 2016-10-13 06:13:42 + (Thu, 13 Oct 2016)
New Revision: 45274

Modified:
   data/CVE/list
Log:
Add CVE-2016-4459

Modified: data/CVE/list
===
--- data/CVE/list   2016-10-13 06:12:29 UTC (rev 45273)
+++ data/CVE/list   2016-10-13 06:13:42 UTC (rev 45274)
@@ -13421,6 +13421,7 @@
RESERVED
 CVE-2016-4459
RESERVED
+   - libapache2-mod-cluster  (bug #731410)
 CVE-2016-4458
RESERVED
 CVE-2016-4457
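Review bot: bug #731410 predates the other bug references in this batch by a wide margin; confirm it is a bug for this CVE and not the package's ITP, and add a NOTE on the package's current status in the archive so the entry is self-explanatory.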

