[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Two CVEs newly rejected
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e086ed1 by Salvatore Bonaccorso at 2018-01-26T08:00:14+01:00 Two CVEs newly rejected DWF project has further retired CVE-2017-1000468 and CVE-2017-1000464 since further analysis did show there wasn't a security issue in those cases. Remove the todo after checking. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2,10 +2,8 @@ CVE-2017-1000505 (In Jenkins Script Security Plugin version 1.36 and earlier, us NOT-FOR-US: Jenkins Script Security Plugin CVE-2017-1000468 REJECTED - TODO: check CVE-2017-1000464 REJECTED - TODO: check CVE-2017-1000414 (ImpulseAdventure JPEGsnoop version 1.7.5 is vulnerable to a division ...) TODO: check CVE-2018-6312 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5e086ed1df8775902859321c00f1020ee024a81d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Starting from 0.69+repack-1 libyaml-libyaml-perl uses system libyaml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 835c0445 by Salvatore Bonaccorso at 2018-01-26T08:34:44+01:00 Starting from 0.69+repack-1 libyaml-libyaml-perl uses system libyaml - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = --- a/data/embedded-code-copies +++ b/data/embedded-code-copies @@ -2922,7 +2922,7 @@ eigen3 - r-cran-rcppeigen (modified-embed; bug #729716) libyaml - - libyaml-libyaml-perl (embed; bug #664224) + - libyaml-libyaml-perl 0.69+repack-1 (embed; bug #664224) liblivemedia - vlc (static) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/835c044528a1bbbc3f0d2cc5bbfc228aed763362
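Review bot: The changed libyaml line keeps the "embed" qualifier and bug #664224 while adding 0.69+repack-1 as the version from which the system library is used, so the entry does not say anything about suites that still ship an older libyaml-libyaml-perl. Those builds still carry the embedded copy and have to be considered for every libyaml CVE; a short note under the entry naming the suites that remain below 0.69+repack-1 would make that explicit.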
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5750/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e779a79a by Salvatore Bonaccorso at 2018-01-26T08:44:47+01:00 Add CVE-2018-5750/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1417,8 +1417,10 @@ CVE-2017-18034 RESERVED CVE-2017-18033 (The Jira-importers-plugin in Atlassian Jira before version 7.6.1 ...) NOT-FOR-US: Jira-importers-plugin in Atlassian Jira -CVE-2018-5750 +CVE-2018-5750 [ACPI: sbshc: remove raw pointer from printk message] RESERVED + - linux + NOTE: https://patchwork.kernel.org/patch/10174835/ CVE-2018-5749 (install.php in Minecraft Servers List Lite before commit c1cd164 and ...) NOT-FOR-US: Minecraft Servers List Lite CVE-2018-5748 (qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e779a79ab8e543be7ad826dc0f9c27fda5e6bafc
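Review bot: The only reference added for CVE-2018-5750 is the patchwork submission (patch/10174835), which identifies a proposed patch rather than a commit in a kernel tree. Once the change is merged, add the upstream commit as a further NOTE so the fixed linux version can be determined from the entry itself.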
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62449d22 by Salvatore Bonaccorso at 2018-01-26T07:59:28+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,5 +1,5 @@ CVE-2017-1000505 (In Jenkins Script Security Plugin version 1.36 and earlier, users with ...) - TODO: check + NOT-FOR-US: Jenkins Script Security Plugin CVE-2017-1000468 REJECTED TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62449d22974210df29a4a4d743e462eddd0dce71
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] jackson-databind issues fixed in unstable with 2.9.4 new upstream version
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d57e3cd9 by Salvatore Bonaccorso at 2018-01-26T07:20:29+01:00 jackson-databind issues fixed in unstable with 2.9.4 new upstream version - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -895,7 +895,7 @@ CVE-2018-5970 CVE-2018-5969 (Cross Site Request Forgery (CSRF) exists in Photography CMS 1.0 via ...) NOT-FOR-US: Photography CMS CVE-2018-5968 (FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 ...) - - jackson-databind (bug #888316) + - jackson-databind 2.9.4-1 (bug #888316) NOTE: https://github.com/FasterXML/jackson-databind/issues/1899 NOTE: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 CVE-2018-5967 (Netis WF2419 V2.2.36123 devices allow XSS via the Description parameter ...) @@ -12539,7 +12539,7 @@ CVE-2017-17487 CVE-2017-17486 RESERVED CVE-2017-17485 (FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 ...) - - jackson-databind (bug #888318) + - jackson-databind 2.9.4-1 (bug #888318) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0 NOTE: https://github.com/FasterXML/jackson-databind/issues/1855 CVE-2017-17484 (The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d57e3cd92b7c8a897c8f358edae7fe2d9328280d
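Review bot: In the second hunk, CVE-2017-17485 is marked fixed in 2.9.4-1 but its notes list only the Red Hat bug and upstream issue #1855, whereas CVE-2018-5968 in the first hunk also records the fixing commit. Adding the upstream commit for CVE-2017-17485 as a NOTE would let a reviewer confirm that 2.9.4 actually contains it.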
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add thunderbird to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4875ff1 by Salvatore Bonaccorso at 2018-01-26T08:55:52+01:00 Add thunderbird to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -68,6 +68,8 @@ sqlite3/oldstable -- sssd/stable -- +thunderbird +-- tiff (jmm) gcs proposed debdiffs for jessie and stretch: need review+ack -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4875ff188aa8b5c2f1fc62638c1d5d0d12161c5
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] lts: add and claim thunderbird
Guido Günther pushed to branch master at Debian Security Tracker / security-tracker Commits: 0dfe3a67 by Guido Günther at 2018-01-26T08:47:39+01:00 lts: add and claim thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -55,6 +55,8 @@ swftools (Guido Günther) NOTE: 20171118: At least CVE-2017-16797 is present. (lamby) NOTE: 20171210: likely to be turned into a pkg with limited sec support -- +thunderbird (Guido Günther) +-- tiff (Roberto C. Sánchez) -- tiff3 (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0dfe3a6753af600a112533f0687f6edec5d0ffa5
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add thunderbird CVEs from mfsa2018-04
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f7ac3e6 by Salvatore Bonaccorso at 2018-01-26T08:54:43+01:00 Add thunderbird CVEs from mfsa2018-04 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2937,8 +2937,10 @@ CVE-2018-5117 {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5117 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5117 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5117 CVE-2018-5116 RESERVED - firefox 58.0-1 @@ -2992,22 +2994,28 @@ CVE-2018-5104 {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5104 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5104 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5104 CVE-2018-5103 RESERVED {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5103 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5103 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5103 CVE-2018-5102 RESERVED {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5102 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5102 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5102 CVE-2018-5101 RESERVED - firefox 58.0-1 
@@ -3021,35 +3029,45 @@ CVE-2018-5099 {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5099 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5099 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5099 CVE-2018-5098 RESERVED {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5098 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5098 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5098 CVE-2018-5097 RESERVED {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5097 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5097 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5097 CVE-2018-5096 RESERVED {DSA-4096-1 DLA-1256-1} - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5096 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5096 CVE-2018-5095 RESERVED {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird - skia (bug #818180) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5095 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5095 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5095 CVE-2018-5094 RESERVED - firefox 58.0-1 
@@ -3078,8 +3096,10 @@ CVE-2018-5089 {DSA-4096-1 DLA-1256-1} - firefox 58.0-1 - firefox-esr 52.6.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/#CVE-2018-5089 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-03/#CVE-2018-5089 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/#CVE-2018-5089 CVE-2018-5088 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) NOT-FOR-US: K7 AntiVirus CVE-2018-5087 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows local ...) View it on GitLab:
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: add dovecot and prevent upload
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: b6fc3782 by Thorsten Alteholz at 2018-01-26T08:49:00+01:00 add dovecot and prevent upload - - - - - af1f950e by Thorsten Alteholz at 2018-01-26T08:49:29+01:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -12,6 +12,11 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- curl (Thorsten Alteholz) -- +dovecot (Thorsten Alteholz) + NOTE: after applying the patch, login segfaults + NOTE: maintainer and security team are looking into this + NOTE: probably no-dsa +-- exiv2 (Brian May) NOTE: 20180101: built wheezy version with ASAN in jessie and confirmed that CVE-2017-17669 applies to wheezy version -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/a11c5719df3244497002a9567df4369e16496da7...af1f950ed11bc924f0e3ec8bad936c24197bea21
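Review bot: The three NOTE lines added under dovecot carry no date, unlike the exiv2 note directly below them ("NOTE: 20180101: ..."), so a later reader cannot tell how current "maintainer and security team are looking into this" is. Prefix each note with the date, and name the CVE or patch whose application makes login segfault, since "the patch" is not identified anywhere in the entry.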
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] follow security team with no-dsa for dnsmasq
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 72fc365f by Thorsten Alteholz at 2018-01-26T08:54:48+01:00 follow security team with no-dsa for dnsmasq - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22176,6 +22176,7 @@ CVE-2017-15107 (A vulnerability was found in the implementation of DNSSEC in Dns - dnsmasq (bug #888200) [stretch] - dnsmasq (Minor issue) [jessie] - dnsmasq (Minor issue) + [wheezy] - dnsmasq (Minor issue) NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6 CVE-2017-15106 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/72fc365fc55621af0f6b053ab7d824b54cefdb70
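Review bot: The new "[wheezy]" line reuses the "Minor issue" reason from the stretch and jessie lines without anything specific to wheezy. The CVE concerns the DNSSEC implementation, so it is worth confirming that wheezy's dnsmasq ships that code at all; if it does not, not-affected would describe the suite more accurately than a copied triage reason.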
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add note for dovecot, holding back yet
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a11c5719 by Salvatore Bonaccorso at 2018-01-26T08:49:44+01:00 Add note for dovecot, holding back yet - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -19,6 +19,7 @@ chromium-browser/stable curl (ghedo) -- dovecot (carnil) + holding back upload due to possible regression -- graphicsmagick -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a11c5719df3244497002a9567df4369e16496da7
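Review bot: The added line "holding back upload due to possible regression" gives no pointer to the regression itself. Reference the bug report or thread where it is being investigated, so that whoever picks up dovecot next knows what has to be resolved before the upload can go ahead.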
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-15703, mark as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58923432 by Salvatore Bonaccorso at 2018-01-25T21:15:04+01:00 Add CVE-2017-15703, mark as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20386,6 +20386,7 @@ CVE-2017-15704 REJECTED CVE-2017-15703 RESERVED + NOT-FOR-US: Apache NiFi CVE-2017-15702 (In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured ...) - qpid-java (bug #840131) CVE-2017-15701 (In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/58923432d7f3447c48242176c8f2381f34023369
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Track jessie-pu proposal for nvidia-graphics-drivers, #887559
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22f19d25 by Salvatore Bonaccorso at 2018-01-25T21:19:23+01:00 Track jessie-pu proposal for nvidia-graphics-drivers, #887559 - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = --- a/data/next-oldstable-point-update.txt +++ b/data/next-oldstable-point-update.txt @@ -61,3 +61,9 @@ CVE-2017-15602 [jessie] - libextractor 1:1.3-2+deb8u1 CVE-2017-15922 [jessie] - libextractor 1:1.3-2+deb8u1 +CVE-2017-5715 + [jessie] - nvidia-graphics-drivers 340.106-1 +CVE-2017-5753 + [jessie] - nvidia-graphics-drivers 340.106-1 +CVE-2017-5754 + [jessie] - nvidia-graphics-drivers 340.106-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/22f19d250d17fb4863a832604ee18095c3b4e22c
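Review bot: All three added entries (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) give the same fixed version 340.106-1, and the file records no source for that mapping. Confirm in the pu request (#887559) that this driver release addresses each of the three individually, and list only the CVEs it does.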
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-15134: #888452
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e957a4ee by Salvatore Bonaccorso at 2018-01-25T21:49:36+01:00 Add bug reference for CVE-2017-15134: #888452 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22011,7 +22011,7 @@ CVE-2017-15135 (It was found that 389-ds-base since 1.3.6.1 up to and including - 389-ds-base (bug #888451) CVE-2017-15134 [Remote DoS via search filters in slapi_filter_sprintf in slapd/util.c] RESERVED - - 389-ds-base + - 389-ds-base (bug #888452) CVE-2017-15133 RESERVED CVE-2017-15132 [dovecot: auth client leaks memory if SASL authentication is aborted] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e957a4eefccb54b8d46c98dcecef308f058734a7
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add reference for CVE-2017-17858/mupdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3c1256f by Salvatore Bonaccorso at 2018-01-25T21:54:21+01:00 Add reference for CVE-2017-17858/mupdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -6753,6 +6753,7 @@ CVE-2017-17858 (Heap-based buffer overflow in the ensure_solid_xref function in - mupdf NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698819 (not public) NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731 + NOTE: https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md CVE-2017-17851 RESERVED CVE-2017-17850 (An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3c1256fe86ee8b7dd7c38c93af153ceb494f8a1
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update CVE-2018-1000016 information
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 021fae20 by Salvatore Bonaccorso at 2018-01-25T22:01:05+01:00 Update CVE-2018-1000016 information Turns out that this was a duplicate assigned for the already assigned CVE-2017-17383. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -670,8 +670,8 @@ CVE-2018-6031 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6030 RESERVED -CVE-2018-116 (Jenkins Ant Plugin 1.7 and earlier failed to escape tool names it ...) - NOT-FOR-US: Jenkins plugin +CVE-2018-116 + REJECTED CVE-2018-115 (On Jenkins instances with Authorize Project plugin, the authentication ...) NOT-FOR-US: Jenkins plugin CVE-2018-114 (Jenkins Translation Assistance Plugin 1.15 and earlier did not require ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/021fae200e1a795e1ee81319aa4d6b497dcf4729
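Review bot: The commit message explains that the rejected CVE was a duplicate of CVE-2017-17383, but the entry after this hunk is reduced to a bare REJECTED, so that relationship exists only in the commit log. A NOTE naming CVE-2017-17383 under the rejected entry would keep the cross-reference in data/CVE/list, where someone searching for the Jenkins Ant Plugin issue will look.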
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bcd2e22 by security tracker role at 2018-01-25T21:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,13 @@ +CVE-2017-1000505 (In Jenkins Script Security Plugin version 1.36 and earlier, users with ...) + TODO: check +CVE-2017-1000468 + REJECTED + TODO: check +CVE-2017-1000464 + REJECTED + TODO: check +CVE-2017-1000414 (ImpulseAdventure JPEGsnoop version 1.7.5 is vulnerable to a division ...) + TODO: check CVE-2018-6312 RESERVED CVE-2018-6311 @@ -817,8 +827,8 @@ CVE-2018-5999 (An issue was discovered in AsusWRT before 3.0.0.4.384_10007. In t NOT-FOR-US: AsusWRT CVE-2018-5998 RESERVED -CVE-2018-5997 - RESERVED +CVE-2018-5997 (An issue was discovered in the HTTP Server in RAVPower Filehub ...) + TODO: check CVE-2018-107 (libcurl 7.1 through 7.57.0 might accidentally leak authentication data ...) - curl 7.58.0-1 NOTE: https://curl.haxx.se/docs/adv_2018-b3bf.html @@ -873,8 +883,8 @@ CVE-2018-5975 RESERVED CVE-2018-5974 RESERVED -CVE-2018-5973 - RESERVED +CVE-2018-5973 (SQL Injection exists in Professional Local Directory Script 1.0 via ...) + TODO: check CVE-2018-5972 (SQL Injection exists in Classified Ads CMS Quickad 4.0 via the ...) NOT-FOR-US: Classified Ads CMS Quickad CVE-2018-5971 
@@ -891,12 +901,12 @@ CVE-2018-5967 (Netis WF2419 V2.2.36123 devices allow XSS via the Description par NOT-FOR-US: Netis WF2419 V2.2.36123 devices CVE-2018-5966 RESERVED -CVE-2018-5965 - RESERVED -CVE-2018-5964 - RESERVED -CVE-2018-5963 - RESERVED +CVE-2018-5965 (CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via ...) + TODO: check +CVE-2018-5964 (CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/moduleinterface.php via ...) + TODO: check +CVE-2018-5963 (CMS Made Simple (CMSMS) 2.2.5 has XSS in admin/addbookmark.php via the ...) + TODO: check CVE-2018-5962 (index.php in CentOS-WebPanel.com (aka CWP) CentOS Web Panel through ...) NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2018-5961 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel through v0.9.8.12 has ...) @@ -923,8 +933,8 @@ CVE-2016-10708 (sshd in OpenSSH before 7.4 allows remote attackers to cause a de - openssh 1:7.4p1-1 NOTE: https://anongit.mindrot.org/openssh.git/commit/?id=28652bca29046f62c7045e933e6b931de1d16737 NOTE: http://blog.swiecki.net/2018/01/fuzzing-tcp-servers.html -CVE-2018-5954 - RESERVED +CVE-2018-5954 (phpFreeChat 1.7 and earlier allows remote attackers to cause a denial ...) + TODO: check CVE-2018-5953 RESERVED CVE-2018-5952 @@ -1412,8 +1422,7 @@ CVE-2018-5750 RESERVED CVE-2018-5749 (install.php in Minecraft Servers List Lite before commit c1cd164 and ...) NOT-FOR-US: Minecraft Servers List Lite -CVE-2018-5748 [resource exhaustion via qemuMonitorIORead() method] - RESERVED +CVE-2018-5748 (qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of ...) - libvirt 4.0.0-1 (bug #887700) [stretch] - libvirt (Minor issue) [jessie] - libvirt (Minor issue) 
@@ -3671,12 +3680,12 @@ CVE-2018-4839 RESERVED CVE-2018-4838 RESERVED -CVE-2018-4837 - RESERVED -CVE-2018-4836 - RESERVED -CVE-2018-4835 - RESERVED +CVE-2018-4837 (A vulnerability has been identified in TeleControl Server Basic ...) + TODO: check +CVE-2018-4836 (A vulnerability has been identified in TeleControl Server Basic ...) + TODO: check +CVE-2018-4835 (A vulnerability has been identified in TeleControl Server Basic ...) + TODO: check CVE-2018-4834 (A vulnerability has been identified in Desigo Automation Controllers ...) NOT-FOR-US: Desigo CVE-2018-4833 @@ -5773,7 +5782,7 @@ CVE-2017-1000458 (Bro before Bro v2.5.2 is vulnerable to an out of bounds write CVE-2017-1000457 (Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal ...) NOT-FOR-US: mojoPortal CVE-2017-1000456 (freedesktop.org libpoppler 0.60.1 fails to validate boundaries in ...) - {DLA-1228-1} + {DSA-4097-1 DLA-1228-1} - poppler 0.61.1-2 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103116 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=7ee9dadef37b20bca707a6b1e858e17d191e368b @@ -13426,8 +13435,8 @@ CVE-2018-1053 RESERVED CVE-2018-1052 RESERVED -CVE-2018-1051 - RESERVED +CVE-2018-1051 (It was found that the fix for CVE-2016-9606 in versions 3.0.22 and ...) + TODO: check CVE-2018-1050 RESERVED CVE-2018-1049 [automount: access to
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: follow security team with no-dsa for irssi
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 64b06266 by Thorsten Alteholz at 2018-01-25T22:19:19+01:00 follow security team with no-dsa for irssi - - - - - 305de372 by Thorsten Alteholz at 2018-01-25T22:20:00+01:00 follow security team with no-dsa for non-free p7zip-rar - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -838,6 +838,7 @@ CVE-2018-5996 [Memory Corruptions via RAR PPMd] - p7zip-rar (bug #888314) [stretch] - p7zip-rar (Non-free not supported) [jessie] - p7zip-rar (Non-free not supported) + [wheezy] - p7zip-rar (Non-free not supported) NOTE: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/ CVE-2018-5995 RESERVED 
@@ -2725,24 +2726,28 @@ CVE-2018-5208 (In Irssi before 1.0.6, a calculation error in the completion code - irssi (bug #886475) [stretch] - irssi (Minor issue) [jessie] - irssi (Minor issue) + [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5207 (When using an incomplete variable argument, Irssi before 1.0.6 may ...) - irssi (bug #886475) [stretch] - irssi (Minor issue) [jessie] - irssi (Minor issue) + [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5206 (When the channel topic is set without specifying a sender, Irssi before ...) - irssi (bug #886475) [stretch] - irssi (Minor issue) [jessie] - irssi (Minor issue) + [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5205 (When using incomplete escape codes, Irssi before 1.0.6 may access data ...) - irssi (bug #886475) [stretch] - irssi (Minor issue) [jessie] - irssi (Minor issue) + [wheezy] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5204 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4bcd2e221f60a7ffd8fa43abc8fc052b345bdc6a...305de3729c58e24206a7a57f6254acc270daf622
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update information for CVE-2017-17858/mupdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a4a65c3 by Salvatore Bonaccorso at 2018-01-26T00:03:29+01:00 Update information for CVE-2017-17858/mupdf To reviewers: double check this update since the http://git.ghostscript.com/?p=mupdf.git;a=commit;h=f595e889b91a674eb94db7ca4d832da54f5194cd is involving and I might have missed something which makes the issue only be covered before. Before that change though the offsets are already checked if they are out of range, ofs of type fz_off_t. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -6764,9 +6764,11 @@ CVE-2017-17860 (In Samsung Gear products, Bluetooth link key is updated to the . CVE-2017-17859 (Samsung Internet Browser 6.2.01.12 allows remote attackers to bypass ...) NOT-FOR-US: Samsung Internet Browser CVE-2017-17858 (Heap-based buffer overflow in the ensure_solid_xref function in ...) - - mupdf + - mupdf (Vulnerable code introduced in 1.11.1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698819 (not public) - NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731 + NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731 + NOTE: Commit http://git.ghostscript.com/?p=mupdf.git;a=commit;h=f595e889b91a674eb94db7ca4d832da54f5194cd + NOTE: switches to use int64_t for public file API offsets and introduced the flaw. NOTE: https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md CVE-2017-17851 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a4a65c33f5e2b6bf8ba67c22b0dde0357975821 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a4a65c33f5e2b6bf8ba67c22b0dde0357975821 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
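Review bot: the added NOTE pair under CVE-2017-17858 states as fact that commit f595e889b91a674eb94db7ca4d832da54f5194cd "introduced the flaw", and the package line now carries "Vulnerable code introduced in 1.11.1", while the commit message itself asks for a second look at that conclusion. Until it is confirmed, word the NOTE as an assessment and record the reasoning from the commit message (offsets were already range-checked while ofs was of type fz_off_t), so that nobody marks older releases as not affected on the strength of this line alone.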
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-6187: #888464
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2079a449 by Salvatore Bonaccorso at 2018-01-26T00:22:32+01:00 Add bug reference for CVE-2018-6187: #888464 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -281,7 +281,7 @@ CVE-2018-6189 CVE-2018-6188 RESERVED CVE-2018-6187 (In Artifex MuPDF 1.12.0, there is a heap-based buffer overflow ...) - - mupdf + - mupdf (bug #888464) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698908 CVE-2018-6186 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2079a4494c96edc278cad6b79c48c23414a09c45 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2079a4494c96edc278cad6b79c48c23414a09c45 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] irssi no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d9ac92b by Moritz Muehlenhoff at 2018-01-25T16:22:26+01:00 irssi no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -2712,18 +2712,26 @@ CVE-2018-5209 RESERVED CVE-2018-5208 (In Irssi before 1.0.6, a calculation error in the completion code could ...) - irssi (bug #886475) + [stretch] - irssi (Minor issue) + [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5207 (When using an incomplete variable argument, Irssi before 1.0.6 may ...) - irssi (bug #886475) + [stretch] - irssi (Minor issue) + [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5206 (When the channel topic is set without specifying a sender, Irssi before ...) - irssi (bug #886475) + [stretch] - irssi (Minor issue) + [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5205 (When using incomplete escape codes, Irssi before 1.0.6 may access data ...) - irssi (bug #886475) + [stretch] - irssi (Minor issue) + [jessie] - irssi (Minor issue) NOTE: https://irssi.org/security/irssi_sa_2018_01.txt NOTE: https://github.com/irssi/irssi/releases/download/1.0.6/irssi-1.0.5_1.0.6.diff CVE-2018-5204 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d9ac92b05369e580174c75691628f7e3c8f482d --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d9ac92b05369e580174c75691628f7e3c8f482d You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] p7zip-rar no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b7afbd3 by Moritz Muehlenhoff at 2018-01-25T16:32:42+01:00 p7zip-rar no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -826,6 +826,8 @@ CVE-2018-107 (libcurl 7.1 through 7.57.0 might accidentally leak authenticat CVE-2018-5996 [Memory Corruptions via RAR PPMd] RESERVED - p7zip-rar (bug #888314) + [stretch] - p7zip-rar (Non-free not supported) + [jessie] - p7zip-rar (Non-free not supported) NOTE: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/ CVE-2018-5995 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b7afbd31f25679ee24b0973c4ec6e1c1e02b7d1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0b7afbd31f25679ee24b0973c4ec6e1c1e02b7d1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] poppler DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ffe1c712 by Moritz Muehlenhoff at 2018-01-25T13:19:45+01:00 poppler DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22776,6 +22776,8 @@ CVE-2017-14930 (Memory leak in decode_line_info in dwarf2.c in the Binary File . NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a26a013f22a19e2c16729e64f40ef8a7dfcc086e CVE-2017-14929 (In Poppler 0.59.0, memory corruption occurs in a call to ...) - poppler 0.61.1-2 (bug #877222) + [stretch] - poppler 0.48.0-2+deb9u2 + [jessie] - poppler (Minor impact, too intrusive to backport) [wheezy] - poppler (unreproducible, requires API change which appears to be too intrusive in this case.) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102969 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=2c92c7b6a828c9db8a38f079ea7a3d51c12a481d = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[25 Jan 2018] DSA-4097-1 poppler - security update + {CVE-2017-1000456} + [jessie] - poppler 0.26.5-2+deb8u3 + [stretch] - poppler 0.48.0-2+deb9u2 [25 Jan 2018] DSA-4096-1 firefox-esr - security update {CVE-2018-5089 CVE-2018-5091 CVE-2018-5095 CVE-2018-5096 CVE-2018-5097 CVE-2018-5098 CVE-2018-5099 CVE-2018-5102 CVE-2018-5103 CVE-2018-5104 CVE-2018-5117} [jessie] - firefox-esr 52.6.0esr-1~deb8u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt 
@@ -46,9 +46,6 @@ phpmyadmin/oldstable -- pjproject -- -poppler - For regression introduced in DSA-4079: #886733 --- qemu/oldstable -- redmine View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ffe1c712a15f7330ce0401ba7959d11b27720957 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ffe1c712a15f7330ce0401ba7959d11b27720957 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
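Review bot: in the data/DSA/list hunk, DSA-4097-1 names only CVE-2017-1000456 in its brace list, while the data/CVE/list hunk records the same stretch upload, 0.48.0-2+deb9u2, as the fix for CVE-2017-14929. If CVE-2017-14929 is kept out of the braces because jessie stays unfixed ("Minor impact, too intrusive to backport"), add a NOTE to that entry saying the stretch fix shipped with DSA-4097-1; otherwise the advisory and the CVE entry are hard to connect. The data/dsa-needed.txt hunk also drops the poppler item for the regression from DSA-4079 (#886733) without any line in the patch tying that bug to the new versions; a reference in the commit message or a NOTE would close the loop.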
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add new dovecot issue (CVE-2017-15132)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3e58713 by Salvatore Bonaccorso at 2018-01-25T13:24:37+01:00 Add new dovecot issue (CVE-2017-15132) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -21929,8 +21929,11 @@ CVE-2017-15134 [Remote DoS via search filters in slapi_filter_sprintf in slapd/u - 389-ds-base CVE-2017-15133 RESERVED -CVE-2017-15132 +CVE-2017-15132 [dovecot: auth client leaks memory if SASL authentication is aborted] RESERVED + - dovecot + NOTE: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch + NOTE: http://www.openwall.com/lists/oss-security/2018/01/25/4 CVE-2017-15131 (It was found that system umask policy is not being honored when ...) - xdg-user-dirs (unimportant) NOTE: The CVE relates that created directories by xdg-user-dirs might not View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3e5871353507402edfb1514759546a41895cf5c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e3e5871353507402edfb1514759546a41895cf5c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
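Review bot: the first added NOTE under CVE-2017-15132 links the raw `.patch` rendering of the upstream dovecot commit rather than the commit page. Link the commit page, as the upstream-commit NOTEs for w3m and jackson-databind elsewhere in this file do, so the NOTE opens as a reviewable page. The new `- dovecot` line also has no bug reference yet; add one once a Debian bug is filed.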
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update dla-needed entry for lame
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: dc08a19a by Hugo Lefeuvre at 2018-01-25T10:01:19+01:00 Update dla-needed entry for lame - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -24,7 +24,8 @@ isc-dhcp (Thorsten Alteholz) -- lame (Hugo Lefeuvre) NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46} - NOTE: 20180118: Fabian showed interest in porting lame to libsndfile, but probably didn't have time until now. Just pinged him. + NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie. + NOTE: I'll test it, submit the update for Jessie and backport the result to Wheezy on time. -- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc08a19a873d98d046a7cf69866655b0dc410801 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc08a19a873d98d046a7cf69866655b0dc410801 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8c5dfb1 by security tracker role at 2018-01-25T09:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,14 +1,262 @@ -CVE-2018-6198 [insecure temporary files creation when ~/.w3m is unwritable] +CVE-2018-6312 + RESERVED +CVE-2018-6311 + RESERVED +CVE-2018-6310 + RESERVED +CVE-2018-6309 + RESERVED +CVE-2018-6308 (Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and ...) + TODO: check +CVE-2018-6307 + RESERVED +CVE-2018-6306 + RESERVED +CVE-2018-6305 + RESERVED +CVE-2018-6304 + RESERVED +CVE-2018-6303 + RESERVED +CVE-2018-6302 + RESERVED +CVE-2018-6301 + RESERVED +CVE-2018-6300 + RESERVED +CVE-2018-6299 + RESERVED +CVE-2018-6298 + RESERVED +CVE-2018-6297 + RESERVED +CVE-2018-6296 + RESERVED +CVE-2018-6295 + RESERVED +CVE-2018-6294 + RESERVED +CVE-2018-6293 + RESERVED +CVE-2018-6292 + RESERVED +CVE-2018-6291 + RESERVED +CVE-2018-6290 + RESERVED +CVE-2018-6289 + RESERVED +CVE-2018-6288 + RESERVED +CVE-2018-6287 + RESERVED +CVE-2018-6286 + RESERVED +CVE-2018-6285 + RESERVED +CVE-2018-6284 + RESERVED +CVE-2018-6283 + RESERVED +CVE-2018-6282 + RESERVED +CVE-2018-6281 + RESERVED +CVE-2018-6280 + RESERVED +CVE-2018-6279 + RESERVED +CVE-2018-6278 + RESERVED +CVE-2018-6277 + RESERVED +CVE-2018-6276 + RESERVED +CVE-2018-6275 + RESERVED +CVE-2018-6274 + RESERVED +CVE-2018-6273 + RESERVED +CVE-2018-6272 + RESERVED +CVE-2018-6271 + RESERVED +CVE-2018-6270 + RESERVED +CVE-2018-6269 + RESERVED +CVE-2018-6268 + RESERVED +CVE-2018-6267 + RESERVED +CVE-2018-6266 + RESERVED +CVE-2018-6265 + RESERVED +CVE-2018-6264 + RESERVED +CVE-2018-6263 + RESERVED +CVE-2018-6262 + RESERVED +CVE-2018-6261 + RESERVED +CVE-2018-6260 + RESERVED +CVE-2018-6259 + RESERVED +CVE-2018-6258 + RESERVED +CVE-2018-6257 + RESERVED +CVE-2018-6256 + RESERVED +CVE-2018-6255 + RESERVED +CVE-2018-6254 + RESERVED +CVE-2018-6253 + RESERVED +CVE-2018-6252 + RESERVED +CVE-2018-6251 + RESERVED +CVE-2018-6250 + RESERVED +CVE-2018-6249 + RESERVED +CVE-2018-6248 + RESERVED +CVE-2018-6247 + RESERVED +CVE-2018-6246 + RESERVED +CVE-2018-6245 + RESERVED +CVE-2018-6244 + RESERVED +CVE-2018-6243 + RESERVED 
+CVE-2018-6242 + RESERVED +CVE-2018-6241 + RESERVED +CVE-2018-6240 + RESERVED +CVE-2018-6239 + RESERVED +CVE-2018-6238 + RESERVED +CVE-2018-6237 + RESERVED +CVE-2018-6236 + RESERVED +CVE-2018-6235 + RESERVED +CVE-2018-6234 + RESERVED +CVE-2018-6233 + RESERVED +CVE-2018-6232 + RESERVED +CVE-2018-6231 + RESERVED +CVE-2018-6230 + RESERVED +CVE-2018-6229 + RESERVED +CVE-2018-6228 + RESERVED +CVE-2018-6227 + RESERVED +CVE-2018-6226 + RESERVED +CVE-2018-6225 + RESERVED +CVE-2018-6224 + RESERVED +CVE-2018-6223 + RESERVED +CVE-2018-6222 + RESERVED +CVE-2018-6221 + RESERVED +CVE-2018-6220 + RESERVED +CVE-2018-6219 + RESERVED +CVE-2018-6218 + RESERVED +CVE-2018-6217 (The WStr::_alloc_iostr_data() function in kso.dll in Kingsoft WPS ...) + TODO: check +CVE-2018-6216 + RESERVED +CVE-2018-6215 + RESERVED +CVE-2018-6214 + RESERVED +CVE-2018-6213 + RESERVED +CVE-2018-6212 + RESERVED +CVE-2018-6211 + RESERVED +CVE-2018-6210 + RESERVED +CVE-2018-6209 (In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxCryptMon.sys) ...) + TODO: check +CVE-2018-6208 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) + TODO: check +CVE-2018-6207 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) + TODO: check +CVE-2018-6206 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) + TODO: check +CVE-2018-6205 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) + TODO: check +CVE-2018-6204 (In Max Secure Anti Virus 19.0.3.019,, the driver file (SDActMon.sys) ...) + TODO: check +CVE-2018-6203 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) ...) + TODO: check +CVE-2018-6202 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) ...) + TODO: check +CVE-2018-6201 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) ...) + TODO: check +CVE-2018-6200 (vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the ...) + TODO: check +CVE-2018-6199 + RESERVED
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: follow security with no-dsa for isc-dhcp
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 15c8e95c by Thorsten Alteholz at 2018-01-25T11:13:11+01:00 follow security with no-dsa for isc-dhcp - - - - - d0025168 by Thorsten Alteholz at 2018-01-25T11:13:47+01:00 no-dsa for isc-dhcp - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -58905,6 +58905,7 @@ CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty messa - isc-dhcp (bug #887413) [stretch] - isc-dhcp (Minor issue) [jessie] - isc-dhcp (Minor issue) + [wheezy] - isc-dhcp (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic updates] = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -20,8 +20,6 @@ icu -- irssi (Emilio Pozuelo) -- -isc-dhcp (Thorsten Alteholz) --- lame (Hugo Lefeuvre) NOTE: Couldn't reproduce CVE-2017-{69-72}, but successfully reproduced CVE-2017-150{18,45,46} NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c5e428fbc9fd0db0cc94358a9be87b5001f51f63...d0025168fac79aa3806dc83da486f4e4fbb2de84 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c5e428fbc9fd0db0cc94358a9be87b5001f51f63...d0025168fac79aa3806dc83da486f4e4fbb2de84 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dc06687 by Salvatore Bonaccorso at 2018-01-25T10:20:43+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -7,7 +7,7 @@ CVE-2018-6310 CVE-2018-6309 RESERVED CVE-2018-6308 (Multiple SQL injections exist in SugarCRM Community Edition 6.5.26 and ...) - TODO: check + NOT-FOR-US: SugarCRM CVE-2018-6307 RESERVED CVE-2018-6306 @@ -189,7 +189,7 @@ CVE-2018-6219 CVE-2018-6218 RESERVED CVE-2018-6217 (The WStr::_alloc_iostr_data() function in kso.dll in Kingsoft WPS ...) - TODO: check + NOT-FOR-US: Kingsoft WPS Office CVE-2018-6216 RESERVED CVE-2018-6215 
@@ -205,23 +205,23 @@ CVE-2018-6211 CVE-2018-6210 RESERVED CVE-2018-6209 (In Max Secure Anti Virus 19.0.3.019,, the driver file (MaxCryptMon.sys) ...) - TODO: check + NOT-FOR-US: Max Secure Anti Virus CVE-2018-6208 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) - TODO: check + NOT-FOR-US: Max Secure Anti Virus CVE-2018-6207 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) - TODO: check + NOT-FOR-US: Max Secure Anti Virus CVE-2018-6206 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) - TODO: check + NOT-FOR-US: Max Secure Anti Virus CVE-2018-6205 (In Max Secure Anti Virus 19.0.3.019,, the driver file ...) - TODO: check + NOT-FOR-US: Max Secure Anti Virus CVE-2018-6204 (In Max Secure Anti Virus 19.0.3.019,, the driver file (SDActMon.sys) ...) - TODO: check + NOT-FOR-US: Max Secure Anti Virus CVE-2018-6203 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) ...) - TODO: check + NOT-FOR-US: eScan Antivirus CVE-2018-6202 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) ...) - TODO: check + NOT-FOR-US: eScan Antivirus CVE-2018-6201 (In eScan Antivirus 14.0.1400.2029, the driver file (econceal.sys) ...) - TODO: check + NOT-FOR-US: eScan Antivirus CVE-2018-6200 (vBulletin 3.x.x and 4.2.x through 4.2.5 has an open redirect via the ...) TODO: check CVE-2018-6199 @@ -237,7 +237,7 @@ CVE-2018-6192 (In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in ...) CVE-2018-6191 (The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an ...) TODO: check CVE-2018-6190 (Netis WF2419 V3.2.41381 devices allow XSS via the Description field on ...) - TODO: check + NOT-FOR-US: Netis WF2419 V3.2.41381 devices CVE-2017-1000504 (A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier ...) TODO: check CVE-2017-1000503 (A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 ...) 
@@ -245,7 +245,7 @@ CVE-2017-1000503 (A race condition during Jenkins 2.81 through 2.94 (inclusive); CVE-2017-1000502 (Users with permission to create or configure agents in Jenkins 1.37 ...) TODO: check CVE-2017-1000474 (Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is ...) - TODO: check + NOT-FOR-US: Soyket Chowdhury Vehicle Sales Management System CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when the ...) - w3m (bug #888097; unimportant) NOTE: https://github.com/tats/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753 @@ -810,7 +810,7 @@ CVE-2018-5968 (FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 NOTE: https://github.com/FasterXML/jackson-databind/issues/1899 NOTE: https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 CVE-2018-5967 (Netis WF2419 V2.2.36123 devices allow XSS via the Description parameter ...) - TODO: check + NOT-FOR-US: Netis WF2419 V2.2.36123 devices CVE-2018-5966 RESERVED CVE-2018-5965 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1dc06687257008717df0e141e1656bd9651c9263 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1dc06687257008717df0e141e1656bd9651c9263 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
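Review bot: the two Netis entries (CVE-2018-6190 and CVE-2018-5967) put the firmware version and the word "devices" into the NOT-FOR-US string, while the other entries changed in this patch use the bare product name (SugarCRM, Kingsoft WPS Office, Max Secure Anti Virus, eScan Antivirus). Use `NOT-FOR-US: Netis WF2419` for both, so the same product is tagged identically and later Netis CVEs can be matched against one string.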
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-6192/mupdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 485ffa35 by Salvatore Bonaccorso at 2018-01-25T10:21:09+01:00 Add CVE-2018-6192/mupdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -233,6 +233,8 @@ CVE-2018-6194 CVE-2018-6193 (A Cross-Site Scripting (XSS) vulnerability was found in Routers2 2.24, ...) TODO: check CVE-2018-6192 (In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in ...) + - mupdf + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698916 TODO: check CVE-2018-6191 (The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has an ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/485ffa35c103485e1847b4bc43eeb624665aafac --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/485ffa35c103485e1847b4bc43eeb624665aafac You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
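Review bot: the context line directly after the two added lines for CVE-2018-6192 still reads `TODO: check`, so the entry ends up with both a package line and an open TODO. If triage is complete, delete the TODO in this hunk; if something is still to be verified (affected releases, a Debian bug number), say what in a NOTE so the remaining work is visible.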
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process three jenkins issues (removed)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e350817 by Salvatore Bonaccorso at 2018-01-25T10:21:32+01:00 Process three jenkins issues (removed) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -241,11 +241,11 @@ CVE-2018-6191 (The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 CVE-2018-6190 (Netis WF2419 V3.2.41381 devices allow XSS via the Description field on ...) NOT-FOR-US: Netis WF2419 V3.2.41381 devices CVE-2017-1000504 (A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier ...) - TODO: check + - jenkins CVE-2017-1000503 (A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 ...) - TODO: check + - jenkins CVE-2017-1000502 (Users with permission to create or configure agents in Jenkins 1.37 ...) - TODO: check + - jenkins CVE-2017-1000474 (Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is ...) NOT-FOR-US: Soyket Chowdhury Vehicle Sales Management System CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e350817d35d06ab9462481b737de9e37b5927c1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3e350817d35d06ab9462481b737de9e37b5927c1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Drop Guido from frontdesk when he's not available
Raphaël Hertzog pushed to branch master at Debian Security Tracker / security-tracker Commits: c5e428fb by Raphaël Hertzog at 2018-01-25T11:09:10+01:00 Drop Guido from frontdesk when he's not available - - - - - 1 changed file: - org/lts-frontdesk.2018.txt Changes: = org/lts-frontdesk.2018.txt = --- a/org/lts-frontdesk.2018.txt +++ b/org/lts-frontdesk.2018.txt @@ -17,7 +17,7 @@ From 15-01 to 21-01:Guido GüntherFrom 22-01 to 28-01:Thorsten Alteholz From 29-01 to 04-02:Ola Lundqvist From 05-02 to 11-02:Markus Koschany -From 12-02 to 18-02:Guido Günther +From 12-02 to 18-02: From 19-02 to 25-02:Chris Lamb From 26-02 to 04-03:Antoine Beaupré From 05-03 to 11-03:Chris Lamb @@ -28,7 +28,7 @@ From 02-04 to 08-04:Chris Lamb From 09-04 to 15-04:Antoine Beaupré From 16-04 to 22-04:Markus Koschany From 23-04 to 29-04:Thorsten Alteholz -From 30-04 to 06-05:Guido Günther +From 30-04 to 06-05: From 07-05 to 13-05:Ola Lundqvist From 14-05 to 20-05:Chris Lamb From 21-05 to 27-05:Markus Koschany View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5e428fbc9fd0db0cc94358a9be87b5001f51f63 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5e428fbc9fd0db0cc94358a9be87b5001f51f63 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
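Review bot: both changed lines (12-02 to 18-02 and 30-04 to 06-05) leave nothing after the colon, so frontdesk is unassigned for those two weeks. Either assign a replacement in the same commit or mark the slots explicitly as open, so the gap is noticed before the week starts rather than when incoming issues go untriaged.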
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] fix syntax
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fbfc9696 by Moritz Muehlenhoff at 2018-01-25T15:14:20+01:00 fix syntax - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -260,7 +260,7 @@ CVE-2018-6197 (w3m through 0.5.3 is prone to a NULL pointer dereference flaw in NOTE: https://github.com/tats/w3m/issues/89 NOTE: https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8 CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...) - - w3m 0.5.3-36 (low + - w3m 0.5.3-36 (low) [stretch] - w3m (Minor issue) [jessie] - w3m (Minor issue) [wheezy] - w3m (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbfc96966a6d89458d19938efbcf14f23b55e9a7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbfc96966a6d89458d19938efbcf14f23b55e9a7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add jackson-databind to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 06ea959f by Moritz Muehlenhoff at 2018-01-25T15:16:28+01:00 add jackson-databind to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -22,6 +22,8 @@ graphicsmagick -- imagemagick/oldstable (jmm) -- +jackson-databind +-- libav/oldstable We can ship the next libav 11.x point release when available -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06ea959f8738fa2ca019b9273df00e9dd21e69ef --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/06ea959f8738fa2ca019b9273df00e9dd21e69ef You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add dovecot to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5934fc1d by Moritz Muehlenhoff at 2018-01-25T15:16:57+01:00 add dovecot to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -18,6 +18,8 @@ chromium-browser/stable -- curl (ghedo) -- +dovecot (carnil) +-- graphicsmagick -- imagemagick/oldstable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5934fc1d72a4332ec192e13a2517d5e73300cfc3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5934fc1d72a4332ec192e13a2517d5e73300cfc3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new chromium issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d0d2cde3 by Moritz Muehlenhoff at 2018-01-25T14:48:07+01:00 new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -550,52 +550,124 @@ CVE-2018-6055 RESERVED CVE-2018-6054 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6053 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6052 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6051 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6050 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6049 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6048 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6047 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6046 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6045 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6044 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6043 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6042 RESERVED + - chromium-browser + [jessie] - 
chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6041 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6040 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6039 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6038 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6037 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6036 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6035 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6034 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6033 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6032 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6031 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2018-6030 RESERVED CVE-2018-116 (Jenkins Ant
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] follow security team with CVEs for w3m
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d870b82 by Thorsten Alteholz at 2018-01-25T14:02:18+01:00 follow security team with CVEs for w3m - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -256,12 +256,14 @@ CVE-2018-6197 (w3m through 0.5.3 is prone to a NULL pointer dereference flaw in - w3m [stretch] - w3m (Minor issue) [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/89 NOTE: https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8 CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...) - w3m [stretch] - w3m (Minor issue) [jessie] - w3m (Minor issue) + [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/88 NOTE: https://github.com/tats/w3m/commit/8354763b90490d4105695df52674d0fcef823e92 CVE-2018-6189 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7d870b8244832e9771b6f5a50727b9b6feddffdc
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] w3m fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bebbe94 by Moritz Muehlenhoff at 2018-01-25T14:54:01+01:00 w3m fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -249,18 +249,18 @@ CVE-2017-1000502 (Users with permission to create or configure agents in Jenkins CVE-2017-1000474 (Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is ...) NOT-FOR-US: Soyket Chowdhury Vehicle Sales Management System CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when the ...) - - w3m (bug #888097; unimportant) + - w3m 0.5.3-36 (bug #888097; unimportant) NOTE: https://github.com/tats/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753 NOTE: Neutralised by kernel hardening CVE-2018-6197 (w3m through 0.5.3 is prone to a NULL pointer dereference flaw in ...) - - w3m + - w3m 0.5.3-36 (low) [stretch] - w3m (Minor issue) [jessie] - w3m (Minor issue) [wheezy] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/89 NOTE: https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8 CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...) - - w3m + - w3m 0.5.3-36 (low [stretch] - w3m (Minor issue) [jessie] - w3m (Minor issue) [wheezy] - w3m (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9bebbe941b7379efa9f5bbe9fcad581f25849c71
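Review bot: the added CVE-2018-6196 line "- w3m 0.5.3-36 (low" is missing its closing parenthesis, while the CVE-2018-6197 line added in the same hunk reads "- w3m 0.5.3-36 (low)". Close the parenthesis so both entries carry the urgency annotation in the same form and anything parsing data/CVE/list reads the CVE-2018-6196 entry the same way as its neighbour.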
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add mupdf to dla-needed and claim it.
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f2ad4a1 by Hugo Lefeuvre at 2018-01-25T15:34:08+01:00 Add mupdf to dla-needed and claim it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -45,6 +45,8 @@ ming (Hugo Lefeuvre) NOTE: 20180118: wip, currently working on it with upstream, might take a while NOTE: Some issues currently in upstream's bug tracker are missing a CVE number, so number of issues might increase in the next weeks -- +mupdf (Hugo Lefeuvre) +-- opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f2ad4a1be743e2edf9ee8bc3902699e805c410a
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-15132/dovecot: #888432
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9bde9ae by Salvatore Bonaccorso at 2018-01-25T15:45:51+01:00 Add bug reference for CVE-2017-15132/dovecot: #888432 At same time remove oss-security reference, not adding much and already given by cross reference. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22005,9 +22005,8 @@ CVE-2017-15133 RESERVED CVE-2017-15132 [dovecot: auth client leaks memory if SASL authentication is aborted] RESERVED - - dovecot + - dovecot (bug #888432) NOTE: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch - NOTE: http://www.openwall.com/lists/oss-security/2018/01/25/4 CVE-2017-15131 (It was found that system umask policy is not being honored when ...) - xdg-user-dirs (unimportant) NOTE: The CVE relates that created directories by xdg-user-dirs might not View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a9bde9ae3054acc715f456ec627ef0079730
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] reclaim agx lts frontdesk weeks
Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker Commits: c4a42421 by Antoine Beaupré at 2018-01-25T09:46:30-05:00 reclaim agx lts frontdesk weeks - - - - - 1 changed file: - org/lts-frontdesk.2018.txt Changes: = org/lts-frontdesk.2018.txt = --- a/org/lts-frontdesk.2018.txt +++ b/org/lts-frontdesk.2018.txt @@ -17,7 +17,7 @@ From 15-01 to 21-01:Guido GüntherFrom 22-01 to 28-01:Thorsten Alteholz From 29-01 to 04-02:Ola Lundqvist From 05-02 to 11-02:Markus Koschany -From 12-02 to 18-02: +From 12-02 to 18-02:Antoine Beaupré From 19-02 to 25-02:Chris Lamb From 26-02 to 04-03:Antoine Beaupré From 05-03 to 11-03:Chris Lamb @@ -28,7 +28,7 @@ From 02-04 to 08-04:Chris Lamb From 09-04 to 15-04:Antoine Beaupré From 16-04 to 22-04:Markus Koschany From 23-04 to 29-04:Thorsten Alteholz -From 30-04 to 06-05: +From 30-04 to 06-05:Antoine Beaupré From 07-05 to 13-05:Ola Lundqvist From 14-05 to 20-05:Chris Lamb From 21-05 to 27-05:Markus Koschany View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4a42421d4c485f9f9ac1cd2de58b66af0ae6d1e
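Review bot: both removed lines ("From 12-02 to 18-02:" and "From 30-04 to 06-05:") are empty slots, so nothing in the diff shows whose weeks are being reclaimed, and "agx" does not appear anywhere in the file. Consider naming the previous holder in the commit message so the roster history for those two weeks can be followed from the log alone.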
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: add knot-resolver to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6589de50 by Moritz Muehlenhoff at 2018-01-25T16:08:16+01:00 add knot-resolver to dsa-needed - - - - - 9a39627a by Moritz Muehlenhoff at 2018-01-25T16:09:43+01:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -26,6 +26,8 @@ imagemagick/oldstable (jmm) -- jackson-databind -- +knot-resolver +-- libav/oldstable We can ship the next libav 11.x point release when available -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c4a42421d4c485f9f9ac1cd2de58b66af0ae6d1e...9a39627a49ea305dfe9bd8e420da202afa196521
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] add mercurial to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e65fa623 by Moritz Muehlenhoff at 2018-01-25T16:11:34+01:00 add mercurial to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -38,6 +38,8 @@ libvpx/oldstable linux Wait until more issues have piled up -- +mercurial +-- openjdk-7/oldstable (jmm) -- openjdk-8/stable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e65fa623bb8e43d5cc4ac9efddb81e8522b34170
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] dnsmasq no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7492440e by Moritz Muehlenhoff at 2018-01-25T16:10:58+01:00 dnsmasq no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -22128,6 +22128,8 @@ CVE-2017-15108 (spice-vdagent up to and including 0.17.0 does not properly escap NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 (A vulnerability was found in the implementation of DNSSEC in Dnsmasq ...) - dnsmasq (bug #888200) + [stretch] - dnsmasq (Minor issue) + [jessie] - dnsmasq (Minor issue) NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6 CVE-2017-15106 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7492440e3e1f924f468e214d6b92c6572c77a676