[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b18975bf by security tracker role at 2018-02-14T09:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,7 @@ +CVE-2018-6956 + RESERVED +CVE-2018-6955 + RESERVED CVE-2018-6954 (systemd-tmpfiles in systemd through 237 mishandles symlinks present in ...) - systemd NOTE: https://github.com/systemd/systemd/issues/7986 @@ -158,8 +162,8 @@ CVE-2018-6912 (The decode_plane function in libavcodec/utvideodec.c in FFmpeg th NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/76cc0f0f673353cd4746cd3b83838ae335e5d9ed CVE-2018-6911 (The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess ...) NOT-FOR-US: Advantech WebAccess -CVE-2018-6910 - RESERVED +CVE-2018-6910 (DedeCMS 5.7 allows remote attackers to discover the full path via a ...) + TODO: check CVE-2018-6909 RESERVED CVE-2018-6908 @@ -411,6 +415,7 @@ CVE-2018-6801 CVE-2018-6800 RESERVED CVE-2018-6799 (The AcquireCacheNexus function in magick/pixel_cache.c in ...) + {DLA-1282-1} - graphicsmagick 1.3.28-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b41e2efce6d3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/d30ed06e9b87 @@ -4069,8 +4074,8 @@ CVE-2018-5461 RESERVED CVE-2018-5460 RESERVED -CVE-2018-5459 - RESERVED +CVE-2018-5459 (An Improper Authentication issue was discovered in WAGO PFC200 Series ...) + TODO: check CVE-2018-5458 RESERVED CVE-2018-5457 (A uncontrolled search path element issue was discovered in Vyaire ...) 
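Review bot: `TODO: check` on CVE-2018-6910 in the `@@ -158,8 +162,8 @@` hunk can be closed in the same change: DedeCMS is a standalone PHP CMS, not a Debian source package, so the entry should read `NOT-FOR-US: DedeCMS`, the way the neighbouring Advantech WebAccess entry is handled (the follow-up commit 9f9eed96 in this digest does exactly that).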
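Review bot: `TODO: check` on CVE-2018-5459 in the `@@ -4069,8 +4074,8 @@` hunk leaves a triage item open for the WAGO PFC200 Series, an industrial controller product line of the same non-Debian kind as the Advantech WebAccess entry earlier in this patch; suggest resolving it as `NOT-FOR-US: WAGO PFC200` rather than carrying the TODO forward.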
@@ -22573,8 +22578,7 @@ CVE-2017-15701 (In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) - qpid-java (bug #840131) CVE-2017-15700 (A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid ...) NOT-FOR-US: Apache Sling Authentication Service -CVE-2017-15699 - RESERVED +CVE-2017-15699 (A Denial of Service vulnerability was found in Apache Qpid Dispatch ...) - qpid-dispatch (bug #737776) NOTE: http://www.openwall.com/lists/oss-security/2018/02/13/5 CVE-2017-15698 (When parsing the AIA-Extension field of a client certificate, Apache ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b18975bf36c686ef254148318ab83edaf07cc922 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b18975bf36c686ef254148318ab83edaf07cc922 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
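Review bot: the bug reference in `- qpid-dispatch (bug #737776)` sits in a far older number range than the other reports on this page (#889842, #890412, #890441), which is what an ITP/RFP bug looks like; if qpid-dispatch is not yet in the archive the entry needs the tracker's `<itp>` state, and if it is, the reference should point to a bug filed for CVE-2017-15699 itself. The oss-security NOTE is the right upstream reference to keep.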
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-6910 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f9eed96 by Salvatore Bonaccorso at 2018-02-14T11:10:20+01:00 Mark CVE-2018-6910 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -163,7 +163,7 @@ CVE-2018-6912 (The decode_plane function in libavcodec/utvideodec.c in FFmpeg th CVE-2018-6911 (The VBWinExec function in Node\AspVBObj.dll in Advantech WebAccess ...) NOT-FOR-US: Advantech WebAccess CVE-2018-6910 (DedeCMS 5.7 allows remote attackers to discover the full path via a ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2018-6909 RESERVED CVE-2018-6908 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f9eed969d6d83c505075b373282d483cdbe7e06 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f9eed969d6d83c505075b373282d483cdbe7e06 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6794/suricata addressed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26e12932 by Salvatore Bonaccorso at 2018-02-14T12:35:40+01:00 CVE-2018-6794/suricata adressed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -428,7 +428,7 @@ CVE-2018-6796 (PHP Scripts Mall Multilanguage Real Estate MLM Script 3.0 has Sto CVE-2018-6795 (PHP Scripts Mall Naukri Clone Script 3.0.3 has Stored XSS via every ...) NOT-FOR-US: PHP Scripts Mall Naukri Clone Script CVE-2018-6794 (Suricata before 4.1 is prone to an HTTP detection bypass vulnerability ...) - - suricata (bug #889842) + - suricata 1:4.0.4-1 (bug #889842) NOTE: https://redmine.openinfosecfoundation.org/issues/2427 NOTE: https://github.com/OISF/suricata/pull/3202/commits/e1ef57c848bbe4e567d5d4b66d346a742e3f77a1 CVE-2018-6793 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26e12932863d751043aeb8069c9306f38ee74caa --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/26e12932863d751043aeb8069c9306f38ee74caa You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
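Review bot: the fixed version `1:4.0.4-1` is lower than the `before 4.1` in the CVE description, so the entry only holds if the referenced PR 3202 commit is in the upstream 4.0.4 release; a short NOTE recording that would make the version checkable. Stretch and jessie are still left without a `[stretch]`/`[jessie]` line, so the stable status of this HTTP detection bypass remains undecided in this change.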
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] puppet no-dsa
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 55dc38d3 by Moritz Muehlenhoff at 2018-02-14T14:49:55+01:00 puppet no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37654,6 +37654,8 @@ CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the age TODO: check CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a ...) - puppet + [stretch] - puppet (Minor issue) + [jessie] - puppet (Minor issue) [wheezy] - puppet (vulnerable code not present) NOTE: https://puppet.com/security/cve/CVE-2017-10689 NOTE: https://tickets.puppetlabs.com/browse/PUP-7866 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55dc38d38f2959d9735875ac74d3cfe60daef056 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/55dc38d38f2959d9735875ac74d3cfe60daef056 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
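Review bot: the new `[stretch]`/`[jessie]` lines record a `Minor issue` decision while the unstable entry `- puppet` shown in context carries no Debian bug reference; a bug number, as in `(bug #889842)` elsewhere on this page, is what keeps a no-dsa decision from losing track of whether the fix ever lands in unstable.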
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new puppet issue, only affects experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 631987cb by Moritz Muehlenhoff at 2018-02-14T15:10:15+01:00 new puppet issue, only affects experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37651,7 +37651,10 @@ CVE-2017-10692 CVE-2017-10691 RESERVED CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the agent to ...) - TODO: check + [experimental] - puppet + - puppet (Only affects Puppet 5, only in experimental) + NOTE: https://puppet.com/security/cve/CVE-2017-10690 + NOTE: https://tickets.puppetlabs.com/browse/PUP-8225 CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a ...) - puppet [stretch] - puppet (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/631987cb6559b66d0d67c74179a42982d71a868e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/631987cb6559b66d0d67c74179a42982d71a868e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
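Review bot: the unstable line `- puppet (Only affects Puppet 5, only in experimental)` states a not-affected rationale that nothing in the hunk backs up: the two NOTE URLs are the vendor advisory and the ticket, not the fix. A `Fixed by:` commit reference would let a reviewer check whether the 4.x code in unstable contains the vulnerable path, which is exactly what the later commit 533c425f in this digest had to revisit.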
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] puppet bug
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a4dcc66 by Moritz Muehlenhoff at 2018-02-14T15:18:34+01:00 puppet bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37656,7 +37656,7 @@ CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the age NOTE: https://puppet.com/security/cve/CVE-2017-10690 NOTE: https://tickets.puppetlabs.com/browse/PUP-8225 CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a ...) - - puppet + - puppet (bug #890412) [stretch] - puppet (Minor issue) [jessie] - puppet (Minor issue) [wheezy] - puppet (vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a4dcc667c4c8ae9f7be2177d3ae05dca733ccbc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a4dcc667c4c8ae9f7be2177d3ae05dca733ccbc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-5784
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28ae6fcd by Salvatore Bonaccorso at 2018-02-14T15:43:42+01:00 Reference fix for CVE-2018-5784 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3256,6 +3256,7 @@ CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption i - tiff3 [wheezy] - tiff3 (Minor issue, revisit once fixed upstream) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2772 + NOTE: Fixed by: https://gitlab.com/libtiff/libtiff/commit/473851d211cf8805a161820337ca74cc9615d6ef CVE-2018-5783 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in the ...) - libpodofo [stretch] - libpodofo (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/28ae6fcddd1d0d2fcec372d31360532db18b23e1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/28ae6fcddd1d0d2fcec372d31360532db18b23e1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
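Review bot: a `Fixed by:` upstream commit is now recorded, but the `- tiff3` entry and the `[wheezy] - tiff3 (Minor issue, revisit once fixed upstream)` line shown in context still carry no Debian bug reference, and the revisit they defer is now due; either update the stable annotation in the same change or file the bug so the revisit is tracked rather than forgotten.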
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new chromium issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aa97f39 by Moritz Muehlenhoff at 2018-02-14T17:00:14+01:00 new chromium issue Jenkins NFU - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1813,6 +1813,7 @@ CVE-2018-6357 (The acx_asmw_saveorder_callback function in function.php in the . NOT-FOR-US: acurax-social-media-widget plugin for WordPress CVE-2018-6356 RESERVED + - jenkins CVE-2018-6355 (/goform/setLang on iBall 300M devices with "iB-WRB302N_1.0.1-Sep 8 ...) NOT-FOR-US: iBall 300M devices CVE-2018-6354 (templates/forms/thanks.html in Formspree before 2018-01-23 allows XSS ...) @@ -2490,6 +2491,11 @@ CVE-2018-6057 RESERVED CVE-2018-6056 RESERVED + - chromium-browser + [jessie] - chromium-browser (End of life, see DSA 4020) + [wheezy] - chromium-browser (Not supported in Wheezy) + - libv8 (unimportant) + NOTE: libv8 not covered by security support CVE-2018-6055 RESERVED CVE-2018-6054 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- 389-ds-base (fw) -- +chromium-browser/stable +-- ffmpeg/stable Wait for next 3.2.x release -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aa97f39240e7c5b7a7271ce3b3250d0644d51a7 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aa97f39240e7c5b7a7271ce3b3250d0644d51a7 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
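Review bot: the commit message says `Jenkins NFU`, but the first hunk adds `- jenkins` under CVE-2018-6356, which records jenkins as an affected Debian source package rather than `NOT-FOR-US`; one of the two is wrong. The CVE is also still `RESERVED` with no NOTE, so whichever way it is resolved, a reference to the Jenkins advisory is needed for the entry to be checkable.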
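Review bot: in the `@@ -2490,6 +2491,11 @@` hunk, CVE-2018-6056 is recorded as affecting chromium-browser while still `RESERVED` and without any NOTE pointing at the Chrome release or bug, so the `chromium-browser/stable` item added to dsa-needed.txt cannot be matched to an upstream fixed version from the tracker data alone; add that reference. Marking `libv8 (unimportant)` together with the explanatory NOTE is the right call.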
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] kde-runtime n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dc0abc8 by Moritz Muehlenhoff at 2018-02-14T19:36:11+01:00 kde-runtime n/a add and take plasma-workspace - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -438,8 +438,7 @@ CVE-2018-6792 (Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 a CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE ...) [experimental] - plasma-workspace 4:5.12.0-1 - plasma-workspace - - kde-runtime - [wheezy] - kde-runtime (vulnerable code not present) + - kde-runtime (Performs correct escaping) NOTE: https://bugs.kde.org/show_bug.cgi?id=389815 NOTE: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57 (Plasma/5.12) NOTE: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212 (Plasma/5.8) = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -70,6 +70,8 @@ phpmyadmin/oldstable -- pjproject -- +plasma-workspace (jmm) +-- plexus-utils -- plexus-utils2/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3dc0abc8a8b4776a45f1b6a71e8a9918a492ad3e --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3dc0abc8a8b4776a45f1b6a71e8a9918a492ad3e You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
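Review bot: `- kde-runtime (Performs correct escaping)` replaces a wheezy-only `vulnerable code not present` line with a rationale that now covers every release, but neither the KDE bug nor the two plasma-workspace commits in the NOTEs say anything about kde-runtime; a pointer to the kde-runtime code that does the escaping would make that not-affected call auditable later.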
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add further note for CVE-2017-10690
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 533c425f by Salvatore Bonaccorso at 2018-02-14T20:40:48+01:00 Add further note for CVE-2017-10690 The issue might actually be present prior to 5.x in puppet, and only maked before commits in 4.10.5. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37661,6 +37661,9 @@ CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the age - puppet (Only affects Puppet 5, only in experimental) NOTE: https://puppet.com/security/cve/CVE-2017-10690 NOTE: https://tickets.puppetlabs.com/browse/PUP-8225 + NOTE: Fixed by: https://github.com/puppetlabs/puppet/commit/bd87bef2c3862d333f4c1f2b148b147d449a375b + NOTE: Prior to 4.10.5 the problem was partially masked: + NOTE: https://tickets.puppetlabs.com/browse/PUP-8225?focusedCommentId=525381&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-525381 CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a ...) - puppet (bug #890412) [stretch] - puppet (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/533c425f24aff21400cf3cc1d92050ac9df2f0a5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/533c425f24aff21400cf3cc1d92050ac9df2f0a5 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
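Review bot: the new NOTE `Prior to 4.10.5 the problem was partially masked` contradicts the `- puppet (Only affects Puppet 5, only in experimental)` line kept as context directly above it: partially masked is not the same as not affected, so if the ticket comment is trusted the unstable 4.x entry needs to change, and if it is not, the NOTE should not go in (the later commit 62a1b8d1 in this digest drops it as an unrelated bug).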
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2017-10690/puppet
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f582499f by Salvatore Bonaccorso at 2018-02-14T20:48:17+01:00 Add bug reference for CVE-2017-10690/puppet - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37657,7 +37657,7 @@ CVE-2017-10692 CVE-2017-10691 RESERVED CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the agent to ...) - [experimental] - puppet + [experimental] - puppet (bug #890440) - puppet (Only affects Puppet 5, only in experimental) NOTE: https://puppet.com/security/cve/CVE-2017-10690 NOTE: https://tickets.puppetlabs.com/browse/PUP-8225 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f582499fef473ec0a923ab53bddded9dd1cdaee8 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f582499fef473ec0a923ab53bddded9dd1cdaee8 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-5784/tiff: #890441
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29d87604 by Salvatore Bonaccorso at 2018-02-14T20:55:37+01:00 Add bug reference for CVE-2018-5784/tiff: #890441 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3259,7 +3259,7 @@ CVE-2018-5785 (In OpenJPEG 2.3.0, there is an integer overflow caused by an ...) - openjpeg2 (low; bug #888533) NOTE: https://github.com/uclouvain/openjpeg/issues/1057 CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the ...) - - tiff + - tiff (bug #890441) [stretch] - tiff (Minor issue, revisit once fixed upstream) [jessie] - tiff (Minor issue, revisit once fixed upstream) [wheezy] - tiff (Minor issue, revisit once fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/29d8760481a121791dc18bdc35d80a84737e3773 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/29d8760481a121791dc18bdc35d80a84737e3773 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7032/myrepos: #840014
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49b1b6e4 by Salvatore Bonaccorso at 2018-02-14T20:54:14+01:00 Add CVE-2018-7032/myrepos: #840014 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,8 @@ +CVE-2018-7032 [webcheckout: missing URL sanitization] + - myrepos (bug #840014) + [stretch] - myrepos (Minor issue) + [jessie] - myrepos (Minor issue) + - mr CVE-2018-6956 RESERVED CVE-2018-6955 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/49b1b6e4232843eb6798a47bd86c8537cc0da997 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/49b1b6e4232843eb6798a47bd86c8537cc0da997 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
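Review bot: the `[stretch]`/`[jessie]` lines are set to `Minor issue` without a rationale, and the only reference is bug #840014, well below the current number range seen elsewhere on this page (#889842, #890412), so it is an older report; a NOTE pointing at the upstream myrepos fix for the webcheckout URL sanitization would let someone verify what the Minor issue call rests on.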
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] plasma-workspace moved to unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a30d5ac5 by Salvatore Bonaccorso at 2018-02-14T20:58:30+01:00 plasma-workspace moved to unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -441,15 +441,13 @@ CVE-2018-6793 CVE-2018-6792 (Multiple SQL injection vulnerabilities in Saifor CVMS HUB 1.3.1 allow ...) NOT-FOR-US: Saifor CVMS HUB CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE ...) - [experimental] - plasma-workspace 4:5.12.0-1 - - plasma-workspace + - plasma-workspace 4:5.12.0-2 - kde-runtime (Performs correct escaping) NOTE: https://bugs.kde.org/show_bug.cgi?id=389815 NOTE: https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57 (Plasma/5.12) NOTE: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212 (Plasma/5.8) CVE-2018-6790 (An issue was discovered in KDE Plasma Workspace before 5.12.0. ...) - [experimental] - plasma-workspace 4:5.12.0-1 - - plasma-workspace + - plasma-workspace 4:5.12.0-2 NOTE: https://phabricator.kde.org/D10188 NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=8164beac15ea34ec0d1564f0557fe3e742bdd938 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a30d5ac522a48c2b98a1e4223c21f24857c9a787 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a30d5ac522a48c2b98a1e4223c21f24857c9a787 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
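Review bot: with `- plasma-workspace 4:5.12.0-2` now fixed in unstable for both CVE-2018-6790 and CVE-2018-6791, neither entry has a `[stretch]` line, so the only open item is the `plasma-workspace (jmm)` entry added to dsa-needed.txt earlier in this digest; a stretch decision (update or no-dsa) should follow in the CVE list so the two files do not drift apart.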
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] remove comment, unrelated bug
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 62a1b8d1 by Moritz Muehlenhoff at 2018-02-14T21:09:11+01:00 remove comment, unrelated bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -37665,8 +37665,6 @@ CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the age NOTE: https://puppet.com/security/cve/CVE-2017-10690 NOTE: https://tickets.puppetlabs.com/browse/PUP-8225 NOTE: Fixed by: https://github.com/puppetlabs/puppet/commit/bd87bef2c3862d333f4c1f2b148b147d449a375b - NOTE: Prior to 4.10.5 the problem was partially masked: - NOTE: https://tickets.puppetlabs.com/browse/PUP-8225?focusedCommentId=525381&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-525381 CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a ...) - puppet (bug #890412) [stretch] - puppet (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62a1b8d187e587ed7c6cc1724bacb550b261b91f --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62a1b8d187e587ed7c6cc1724bacb550b261b91f You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] one plasma issue ignored
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b97a654 by Moritz Muehlenhoff at 2018-02-14T21:10:06+01:00 one plasma issue ignored remove TODO, different components involved in jessie, but not worth listing explicitly, also ignored anyway - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -448,10 +448,10 @@ CVE-2018-6791 (An issue was discovered in soliduiserver/deviceserviceaction.cpp NOTE: https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212 (Plasma/5.8) CVE-2018-6790 (An issue was discovered in KDE Plasma Workspace before 5.12.0. ...) - plasma-workspace 4:5.12.0-2 + [stretch] - plasma-workspace (Minor issue, too intrusive to backport) NOTE: https://phabricator.kde.org/D10188 NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=5bc696b5abcdb460c1017592e80b2d7f6ed3107c NOTE: https://cgit.kde.org/plasma-workspace.git/commit/?id=8164beac15ea34ec0d1564f0557fe3e742bdd938 - TODO: check kde-workspace CVE-2018-6789 (An issue was discovered in the base64d function in the SMTP listener ...) {DSA-4110-1 DLA-1274-1} - exim4 4.90.1-1 (bug #89) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b97a65487dd23c1b585cc5a73a0a4c166068269 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2b97a65487dd23c1b585cc5a73a0a4c166068269 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
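Review bot: removing `TODO: check kde-workspace` drops the only pointer in the data file that jessie ships this code under a different source package; the commit message gives the reasoning (`different components involved in jessie`), but that only survives in git history, so a one-line NOTE on CVE-2018-6790 would keep it with the entry. The new `[stretch]` line is added to CVE-2018-6790 only, leaving CVE-2018-6791 directly above it still open for stretch, which matches the plasma-workspace dsa-needed entry.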
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5784/tiff fixed version in unstable
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: 15f85c5d by Laszlo Boszormenyi (GCS) at 2018-02-14T20:31:32+00:00 Add CVE-2018-5784/tiff fixed version in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -3257,7 +3257,7 @@ CVE-2018-5785 (In OpenJPEG 2.3.0, there is an integer overflow caused by an ...) - openjpeg2 (low; bug #888533) NOTE: https://github.com/uclouvain/openjpeg/issues/1057 CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the ...) - - tiff (bug #890441) + - tiff 4.0.9-4 (bug #890441) [stretch] - tiff (Minor issue, revisit once fixed upstream) [jessie] - tiff (Minor issue, revisit once fixed upstream) [wheezy] - tiff (Minor issue, revisit once fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15f85c5d48fc74a3cb5a93a1b1031d8cf0d4d339 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15f85c5d48fc74a3cb5a93a1b1031d8cf0d4d339 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
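Review bot: the unstable fix `tiff 4.0.9-4` is recorded, but the three context lines for stretch, jessie and wheezy still read `Minor issue, revisit once fixed upstream`; with the fix now known and packaged, that revisit is due and the annotations should either be updated in the same change or turned into a tracked item.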
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove mpv, regression fix issued
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7621b9b1 by Salvatore Bonaccorso at 2018-02-14T22:06:33+01:00 Remove mpv, regression fix issued - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -52,10 +52,6 @@ mbedtls (seb) -- mercurial -- -mpv - Regression fix needed: cf. https://bugs.debian.org/888654#43 - Regression bug: #889892 --- openjdk-7/oldstable (jmm) -- openjdk-8/stable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7621b9b1ef38a0d1f4e0bbefc75c77fc965c4c5c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7621b9b1ef38a0d1f4e0bbefc75c77fc965c4c5c You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
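Review bot: the removed `mpv` entry carried two bug references (#888654 and regression bug #889892), and neither the hunk nor the commit message says where the regression fix was issued; naming the DSA revision in the commit message, as the libreoffice removal 48ffde3c does with DSA-4111-2, would close the loop for anyone reading the history.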
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove libreoffice/oldstable, update issued (DSA-4111-2)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48ffde3c by Salvatore Bonaccorso at 2018-02-14T22:07:38+01:00 Remove libreoffice/oldstable, update issued (DSA-4111-2) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -39,8 +39,6 @@ libidn -- libmad -- -libreoffice/oldstable (jmm) --- libvpx/oldstable -- linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48ffde3c3bee9f1869bfe8913640f504c4c2ae26 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48ffde3c3bee9f1869bfe8913640f504c4c2ae26 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 104fb8a2 by security tracker role at 2018-02-14T21:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -1,4 +1,192 @@ -CVE-2018-7032 [webcheckout: missing URL sanitization] +CVE-2018-7049 + RESERVED +CVE-2018-7048 + RESERVED +CVE-2018-7047 + RESERVED +CVE-2018-7046 + RESERVED +CVE-2018-7045 + RESERVED +CVE-2018-7044 + RESERVED +CVE-2018-7043 + RESERVED +CVE-2018-7042 + RESERVED +CVE-2018-7041 + RESERVED +CVE-2018-7040 + RESERVED +CVE-2018-7039 (CCN-lite 2.0.0 Beta allows remote attackers to cause a denial of ...) + TODO: check +CVE-2018-7038 + RESERVED +CVE-2018-7037 + RESERVED +CVE-2018-7036 + RESERVED +CVE-2018-7035 + RESERVED +CVE-2018-7034 (TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 ...) + TODO: check +CVE-2018-7033 + RESERVED +CVE-2018-7031 + RESERVED +CVE-2018-7030 + RESERVED +CVE-2018-7029 + RESERVED +CVE-2018-7028 + RESERVED +CVE-2018-7027 + RESERVED +CVE-2018-7026 + RESERVED +CVE-2018-7025 + RESERVED +CVE-2018-7024 + RESERVED +CVE-2018-7023 + RESERVED +CVE-2018-7022 + RESERVED +CVE-2018-7021 + RESERVED +CVE-2018-7020 + RESERVED +CVE-2018-7019 + RESERVED +CVE-2018-7018 + RESERVED +CVE-2018-7017 + RESERVED +CVE-2018-7016 + RESERVED +CVE-2018-7015 + RESERVED +CVE-2018-7014 + RESERVED +CVE-2018-7013 + RESERVED +CVE-2018-7012 + RESERVED +CVE-2018-7011 + RESERVED +CVE-2018-7010 + RESERVED +CVE-2018-7009 + RESERVED +CVE-2018-7008 + RESERVED +CVE-2018-7007 + RESERVED +CVE-2018-7006 + RESERVED +CVE-2018-7005 + RESERVED +CVE-2018-7004 + RESERVED +CVE-2018-7003 + RESERVED +CVE-2018-7002 + RESERVED +CVE-2018-7001 + RESERVED +CVE-2018-7000 + RESERVED +CVE-2018-6999 + RESERVED +CVE-2018-6998 + RESERVED +CVE-2018-6997 + RESERVED +CVE-2018-6996 + RESERVED +CVE-2018-6995 + RESERVED +CVE-2018-6994 + RESERVED +CVE-2018-6993 + RESERVED +CVE-2018-6992 + RESERVED +CVE-2018-6991 + RESERVED +CVE-2018-6990 + RESERVED +CVE-2018-6989 + RESERVED +CVE-2018-6988 + RESERVED +CVE-2018-6987 + RESERVED +CVE-2018-6986 + RESERVED +CVE-2018-6985 + RESERVED +CVE-2018-6984 + RESERVED +CVE-2018-6983 + RESERVED +CVE-2018-6982 + RESERVED +CVE-2018-6981 + RESERVED 
+CVE-2018-6980 + RESERVED +CVE-2018-6979 + RESERVED +CVE-2018-6978 + RESERVED +CVE-2018-6977 + RESERVED +CVE-2018-6976 + RESERVED +CVE-2018-6975 + RESERVED +CVE-2018-6974 + RESERVED +CVE-2018-6973 + RESERVED +CVE-2018-6972 + RESERVED +CVE-2018-6971 + RESERVED +CVE-2018-6970 + RESERVED +CVE-2018-6969 + RESERVED +CVE-2018-6968 + RESERVED +CVE-2018-6967 + RESERVED +CVE-2018-6966 + RESERVED +CVE-2018-6965 + RESERVED +CVE-2018-6964 + RESERVED +CVE-2018-6963 + RESERVED +CVE-2018-6962 + RESERVED +CVE-2018-6961 + RESERVED +CVE-2018-6960 + RESERVED +CVE-2018-6959 + RESERVED +CVE-2018-6958 + RESERVED +CVE-2018-6957 + RESERVED +CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlinks ...) + TODO: check +CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an ...) + TODO: check +CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs that ...) - myrepos (bug #840014) [stretch] - myrepos (Minor issue) [jessie] - myrepos (Minor issue) @@ -11915,62 +12103,62 @@ CVE-2018-2398 RESERVED CVE-2018-2397 RESERVED -CVE-2018-2396 - RESERVED -CVE-2018-2395 - RESERVED -CVE-2018-2394 - RESERVED -CVE-2018-2393 - RESERVED -CVE-2018-2392 - RESERVED -CVE-2018-2391 - RESERVED -CVE-2018-2390 - RESERVED -CVE-2018-2389 - RESERVED -CVE-2018-2388 - RESERVED -CVE-2018-2387 - RESERVED -CVE-2018-2386 - RESERVED -CVE-2018-2385 - RESERVED -CVE-2018-2384 - RESERVED -CVE-2018-2383 - RESERVED -CVE-2018-2382 - RESERVED -CVE-2018-2381 - RESERVED +CVE-2018-2396 (Under certain conditions a malicious user can prevent legitimate users ...) + TODO: check +CVE-2018-2395 (Under certain conditions a malicious user may retrieve information on ...) + TODO: check +CVE-2018-2394 (Under certain conditions an unauthenticated malicious user can prevent ...) + TODO: check +CVE-2018-2393 (Under certain conditions SAP Internet Graphics Server (IGS) 7.2
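Review bot: among the new entries, `CVE-2017-18187 (In ARM mbed TLS before 2.7.0 ...)` is left at `TODO: check` although mbedtls is a Debian source package already listed in dsa-needed.txt (`mbedtls (seb)` in the mpv removal hunk of this digest), so it needs a `- mbedtls` entry, with the fixed version once known, rather than staying a TODO. CVE-2017-18188 (opentmpfiles), CVE-2018-7039 (CCN-lite) and CVE-2018-7034 (TRENDnet) are `NOT-FOR-US` candidates that can be closed the same way the follow-up commit 35f46c20 closes the opentmpfiles one.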
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2016-10713/patch fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2a8afc6 by Salvatore Bonaccorso at 2018-02-14T22:17:11+01:00 CVE-2016-10713/patch fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -296,7 +296,7 @@ CVE-2017-18181 CVE-2017-18180 RESERVED CVE-2016-10713 (An issue was discovered in GNU patch before 2.7.6. Out-of-bounds access ...) - - patch (unimportant) + - patch 2.7.6-1 (unimportant) NOTE: https://git.savannah.gnu.org/cgit/patch.git/commit/src/pch.c?id=a0d7fe4589651c64bd16ddaaa634030bb0455866 NOTE: Crash in CLI tool, no security impact CVE-2015-9252 (An issue was discovered in QPDF before 7.0.0. Endless recursion causes ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2a8afc6b21c31311dbfeb74e5f67f9461b77e28
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35f46c20 by Moritz Muehlenhoff at 2018-02-14T22:27:27+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -183,7 +183,7 @@ CVE-2018-6958 CVE-2018-6957 RESERVED CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlinks ...) - TODO: check + NOT-FOR-US: opentmpfiles CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an ...) TODO: check CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs that ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35f46c2012015ad62b3cfc15e071e2177d2de7ff
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6f1735f by Salvatore Bonaccorso at 2018-02-14T22:28:43+01:00 Process NFUs - - - - - a1026cd8 by Salvatore Bonaccorso at 2018-02-14T22:28:44+01:00 Add CVE-2017-18187/mbedtls - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -19,7 +19,7 @@ CVE-2018-7041 CVE-2018-7040 RESERVED CVE-2018-7039 (CCN-lite 2.0.0 Beta allows remote attackers to cause a denial of ...) - TODO: check + NOT-FOR-US: CCN-lite 2 CVE-2018-7038 RESERVED CVE-2018-7037 @@ -29,7 +29,7 @@ CVE-2018-7036 CVE-2018-7035 RESERVED CVE-2018-7034 (TRENDnet TEW-751DR v1.03B03, TEW-752DRU v1.03B01, and TEW733GR v1.03B01 ...) - TODO: check + NOT-FOR-US: TRENDnet devices CVE-2018-7033 RESERVED CVE-2018-7031 @@ -185,7 +185,10 @@ CVE-2018-6957 CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlinks ...) NOT-FOR-US: opentmpfiles CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an ...) - TODO: check + [experimental] - mbedtls 2.7.0-1 + - mbedtls + - polarssl + NOTE: https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28 CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs that ...) - myrepos (bug #840014) [stretch] - myrepos (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/35f46c2012015ad62b3cfc15e071e2177d2de7ff...a1026cd8de28cdc2ce37afc70ecea7e8167d77e8
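Review bot: the new unstable line "- mbedtls" for CVE-2017-18187 carries neither a fixed version nor a bug reference, whereas the sibling mbedtls entries for CVE-2018-0487 and CVE-2018-0488 are tracked as "- mbedtls (bug #890287)" and "- mbedtls (bug #890288)"; file or link a bug here so the unstable fix does not get lost once the experimental 2.7.0-1 upload is forgotten. The bare "- polarssl" line should likewise say whether that package is affected or carry a status annotation. Marking "[experimental] - mbedtls 2.7.0-1" is consistent with the "before 2.7.0" wording of the description and with the linked upstream commit 83c9f495.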
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-048{7, 8}/mbedtls fixed in experimental with 2.7.0 upstream upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff1b58e8 by Salvatore Bonaccorso at 2018-02-14T22:29:53+01:00 CVE-2018-048{7,8}/mbedtls fixed in experimental with 2.7.0 upstream upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -17739,10 +17739,12 @@ CVE-2018-0490 CVE-2018-0489 RESERVED CVE-2018-0488 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the ...) + [experimental] - mbedtls 2.7.0-1 - mbedtls (bug #890287) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 CVE-2018-0487 (ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows ...) + [experimental] - mbedtls 2.7.0-1 - mbedtls (bug #890288) - polarssl NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ff1b58e85aca3bc2a8335c31e686ce30be31eeff
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: vorbis, xen DSAs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 20399f70 by Moritz Muehlenhoff at 2018-02-14T22:32:51+01:00 vorbis, xen DSAs - - - - - 69fc1c92 by Moritz Muehlenhoff at 2018-02-14T22:33:23+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,9 @@ +[14 Feb 2018] DSA-4113-1 libvorbis - security update + {CVE-2017-14632 CVE-2017-14633} + [stretch] - libvorbis 1.3.5-4+deb9u1 +[14 Feb 2018] DSA-4112-1 xen - security update + {CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566} + [stretch] - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4.1 [12 Feb 2018] DSA-4111-2 libreoffice - security update {CVE-2018-6871} [jessie] - libreoffice 1:4.3.3-2+deb8u10 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -95,9 +95,5 @@ unbound (jmm) -- vlc -- -libvorbis (jmm) --- -xen --- zendframework/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ff1b58e85aca3bc2a8335c31e686ce30be31eeff...69fc1c925c4e434650d167f431d8b18a44281973
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process some SAP specific NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 96840827 by Salvatore Bonaccorso at 2018-02-14T22:37:16+01:00 Process some SAP specific NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -12110,61 +12110,61 @@ CVE-2018-2398 CVE-2018-2397 RESERVED CVE-2018-2396 (Under certain conditions a malicious user can prevent legitimate users ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2395 (Under certain conditions a malicious user may retrieve information on ...) - TODO: check + NOT-FOR-US: SAP Internet Graphic Server CVE-2018-2394 (Under certain conditions an unauthenticated malicious user can prevent ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2393 (Under certain conditions SAP Internet Graphics Server (IGS) 7.20, ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2392 (Under certain conditions SAP Internet Graphics Server (IGS) 7.20, ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2391 (Under certain conditions a malicious user can prevent legitimate users ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2390 (Under certain conditions a malicious user can prevent legitimate users ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2389 (Under certain conditions a malicious user can inject log files of SAP ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2388 (Stored cross-site scripting vulnerability in SAP internet Graphics ...) - TODO: check + NOT-FOR-US: SAP internet Graphics Server CVE-2018-2387 (A vulnerability in the SAP internet Graphics Server, 7.20, 7.20EXT, ...) - TODO: check + NOT-FOR-US: SAP internet Graphics Server CVE-2018-2386 (Under certain conditions a malicious user provoking an out of bounds ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2385 (Under certain conditions a malicious user provoking a divide by zero ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2384 (Under certain conditions a malicious user provoking a Null Pointer ...) 
- TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2383 (Reflected cross-site scripting vulnerability in SAP internet Graphics ...) - TODO: check + NOT-FOR-US: SAP Internet Graphics Server CVE-2018-2382 (A vulnerability in the SAP internet Graphics Server, 7.20, 7.20EXT, ...) - TODO: check + NOT-FOR-US: SAP internet Graphics Server CVE-2018-2381 (SAP ERP Financials Information System (SAP_APPL 6.00, 6.02, 6.03, ...) - TODO: check + NOT-FOR-US: SAP ERP Financials Information System CVE-2018-2380 RESERVED CVE-2018-2379 (In SAP HANA Extended Application Services, 1.0, an unauthenticated ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2378 (In SAP HANA Extended Application Services, 1.0, unauthorized users can ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2377 (In SAP HANA Extended Application Services, 1.0, some general server ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2376 (In SAP HANA Extended Application Services, 1.0, a controller user who ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2375 (In SAP HANA Extended Application Services, 1.0, a controller user who ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2374 (In SAP HANA Extended Application Services, 1.0, a controller user who ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2373 (Under certain circumstances, a specific endpoint of the Controller's ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2372 (A plain keystore password is written to a system log file in SAP HANA ...) - TODO: check + NOT-FOR-US: SAP HANA Extended Application Services CVE-2018-2371 (The SAML 2.0 service provider of SAP Netweaver AS Java Web ...) 
- TODO: check + NOT-FOR-US: SAP Netweaver AS Java Web Application CVE-2018-2370 (Server Side Request Forgery (SSRF) vulnerability in SAP Central ...) - TODO: check + NOT-FOR-US: SAP Central Management Console CVE-2018-2369 (Under certain conditions SAP HANA, 1.00, 2.00, allows an ...) - TODO: check + NOT-FOR-US: SAP HANA CVE-2018-2368 RESERVED CVE-2018-2367 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9
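Review bot: the NOT-FOR-US product names in this hunk are spelled three different ways: CVE-2018-2395 gets "SAP Internet Graphic Server" (missing the trailing "s"), CVE-2018-2388, CVE-2018-2387 and CVE-2018-2382 get "SAP internet Graphics Server" with a lowercase "internet", and the remaining IGS entries use "SAP Internet Graphics Server". These strings are what later searches of data/CVE/list match on when the same product reappears, so normalise them to the one canonical spelling before the next batch of SAP entries inherits the variants.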
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-6942 as not affected for releases prior to 2.7.x upstream
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d098e6ca by Salvatore Bonaccorso at 2018-02-14T22:21:46+01:00 Mark CVE-2018-6942 as not affected for releases prior to 2.7.x upstream Ins_GETVARIATION function including the problematic code introduced post stretch released version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -227,6 +227,9 @@ CVE-2018-6943 RESERVED CVE-2018-6942 (An issue was discovered in FreeType 2 through 2.9. A NULL pointer ...) - freetype (bug #890450) + [stretch] - freetype (Vulnerable code introduced later) + [jessie] - freetype (Vulnerable code introduced later) + [wheezy] - freetype (Vulnerable code introduced later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736 NOTE: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef CVE-2018-6941 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d098e6cad34189f1c0618e0badf35348485b1bb3
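Review bot: the three "(Vulnerable code introduced later)" annotations for stretch, jessie and wheezy rest on the commit message's claim that the Ins_GETVARIATION code postdates the stretch release, but nothing in the entry itself records that. Add a NOTE line naming the upstream FreeType version or commit that introduced the function, so the not-affected status can be re-verified from the list alone; the two existing NOTE links (oss-fuzz issue 5736 and the fix commit 29c75928) document the fix, not the introduction of the vulnerable code.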
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add bug reference for CVE-2018-6942/freetype: #890450
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd05e56e by Salvatore Bonaccorso at 2018-02-14T22:18:43+01:00 Add bug reference for CVE-2018-6942/freetype: #890450 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -226,7 +226,7 @@ CVE-2018-6944 CVE-2018-6943 RESERVED CVE-2018-6942 (An issue was discovered in FreeType 2 through 2.9. A NULL pointer ...) - - freetype + - freetype (bug #890450) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5736 NOTE: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=29c759284e305ec428703c9a5831d0b1fc3497ef CVE-2018-6941 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cd05e56e5b73563a27d62521c5de771672a07bcf
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: ffmpeg fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c313afeb by Moritz Muehlenhoff at 2018-02-14T22:48:07+01:00 ffmpeg fixed - - - - - e420ae4b by Moritz Muehlenhoff at 2018-02-14T22:50:23+01:00 Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1153,7 +1153,7 @@ CVE-2017-18124 CVE-2018-6622 RESERVED CVE-2018-6621 (The decode_frame function in libavcodec/utvideodec.c in FFmpeg through ...) - - ffmpeg (low) + - ffmpeg 7:3.4.2-1 (low) [stretch] - ffmpeg (Wait for next 3.2.x release) - libav NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/118e1b0b3370dd1c0da442901b486689efd1654b @@ -1842,7 +1842,7 @@ CVE-2018-6394 CVE-2018-6393 (FreePBX 10.13.66-32bit and 14.0.1.24 (SNG7-PBX-64bit-1712-2) allow ...) NOT-FOR-US: FreePBX CVE-2018-6392 (The filter_slice function in libavfilter/vf_transpose.c in FFmpeg ...) - - ffmpeg + - ffmpeg 7:3.4.2-1 [stretch] - ffmpeg (Wait for next 3.2.x release) - libav NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/3f621455d62e46745453568d915badd5b1e5bcd5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9684082764b11bdcd38b2ebc7957570f68786bee...e420ae4b8ce6554237c13fbeb726a6fd53c3a2f3
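Review bot: both hunks leave the "- libav" line without any version or status annotation next to the now-versioned "- ffmpeg 7:3.4.2-1" entries. CVE-2018-6621 (decode_frame in libavcodec/utvideodec.c) and CVE-2018-6392 (filter_slice in libavfilter/vf_transpose.c) name files in the libavcodec/libavfilter tree that libav forked from ffmpeg, so record whether libav is affected, already fixed, or unaffected ("Vulnerable code not present" or a bug number) rather than leaving it looking unassessed. The "[stretch] - ffmpeg (Wait for next 3.2.x release)" deferral is consistent with the "(low)" severity on the first entry.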
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] remove TODO for thrift copy in HHVM, not relevant here
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 518d9e80 by Moritz Muehlenhoff at 2018-02-14T22:57:49+01:00 remove TODO for thrift copy in HHVM, not relevant here - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -82661,12 +82661,10 @@ CVE-2016-5398 (Cross-site scripting (XSS) vulnerability in Business Process Edit NOT-FOR-US: JBoss BPMS CVE-2016-5397 (The Apache Thrift Go client library exposed the potential during code ...) - thrift-compiler - - hhvm NOTE: https://issues.apache.org/jira/browse/THRIFT-3893 NOTE: https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e NOTE: Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present NOTE: src:thrift only present in experimental - TODO: check (hhvm embedds it, used?) CVE-2016-5396 (Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb ...) - trafficserver 7.0.0-1 [wheezy] - trafficserver (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/518d9e80209f0a93efe466835ae7f9a401a7fda8
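Review bot: deleting "- hhvm" together with "TODO: check (hhvm embedds it, used?)" removes the only trace of why the embedded thrift copy was looked at, and the commit message's "not relevant here" does not make it into the file. Keep a one-line NOTE stating the reason (for example, that the embedded copy does not ship the Apache Thrift Go client library the CVE description refers to) so the next pass that notices hhvm bundles thrift does not re-open the same question. While in this entry, "NOTE: Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present" would read more clearly as "fixed in experimental src:thrift 0.10.0-1".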
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DSA-4114-1 for jackson-databind (CVE-2017-17485, CVE-2018-5968)
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: ad3cd659 by Sébastien Delafond at 2018-02-15T07:51:44+01:00 Reserve DSA-4114-1 for jackson-databind (CVE-2017-17485, CVE-2018-5968) - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,7 @@ +[15 Feb 2018] DSA-4114-1 jackson-databind - security update + {CVE-2017-17485 CVE-2018-5968} + [jessie] - jackson-databind 2.4.2-2+deb8u3 + [stretch] - jackson-databind 2.8.6-1+deb9u3 [14 Feb 2018] DSA-4113-1 libvorbis - security update {CVE-2017-14632 CVE-2017-14633} [stretch] - libvorbis 1.3.5-4+deb9u1 = data/dsa-needed.txt = --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -26,10 +26,6 @@ graphicsmagick imagemagick Wait until more issues have piled up -- -jackson-databind (seb) - Markus Koschany prepared debdiffs and asked for advice/review in particular - for the CVE-2017-17485 backport. --- knot-resolver -- libav/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad3cd6592ffae8f9ce83bc4f316d410ffc713bf1
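Review bot: the dsa-needed.txt hunk deletes the note "Markus Koschany prepared debdiffs and asked for advice/review in particular for the CVE-2017-17485 backport" along with the "jackson-databind (seb)" assignment, so reserving the DSA number removes the last record of an open review request; confirm that the CVE-2017-17485 backport review was actually completed before DSA-4114-1 is published. The new DSA/list entry is complete on its own terms: both CVEs are listed and both suites carry their versions (jessie 2.4.2-2+deb8u3, stretch 2.8.6-1+deb9u3).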
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Reserve DLA-1283-1 for python-crypto
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 343971b6 by Brian May at 2018-02-15T18:30:28+11:00 Reserve DLA-1283-1 for python-crypto - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[15 Feb 2018] DLA-1283-1 python-crypto - security update + {CVE-2018-6594} + [wheezy] - python-crypto 2.6-4+deb7u8 [13 Feb 2018] DLA-1282-1 graphicsmagick - security update {CVE-2018-6799} [wheezy] - graphicsmagick 1.3.16-1.1+deb7u18 = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -58,8 +58,6 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- -python-crypto (Brian May) --- suricata (Santiago R.R.) NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c NOTE: does not exist. Code seems to be in SigMatchSignatures instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/343971b672d8d01e26549c5329d0b5233084bf70