[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7253/wavpack
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 83e2fce0 by Salvatore Bonaccorso at 2018-02-20T06:56:06+01:00 Add CVE-2018-7253/wavpack - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -4,6 +4,12 @@ CVE-2018-7254 [global buffer overflow while running wavpack] [wheezy] - wavpack (Vulnerable code not present) NOTE: https://github.com/dbry/WavPack/issues/26 NOTE: https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e +CVE-2018-7253 [heap buffer overflow while running wavpack] + - wavpack (bug #889559) + [jessie] - wavpack (Vulnerable code not present) + [wheezy] - wavpack (Vulnerable code not present) + NOTE: https://github.com/dbry/WavPack/issues/28 + NOTE: https://github.com/dbry/WavPack/commit/36a24c7881427d2e1e4dc1cef58f19eee0d13aec CVE-2018-7248 RESERVED CVE-2018-7247 (An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/83e2fce0919797b4356c41265e3aaa0310ff3ecc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/83e2fce0919797b4356c41265e3aaa0310ff3ecc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
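Review bot: the two NOTE lines for the new CVE-2018-7253 entry give only the upstream issue (#28) and the fixing commit 36a24c78, but nothing records which WavPack release contains that fix; the PyCryptodome and ohcount entries elsewhere in this file tag the fixing commit with the release in parentheses ("(3.4.10)", "(v3.1.0)"), and the same form here would save whoever prepares an update from re-deriving it. The unstable line also has no fixed version yet, so the entry stays open until the fixed upload is recorded.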
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2017-16670 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f4ea5d4 by Salvatore Bonaccorso at 2018-02-20T07:33:31+01:00 Mark CVE-2017-16670 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -20505,7 +20505,7 @@ CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 1 NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 CVE-2017-16670 (The project import functionality in SoapUI 5.3.0 allows remote ...) - TODO: check + NOT-FOR-US: SoapUI CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause ...) {DLA-1168-1} - graphicsmagick 1.3.26-19 (bug #881391) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f4ea5d4ba8e5a6f6cc5be655b4fc5c1bb21a269 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7f4ea5d4ba8e5a6f6cc5be655b4fc5c1bb21a269 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2018-6794/suricata: add note about wheezy
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 0241ef43 by Santiago R.R at 2018-02-20T00:09:49+01:00 CVE-2018-6794/suricata: add note about wheezy Signed-off-by: Santiago R.R santiag...@riseup.net - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -77,10 +77,8 @@ opencv (Thorsten Alteholz) openjdk-7 (Emilio Pozuelo) -- suricata (Santiago R.R.) - NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c - NOTE: does not exist. Code seems to be in SigMatchSignatures instead. - NOTE: StreamTcpInlineDropInvalid function does not exist at all. Perhaps contact - NOTE: upstream and ask for a clarification? + NOTE: Confirmed to be vulnerable. + NOTE: Follow security-team and tag it no-dsa? -- wordpress NOTE: 20180217: Upstream unsure how to fix at the moment (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0241ef43ac51500f28c75892eae575464d8cd9bc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0241ef43ac51500f28c75892eae575464d8cd9bc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
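Review bot: the hunk replaces four NOTE lines of concrete analysis (DetectFlow absent from detect.c, StreamTcpInlineDropInvalid absent) with "Confirmed to be vulnerable." but records neither who confirmed it nor where, so a later triager cannot reconcile the reversal with the earlier finding that those functions do not exist in the older source. Suggest keeping a one-line pointer to the confirmation (upstream reply, bug or list mail) and dating the note in the form this file already uses, as in the wordpress entry just below ("NOTE: 20180217: ..."). The trailing "Follow security-team and tag it no-dsa?" is a question rather than a status; either resolve it or mark it as an open TODO so the entry is not read as a decision.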
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7254/wavpack
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56e61828 by Salvatore Bonaccorso at 2018-02-20T06:53:42+01:00 Add CVE-2018-7254/wavpack - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,9 @@ +CVE-2018-7254 [global buffer overflow while running wavpack] + - wavpack (bug #889274) + [jessie] - wavpack (Vulnerable code not present) + [wheezy] - wavpack (Vulnerable code not present) + NOTE: https://github.com/dbry/WavPack/issues/26 + NOTE: https://github.com/dbry/WavPack/commit/8e3fe45a7bac31d9a3b558ae0079e2d92a04799e CVE-2018-7248 RESERVED CVE-2018-7247 (An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/56e61828a9685d148dc44a1c6fab9e52758deb9b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/56e61828a9685d148dc44a1c6fab9e52758deb9b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
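Review bot: the new CVE-2018-7254 entry annotates jessie and wheezy as "Vulnerable code not present" but carries no [stretch] line, so the tracker treats stretch as affected by default. If that is the assessment, an explicit NOTE stating that stretch's wavpack contains the vulnerable code would make it deliberate rather than a triage gap; if stretch predates the code as well, the same "Vulnerable code not present" tag applies there too. Recording the version that introduced the global buffer overflow (the form "introduced in X" is used for irssi in this file) would make both claims checkable.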
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-5123/bugzilla
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90c1def3 by Salvatore Bonaccorso at 2018-02-20T07:35:14+01:00 Add CVE-2018-5123/bugzilla - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -5679,6 +5679,8 @@ CVE-2018-5124 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/ CVE-2018-5123 RESERVED + - bugzilla4 (bug #669643) + - bugzilla CVE-2018-5122 RESERVED - firefox 58.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90c1def32344fedabe5ceffbcb48adcebe95ec58 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90c1def32344fedabe5ceffbcb48adcebe95ec58 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
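Review bot: the bugzilla4 line cites bug #669643, a BTS number from a range filed years before the 2018 CVE id, while the bugzilla line carries no bug reference or fixed version at all, and the entry is still RESERVED with no description. Add a NOTE with the upstream advisory or whatever reference ties CVE-2018-5123 to these two source packages, and double-check that #669643 is a report of this issue rather than an older packaging bug that happens to be open against bugzilla4.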
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add further note for CVE-2018-6594
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30445112 by Salvatore Bonaccorso at 2018-02-20T08:02:19+01:00 Add futher note for CVE-2018-6594 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1725,6 +1725,7 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generat NOTE: The issue is found as well in pycryptodome (fork from python-crypto) NOTE: PyCryptodome: https://github.com/Legrandin/pycryptodome/issues/90 NOTE: PyCrytpodome: https://github.com/Legrandin/pycryptodome/commit/99c27a3b9e8a884bbde0e88c63234b669d4398d8 (3.4.10) + NOTE: See further discussion as per https://github.com/Legrandin/pycryptodome/issues/90#issuecomment-362783537 CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) NOT-FOR-US: MalwareFox AntiMalware CVE-2018-6592 (Unisys Stealth Windows endpoints before 3.3.016.1 allow local users to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3044511221d2930a15a8a91a4bbb744cffa96958 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3044511221d2930a15a8a91a4bbb744cffa96958 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
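Review bot: the added NOTE ("See further discussion as per <url>") does not say what the discussion concludes, which is what the next triager needs; a short summary followed by the link would be more useful than the bare pointer. Separately, the context line immediately above it spells the project "PyCrytpodome"; since this commit already touches the adjacent line, the typo could be corrected in the same change.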
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process one new NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 440ff044 by Salvatore Bonaccorso at 2018-02-19T10:12:32+01:00 Process one new NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -19305,7 +19305,7 @@ CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially craf CVE-2017-16925 RESERVED CVE-2017-16924 (Remote Information Disclosure and Escalation of Privileges in ...) - TODO: check + NOT-FOR-US: ManageEngine Desktop Central CVE-2017-16923 (Command Injection vulnerability in app_data_center on Shenzhen Tenda ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16922 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/440ff0444eac4149886c41980e38f6a4815aace1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/440ff0444eac4149886c41980e38f6a4815aace1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13992df5 by security tracker role at 2018-02-19T09:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,9 @@ +CVE-2018-7224 + RESERVED +CVE-2018-7223 + RESERVED +CVE-2018-7222 + RESERVED CVE-2018-7221 RESERVED CVE-2018-7220 @@ -19298,8 +19304,8 @@ CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially craf NOTE: https://github.com/blackducksoftware/ohcount/commit/6bed45d6fb7c080ae5c163c12b4eb8749a3492ac (v3.1.0) CVE-2017-16925 RESERVED -CVE-2017-16924 - RESERVED +CVE-2017-16924 (Remote Information Disclosure and Escalation of Privileges in ...) + TODO: check CVE-2017-16923 (Command Injection vulnerability in app_data_center on Shenzhen Tenda ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16922 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13992df52119ede85b24605d013fe786c721f63a --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/13992df52119ede85b24605d013fe786c721f63a You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark CVE-2018-7169 as no-dsa for shadow in wheezy.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 486bb3ec by Chris Lamb at 2018-02-19T10:48:22+00:00 Mark CVE-2018-7169 as as no-dsa for shadow in wheezy. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -142,6 +142,7 @@ CVE-2018-7169 (An issue was discovered in shadow 4.5. newgidmap (in shadow-utils - shadow (bug #890557) [stretch] - shadow (Minor issue) [jessie] - shadow (Minor issue) + [wheezy] - shadow (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1729357 NOTE: https://github.com/shadow-maint/shadow/pull/97 CVE-2018-7168 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/486bb3ecb08903cf5488a82359d8e57d99ce085b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/486bb3ecb08903cf5488a82359d8e57d99ce085b You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
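Review bot: the wheezy annotation mirrors the existing stretch and jessie "(Minor issue)" lines, which is consistent; the commit message, however, reads "as as no-dsa" and should be "as no-dsa". Since the entry references shadow pull request #97, a "Fixed by:" prefix on that NOTE (the form used elsewhere in this file) would make the reference's role explicit rather than leaving it as a bare link.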
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 5 commits: Triage zziplib for LTS
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f213d3ef by Chris Lamb at 2018-02-19T10:51:25+00:00 Triage zziplib for LTS - - - - - 617b31db by Chris Lamb at 2018-02-19T10:51:41+00:00 data/dla-needed.txt: Correct ordering. - - - - - a489c643 by Chris Lamb at 2018-02-19T10:51:42+00:00 Claim zziplib in data/dla-needed.txt - - - - - c69ee5d0 by Chris Lamb at 2018-02-19T10:51:43+00:00 Mark CVE-2018-7208 in binutils as no-dsa in wheezy. - - - - - 9701f624 by Chris Lamb at 2018-02-19T10:51:43+00:00 Mark CVE-2017-18186, CVE-2017-18185, CVE-2017-18184, CVE-2017-18183 CVE-2015-9252 for qpdf as no-dsa in wheezy. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -34,6 +34,7 @@ CVE-2018-7208 (In the coff_pointerize_aux function in coffgen.c in the Binary Fi - binutils [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) + [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22741 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=eb77f6a4621795367a39cdd30957903af9dbb815 CVE-2018-7207 (National Payments Corporation of India (NPCI) Bharat Interface for ...) 
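Review bot: the new "[wheezy] - binutils (Minor issue)" line copies the stretch/jessie wording, but marking a release no-dsa presupposes that the coff_pointerize_aux code in coffgen.c is actually present in wheezy's binutils. If it is not, the accurate tag is "(Vulnerable code not present)" as used for the wavpack entries in this file; if it is, the line is fine as written. A short NOTE recording which was checked would stop the question being reopened at DLA time.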
@@ -689,24 +690,28 @@ CVE-2017-18186 (An issue was discovered in QPDF before 7.0.0. There is an infini - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) + [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/85f05cc57ffa0a863d9d9b23e73acea9410b2937 NOTE: https://github.com/qpdf/qpdf/issues/149 CVE-2017-18185 (An issue was discovered in QPDF before 7.0.0. There is a large ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) + [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/ec7d74a386c0b2f38990079c3b0d2a2b30be0e71 NOTE: https://github.com/qpdf/qpdf/issues/150 CVE-2017-18184 (An issue was discovered in QPDF before 7.0.0. There is a stack-based ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) + [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/dea704f0ab7f625e1e7b3f9a1110b45b63157317 NOTE: https://github.com/qpdf/qpdf/issues/147 CVE-2017-18183 (An issue was discovered in QPDF before 7.0.0. There is an infinite loop ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) + [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/8249a26d69f72b9cda584c14cc3f12769985e481 NOTE: https://github.com/qpdf/qpdf/issues/143 CVE-2017-18182 @@ -723,6 +728,7 @@ CVE-2015-9252 (An issue was discovered in QPDF before 7.0.0. Endless recursion c - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) + [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/701b518d5c56a1449825a3a37a716c58e05e1c3e NOTE: https://github.com/qpdf/qpdf/issues/51 CVE-2018-6927 (The futex_requeue function in kernel/futex.c in the Linux kernel before ...) = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
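Review bot: five [wheezy] lines are added here and each matches one CVE id in the commit message (CVE-2017-18186, -18185, -18184, -18183, CVE-2015-9252), so the hunks and the message agree; the message itself is missing a comma before CVE-2015-9252. All five reuse the "(Minor issue)" reason already given for stretch and jessie, which is consistent with the shared fixed version 7.0.0-1, though as with binutils above it assumes the affected code is present in wheezy's qpdf.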
@@ -42,16 +42,16 @@ lame (Hugo Lefeuvre) NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie. NOTE: I'll test it, submit the update for Jessie and backport the result to Wheezy on time. -- +leptonlib + NOTE: #885704 fix is incomplete and may require a CVE + NOTE: see also https://lists.debian.org/1518730488.2617.129.ca...@decadent.org.uk +-- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: It is unlikely that he will start again in the next weeks. NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: Help is welcome, feel free to mail Hugo. -- -leptonlib - NOTE: #885704 fix is incomplete and may require a CVE - NOTE: see also https://lists.debian.org/1518730488.2617.129.ca...@decadent.org.uk --- libgcrypt11 -- libmad (Kurt Roeckx) @@ -86,3 +86,6 @@ suricata (Santiago R.R.) -- wordpress NOTE: 20180217: Upstream unsure how to fix at the moment (lamby) +-- +zziplib (Chris Lamb) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/486bb3ecb08903cf5488a82359d8e57d99ce085b...9701f624773c56bbe0580bef2d524b2093b6 --- View it on GitLab:
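Review bot: the leptonlib block is moved above libav to restore alphabetical order, which the commit message "Correct ordering." covers. The new "zziplib (Chris Lamb)" claim, however, is added without any NOTE, whereas the other claimed entries (lame, libav, suricata) record status or scope; listing which zziplib CVE ids the triage covers would let the next person pick up where this leaves off. The trailing "View it on GitLab:" link is cut off in this mail.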
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] new strongswan issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bd67aff by Moritz Muehlenhoff at 2018-02-19T16:40:13+01:00 new strongswan issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -2133,6 +2133,11 @@ CVE-2018-6460 (Hotspot Shield runs a webserver with a static IP address 127.0.0. NOT-FOR-US: Hotspot Shield CVE-2018-6459 RESERVED + - strongswan + [stretch] - strongswan (Vulnerable code introduced later) + [jessie] - strongswan (Vulnerable code introduced later) + [wheezy] - strongswan (Vulnerable code introduced later) + NOTE: https://www.strongswan.org/blog/2018/02/19/strongswan-vulnerability-(cve-2018-6459).html CVE-2018-6458 RESERVED CVE-2018-6457 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4bd67aff9a545e8b5cd6be4430f8e06d747384ba --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4bd67aff9a545e8b5cd6be4430f8e06d747384ba You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
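Review bot: the three release lines for CVE-2018-6459 say "(Vulnerable code introduced later)" but do not record the strongswan version in which the code appeared, unlike the irssi entry in this file ("Vulnerable netsplit code introduced in 1.0.0"). Adding the version makes the claim checkable against the package versions in stretch, jessie and wheezy. The unstable line has no fixed version either; once the fixed upload lands it should be recorded so the entry does not stay open indefinitely.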
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2013-4376/x2goserver fixed version in unstable
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: 0355a3e3 by Laszlo Boszormenyi (GCS) at 2018-02-19T18:55:47+00:00 Add CVE-2013-4376/x2goserver fixed version in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -158910,7 +158910,8 @@ CVE-2013-4377 (Use-after-free vulnerability in the virtio-pci implementation in - qemu-kvm (Introduced in 1.4) NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440 CVE-2013-4376 (The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server ...) - - x2goserver + - x2goserver 4.1.0.0-1 + NOTE: Fixed by: https://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474ebe3763b2991681ddfcfa69a CVE-2013-4375 (The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before ...) - xen 4.2 [squeeze] - xen (Only affects 4.2 and later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0355a3e3e278fa029b16bc1997fb0baf3dc258d3 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0355a3e3e278fa029b16bc1997fb0baf3dc258d3 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] x2goserver is in the archive, its issues need triage
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: 9caffe49 by Laszlo Boszormenyi (GCS) at 2018-02-19T17:57:33+00:00 x2goserver is in the archive, its issues need triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -142594,7 +142594,7 @@ CVE-2014-3221 (Huawei Eudemon8000E firewall with software V200R001C01SPC800 and CVE-2014-3220 (F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote ...) NOT-FOR-US: F5 BIG-IQ CVE-2013-7383 (x2gocleansessions in X2Go Server before 4.0.0.8 and 4.0.1.x before ...) - - x2goserver (bug #465821) + - x2goserver CVE-2013-7375 (SQL injection vulnerability in includes/classes/Authenticate.class.php ...) NOT-FOR-US: PHP-Fusion CVE-2014-3145 (The BPF_S_ANC_NLATTR_NEST extension implementation in the ...) @@ -158908,7 +158908,7 @@ CVE-2013-4377 (Use-after-free vulnerability in the virtio-pci implementation in - qemu-kvm (Introduced in 1.4) NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440 CVE-2013-4376 (The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server ...) - - x2goserver (bug #465821) + - x2goserver CVE-2013-4375 (The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before ...) - xen 4.2 [squeeze] - xen (Only affects 4.2 and later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9caffe49070e285c78d8e06ee2980d37d6245497 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9caffe49070e285c78d8e06ee2980d37d6245497 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
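Review bot: both x2goserver lines drop "(bug #465821)" without a NOTE explaining why; a BTS number in that range is years older than either CVE, so it was most likely the package's packaging or ITP bug rather than a report of these issues. If so, a one-line NOTE saying that (or pointing at the real bug, if one exists) would stop someone from re-adding the reference. The commit message's "its issues need triage" signals that follow-up commits were planned, which matches the later fixed-version commits for both CVEs.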
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2013-7383/x2goserver fixed version in unstable
László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker Commits: c614b1c5 by Laszlo Boszormenyi (GCS) at 2018-02-19T18:42:54+00:00 Add CVE-2013-7383/x2goserver fixed version in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -142594,7 +142594,9 @@ CVE-2014-3221 (Huawei Eudemon8000E firewall with software V200R001C01SPC800 and CVE-2014-3220 (F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote ...) NOT-FOR-US: F5 BIG-IQ CVE-2013-7383 (x2gocleansessions in X2Go Server before 4.0.0.8 and 4.0.1.x before ...) - - x2goserver + - x2goserver 4.1.0.0-1 + NOTE: Fixed by: https://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=80ff6997550749a64dd5db5684acbd47a4127ab3 + NOTE: Fixed by: https://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=c2036a1152a7e57286ffeb8e8859177f8de64a33 CVE-2013-7375 (SQL injection vulnerability in includes/classes/Authenticate.class.php ...) NOT-FOR-US: PHP-Fusion CVE-2014-3145 (The BPF_S_ANC_NLATTR_NEST extension implementation in the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c614b1c5d411561241b7e7c5a1927b97e3581413 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c614b1c5d411561241b7e7c5a1927b97e3581413 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2015-9253/php
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f431891 by Salvatore Bonaccorso at 2018-02-19T22:25:59+01:00 Add CVE-2015-9253/php - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -46,7 +46,12 @@ CVE-2018-7227 CVE-2017-18191 (An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x ...) TODO: check CVE-2015-9253 (An issue was discovered in PHP through 7.2.2. The php-fpm master ...) - TODO: check + - php7.2 + - php7.1 + - php7.0 + - php5 + NOTE: https://bugs.php.net/bug.php?id=70185 + NOTE: https://bugs.php.net/bug.php?id=75968 CVE-2018-7226 (An issue was discovered in vcSetXCutTextProc() in VNConsole.c in ...) - vncterm NOTE: https://github.com/LibVNC/vncterm/issues/6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f431891c450da4e8ee2f24287a3d3d1e38f3089 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f431891c450da4e8ee2f24287a3d3d1e38f3089 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
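Review bot: the four source entries (php7.2, php7.1, php7.0, php5) for CVE-2015-9253 carry no fixed versions and no [stretch]/[jessie]/[wheezy] annotations, so every suite now shows an open, unassessed issue. The two php.net bug references are useful, but a NOTE with a severity assessment (whether the php-fpm master process issue warrants an update or is a minor issue) would tell the stable and LTS teams what to do with it; failing that, a "TODO: assess" marker would at least flag that triage is still pending.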
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove wrong commit from CVE-2018-7054
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21098fbe by Salvatore Bonaccorso at 2018-02-19T22:37:51+01:00 Remove wrong commit from CVE-2018-7054 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -439,8 +439,7 @@ CVE-2018-7054 (An issue was discovered in Irssi before 1.0.7 and 1.1.x before 1. [jessie] - irssi (Vulnerable netsplit code introduced in 1.0.0) [wheezy] - irssi (Vulnerable netsplit code introduced in 1.0.0) NOTE: https://irssi.org/security/irssi_sa_2018_02.txt - NOTE: Fixed by: https://github.com/irssi/irssi/commit/e405330e04dc344797f00c12cf8fd7f63b17e0e4 - NOTE: Some (additional) netsplit related changes as introduced in 1.0.0 were reverted: + NOTE: Some netsplit related changes as introduced in 1.0.0 were reverted: NOTE: https://github.com/irssi/irssi/commit/7605f67f95b6ee1ac26dd8fb7f3121f319497943 NOTE: https://github.com/irssi/irssi/commit/fa8508404f4c4a02749cae5148662e2322c2abf0 NOTE: https://github.com/irssi/irssi/commit/a4f99ae746efb121185fe76c392a64d743a9eb92 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/21098fbe4139f1ab3ae56d1fde7e3cabe4abd5cf --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/21098fbe4139f1ab3ae56d1fde7e3cabe4abd5cf You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
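Review bot: the commit message says the removed "Fixed by:" reference to commit e405330e was wrong, but the remaining NOTEs do not say what the correct fix is; after this change the entry lists only the reverts of the 1.0.0 netsplit changes (7605f67f, fa850840, a4f99ae7). If those reverts are the fix, a NOTE stating so explicitly ("Fixed by the reverts below:") would save the next reader from hunting for a missing fix commit; if a separate fix exists, its reference should replace the removed one.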
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] libav DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fea789a4 by Moritz Muehlenhoff at 2018-02-19T22:41:14+01:00 libav DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = --- a/data/DSA/list +++ b/data/DSA/list @@ -1,3 +1,6 @@ +[19 Feb 2018] DSA-4119-1 libav - security update + {CVE-2017-16803} + [jessie] - libav 6:11.12-1~deb8u1 [17 Feb 2018] DSA-4118-1 tomcat-native - security update {CVE-2017-15698} [jessie] - tomcat-native 1.1.32~repack-2+deb8u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fea789a4239a8d6a6df35ac60429dd8b648ef8f4 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fea789a4239a8d6a6df35ac60429dd8b648ef8f4 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
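Review bot: the DSA-4119-1 entry lists only a jessie version (6:11.12-1~deb8u1) for CVE-2017-16803; that is consistent if stretch no longer ships libav, but the stretch status should then be visible on the CVE side so the omission reads as deliberate. The date and layout match the neighbouring DSA-4118-1 entry.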
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2017-18191/nova
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 397e2fcb by Salvatore Bonaccorso at 2018-02-19T22:50:45+01:00 Add CVE-2017-18191/nova - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -44,7 +44,9 @@ CVE-2018-7228 CVE-2018-7227 RESERVED CVE-2017-18191 (An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x ...) - TODO: check + - nova + NOTE: https://launchpad.net/bugs/1739593 + NOTE: https://review.openstack.org/539893 CVE-2015-9253 (An issue was discovered in PHP through 7.2.2. The php-fpm master ...) - php7.2 - php7.1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/397e2fcbf73b6d13662ef6c55de179314692d4e1 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/397e2fcbf73b6d13662ef6c55de179314692d4e1 You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
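Review bot: the nova entry is added without release annotations. The description's range ("15.x through 15.1.0 and 16.x ...") reflects the upstream branches that received the fix, not necessarily the oldest affected version, so jessie's and wheezy's nova need their own check before the entry is left as implicitly affected; a [jessie]/[wheezy] line with the outcome, or a NOTE saying the older versions are still to be checked, would close that gap. No fixed version is given for unstable either, which is fine only while the fix is not yet uploaded.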
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7da567d5 by Salvatore Bonaccorso at 2018-02-19T22:53:31+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -14638,11 +14638,11 @@ CVE-2018-1413 CVE-2018-1412 RESERVED CVE-2018-1411 (IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) ...) - TODO: check + NOT-FOR-US: IBM Notes Diagnostics CVE-2018-1410 (IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) ...) - TODO: check + NOT-FOR-US: IBM Notes Diagnostics CVE-2018-1409 (IBM Notes Diagnostics (IBM Client Application Access and IBM Notes) ...) - TODO: check + NOT-FOR-US: IBM Notes Diagnostics CVE-2018-1408 RESERVED CVE-2018-1407 @@ -118829,7 +118829,7 @@ CVE-2015-2325 [heap buffer overflow in compile_branch()] NOTE: Comment from upstream: Probably every version since the support for forward referencing NOTE: was introduced is affected. CVE-2015-2324 (Cross-site scripting (XSS) vulnerability in the filemanager in the ...) - TODO: check + NOT-FOR-US: filemanager in the Photo Gallery plugin for WordPress CVE-2015-2323 (FortiOS 5.0.x before 5.0.12 and 5.2.x before 5.2.4 supports anonymous, ...) NOT-FOR-US: FortiOS CVE-2015-2322 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7da567d56264d96e904feaa226fd72cec09b34fc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7da567d56264d96e904feaa226fd72cec09b34fc You're receiving this email because of your account on salsa.debian.org. ___ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef75b531 by Salvatore Bonaccorso at 2018-02-19T23:01:20+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -71,7 +71,7 @@ CVE-2018-7221 CVE-2018-7220 RESERVED CVE-2018-7219 (application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as ...) - TODO: check + NOT-FOR-US: NoneCms CVE-2018-7218 RESERVED CVE-2018-7217 (In Bravo Tejari Procurement Portal, uploaded files are not properly ...) @@ -120,7 +120,7 @@ CVE-2018-7199 CVE-2018-7198 (October CMS through 1.0.431 allows XSS by entering HTML on the Add ...) NOT-FOR-US: October CMS CVE-2018-7197 (An issue was discovered in Pluck through 4.7.4. A stored cross-site ...) - TODO: check + NOT-FOR-US: Pluck CMS CVE-2018-7196 RESERVED CVE-2018-7195 @@ -1716,7 +1716,7 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generat CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) NOT-FOR-US: MalwareFox AntiMalware CVE-2018-6592 (Unisys Stealth Windows endpoints before 3.3.016.1 allow local users to ...) - TODO: check + NOT-FOR-US: Unisys Stealth Windows endpoints CVE-2018-6591 (Converse.js and Inverse.js through 3.3 allow remote attackers to obtain ...) TODO: check CVE-2018-6590 
@@ -2099,13 +2099,13 @@ CVE-2017-18097 CVE-2017-18096 RESERVED CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before version ...) - TODO: check + NOT-FOR-US: Atlassian Crucible CVE-2017-18094 RESERVED CVE-2017-18093 (Various resources in Atlassian Fisheye and Crucible before version ...) - TODO: check + NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18092 (The print snippet resource in Atlassian Crucible before version 4.4.3 ...) - TODO: check + NOT-FOR-US: Atlassian Crucible CVE-2017-18091 (The admin backupprogress action in Atlassian Fisheye and Crucible ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18090 (Various resources in Atlassian Fisheye before version 4.5.1 (the fixed ...) @@ -3515,7 +3515,7 @@ CVE-2018-5989 (SQL Injection exists in the ccNewsletter 2.x component for Joomla CVE-2018-5988 (SQL Injection exists in Flexible Poll 1.2 via the id parameter to ...) NOT-FOR-US: Flexible Poll CVE-2018-5987 (SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 ...) - TODO: check + NOT-FOR-US: Pinterest Clone Social Pinboard component for Joomla! CVE-2018-5986 (SQL Injection exists in Easy Car Script 2014 via the s_order or s_row ...) NOT-FOR-US: Easy Car Script CVE-2018-5985 (SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for ...) 
@@ -3523,13 +3523,13 @@ CVE-2018-5985 (SQL Injection exists in the LiveCRM SaaS Cloud 1.0 component for CVE-2018-5984 (SQL Injection exists in the Tumder (An Arcade Games Platform) 2.1 ...) NOT-FOR-US: Tumder CVE-2018-5983 (SQL Injection exists in the JquickContact 1.3.2.2.1 component for ...) - TODO: check + NOT-FOR-US: JquickContact component for Joomla! CVE-2018-5982 (SQL Injection exists in the Advertisement Board 3.1.0 component for ...) - TODO: check + NOT-FOR-US: Advertisement Board component for Joomla! CVE-2018-5981 (SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via ...) - TODO: check + NOT-FOR-US: Gallery WD component for Joomla! CVE-2018-5980 (SQL Injection exists in the Solidres 2.5.1 component for Joomla! via ...) - TODO: check + NOT-FOR-US: Solidres component for Joomla! CVE-2018-5979 (SQL Injection exists in Wchat Fully Responsive PHP AJAX Chat Script 1.5 ...) NOT-FOR-US: Wchat Fully Responsive PHP AJAX Chat Script CVE-2018-5978 (SQL Injection exists in Facebook Style Php Ajax Chat Zechat 1.5 via the ...) @@ -3539,17 +3539,17 @@ CVE-2018-5977 (SQL Injection exists in Affiligator Affiliate Webshop Management CVE-2018-5976 (Cross Site Request Forgery (CSRF) exists in RSVP Invitation Online 1.0 ...) NOT-FOR-US: RSVP Invitation Online CVE-2018-5975 (SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! ...) - TODO: check + NOT-FOR-US: Smart Shoutbox component for Joomla! CVE-2018-5974 (SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! ...) - TODO: check + NOT-FOR-US: SimpleCalendar component for Joomla! CVE-2018-5973 (SQL Injection exists in Professional Local Directory Script 1.0 via ...) NOT-FOR-US: Professional Local Directory Script CVE-2018-5972 (SQL Injection exists in Classified Ads CMS Quickad 4.0 via the ...) NOT-FOR-US: Classified Ads CMS Quickad
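Review bot: in the hunk at line 1716, CVE-2018-6591 (Converse.js and Inverse.js through 3.3) is left at "TODO: check" while its neighbour CVE-2018-6592 is resolved to NOT-FOR-US in the same hunk; if the Converse.js entry is pending a package lookup, it would be worth saying so in a NOTE line or resolving it in the same pass, since a single TODO sitting between resolved entries is easy to lose track of.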
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c81330c by security tracker role at 2018-02-19T21:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,55 @@ -CVE-2018-7226 [VNConsole.c: vcSetXCutTextProc() integer overflow and unchecked malloc()] +CVE-2018-7248 + RESERVED +CVE-2018-7247 (An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in ...) + TODO: check +CVE-2018-7246 + RESERVED +CVE-2018-7245 + RESERVED +CVE-2018-7244 + RESERVED +CVE-2018-7243 + RESERVED +CVE-2018-7242 + RESERVED +CVE-2018-7241 + RESERVED +CVE-2018-7240 + RESERVED +CVE-2018-7239 + RESERVED +CVE-2018-7238 + RESERVED +CVE-2018-7237 + RESERVED +CVE-2018-7236 + RESERVED +CVE-2018-7235 + RESERVED +CVE-2018-7234 + RESERVED +CVE-2018-7233 + RESERVED +CVE-2018-7232 + RESERVED +CVE-2018-7231 + RESERVED +CVE-2018-7230 + RESERVED +CVE-2018-7229 + RESERVED +CVE-2018-7228 + RESERVED +CVE-2018-7227 + RESERVED +CVE-2017-18191 (An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x ...) + TODO: check +CVE-2015-9253 (An issue was discovered in PHP through 7.2.2. The php-fpm master ...) + TODO: check +CVE-2018-7226 (An issue was discovered in vcSetXCutTextProc() in VNConsole.c in ...) - vncterm NOTE: https://github.com/LibVNC/vncterm/issues/6 -CVE-2018-7225 [libvncserver/rfbserver.c: rfbProcessClientNormalMessage() case rfbClientCutText doesn't sanitize msg.cct.length] +CVE-2018-7225 (An issue was discovered in LibVNCServer through 0.9.11. ...) - libvncserver NOTE: https://github.com/LibVNC/libvncserver/issues/218 CVE-2018-7224 @@ -14,8 +62,8 @@ CVE-2018-7221 RESERVED CVE-2018-7220 RESERVED -CVE-2018-7219 - RESERVED +CVE-2018-7219 (application/admin/controller/Admin.php in NoneCms 1.3.0 has CSRF, as ...) + TODO: check CVE-2018-7218 RESERVED CVE-2018-7217 (In Bravo Tejari Procurement Portal, uploaded files are not properly ...) 
@@ -1660,10 +1708,10 @@ CVE-2018-6594 (lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generat NOTE: PyCrytpodome: https://github.com/Legrandin/pycryptodome/commit/99c27a3b9e8a884bbde0e88c63234b669d4398d8 (3.4.10) CVE-2018-6593 (An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper ...) NOT-FOR-US: MalwareFox AntiMalware -CVE-2018-6592 - RESERVED -CVE-2018-6591 - RESERVED +CVE-2018-6592 (Unisys Stealth Windows endpoints before 3.3.016.1 allow local users to ...) + TODO: check +CVE-2018-6591 (Converse.js and Inverse.js through 3.3 allow remote attackers to obtain ...) + TODO: check CVE-2018-6590 RESERVED CVE-2018-6589 @@ -2043,14 +2091,14 @@ CVE-2017-18097 RESERVED CVE-2017-18096 RESERVED -CVE-2017-18095 - RESERVED +CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before version ...) + TODO: check CVE-2017-18094 RESERVED -CVE-2017-18093 - RESERVED -CVE-2017-18092 - RESERVED +CVE-2017-18093 (Various resources in Atlassian Fisheye and Crucible before version ...) + TODO: check +CVE-2017-18092 (The print snippet resource in Atlassian Crucible before version 4.4.3 ...) + TODO: check CVE-2017-18091 (The admin backupprogress action in Atlassian Fisheye and Crucible ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18090 (Various resources in Atlassian Fisheye before version 4.5.1 (the fixed ...) @@ -4697,12 +4745,12 @@ CVE-2018-5477 RESERVED CVE-2018-5476 RESERVED -CVE-2018-5475 - RESERVED +CVE-2018-5475 (A Stack-based Buffer Overflow issue was discovered in GE D60 Line ...) + TODO: check CVE-2018-5474 RESERVED -CVE-2018-5473 - RESERVED +CVE-2018-5473 (An Improper Restriction of Operations within the Bounds of a Memory ...) + TODO: check CVE-2018-5472 RESERVED CVE-2018-5471 
@@ -4769,8 +4817,8 @@ CVE-2018-5441 (An Improper Validation of Integrity Check Value issue was discove NOT-FOR-US: PHOENIX CONTACT mGuard firmware CVE-2018-5440 (A Stack-based Buffer Overflow issue was discovered in 3S-Smart CODESYS ...) NOT-FOR-US: 3S-Smart -CVE-2018-5439 - RESERVED +CVE-2018-5439 (A Command Injection issue was discovered in Nortek Linear eMerge E3 ...) + TODO: check CVE-2018-5438 RESERVED CVE-2018-5437 @@ -4885,26 +4933,22 @@ CVE-2018-5383 RESERVED CVE-2018-5382 RESERVED -CVE-2018-5381 [fix infinite loop on certain invalid OPEN messages] - RESERVED +CVE-2018-5381 (The Quagga BGP daemon (bgpd) prior to version 1.2.3 has a bug in its ...) {DSA-4115-1
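Review bot: the first hunk (line 1) replaces the hand-written summaries for CVE-2018-7226 and CVE-2018-7225 with the truncated official descriptions, and in doing so drops the only place that recorded the affected code paths (VNConsole.c vcSetXCutTextProc() with its unchecked malloc(), and rfbProcessClientNormalMessage() not sanitizing msg.cct.length in libvncserver/rfbserver.c). The surviving "- vncterm" / "- libvncserver" lines and the two issue URLs do not carry that detail, so anyone checking whether a given suite ships the vulnerable code has to re-derive it from the upstream issues; keeping that text in a NOTE line (for example "NOTE: affected code: rfbserver.c rfbProcessClientNormalMessage(), rfbClientCutText length check") would let the automatic description refresh overwrite the bracketed summary without losing it. The same applies to the CVE-2018-5381 Quagga entry later in the patch, where "[fix infinite loop on certain invalid OPEN messages]" is replaced by the generic bgpd description.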
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add CVE-2018-7247/leptonlib issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b52fd380 by Salvatore Bonaccorso at 2018-02-19T22:16:04+01:00 Add CVE-2018-7247/leptonlib issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,7 +1,8 @@ CVE-2018-7248 RESERVED CVE-2018-7247 (An issue was discovered in pixHtmlViewer in prog/htmlviewer.c in ...) - TODO: check + - leptonlib + NOTE: https://github.com/DanBloomberg/leptonica/commit/c1079bb8e77cdd426759e466729917ca37a3ed9f CVE-2018-7246 RESERVED CVE-2018-7245 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b52fd380370bf52fb69182830a6bdddad868697f
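Review bot: the new "- leptonlib" line carries neither a fixed version nor a Debian bug reference, so the package is now recorded as affected in every suite with nothing pointing maintainers at the fix beyond the upstream commit URL; filing a bug and appending "(bug #NNNNN)" in the usual form, or the fixed version once it is uploaded, would close that gap. Separately, the description places the issue in pixHtmlViewer in prog/htmlviewer.c, which is one of the standalone programs under prog/ rather than the library proper; whether the Debian package actually ships that program decides how much of the archive is exposed, and that is worth a NOTE line or a severity tag either way.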
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Adjust status for CVE-2013-7383 for x2goserver
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4fd90ca7 by Salvatore Bonaccorso at 2018-02-19T20:40:43+01:00 Adjust status for CVE-2013-7383 for x2goserver The issue was fixed upstream before, and in Debian with the initial commit, thus mark it as not-affected with a note that it was fixed with the first upload to Debian. Thus affected code was never in Debian. Reference the fixing commits as per http://www.openwall.com/lists/oss-security/2014/05/19/9 - - - - - 80bb4608 by Salvatore Bonaccorso at 2018-02-19T20:44:01+01:00 Update status for CVE-2013-4376 Mark this one as well as not-affected since fixed in Debian included with the initial upload (to unstable) and fixed upstream before. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list 
@@ -142595,9 +142595,11 @@ CVE-2014-3221 (Huawei Eudemon8000E firewall with software V200R001C01SPC800 and CVE-2014-3220 (F5 BIG-IQ Cloud and Security 4.0.0 through 4.1.0 allows remote ...) NOT-FOR-US: F5 BIG-IQ CVE-2013-7383 (x2gocleansessions in X2Go Server before 4.0.0.8 and 4.0.1.x before ...) - - x2goserver 4.1.0.0-1 - NOTE: Fixed by: https://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=80ff6997550749a64dd5db5684acbd47a4127ab3 - NOTE: Fixed by: https://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=c2036a1152a7e57286ffeb8e8859177f8de64a33 + - x2goserver (Fixed with first upload to Debian) + NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=5a2aa0c36ef7a57d87e3bb6f7c6b2558ed5430f7 (4.0.1.10) + NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=b03665513ab1969b069c1351fe17cbb8b5fca256 (4.0.0.8) + NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=8347d3fef0e5cbabe4aa48f503612fa7b9d078f8 (4.0.0.8) + NOTE: Fixed by: http://code.x2go.org/gitweb?p=x2goserver.git;a=commit;h=bf44925ecccda436caa1cfc34f89eced9c1bd104 (4.0.0.8) CVE-2013-7375 (SQL injection vulnerability in includes/classes/Authenticate.class.php ...) NOT-FOR-US: PHP-Fusion CVE-2014-3145 (The BPF_S_ANC_NLATTR_NEST extension implementation in the ...) 
@@ -158911,7 +158913,7 @@ CVE-2013-4377 (Use-after-free vulnerability in the virtio-pci implementation in - qemu-kvm (Introduced in 1.4) NOTE: patches: http://thread.gmane.org/gmane.comp.emulators.qemu/234440 CVE-2013-4376 (The setgid wrapper libx2go-server-db-sqlite3-wrapper.c in X2Go Server ...) - - x2goserver 4.1.0.0-1 + - x2goserver (Fixed with first upload to Debian) NOTE: Fixed by: https://code.x2go.org/gitweb?p=x2goserver.git;a=commitdiff;h=42264c88d7885474ebe3763b2991681ddfcfa69a CVE-2013-4375 (The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before ...) - xen 4.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9763c9c0c64129fd94fdb25b84e95e195b47a0ef...80bb4608b58a6b87b30bc31de03e10ae02b459ec
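Review bot: in the CVE-2013-7383 hunk (line 142595) the replacement package line reads "- x2goserver (Fixed with first upload to Debian)" with no status keyword between the package name and the parenthesised reason, yet the commit message says the entry is being marked not-affected. In the tracker's syntax a package line without a version or a status keyword is read as still affected, so unless the mail rendering has simply dropped an angle-bracketed "not-affected" token from the line, the change does the opposite of what is intended; please confirm the committed line carries the keyword. A smaller point in the same hunk: the four new "Fixed by:" notes switch from https:// to http:// for code.x2go.org, whereas the lines they replace used https://, and there is no reason to downgrade the scheme for the references.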
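Review bot: the CVE-2013-4376 hunk (line 158911) has the same shape as the 7383 change, "- x2goserver (Fixed with first upload to Debian)" with nothing between the package name and the reason; if that is how the line was committed, the entry is still recorded as affected rather than not-affected, so the status keyword needs adding. The remaining "Fixed by:" note for this entry keeps the a=commitdiff form of the gitweb URL while the 7383 notes were moved to a=commit with the fixed upstream version appended; aligning the two entries (and adding the upstream version here too) would make the "fixed upstream before" claim in the commit message checkable from the entry itself.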
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] CVE-2017-18187, polarssl: Wheezy is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fbed816b by Markus Koschany at 2018-02-19T20:11:31+01:00 CVE-2017-18187,polarssl: Wheezy is not affected. The vulnerable function and code are not present. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -598,6 +598,7 @@ CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlin CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an ...) - mbedtls 2.7.0-2 - polarssl + [wheezy] - polarssl (vulnerable code not present) NOTE: https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28 CVE-2018-7032 (webcheckout in myrepos through 1.20171231 does not sanitize URLs that ...) - myrepos (bug #840014) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbed816b973269288e107f9bc0eae52dcc462dce
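Review bot: the added "[wheezy] - polarssl (vulnerable code not present)" line shows no status keyword between the package name and the reason, so as rendered it would leave wheezy marked affected rather than not-affected, contradicting the commit message; if the mail has stripped an angle-bracketed "not-affected" token this is moot, otherwise the keyword is missing. It would also help to cite the evidence for "vulnerable function and code are not present" in the entry, since the only reference is the upstream mbedtls fix commit (83c9f495), which is against 2.7.0-era code and does not by itself show that the wheezy polarssl version lacks the affected path; a NOTE naming the function that is absent gives later triagers something to verify. Finally, the unversioned "- polarssl" line above it still reads as affected in the other suites, which is presumably intentional given the separate "- mbedtls 2.7.0-2" line, but worth a glance.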
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Remove polarssl from dla-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9763c9c0 by Markus Koschany at 2018-02-19T20:13:00+01:00 Remove polarssl from dla-needed.txt. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -76,8 +76,6 @@ opencv (Thorsten Alteholz) -- openjdk-7 (Emilio Pozuelo) -- -polarssl (Markus Koschany) --- suricata (Santiago R.R.) NOTE: Hard to tell whether the package is vulnerable. DetectFlow in detect.c NOTE: does not exist. Code seems to be in SigMatchSignatures instead. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9763c9c0c64129fd94fdb25b84e95e195b47a0ef
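Review bot: the removal of "polarssl (Markus Koschany)" from dla-needed.txt is justified only if CVE-2017-18187 was the sole open wheezy issue for the package; the commit message does not say that was checked, so a short statement in the message (or a NOTE in the CVE entry) that no other unfixed polarssl CVEs remain for wheezy would make the removal auditable rather than implicit. The hunk itself is clean: the "--" separator that followed the entry goes with it, so the list structure between openjdk-7 and suricata stays intact.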
[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-7225/libvncserver
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20027176 by Salvatore Bonaccorso at 2018-02-19T20:55:27+01:00 Add CVE-2018-7225/libvncserver - - - - - 56b7ba12 by Salvatore Bonaccorso at 2018-02-19T20:56:38+01:00 Add CVE-2018-7226/vncterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = --- a/data/CVE/list +++ b/data/CVE/list @@ -1,3 +1,9 @@ +CVE-2018-7226 [VNConsole.c: vcSetXCutTextProc() integer overflow and unchecked malloc()] + - vncterm + NOTE: https://github.com/LibVNC/vncterm/issues/6 +CVE-2018-7225 [libvncserver/rfbserver.c: rfbProcessClientNormalMessage() case rfbClientCutText doesn't sanitize msg.cct.length] + - libvncserver + NOTE: https://github.com/LibVNC/libvncserver/issues/218 CVE-2018-7224 RESERVED CVE-2018-7223 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/80bb4608b58a6b87b30bc31de03e10ae02b459ec...56b7ba12d1fa494c647f0529e598f1c5f758137a
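Review bot: both new entries record the package as affected with no Debian bug number, no fixed version and no severity tag, and the only references are upstream issue reports rather than fix commits; since the summaries describe an unchecked length on a client-supplied message (msg.cct.length) reaching malloc(), these are server-side memory-safety bugs in network-facing code and would normally warrant a filed bug "(bug #NNNNN)" on each package line so the maintainers are notified, plus a NOTE pointing at the upstream fix once one lands. Also worth a quick check that vncterm in Debian actually builds from the VNConsole.c copy referenced by the vncterm issue rather than linking the system libvncserver, since that decides whether CVE-2018-7226 is a separate fix or falls out of the libvncserver one.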