[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 5 commits: Add CVE-2017-1000455/guix, itp'ed, #850644

Salvatore Bonaccorso carnil at debian.org
Wed Jan 3 06:14:45 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
034d182b by Salvatore Bonaccorso at 2018-01-03T07:12:20+01:00
Add CVE-2017-1000455/guix, itp'ed, #850644

- - - - -
ade6c047 by Salvatore Bonaccorso at 2018-01-03T07:12:48+01:00
Add CVE-2017-1000445/imagemagick

- - - - -
c670daa1 by Salvatore Bonaccorso at 2018-01-03T07:13:52+01:00
Add CVE-2017-1000423/b2evolution

- - - - -
837a94f0 by Salvatore Bonaccorso at 2018-01-03T07:14:08+01:00
Add CVE-2017-1000421/gifsicle

- - - - -
97471040 by Salvatore Bonaccorso at 2018-01-03T07:14:29+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,17 +1,18 @@
 CVE-2017-1000458 (Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the ...)
 	TODO: check
 CVE-2017-1000457 (Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal ...)
-	TODO: check
+	NOT-FOR-US: mojoPortal
 CVE-2017-1000456 (freedesktop.org libpoppler 0.60.1 fails to validate boundaries in ...)
 	- poppler 0.61.1-2
 	NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103116
 	NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=7ee9dadef37b20bca707a6b1e858e17d191e368b
 CVE-2017-1000455 (GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d ...)
-	TODO: check
+	- guix <itp> (bug #850644)
+	NOTE: https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html
 CVE-2017-1000454 (CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template ...)
-	TODO: check
+	NOT-FOR-US: CMS Made Simple
 CVE-2017-1000453 (CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty ...)
-	TODO: check
+	NOT-FOR-US: CMS Made Simple
 CVE-2017-1000452 (An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and ...)
 	TODO: check
 CVE-2017-1000451 (fs-git is a file system like api for git repository. The fs-git ...)
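Review bot: the new guix entry for CVE-2017-1000455 records the ITP bug (#850644) and the guix-devel thread but not the fixing commit, even though the CVE description in the context line names it ("GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d"); adding a "NOTE: Fixed by:" line with that commit, as the poppler entry above does, would let a later reader verify the fix without reopening the mailing-list thread. The NOT-FOR-US resolutions for mojoPortal and CMS Made Simple match the product names in their descriptions.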
@@ -25,7 +26,10 @@ CVE-2017-1000449 (BitThunder 0.9.2 stable is vulnerable to a buffer overflow in 
 CVE-2017-1000448 (Structured Data Linter versions 2.4.1 and older are vulnerable to a ...)
 	TODO: check
 CVE-2017-1000445 (ImageMagick 7.0.7-1 and older version are vulnerable to null pointer ...)
-	TODO: check
+	- imagemagick <unfixed>
+	NOTE: https://github.com/ImageMagick/ImageMagick/issues/775
+	NOTE: https://github.com/ImageMagick/ImageMagick/commit/441fde32557eb3cec573b0f877ac324173feed7f
+	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/839a14e43d0c88db7b3fffe8aa4ec57d80c93623
 CVE-2017-1000444 (Eleix Openhacker version 0.1.47 is vulnerable to an SQL injection in ...)
 	TODO: check
 CVE-2017-1000443 (Eleix Openhacker version 0.1.47 is vulnerable to a XSS vulnerability ...)
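Review bot: the three NOTE lines for CVE-2017-1000445 label the ImageMagick-6 commit but leave the first commit URL unlabelled, so the entry does not say that https://github.com/ImageMagick/ImageMagick/commit/441fde32557eb3cec573b0f877ac324173feed7f is the ImageMagick-7 fix for issue #775; prefixing it the same way (for example "NOTE: Fixed by: ..." or "NOTE: ImageMagick-7: ...") would keep the two commit lines parallel. The entry is also marked <unfixed> without a Debian bug reference; if a bug is filed for the package, appending "(bug #NNNNNN)" as on the guix line would make the status traceable from the tracker.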
@@ -39,12 +43,14 @@ CVE-2017-1000430 (rust-base64 version <= 0.5.1 is vulnerable to a buffer over
 CVE-2017-1000424 (Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vulnerable ...)
 	TODO: check
 CVE-2017-1000423 (b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation ...)
-	TODO: check
+	- b2evolution <removed>
 CVE-2017-1000422 (Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer ...)
 	- gdk-pixbuf <unfixed>
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785973
 CVE-2017-1000421 (Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in ...)
-	TODO: check
+	- gifsicle 1.90-1
+	NOTE: https://github.com/kohler/gifsicle/issues/114
+	NOTE: https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185
 CVE-2017-1000420 (Syncthing version 0.14.33 and older is vulnerable to symlink traversal ...)
 	TODO: check
 CVE-2017-1000419 (phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar ...)
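Review bot: the b2evolution entry for CVE-2017-1000423 is resolved as <removed> with no NOTE pointing at an upstream report or fix, unlike the gifsicle entry in the same hunk, which carries both the issue and the fixing commit; a reference line would let a reader confirm the affected range (6.6.0 - 6.8.10 per the description) should the package return to the archive. The gifsicle resolution "1.90-1" is consistent with the description's "gifview 1.89 and older".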



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ce20fdde5a0747a2f1d9268eee1765e561b0a1d5...97471040045bb077f56f641070219b151a031c60
