[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add more fixes from 9.4
Salvatore Bonaccorso
carnil at debian.org
Sat Mar 10 10:03:11 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2309a8eb by Salvatore Bonaccorso at 2018-03-10T11:02:24+01:00
Add more fixes from 9.4
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2152,7 +2152,7 @@ CVE-2018-1000086
CVE-2018-1000085 [Out-of-bounds heap read in XAR parser]
RESERVED
- clamav 0.99.3~beta1+dfsg-1
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.4+dfsg-1+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
NOTE: http://www.openwall.com/lists/oss-security/2017/09/29/4
@@ -2536,7 +2536,7 @@ CVE-2018-7181
CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...)
{DLA-1288-1}
- cups 2.2.3-2
- [stretch] - cups <no-dsa> (Minor issue, can be fixed via pu)
+ [stretch] - cups 2.2.1-8+deb9u1
[jessie] - cups <no-dsa> (Minor issue, can be fixed via pu)
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1048
NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2)
@@ -3812,7 +3812,7 @@ CVE-2018-6658
CVE-2018-6758 (The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through ...)
{DLA-1275-1}
- uwsgi 2.0.15-10.2 (bug #889753)
- [stretch] - uwsgi <no-dsa> (Minor issue)
+ [stretch] - uwsgi 2.0.14+20161117-3+deb9u1
[jessie] - uwsgi <no-dsa> (Minor issue)
NOTE: http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html
NOTE: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
@@ -4226,7 +4226,7 @@ CVE-2018-6561 (dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attri
NOTE: https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md
CVE-2018-6560 (In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and ...)
- flatpak 0.10.3-1 (bug #888842)
- [stretch] - flatpak <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - flatpak 0.8.9-0+deb9u1
NOTE: https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
CVE-2018-6559
RESERVED
@@ -5300,18 +5300,19 @@ CVE-2017-1000474 (Soyket Chowdhury Vehicle Sales Management System version 2017-
NOT-FOR-US: Soyket Chowdhury Vehicle Sales Management System
CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when the ...)
- w3m 0.5.3-36 (bug #888097; unimportant)
+ [stretch] - w3m 0.5.3-34+deb9u1
NOTE: https://github.com/tats/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753
NOTE: Neutralised by kernel hardening
CVE-2018-6197 (w3m through 0.5.3 is prone to a NULL pointer dereference flaw in ...)
- w3m 0.5.3-36 (low)
- [stretch] - w3m <no-dsa> (Minor issue)
+ [stretch] - w3m 0.5.3-34+deb9u1
[jessie] - w3m <no-dsa> (Minor issue)
[wheezy] - w3m <no-dsa> (Minor issue)
NOTE: https://github.com/tats/w3m/issues/89
NOTE: https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8
CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...)
- w3m 0.5.3-36 (low)
- [stretch] - w3m <no-dsa> (Minor issue)
+ [stretch] - w3m 0.5.3-34+deb9u1
[jessie] - w3m <no-dsa> (Minor issue)
[wheezy] - w3m <no-dsa> (Minor issue)
NOTE: https://github.com/tats/w3m/issues/88
@@ -21574,7 +21575,7 @@ CVE-2018-0203 (A vulnerability in the SMTP relay of Cisco Unity Connection could
CVE-2018-0202 [Out-of-bounds access in the PDF parser]
RESERVED
- clamav <unfixed>
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.4+dfsg-1+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11973
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11980
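Review bot: the unstable entry for CVE-2018-0202 still reads `- clamav <unfixed>` while the stretch line now records `0.99.4+dfsg-1+deb9u1` as fixed; if the 0.99.4 upstream release fixes this issue, the sid entry should be updated to the matching 0.99.4 upload in the same commit, otherwise the tracker will keep listing unstable as vulnerable to an issue already fixed in stable.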
@@ -22004,7 +22005,7 @@ CVE-2017-16928 (The arq_updater binary in Arq 5.10 and earlier for Mac allows lo
CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session ...)
{DLA-1203-1}
- xrdp 0.9.4-3 (bug #882463)
- [stretch] - xrdp <no-dsa> (Minor issue)
+ [stretch] - xrdp 0.9.1-9+deb9u2
[jessie] - xrdp <no-dsa> (Minor issue)
NOTE: Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958
NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
@@ -22322,7 +22323,7 @@ CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
NOT-FOR-US: Amazon Key
CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis ...)
- ruby-redis-store 1.1.6-2 (bug #882034)
- [stretch] - ruby-redis-store <no-dsa> (Minor issue)
+ [stretch] - ruby-redis-store 1.1.6-1+deb9u1
NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e
CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is ...)
NOT-FOR-US: CodeIgniter
@@ -25427,7 +25428,7 @@ CVE-2017-15917 (In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to
NOT-FOR-US: Paessler PRTG Network Monitor
CVE-2017-15908 (In systemd 223 through 235, a remote DNS server can respond with a ...)
- systemd 235-3 (bug #880026)
- [stretch] - systemd <no-dsa> (Minor issue; systemd-resolved not enabled by default)
+ [stretch] - systemd 232-25+deb9u2
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
[wheezy] - systemd <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351
@@ -25457,7 +25458,7 @@ CVE-2017-15907 (SQL injection vulnerability in phpCollab 2.5.1 and earlier allow
NOT-FOR-US: phpCollab
CVE-2017-15906 (The process_open function in sftp-server.c in OpenSSH before 7.6 does ...)
- openssh 1:7.6p1-1 (low)
- [stretch] - openssh <no-dsa> (Minor issue)
+ [stretch] - openssh 1:7.4p1-10+deb9u3
[jessie] - openssh <no-dsa> (Minor issue)
[wheezy] - openssh <no-dsa> (Minor issue)
NOTE: https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19
@@ -36149,7 +36150,7 @@ CVE-2017-12381
CVE-2017-12380 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
{DLA-1261-1}
- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11945
@@ -36157,7 +36158,7 @@ CVE-2017-12380 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
CVE-2017-12379 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
{DLA-1261-1}
- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11944
@@ -36165,7 +36166,7 @@ CVE-2017-12379 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
CVE-2017-12378 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
{DLA-1261-1}
- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11946
@@ -36174,7 +36175,7 @@ CVE-2017-12378 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
CVE-2017-12377 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
{DLA-1261-1}
- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11943
@@ -36183,7 +36184,7 @@ CVE-2017-12377 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
CVE-2017-12376 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
{DLA-1261-1}
- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11942
@@ -36191,7 +36192,7 @@ CVE-2017-12376 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
CVE-2017-12375 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
{DLA-1261-1}
- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11940
@@ -36199,7 +36200,7 @@ CVE-2017-12375 (The ClamAV AntiVirus software versions 0.99.2 and prior contain
CVE-2017-12374 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
{DLA-1261-1}
- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
- [stretch] - clamav <no-dsa> (clamav is updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11939
@@ -38842,6 +38843,7 @@ CVE-2017-11423 (The cabd_read_string function in mspack/cabd.c in libmspack 0.5a
{DSA-3946-1 DLA-1279-1}
- libmspack 0.6-1 (bug #868956)
- clamav 0.99.3~beta1+dfsg-1 (unimportant)
+ [stretch] - clamav 0.99.4+dfsg-1+deb9u1
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public)
NOTE: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul
@@ -54564,7 +54566,7 @@ CVE-2017-6421 (In the touch controller function in all Qualcomm products with An
CVE-2017-6420 (The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows ...)
{DLA-1261-1 DLA-1105-1}
- clamav 0.99.3~beta1+dfsg-1
- [stretch] - clamav <no-dsa> (Gets updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (Gets updated via -updates)
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11798
NOTE: https://github.com/vrtadmin/clamav-devel/commit/dfc00cd3301a42b571454b51a6102eecf58407bc
@@ -54573,6 +54575,7 @@ CVE-2017-6419 (mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, al
{DSA-3946-1 DLA-1279-1}
- libmspack 0.6-1 (bug #871263)
- clamav 0.99.3~beta1+dfsg-1 (unimportant)
+ [stretch] - clamav 0.99.4+dfsg-1+deb9u1
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11701
NOTE: https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1
NOTE: ClamAV uses the libmspack system library when available. This is the
@@ -54583,7 +54586,7 @@ CVE-2017-6419 (mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, al
CVE-2017-6418 (libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause a ...)
{DLA-1261-1 DLA-1105-1}
- clamav 0.99.3~beta1+dfsg-1
- [stretch] - clamav <no-dsa> (Gets updated via -updates)
+ [stretch] - clamav 0.99.2+dfsg-6+deb9u1
[jessie] - clamav <no-dsa> (Gets updated via -updates)
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11797
NOTE: https://github.com/vrtadmin/clamav-devel/commit/586a5180287262070637c8943f2f7efd652e4a2c
@@ -56466,7 +56469,7 @@ CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and
[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
- [stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1
- nvidia-graphics-drivers-legacy-304xx <unfixed>
[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
[jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -56484,7 +56487,7 @@ CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and
[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
- [stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1
- nvidia-graphics-drivers-legacy-304xx <unfixed>
[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
[jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -56594,7 +56597,7 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and
[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
- [stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1
- nvidia-graphics-drivers-legacy-304xx <unfixed>
[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
[jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2309a8eb2de74f79cdd5eee556931c3cb74c4657