Ola Lundqvist pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2faba7b3 by Ola Lundqvist at 2019-05-12T18:59:41Z
At least the jessie version is vulnerable to CVE-2018-19969 and since it is the
oldest version I think all later are also vulnerable. Therefore changing
undetermined to unfixed and adding phpmyadmin to the list of packages to fix
for jessie. Probably the same should be done for later releases.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -26242,9 +26242,10 @@ CVE-2018-19970 (In phpMyAdmin before 4.8.4, an XSS
vulnerability was found in th
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-8/
NOTE:
https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
CVE-2018-19969 (phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are
affected by a s ...)
- - phpmyadmin <undetermined>
+ - phpmyadmin <unfixed>
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-7/
- TODO: check, upstream explicitly fixed only the 4.7/4.8 branch but not
entirely clear if only introduced in 4.7.0, and older versions are EOLed, and
only on best-effort mentioned in affected versions informations.
+ NOTE: Upstream explicitly fixed only the 4.7/4.8 branch but the problem
exists in
+ NOTE: earlier versions as well. At least parts of the listed commits
are needed.
CVE-2018-19968 (An attacker can exploit phpMyAdmin before 4.8.4 to leak the
contents o ...)
{DLA-1658-1}
- phpmyadmin <unfixed>
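Review bot: The two added NOTE lines under CVE-2018-19969 refer to "the listed commits", but no commit is listed for this CVE in the visible entry, which carries only the PMASA-2018-7 URL (the commit URL above belongs to CVE-2018-19970). Please add NOTE lines with the upstream commit URLs so whoever backports knows which "parts" are meant. The commit message also says only the jessie version was actually checked and that later versions are assumed vulnerable, while `- phpmyadmin <unfixed>` applies to every release; a NOTE recording which version was verified and which are assumed would preserve the uncertainty that the removed TODO expressed.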
=====================================
data/dla-needed.txt
=====================================
@@ -81,6 +81,8 @@ openjdk-7
--
php5 (Thorsten Alteholz)
--
+phpmyadmin
+--
polarssl
NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to
move to latest version, etc. (!). (lamby)
--
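Review bot: The new `phpmyadmin` entry in data/dla-needed.txt has no NOTE, so a claimant cannot tell from this file which issue triggered it or that the fix is not a straight cherry-pick. Consider adding a dated NOTE in the style of the polarssl entry below it, naming CVE-2018-19969 and stating that upstream fixed only the 4.7/4.8 branch, so the jessie version needs a backport.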
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2faba7b34f816314dbc33ee9a07c42164c885001
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits