Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
437baa1d by Salvatore Bonaccorso at 2019-07-16T19:20:26Z
Add CVE-2019-1010060/cfitsio

After query to MITRE the reason behind that there is one additional CVE,
is that there were other security-wise sensitive issues fixed in 3.43
but not covered by the CVEs CVE-2018-3846, CVE-2018-3847,
CVE-2018-3848, and CVE-2018-3849. One example is given in the NOTE
itself.

The above CVEs were only to address issues in the gphd, ffgtkn, ffgkyn,
ffghbn, and ffghtb functions. However, the upgrade from 3.42 to 3.43
also has many other changes.

As CVE-2019-1010060 mentions: "over 40 source code files were changed."

It is not worth trying to tackle all those for stretch (and probably
older). So marking stretch as no-dsa in accordance with the setting for
CVE-2018-3846, CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11116,8 +11116,14 @@ CVE-2019-1010062
        RESERVED
 CVE-2019-1010061
        RESERVED
-CVE-2019-1010060
+CVE-2019-1010060 [issues in cfitsio not covered by CVE-2018-3846, 
CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849]
        RESERVED
+       - cfitsio 3.430-1 (low; bug #892458)
+       [stretch] - cfitsio <no-dsa> (Minor issue)
+       NOTE: The issue is specifically to other issues not covered by 
CVE-2018-3846,
+       NOTE: CVE-2018-3847, CVE-2018-3848, and CVE-2018-3849 but fixed in 
3.43. One
+       NOTE: example is ftp_status in drvrnet.c mishandling a long string 
beginning
+       NOTE: with a '4' character.
 CVE-2019-1010059
        RESERVED
 CVE-2019-1010058
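
Review bot: the first NOTE line of the new CVE-2019-1010060 entry ("The issue is specifically to other issues not covered by ...") does not parse cleanly, and the entry carries no reference a later reader could follow. Consider rewording it along the lines of "NOTE: Covers issues fixed in 3.43 that are not covered by CVE-2018-3846, ..." and adding a NOTE line that points to the upstream change or the source documenting the ftp_status problem in drvrnet.c, so the <no-dsa> triage for stretch can be re-checked against something concrete. The commit message says older releases are probably in the same situation, but only [stretch] is annotated in this hunk; if that is intentional, it is worth stating in a NOTE.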



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/437baa1d52e7ab33eb248bd2358895e745ae5da3
