Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
90438d65 by Salvatore Bonaccorso at 2019-07-23T04:50:32Z
Update notes for CVE-2018-20839/{systemd,xorg-server}

The status is overall not yet fully clear. What is clear is that the
original fix introduces regressions and is not the right approach.

Unclear if the tracking and fixing should happen in xorg-server or in
systemd. For now track both source packages and monitor how the
discussion evolves.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -6015,12 +6015,16 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a 
logout, which allows att
        [buster] - systemd <no-dsa> (Minor issue)
        [stretch] - systemd <no-dsa> (Minor issue)
        [jessie] - systemd <no-dsa> (Not reproducible without Ubuntu-style 
persistant VT1 greeter; too invasive to fix)
+       - xorg-server <unfixed>
        NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
        NOTE: 
https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
        NOTE: https://github.com/systemd/systemd/pull/12378
        NOTE: The fix introduced a regression, cf. 
https://bugs.debian.org/929229
        NOTE: Issue was originally fixed for unstable in 241-4 but was reverted 
in 241-5
        NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857
+       NOTE: Upstream from systemd claimed originally it's not an issue in 
systemd, but
+       NOTE: might revisit. Furthermore the issue might be fixed in the xorg 
xserver.
+       NOTE: Tentative merge request: 
https://gitlab.freedesktop.org/xorg/xserver/merge_requests/241
 CVE-2019-12149 (SQL injection vulnerability in silverstripe/restfulserver 
module 1.0.x ...)
        NOT-FOR-US: SilverStripe
 CVE-2019-12148
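
Review bot: The added `- xorg-server <unfixed>` line records xorg-server as affected, but nothing in the entry says that this tracking is provisional. The new NOTE lines only say the issue "might be fixed in the xorg xserver" and call the merge request tentative, and the reason for listing both packages is given only in the commit message. Consider adding a NOTE that states xorg-server is tracked alongside systemd until the upstream discussion settles where the fix belongs, so that someone reading data/CVE/list without the commit log does not take the status as confirmed. Separately, the first added NOTE breaks its sentence after "but" and continues on the next NOTE line with "might revisit"; rewording so that each NOTE line reads on its own would keep the entry legible when the lines are grepped or displayed individually.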



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/90438d65f866be55bb7759c5f391bc75bcb835c9
