Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
da2c227c by Salvatore Bonaccorso at 2019-12-29T21:03:21Z
Mark CVE-2019-10086 as no-dsa for stretch and buster

When applying the patch for CVE-2019-10086 the library switches the
default to be secured, and instead one needs to opt-out vs. opt-in and
allow access to the 'class' property.

Might need investigation of affected reverse dependencies for functional
regressions if this is applied for stable releases. This might be safe,
as at least Red Hat and SUSE seem to have done the switch in some of
their products.

- - - - -
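The change the commit message describes (the fix for CVE-2019-10086 makes suppression of the `class` property the default, and callers must remove that suppressor explicitly to get the old behaviour) can be verified from application code. The following is an added example and is not part of the Debian commit or of commons-beanutils itself; it assumes commons-beanutils 1.9.4 (the patched version named in the hunk) on the classpath, and the `Person` bean is a constructed stand-in for any JavaBean. It is the kind of check a packager could run against a reverse dependency to see whether it still relies on reading `class` (the functional-regression case the commit message raises), without weakening the default.

```java
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

/**
 * Added check, not from the Debian commit or from commons-beanutils:
 * confirms that the 'class' property is rejected by default once the
 * CVE-2019-10086 fix (commons-beanutils 1.9.4) is in place, so that
 * property paths of the form bean -> class -> classLoader cannot be walked.
 */
public class ClassPropertyCheck {

    /** Constructed sample bean; any JavaBean would do. */
    public static class Person {
        private String name = "alice";
        public String getName() { return name; }
        public void setName(String n) { name = n; }
    }

    /**
     * Returns true when BeanUtils refuses to resolve the 'class' property.
     * With the suppressor active, PropertyUtilsBean finds no descriptor for
     * 'class' and throws NoSuchMethodException("Unknown property 'class' ...").
     */
    public static boolean classPropertySuppressed(Object bean) {
        try {
            PropertyUtils.getProperty(bean, "class");
            return false;   // resolved java.lang.Class: suppression NOT active
        } catch (NoSuchMethodException e) {
            return true;    // property unknown: suppression active
        } catch (ReflectiveOperationException e) {
            // IllegalAccessException / InvocationTargetException: bean is broken
            throw new IllegalStateException(e);
        }
    }

    /** Ordinary properties must keep working; only 'class' is hidden. */
    public static Object readName(Object bean) throws ReflectiveOperationException {
        return PropertyUtils.getProperty(bean, "name");
    }

    public static void main(String[] args) throws Exception {
        Person p = new Person();
        System.out.println("name -> " + readName(p));                       // alice
        System.out.println("'class' suppressed by default: " + classPropertySuppressed(p));

        // Before 1.9.4 an application had to add the suppressor itself (opt-in).
        // On 1.9.4 it is already present, so adding it again is harmless; doing so
        // pins the secure behaviour in application code regardless of which
        // library build is deployed.
        PropertyUtilsBean pu = BeanUtilsBean.getInstance().getPropertyUtils();
        pu.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        System.out.println("after explicit addBeanIntrospector: " + classPropertySuppressed(p));
    }
}
```

On 1.9.4 both printed booleans are `true`; on an unpatched 1.9.2/1.9.3 build without the explicit `addBeanIntrospector` call the first one is `false`, which is exactly the condition a reverse dependency that reads `class` would have been relying on.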


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -36644,9 +36644,14 @@ CVE-2019-10087 (On Apache JSPWiki, up to version 
2.11.0.M4, a carefully crafted
 CVE-2019-10086 (In Apache Commons Beanutils 1.9.2, a special BeanIntrospector 
class wa ...)
        {DLA-1896-1}
        - commons-beanutils 1.9.4-1
+       [buster] - commons-beanutils <no-dsa> (Minor issue; can be fixed via 
point release)
+       [stretch] - commons-beanutils <no-dsa> (Minor issue; can be fixed via 
point release)
        NOTE: https://issues.apache.org/jira/browse/BEANUTILS-520
        NOTE: https://github.com/apache/commons-beanutils/pull/7
        NOTE: 
https://github.com/apache/commons-beanutils/commit/dd48f4e589462a8cdb1f29bbbccb35d6b0291d58
+       NOTE: With the patch applied, the libary is secured by default. To 
opt-out and allow
+       NOTE: access to the 'class' property one needs to remove the feature 
explicitly. Cf.
+       NOTE: https://github.com/apache/commons-beanutils/pull/7#issue-281406699
 CVE-2019-10085 (In Apache Allura prior to 1.11.0, a vulnerability exists for 
stored XS ...)
        NOT-FOR-US: Apache Allura
 CVE-2019-10084 (In Apache Impala 2.7.0 to 3.2.0, an authenticated user with 
access to  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/da2c227c4d6f3db12ced207d6d41fd2feadcb49d
