Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits: 570671f5 by Ola Lundqvist at 2020-01-20T22:27:53+01:00 Added information about the squid3 patch analysis made. - - - - - 1 changed file: - data/dla-needed.txt Changes: ===================================== data/dla-needed.txt ===================================== @@ -113,12 +113,18 @@ sqlite3 (Thorsten Alteholz) NOTE: 20200112: WIP -- squid3 - NOTE: 20191210: Requires new API SBuf. + NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf. NOTE: 20200116: Researched other distros to see if any had backported the fixes. No luck. NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed. NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that NOTE: 20200116: addresses the vulnerabilities. (roberto) + NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID + NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy + NOTE: 20200120: to add those checks without introducing SBuf. (Ola) + NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping + NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more + NOTE: 20200120: details on the intention. (Ola) -- storebackup (Utkarsh Gupta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/570671f57054d4cb93b5100a0e3e5f0f54686a88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/570671f57054d4cb93b5100a0e3e5f0f54686a88 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
