Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 0d2f7109 by Markus Koschany at 2020-11-10T22:53:42+01:00 Remove fossil from dla-needed.txt Follow the security team and mark this CVE as ignored. According to upstream the vulnerability can only be exploited by site admins and users with check-in privileges: The attacks can only be carried out by a site administrator or by someone with check-in privileges on the repository, not by random passers-by on the internet. https://fossil-scm.org/forum/info/a05ae3ce7760daf6 Thus the risk is rather low. The patch itself is quite invasive. Although we could remove all the unrelated fixes to not allow symlinks anymore, the risk/regression factor is higher than the potential benefit for users. - - - - - 04b9d2f4 by Markus Koschany at 2020-11-10T23:44:06+01:00 CVE-2020-24614,fossil: Mark as no-dsa for Stretch. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -10505,6 +10505,7 @@ CVE-2020-24556 (A vulnerability in Trend Micro Apex One and OfficeScan XG SP1 on CVE-2020-24614 (Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 a ...) - fossil 1:2.12.1-1 [buster] - fossil <no-dsa> (Minor issue) + [stretch] - fossil <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/08/20/1 NOTE: https://fossil-scm.org/forum/info/a05ae3ce7760daf6 NOTE: https://fossil-scm.org/fossil/vdiff?branch=sec2020-2.12-patch&diff=1&w ===================================== data/dla-needed.txt ===================================== @@ -48,11 +48,6 @@ f2fs-tools -- firefox-esr (Roberto C. Sánchez) -- -fossil (Markus Koschany) - NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a - NOTE: 20200903: database query in src/add.c. In fact, the patch fixing this CVE is quite invasive. Maybe decide - NOTE: 20200903: not to fix it? --- freerdp (Abhijith PA) -- golang-1.7 (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c556435c583d734c3ecd64219aa027834caa8f2d...04b9d2f45359e344fd8d0d1c719eb87b6881b619 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c556435c583d734c3ecd64219aa027834caa8f2d...04b9d2f45359e344fd8d0d1c719eb87b6881b619 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits