Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
674a8861 by Salvatore Bonaccorso at 2020-12-15T21:47:23+01:00
Update information on CVE-2016-11086

Mark it as unimportant as it does not affect the binary packages in
Debian (by default, unless a user has removed the certificates).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13901,19 +13901,14 @@ CVE-2020-26099 (cPanel before 88.0.3 allows attackers 
to bypass the SMTP greylis
 CVE-2020-26098 (cPanel before 88.0.3 mishandles the Exim filter path, leading 
to remot ...)
        NOT-FOR-US: cPanel
 CVE-2016-11086 (lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for 
Ruby doe ...)
-       - ruby-oauth <unfixed> (bug #970932)
-       [stretch] - ruby-oauth <no-dsa> (Minor issue)
+       - ruby-oauth <unfixed> (unimportant; bug #970932)
        NOTE: https://github.com/oauth-xx/oauth-ruby/issues/137
-       NOTE: For jessie it is declared as minor issue since the package that
-       NOTE: must exist is generated by ca-certificates package and
-       NOTE: ca-certificates in the package dependency list. Hence even though
-       NOTE: the package is vulnerable the problem do not exist in Debian
-       NOTE: unless the admin has explicitly removed the file from the 
filesystem.
-       NOTE: Should probably be handled the same in other releases.
+       NOTE: Likely minor issue since the package that exist is generated by 
ca-certificates
+       NOTE: package and ca-certificates in the package dependency list. Hence 
even though the
+       NOTE: package is vulnerable the problem do not exist in Debian unless 
the admin has
+       NOTE: explicitly removed the file from the filesystem.
        NOTE: Fixing this vulnerability can cause a regression in the case the
        NOTE: admin has intentionally removed this file to not check 
certificates.
-       NOTE: It could therefore be considered as to be ignored but more should
-       NOTE: have an opinion about this before deciding that.
 CVE-2020-26097 (** UNSUPPORTED WHEN ASSIGNED ** The firmware of the PLANET 
Technology  ...)
        NOT-FOR-US: PLANET Technology Corp NVR-915 and NVR-1615
 CVE-2020-26096
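Review bot: the three rewritten `+ NOTE:` lines after the upstream issue link keep the grammar slips of the jessie-specific text they replace and drop the word "must", so the sentence no longer says which file is meant; suggest `NOTE: Likely minor issue since the file that must exist is generated by the ca-certificates`, `NOTE: package, and ca-certificates is in the package dependency list. Hence even though the`, `NOTE: package is vulnerable the problem does not exist in Debian unless the admin has`. Since the entry is now tagged `unimportant` across all releases (the stretch `<no-dsa>` line is removed), "Likely minor issue" reads weaker than the tag and could be aligned with it. Spelling out whether the ca-certificates relationship is a Depends or a Recommends would also make the "unless the admin has explicitly removed the file" reasoning checkable per suite, which is what the old note's "Should probably be handled the same in other releases" was asking for.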



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/674a88619be83525e20b29c46693d859226fade3



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
