Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:

fe0bce11 by Roberto C. Sánchez at 2020-12-18T22:28:13-05:00
LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as <no-dsa>

This is consistent with both how the same CVEs were handled for buster by the security team and how previous similar CVEs (CVE-2020-24616 and CVE-2020-24750) were handled by the LTS team.

- - - - -
76d5aa7f by Roberto C. Sánchez at 2020-12-18T22:31:49-05:00
LTS: triage CVE-2020-29652/golang-go.crypto as <not-affected>

- - - - -
c61cdb7f by Roberto C. Sánchez at 2020-12-18T22:41:08-05:00
LTS: triage golang-1.8 and golang-1.7

- - - - -

2 changed files:

- data/CVE/list
- data/dla-needed.txt

Changes:

===================================== data/CVE/list ===================================== @@ -2040,12 +2040,14 @@ CVE-2020-35492 CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - jackson-databind <unfixed> [buster] - jackson-databind <no-dsa> (Minor issue) + [stretch] - jackson-databind <no-dsa> (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - jackson-databind <unfixed> [buster] - jackson-databind <no-dsa> (Minor issue) + [stretch] - jackson-databind <no-dsa> (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled.
@@ -4065,6 +4067,7 @@ CVE-2020-29653 RESERVED CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh component thr ...) - golang-go.crypto <unfixed> + [stretch] - golang-go.crypto <not-affected> (Vulnerable code not present) - kubernetes <unfixed> NOTE: https://go-review.googlesource.com/c/crypto/+/278852 NOTE: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1 ===================================== data/dla-needed.txt ===================================== @@ -58,6 +58,12 @@ flac (Adrian Bunk) NOTE: 20201215: when preparing fix/advisory note that the same code change fixes both CVE-2020-0487 and CVE-2017-6888 (roberto) NOTE: 20201215: stretch and buster versions are very close; perhaps consider coordinating with security team and helping them by preparing an update for buster (roberto) -- +golang-1.7 + NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto) +-- +golang-1.8 + NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto) +-- golang-websocket -- imagemagick (Sylvain Beucler)

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ced4449781949729fc5d3225e95df39fa111597e...c61cdb7f53756c142b4466bd95e5b0067bce9807

-- 
You're receiving this email because of your account on salsa.debian.org.
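Review bot: in the data/CVE/list hunk for CVE-2020-35491 and CVE-2020-35490, the two new `[stretch] - jackson-databind <no-dsa> (Minor issue)` lines copy the buster rationale, but nothing in the entry records what makes the issue minor for stretch or where the fix lives; the header already says the fix shipped in 2.9.10.8, so add a NOTE pointing at the upstream fix commit for that release (useful when an LTS update is eventually prepared), and consider a NOTE stating that the "Minor issue" verdict rests on the condition in the existing note, i.e. the bug is only reachable when an application enables Default Typing.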
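Review bot: in the CVE-2020-29652 hunk, `[stretch] - golang-go.crypto <not-affected> (Vulnerable code not present)` is asserted without a NOTE naming the upstream change that introduced the affected code, so the claim cannot be re-checked later; add that reference next to the existing go-review link. Also, the neighbouring `- kubernetes <unfixed>` line is left with no stretch annotation: a Go binary statically links its own copy of golang.org/x/crypto, so the library's not-affected status does not carry over to kubernetes, which needs its own stretch triage line.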
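Review bot: in the data/dla-needed.txt hunk, the NOTE lines added for golang-1.7 and golang-1.8 say "new CVEs may not be getting fixed" without naming the CVEs, so whoever picks these entries up next has to rediscover which ones are meant; list the CVE ids in the NOTE. If the outcome is to ignore them, the tracker convention is an `<ignored>` marking with a reason on the stretch entries in data/CVE/list, after which these two unclaimed entries (no name in parentheses, unlike `flac (Adrian Bunk)`) can be removed from dla-needed.txt.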
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits