Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fe0bce11 by Roberto C. Sánchez at 2020-12-18T22:28:13-05:00
LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as <no-dsa>

This is consistent with both how the same CVEs were handled for buster
by the security team and how previous similar CVEs (CVE-2020-24616 and
CVE-2020-24750) were handled by the LTS team.

- - - - -
76d5aa7f by Roberto C. Sánchez at 2020-12-18T22:31:49-05:00
LTS: triage CVE-2020-29652/golang-go.crypto as <not-affected>

- - - - -
c61cdb7f by Roberto C. Sánchez at 2020-12-18T22:41:08-05:00
LTS: triage golang-1.8 and golang-1.7

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2040,12 +2040,14 @@ CVE-2020-35492
 CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the 
interact ...)
        - jackson-databind <unfixed>
        [buster] - jackson-databind <no-dsa> (Minor issue)
+       [stretch] - jackson-databind <no-dsa> (Minor issue)
        NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
        NOTE: Starting from 2.10 series mitigated as Safe Default Typing is 
enabled by default
        NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the 
interact ...)
        - jackson-databind <unfixed>
        [buster] - jackson-databind <no-dsa> (Minor issue)
+       [stretch] - jackson-databind <no-dsa> (Minor issue)
        NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
        NOTE: Starting from 2.10 series mitigated as Safe Default Typing is 
enabled by default
        NOTE: but still an issue when Default Typing is enabled.
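Review bot: the new [stretch] line carries only "(Minor issue)" as its no-dsa rationale, while the NOTE lines directly below record that the 2.10 Safe Default Typing mitigation does not cover deployments with Default Typing enabled; consider extending the annotation to "(Minor issue, only exploitable with Default Typing enabled)" so the stretch triage is self-explanatory without consulting the commit message. The same applies to the CVE-2020-35490 line added in this hunk.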
@@ -4065,6 +4067,7 @@ CVE-2020-29653
        RESERVED
 CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh 
component thr ...)
        - golang-go.crypto <unfixed>
+       [stretch] - golang-go.crypto <not-affected> (Vulnerable code not 
present)
        - kubernetes <unfixed>
        NOTE: https://go-review.googlesource.com/c/crypto/+/278852
        NOTE: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
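Review bot: "Vulnerable code not present" on the new [stretch] line is the only justification recorded for the not-affected status; adding a NOTE stating which golang-go.crypto source version was inspected and why the ssh code path from the go-review change linked below is absent there would make the claim auditable for later reviewers. The kubernetes <unfixed> line in the same hunk is left without a stretch annotation; if kubernetes is not shipped in stretch no action is needed, otherwise it needs the same triage.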


=====================================
data/dla-needed.txt
=====================================
@@ -58,6 +58,12 @@ flac (Adrian Bunk)
   NOTE: 20201215: when preparing fix/advisory note that the same code change 
fixes both CVE-2020-0487 and CVE-2017-6888 (roberto)
   NOTE: 20201215: stretch and buster versions are very close; perhaps consider 
coordinating with security team and helping them by preparing an update for 
buster (roberto)
 --
+golang-1.7
+  NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore 
(roberto)
+--
+golang-1.8
+  NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore 
(roberto)
+--
 golang-websocket
 --
 imagemagick (Sylvain Beucler)
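Review bot: the two new NOTE lines say "new CVEs may not be getting fixed" without naming them, so the next person picking up golang-1.7 or golang-1.8 cannot tell which data/CVE/list entries triggered the dla-needed entry; list the CVE ids (or point at the relevant entries) and, if the intended outcome is to mark them <ignored>, say so explicitly rather than "might need to ignore".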



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ced4449781949729fc5d3225e95df39fa111597e...c61cdb7f53756c142b4466bd95e5b0067bce9807



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
