Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
93603045 by Sylvain Beucler at 2021-01-21T18:15:12+01:00
dla: claim spotweb
- - - - -
e63a1a48 by Sylvain Beucler at 2021-01-21T18:15:40+01:00
CVE-2020-35545/spotweb: regression patch
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -13050,6 +13050,7 @@ CVE-2020-35545 (Time-based SQL injection exists in
Spotweb 1.4.9 via the query s
[buster] - spotweb <no-dsa> (Minor issue)
NOTE: https://github.com/spotweb/spotweb/issues/629
NOTE:
https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2
+ NOTE:
https://github.com/spotweb/spotweb/commit/25c1f89f0202af5d5d224b906ff9d9313f017aa6
CVE-2020-35544
RESERVED
CVE-2020-35543
=====================================
data/dla-needed.txt
=====================================
@@ -127,7 +127,7 @@ slirp (pu-Thorsten Alteholz)
NOTE: update has to done in sid->buster->stretch
NOTE: 20200417: still waiting for pu, probably 30.01.2021
--
-spotweb
+spotweb (Sylvain Beucler)
NOTE: 20201220: The affected code (PHP!) uses string concatenation to
construct a SQL query.
NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands.
NOTE: 20201220: Yes, this is a dumpster fire. Claim this package at your
own peril. (roberto)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ddd4dc687cc05c7658b10e169157d33861bf940...e63a1a4810d80b08edcd2fda267ce3e3e671892f
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ddd4dc687cc05c7658b10e169157d33861bf940...e63a1a4810d80b08edcd2fda267ce3e3e671892f
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
