[Git][security-tracker-team/security-tracker][master] 2 commits: Marked CVE-2020-35546 as no-dsa for stretch following decision for buster....

Fri, 28 May 2021 14:32:46 -0700 


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a3b8f0d by Ola Lundqvist at 2021-05-28T23:32:22+02:00
Marked CVE-2020-35546 as no-dsa for stretch following decision for buster. 
Removed from dla-needed accordingly.

- - - - -
56b99482 by Ola Lundqvist at 2021-05-28T23:32:22+02:00
Investigated squid3 to check whether stretch is affected and it looks so even 
though source code has moved from one file to another.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -33649,6 +33649,7 @@ CVE-2020-35546
 CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query 
string. ...)
        - spotweb <removed> (bug #977719)
        [buster] - spotweb <no-dsa> (Minor issue)
+       [stretch] - spotweb <no-dsa> (Minor issue)
        NOTE: https://github.com/spotweb/spotweb/issues/629
        NOTE: 
https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2
        NOTE: 
https://github.com/spotweb/spotweb/commit/25c1f89f0202af5d5d224b906ff9d9313f017aa6


=====================================
data/dla-needed.txt
=====================================
@@ -123,14 +123,10 @@ shiro (Roberto C. Sánchez)
 --
 slapi-nis (Thorsten Alteholz)
 --
-spotweb
-  NOTE: 20201220: The affected code uses string concatenation to construct a 
SQL query.
-  NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. 
(roberto)
-  NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
-  NOTE: 20210127: Upstream says "we can fix this but it may take some time", 
revisit later (Beuc)
---
 squid3
   NOTE: 20210523:  not sure whether all CVEs realy affect Stretch
+  NOTE: 20210528: Looks like all CVEs affect stretch. (Ola)
+  NOTE: 20210528: For some buildRangeHeader has just moved from one file to 
another. (Ola)
 --
 thunderbird (Emilio)
   NOTE: wait for 78.11.0 (Emilio)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9cca46655c07624d7d041e24ea37e2d18f6262c6...56b9948235cf9efd6b853b16c9810dfd0c56cb31

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9cca46655c07624d7d041e24ea37e2d18f6262c6...56b9948235cf9efd6b853b16c9810dfd0c56cb31
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to