[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2021-28544/subversion as for stretch

Mon, 06 Jun 2022 14:16:33 -0700 


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
503e2b2b by Roberto C. Sánchez at 2022-06-06T17:15:36-04:00
LTS: mark CVE-2021-28544/subversion as <not-affected> for stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -81144,6 +81144,7 @@ CVE-2021-28545 (Acrobat Reader DC versions versions 
2020.013.20074 (and earlier)
 CVE-2021-28544 (Apache Subversion SVN authz protected copyfrom paths 
regression Subver ...)
        {DSA-5119-1}
        - subversion 1.14.2-1
+       [stretch] - subversion <not-affected> (New upstream regression/unit 
test passes, so no leak in this version)
        NOTE: https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
 CVE-2021-28543 (Varnish varnish-modules before 0.17.1 allows remote attackers 
to cause ...)
        - varnish-modules <not-affected> (Vulnerable code ot present; bug 
#985947)


=====================================
data/dla-needed.txt
=====================================
@@ -304,16 +304,6 @@ sox
 spip
   NOTE: 20220529: Programming language: PHP.
 --
-subversion (Roberto C. Sánchez)
-  NOTE: 20220529: Programming language: C.
-  NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply 
(eg. "copyfrom_path = apr_pstrdup(...)" assignment)
-  NOTE: 20220422: and, once applied manually, appears to break multiple and 
possibly unrelated parts of the testsuite. (lamby)
-  NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to 
test it, mailed results to Roberto C. Sánchez (enrico)
-  NOTE: 20220525: Based on the results of Enrico's analysis and some further 
work, I was able to have the test execute reliably (roberto)
-  NOTE: 20220525: The test passes, which seems to indicate that the 
vulnerability does not affect 1.9.5 (roberto)
-  NOTE: 20220525: I have asked Enrico to replicate my findings (roberto)
-  NOTE: 20220606: I replicated and confirm Roberto's findings (enrico)
---
 systemd
   NOTE: 20220529: Programming language: C.
   NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503e2b2b36a85c5635ce28123eb492c6f5fcfdaa

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503e2b2b36a85c5635ce28123eb492c6f5fcfdaa
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to