Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: af8a3868 by Salvatore Bonaccorso at 2025-04-25T09:14:21+02:00 Update status for CVE-2020-26880/sympa Upstream's take is that the issue is considered fixed with the combination of <https://github.com/sympa-community/sympa/issues/946> and <https://github.com/sympa-community/sympa/issues/1086> with both changes first included in 6.2.60~dfsg-2. >From Debian point of view consider this as sufficient coverage for the CVE-2020-26880 fix. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -370789,9 +370789,7 @@ CVE-2020-26882 (In Play Framework 2.6.0 through 2.8.2, data amplification can oc CVE-2020-26881 RESERVED CVE-2020-26880 (Sympa through 6.2.57b.2 allows a local privilege escalation from the s ...) - - sympa <unfixed> (bug #972114) - [bookworm] - sympa <postponed> (Revisit when fixed upstream; most setups mitigated) - [bullseye] - sympa <postponed> (Revisit when fixed upstream; most setups mitigated) + - sympa 6.2.60~dfsg-2 (bug #972114) [buster] - sympa <postponed> (Revisit when fixed upstream; most setups mitigated) [stretch] - sympa <postponed> (Mitigated, revisit when fixed upstream) NOTE: https://github.com/sympa-community/sympa/issues/1009 
@@ -370800,6 +370798,11 @@ CVE-2020-26880 (Sympa through 6.2.57b.2 allows a local privilege escalation from NOTE: Mitigation: https://salsa.debian.org/sympa-team/sympa/-/commit/b904d5257beb135127f663ad8f6865c1b59efd50 NOTE: Mitigation present in 6.2.58~dfsg-2, 6.2.40~dfsg-1+deb10u1 and 6.2.16~dfsg-3+deb9u4 NOTE: uploads. + NOTE: Upstream's take is that the issue is considered fixed with the combination of + NOTE: https://github.com/sympa-community/sympa/issues/946 + NOTE: https://github.com/sympa-community/sympa/issues/1086 + NOTE: with both changes first included in 6.2.60~dfsg-2. From Debian point of view + NOTE: consider this as sufficient coverage for the CVE-2020-26880 fix. CVE-2020-26879 (Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded ...) NOT-FOR-US: Ruckus CVE-2020-26878 (Ruckus through 1.5.1.0.21 is affected by remote command injection. An ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af8a3868553c251c07f7923a014ad370fb4005ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af8a3868553c251c07f7923a014ad370fb4005ca You're receiving this email because of your account on salsa.debian.org.
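Review bot: in the first hunk (@@ -370789) the buster and stretch entries keep their `<postponed> (Revisit when fixed upstream; most setups mitigated)` and `<postponed> (Mitigated, revisit when fixed upstream)` annotations, which this same commit makes stale: the NOTE lines added further down record that upstream considers the issue fixed by the changes for issues 946 and 1086, so there is nothing left to wait for. Suggest rewording those two suite annotations to state the current situation, e.g. `(Minor issue; mitigation in 6.2.40~dfsg-1+deb10u1, upstream fix via issues 946/1086 in 6.2.60)`, or recording an explicit decision on whether the two upstream changes should be backported, so that the tracker does not keep inviting a revisit that has effectively already happened.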
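Review bot: the NOTE lines added in the second hunk (@@ -370800) point at the two upstream issue trackers (issues/946 and issues/1086) rather than at the commits that closed them, so a reader cannot verify that both changes are really in 6.2.60 or cherry-pick them for buster/stretch without walking the issue threads; suggest adding the fixing commit URLs next to the issue links, in the same way the existing context line `NOTE: Mitigation: https://salsa.debian.org/sympa-team/sympa/-/commit/b904d52...` already does for the Debian mitigation. Minor wording point in the same hunk: `From Debian point of view` is missing an article (`From the Debian point of view`).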
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
