Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits: a6877d8d by Guilhem Moulin at 2023-10-16T00:04:34+02:00 DLA-3610-1: Also mark CVE-2018-25091/python-urllib3 as fixed. MITRE just assigned that ID for the non-titlecase variant of CVE-2018-20060. - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: ===================================== data/CVE/list ===================================== @@ -1,7 +1,11 @@ CVE-2023-38312 (A directory traversal vulnerability in Valve Counter-Strike 8684 allow ...) TODO: check CVE-2018-25091 (urllib3 before 1.24.2 does not remove the authorization HTTP header wh ...) - TODO: check + {DLA-3610-1} + - python-urllib3 1.25.6-1 + NOTE: https://github.com/urllib3/urllib3/issues/1510 + NOTE: This issue exists because of an incomplete fix for CVE-2018-20060 (which was case-sensitive). + NOTE: Fixed by https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (1.24.2) CVE-2023-5586 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3.0 ...) TODO: check CVE-2023-5585 (A vulnerability was found in SourceCodester Online Motorcycle Rental S ...) @@ -335232,7 +335236,7 @@ CVE-2018-20060 (urllib3 before version 1.23 does not remove the Authorization HT NOTE: https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e NOTE: https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532 NOTE: Fixed upstream in 1.23 - NOTE: https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (follow-up for lowercase headers, 1.24.2) + NOTE: https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc (follow-up from 1.24.2 to avoid CVE-2018-25091) CVE-2018-20059 (jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.) NOT-FOR-US: Pippo CVE-2018-20058 (In Evernote before 7.6 on macOS, there is a local file path traversal ...) ===================================== data/DLA/list ===================================== @@ -26,7 +26,7 @@ {CVE-2019-0053 CVE-2023-40303} [buster] - inetutils 2:1.9.4-7+deb10u3 [08 Oct 2023] DLA-3610-1 python-urllib3 - security update - {CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804} + {CVE-2018-25091 CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804} [buster] - python-urllib3 1.24.1-1+deb10u1 [08 Oct 2023] DLA-3609-1 prometheus-alertmanager - security update {CVE-2023-40577} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6877d8dfeddaac6a04257d0d5ea12639459cd7c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6877d8dfeddaac6a04257d0d5ea12639459cd7c You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits