[Git][security-tracker-team/security-tracker][master] DLA-3610-1: Also mark CVE-2018-25091/python-urllib3 as fixed.

Sun, 15 Oct 2023 15:05:07 -0700 


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6877d8d by Guilhem Moulin at 2023-10-16T00:04:34+02:00
DLA-3610-1: Also mark CVE-2018-25091/python-urllib3 as fixed.

MITRE just assigned that ID for the non-titlecase variant of
CVE-2018-20060.

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,7 +1,11 @@
 CVE-2023-38312 (A directory traversal vulnerability in Valve Counter-Strike 
8684 allow ...)
        TODO: check
 CVE-2018-25091 (urllib3 before 1.24.2 does not remove the authorization HTTP 
header wh ...)
-       TODO: check
+       {DLA-3610-1}
+       - python-urllib3 1.25.6-1
+       NOTE: https://github.com/urllib3/urllib3/issues/1510
+       NOTE: This issue exists because of an incomplete fix for CVE-2018-20060 
(which was case-sensitive).
+       NOTE: Fixed by 
https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
 (1.24.2)
 CVE-2023-5586 (NULL Pointer Dereference in GitHub repository gpac/gpac prior 
to 2.3.0 ...)
        TODO: check
 CVE-2023-5585 (A vulnerability was found in SourceCodester Online Motorcycle 
Rental S ...)
@@ -335232,7 +335236,7 @@ CVE-2018-20060 (urllib3 before version 1.23 does not 
remove the Authorization HT
        NOTE: 
https://github.com/urllib3/urllib3/commit/63948f3a607ed8e7a3ce9ac4e20782359896e27e
        NOTE: 
https://github.com/urllib3/urllib3/commit/560bd227b90f74417ffaedebf5f8d05a8ee4f532
        NOTE: Fixed upstream in 1.23
-       NOTE: 
https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
 (follow-up for lowercase headers, 1.24.2)
+       NOTE: 
https://github.com/urllib3/urllib3/commit/adb358f8e06865406d1f05e581a16cbea2136fbc
 (follow-up from 1.24.2 to avoid CVE-2018-25091)
 CVE-2018-20059 (jaxb/JaxbEngine.java in Pippo 1.11.0 allows XXE.)
        NOT-FOR-US: Pippo
 CVE-2018-20058 (In Evernote before 7.6 on macOS, there is a local file path 
traversal  ...)


=====================================
data/DLA/list
=====================================
@@ -26,7 +26,7 @@
        {CVE-2019-0053 CVE-2023-40303}
        [buster] - inetutils 2:1.9.4-7+deb10u3
 [08 Oct 2023] DLA-3610-1 python-urllib3 - security update
-       {CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804}
+       {CVE-2018-25091 CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 
CVE-2023-43804}
        [buster] - python-urllib3 1.24.1-1+deb10u1
 [08 Oct 2023] DLA-3609-1 prometheus-alertmanager - security update
        {CVE-2023-40577}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6877d8dfeddaac6a04257d0d5ea12639459cd7c

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6877d8dfeddaac6a04257d0d5ea12639459cd7c
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to