Brian May pushed to branch master at Debian Security Tracker / security-tracker
Commits: ef2f8d10 by Brian May at 2018-05-07T17:09:04+10:00 Mark calibre CVE-2018-7889 in wheezy There is no known fix for this, and a true fix is not possible without changing the configuration file formats not to allow executable code. See: * https://lists.debian.org/debian-lts/2018/04/msg00098.html * https://lists.debian.org/debian-lts/2018/05/msg00009.html - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -6829,6 +6829,7 @@ CVE-2018-7890 (A remote code execution issue was discovered in Zoho ManageEngine NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2018-7889 (gui2/viewer/bookmarkmanager.py in Calibre 3.18 calls cPickle.load on ...) - calibre 3.19.0+dfsg-1 (bug #892242) + [wheezy] - calibre <no-dsa> (Minor issue) NOTE: https://bugs.launchpad.net/calibre/+bug/1753870 NOTE: deserialization fix https://github.com/kovidgoyal/calibre/commit/aeb5b036a0bf657951756688b3c72bd68b6e4a7d NOTE: insufficient as import also loads configuration files, which are python executables, ===================================== data/dla-needed.txt ===================================== --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -12,10 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- apache2 (Roberto C. Sánchez) -- -calibre (Brian May) - NOTE: 20180321: Instead of replacing pickle with json, maybe disable bookmarking (apo) - NOTE: 20180321: completely and invest the time to fix the Jessie version instead? (apo) --- cups (Thorsten Alteholz) NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef2f8d10c6b656f307e6331a5e9767f4183824dc --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef2f8d10c6b656f307e6331a5e9767f4183824dc You're receiving this email because of your account on salsa.debian.org.
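Review bot: in the data/CVE/list hunk, the new `[wheezy] - calibre <no-dsa> (Minor issue)` line gives only "Minor issue" as the reason, which does not capture the rationale in the commit message (no upstream fix exists, and the upstream deserialization commit is insufficient because importing also loads configuration files that are Python executables). Suggest adding a NOTE line under the CVE-2018-7889 entry that points at the two debian-lts threads cited in the commit message (https://lists.debian.org/debian-lts/2018/04/msg00098.html and https://lists.debian.org/debian-lts/2018/05/msg00009.html) so the decision is traceable from the tracker data itself. While touching this entry, the existing NOTE ending in "which are python executables," reads as cut off and could be completed.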
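Review bot: the data/dla-needed.txt hunk removes apo's two 20180321 NOTE lines proposing to disable bookmarking entirely rather than replace pickle with JSON, but nothing in this commit records whether that alternative was evaluated before settling on no-dsa for wheezy. Suggest preserving the outcome as a NOTE in the CVE-2018-7889 entry (or confirming it is covered in the referenced list thread) so the next triager does not reopen the same question. The hunk header `@@ -12,10 +12,6 @@` matches the four removed lines (the `--` separator plus the three calibre lines), so the removal itself looks consistent.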
debian-security-tracker-commits mailing list: debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits