Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f3ed278c by Salvatore Bonaccorso at 2018-04-06T07:07:54+02:00
CVE-2018-1000156/patch specifically assigned for GNU patch

Queried MITRE which informed they can either update the description to match GNU patch. OTOH, DWF project has already assigned CVE-2018-1000156 for specifically GNU patch with the reason that as both have though same root, the code has substantially diverged over time by now, thus the separate CVE id.

Follow that decision by marking CVE-2015-1418 NFU (specifically for patch in FreeBSD) and add CVE-2018-1000156 entry for patch.

Updated https://bugs.debian.org/894993 accordingly.

- - - - -

1 changed file:

- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list +++ b/data/CVE/list
@@ -128158,11 +128158,14 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remo NOTE: http://seclists.org/oss-sec/2015/q1/389 NOTE: Not a real security feature according the manpage and upstream CVE-2015-1418 (patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before ...) + NOT-FOR-US: patch as used in FreeBSD specifically +CVE-2018-1000156 [input validation vulnerability when processing patch files] - patch <unfixed> (bug #894993) NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/ - NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc - NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig - TODO: The CVE is actually specifically for "bsdpatch", asked MITRE for clarification on scope (i.e. if we should get a new CVE for src:patch) + NOTE: https://twitter.com/kurtseifried/status/982028968877436928 + NOTE: This CVE is specifically for GNU patch and relates to CVE-2015-1418 + NOTE: Respective patch in FreeBSD: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc + NOTE: Respective patch in OpenBSD: https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, ...) - kfreebsd-10 10.2-1 (unimportant) NOTE: kfreebsd not covered by security support in Jessie
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f3ed278cd5aa2a49a1d686d495c03e3f8d91d51f
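Review bot: the new CVE-2018-1000156 entry is added between CVE-2015-1418 and CVE-2015-1417, although the context lines of this hunk run in descending CVE id order (CVE-2015-1419, CVE-2015-1418, CVE-2015-1417), so a 2018 id ends up inside the 2015 block near line 128158 of data/CVE/list. Consider moving the entry to where the other CVE-2018 ids sit, or saying in the commit message that the placement is temporary, so that anyone scanning the file by id finds it. A second point on the same entry: the only reference for the assignment is "NOTE: https://twitter.com/kurtseifried/status/982028968877436928"; the commit message says the id was assigned by the DWF project, and a short NOTE stating that in words would keep the reasoning readable if the tweet becomes unavailable.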