<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Salvatore Bonaccorso pushed to branch master
at <a href="https://salsa.debian.org/security-tracker-team/security-tracker">Debian Security Tracker / security-tracker</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c511de24594a6e1e6a1b4a9bcc7348c0feec7b9a">c511de24</a></strong>
<div>
<span>by Salvatore Bonaccorso</span>
<i>at 2020-12-16T21:41:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update tracking for lxml issue
After checking with Red Hat secalert and upstream lxml it is not
agreed to treat those two as different issues but both vectors covered
by CVE-2020-27783.
According to upstream both issues were discovered together. Neither the
chosen description nor the bugzilla back then treated them
differently.
Red Hat secalert has updated accordingly comment #0 in bugzilla.
Upstream comment:
https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7
..
That said: no idea why then only one commit landed in 4.6.1 and the
other in 4.6.2.
For Debian LTS this means: upload another iteration of lxml with the
second fix applied and use DLA-2467-2 accordingly as 'security update'
(and not regression update).
</pre>
</li>
</ul>
<h4>1 changed file:</h4>
<ul>
<li class="file-stats">
<a href="#4716ef5aa8f2742228ba3b3633215c8b808565e3">
data/CVE/list
</a>
</li>
</ul>
<h4>Changes:</h4>
<li id="4716ef5aa8f2742228ba3b3633215c8b808565e3">
<a href="https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c511de24594a6e1e6a1b4a9bcc7348c0feec7b9a#4716ef5aa8f2742228ba3b3633215c8b808565e3"><strong>data/CVE/list</strong></a>
</li>
</div>
</body>
</html>