[Secure-testing-commits] r58531 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Wed Dec 13 21:08:32 UTC 2017
Author: carnil
Date: 2017-12-13 21:08:32 +0000 (Wed, 13 Dec 2017)
New Revision: 58531
Modified:
data/CVE/list
Log:
Mark CVE-2017-17520 as unimportant
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-12-13 21:03:13 UTC (rev 58530)
+++ data/CVE/list 2017-12-13 21:08:32 UTC (rev 58531)
@@ -158,8 +158,12 @@
RESERVED
CVE-2017-17520 [argument injection]
RESERVED
- - tin <unfixed>
+ - tin <unfixed> (unimportant)
NOTE: https://sources.debian.org/src/tin/1:2.4.1-1/tools/url_handler.pl/?hl=120#L120
+ NOTE: Documentation has a clear SECURITY section mentioning that [...] url_handler
+ NOTE: does not try hard to shell escape its input nor does it convert relative URLs
+ NOTE: into abosulte ones. If you use url_handler.pl from other applications be sure to
+ NOTE: at least shell escaped its input.
CVE-2017-17519 [argument injection]
RESERVED
- ocaml-batteries <unfixed>
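Review bot: The added NOTE lines under CVE-2017-17520 justify the (unimportant) tag by quoting the documentation's SECURITY section, but they give no pointer to where that text lives, unlike the existing NOTE that links to url_handler.pl at line 120. Consider adding a NOTE naming the file or URL that carries the SECURITY section so the rationale can be rechecked later. The quoted text also reads "abosulte" (absolute) and "at least shell escaped its input" (shell escape); if these are transcription slips and not the upstream wording, correct them in a follow-up commit. Since the entry stays <unfixed> and the quoted warning puts the burden on callers, it may also help to state in a NOTE that other applications invoking url_handler.pl with untrusted URLs remain exposed unless they escape the input themselves.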