[Secure-testing-commits] r58688 - data/CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Tue Dec 19 11:33:23 UTC 2017
Author: hertzog
Date: 2017-12-19 11:33:23 +0000 (Tue, 19 Dec 2017)
New Revision: 58688
Modified:
data/CVE/list
Log:
Mark CVE-2017-17718 as ignored in wheezy/jessie
The documentation of the ruby-net-ldap module in wheezy/jessie
states that no SSL/TLS validation is done, neither for the
certificate signature nor for the associated hostname.
This CVE is only about newer versions which dropped this
part of the documentation when in fact only the certificate
signature is checked, and not the associated hostname.
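The distinction drawn above, signature validation versus hostname validation, as an added example in Ruby's standard openssl library; this is not code from the commit or from the net-ldap gem, and the host name ldap.example.test and the self-signed certificate are constructed sample data:

```ruby
require 'openssl'

# Constructed sample: a self-signed certificate whose subjectAltName names
# the LDAP host a client expects (hypothetical name ldap.example.test).
def build_sample_cert(hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}", false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The two independent checks a client must make. A certificate can carry a
# valid signature from a trusted key and still name a different host, which
# is the gap a signature-only check leaves open.
def peer_checks(cert, trusted_key, hostname)
  {
    signature: cert.verify(trusted_key),
    hostname:  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
  }
end

# An SSLContext that makes OpenSSL enforce both checks itself; the name given
# to SSLSocket#hostname= is what verify_hostname compares against.
def strict_ldaps_context(ca_file: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER, verify_hostname: true)
  ctx.ca_file = ca_file if ca_file
  ctx
end

if __FILE__ == $PROGRAM_NAME
  cert, key = build_sample_cert('ldap.example.test')
  p peer_checks(cert, key, 'ldap.example.test')  # {:signature=>true, :hostname=>true}
  p peer_checks(cert, key, 'other.example.test') # {:signature=>true, :hostname=>false}
end
```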
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-12-19 09:29:16 UTC (rev 58687)
+++ data/CVE/list 2017-12-19 11:33:23 UTC (rev 58688)
@@ -87,7 +87,11 @@
RESERVED
CVE-2017-17718 (The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL ...)
- ruby-net-ldap <unfixed> (bug #884693)
+ [wheezy] - ruby-net-ldap <ignored> (Doc always said that there is no validation)
+ [jessie] - ruby-net-ldap <ignored> (Doc always said that there is no validation)
NOTE: https://github.com/ruby-ldap/ruby-net-ldap/issues/258
+ NOTE: Versions < 0.10 properly acknowledge in their documentation the lack of any SSL validation, see https://sources.debian.org/src/ruby-net-ldap/0.8.0-1/lib/net/ldap.rb/#L476
+ NOTE: In wheezy/jessie, only reverse dependencies are redmine (which is unsupported in wheezy) and ruby-omniauth-ldap (which has no reverse dep either).
CVE-2017-17717 (Sonatype Nexus Repository Manager through 2.14.5 has weak password ...)
NOT-FOR-US: Sonatype Nexus
CVE-2017-17716 (GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate ...)
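Review bot: the two new `<ignored>` entries for wheezy and jessie both rest on the added NOTE that versions < 0.10 document the lack of SSL validation, but the only evidence cited is the wheezy source (the sources.debian.org link to ruby-net-ldap 0.8.0-1); consider adding the corresponding link for the jessie version so the jessie ignore marking is backed by the same documentation check rather than inferred from the wheezy one.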