[Secure-testing-commits] r48402 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Thu Jan 26 06:11:59 UTC 2017
Author: carnil
Date: 2017-01-26 06:11:59 +0000 (Thu, 26 Jan 2017)
New Revision: 48402
Modified:
data/CVE/list
Log:
Update for CVE-2014-3539
This way the tracking is not fully correct. Maybe we should revert it,
mark still as <unfixed> and/but downgrade the bug severity since some
mitigation was added.
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-01-26 05:49:12 UTC (rev 48401)
+++ data/CVE/list 2017-01-26 06:11:59 UTC (rev 48402)
@@ -86192,11 +86192,15 @@
REJECTED
CVE-2014-3539 [pickle.load of remotely supplied data with no authentication required]
RESERVED
- - rope <unfixed> (bug #777525)
+ - rope 0.10.3-1 (bug #777525)
[jessie] - rope <no-dsa> (Minor issue)
[squeeze] - rope <no-dsa> (Minor issue)
[wheezy] - rope <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1116485
+ NOTE: https://github.com/python-rope/rope/issues/105
+ NOTE: 0.10.3-1 only adds a mitigation for the issue, so not completely fixed.
+ NOTE: Still mark it as fixed in this version because patch limits socket
+ NOTE: connections to localhost only
CVE-2014-3538 (file before 5.19 does not properly restrict the amount of data read ...)
{DSA-3021-1 DSA-3008-1 DLA-67-1 DLA-50-1}
- file 1:5.19-1
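Review bot: The changed rope entry and its new NOTE lines disagree: `- rope 0.10.3-1 (bug #777525)` records 0.10.3-1 as the fixed version, while the NOTE added below says 0.10.3-1 "only adds a mitigation for the issue, so not completely fixed". Restricting socket connections to localhost does not add the authentication that the CVE description says is missing, so the pickle.load path is still there for anything that can connect locally. I would keep the entry at `<unfixed>` and carry the mitigation in the NOTE lines, lowering the severity as the log message itself proposes, so that versions from 0.10.3-1 onward are not treated as not affected.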