[Secure-testing-commits] r56990 - in data: . CVE

Raphaël Hertzog hertzog at moszumanska.debian.org
Thu Oct 26 15:36:28 UTC 2017


Author: hertzog
Date: 2017-10-26 15:36:28 +0000 (Thu, 26 Oct 2017)
New Revision: 56990

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Triage check-mk CVE on wheezy

All XSS issues have been ignored up to now, I don't see why CVE-2017-9781
should be treated differently.

For CVE-2017-14955, the issue is in code which doesn't exist in 1.1.12p7-1.

With those changes, I can drop check-mk from dla-needed.txt.

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-10-26 15:34:27 UTC (rev 56989)
+++ data/CVE/list	2017-10-26 15:36:28 UTC (rev 56990)
@@ -2393,6 +2393,7 @@
 	NOT-FOR-US: AlienVault
 CVE-2017-14955 (Check_MK before 1.2.8p26 mishandles certain errors within the ...)
 	- check-mk 1.2.8p26-1
+	[wheezy] - check-mk <not-affected> (Vulnerable code not present)
 	NOTE: http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8
 	NOTE: https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes
 	NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=a4a2cc1f30ff6032899ca80eed29fa26b8898c54
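Review bot: the new [wheezy] line gives "Vulnerable code not present" as its reason, but nothing in the entry records which wheezy version was inspected. The commit message names 1.1.12p7-1. A NOTE line under this CVE stating that the code touched by the upstream commit is absent in 1.1.12p7-1 would keep that evidence in the tracker rather than only in the commit log.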
@@ -16978,6 +16979,7 @@
 CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...)
 	[experimental] - check-mk 1.4.0p9-1
 	- check-mk <unfixed> (bug #865497)
+	[wheezy] - check-mk <ignored> (Minor issue)
 	NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=4757
 	NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via unknown ...)
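Review bot: the reason "(Minor issue)" on the added [wheezy] line does not carry the rationale actually given in the commit message, which is consistency with earlier XSS issues having been ignored. Consider stating that in the parenthetical or in a NOTE, so that someone reading only data/CVE/list can see why an XSS with an upstream fix commit and an open bug (#865497) was not fixed in wheezy.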

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt	2017-10-26 15:34:27 UTC (rev 56989)
+++ data/dla-needed.txt	2017-10-26 15:36:28 UTC (rev 56990)
@@ -13,12 +13,6 @@
 ca-certificates
   NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155c5a@pbandjelly.org
 --
-check-mk
-  NOTE: the code is different in wheezy but from a cursory look, there
-  NOTE: might be multiple places where error messages are not properly
-  NOTE: HTML escaped. Without trying, it's hard to know if the error
-  NOTE: messages do include user controllable content.
---
 exiv2 (Raphaël Hertzog)
   NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, sent email later
 --
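Review bot: removing the check-mk entry also drops the only record of the observation that the wheezy code "might be multiple places where error messages are not properly HTML escaped" and that it is unknown whether those messages include user-controllable content. Neither data/CVE/list hunk in this commit preserves it. Consider moving those NOTE lines under the CVE-2017-14955 entry, so that the open question stays visible after the package leaves dla-needed.txt.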



