[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Update entry for CVE-2015-1418, keep TODO until clarified with MITRE
Salvatore Bonaccorso
carnil at debian.org
Fri Apr 6 05:04:30 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a6ac9a25 by Salvatore Bonaccorso at 2018-04-06T06:04:03+02:00
Update entry for CVE-2015-1418, keep TODO until clarified with MITRE
Same issue is in src:patch as well as shown by
https://bugs.debian.org/894993 and
https://rachelbythebay.com/w/2018/04/05/bangpatch/ with a crafted patch
file.
For now associate CVE-2015-1418 as well with src:patch but clarification
with MITRE is pending if the src:patch issue should get a new
identifier, bsdpatch and GNU patch being different sources.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -128158,7 +128158,11 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remo
NOTE: http://seclists.org/oss-sec/2015/q1/389
NOTE: Not a real security feature according the manpage and upstream
CVE-2015-1418 (patch in FreeBSD 10.1 before 10.1-RELEASE-p17, 10.2 before ...)
- TODO: check
+ - patch <unfixed> (bug #894993)
+ NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
+ NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc
+ NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/013_patch.patch.sig
+ TODO: The CVE is actually specifically for "bsdpatch", asked MITRE for clarification on scope (i.e. if we should get a new CVE for src:patch)
CVE-2015-1417 (The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, ...)
- kfreebsd-10 10.2-1 (unimportant)
NOTE: kfreebsd not covered by security support in Jessie
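Review bot: the provisional status of the src:patch association is recorded only in the trailing TODO. The `- patch <unfixed> (bug #894993)` line and the NOTEs under it carry no such marker. The CVE description line still reads "patch in FreeBSD 10.1 before 10.1-RELEASE-p17", and the FreeBSD-SA-15:18.bsdpatch and OpenBSD 5.7 013_patch links both refer to the BSD implementation, so a reader scanning the entry could take them as fix references for src:patch. Consider adding a short NOTE directly under the package line stating that the association with src:patch is pending MITRE's answer and that the two BSD advisory links are background for bsdpatch only, so the context survives if the TODO is later reworded or dropped.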
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a6ac9a25a288b83168ec1cc1ea7441341face70e