[Git][security-tracker-team/security-tracker][master] Triage CVE-2018-14574 for jessie LTS.

Chris Lamb lamby at debian.org
Fri Aug 3 13:31:18 BST 2018


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3d6ddbe8 by Chris Lamb at 2018-08-03T12:30:59Z
Triage CVE-2018-14574 for jessie LTS.

Tried backporting the patch/PoC/unittests to test:

  https://gist.github.com/lamby/79baa689aa3f6b5a30cb3a747e1f45be/raw

.. but pretty sure because it uses path over path_info Django never
even "sees" the leading double //.

- - - - -
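The mechanics behind the "leading double //" in the commit message, as an added example that is not part of the commit, the tracker, or Django's own code: an APPEND_SLASH-style redirect that echoes the request path into Location turns a request for `//evil.example` into a protocol-relative redirect, while percent-encoding the second slash keeps the target on the issuing host. The hostnames, `SITE_ORIGIN`, and the sample paths are constructed assumptions; the real middleware also only redirects when the slashed path resolves to a URL pattern, and the example does not model how `path` versus `path_info` is populated from the WSGI environment, which is the point the commit message turns on.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample request paths (not taken from the tracker entry or from
# Django's test-suite). The first two are benign; the rest probe the
# protocol-relative "//host" shape behind CVE-2018-14574.
SAMPLE_PATHS = ["/admin", "/admin/", "//evil.example", "//evil.example/",
                "//evil.example/login"]

# Hypothetical origin the vulnerable site is served from (an assumption).
SITE_ORIGIN = "https://victim.example/"


def append_slash_vulnerable(path):
    """Naive APPEND_SLASH behaviour: if the path lacks a trailing slash,
    redirect to the same path plus '/'. The path is emitted unchanged, so a
    request for '//evil.example' yields Location: //evil.example/.
    (Illustration of the flaw, not Django's actual middleware code.)"""
    if path.endswith("/"):
        return None
    return path + "/"


def escape_leading_slashes(url):
    """Percent-encode the second of two leading slashes so the result is an
    absolute path on the current host rather than a protocol-relative URL.
    Same idea as the upstream fix, written here as a stand-alone helper."""
    if url.startswith("//"):
        return "/%2F" + url[2:]
    return url


def append_slash_hardened(path):
    """APPEND_SLASH with the leading-slash escape applied to the target."""
    if path.endswith("/"):
        return None
    return escape_leading_slashes(path + "/")


def resolved_host(location, origin=SITE_ORIGIN):
    """Host a browser ends up on after following a Location header issued by
    `origin`, using RFC 3986 relative-reference resolution (urljoin)."""
    return urlsplit(urljoin(origin, location)).netloc


def is_open_redirect(location, origin=SITE_ORIGIN):
    """True when the redirect leaves the issuing host; None means no redirect."""
    if location is None:
        return False
    return resolved_host(location, origin) != urlsplit(origin).netloc


def triage(paths=SAMPLE_PATHS, origin=SITE_ORIGIN):
    """For each path, report the Location each variant would send and whether
    it is off-site. Returns {path: (vuln_loc, vuln_offsite, hard_loc, hard_offsite)}."""
    report = {}
    for p in paths:
        v = append_slash_vulnerable(p)
        h = append_slash_hardened(p)
        report[p] = (v, is_open_redirect(v, origin), h, is_open_redirect(h, origin))
    return report


if __name__ == "__main__":
    for path, (v, v_off, h, h_off) in triage().items():
        print(f"{path!r:24} vulnerable -> {v!r:26} offsite={v_off!s:5} "
              f"hardened -> {h!r:28} offsite={h_off}")
```

Note that `//evil.example/` (already slash-terminated) triggers no redirect in either variant, so the attack path needs the missing trailing slash; and that `urljoin` is used deliberately, because it resolves a `//host/...` reference against the issuing origin exactly the way a browser does.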


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -741,10 +741,12 @@ CVE-2018-14575
 CVE-2018-14574 [Open redirect possibility in CommonMiddleware]
 	RESERVED
 	- python-django 1:1.11.15-1 (bug #905216)
+	[jessie] - python-django <not-affected> (Vulnerable code not present)
 	NOTE: https://www.djangoproject.com/weblog/2018/aug/01/security-releases/
 	NOTE: https://github.com/django/django/commit/a656a681272f8f3734b6eb38e9a88aa0d91806f1 (master)
 	NOTE: https://github.com/django/django/commit/c4e5ff7fdb5fce447675e90291fd33fddd052b3c (2.1 release branch)
 	NOTE: https://github.com/django/django/commit/d6eaee092709aad477a9894598496c6deec532ff (1.11 release branch)
+	NOTE: https://github.com/django/django/commit/434d309ef6dbecbfd2b322d3a1da78aa5cb05fa8 (vuln. introduced here?)
 CVE-2018-14573 (A Local File Inclusion (LFI) vulnerability exists in the Web Interface ...)
 	NOT-FOR-US: TightRope Media Carousel Digital Signage
 CVE-2018-14572
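Review bot: the new `[jessie] - python-django <not-affected> (Vulnerable code not present)` line is definitive, but the only supporting evidence added in the same hunk is the NOTE `(vuln. introduced here?)` on commit 434d309e, which is phrased as a question, and the commit message itself only says "pretty sure". Suggest either confirming that 434d309e postdates the Django release shipped in jessie and dropping the question mark, or recording the path-versus-path_info reasoning from the commit message in the NOTE, so the not-affected rationale is traceable from the tracker entry rather than from the commit log.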


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -91,8 +91,6 @@ php5 (Roberto C. Sánchez)
 phpldapadmin
   NOTE: 20180731: See https://lists.debian.org/debian-lts/2018/07/msg00123.html for research already done
 --
-python-django (Chris Lamb)
---
 qemu (Santiago)
 --
 ruby-zip
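Review bot: removing `python-django (Chris Lamb)` from dla-needed.txt is consistent with the not-affected marking in data/CVE/list, but it rests on a conclusion the commit message labels "pretty sure"; if the 434d309e note is later disproved, this entry has to be re-added by hand. The hunk correctly drops both the entry and its trailing `--`, leaving a single separator between phpldapadmin and qemu.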



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d6ddbe8a434ab4dfb5ee391128e12e581240f90
