[Git][security-tracker-team/security-tracker][master] 2 commits: Align severity of CVE-2018-1000845 with CVE-2017-6519

Salvatore Bonaccorso carnil at debian.org
Sat Dec 22 07:15:42 GMT 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3f08dc0a by Salvatore Bonaccorso at 2018-12-22T07:09:54Z
Align severity of CVE-2018-1000845 with CVE-2017-6519

- - - - -
3dcfb466 by Salvatore Bonaccorso at 2018-12-22T07:10:47Z
Add references for CVE-2017-6519 and CVE-2018-1000845

The two CVEs are possibly duplicates; at least they belong to the
same class already. The previous commit thus aligned the severity, and
they are handled with the same commit upstream.

Note though that upstream has reopened as well the bug for further
investigation, so this is likely not the last commit for CVE-2017-6519
and CVE-2018-1000845.

MITRE was asked for their opinion on both CVEs.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -179,9 +179,9 @@ CVE-2018-1000847 (FreshDNS version 1.0.3 and prior contains a Cross Site Scripti
 CVE-2018-1000846 (FreshDNS version 1.0.3 and earlier contains a Cross ite Request ...)
 	NOT-FOR-US: FreshDNS
 CVE-2018-1000845 (Avahi version 0.7 contains a Incorrect Access Control vulnerability in ...)
-	- avahi <unfixed> (low; bug #917047)
-	[stretch] - avahi <no-dsa> (Minor issue)
+	- avahi <unfixed> (unimportant; bug #917047)
 	NOTE: https://github.com/lathiat/avahi/issues/203
+	NOTE: https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f
 CVE-2018-1000844 (Square Open Source Retrofit version Prior to commit ...)
 	NOT-FOR-US: Square Retrofit
 CVE-2018-1000843 (Luigi version prior to version 2.8.0; after commit ...)
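Review bot: The added NOTE for commit e111def44a7df4624a4aa3f85fe98054bffb6b4f under CVE-2018-1000845 does not say that upstream reopened the bug for further investigation, although the commit message does, so a reader of data/CVE/list alone could take that commit as the complete upstream change. A short extra NOTE line stating that issue #203 was reopened would keep the entry accurate while it stays `<unfixed>`. Separately, this hunk drops the `[stretch] - avahi <no-dsa> (Minor issue)` line together with the change from `low` to `unimportant`, and the message of 3f08dc0a mentions only the severity alignment; it would help to name the removal there so it is clear the line was dropped on purpose.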
@@ -95161,6 +95161,7 @@ CVE-2017-6520 (The Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 ...
 CVE-2017-6519 (avahi-daemon in Avahi through 0.6.32 inadvertently responds to IPv6 ...)
 	- avahi <unfixed> (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1426712
+	NOTE: https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f
 CVE-2017-6518 (Cross-site scripting (XSS) vulnerability in /sanadata/seo/index.asp in ...)
 	NOT-FOR-US: SanaCMS
 CVE-2017-6517 (Microsoft Skype 7.16.0.102 contains a vulnerability that could allow ...)
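Review bot: CVE-2017-6519 now shares the upstream commit NOTE with CVE-2018-1000845, but this entry still has no pointer to the other CVE, to bug #917047, or to https://github.com/lathiat/avahi/issues/203, all of which appear only under CVE-2018-1000845. Since the commit message treats the two as possible duplicates handled by the same upstream commit, consider adding a NOTE here that cross-references CVE-2018-1000845 or the upstream issue, so follow-up commits after upstream's reinvestigation are applied to both entries consistently.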



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e2a05e50ea1f1ca3cfc73451700c68b6ea28a3a7...3dcfb466aa17fa0d3801a94866307f21d88100fe
