[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-78187/golang
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 17 08:01:38 UTC 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d332d95c by Salvatore Bonaccorso at 2018-02-17T08:58:58+01:00
Add CVE-2018-78187/golang
This is the same class of issue as in CVE-2017-15042. Follow thus the
decision there on ignoring the issue for stretch and jessie.
But since this is an issue in go get, we might need to revisit the
decision; this is ongoing within the team.
- - - - -
899037b9 by Salvatore Bonaccorso at 2018-02-17T09:01:07+01:00
Update CVE-2018-6574
This is the same class of issue as in CVE-2017-15042. Follow thus the
decision there on ignoring the issue for stretch and jessie.
But since this is an issue in go get, we might need to revisit the
decision; this is ongoing within the team.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5,7 +5,16 @@ CVE-2018-7189
CVE-2018-7188 (An XSS vulnerability (via an SVG image) in Tiki before 18 allows an ...)
NOT-FOR-US: Tiki
CVE-2018-7187 (The "go get" implementation in Go 1.9.4, when the -insecure ...)
- TODO: check
+ - golang-1.10 <unfixed>
+ - golang-1.9 <unfixed>
+ - golang-1.8 <unfixed>
+ [stretch] - golang-1.8 <ignored> (Minor issue)
+ - golang-1.7 <unfixed>
+ [stretch] - golang-1.7 <ignored> (Minor issue)
+ - golang <removed>
+ [jessie] - golang <ignored> (Minor issue)
+ NOTE: https://github.com/golang/go/issues/23867
+ NOTE: https://github.com/golang/go/commit/c941e27e70c3e06e1011d2dd71d72a7a06a9bcbc
CVE-2018-7185
RESERVED
CVE-2018-7184
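Review bot: The new stretch and jessie lines under CVE-2018-7187 are marked <ignored> (Minor issue) with no NOTE recording why, while the commit message says the decision follows CVE-2017-15042 and may be revisited within the team. A NOTE under the entry naming that precedent and the open discussion would keep the rationale in data/CVE/list itself. The commit subject also reads CVE-2018-78187 while the entry changed here is CVE-2018-7187, which makes the commit harder to find when searching history by CVE id.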
@@ -1631,10 +1640,14 @@ CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases
- golang-1.10 1.10~rc2-1
- golang-1.9 1.9.4-1
- golang-1.8 <unfixed>
+ [stretch] - golang-1.8 <ignored> (Minor issue)
- golang-1.7 <unfixed>
+ [stretch] - golang-1.7 <ignored> (Minor issue)
- golang <removed>
+ [jessie] - golang <ignored> (Minor issue)
NOTE: https://github.com/golang/go/issues/23672
- NOTE: similar to CVE-2017-15041, which was fixed in wheezy, but no-dsa in jessie and ignored in stretch
+ NOTE: https://go.googlesource.com/go/+/44821583bc16ff2508664fab94360bb856e9e9d6
+ NOTE: https://go.googlesource.com/go/+/867fb18b6d5bc73266b68c9a695558a04e060a8a
CVE-2018-6573
RESERVED
CVE-2018-6572
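Review bot: The removed NOTE line under CVE-2018-6574 named CVE-2017-15041 as the similar issue, whereas the commit message bases the new <ignored> tags on CVE-2017-15042; it is worth confirming which of the two is the intended precedent. With that NOTE dropped, the entry no longer says why stretch and jessie are ignored, so consider keeping a short NOTE naming the precedent alongside the two new upstream commit links.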
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/404be00d122546a4aedda6b52aaf1dacdb53d3fe...899037b953478da69c3b13a67ce4f6fb3a6530eb