[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Mark rails issues as unimportante, non-issues/negliglible imapct

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1b883fa9 by Salvatore Bonaccorso at 2018-01-01T14:19:18+01:00
Mark rails issues as unimportante, non-issues/negliglible imapct

All of the methods are confirmed from upstream to be designed such to
accept arbitrary SQL.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -666,23 +666,23 @@ CVE-2017-17922
 CVE-2017-17921
 	RESERVED
 CVE-2017-17920 (SQL injection vulnerability in the 'reorder' method in Ruby on Rails ...)
-	- rails <undetermined>
+	- rails <unfixed> (unimportant)
 	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
-	TODO: check (and other possible earlier source packages)
+	NOTE: All of those methods accept arbitrary SQL by design.
 CVE-2017-17919 (SQL injection vulnerability in the 'order' method in Ruby on Rails ...)
-	- rails <undetermined>
+	- rails <unfixed> (unimportant)
 	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
-	TODO: check (and other possible earlier source packages)
+	NOTE: All of those methods accept arbitrary SQL by design.
 CVE-2017-17918
 	RESERVED
 CVE-2017-17917 (SQL injection vulnerability in the 'where' method in Ruby on Rails ...)
-	- rails <undetermined>
+	- rails <unfixed> (unimportant)
 	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
-	TODO: check (and other possible earlier source packages)
+	NOTE: All of those methods accept arbitrary SQL by design.
 CVE-2017-17916 (SQL injection vulnerability in the 'find_by' method in Ruby on Rails ...)
-	- rails <undetermined>
+	- rails <unfixed> (unimportant)
 	NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/
-	TODO: check (and other possible earlier source packages)
+	NOTE: All of those methods accept arbitrary SQL by design.
 CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based ...)
 	- graphicsmagick 1.3.27-3
 	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b883fa9901c215135fdc70db345986bf16e6098

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b883fa9901c215135fdc70db345986bf16e6098
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180101/881f8e9c/attachment.html>