[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17187/qpid-proton

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f068e100 by Salvatore Bonaccorso at 2018-11-14T22:10:08Z
Add CVE-2018-17187/qpid-proton

The source is thus present in older suites and in the stable release.

If the source is present but proton-j does not land in any of the
produced binary packages this can be markded as unimportant severity.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5384,7 +5384,13 @@ CVE-2018-17189
 CVE-2018-17188
 	RESERVED
 CVE-2018-17187 (The Apache Qpid Proton-J transport includes an optional wrapper layer ...)
-	TODO: check
+	- qpid-proton 0.22.0-1
+	NOTE: https://qpid.apache.org/cves/CVE-2018-17187.html
+	NOTE: https://issues.apache.org/jira/browse/PROTON-1962
+	NOTE: https://github.com/apache/qpid-proton-j/commit/0cb8ca03cec42120dcfc434561592d89a89a805e
+	NOTE: Up to 0.17.0-rc1 upstream proton-j was included in the qpid-proton distribution
+	NOTE: but then moved out to a own repository.
+	NOTE: Cf. https://github.com/apache/qpid-proton/commit/ccdcf32932f04b387da9d4dbd810da29cae223aa
 CVE-2018-17186 (An administrator with workflow definition entitlements can use DTD to ...)
 	NOT-FOR-US: Apache Syncope
 CVE-2018-17185



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f068e1001eff289c375b3298c971d729afa9be3b

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f068e1001eff289c375b3298c971d729afa9be3b
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181114/cdfb74dc/attachment.html>