[Git][security-tracker-team/security-tracker][master] Mark CVE -2018-19205 as ignored for stretch

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8ce6124e by Salvatore Bonaccorso at 2018-11-24T07:44:35Z
Mark CVE -2018-19205 as ignored for stretch

The respective feature would rely on a properly working php-crypt-gpg
installation. Those might be custom on the system (as php-crypt-gpg is
not in stretch). But plugins/enigma/lib/enigma_driver_gnupg.php from
1.2.x has bigger issues anyway, since it's decrypt() function doesn't
verify signatures on encrypted message.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1058,6 +1058,7 @@ CVE-2018-19206 (steps/mail/func.inc in Roundcube before 1.3.8 has XSS via crafte
 	NOTE: https://github.com/roundcube/roundcubemail/commit/adcac3b9de2728c34c4d2b107e54823b6a7f6a5b (master)
 CVE-2018-19205 (Roundcube before 1.3.7 mishandles GnuPG MDC integrity-protection ...)
 	- roundcube 1.3.8+dfsg.1-1
+	[stretch] - roundcube <ignored> (Relies on properly working php-crypt-gpg)
 	NOTE: https://roundcube.net/news/2018/07/27/update-1.3.7-released
 	NOTE: https://github.com/roundcube/roundcubemail/issues/6289
 	NOTE: https://github.com/roundcube/roundcubemail/commit/94da947855329c5062ec2a7098eb86fb675aac37 (release-1.3)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ce6124efe67d37c0138eb04f72d4e258559348a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ce6124efe67d37c0138eb04f72d4e258559348a
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181124/ed42675d/attachment.html>