[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-384{3,4}/systemd as no-dsa
    Salvatore Bonaccorso 
    carnil at debian.org
       
    Sun Apr 28 08:03:54 BST 2019
    
    
  
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
32a4a628 by Salvatore Bonaccorso at 2019-04-28T07:01:19Z
Mark CVE-2019-384{3,4}/systemd as no-dsa
Attack vector requires control both of an exploitable service and a
helper outside. Furthermore DynamicUsers are not widely used. As per
https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596/comments/7
in Debian itself those are yet limited, but still present.
The version in stretch (v232) is the version introducing support for
DynamicUsers, earlier versions as for jessie might thus even not be
affected but would need to be checked.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -19057,12 +19057,14 @@ CVE-2019-3845 (A lack of access control was found in the message queues maintain
 	NOT-FOR-US: qpid dispatch router
 CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...)
 	- systemd <unfixed>
+	[stretch] - systemd <no-dsa> (Minor issue; exploit vector needs control both of the service and a helper outside)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1684610
 	NOTE: https://github.com/systemd/systemd/commit/bf65b7e0c9fc215897b676ab9a7c9d1c688143ba
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1771
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596
 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...)
 	- systemd <unfixed>
+	[stretch] - systemd <no-dsa> (Minor issue; exploit vector needs control both of the service and a helper outside)
 	NOTE: https://github.com/systemd/systemd/commit/3c27973b13724ede05a06a5d346a569794cda433
 	NOTE: https://github.com/systemd/systemd/commit/f69567cbe26d09eac9d387c0be0fc32c65a83ada
 	NOTE: https://github.com/systemd/systemd/commit/9d880b70ba5c6ca83c82952f4c90e86e56c7b70c
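Review bot: The two added "[stretch] - systemd <no-dsa>" lines (under CVE-2019-3844 and CVE-2019-3843) record only the stretch decision, while the commit message says that versions before v232, as in jessie, might not be affected but would need to be checked; nothing in either entry tracks that open question. Consider adding a NOTE: line to each entry stating that DynamicUser support was introduced in v232 and that the jessie status is still unchecked, so the follow-up is visible in data/CVE/list and not only in the commit log. The parenthetical reason could also mention the second rationale from the commit message, that DynamicUsers are not widely used, since the entry currently gives only the exploit-vector argument.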
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/32a4a62898f80c4680f087792970a95f2e727f6e