[Git][security-tracker-team/security-tracker][master] 2 commits: Clarify state for CVE-2018-1000656 and CVE-2019-1010083 in flask

Salvatore Bonaccorso carnil at debian.org
Sun Aug 25 19:32:37 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a7b41295 by Salvatore Bonaccorso at 2019-08-25T18:27:55Z
Clarify state for CVE-2018-1000656 and CVE-2019-1010083 in flask

Unfortunately upstream remained silent on questions back. And the scope
of CVE-2019-1010083, which was assigned by DWF CNA, remains unclear. It
only references the 1.0 upstream release. It might be a duplicate of
CVE-2018-1000656 or not. It might as well just refer to an incomplete fix
for CVE-2018-1000656 which was released in 1.0.

MITRE thus decided to only add a note of "may overlap" for it, as per the
above it is very unclear for which scope CVE-2019-1010083 was assigned.

- - - - -
fb98f5be by Salvatore Bonaccorso at 2019-08-25T18:32:04Z
Mark CVE-2019-1010083/flask as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -17080,8 +17080,16 @@ CVE-2019-1010084 (Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: In
 	NOT-FOR-US: Dancer::Plugin::SimpleCRUD
 CVE-2019-1010083 (The Pallets Project Flask before 1.0 is affected by: unexpected memory ...)
 	- flask 1.0.2-1
+	[stretch] - flask <no-dsa> (Minor issue)
 	NOTE: https://www.palletsprojects.com/blog/flask-1-0-released/
 	NOTE: https://github.com/pallets/flask/pull/2691/commits/ab4142215d836b0298fc47fa1e4b75408b9c37a0
+	NOTE: After communication with MITRE, this CVE *might* overlap CVE-2018-1000656.
+	NOTE: CVE-2019-1010083 was back then assigned by the DWF CNA, but the exact scope
+	NOTE: of the CVE is unclear and might for instance be for an incomplete fix of
+	NOTE: CVE-2018-1000656. As such it was only noted with a "may overlap". The
+	NOTE: CVE-2019-1010083 only refers to the 1.0 release announcement and it is
+	NOTE: guaranteed that it relates as well to pull request 2691. Upstream itself did
+	NOTE: not comment on direct pings/questions back.
 CVE-2019-1010082
 	RESERVED
 CVE-2019-1010081
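Review bot: The new NOTE lines contradict themselves on the link to pull request 2691. The lines `NOTE: CVE-2019-1010083 only refers to the 1.0 release announcement and it is` / `NOTE: guaranteed that it relates as well to pull request 2691` assert a guaranteed relation, while the preceding NOTE lines (and the commit message) say the exact scope of the CVE is unclear and only a "may overlap" could be recorded. If the intended meaning is that the relation to PR 2691 is not established, change "it is guaranteed" to "it is not guaranteed"; if it is established, say what establishes it (the 1.0 release announcement alone, as referenced by the CVE, does not mention the PR), so that a later reader of data/CVE/list does not draw a stronger conclusion than the `<no-dsa> (Minor issue)` annotation for stretch is based on.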



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/11f2a9c0af07972a3fa08177433fa6188d9d3e43...fb98f5be02d7493270eea5a38dff992ef321b7a8




