[Git][security-tracker-team/security-tracker][master] Add rexical to CVE-2019-5477

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7b895dd3 by Salvatore Bonaccorso at 2019-08-30T19:52:53Z
Add rexical to CVE-2019-5477

The CVE was originally focused on Nokogiri itself and it's use of the
generated code. But MITRE CNA confirmed that the scope can cover the
rexical change itself as vulnerability.

Thus track the issue for src:rexical itself.

Thanks: Mike Gabriel for the additional input to make this change.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -29625,10 +29625,13 @@ CVE-2019-5479
 CVE-2019-5478
 	RESERVED
 CVE-2019-5477 (A command injection vulnerability in Nokogiri v1.10.3 and earlier allo ...)
+	- rexical <unfixed>
 	- ruby-nokogiri 1.10.4+dfsg1-1 (bug #934802)
 	NOTE: https://github.com/sparklemotion/nokogiri/issues/1915
 	NOTE: Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file
 	NOTE: is being passed untrusted user input.
+	NOTE: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
+	NOTE: Change in rexical is covered by the scope of this CVE.
 CVE-2019-5476 (An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running o ...)
 	TODO: check
 CVE-2019-5475



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b895dd394de0b79d235556efcfadf800f070dac

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b895dd394de0b79d235556efcfadf800f070dac
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190830/ca65c776/attachment-0001.html>