[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-10086 as no-dsa for stretch and buster
Salvatore Bonaccorso
carnil at debian.org
Sun Dec 29 21:06:13 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
da2c227c by Salvatore Bonaccorso at 2019-12-29T21:03:21Z
Mark CVE-2019-10086 as no-dsa for stretch and buster
When applying the patch for CVE-2019-10086 the library switches the
default to be secured, and instead one needs to opt-out vs. opt-in and
allow access to the 'class' property.
Might need investigation of affected reverse dependencies for functional
regressions if this is applied for stable releases. This might be safe,
as at least Red Hat and SUSE seem to have done the switch in some of
their products.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -36644,9 +36644,14 @@ CVE-2019-10087 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted
CVE-2019-10086 (In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class wa ...)
{DLA-1896-1}
- commons-beanutils 1.9.4-1
+ [buster] - commons-beanutils <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - commons-beanutils <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://issues.apache.org/jira/browse/BEANUTILS-520
NOTE: https://github.com/apache/commons-beanutils/pull/7
NOTE: https://github.com/apache/commons-beanutils/commit/dd48f4e589462a8cdb1f29bbbccb35d6b0291d58
+ NOTE: With the patch applied, the libary is secured by default. To opt-out and allow
+ NOTE: access to the 'class' property one needs to remove the feature explicitly. Cf.
+ NOTE: https://github.com/apache/commons-beanutils/pull/7#issue-281406699
CVE-2019-10085 (In Apache Allura prior to 1.11.0, a vulnerability exists for stored XS ...)
NOT-FOR-US: Apache Allura
CVE-2019-10084 (In Apache Impala 2.7.0 to 3.2.0, an authenticated user with access to ...)
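Review bot: the added line `+ NOTE: With the patch applied, the libary is secured by default. To opt-out and allow` misspells "library"; suggest correcting it to `library` before this entry lands, since the NOTE text is shown verbatim in the tracker. On the same added block, the no-dsa rationale `(Minor issue; can be fixed via point release)` on the `[buster]` and `[stretch]` lines does not record the caveat the commit message raises: the upstream fix flips access to the 'class' property from opt-in to opt-out, so reverse dependencies need a regression check before any stable point-release update. Consider adding that to the NOTE lines so whoever prepares the point release sees it alongside the upstream references.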
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da2c227c4d6f3db12ced207d6d41fd2feadcb49d