[Git][security-tracker-team/security-tracker][master] Add notes for CVE-2019-6446/python-numpy

[Salvatore Bonaccorso]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c6605422 by Salvatore Bonaccorso at 2019-02-02T13:25:46Z
Add notes for CVE-2019-6446/python-numpy

The proposed switch will only be in a major bump version, e.g. 1.17.0
and documented in the release notes.

Changing the default in a stable release is not sensible.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2022,6 +2022,10 @@ CVE-2019-6446 (An issue was discovered in NumPy 1.16.0 and earlier. It uses the
 	NOTE: For upstream this works as intended and is documented. Proposed
 	NOTE: solution of switching the default might be dangerous for users who rely on
 	NOTE: the current behavior.
+	NOTE: https://github.com/numpy/numpy/commit/a2bd3a7eabfe053d6d16a2130fdcad9e5211f6bb
+	NOTE: adds already support to disable use of picke in load/save.
+	NOTE: Proposed fix/partial mitigation via:
+	NOTE: https://github.com/numpy/numpy/pull/12889
 CVE-2019-6445 (An issue was discovered in NTPsec before 1.1.3. An authenticated ...)
 	- ntpsec 1.1.3+dfsg1-1 (bug #919513)
 CVE-2019-6444 (An issue was discovered in NTPsec before 1.1.3. process_control() in ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c66054220154522b6af3474695fb57577ac125b9

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c66054220154522b6af3474695fb57577ac125b9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190202/58d5081a/attachment.html>