[Git][security-tracker-team/security-tracker][master] Add notes for CVE-2019-6446/python-numpy
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 2 13:26:54 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c6605422 by Salvatore Bonaccorso at 2019-02-02T13:25:46Z
Add notes for CVE-2019-6446/python-numpy
The proposed switch will only be in a major bump version, e.g. 1.17.0
and documented in the release notes.
Changing the default in a stable release is not sensible.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2022,6 +2022,10 @@ CVE-2019-6446 (An issue was discovered in NumPy 1.16.0 and earlier. It uses the
NOTE: For upstream this works as intended and is documented. Proposed
NOTE: solution of switching the default might be dangerous for users who rely on
NOTE: the current behavior.
+ NOTE: https://github.com/numpy/numpy/commit/a2bd3a7eabfe053d6d16a2130fdcad9e5211f6bb
+ NOTE: adds already support to disable use of picke in load/save.
+ NOTE: Proposed fix/partial mitigation via:
+ NOTE: https://github.com/numpy/numpy/pull/12889
CVE-2019-6445 (An issue was discovered in NTPsec before 1.1.3. An authenticated ...)
- ntpsec 1.1.3+dfsg1-1 (bug #919513)
CVE-2019-6444 (An issue was discovered in NTPsec before 1.1.3. process_control() in ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c66054220154522b6af3474695fb57577ac125b9
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c66054220154522b6af3474695fb57577ac125b9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190202/58d5081a/attachment.html>
More information about the debian-security-tracker-commits
mailing list