[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-10897/yum-utils as unfixed

Salvatore Bonaccorso carnil at debian.org
Mon Feb 11 15:13:14 GMT 2019 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dae9c3b5 by Salvatore Bonaccorso at 2019-02-11T15:11:56Z
Mark CVE-2018-10897/yum-utils as unfixed

Second half of the patch was not applied 1.1.31-2.1 but not clear if
it's relevant to fix/address the issue. There will be a followup fix
including both commits and we can be on safe side by marking it fixed
with both commits applied.

Thanks: Holger Levsen

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -42478,16 +42478,13 @@ CVE-2018-10899
 CVE-2018-10898 (A vulnerability was found in openstack-tripleo-heat-templates before ...)
 	- tripleo-heat-templates <removed>
 CVE-2018-10897 (A directory traversal issue was found in reposync, a part of ...)
-	- yum-utils 1.1.31-2.1 (bug #921131)
+	- yum-utils <unfixed> (bug #921131)
 	[stretch] - yum-utils <ignored> (Minor issue)
 	[jessie] - yum-utils <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1600221
 	NOTE: https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c
 	NOTE: https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c
 	NOTE: https://github.com/rpm-software-management/yum-utils/pull/43
-	NOTE: Second part of the patch seems missing in 1.1.31-2.1 but possibly not
-	NOTE: needed to address the issue.
-	TODO: check
 CVE-2018-10896 (The default cloud-init configuration, in cloud-init 0.6.2 and newer, ...)
 	NOT-FOR-US: Red Hat-specific packaging flaw of cloud-init default config
 CVE-2018-10895 (qutebrowser before version 1.4.1 is vulnerable to a cross-site request ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dae9c3b51355167a0f45b3a1c3e7d6045f990f2a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dae9c3b51355167a0f45b3a1c3e7d6045f990f2a
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190211/2e86d78d/attachment.html>

More information about the debian-security-tracker-commits mailing list