[Git][security-tracker-team/security-tracker][master] Clarify status for CVE-2019-9929/cfengine3 as confirmed to upstream

Salvatore Bonaccorso carnil at debian.org
Tue Jul 2 14:21:00 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
612bf97c by Salvatore Bonaccorso at 2019-07-02T13:20:41Z
Clarify status for CVE-2019-9929/cfengine3 as confirmed to upstream

The CVE-2019-9929 issue is very specific to leaking CFE_ROBOT user
secrets on installation of CFEngine Enterprise Hub package.

Thanks: Mike Gabriel for the query to upstream.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8154,14 +8154,9 @@ CVE-2019-9931
 CVE-2019-9930
 	RESERVED
 CVE-2019-9929 (Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions. ...)
-	- cfengine3 <undetermined>
-	NOTE: older cfengine variants (cfengine2) affected? Only Enterprise version affected (same version as src:cfengine3)?
-	NOTE: cfengine2 has various publicly readable files in $STATEDIR that reveal info on the modifications done by cfengine2. No credentials found in such files, so far.
-	NOTE: https://github.com/cfengine/core/commit/f7556bf1a0061644e35114a07a91e9b0c3267c48#diff-291cd8f3f0f8a5c1875630ef64a667a2
-	NOTE: related: https://github.com/cfengine/core/commit/461dc7019ab5acebabc341143838a2307d9b92db#diff-a877a71a0122c0ea1c66c03883130b86
-	NOTE: above commits probably unrelated to CVE-2019-9929, but worth another CVE (communication with upstream ongoing)
-	NOTE: as CVE-2019-9929 is about secret leakage in the enterprise edition's installer log, Debian's cfengine3 package is likely not affected
-	NOTE: waiting for confirmation (or such) from upstream
+	- cfengine3 <not-affected> (Issue only affecting CFEngine Enterprise 3.x version)
+	NOTE: Issue is specific to Enterprise version leaking CFE_ROBOT user secrets on
+	NOTE: installation of CFEngine Enterprise Hub package.
 CVE-2019-9928 (GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP c ...)
 	{DSA-4437-1 DLA-1770-1 DLA-1769-1}
 	[experimental] - gst-plugins-base1.0 1.15.90-1
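Review bot: the hunk drops the two upstream commit references (f7556bf1 and 461dc701) together with the NOTE that said they were "probably unrelated to CVE-2019-9929, but worth another CVE (communication with upstream ongoing)"; resolving the cfengine3 status for CVE-2019-9929 does not resolve that separate question, and after this change the tracker carries no pointer to it. Suggest keeping a NOTE with those two commit URLs under this entry (or under a new TODO/placeholder entry) until upstream has answered whether they warrant their own CVE, e.g. retaining the line "NOTE: https://github.com/cfengine/core/commit/f7556bf1a0061644e35114a07a91e9b0c3267c48#diff-291cd8f3f0f8a5c1875630ef64a667a2". Minor: the not-affected reason says "CFEngine Enterprise 3.x version" while the CVE title names 3.12.1; stating the version as the advisory does, or saying "the Enterprise Hub package installer", would make the reason match the new NOTE text immediately below it.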



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/612bf97ca59b59983139a7c53352e598399cbc7d




