[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2018-20839/{systemd,xorg-server}
Salvatore Bonaccorso
carnil at debian.org
Tue Jul 23 05:52:18 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
90438d65 by Salvatore Bonaccorso at 2019-07-23T04:50:32Z
Update notes for CVE-2018-20839/{systemd,xorg-server}
The status is overall not yet fully clear. What is clear is that the
original fix introduces regressions and is not the right approach.
Unclear if the tracking and fixing should happen in xorg-server or in
systemd. For now track both source packages and monitor how the
discussion evolves.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -6015,12 +6015,16 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows att
[buster] - systemd <no-dsa> (Minor issue)
[stretch] - systemd <no-dsa> (Minor issue)
[jessie] - systemd <no-dsa> (Not reproducible without Ubuntu-style persistant VT1 greeter; too invasive to fix)
+ - xorg-server <unfixed>
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
NOTE: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
NOTE: https://github.com/systemd/systemd/pull/12378
NOTE: The fix introduced a regression, cf. https://bugs.debian.org/929229
NOTE: Issue was originally fixed for unstable in 241-4 but was reverted in 241-5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/issues/857
+ NOTE: Upstream from systemd claimed originally it's not an issue in systemd, but
+ NOTE: might revisit. Furthermore the issue might be fixed in the xorg xserver.
+ NOTE: Tentative merge request: https://gitlab.freedesktop.org/xorg/xserver/merge_requests/241
CVE-2019-12149 (SQL injection vulnerability in silverstripe/restfulserver module 1.0.x ...)
NOT-FOR-US: SilverStripe
CVE-2019-12148
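Review bot: The added "- xorg-server <unfixed>" line has no per-release entries, while the systemd lines directly above it carry [buster], [stretch] and [jessie] <no-dsa> annotations. xorg-server will therefore show as open for those same releases even though the issue is triaged as minor on the systemd side. Consider adding matching release lines for xorg-server, or a NOTE saying that its triage is pending the upstream discussion. Separately, the new NOTE beginning "Upstream from systemd claimed originally it's not an issue in systemd" gives no reference for that statement. A link to the comment where upstream said so would let the next person triaging this entry verify it without rereading the whole thread.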
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90438d65f866be55bb7759c5f391bc75bcb835c9