[Git][security-tracker-team/security-tracker][master] Investigated CVE-2019-9858 and determined that Debian is vulnerable but

Sun Jun 9 23:42:04 BST 2019


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e49e5e69 by Ola Lundqvist at 2019-06-09T22:40:29Z
Investigated CVE-2019-9858 and determined that Debian is vulnerable but
not in the mentioned way. The path does not exist so a backdoor is not possible
to place but it is possible to manipulate the path but the severity is much less.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -7824,8 +7824,10 @@ CVE-2019-9860 (Due to unencrypted signal communication and predictability of rol
 CVE-2019-9859
 	RESERVED
 CVE-2019-9858 (Remote code execution was discovered in Horde Groupware Webmail 5.2.22 ...)
-	- php-horde-form <undetermined>
-	TODO: check
+	- php-horde-form 2.0.8-2
+	NOTE: It is not possible install a backdoor on a Debian installed wordpress since
+	NOTE: the mentioned path do not exist and is not writeable. It is still possible
+	NOTE: to overwrite files, but the severity is much less.
 CVE-2019-9856
 	RESERVED
 CVE-2019-9855



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e49e5e6921de566bd7a295b34e5b9af6d615f0bb

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e49e5e6921de566bd7a295b34e5b9af6d615f0bb
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190609/a0d53168/attachment-0001.html>
