[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2019-10735/claws-mail postponed on jessie
Emilio Pozuelo Monfort
pochu at debian.org
Tue Jun 18 12:02:40 BST 2019
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ce1ca2d8 by Emilio Pozuelo Monfort at 2019-06-18T10:26:55Z
CVE-2019-10735/claws-mail postponed on jessie
- - - - -
9d5182bb by Emilio Pozuelo Monfort at 2019-06-18T10:30:30Z
CVE-2018-19608/polarssl no-dsa on jessie
- - - - -
334d73d8 by Emilio Pozuelo Monfort at 2019-06-18T10:57:33Z
CVE-2015-9284/ruby-omniauth no-dsa on jessie
So far it looks like the fix needs to happen in omniauth users, which
need to ensure requests are done using HTTP POST and include a CSRF
token. For the rails omniauth users a new gem is available that helps
with this. However since there are no omniauth users in jessie that
we would need to address and since there's no fix in omniauth itself
(at least for now), let's mark this as no-dsa. We can revisit it later
if a better fix gets implemented in omniauth itself.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4575,6 +4575,7 @@ CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability all
NOT-FOR-US: GAT-Ship Web Module
CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site ...)
- ruby-omniauth <unfixed>
+ [jessie] - ruby-omniauth <no-dsa> (Fix is in additional gem and needs CSRF protection in apps)
NOTE: https://github.com/omniauth/omniauth/pull/809
NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/11
CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable ...)
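Review bot: the reason on the added `[jessie] - ruby-omniauth <no-dsa>` line says the fix lives in an "additional gem" without naming it; the commit message and the notes being dropped from data/dla-needed.txt identify it as omniauth-rails, so consider spelling that out here (e.g. "Fix is in the separate omniauth-rails gem and needs CSRF protection in apps") so whoever revisits this entry does not have to dig through history to find what to look for. The entry otherwise still tracks `ruby-omniauth <unfixed>`, which matches the commit message's statement that there is no fix in omniauth itself yet.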
@@ -5316,6 +5317,7 @@ CVE-2019-10735 (In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP
- claws-mail <unfixed> (low; bug #926705)
[buster] - claws-mail <postponed> (Revisit when fixed upstream)
[stretch] - claws-mail <postponed> (Revisit when fixed upstream)
+ [jessie] - claws-mail <postponed> (Revisit when fixed upstream)
NOTE: https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4159
CVE-2019-10734 (In KDE Trojita 0.7, an attacker in possession of S/MIME or PGP encrypt ...)
- trojita <itp> (bug #795701)
@@ -30990,6 +30992,7 @@ CVE-2018-19608 (Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allo
- mbedtls 2.14.1-1 (bug #915796)
[stretch] - mbedtls <no-dsa> (Minor issue)
- polarssl <removed>
+ [jessie] - polarssl <no-dsa> (Minor issue)
NOTE: http://cat.eyalro.net/
NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03
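Review bot: the added `[jessie] - polarssl <no-dsa> (Minor issue)` line reuses the stretch mbedtls wording, while the dla-needed.txt note being removed in the same push recorded that it was "Not 100% sure if vulnerable" for polarssl; if that uncertainty still applies to the jessie package, it is worth keeping it in the reason text (e.g. "Minor issue; not confirmed vulnerable") so the tag is not read as a confirmed-but-minor finding.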
=====================================
data/dla-needed.txt
=====================================
@@ -17,9 +17,6 @@ bind9 (Thorsten Alteholz)
NOTE: 20190526: test package failed, probably not vulnerable
NOTE: 20190609: upstream patches do not seem to work
--
-claws-mail
- NOTE: 20190408: patch not yet available
---
faad2 (Hugo Lefeuvre)
NOTE: 20190519: I have a few patches pending for open issues. Will be PR-ed soon.
NOTE: 20190525: see https://github.com/knik0/faad2/pull/36
@@ -89,9 +86,6 @@ mupdf
NOTE: 20190529: Upload candidate: http://packages.sunweavers.net/debian/pool/main/m/mupdf/mupdf_1.5-1+deb8u5.dsc
NOTE: 20190529: Not yet fully tested.
--
-polarssl
- NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby)
---
python-urllib3 (Roberto C. Sánchez)
NOTE: 20190601: Packages built. (roberto)
--
@@ -109,13 +103,6 @@ qemu
NOTE: 20190529: Upload candidate: http://packages.sunweavers.net/debian/pool/main/q/qemu/qemu_2.1+dfsg-12+deb8u12.dsc
NOTE: 20190529: More testing needed.
--
-ruby-omniauth
- NOTE: CVE-2015-9284: The vulnerability is rathar bad, especially in combination with other
- NOTE: CVE-2015-9284: known vulnerabilities. However the issue is rather old and the impact
- NOTE: CVE-2015-9284: may be rather large. When fixing this needs to be further investigated.
- NOTE: CVE-2015-9284: This issue fixed in rails community by introducing a new gem called omniauth-
- NOTE: CVE-2015-9284: rails.
---
sdl-image1.2
NOTE: see libsdl2 entry.
--
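Review bot: the removed NOTE lines are the only place that recorded the assessment that the issue is "rather bad" in combination with other known vulnerabilities and that the rails community addressed it with a new omniauth-rails gem; the replacement `<no-dsa>` reason in data/CVE/list keeps neither point. Consider moving a one-line summary of that assessment into the CVE/list reason, or leaving a dated NOTE in the CVE entry, before deleting it here, since the commit message says the entry may be revisited.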
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/2cf9813d021dff397e05aed1d34584b6cec9a691...334d73d86d6fd760ad90d7f38fb2cd7031d7f14f