[Git][security-tracker-team/security-tracker][master] 3 commits: data/dla-needed.txt: add cfengine3 and claim it.

Mike Gabriel sunweaver at debian.org
Fri Jun 28 14:19:32 BST 2019



Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker


Commits:
24effa6e by Mike Gabriel at 2019-06-28T13:17:38Z
data/dla-needed.txt: add cfengine3 and claim it.

- - - - -
395b3845 by Mike Gabriel at 2019-06-28T13:17:39Z
data/CVE/list: update available info on CVE-2019-9929/cfengine3

- - - - -
6d658208 by Mike Gabriel at 2019-06-28T13:19:12Z
data/dla-needed.txt: Add further note about cfengine3.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7738,6 +7738,9 @@ CVE-2019-9929 (Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions
 	NOTE: cfengine2 has various publicly readable files in $STATEDIR that reveal info on the modifications done by cfengine2. No credentials found in such files, so far.
 	NOTE: https://github.com/cfengine/core/commit/f7556bf1a0061644e35114a07a91e9b0c3267c48#diff-291cd8f3f0f8a5c1875630ef64a667a2
 	NOTE: related: https://github.com/cfengine/core/commit/461dc7019ab5acebabc341143838a2307d9b92db#diff-a877a71a0122c0ea1c66c03883130b86
+	NOTE: above commits probably unrelated to CVE-2019-9929, but worth another CVE (communication with upstream ongoing)
+	NOTE: as CVE-2019-9929 is about secret leakage in the enterprise edition's installer log, Debian's cfengine3 package is likely not affected
+	NOTE: waiting for confirmation (or such) from upstream
 CVE-2019-9928 (GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP c ...)
 	{DSA-4437-1 DLA-1770-1 DLA-1769-1}
 	[experimental] - gst-plugins-base1.0 1.15.90-1
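
Review bot: The first added NOTE under CVE-2019-9929 refers to "above commits", which is only unambiguous while it sits directly below the two github.com/cfengine/core commit links. Naming the commits in the note itself (f7556bf1... and 461dc701...) would keep it readable if further NOTE lines are inserted between them later. The added "waiting for confirmation (or such) from upstream" line also carries no date, unlike the 20190628-stamped note in data/dla-needed.txt, so a later reader cannot tell how long the question has been open. Consider prefixing the date and dropping "(or such)".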


=====================================
data/dla-needed.txt
=====================================
@@ -15,6 +15,9 @@ ansible (Abhijith PA)
 bind9 (Thorsten Alteholz)
   NOTE: 20190623: test package
 --
+cfengine3 (Mike Gabriel)
+  NOTE: 20190628: likely not affected by CVE-2019-9929, but other not-yet-CVE'ed issues ahead
+--
 expat (Markus Koschany)
 --
 faad2 (Hugo Lefeuvre)
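
Review bot: In the new cfengine3 entry, "other not-yet-CVE'ed issues ahead" does not say which issues are meant, so the only stated reason for keeping the package in dla-needed.txt cannot be followed up from this file. Since the same note says the package is likely not affected by CVE-2019-9929, a pointer to where the remaining issues are tracked would help whoever reads or takes over the entry, for example "see NOTEs on CVE-2019-9929 in data/CVE/list", where the upstream commits are linked.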



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bd59fefdb4c350f855a65cf976cdbd7746161f7d...6d6582087c775b03b39d6a73f1d2e775f15a6604
