[Git][security-tracker-team/security-tracker][master] CVE-2018-16838: jessie not-affected
Hugo Lefeuvre
hle at debian.org
Sat Mar 16 13:17:51 GMT 2019
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker
Commits:
01e0d8b7 by Hugo Lefeuvre at 2019-03-16T13:17:29Z
CVE-2018-16838: jessie not-affected
GPO access control was introduced later around 1.11.90
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -32100,7 +32100,11 @@ CVE-2018-16839 (Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer o
CVE-2018-16838 [improper implementation of GPOs due to too restrictive permissions]
RESERVED
- sssd <unfixed>
+ [jessie] - sssd <not-affected> (GPO based access control introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1640820
+ NOTE: GPO based access control introduced in https://github.com/SSSD/sssd/commit/60cab26b12
+ NOTE: seems to presuppose configuration mistake: if sssd is not given enough permissions
+ NOTE: to read GPO, access is systematically granted instead of denied
TODO: check, Bugzilla entry does not provide details
CVE-2018-16837 (Ansible "User" module leaks any data which is passed on as a parameter ...)
{DSA-4396-1 DLA-1576-1}
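Review bot: the unchanged `TODO: check, Bugzilla entry does not provide details` line at the end of the CVE-2018-16838 entry now sits directly under three new NOTE lines that do supply details, so it is no longer clear what remains to be checked. Either drop the TODO or narrow it to the open question; the added note itself hedges with "seems to presuppose configuration mistake". Separately, the commit message dates the feature to "around 1.11.90", while the NOTE only links commit 60cab26b12. Putting that version next to the commit link would let a reader verify the `[jessie] - sssd <not-affected>` marking without following the URL.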
=====================================
data/dla-needed.txt
=====================================
@@ -119,8 +119,6 @@ sqlalchemy
NOTE: 20190312: https://gerrit.sqlalchemy.org/#/c/sqlalchemy/sqlalchemy/+/1165/
NOTE: 20190312: https://github.com/sqlalchemy/sqlalchemy/issues/4481
--
-sssd (Hugo Lefeuvre)
---
wireshark (Thorsten Alteholz)
--
wordpress
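Review bot: the removal of `sssd (Hugo Lefeuvre)` from data/dla-needed.txt is not mentioned in the commit message, and the removed entry carries no NOTE line saying which issue it was queued for. A short mention in the commit message, stating that sssd is dropped because CVE-2018-16838 does not affect jessie, would make it clear from the history that the entry was there only for this CVE.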
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01e0d8b763d5414ff3223b2b96a83f0bb442b6f5