[Git][security-tracker-team/security-tracker][master] jinja2 sandbox escape: no-dsa in jessie/stretch

Hugo Lefeuvre hle at debian.org
Thu May 2 16:32:07 BST 2019



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9cdc634a by Hugo Lefeuvre at 2019-05-02T15:31:48Z
jinja2 sandbox escape: no-dsa in jessie/stretch

mark CVE-2016-10745 and CVE-2019-10906 no-dsa in jessie.

mark CVE-2019-10906 no-dsa in stretch as a matter of consistency:
Moritz already marked CVE-2016-10745 no-dsa in stretch and fixing
CVE-2019-10906 does not make sense if CVE-2016-10745 is not fixed
as well.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1846,12 +1846,16 @@ CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism base
 CVE-2016-10745 (In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. ...)
 	- jinja2 2.9.4-1
 	[stretch] - jinja2 <no-dsa> (Minor issue)
+	[jessie] - jinja2 <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
 	NOTE: Followup bugfix: https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611
 CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape ...)
 	- jinja2 2.10-2 (bug #926602)
+	[stretch] - jinja2 <no-dsa> (Minor issue)
+	[jessie] - jinja2 <no-dsa> (Minor issue)
 	NOTE: https://palletsprojects.com/blog/jinja-2-10-1-released/
 	NOTE: https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26
+	NOTE: https://lists.debian.org/debian-lts/2019/04/msg00107.html
 CVE-2019-10905 (Parsedown before 1.7.2, when safe mode is used and HTML markup is disa ...)
 	NOT-FOR-US: Parsedown
 CVE-2019-10904 (Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi and r ...)
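Review bot: the reason for the stretch no-dsa on CVE-2019-10906 (fixing the str.format_map escape is pointless while the str.format escape of CVE-2016-10745 stays unfixed there) is stated only in the commit message; the tracker convention is to keep such reasoning in the entry itself, so add a NOTE under CVE-2019-10906 along the lines of `NOTE: no-dsa in stretch/jessie together with CVE-2016-10745, a format_map fix alone is pointless while str.format is unfixed`. In the same hunk the debian-lts thread (msg00107) that settled the jessie decision is linked only under CVE-2019-10906, while the new `[jessie] - jinja2 <no-dsa>` line under CVE-2016-10745 carries no pointer; adding the same NOTE there keeps both jessie decisions traceable to the discussion.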


=====================================
data/dla-needed.txt
=====================================
@@ -52,9 +52,6 @@ imagemagick
   NOTE: Stretch. (apo)
   NOTE: 20190408: Still waiting on security team response to inquiries from (apo) and (roberto)
 --
-jinja2 (Hugo Lefeuvre)
-  NOTE: 20190430: should probably be no-dsa https://lists.debian.org/debian-lts/2019/04/msg00107.html
---
 jquery (Brian May)
   NOTE: 20190425: probably embedded versions need to be checked as well
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9cdc634aaab722f97fb7eb923cba19f11cb5e19a
