[Git][security-tracker-team/security-tracker][master] At least the jessie version is vulnerable to CVE-2018-19969 and since it is...

Ola Lundqvist opal at debian.org
Sun May 12 19:59:56 BST 2019



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2faba7b3 by Ola Lundqvist at 2019-05-12T18:59:41Z
At least the jessie version is vulnerable to CVE-2018-19969 and since it is the oldest version I think all later versions are also vulnerable. Therefore changing undetermined to unfixed and adding phpmyadmin to the list of packages to fix for jessie. Probably the same should be done for later releases.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -26242,9 +26242,10 @@ CVE-2018-19970 (In phpMyAdmin before 4.8.4, an XSS vulnerability was found in th
 	NOTE: https://www.phpmyadmin.net/security/PMASA-2018-8/
 	NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e
 CVE-2018-19969 (phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a s ...)
-	- phpmyadmin <undetermined>
+	- phpmyadmin <unfixed>
 	NOTE: https://www.phpmyadmin.net/security/PMASA-2018-7/
-	TODO: check, upstream explicitly fixed only the 4.7/4.8 branch but not entirely clear if only introduced in 4.7.0, and older versions are EOLed, and only on best-effort mentioned in affected versions informations.
+	NOTE: Upstream explicitly fixed only the 4.7/4.8 branch but the problem exists in
+	NOTE: earlier versions as well. At least parts of the listed commits are needed.
 CVE-2018-19968 (An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents o ...)
 	{DLA-1658-1}
 	- phpmyadmin <unfixed>
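Review bot: the replacement NOTE for CVE-2018-19969 says "At least parts of the listed commits are needed", but no commit is listed for this entry in the hunk; the only reference kept is the PMASA-2018-7 advisory URL, whereas the adjacent CVE-2018-19970 entry carries an explicit upstream commit link as a NOTE. Add the relevant upstream commit URL(s) as further `NOTE:` lines so the sentence has something to point at and whoever prepares the jessie update does not have to rediscover them. The removed TODO also recorded the open question of whether the bug was only introduced in 4.7.0; the new NOTE states that "the problem exists in earlier versions as well" without saying how that was established, so a short NOTE recording what was checked (for example, the jessie version, as the commit message mentions) would keep that triage result from being redone.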


=====================================
data/dla-needed.txt
=====================================
@@ -81,6 +81,8 @@ openjdk-7
 --
 php5 (Thorsten Alteholz)
 --
+phpmyadmin
+--
 polarssl
   NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby)
 --
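Review bot: the new `phpmyadmin` entry in dla-needed.txt has no accompanying `NOTE:` line, while the neighbouring polarssl entry shows the convention of a dated note with context ("NOTE: 20181207: ..."). Add a dated NOTE naming the CVE this entry is for (CVE-2018-19969, per the data/CVE/list hunk) and pointing out that CVE-2018-19968 was already handled by DLA-1658-1, so the person claiming the package knows the scope of the remaining work without cross-referencing the other file.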



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2faba7b34f816314dbc33ee9a07c42164c885001
