[Git][security-tracker-team/security-tracker][master] CVE-2019-9917,znc: Change status from not-affected to no-dsa

Markus Koschany apo at debian.org
Tue May 14 23:04:21 BST 2019



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eee09f95 by Markus Koschany at 2019-05-14T22:00:45Z
CVE-2019-9917,znc: Change status from not-affected to no-dsa

After discussion with upstream, clarify that the version of znc in Jessie is
affected by CVE-2019-9917. Although users cannot set the encoding because this
feature does not exist, the modpython module is still vulnerable when parsing
non-UTF-8 strings. The workaround is to disable modpython or to deinstall the
znc-python package. Backporting the encoding feature to Jessie is probably not
worth the time. We could consider upgrading to a newer version instead, should another
serious issue be discovered.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5178,7 +5178,7 @@ CVE-2019-9918 (An issue was discovered in the Harmis JE Messenger component 1.2.
 	NOT-FOR-US: Harmis JE Messenger component for Joomla!
 CVE-2019-9917 (ZNC before 1.7.3-rc1 allows an existing remote user to cause a Denial  ...)
 	- znc 1.7.2-2 (bug #925285)
-	[jessie] - znc <not-affected> (The vulnerable code is not present)
+	[jessie] - znc <no-dsa> (Minor issue, workaround is to disable modpython)
 	NOTE: https://github.com/znc/znc/commit/64613bc8b6b4adf1e32231f9844d99cd512b8973
 CVE-2019-9916
 	RESERVED
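Review bot: The new `[jessie] - znc <no-dsa>` line names only "disable modpython" as the workaround and does not record why the previous `<not-affected> (The vulnerable code is not present)` rationale was wrong. The commit message has both pieces: modpython is still affected when parsing non-UTF-8 strings even though the encoding setting does not exist in jessie, and removing the znc-python package is an equivalent workaround. Consider adding a NOTE line next to the existing upstream commit NOTE that states this, so the reasoning is kept in data/CVE/list itself and a later triager does not revert the entry to not-affected based on the missing encoding feature.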



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eee09f95ea090663cf3338a44ae1215e2b2c0f79
