[Git][security-tracker-team/security-tracker][master] CVE-2019-1020001 was introduced in yard 0.9.6

Adrian Bunk bunk at debian.org
Sat Nov 30 19:31:25 GMT 2019 


Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7648f4c4 by Adrian Bunk at 2019-11-30T19:24:12Z
CVE-2019-1020001 was introduced in yard 0.9.6

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -18211,6 +18211,7 @@ CVE-2019-1020001 (yard before 0.9.20 allows path traversal. ...)
 	- yard <unfixed> (low; bug #945369)
 	[buster] - yard <no-dsa> (Minor issue)
 	[stretch] - yard <no-dsa> (Minor issue)
+	[jessie] - yard <not-affected> (Bug was introduced in 0.9.6) 
 	NOTE: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
 CVE-2018-20857 (Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as  ...)
 	NOT-FOR-US: Zendesk Samlr


=====================================
data/dla-needed.txt
=====================================
@@ -138,11 +138,3 @@ xcftools (hle)
 --
 xen
 --
-yard (Adrian Bunk)
-  NOTE: 20190830: second reviewer / triager needed. The security announcement states that the fix
-  NOTE: 20190830: was done between 0.9.19 and 0.9.20. Meaningful commits are
-  NOTE: 20190830: https://github.com/lsegal/yard/commit/225ded9ef38c6d2be5a3b0fc7effbc7d6644768d
-  NOTE: 20190830: https://github.com/lsegal/yard/commit/6d8b9b9c71e45fd1c887545b579399931dc2466e (well..)
-  NOTE: 20190830: Maybe someone with more knowledge of what yard is and does might know better
-  NOTE: 20190830: what the exact fix here could be. (sunweaver)
---



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7648f4c4c83998e694b661d852cdd5e4f718a692

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7648f4c4c83998e694b661d852cdd5e4f718a692
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191130/741aecc5/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list