[Git][security-tracker-team/security-tracker][master] Move severity for CVE-2019-18348 to unimportant

Salvatore Bonaccorso carnil at debian.org
Sat Oct 26 16:27:31 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
59d47a06 by Salvatore Bonaccorso at 2019-10-26T15:27:16Z
Move severity for CVE-2019-18348 to unimportant

Technically the issue is source-wise unfixed in the Python source code,
but it is made not exploitable where CVE-2016-10739 was already fixed.
Given the no-dsa markings for the respective older suites, as the issue
is minor, switch to the more "correct" marking (in the sense of source
affectedness) and mark it as unimportant, as the issue is unexploitable.

This adjusts the initial marking done by Moritz in
a2cc636c37ac9a643604a66474860a552dabab8a; if there is disagreement with
this commit, it can be discussed whether the tracking should be reverted.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -235,17 +235,15 @@ CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login redirec
 CVE-2019-18349
 	RESERVED
 CVE-2019-18348 (An issue was discovered in urllib2 in Python 2.x through 2.7.17 and ur ...)
-	- python3.8 <unfixed>
-	- python3.7 <unfixed>
-	[buster] - python3.7 <not-affected> (Not exploitable, has CVE-2016-10739 fixed)
-	- python3.5 <removed>
-	[stretch] - python3.5 <no-dsa> (Minor issue)
-	- python3.4 <removed>
-	- python2.7 <unfixed>
-	[buster] - python2.7 <not-affected> (Not exploitable, has CVE-2016-10739 fixed)
-	[stretch] - python2.7 <no-dsa> (Minor issue)
-	[jessie] - python2.7 <no-dsa> (Minor issue)
+	- python3.8 <unfixed> (unimportant)
+	- python3.7 <unfixed> (unimportant)
+	- python3.5 <removed> (unimportant)
+	- python3.4 <removed> (unimportant)
+	- python2.7 <unfixed> (unimportant)
 	NOTE: https://bugs.python.org/issue38576
+	NOTE: Issue only exploitable if CVE-2016-10739 is unfixed in src:glibc. This is
+	NOTE: not the case in all suites, but the issue is minor in general and would
+	NOTE: tend to a no-dsa/ignored tag in those suites.
 CVE-2019-18347
 	RESERVED
 CVE-2019-18346
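Review bot: the replacement NOTE at the end of the hunk ("Issue only exploitable if CVE-2016-10739 is unfixed in src:glibc. This is not the case in all suites") is ambiguous as to which suites are meant, while the removed per-suite lines carried exactly that information: `[buster] - python3.7 <not-affected> (Not exploitable, has CVE-2016-10739 fixed)` and the matching python2.7 line, versus plain `<no-dsa> (Minor issue)` for stretch and jessie. Once those lines are gone, a reader of the single `(unimportant)` entries can no longer tell that buster was judged not exploitable on the strength of the glibc fix and the older suites were not. Suggest making the NOTE explicit, e.g. "NOTE: Not exploitable in buster, where CVE-2016-10739 is fixed in src:glibc; in older suites the issue is minor and would only warrant no-dsa/ignored", so the suite-specific rationale that justified the severity change stays visible in the tracker.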



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59d47a066020fd35322811d5defd1e0a2b2d7484




