[Git][security-tracker-team/security-tracker][master] data/{dla-needed.txt,CVE/list}: Mark nghttp2/jessie as <not-affected> by...

Mike Gabriel sunweaver at debian.org
Wed Oct 30 11:16:43 GMT 2019



Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker


Commits:
da357999 by Mike Gabriel at 2019-10-30T11:16:22Z
data/{dla-needed.txt,CVE/list}: Mark nghttp2/jessie as <not-affected> by CVE-2019-95{11,13}. Remove nghttp2 from dla-needed.txt.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -28280,6 +28280,7 @@ CVE-2019-9513 (Some HTTP/2 implementations are vulnerable to resource loops, pot
 	[stretch] - nodejs <not-affected> (No HTTP2 support yet)
 	[jessie] - nodejs <not-affected> (No HTTP2 support yet)
 	- nghttp2 1.39.2-1
+	[jessie] - nghttp2 <not-affected> (Vulnerable code not present)
 	NOTE: https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
 	NOTE: https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f (master)
 	NOTE: https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b (release-1.16.1)
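Review bot: The reason on the added [jessie] nghttp2 line, "(Vulnerable code not present)", does not say which code is absent, so the decision cannot be rechecked from the entry itself. Consider naming the missing feature or the upstream version that introduced it, either in the parenthetical or in a NOTE line under this CVE-2019-9513 entry.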
@@ -28317,6 +28318,7 @@ CVE-2019-9511 (Some HTTP/2 implementations are vulnerable to window size manipul
 	[stretch] - nodejs <not-affected> (No HTTP2 support yet)
 	[jessie] - nodejs <not-affected> (No HTTP2 support yet)
 	- nghttp2 1.39.2-1
+	[jessie] - nghttp2 <not-affected> (Vulnerable code not present)
 	NOTE: https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
 	NOTE: https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089 (master)
 	NOTE: https://github.com/nginx/nginx/commit/94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b (release-1.16.1)
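Review bot: The NOTE lines visible around the added [jessie] nghttp2 line for CVE-2019-9511 reference only nginx, so nothing in this hunk shows what the jessie nghttp2 source was compared against. A NOTE pointing at the nghttp2 upstream fix used for the comparison would make the entry verifiable.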


=====================================
data/dla-needed.txt
=====================================
@@ -79,11 +79,6 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-nghttp2
-  NOTE: 20190930: nghttp2 in jessie is likely not affected by CVE-2019-95{11,13}.
-  NOTE: 20190930: waiting for feedback from Thorsten and Abhijith as they put
-  NOTE: 20190930: work into the pkg triaging, too. (sunweaver)
---
 opendmarc (Thorsten Alteholz)
   NOTE: 20191027: still testing package
 --
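Review bot: The removed nghttp2 block recorded the status as "likely not affected" and as "waiting for feedback from Thorsten and Abhijith", and neither the commit message nor the data/CVE/list changes say whether that feedback arrived. Before dropping the entry, state in the commit message that the triage was confirmed, or carry the outcome into a NOTE in data/CVE/list.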



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/da3579990df06f10c5423973cc563437efdfdd22
