[Git][security-tracker-team/security-tracker][master] 2 commits: Annotate CVE-2019-12402/libcommons-compress-java as not affecting jessie

Roberto C. Sánchez roberto at debian.org
Fri Sep 6 15:36:55 BST 2019 


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ac6143d3 by Roberto C. Sánchez at 2019-09-06T14:35:16Z
Annotate CVE-2019-12402/libcommons-compress-java as not affecting jessie

- - - - -
a68cea00 by Roberto C. Sánchez at 2019-09-06T14:36:22Z
LTS/libcommons-compress-java, remove from dla-needed.txt as no open issues remain

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -11062,6 +11062,7 @@ CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commo
 	- libcommons-compress-java <unfixed> (low)
 	[buster] - libcommons-compress-java <no-dsa> (Minor issue)
 	[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
+	[jessie] - libcommons-compress-java <not-affected> (Vulnerable code introduced later)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/08/27/1
 	NOTE: Fixed in upstream commit: https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commitdiff;h=4ad5d80a6272e007f64a6ac66829ca189a8093b9;hp=16a0c84e84b93cc8c107b7ff3080bd11317ab581
 CVE-2019-12401


=====================================
data/dla-needed.txt
=====================================
@@ -70,9 +70,6 @@ libav (Mike Gabriel)
   NOTE: 20190831: might fix the issue. Furthermore, most libav bugs have PoCs,
   NOTE: 20190831: so there is something one can test with and see if the fix worked.
 --
-libcommons-compress-java (Roberto C. Sánchez)
-  NOTE: 20190830: no patch reference found (sunweaver)
---
 libcrypto++
 --
 libgcrypt20 (Mike Gabriel)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9bfdee4f45ebedac20450c330f3b23211eadd4f8...a68cea00f5797103d0625d9ff6eeadc3286a0a59

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9bfdee4f45ebedac20450c330f3b23211eadd4f8...a68cea00f5797103d0625d9ff6eeadc3286a0a59
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190906/2bfbb73a/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list