[Git][security-tracker-team/security-tracker][master] Track CVE-2019-20788/libvncserver as different issue from CVE-2019-15690

Salvatore Bonaccorso carnil at debian.org
Thu Apr 23 21:37:51 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f3345165 by Salvatore Bonaccorso at 2020-04-23T22:34:19+02:00
Track CVE-2019-20788/libvncserver as different issue from CVE-2019-15690

There is a procedural issue here, as the CVE-2019-20788 is strongly
possible to be a duplicate of CVE-2019-15690. As CVE-2019-15690 was
though assigned by the CVE-2019-15690 assigning CNA (Kaspersky) which did
not populate the entry, it cannot be said for sure that CVE-2019-15690
and CVE-2019-20788 do not exactly cover the same issue or a different
aspect of the issue.

There will be an update of the CVE entry adding "NOTE: this may overlap
CVE-2019-15690" to CVE-2019-20788.

- - - - -


4 changed files:

- data/CVE/list
- data/DLA/list
- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -67,8 +67,10 @@ CVE-2020-12081
 CVE-2020-12080
 	RESERVED
 CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCurso ...)
-	NOTE: Duplicate of CVE-2019-15690, contacted MITRE
-	TODO: wait for confirmation from MITRE
+	- libvncserver 0.9.12+dfsg-9 (bug #954163)
+	[buster] - libvncserver <no-dsa> (Minor issue)
+	[stretch] - libvncserver <no-dsa> (Minor issue)
+	NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
 CVE-2020-XXXX [GNU Mailman 2.x stored XSS in attachments]
 	- mailman <unfixed>
 	NOTE: https://www.openwall.com/lists/oss-security/2020/02/24/2
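
Review bot: The new CVE-2019-20788 entry drops both lines that mentioned CVE-2019-15690 and leaves no cross-reference, although the commit message says the two may cover the same issue. Consider keeping a line such as `NOTE: may overlap CVE-2019-15690` under the entry, so that someone reading data/CVE/list alone sees the open question; the upstream commit NOTE by itself does not convey it.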


=====================================
data/DLA/list
=====================================
@@ -106,7 +106,7 @@
 	{CVE-2019-17546}
 	[jessie] - gdal 1.10.1+dfsg-8+deb8u2
 [18 Mar 2020] DLA-2146-1 libvncserver - security update
-	{CVE-2019-15690}
+	{CVE-2019-15690 CVE-2019-20788}
 	[jessie] - libvncserver 0.9.9+dfsg2-6.1+deb8u7
 [17 Mar 2020] DLA-2145-1 twisted - security update
 	{CVE-2020-10108 CVE-2020-10109}
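
Review bot: Adding CVE-2019-20788 to DLA-2146-1 changes the CVE set of an advisory dated 18 Mar 2020 after publication, and nothing in this hunk records why the jessie upload 0.9.9+dfsg2-6.1+deb8u7 is considered to fix it. A short NOTE under the CVE-2019-20788 entry in data/CVE/list, stating that the DLA patch covers the change referenced there, would make the retroactive attribution auditable.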


=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -70,6 +70,8 @@ CVE-2017-11747
 	[stretch] - tinyproxy 1.8.4-3~deb9u2
 CVE-2019-15690
 	[stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u4
+CVE-2019-20788
+	[stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u4
 CVE-2020-8518
 	[stretch] - php-horde-data 2.1.4-3+deb9u1
 CVE-2020-8866
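
Review bot: The added stretch line reuses 0.9.11+dfsg-1.3~deb9u4 from the CVE-2019-15690 entry directly above, so its correctness rests on that one upload carrying the upstream commit cited in data/CVE/list. That is worth confirming against the upload's patch set before the point release, since the commit message leaves open that the two CVEs cover different aspects of the issue.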


=====================================
data/next-point-update.txt
=====================================
@@ -69,6 +69,8 @@ CVE-2019-15522
 	[buster] - csync2 2.0-22-gce67c55-1+deb10u1
 CVE-2019-15690
 	[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
+CVE-2019-20788
+	[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
 CVE-2020-1712
 	[buster] - systemd 241-7~deb10u4
 CVE-2020-8518
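
Review bot: With this addition the buster version 0.9.11+dfsg-1.3+deb10u3 is recorded under two adjacent CVE entries, while data/CVE/list still carries `[buster] - libvncserver <no-dsa> (Minor issue)` for CVE-2019-20788. If the upload is re-versioned, both entries here need the same change, and the no-dsa line should be replaced by the fixed version once the point release ships.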



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3345165a6f3433ded5a55416bcac3f2fb471d91


