[Git][security-tracker-team/security-tracker][master] 2 commits: remove no-dsa and postponed tags that are fixed in latest python2.7 upload

Sat Aug 22 15:43:22 BST 2020


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6c48e35e by Thorsten Alteholz at 2020-08-22T16:42:13+02:00
remove no-dsa and postponed tags that are fixed in latest python2.7 upload

- - - - -
57b80af5 by Thorsten Alteholz at 2020-08-22T16:43:10+02:00
Reserve DLA-2337-1 for python2.7

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -68565,7 +68565,6 @@ CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 3.
 	- python3.4 <removed>
 	- python2.7 2.7.17~rc1-1 (bug #940901)
 	[buster] - python2.7 2.7.16-2+deb10u1
-	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue34155
 	NOTE: https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 (master)
 	NOTE: https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c (v3.8.0b4)
@@ -77770,7 +77769,6 @@ CVE-2018-20852 (http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookie
 	- python3.4 <removed>
 	- python2.7 2.7.16-3
 	[buster] - python2.7 2.7.16-2+deb10u1
-	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue35121
 	NOTE: https://python-security.readthedocs.io/vuln/cookie-domain-check.html
 	NOTE: https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13 (2.7.x branch)
@@ -87334,7 +87332,6 @@ CVE-2019-10160 (A security regression of CVE-2019-9636 was discovered in python
 	- python3.4 <not-affected> (Vulnerable fix to regression introduced by fix for CVE-2019-9636 not applied)
 	- python2.7 2.7.16-3
 	[buster] - python2.7 2.7.16-2+deb10u1
-	[stretch] - python2.7 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
 	[jessie] - python2.7 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
 	NOTE: Introduced by: https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3 (v3.8.0a4)
 	NOTE: Fixed by: https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e (v3.8.0b1)
@@ -87996,7 +87993,6 @@ CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: sche
 	- python3.5 <removed>
 	- python3.4 <removed>
 	- python2.7 2.7.16-2
-	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue35907
 	NOTE: https://github.com/python/cpython/pull/11842
 	NOTE: https://github.com/python/cpython/commit/34bab215596671d0dec2066ae7d7450cd73f638b (3.7)
@@ -88012,7 +88008,6 @@ CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
 	- python3.4 <removed>
 	- python2.7 2.7.16-3
 	[buster] - python2.7 2.7.16-2+deb10u1
-	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue35906
 	NOTE: Introduced by: https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
 	NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740
@@ -89563,7 +89558,6 @@ CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
 	- python3.4 <removed>
 	- python2.7 2.7.16-3
 	[buster] - python2.7 2.7.16-2+deb10u1
-	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue30458
 	NOTE: https://bugs.python.org/issue36276 (duplicate)
 	NOTE: https://bugs.python.org/issue36274 (common regression fix)
@@ -89840,7 +89834,6 @@ CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
 	- python3.5 <removed>
 	- python3.4 <removed>
 	- python2.7 2.7.16-2 (bug #924073)
-	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue36216
 	NOTE: https://github.com/python/cpython/pull/12201
 	NOTE: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
@@ -102035,7 +102028,6 @@ CVE-2019-5010 (An exploitable denial-of-service vulnerability exists in the X509
 	- python3.5 <removed>
 	- python3.4 <removed>
 	- python2.7 2.7.15-6 (bug #921040)
-	[stretch] - python2.7 <postponed> (Minor issue, can be fixed along in a future DSA)
 	NOTE: https://bugs.python.org/issue35746
 	NOTE: https://github.com/python/cpython/pull/11569
 	NOTE: https://github.com/python/cpython/commit/be5de958e9052e322b0087c6dba81cdad0c3e031 (3.7.x)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[22 Aug 2020] DLA-2337-1 python2.7 - security update
+	{CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-20907}
+	[stretch] - python2.7 2.7.13-2+deb9u4
 [22 Aug 2020] DLA-2336-1 firejail - security update
 	{CVE-2020-17367 CVE-2020-17368}
 	[stretch] - firejail 0.9.44.8-2+deb9u1


=====================================
data/dla-needed.txt
=====================================
@@ -134,9 +134,6 @@ openexr (Adrian Bunk)
 puma
   NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby)
 --
-python2.7 (Thorsten Alteholz)
- NOTE: 20200809: Consider fixing CVE-2019-20907 (abhijith)
---
 qemu (Abhijith PA)
 --
 qt4-x11 (Adrian Bunk)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6aaece3cce56ede9ece2ea1d7c8d5926f6752159...57b80af58d244040fd7c3dcba9981f58ccd27a17

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6aaece3cce56ede9ece2ea1d7c8d5926f6752159...57b80af58d244040fd7c3dcba9981f58ccd27a17
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200822/72c7a987/attachment-0001.html>
