[Git][security-tracker-team/security-tracker][master] 2 commits: remove no-dsa and postponed tags that are fixed in latest python2.7 upload
Thorsten Alteholz
alteholz at debian.org
Sat Aug 22 15:43:22 BST 2020
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6c48e35e by Thorsten Alteholz at 2020-08-22T16:42:13+02:00
remove no-dsa and postponed tags that are fixed in latest python2.7 upload
- - - - -
57b80af5 by Thorsten Alteholz at 2020-08-22T16:43:10+02:00
Reserve DLA-2337-1 for python2.7
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -68565,7 +68565,6 @@ CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 3.
- python3.4 <removed>
- python2.7 2.7.17~rc1-1 (bug #940901)
[buster] - python2.7 2.7.16-2+deb10u1
- [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue34155
NOTE: https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 (master)
NOTE: https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c (v3.8.0b4)
@@ -77770,7 +77769,6 @@ CVE-2018-20852 (http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookie
- python3.4 <removed>
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
- [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue35121
NOTE: https://python-security.readthedocs.io/vuln/cookie-domain-check.html
NOTE: https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13 (2.7.x branch)
@@ -87334,7 +87332,6 @@ CVE-2019-10160 (A security regression of CVE-2019-9636 was discovered in python
- python3.4 <not-affected> (Vulnerable fix to regression introduced by fix for CVE-2019-9636 not applied)
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
- [stretch] - python2.7 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
[jessie] - python2.7 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
NOTE: Introduced by: https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3 (v3.8.0a4)
NOTE: Fixed by: https://github.com/python/cpython/commit/8d0ef0b5edeae52960c7ed05ae8a12388324f87e (v3.8.0b1)
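Review bot: the removed `[stretch] - python2.7 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)` line in this CVE-2019-10160 hunk is not covered by the commit message, which names only no-dsa and postponed tags. Removing it implies that stretch now carries the CVE-2019-9636 fix (DLA-2337-1 lists both CVE-2019-9636 and CVE-2019-10160), so mention the not-affected removal in the message, and confirm that the stretch upload includes the regression fix referenced under "Fixed by" and not only the original CVE-2019-9636 patch. The `[jessie]` line with the same reason stays in place, which is consistent only if jessie still lacks that patch.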
@@ -87996,7 +87993,6 @@ CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: sche
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.16-2
- [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue35907
NOTE: https://github.com/python/cpython/pull/11842
NOTE: https://github.com/python/cpython/commit/34bab215596671d0dec2066ae7d7450cd73f638b (3.7)
@@ -88012,7 +88008,6 @@ CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
- python3.4 <removed>
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
- [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue35906
NOTE: Introduced by: https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
NOTE: CVE-2019-9947 issue fixed with same fix as for CVE-2019-9740
@@ -89563,7 +89558,6 @@ CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
- python3.4 <removed>
- python2.7 2.7.16-3
[buster] - python2.7 2.7.16-2+deb10u1
- [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue30458
NOTE: https://bugs.python.org/issue36276 (duplicate)
NOTE: https://bugs.python.org/issue36274 (common regression fix)
@@ -89840,7 +89834,6 @@ CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.16-2 (bug #924073)
- [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue36216
NOTE: https://github.com/python/cpython/pull/12201
NOTE: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
@@ -102035,7 +102028,6 @@ CVE-2019-5010 (An exploitable denial-of-service vulnerability exists in the X509
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.15-6 (bug #921040)
- [stretch] - python2.7 <postponed> (Minor issue, can be fixed along in a future DSA)
NOTE: https://bugs.python.org/issue35746
NOTE: https://github.com/python/cpython/pull/11569
NOTE: https://github.com/python/cpython/commit/be5de958e9052e322b0087c6dba81cdad0c3e031 (3.7.x)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[22 Aug 2020] DLA-2337-1 python2.7 - security update
+ {CVE-2018-20852 CVE-2019-5010 CVE-2019-9636 CVE-2019-9740 CVE-2019-9947 CVE-2019-9948 CVE-2019-10160 CVE-2019-16056 CVE-2019-20907}
+ [stretch] - python2.7 2.7.13-2+deb9u4
[22 Aug 2020] DLA-2336-1 firejail - security update
{CVE-2020-17367 CVE-2020-17368}
[stretch] - firejail 0.9.44.8-2+deb9u1
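Review bot: CVE-2019-20907 is in the brace list of the new DLA-2337-1 entry, but no data/CVE/list hunk touches it, whereas each of the other eight CVEs listed here loses a stretch tag in that file. Check that the CVE-2019-20907 entry in data/CVE/list has no leftover `[stretch]` annotation that would contradict the `2.7.13-2+deb9u4` fixed version recorded here.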
=====================================
data/dla-needed.txt
=====================================
@@ -134,9 +134,6 @@ openexr (Adrian Bunk)
puma
NOTE: 20200708: Vulnerable to (at least) CVE-2020-11076. (lamby)
--
-python2.7 (Thorsten Alteholz)
- NOTE: 20200809: Consider fixing CVE-2019-20907 (abhijith)
---
qemu (Abhijith PA)
--
qt4-x11 (Adrian Bunk)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6aaece3cce56ede9ece2ea1d7c8d5926f6752159...57b80af58d244040fd7c3dcba9981f58ccd27a17