[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is...

Roberto C. Sánchez roberto at debian.org
Sun Aug 23 01:21:33 BST 2020



Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
227dec84 by Roberto C. Sánchez at 2020-08-22T20:18:30-04:00
LTS: triage tomcat7 CVEs in stretch; none affect libservlet3.0-java, which is the only binary package built from the tomcat7 source package in stretch

- - - - -
09345bb5 by Roberto C. Sánchez at 2020-08-22T20:19:12-04:00
LTS: remove tomcat7 from dla-needed.txt, no open issues remain

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -35398,6 +35398,7 @@ CVE-2020-9484 (When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M
 	- tomcat9 9.0.35-1 (bug #961209)
 	- tomcat8 <removed>
 	- tomcat7 <removed>
+	[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
 	NOTE: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b (10.0.0-M5)
 	NOTE: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222 (9.0.35)
 	NOTE: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f (8.5.55)
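Review bot: the new `[stretch] - tomcat7 <ignored>` line gives a rationale ("No components in libservlet3.0-java binary package are affected") that describes code not shipped rather than an issue deliberately left unfixed, which is the situation the tracker normally records as `<not-affected>`; either switch the tag or extend the parenthetical to say why `<ignored>` was chosen. It would also help future triagers if the note carried the key fact from the commit message, that libservlet3.0-java is the only binary package built from tomcat7 in stretch, since the same annotation is repeated verbatim across all seven CVE entries in this commit and a reader of any one entry cannot otherwise tell why the whole source package is dismissed.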
@@ -55160,6 +55161,7 @@ CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken wh
 	- tomcat9 9.0.31-1 (bug #952437)
 	- tomcat8 <removed> (bug #952438)
 	- tomcat7 <removed> (bug #952436)
+	[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
 	NOTE: AJP disabled in Debian in default configuration since 2008
 	NOTE: fixed in upstream versions 9.0.31, 8.5.51, 7.0.100
 	NOTE: https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
@@ -55186,6 +55188,7 @@ CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to
 	- tomcat9 9.0.31-1
 	- tomcat8 <removed>
 	- tomcat7 <removed>
+	[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
 	NOTE: https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26 (9.0.31)
 	NOTE: https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56 (8.5.51)
 	NOTE: https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d (7.0.100)
@@ -64175,6 +64178,7 @@ CVE-2019-17569 (The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.4
 	- tomcat8 <removed>
 	[jessie] - tomcat8 <not-affected> (vulnerable code introduced in later version)
 	- tomcat7 <removed>
+	[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
 	NOTE: https://github.com/apache/tomcat/commit/060ecc5eb839208687b7fcc9e35287ac8eb46998 (9.0.31)
 	NOTE: https://github.com/apache/tomcat/commit/959f1dfd767bf3cb64776b44f7395d1d8d8f7ab3 (8.5.51)
 	NOTE: https://github.com/apache/tomcat/commit/b191a0d9cf06f4e04257c221bfe41d2b108a9cc8 (7.0.100)
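Review bot: this entry now has `[jessie] - tomcat8 <not-affected> (vulnerable code introduced in later version)` directly above the added `[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)`, and both lines say the same kind of thing (the affected code is not present in the shipped package) while using different tags; aligning the stretch line with the `<not-affected>` convention already used in this entry would keep the status consistent across suites.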
@@ -64202,6 +64206,7 @@ CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.
 	- tomcat9 9.0.31-1
 	- tomcat8 <removed>
 	- tomcat7 <removed>
+	[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
 	NOTE: https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652 (9.0.30)
 	NOTE: https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c (8.5.50)
 	NOTE: https://github.com/apache/tomcat/commit/ab72a106fe5d992abddda954e30849d7cf8cc583 (7.0.99)
@@ -81001,6 +81006,7 @@ CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 an
 	- tomcat9 9.0.31-1
 	- tomcat8 <removed>
 	- tomcat7 <removed>
+	[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
 	NOTE: https://github.com/apache/tomcat/commit/1fc9f589dbdd8295cf313b2667ab041c425f99c3 (9.0.29)
 	NOTE: https://github.com/apache/tomcat/commit/a91d7db4047d372b2f12999d3cf2bc3254c20d00 (8.5.48)
 	NOTE: https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b (7.0.98)
@@ -116675,6 +116681,7 @@ CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8
 	- tomcat9 9.0.16-4 (bug #929895)
 	- tomcat8 <removed>
 	- tomcat7 <removed>
+	[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
 	NOTE: affects debug channel, unlikely to be present in production websites:
 	NOTE: https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3Cb1905aa6-f340-8d0b-58c4-8ac3ebcbfa54@apache.org%3E
 	NOTE: https://github.com/apache/tomcat/commit/15fcd16 (9.0.19)


=====================================
data/dla-needed.txt
=====================================
@@ -197,8 +197,6 @@ sympa
   NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
   NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
 --
-tomcat7 (Roberto C. Sánchez)
---
 wordpress
   NOTE: 20200710: Vulnerable to at least CVE-2020-4046. (lamby)
   NOTE: 20200710: During triage noticed that CVE-2020-4046 was marked as fixed
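Review bot: the removal drops both the `tomcat7 (Roberto C. Sánchez)` claim line and the `--` separator that followed it, leaving the `--` above it in place, so the entry separators around `sympa` and `wordpress` remain balanced; no further change is needed here, but the reason for closing the entry lives only in the commit message, so the `[stretch]` annotations in data/CVE/list are the only durable record of the triage outcome and should carry the full rationale.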



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ccdff3a4b7042f419304f947f419d8b634f75ed7...09345bb5cac5860756378c10dec99138206570bd




