[Git][security-tracker-team/security-tracker][master] Update information on CVE-2016-11086

Salvatore Bonaccorso carnil at debian.org
Tue Dec 15 20:47:35 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
674a8861 by Salvatore Bonaccorso at 2020-12-15T21:47:23+01:00
Update information on CVE-2016-11086

Mark it as unimportant as it does not affect the binary packages in
Debian (by default, unless a user has removed the certificates).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13901,19 +13901,14 @@ CVE-2020-26099 (cPanel before 88.0.3 allows attackers to bypass the SMTP greylis
 CVE-2020-26098 (cPanel before 88.0.3 mishandles the Exim filter path, leading to remot ...)
 	NOT-FOR-US: cPanel
 CVE-2016-11086 (lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby doe ...)
-	- ruby-oauth <unfixed> (bug #970932)
-	[stretch] - ruby-oauth <no-dsa> (Minor issue)
+	- ruby-oauth <unfixed> (unimportant; bug #970932)
 	NOTE: https://github.com/oauth-xx/oauth-ruby/issues/137
-	NOTE: For jessie it is declared as minor issue since the package that
-	NOTE: must exist is generated by ca-certificates package and
-	NOTE: ca-certificates in the package dependency list. Hence even though
-	NOTE: the package is vulnerable the problem do not exist in Debian
-	NOTE: unless the admin has explicitly removed the file from the filesystem.
-	NOTE: Should probably be handled the same in other releases.
+	NOTE: Likely minor issue since the package that exist is generated by ca-certificates
+	NOTE: package and ca-certificates in the package dependency list. Hence even though the
+	NOTE: package is vulnerable the problem do not exist in Debian unless the admin has
+	NOTE: explicitly removed the file from the filesystem.
 	NOTE: Fixing this vulnerability can cause a regression in the case the
 	NOTE: admin has intentionally removed this file to not check certificates.
-	NOTE: It could therefore be considered as to be ignored but more should
-	NOTE: have an opinion about this before deciding that.
 CVE-2020-26097 (** UNSUPPORTED WHEN ASSIGNED ** The firmware of the PLANET Technology  ...)
 	NOT-FOR-US: PLANET Technology Corp NVR-915 and NVR-1615
 CVE-2020-26096
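Review bot: the rewritten NOTE block (`+	NOTE: Likely minor issue since the package that exist is generated by ca-certificates`) dropped the word "must" from the old line (`-	NOTE: must exist is generated by ca-certificates package and`), so it no longer says that the CA bundle file has to exist; it also keeps the old grammar slips ("ca-certificates in the package dependency list" has no verb, "the problem do not exist"), and both versions mix "package" and "file" for what is actually the CA bundle file. Suggest tightening it to something like `NOTE: The CA bundle file that must exist is provided by ca-certificates, which is in the package's dependency list, so the problem does not exist in Debian unless the admin has explicitly removed the file from the filesystem.` Also, "Likely minor issue" hedges while the entry line now carries the definite `(unimportant; bug #970932)` tag and the commit message states the packages are not affected; since the dropped "more should have an opinion" lines record that the question was open, wording the NOTE to match the tag makes clear the decision has been taken.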



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/674a88619be83525e20b29c46693d859226fade3


