[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as <no-dsa>
Roberto C. Sánchez
roberto at debian.org
Sat Dec 19 03:43:26 GMT 2020
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fe0bce11 by Roberto C. Sánchez at 2020-12-18T22:28:13-05:00
LTS: triage {CVE-2020-35490,CVE-2020-35491}/jackson-databind as <no-dsa>
This is consistent with both how the same CVEs were handled for buster
by the security team and how previous similar CVEs (CVE-2020-24616 and
CVE-2020-24750) were handled by the LTS team.
- - - - -
76d5aa7f by Roberto C. Sánchez at 2020-12-18T22:31:49-05:00
LTS: triage CVE-2020-29652/golang-go.crypto as <not-affected>
- - - - -
c61cdb7f by Roberto C. Sánchez at 2020-12-18T22:41:08-05:00
LTS: triage golang-1.8 and golang-1.7
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2040,12 +2040,14 @@ CVE-2020-35492
CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
- jackson-databind <unfixed>
[buster] - jackson-databind <no-dsa> (Minor issue)
+ [stretch] - jackson-databind <no-dsa> (Minor issue)
NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
- jackson-databind <unfixed>
[buster] - jackson-databind <no-dsa> (Minor issue)
+ [stretch] - jackson-databind <no-dsa> (Minor issue)
NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
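Review bot: the two new `[stretch] - jackson-databind <no-dsa> (Minor issue)` lines carry no rationale of their own, while the NOTE lines in the same hunk make clear that the "Minor issue" rating depends on a precondition (the 2.10 mitigation of Safe Default Typing does not apply, and the bug "still an issue when Default Typing is enabled"). Consider stating that precondition in the stretch entry's reason text, e.g. `<no-dsa> (Minor issue; only affects applications that enable Default Typing)`, so the classification is self-explaining when the entry is revisited later; the commit message's reference to the earlier CVE-2020-24616 and CVE-2020-24750 triage would also be useful as a NOTE here rather than only in the commit message.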
@@ -4065,6 +4067,7 @@ CVE-2020-29653
RESERVED
CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh component thr ...)
- golang-go.crypto <unfixed>
+ [stretch] - golang-go.crypto <not-affected> (Vulnerable code not present)
- kubernetes <unfixed>
NOTE: https://go-review.googlesource.com/c/crypto/+/278852
NOTE: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
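Review bot: the new `[stretch] - golang-go.crypto <not-affected> (Vulnerable code not present)` line records a conclusion but not how it was reached; since the upstream fix is already linked (`https://go-review.googlesource.com/c/crypto/+/278852`), add a NOTE naming the code path from that change that the stretch version lacks, so the not-affected claim can be re-verified without redoing the comparison. Also, `- kubernetes <unfixed>` in the same hunk gets no stretch entry; if kubernetes ships in stretch with a vendored copy of golang.org/x/crypto/ssh, it needs the same "vulnerable code present or not" check rather than inheriting the source package's status implicitly.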
=====================================
data/dla-needed.txt
=====================================
@@ -58,6 +58,12 @@ flac (Adrian Bunk)
NOTE: 20201215: when preparing fix/advisory note that the same code change fixes both CVE-2020-0487 and CVE-2017-6888 (roberto)
NOTE: 20201215: stretch and buster versions are very close; perhaps consider coordinating with security team and helping them by preparing an update for buster (roberto)
--
+golang-1.7
+ NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto)
+--
+golang-1.8
+ NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto)
+--
golang-websocket
--
imagemagick (Sylvain Beucler)
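Review bot: the two added entries (`+golang-1.7` and `+golang-1.8`) each carry only "new CVEs may not be getting fixed, might need to ignore (roberto)", which names neither the CVEs concerned nor a decision. Listing the affected CVE IDs in the NOTE and, once decided, recording the outcome against those IDs in data/CVE/list (with the reason in the stretch entry) would keep the tracker authoritative; otherwise both packages sit in dla-needed.txt as open work items that nobody can act on from the note alone.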
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ced4449781949729fc5d3225e95df39fa111597e...c61cdb7f53756c142b4466bd95e5b0067bce9807