[Git][security-tracker-team/security-tracker][master] Add information on CVE-2019-10782/checkstyle

Tue Feb 4 07:23:53 GMT 2020


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8b65d5b9 by Salvatore Bonaccorso at 2020-02-04T08:20:12+01:00
Add information on CVE-2019-10782/checkstyle

This did affect unstable as the incomplete fix was applied, likely as
well the one for which a DLA was released. Not (yet) buster and stretch
as the incomplete fix was not applied at all. If it's going to be fixed
in those releases via a point release the fix should be made complete.

Add note thus as well into the entry for CVE-2019-9658.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -45831,8 +45831,6 @@ CVE-2019-10784
 	RESERVED
 CVE-2019-10783 (All versions including 0.0.4 of lsof npm module are vulnerable to Comm ...)
 	TODO: check
-CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulner ...)
-	TODO: check
 CVE-2019-10781 (In schema-inspector before 1.6.9, a maliciously crafted JavaScript obj ...)
 	TODO: check
 CVE-2019-10780 (BibTeX-ruby before 5.1.0 allows shell command injection due to unsanit ...)
@@ -49906,6 +49904,13 @@ CVE-2019-9660 (Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html
 	NOT-FOR-US: YzmCMS
 CVE-2019-9659 (The Chuango 433 MHz burglar-alarm product line uses static codes in th ...)
 	NOT-FOR-US: Chuango
+CVE-2019-10782
+	- checkstyle <unfixed>
+	[buster] - checkstyle <not-affected> (Incomplete fix for CVE-2019-9658 not applied)
+	[stretch] - checkstyle <not-affected> (Incomplete fix for CVE-2019-9658 not applied)
+	NOTE: https://snyk.io/vuln/SNYK-JAVA-COMPUPPYCRAWLTOOLS-543266
+	NOTE: https://github.com/checkstyle/checkstyle/issues/7468
+	NOTE: https://github.com/checkstyle/checkstyle/security/advisories/GHSA-763g-fqq7-48wg
 CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...)
 	{DLA-1768-1}
 	- checkstyle 8.26-1 (low; bug #924598)
@@ -49915,6 +49920,8 @@ CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...)
 	NOTE: https://github.com/checkstyle/checkstyle/issues/6478
 	NOTE: https://github.com/checkstyle/checkstyle/pull/6476
 	NOTE: https://github.com/checkstyle/checkstyle/commit/180b4fe37a2249d4489d584505f2b7b3ab162ec6
+	NOTE: When fixing this issue make sure to apply the complete fix to not open
+	NOTE: CVE-2019-10782.
 CVE-2019-9657 (Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control, a d ...)
 	NOT-FOR-US: Alarm.com ADC-V522IR 0100b9 devices
 CVE-2019-9656 (An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dere ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b65d5b9d665da1ef31561d285169e4665f94711

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b65d5b9d665da1ef31561d285169e4665f94711
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200204/3654a1c6/attachment-0001.html>
