[Git][security-tracker-team/security-tracker][master] 3 commits: Mark netty-3.9 as removed from the archive

Salvatore Bonaccorso carnil at debian.org
Thu Feb 6 15:33:46 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0af6fccc by Salvatore Bonaccorso at 2020-02-06T16:30:37+01:00
Mark netty-3.9 as removed from the archive

- - - - -
12cce536 by Salvatore Bonaccorso at 2020-02-06T16:31:00+01:00
Track fixed version for CVE-2014-3488

In Debian initially 3.9.0.Final-1 was uploaded which is affected. The
issue got fixed in 3.9.2, which was included in the unstable upload as
3.9.9.Final-1.

- - - - -
b4da11ee by Salvatore Bonaccorso at 2020-02-06T16:33:04+01:00
Add reference to upstream issue an commit for CVE-2014-3488

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -509,11 +509,11 @@ CVE-2020-8433
 	RESERVED
 CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length  ...)
 	- netty <unfixed>
-	- netty-3.9 <unfixed>
+	- netty-3.9 <removed>
 	NOTE: https://github.com/netty/netty/issues/9861
 CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...)
 	- netty <unfixed>
-	- netty-3.9 <unfixed>
+	- netty-3.9 <removed>
 	NOTE: https://github.com/netty/netty/issues/9866
 CVE-2020-8432 (In Das U-Boot through 2020.01, a double free has been found in the cmd ...)
 	- u-boot <unfixed> (low)
@@ -3144,7 +3144,7 @@ CVE-2019-20382
 	RESERVED
 CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles ...)
 	- netty <unfixed>
-	- netty-3.9 <unfixed>
+	- netty-3.9 <removed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225
 	NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1
 	NOTE: Issue exists because of incomplete fix for CVE-2019-16869.
@@ -26976,7 +26976,7 @@ CVE-2019-16870
 CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HT ...)
 	{DSA-4597-1 DLA-1941-1}
 	- netty 1:4.1.33-2 (bug #941266)
-	- netty-3.9 <unfixed>
+	- netty-3.9 <removed>
 	NOTE: https://github.com/netty/netty/issues/9571
 	NOTE: https://github.com/netty/netty/commit/39cafcb05c99f2aa9fce7e6597664c9ed6a63a95
 CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerability v ...)
@@ -254147,9 +254147,11 @@ CVE-2014-3489 (lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Eng
 	NOT-FOR-US: Red Hat CloudForms Management Engine
 CVE-2014-3488 (The SslHandler in Netty before 3.9.2 allows remote attackers to cause  ...)
 	- netty <not-affected> (Introduced in 3.9.0)
-	- netty-3.9 <unfixed>
-	[stretch] - netty-3.9 <not-affected>
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1107983 says only affects 3.9.0 and 3.9.1
+	- netty-3.9 3.9.9.Final-1
+	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1107983 says only affects
+	NOTE: 3.9.0 and 3.9.1.
+	NOTE: https://github.com/netty/netty/issues/2562
+	NOTE: https://github.com/netty/netty/commit/2fa9400a59d0563a66908aba55c41e7285a04994
 CVE-2014-3487 (The cdf_read_property_info function in file before 5.19, as used in th ...)
 	{DSA-3021-1 DSA-2974-1 DLA-27-1}
 	- file 1:5.19-1
@@ -263765,7 +263767,7 @@ CVE-2014-0194
 	REJECTED
 CVE-2014-0193 (WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7. ...)
 	- netty <not-affected> (WebSocket08FrameDecoder function not present; bug #746639)
-	- netty-3.9 <unfixed>
+	- netty-3.9 <removed>
 CVE-2014-0192 (Foreman 1.4.0 before 1.5.0 does not properly restrict access to provis ...)
 	- foreman <itp> (bug #663101)
 CVE-2014-0191 (The xmlParserHandlePEReference function in parser.c in libxml2 before  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/638a2324f26adfa8754313b471af9315216b724f...b4da11ee6e143253c02f6f36bd43a83b71fbba74

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/638a2324f26adfa8754313b471af9315216b724f...b4da11ee6e143253c02f6f36bd43a83b71fbba74
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200206/8d224e8a/attachment.html>


More information about the debian-security-tracker-commits mailing list