[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-14822/ibus as ignored on jessie

Emilio Pozuelo Monfort pochu at debian.org
Fri Feb 21 10:09:41 GMT 2020 


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2c2fc79d by Emilio Pozuelo Monfort at 2020-02-21T11:08:26+01:00
Mark CVE-2019-14822/ibus as ignored on jessie

The fix requires changes to glib, with a potential risk of
regression on both ibus and glib rdeps (as happened on stretch).
Given that this requires a complicated scenario in order to exploit,
the risks are not worth the benefits, so let's ignore this one.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -35109,6 +35109,7 @@ CVE-2019-14823 (A flaw was found in the "Leaf and Chain" OCSP policy implementat
 CVE-2019-14822 (A flaw was discovered in ibus that allows any unprivileged user to mon ...)
 	{DSA-4525-1}
 	- ibus 1.5.21-1 (bug #940267)
+	[jessie] - ibus <ignored> (Hard to exploit, regression risk)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/09/13/1
 	NOTE: Fixed by: https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151
 	NOTE: The original fix introduces regression with Qt applications (the fix uncovered an


=====================================
data/dla-needed.txt
=====================================
@@ -17,11 +17,6 @@ collabtive (Thorsten Alteholz)
 --
 http-parser (Sylvain Beucler)
 --
-ibus
-  NOTE: 20191210: Requires glib2.0 to be patched also.
-  NOTE: 20191210: See https://bugs.debian.org/941018
-  NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176
---
 libmatio (Adrian Bunk)
   NOTE: fairly high number of open issues. Not sure why we never had a look at them.
   NOTE: triage work needed, help security team for fixes if needed.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c2fc79d4f67267196966ee7369691f223f0d05a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2c2fc79d4f67267196966ee7369691f223f0d05a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200221/dacbc407/attachment.html>

More information about the debian-security-tracker-commits mailing list