[Git][security-tracker-team/security-tracker][master] Mark several 389-ds-base issues as no-dsa
Salvatore Bonaccorso
carnil at debian.org
Thu Jan 2 18:48:01 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
14be0b43 by Salvatore Bonaccorso at 2020-01-02T19:47:46+01:00
Mark several 389-ds-base issues as no-dsa
Those are almost all minor issues. Marking those as no-dsa is surely not
the optimal solution, but 389-ds-base has outside Red Hat worlds
definitively less impact as OpenLDAP is almost the preferred solution.
Furthermore those 389-ds-base bugs are quite weird cases to cover and
backporting single patches for 389-ds-base has high potential for
regressions.
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -24953,6 +24953,8 @@ CVE-2019-14825 (A cleartext password storage issue was discovered in Katello, ve
CVE-2019-14824 (A flaw was found in the 'deref' plugin of 389-ds-base where it could u ...)
{DLA-2004-1}
- 389-ds-base 1.4.2.4-1 (bug #944150)
+ [buster] - 389-ds-base <no-dsa> (Minor issue)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747448
NOTE: https://pagure.io/freeipa/issue/8050
CVE-2019-14823 (A flaw was found in the "Leaf and Chain" OCSP policy implementation in ...)
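Review bot: the two added [buster]/[stretch] lines justify no-dsa with only "(Minor issue)", which does not carry the actual reasoning given in the commit message (low exposure of 389-ds-base in Debian compared to OpenLDAP, high regression risk of backporting single patches). Since this entry already references DLA-2004-1, a reader of data/CVE/list alone cannot tell why the other releases are treated differently; a slightly more specific justification such as "(Minor issue; backport risky)" would make the entry self-explanatory.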
@@ -39023,6 +39025,7 @@ CVE-2019-10225
NOT-FOR-US: OpenShift
CVE-2019-10224 (A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. ...)
- 389-ds-base 1.4.1.5-1
+ [buster] - 389-ds-base <no-dsa> (Minor issue)
[stretch] - 389-ds-base <not-affected> (vulnerable code not present)
[jessie] - 389-ds-base <not-affected> (vulnerable code not present)
- python-lib389 <removed>
@@ -56137,6 +56140,8 @@ CVE-2019-3884 (A vulnerability exists in the garbage collection mechanism of ato
CVE-2019-3883 (In 389-ds-base up to version 1.4.1.2, requests are handled by workers ...)
{DLA-1779-1}
- 389-ds-base 1.4.1.5-1 (bug #927939)
+ [buster] - 389-ds-base <no-dsa> (Minor issue)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1693612
NOTE: https://pagure.io/389-ds-base/issue/50329
NOTE: https://pagure.io/389-ds-base/c/4d9cc24da (master)
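Review bot: marking stretch <no-dsa> as a plain "(Minor issue)" reads inconsistently with the rest of this entry, which already names the upstream fix (issue 50329 and commit 4d9cc24da on master) and records DLA-1779-1, i.e. the fix was backported for the LTS release. If the master commit does not apply to the stretch version, that is the fact worth recording in the justification, e.g. "(Minor issue; master fix does not apply to stretch version)".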
@@ -80801,6 +80806,7 @@ CVE-2018-14649 (It was found that ceph-isci-cli package as shipped by Red Hat Ce
CVE-2018-14648 (A flaw was found in 389 Directory Server. A specially crafted search q ...)
{DLA-1554-1}
- 389-ds-base 1.4.0.18-1
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1630668
NOTE: https://pagure.io/389-ds-base/c/a49bd03d6 (1.4.0.17)
NOTE: 1.3.7: https://pagure.io/389-ds-base/c/c8ec6e58c
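Review bot: this entry lists both the 1.4.0.17 fix (a49bd03d6) and a separate 1.3.7 backport commit (c8ec6e58c) in its NOTE lines, so upstream already provides an older-branch patch; if that 1.3.7 backport was evaluated and rejected for stretch, saying so in the new [stretch] justification would stop the issue from being re-triaged later. As written, "(Minor issue)" gives no hint that a backport candidate exists.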
@@ -80854,6 +80860,7 @@ CVE-2018-14639
RESERVED
CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ...)
- 389-ds-base 1.4.0.18-1 (bug #908859)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
[jessie] - 389-ds-base <not-affected> (Vulnerable code not present)
NOTE: https://pagure.io/389-ds-base/c/78fc627accacfa4061ce48977e22301f81ea8d73
CVE-2018-14637 (The SAML broker consumer endpoint in Keycloak before version 4.6.0.Fin ...)
@@ -80913,6 +80920,7 @@ CVE-2018-14625 (A flaw was found in the Linux Kernel where an attacker may be ab
CVE-2018-14624 (A vulnerability was discovered in 389-ds-base through versions 1.3.7.1 ...)
{DLA-1526-1}
- 389-ds-base 1.4.0.18-1 (bug #907778)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://pagure.io/389-ds-base/issue/49937
NOTE: https://pagure.io/389-ds-base/c/8ff8cb850 (master)
NOTE: https://pagure.io/389-ds-base/c/c5e78249d (389-ds-base-1.3.8)
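Review bot: a branch-specific upstream fix is listed here (c5e78249d on 389-ds-base-1.3.8) next to DLA-1526-1, yet the added [stretch] line again says only "(Minor issue)". Naming the linked commit as the candidate that was judged too risky to backport would tie the tracker entry to the regression argument made in the commit message instead of leaving the reasoning implicit.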
@@ -90944,6 +90952,7 @@ CVE-2018-10936 (A weakness was found in postgresql-jdbc before version 42.2.5. I
CVE-2018-10935 (A flaw was found in the 389 Directory Server that allows users to caus ...)
{DLA-1483-1}
- 389-ds-base 1.4.0.15-1 (bug #906985)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://pagure.io/389-ds-base/issue/49890
CVE-2018-10934 (A cross-site scripting (XSS) vulnerability was found in the JBoss Mana ...)
- wildfly <itp> (bug #752018)
@@ -91266,6 +91275,7 @@ CVE-2018-10871 (389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a
{DLA-1483-1}
[experimental] - 389-ds-base 1.4.0.13-1
- 389-ds-base 1.4.0.15-1
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://pagure.io/389-ds-base/issue/49789
CVE-2018-10870 (redhat-certification does not properly sanitize paths in rhcertStore.p ...)
NOT-FOR-US: Red Hat Certification
@@ -91353,6 +91363,7 @@ CVE-2018-10850 (389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a
{DLA-1428-1}
[experimental] - 389-ds-base 1.4.0.13-1
- 389-ds-base 1.4.0.15-1 (bug #903501)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1588056
NOTE: https://pagure.io/389-ds-base/c/8f04487f99a
NOTE: https://pagure.io/389-ds-base/issue/49768
@@ -119419,6 +119430,7 @@ CVE-2018-1090 (In Pulp before version 2.16.2, secrets are passed into override_c
CVE-2018-1089 (389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properl ...)
{DLA-1428-1}
- 389-ds-base 1.3.8.2-1 (bug #898138)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2018/05/07/2
CVE-2018-1088 (A privilege escalation flaw was found in gluster 3.x snapshot schedule ...)
- glusterfs 4.0.2-1 (bug #896128)
@@ -119605,6 +119617,7 @@ CVE-2018-1055
CVE-2018-1054 (An out-of-bounds memory read flaw was found in the way 389-ds-base han ...)
{DLA-1428-1}
- 389-ds-base 1.3.7.10-1 (bug #892124)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1537314
NOTE: https://pagure.io/389-ds-base/issue/49545
NOTE: https://pagure.io/389-ds-base/c/14ce2fe0dfa67405dae0ae2e7fde13f6a1360d30?branch=master
@@ -128570,6 +128583,7 @@ CVE-2017-15135 (It was found that 389-ds-base since 1.3.6.1 up to and including
CVE-2017-15134 (A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x ...)
{DLA-1428-1}
- 389-ds-base 1.3.7.9-1 (bug #888452)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
NOTE: Fixed by: https://pagure.io/389-ds-base/c/6aa2acdc3cad9
CVE-2017-15133 (A denial of service flaw was found in miekg-dns before 1.0.4. A remote ...)
- golang-github-miekg-dns 0.0~git20170501.0.f282f80-3 (bug #888777)
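Review bot: "(Minor issue)" is a thin justification for what the CVE line itself describes as a stack buffer overflow in 389-ds-base 1.3.6.x; the entry should state the real reason no-dsa is accepted (low Debian exposure and backport regression risk, per the commit message). The existing "Fixed by:" NOTE (6aa2acdc3cad9) is the obvious commit to cite as the one considered and rejected for a stretch backport.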
@@ -151909,6 +151923,7 @@ CVE-2017-7552 (A flaw was discovered in the file editor of millicore, affecting
NOT-FOR-US: Red Hat Mobile Application Platform
CVE-2017-7551 (389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to pass ...)
- 389-ds-base 1.3.6.7-1 (bug #870752)
+ [stretch] - 389-ds-base <no-dsa> (Minor issue)
[jessie] - 389-ds-base <not-affected> (vulnerable code not present)
NOTE: https://pagure.io/389-ds-base/issue/49336
CVE-2017-7550 (A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x bef ...)
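Review bot: before tagging stretch <no-dsa>, confirm that the stretch package version is actually below the 1.3.5.19 / 1.3.6.7 thresholds named in the CVE line, since <not-affected> would be the correct marker otherwise; the entry already distinguishes jessie that way with a concrete reason ("vulnerable code not present"), and the new [stretch] line should carry a comparably concrete justification rather than "(Minor issue)".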
=====================================
data/dsa-needed.txt
=====================================
@@ -11,9 +11,6 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
---
-389-ds-base (fw)
- Thorsten Alteholz proposed an update
--
cacti (hle)
Maintainer proposed an update, currently reviewing it.
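Review bot: removing the 389-ds-base entry from dsa-needed.txt also drops the record that an update had been proposed ("Thorsten Alteholz proposed an update"), and none of the data/CVE/list changes in this commit mention that proposal or why it was not taken. Note the outcome somewhere (a NOTE line on one of the affected CVEs, or the commit message) so the proposed update is neither lost nor redone by someone else.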
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/14be0b434fc8c41f70074d7517c233a532108019