[Git][security-tracker-team/security-tracker][master] Added information about the squid3 patch analysis made.

Ola Lundqvist opal at debian.org
Mon Jan 20 21:28:09 GMT 2020 


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
570671f5 by Ola Lundqvist at 2020-01-20T22:27:53+01:00
Added information about the squid3 patch analysis made.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -113,12 +113,18 @@ sqlite3 (Thorsten Alteholz)
   NOTE: 20200112: WIP
 --
 squid3
-  NOTE: 20191210: Requires new API SBuf.
+  NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf.
   NOTE: 20200116: Researched other distros to see if any had backported the fixes.  No luck.
   NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed.
   NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not
   NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that
   NOTE: 20200116: addresses the vulnerabilities. (roberto)
+  NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID
+  NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy
+  NOTE: 20200120: to add those checks without introducing SBuf. (Ola)
+  NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping
+  NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more
+  NOTE: 20200120: details on the intention. (Ola)
 --
 storebackup (Utkarsh Gupta)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/570671f57054d4cb93b5100a0e3e5f0f54686a88

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/570671f57054d4cb93b5100a0e3e5f0f54686a88
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200120/231b16ae/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list