[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-7106/cacti: postponed in stretch & buster

Hugo Lefeuvre hle at debian.org
Thu Jan 23 07:15:34 GMT 2020



Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a3df52a2 by Hugo Lefeuvre at 2020-01-23T08:09:03+01:00
CVE-2020-7106/cacti: postponed in stretch & buster

XSS can only be triggered in administration areas only accessible by
users with administration privileges. Fix this along with more
important issues in a future DSA.

- - - - -
79e2cd5b by Hugo Lefeuvre at 2020-01-23T08:14:43+01:00
dla-needed: update cacti notes (regression update)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1625,6 +1625,8 @@ CVE-2020-7107 (The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS vi
 CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.p ...)
 	{DLA-2069-1}
 	- cacti <unfixed>
+	[buster] - cacti <postponed> (can be fixed along with more important issues)
+	[stretch] - cacti <postponed> (can be fixed along with more important issues)
 	NOTE: https://github.com/Cacti/cacti/issues/3191
 	NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9
 	NOTE: https://github.com/Cacti/cacti/commit/47a000b5aba4af16967e249b25f25397506e3464
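Review bot: the new `[stretch] - cacti <postponed>` line sits under an entry that already carries `{DLA-2069-1}`, which records the issue as fixed in stretch, so the two annotations disagree about the stretch status; if the DLA fix is regarded as incomplete (the dla-needed.txt note in this same push says a follow-up fix is still pending), the annotation should say so explicitly rather than read as a fresh postponement, otherwise the stretch line should be dropped. The reason for postponing (the XSS is only reachable from administration pages, per the commit message) is also worth carrying into the inline annotation, e.g. `(admin-only XSS, can be fixed along with more important issues)`, so that readers of data/CVE/list do not have to consult the commit log to understand why the fix was deferred.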


=====================================
data/dla-needed.txt
=====================================
@@ -11,6 +11,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
 --
 cacti (Chris Lamb)
+  NOTE: CVE-2020-7106: one more followup fix is coming (currently PRed by
+  NOTE: @smutranchi), we should probably wait for the fix to stabilize &
+  NOTE: potential regression reports to come up before releasing a regression
+  NOTE: update (2020-01-23, hle)
 --
 clamav (Hugo Lefeuvre)
   NOTE: 20200111: waiting for 0.102.1 to enter stretch/buster.
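Review bot: the note refers to a pending pull request ("currently PRed by @smutranchi") without a URL or number; add the link so the next triager can check whether it has been merged and whether regression reports have appeared, matching the issue and commit links already recorded for this CVE in data/CVE/list. Minor style point: the neighbouring clamav entry leads with the date (`NOTE: 20200111: ...`) while this note puts it at the end (`(2020-01-23, hle)`); using one form throughout keeps the file scannable.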



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/e334c939d43c225c3c253aa275e037f9fbd03ebc...79e2cd5b82bc0dfaabc4ff1b29ae5a772e5772b1
