[Git][security-tracker-team/security-tracker][master] 4 commits: Tagged CVE-2020-8432 as ignored in jessie for u-boot following decision for stretch.
Ola Lundqvist
opal at debian.org
Fri Jan 31 20:24:03 GMT 2020
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d042d8f8 by Ola Lundqvist at 2020-01-31T21:23:02+01:00
Tagged CVE-2020-8432 as ignored in jessie for u-boot following decision for stretch.
- - - - -
aece597c by Ola Lundqvist at 2020-01-31T21:23:03+01:00
Marked CVE-2019-20421 for exiv2 as ignored in jessie. Similar issues have been marked the same many times before.
- - - - -
0886753e by Ola Lundqvist at 2020-01-31T21:23:03+01:00
Netty added to DLA needed file.
- - - - -
e3137df9 by Ola Lundqvist at 2020-01-31T21:23:04+01:00
Decided to mark CVE-2020-8492 for python ignored in jessie. It is a client side DoS problem and with any decent client it would be impossible to exploit. If a new client is written it is possible but then DoS can be implemented by other means. However I may have missed something so I sent an email about it asking for advice.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -22,6 +22,8 @@ CVE-2020-8492 (Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10,
- python3.5 <removed>
- python3.4 <removed>
- python2.7 <unfixed>
+ [jessie] - python3.4 <ignored> (Minor issue, client side DoS and hard to exploit)
+ [jessie] - python2.7 <ignored> (Minor issue, client side DoS and hard to exploit)
NOTE: https://bugs.python.org/issue39503
NOTE: https://github.com/python/cpython/pull/18284
NOTE: https://python-security.readthedocs.io/vuln/urllib-basic-auth-regex.html
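Review bot: The two added [jessie] lines for python3.4 and python2.7 record a final <ignored> state, while the commit message says advice on this triage was still being asked for by email. A NOTE line under the entry saying that the decision is awaiting an answer would keep someone who reads only data/CVE/list from treating it as settled. The reason "hard to exploit" would also be easier to re-check later if it named the condition it rests on.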
@@ -153,6 +155,7 @@ CVE-2020-8432 (In Das U-Boot through 2020.01, a double free has been found in th
- u-boot <unfixed> (low)
[buster] - u-boot <no-dsa> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
+ [jessie] - u-boot <ignored> (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2020-January/396799.html
NOTE: https://lists.denx.de/pipermail/u-boot/2020-January/396853.html
CVE-2020-8431
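Review bot: The added "[jessie] - u-boot <ignored> (Minor issue)" line reuses the generic reason from the buster and stretch <no-dsa> lines although the tag is different. For a double free, the reason should say briefly why it is minor for jessie, or state that it follows the stretch decision as the commit message does, so the entry explains itself without the commit log.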
@@ -1118,6 +1121,7 @@ CVE-2019-20422 (In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/i
NOTE: https://git.kernel.org/linus/7b09c2d052db4b4ad0b27b97918b46a7746966fa
CVE-2019-20421 (In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input ...)
- exiv2 0.27.2-8 (bug #950183)
+ [jessie] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/commit/a82098f4f90cd86297131b5663c3dec6a34470e8
NOTE: https://github.com/Exiv2/exiv2/issues/1011
CVE-2020-7982
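Review bot: The added "[jessie] - exiv2 <ignored> (Minor issue)" line does not say whether the jessie package contains the affected code. The CVE description names Jp2Image::readMetadata() in Exiv2 0.27.2, so it is worth confirming that the jessie version is affected at all. If it is, the reason could carry the basis given in the commit message (similar issues were handled the same way before) instead of only "Minor issue".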
=====================================
data/dla-needed.txt
=====================================
@@ -58,6 +58,10 @@ linux (Ben Hutchings)
--
linux-4.9 (Ben Hutchings)
--
+netty
+ NOTE: Have not checked if the jessie code is vulnerable since the explicit patches could not
+ NOTE: be found. So that remains. The issues however looks important enough to fix.
+--
nss (Markus Koschany)
NOTE: 20200127: Fix for CVE-2019-17023 requires more work and testing but
NOTE: release is planned for this week.
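Review bot: The new netty entry names no CVE ids or references, so whoever claims it cannot tell from dla-needed.txt which issues are meant or which patches were searched for. Listing the CVE ids in the NOTE lines would fix that. The NOTE also lacks the date prefix that the nss entry just below uses ("20200127:"), which makes it hard to tell later how old the "have not checked" status is.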
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/28223c0d904661cd4d6f05fef4bc6b637719178e...e3137df976dd5314effa0b577672e5a07e6910e8