[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-15751 and CVE-2018-15750 will be fixed with the same patch

Thorsten Alteholz alteholz at debian.org
Tue Jul 28 21:22:50 BST 2020



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
60152959 by Thorsten Alteholz at 2020-07-28T22:22:27+02:00
CVE-2018-15751 and CVE-2018-15750 will be fixed with the same patch

- - - - -
5592ead1 by Thorsten Alteholz at 2020-07-28T22:22:27+02:00
Reserve DLA-2294-1 for salt

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -108676,7 +108676,6 @@ CVE-2018-15751 (SaltStack Salt before 2017.7.8 and 2018.3.x before 2018.3.3 allo
 	NOTE: minimal patch: https://github.com/saltstack/salt/compare/v2016.11.9..v2016.11.10
 CVE-2018-15750 (Directory Traversal vulnerability in salt-api in SaltStack Salt before ...)
 	- salt 2018.3.3+dfsg1-1 (bug #913476)
-	[stretch] - salt <no-dsa> (Minor issue)
 	[jessie] - salt <not-affected> (REST netapi code was first introduced with v2014.7)
 	NOTE: Fixed in 2016.11.10, 2017.7.8, 2018.3.3
 	NOTE: https://docs.saltstack.com/en/latest/topics/releases/2016.11.10.html#security-fix
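Review bot: the removed `[stretch] - salt <no-dsa> (Minor issue)` line under CVE-2018-15750 leaves that entry with no stretch annotation in this file, so its stretch status now depends entirely on the DLA-2294-1 entry in data/DLA/list. The hunk shows only the tail of the CVE-2018-15751 entry, and since the commit message says both CVEs are fixed by the same patch, it is worth confirming that no stale stretch annotation remains under CVE-2018-15751 either.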


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[28 Jul 2020] DLA-2294-1 salt - security update
+	{CVE-2018-15750 CVE-2018-15751}
+	[stretch] - salt 2016.11.2+ds-1+deb9u5
 [27 Jul 2020] DLA-2293-1 mercurial - security update
 	{CVE-2017-17458 CVE-2018-13346 CVE-2018-13347 CVE-2018-13348 CVE-2018-1000132 CVE-2019-3902}
 	[stretch] - mercurial 4.0-1+deb9u2
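Review bot: the added `[stretch] - salt 2016.11.2+ds-1+deb9u5` line records the fix in a 2016.11.2-based package, while the notes in data/CVE/list give 2016.11.10 as the earliest fixed upstream release, so the stretch fix is a backport. Consider adding a NOTE under the two CVE entries that points at the patch actually applied, so the stretch fix can be traced without reading the package changelog.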


=====================================
data/dla-needed.txt
=====================================
@@ -123,11 +123,6 @@ ruby-zip
   NOTE: 20200710: Vulnerable to at least CVE-2018-1000544. (lamby)
   NOTE: 20200710: Was fixed in jessie LTS via DLA-1467-1. (lamby)
 --
-salt (Thorsten Alteholz)
-  NOTE: 20200710: Vulnerable to at least CVE-2018-15751, which was
-  NOTE: 20200710: not an issue in jessie LTS. (lamby)
-  NOTE: 20200726: trying to run the test suite (thorsten)
---
 samba (Roberto C. Sánchez)
   NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
 --
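Review bot: the removed salt entry says stretch is vulnerable to "at least CVE-2018-15751", which leaves open that other issues were pending. Before dropping the package from dla-needed.txt, confirm that no salt CVEs remain open for stretch beyond the two listed in DLA-2294-1, and keep a shortened entry if any do.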



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b5bac823dacacf3e516eda77308efab7951fbc1f...5592ead1e5d411ceab65f6e068f9e77d4e8a8a0f
