[Git][security-tracker-team/security-tracker][master] Mark jquery/CVE-2020-7656 ignored in Jessie

Brian May bam at debian.org
Thu Jun 18 22:23:08 BST 2020



Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e566eb8 by Brian May at 2020-06-19T07:21:39+10:00
Mark jquery/CVE-2020-7656 ignored in Jessie

While the fix itself is simple enough, it requires extra functionality
that is missing or broken in the Jessie version.

For more details, see thread starting at:
https://lists.debian.org/debian-lts/2020/06/msg00056.html

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -17837,7 +17837,9 @@ CVE-2020-7657
 	RESERVED
 CVE-2020-7656 (jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load ...)
 	- jquery 2.2.4+dfsg-1
+	[jessie] - jquery <ignored> (Too intrusive to backport)
 	NOTE: https://snyk.io/vuln/SNYK-JS-JQUERY-569619
+	NOTE: See debian-lts discussion starting at: https://lists.debian.org/debian-lts/2020/06/msg00025.html
 CVE-2020-7655 (netius prior to 1.17.58 is vulnerable to HTTP Request Smuggling. HTTP  ...)
 	NOT-FOR-US: netius
 CVE-2020-7654 (All versions of snyk-broker before 4.73.1 are vulnerable to Informatio ...)
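Review bot: the NOTE added in this hunk points readers to https://lists.debian.org/debian-lts/2020/06/msg00025.html as the start of the debian-lts discussion, while the commit message above names https://lists.debian.org/debian-lts/2020/06/msg00056.html as the start of the thread; please confirm which message actually opens the thread and use the same URL in both places (or label each one, e.g. first message vs. the message with the decision), so anyone revisiting the `[jessie] - jquery <ignored>` marking lands on the right context. The parenthetical reason `(Too intrusive to backport)` is also terse given that the detailed analysis is being removed from data/dla-needed.txt in the same commit; a second NOTE line naming the blocking dependency (the upstream fix relying on the keepScripts handling of jQuery.parseHTML, per the removed notes) would keep the rationale inside the tracker rather than only on the list.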


=====================================
data/dla-needed.txt
=====================================
@@ -46,17 +46,6 @@ glib-networking
 --
 imagemagick (Markus Koschany)
 --
-jquery
-  NOTE: 20200606: This was fixed upstream in a set of wider changes
-  NOTE: 20200606: (a938d7b128) which cannot be applied. Even the specific part
-  NOTE: 20200606: cannot be cherry picked as it calls out to jQuery.parseHTML
-  NOTE: 20200606: which has a keepScripts argument. We could easily change the
-  NOTE: 20200606: the rscript regex to also match the problematic whitespace, but
-  NOTE: 20200606: this may not be complete as it does not do all the other checks
-  NOTE: 20200606: and magic that parseHTML does (eg. hacking document.implementation)
-  NOTE: 20200606: I do not know enough about this sanitisation and we don't want
-  NOTE: 20200606: to be playing whack-a-mole here. (lamby)
---
 libdatetime-timezone-perl
   NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto)
 --
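Review bot: removing this block drops the tracker's only written record of why the upstream change cannot be cherry-picked for jessie (the fix calls jQuery.parseHTML with its keepScripts argument, and patching only the rscript regex would miss the other checks parseHTML performs); after this commit that reasoning survives only on the mailing list. Since the jquery entry is leaving dla-needed.txt anyway, consider carrying a one-line summary into the data/CVE/list entry, e.g. `NOTE: upstream fix depends on jQuery.parseHTML keepScripts handling not present in the jessie version`, alongside the existing link. The deletion itself is clean: the entry and its trailing `--` separator go together, so the remaining entries stay properly delimited.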



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e566eb8abcb548cf7020f18e4dce28aabfc5265
