[Git][security-tracker-team/security-tracker][master] Associate Apache Spark issues with an itp/rfp bug

Salvatore Bonaccorso carnil at debian.org
Wed Jun 24 21:21:11 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f3bd89b1 by Salvatore Bonaccorso at 2020-06-24T22:20:30+02:00
Associate Apache Spark issues with an itp/rfp bug

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -15013,7 +15013,7 @@ CVE-2020-9481 (Apache ATS 6.0.0 to 6.2.3, 7.0.0 to 7.1.9, and 8.0.0 to 8.0.6 is
 	NOTE: https://lists.apache.org/thread.html/rcb8bae0b289d71d18a3220be256c1dfcc4d9ab49d2d6e07d1eac7c9d%40%3Cannounce.trafficserver.apache.org%3E
 	NOTE: https://github.com/apache/trafficserver/commit/50441b39e6631389ef95c4133f06bbf94544879c
 CVE-2020-9480 (In Apache Spark 2.4.5 and earlier, a standalone resource manager's mas ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2020-9479
 	RESERVED
 CVE-2019-20485 (qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a ...)
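Review bot: the replacement line under CVE-2020-9480 moves the entry from NOT-FOR-US to a tracked pseudo-package `apache-spark <itp>`, and the same `bug #802194` is repeated verbatim in all ten hunks of this commit, so verify once that #802194 is the open ITP/RFP for apache-spark that the commit message refers to; a wrong number here propagates to every Spark CVE in the file.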
@@ -66748,7 +66748,7 @@ CVE-2016-10749 (parse_string in cJSON.c in cJSON before 2016-10-02 has a buffer
 CVE-2016-10744 (In Select2 through 4.0.5, as used in Snipe-IT and other products, rich ...)
 	NOT-FOR-US: Snipe-IT
 CVE-2019-10099 (Prior to Spark 2.3.3, in certain situations Spark would write user dat ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2019-10098 (In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_r ...)
 	{DSA-4509-1 DLA-1900-1}
 	- apache2 2.4.41-1
@@ -101588,7 +101588,7 @@ CVE-2018-17191 (Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configurati
 	NOTE: Fixed upstream in version 10.0
 	NOTE: https://www.openwall.com/lists/oss-security/2018/12/30/1
 CVE-2018-17190 (In all versions of Apache Spark, its standalone resource manager accep ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2018-17189 (In Apache HTTP server versions 2.4.37 and prior, by sending request bo ...)
 	{DSA-4422-1}
 	- apache2 2.4.38-1 (low; bug #920302)
@@ -115899,7 +115899,7 @@ CVE-2018-11805 (In Apache SpamAssassin before 3.4.3, nefarious CF files can be c
 	NOTE: https://markmail.org/message/pyp425yrulfxyhrn
 	NOTE: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7648 (not public)
 CVE-2018-11804 (Spark's Apache Maven-based build includes a convenience script, 'build ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2018-11803 (Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and 1.10. ...)
 	- subversion 1.10.4-1
 	[stretch] - subversion <not-affected> (Vulnerable code introduced in 1.10.0)
@@ -116019,7 +116019,7 @@ CVE-2018-11771 (When reading a specially crafted ZIP archive, the read method of
 	[jessie] - libcommons-compress-java <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/08/16/2
 CVE-2018-11770 (From version 1.3.0 onward, Apache Spark's standalone master exposes a  ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2018-11769 (CouchDB administrative users before 2.2.0 can configure the database s ...)
 	- couchdb <removed>
 	NOTE: http://www.openwall.com/lists/oss-security/2018/08/08/2
@@ -116050,7 +116050,7 @@ CVE-2018-11761 (In Apache Tika 0.1 to 1.18, the XML parsers were not configured
 	NOTE: When fixing this issue the fix needs to be made complete to not open
 	NOTE: CVE-2018-11796. The full fix is only in 1.19.1 onwards.
 CVE-2018-11760 (When using PySpark , it's possible for a different local user to conne ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2018-11759 (The Apache Web Server (httpd) specific code that normalised the reques ...)
 	{DSA-4357-1 DLA-1609-1}
 	- libapache-mod-jk 1:1.2.46-1
@@ -125977,7 +125977,7 @@ CVE-2018-8026 (This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3
 CVE-2018-8025 (CVE-2018-8025 describes an issue in Apache HBase that affects the opti ...)
 	NOT-FOR-US: Apache HBase
 CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possib ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2018-8023 (Apache Mesos can be configured to require authentication to call the E ...)
 	- apache-mesos <itp> (bug #760315)
 CVE-2018-8022 (A carefully crafted invalid TLS handshake can cause Apache Traffic Ser ...)
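Review bot: the new `- apache-spark <itp> (bug #802194)` line under CVE-2018-8024 has the same shape as the existing `- apache-mesos <itp> (bug #760315)` entry directly below it under CVE-2018-8023, so the tab-indented `- <source-package> <itp> (bug #N)` form matches the file's convention for not-yet-packaged software; nothing to change.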
@@ -145862,7 +145862,7 @@ CVE-2018-1335 (From Apache Tika versions 1.7 to 1.17, clients could send careful
 	[jessie] - tika <not-affected> (Server functionality not present)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/8
 CVE-2018-1334 (In Apache Spark 1.0.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, when using  ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2018-1333 (By specially crafting HTTP/2 requests, workers would be allocated 60 s ...)
 	- apache2 2.4.34-1 (bug #904106)
 	[stretch] - apache2 2.4.25-3+deb9u6
@@ -163959,7 +163959,7 @@ CVE-2017-12613 (When apr_time_exp*() or apr_os_exp_time*() functions are invoked
 	NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E
 	NOTE: Fixed by: https://github.com/apache/apr/commit/ad958385a4180d7a83d90589689fcd36e3bbc57a
 CVE-2017-12612 (In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe de ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2017-12611 (In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using  ...)
 	- libstruts1.2-java <removed>
 	[wheezy] - libstruts1.2-java <ignored> (Minor issue)
@@ -178832,7 +178832,7 @@ CVE-2017-7679 (In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_
 	{DSA-3896-1 DLA-1009-1}
 	- apache2 2.4.25-4
 CVE-2017-7678 (In Apache Spark before 2.2.0, it is possible for an attacker to take a ...)
-	NOT-FOR-US: Apache Spark
+	- apache-spark <itp> (bug #802194)
 CVE-2017-7677 (In environments that use external location for hive tables, Hive Autho ...)
 	NOT-FOR-US: Apache Ranger
 CVE-2017-7676 (Policy resource matcher in Apache Ranger before 0.7.1 ignores characte ...)
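Review bot: with the last hunk (CVE-2017-7678) the change is uniform across all ten Spark entries, but note the follow-up cost: once apache-spark enters the archive and the ITP closes, each of these `<itp>` lines needs a fixed-version (or `<unfixed>`) annotation, so the bug number is the only thread tying them together for that later sweep.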



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3bd89b1c7512963849cc436832bcd425c387371


