[Git][security-tracker-team/security-tracker][master] 2 commits: dla: tidy statuses a bit
Sylvain Beucler
beuc at debian.org
Tue Mar 3 14:45:26 GMT 2020
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7cec8b2a by Sylvain Beucler at 2020-03-03T15:43:30+01:00
dla: tidy statuses a bit
- - - - -
5f8143e5 by Sylvain Beucler at 2020-03-03T15:44:54+01:00
CVE-2014-10399,CVE-2014-10400/lua-cgi: not-affected
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2990,9 +2990,11 @@ CVE-2020-8669
CVE-2020-8668
RESERVED
CVE-2014-10400 (The session.lua library in CGILua 5.0.x uses sequential session IDs, w ...)
- - lua-cgi <unfixed>
+ - lua-cgi <not-affected> (session generation changed in 5.1.x, cf. CVE-2014-10399)
+ NOTE: https://seclists.org/fulldisclosure/2014/Apr/318
CVE-2014-10399 (The session.lua library in CGILua 5.1.x uses the same ID for each sess ...)
- - lua-cgi <unfixed>
+ - lua-cgi <not-affected> (session generation changed in 5.2.x, cf. CVE-2014-2875)
+ NOTE: https://seclists.org/fulldisclosure/2014/Apr/318
CVE-2020-8667
RESERVED
CVE-2020-8666
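Review bot: The <not-affected> reasons on both added "- lua-cgi" lines name only the upstream series in which session generation changed (5.1.x for CVE-2014-10400, 5.2.x for CVE-2014-10399), not the lua-cgi version the archive ships, so the claim cannot be checked from the entry itself. Suggest putting the packaged version in the parenthetical. The second reason defers to CVE-2014-2875 for the 5.2.x behaviour, and that entry is not visible in this hunk; please confirm it carries its own lua-cgi status.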
=====================================
data/dla-needed.txt
=====================================
@@ -39,8 +39,8 @@ linux (Ben Hutchings)
linux-4.9 (Ben Hutchings)
--
lua-cgi
- NOTE: The package do not seem to be used much, but the popcon data in this case
- NOTE: may not be entirelly reliable. One possibility is to declare it unsupported. (Ola)
+ NOTE: 20200227: The package do not seem to be used much, but the popcon data in this case
+ NOTE: 20200227: may not be entirelly reliable. One possibility is to declare it unsupported. (Ola)
--
lxc (Roberto C. Sánchez)
NOTE: 20200221: CVE-2017-18641 is probably to extensive to fix in Jessie
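Review bot: The date prefix is added to the continuation line of the lua-cgi note as well ("NOTE: 20200227: may not be ..."), while the wpa entry further down in the same file leaves its continuation line undated. Pick one convention for wrapped notes and apply it to both entries. Since both lines are being rewritten anyway, "do not seem" and "entirelly" could be corrected in the same pass.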
@@ -75,7 +75,7 @@ slirp (Utkarsh Gupta)
--
slurm-llnl
NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc
- NOTE: Regression found. (abhijith)
+ NOTE: 20191218: Regression found. (abhijith)
--
squid3 (Markus Koschany)
NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf.
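Review bot: The slurm-llnl note "Regression found." now has a date but still does not say which regression or where it was reported, so whoever picks the package up next has nothing to act on. Suggest adding a short description or a link to the report alongside the 20191218 date.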
@@ -103,7 +103,7 @@ weechat (Thorsten Alteholz)
--
wpa
NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from hostapd, which is
- NOTE: normally fine, but should be carefully considered for Jessie
+ NOTE: normally fine, but should be carefully considered for Jessie (alteholz)
--
xcftools
NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for review.
@@ -112,7 +112,8 @@ xcftools
NOTE: 20200127: ongoing
--
xen (Roberto C. Sánchez)
- NOTE: 20200222: requested update from Credativ; likely xen will be end-of-life. (roberto)
+ NOTE: 20200302: xen 4.4 EOL'd, needs public announcement (roberto)
+ NOTE: 20200302: https://lists.debian.org/debian-lts/2020/03/msg00024.html
--
xerces-c
NOTE: 20191231: There is no upstream patch yet. (apo)
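Review bot: In the xen entry the 20200222 note about the update requested from Credativ is replaced rather than kept, which drops part of the history that the dated-note format is there to preserve (compare xcftools just above, which keeps successive dated notes). Suggest leaving the 20200222 line in place and appending the two 20200302 lines after it. This is also a status change rather than tidying, so it would fit better in its own commit than under "dla: tidy statuses a bit".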
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a7a4b3e7f0bd76f803f1109f69bc98efbe630e8b...5f8143e5b1080c185bac1b96b7bf9102612cede4