[Git][security-tracker-team/security-tracker][master] 2 commits: Update status of squid3 in dla-needed.txt.

Markus Koschany apo at debian.org
Mon Mar 9 10:27:54 GMT 2020 


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2c048c8c by Markus Koschany at 2020-03-09T11:26:37+01:00
Update status of squid3 in dla-needed.txt.

- - - - -
03239c99 by Markus Koschany at 2020-03-09T11:27:27+01:00
Claim wpa in dla-needed.txt.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -70,19 +70,7 @@ slirp (Utkarsh Gupta)
   NOTE: 20200223: WIP.
 --
 squid3 (Markus Koschany)
-  NOTE: 20191210: CVE-2019-12523 and CVE-2019-18676 Requires new API SBuf.
-  NOTE: 20200116: Researched other distros to see if any had backported the fixes.  No luck.
-  NOTE: 20200116: Tried for some time to reproduce the vulnerabilities, but did not succeed.
-  NOTE: 20200116: The change is rather involved when considering the new SBuf API, so not
-  NOTE: 20200116: being able to reproduce makes it impossible isolate the minimal change that
-  NOTE: 20200116: addresses the vulnerabilities. (roberto)
-  NOTE: 20200120: CVE-2019-12523 It looks like the only new checks is the introduction of NID
-  NOTE: 20200120: checks in parseUrn. This function replaces parseFinish. It should be easy
-  NOTE: 20200120: to add those checks without introducing SBuf. (Ola)
-  NOTE: 20200120: CVE-2019-18676 however is more complicated to locate. Potentially the // skipping
-  NOTE: 20200120: or the absolute function is the issue but it is hard to tell without more
-  NOTE: 20200120: details on the intention. (Ola)
-  NOTE: 20200224: Ongoing work. (apo)
+  NOTE: 20200309: Requires more tests. (apo)
 --
 tomcat8 (Abhijith PA)
  NOTE: 20200106: Almost done. Working on failing testcase.
@@ -92,7 +80,7 @@ tomcat8 (Abhijith PA)
 weechat (Thorsten Alteholz)
   NOTE: 20200309: work is ongoing
 --
-wpa
+wpa (Markus Koschany)
   NOTE: 20200218: fix for CVE-2019-5061 removes IAPP functionality from hostapd, which is
   NOTE:           normally fine, but should be carefully considered for Jessie (alteholz)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/76bfb7f0c135c4b1d053aab799713767298ae7df...03239c99e4781067975f5bbdd4b3535316180682

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/76bfb7f0c135c4b1d053aab799713767298ae7df...03239c99e4781067975f5bbdd4b3535316180682
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200309/e01b224b/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list