[Git][security-tracker-team/security-tracker][master] Revaluate state for CVE-2019-13456/freeradius

Wed Mar 18 14:09:51 GMT 2020


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
96e6f728 by Salvatore Bonaccorso at 2020-03-18T15:07:00+01:00
Revaluate state for CVE-2019-13456/freeradius

I cannot say for sure where we got first the respective commits related
to CVE-2019-11234 and CVE-2019-11235 but as well the description[1] and
the relevant reference to the Red Hat bugzilla[2] shows that this is
related to the commit[3].

 [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13456
 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1737663
 [3] https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa

Contact with MITRE regarding CVE-2019-13456 and CVE-2019-20510 if they
are considered on purpose different CVEs.

Thanks: Thorsten Alteholz for pointing out this inconsistency.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -43878,14 +43878,11 @@ CVE-2019-13457 (An issue was discovered in Open Ticket Request System (OTRS) 7.0
 	- otrs2 <not-affected> (Only affects 7.x series)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-11/
 CVE-2019-13456 (In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd h ...)
-	- freeradius 3.0.17+dfsg-1.1
-	[stretch] - freeradius <no-dsa> (Minor issue; plugin not enabled by default)
-	[jessie] - freeradius <not-affected> (Vulnerable code added later)
+	- freeradius 3.0.20+dfsg-1
+	[jessie] - freeradius <not-affected> (Vulnerable code introduced later in version 3.0.0)
+	NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1737663
 	NOTE: https://wpa3.mathyvanhoef.com/#new
-	NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/a99746c93b8b3ae3be367af0e46f0d6a9626f566 (master)
-	NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586 (3.0.x)
-	NOTE: Issue seems to be treated as different issue than CVE-2019-11234 and CVE-2019-11235
 CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...)
 	{DLA-1898-1}
 	- xymon 4.3.29-1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96e6f728c485284b319e7b48e270227b61110940

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96e6f728c485284b319e7b48e270227b61110940
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200318/def712e9/attachment.html>
