[Git][security-tracker-team/security-tracker][master] 3 commits: Demote CVE-2014-2875 to unimportant

Tue Mar 31 21:51:59 BST 2020


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d905c4d0 by Salvatore Bonaccorso at 2020-03-31T22:41:38+02:00
Demote CVE-2014-2875 to unimportant

Reasoning: as per previous commit the issue is present, but due to the
code beeing broken the issue is unexploitable. Mark the issue as unfixed
but demote it to unimportant.

- - - - -
d9302b16 by Salvatore Bonaccorso at 2020-03-31T22:49:59+02:00
Add Debian bug reference for CVE-2019-15522/csync2

- - - - -
07494345 by Salvatore Bonaccorso at 2020-03-31T22:51:17+02:00
Add Debian bug reference for CVE-2020-5291/bubblewrap

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -658,7 +658,7 @@ CVE-2020-11115
 CVE-2020-11114
 	RESERVED
 CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode a ...)
-	- bubblewrap 0.4.1-1 (low)
+	- bubblewrap 0.4.1-1 (low; bug #955441)
 	[buster] - bubblewrap <not-affected> (Introduced in 0.4.0)
 	[stretch] - bubblewrap <not-affected> (Introduced in 0.4.0)
 	NOTE: https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
@@ -38126,7 +38126,7 @@ CVE-2019-15524 (CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a
 CVE-2019-15523
 	RESERVED
 CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...)
-	- csync2 <unfixed>
+	- csync2 <unfixed> (bug #955445)
 	[buster] - csync2 <no-dsa> (Minor issue)
 	[stretch] - csync2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1
@@ -263081,10 +263081,11 @@ CVE-2014-2877
 CVE-2014-2876
 	RESERVED
 CVE-2014-2875 (The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses wea ...)
-	- lua-cgi <not-affected> (code is broken and cannot be exploited)
+	- lua-cgi <unfixed> (unimportant)
 	NOTE: https://github.com/keplerproject/cgilua/issues/17
 	NOTE: https://bugs.debian.org/953037
 	NOTE: https://bugs.debian.org/954300
+	NOTE: The code itself is broken and thus cannot be exploited per se if not fixed.
 CVE-2013-7369 (SQL injection vulnerability in an unspecified DLL in the FSDBCom Activ ...)
 	NOT-FOR-US: F-Secure Anti-Virus
 CVE-2012-6647 (The futex_wait_requeue_pi function in kernel/futex.c in the Linux kern ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ce8d060f5fcc344889020a797a665b911b62ccf4...07494345ffa78ffb60a641c5c35ee29ed6f8564a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ce8d060f5fcc344889020a797a665b911b62ccf4...07494345ffa78ffb60a641c5c35ee29ed6f8564a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200331/1bb79345/attachment-0001.html>
