[Git][security-tracker-team/security-tracker][master] 2 commits: Triage result for jquery. CVE-2020-11023 and CVE-2020-11023 are fixed with the...

Ola Lundqvist opal at debian.org
Fri May 1 20:01:05 BST 2020



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f77705f6 by Ola Lundqvist at 2020-05-01T20:39:01+02:00
Triage result for jquery. CVE-2020-11023 and CVE-2020-11023 are fixed with the same patch. The extend function htmlPrefilter does not exist in the jessie version. Marked them as not-affected.

- - - - -
e28c9766 by Ola Lundqvist at 2020-05-01T21:00:03+02:00
Triage result for salt. Added commit notes and package to dla-needed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3116,9 +3116,13 @@ CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x
 CVE-2020-11652 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
 	- salt 3000.2+dfsg1-1
 	NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
+	NOTE: https://github.com/saltstack/salt/commit/cce7abad9c22d9d50ccee2813acabff8deca35dd
 CVE-2020-11651 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
 	- salt 3000.2+dfsg1-1
 	NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
+	NOTE: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7
+	NOTE: There is a typo (for more info see the release notes) in the official correction.
+	NOTE: This should be fixed too since this typo causes a regression.
 CVE-2020-11650 (An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before ...)
 	NOT-FOR-US: FreeNAS
 CVE-2020-11649 (An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Membe ...)
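Review bot: the two NOTE lines added under CVE-2020-11651 ("There is a typo (for more info see the release notes) in the official correction" / "This should be fixed too since this typo causes a regression") do not say what the typo is, which part of commit a67d76b15615983d467ed81371b38b4a17e4f3b7 it affects, or where in the release notes it is described, so a later triager working from data/CVE/list cannot verify the regression or tell whether an updated upstream fix already addresses it. Suggest naming the affected identifier or file in the NOTE and linking the upstream follow-up commit or issue directly, instead of "see the release notes".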
@@ -4765,9 +4769,11 @@ CVE-2020-11024 (In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulne
 	NOT-FOR-US: Moonlight iOS/tvOS
 CVE-2020-11023 (In jQuery before 3.5.0, passing HTML containing <option> element ...)
 	- jquery <unfixed>
+	[jessie] - jquery <not-affected> (Vulnerable code note present)
 	NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
 CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...)
 	- jquery <unfixed>
+	[jessie] - jquery <not-affected> (Vulnerable code note present)
 	NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
 	NOTE: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
 CVE-2020-11021 (Actions Http-Client (NPM @actions/http-client) before version 1.0.8 ca ...)
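Review bot: both added `[jessie]` lines read `(Vulnerable code note present)`; given the commit message ("htmlPrefilter does not exist in the jessie version") this should be `not present`, and as written the justification contradicts the `<not-affected>` tag. Two further points: the commit message names CVE-2020-11023 twice where this hunk marks CVE-2020-11022 and CVE-2020-11023, and the description line for CVE-2020-11022 says versions from 1.2 onward are affected, so the absence of `htmlPrefilter` (the function the linked upstream commit changes) shows only that the upstream patch does not apply to jessie's package, not that the affected HTML handling is absent. Suggest confirming against jessie's jquery source before keeping `<not-affected>`, or recording the reasoning as a NOTE so the tag can be revisited.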


=====================================
data/dla-needed.txt
=====================================
@@ -72,6 +72,9 @@ php5 (Thorsten Alteholz)
 --
 qemu (Adrian Bunk)
 --
+salt
+  NOTE: Upstream fix for CVE-CVE-2020-11651 causes a regression. Should be fixed too.
+--
 sqlite3 (Mike Gabriel)
 --
 squid3 (Markus Koschany)
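Review bot: the added NOTE has a duplicated prefix, `CVE-CVE-2020-11651`; it should read `CVE-2020-11651`. Since this entry exists so that whoever claims salt picks up the regression, the NOTE would also be more useful if it carried the same upstream commit URL recorded for CVE-2020-11651 in data/CVE/list rather than only "Should be fixed too".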



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f21b1165aead7a310cf13daff9cb36e2601c0339...e28c97660d0485bc16410f653cbc73c5ad860d3e


