[Git][security-tracker-team/security-tracker][master] 2 commits: Remove fossil from dla-needed.txt

Tue Nov 10 22:44:40 GMT 2020


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0d2f7109 by Markus Koschany at 2020-11-10T22:53:42+01:00
Remove fossil from dla-needed.txt

Follow the security team and mark this CVE as ignored.

According to upstream the vulnerability can only be exploited by site admins
and users with check-in privileges:

 The attacks can only be carried out by a site administrator or by someone with
 check-in privileges on the repository, not by random passers-by on the
 internet.

 https://fossil-scm.org/forum/info/a05ae3ce7760daf6

Thus the risk is rather low. The patch itself is quite invasive. Although we
could remove all the unrelated fixes to not allow symlinks anymore, the
risk/regression factor is higher than the potential benefit for users.

- - - - -
04b9d2f4 by Markus Koschany at 2020-11-10T23:44:06+01:00
CVE-2020-24614,fossil: Mark as no-dsa for Stretch.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -10505,6 +10505,7 @@ CVE-2020-24556 (A vulnerability in Trend Micro Apex One and OfficeScan XG SP1 on
 CVE-2020-24614 (Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 a ...)
 	- fossil 1:2.12.1-1
 	[buster] - fossil <no-dsa> (Minor issue)
+	[stretch] - fossil <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/08/20/1
 	NOTE: https://fossil-scm.org/forum/info/a05ae3ce7760daf6
 	NOTE: https://fossil-scm.org/fossil/vdiff?branch=sec2020-2.12-patch&diff=1&w


=====================================
data/dla-needed.txt
=====================================
@@ -48,11 +48,6 @@ f2fs-tools
 --
 firefox-esr (Roberto C. Sánchez)
 --
-fossil (Markus Koschany)
-  NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a
-  NOTE: 20200903: database query in src/add.c. In fact, the patch fixing this CVE is quite invasive. Maybe decide
-  NOTE: 20200903: not to fix it?
---
 freerdp (Abhijith PA)
 --
 golang-1.7 (Thorsten Alteholz)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c556435c583d734c3ecd64219aa027834caa8f2d...04b9d2f45359e344fd8d0d1c719eb87b6881b619

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c556435c583d734c3ecd64219aa027834caa8f2d...04b9d2f45359e344fd8d0d1c719eb87b6881b619
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201110/03e8fde4/attachment.html>
