[Git][security-tracker-team/security-tracker][master] new junit4 issue

Moritz Muehlenhoff jmm at debian.org
Wed Oct 14 22:21:53 BST 2020 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
564aefd4 by Moritz Mühlenhoff at 2020-10-14T23:21:10+02:00
new junit4 issue
solr n/a
jruby bugnums
remove stray gitaly issue, there's no reference other than gitlab for that CVE

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3320,7 +3320,7 @@ CVE-2020-25613 (An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6
 	- ruby2.5 <removed>
 	[buster] - ruby2.5 <no-dsa> (Minor issue)
 	- ruby2.3 <removed>
-	- jruby <unfixed>
+	- jruby <unfixed> (bug #972230)
 	NOTE: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
 	NOTE: Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
 CVE-2020-25612
@@ -25028,7 +25028,7 @@ CVE-2020-15252
 CVE-2020-15251 (In the Channelmgnt plug-in for Sopel (a Python IRC bot) before version ...)
 	NOT-FOR-US: Channelmgnt plug-in for Sopel
 CVE-2020-15250 (In JUnit4 before version 4.13.1, the test rule TemporaryFolder contain ...)
-	TODO: check
+	- junit4 <unfixed>
 CVE-2020-15249
 	RESERVED
 CVE-2020-15248
@@ -28566,7 +28566,7 @@ CVE-2020-13959
 CVE-2020-13958
 	RESERVED
 CVE-2020-13957 (Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 ...)
-	TODO: check
+	- lucene-solr <not-affected> (Vulnerable functionality not yet present)
 CVE-2020-13956 [incorrect handling of malformed authority component in request URIs]
 	RESERVED
 	{DLA-2405-1}
@@ -62806,7 +62806,6 @@ CVE-2019-19260 (GitLab Community Edition (CE) and Enterprise Edition (EE) throug
 	[buster] - gitlab-workhorse <ignored> (Minor issue)
 	[stretch] - gitlab-workhorse <ignored> (Minor issue)
 	[experimental] - gitaly 1.65.2+dfsg-1
-	- gitaly <unfixed>
 	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
 CVE-2019-19259 (GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an I ...)
 	- gitlab <not-affected> (Only affects Gitlab EE)
@@ -74268,7 +74267,7 @@ CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
 	- ruby2.5 2.5.7-1
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
-	- jruby <unfixed>
+	- jruby <unfixed> (bug #972230)
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
 	NOTE: ruby2.5: https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640
 CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...)
@@ -74276,7 +74275,7 @@ CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
 	- ruby2.5 2.5.7-1
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
-	- jruby <unfixed>
+	- jruby <unfixed> (bug #972230)
 	NOTE: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
 	NOTE: https://hackerone.com/reports/331984
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
@@ -74467,7 +74466,7 @@ CVE-2019-16201 (WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x throu
 	- ruby2.5 2.5.7-1
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
-	- jruby <unfixed>
+	- jruby <unfixed> (bug #972230)
 	NOTE: https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
 	NOTE: https://hackerone.com/reports/661722
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
@@ -167194,7 +167193,7 @@ CVE-2017-17743 (Improper input sanitization within the restricted administration
 	NOT-FOR-US: UCOPIA Wireless Appliance
 CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x befo ...)
 	{DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}
-	- jruby <unfixed>
+	- jruby <unfixed> (bug #972230)
 	- ruby2.5 2.5.1-1
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
@@ -167202,6 +167201,7 @@ CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.
 	- ruby1.8 <removed>
 	NOTE: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
 	NOTE: https://github.com/jruby/jruby/releases/tag/9.2.12.0
+	NOTE: https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16
 CVE-2017-17741 (The KVM implementation in the Linux kernel through 4.14.7 allows attac ...)
 	{DSA-4082-1 DSA-4073-1 DLA-1232-1}
 	- linux 4.14.7-1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/564aefd419ad7775af2665cfe0064c2f2ab7ecb7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/564aefd419ad7775af2665cfe0064c2f2ab7ecb7
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201014/25456767/attachment.html>

More information about the debian-security-tracker-commits mailing list