[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: take samba from Ola and look into Samba AD related CVEs

Mike Gabriel sunweaver at debian.org
Thu Sep 3 13:42:56 BST 2020



Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f1e11b90 by Mike Gabriel at 2020-09-03T14:40:03+02:00
data/dla-needed.txt: take samba from Ola and look into Samba AD related CVEs

- - - - -
5f4994db by Mike Gabriel at 2020-09-03T14:42:49+02:00
data/dla-needed.txt: unclaim fossil instead

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -63,7 +63,10 @@ firefox-esr (Emilio)
   NOTE: 20200720: working on ESR 78 backport. (pochu)
   NOTE: 20200831: backported llvm 10 and wasi-libc, looking into rustc/cargo (pochu)
 --
-fossil (Mike Gabriel)
+fossil
+  NOTE: 20200903: looked into CVE-2020-24614: the fix for this CVE partially applies, but does not apply around a
+  NOTE: 20200903: database query in src/add.c. In fact, the patch fixing this CVE is quite invasive. Maybe decide
+  NOTE: 20200903: not to fix it?
 --
 freerdp (Mike Gabriel)
 --
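Review bot: the unclaim at `-fossil (Mike Gabriel)` / `+fossil` drops the owner but leaves the CVE-2020-24614 question in the entry unresolved: the 20200903 notes say the fix partially applies and fails around a database query in src/add.c and ask whether to skip it, but record neither which upstream fix was attempted nor who decides. Suggest adding a note with the reference to the upstream fix that was tried, so the next claimant does not redo the backport attempt, and, if the decision is not to fix, recording that as a postponed state for the CVE rather than leaving an open question in dla-needed.txt.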
@@ -154,12 +157,13 @@ ruby-rack-cors (Utkarsh Gupta)
  NOTE: 20200817: Was fixed in DLA-2096-1 for jessie LTS but is now re-vulnerable again in stretch LTS AFAICT. (lamby)
  NOTE: 20200831: got a reproducer very recently. (utkarsh)
 --
-samba (Ola Lundqvist)
+samba (Mike Gabriel)
   NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
   NOTE: 20200801: Stretch update already released, so no conflict. (roberto)
   NOTE: 20200801: Patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745, and CVE-2020-10740, are ready. (roberto)
   NOTE: 20200801: Best to wait for additional CVEs before uploading; check with Roberto for patches. (roberto)
   NOTE: 20200830: Will remove this entry and mark all current CVEs as postponed. But first I need to know were the patches are (ola).
+  NOTE: 20200903: As discussed internally, I will look into Samba AD CVEs and revisit the risk assessment, plus fix the more severe issues (sunweaver)
 --
 shiro
 --
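Review bot: the reassignment at `-samba (Ola Lundqvist)` / `+samba (Mike Gabriel)` leaves two conflicting plans in the same entry: the 20200830 note says the entry will be removed and all current CVEs marked postponed, while the new 20200903 note says the more severe issues will be fixed. The 20200830 question of where the patches for CVE-2020-14303, CVE-2020-10760, CVE-2020-10745 and CVE-2020-10740 are (the 20200801 notes say roberto has them ready) is also still unanswered. Suggest the new note state explicitly that it supersedes the 20200830 plan and record where those patches live, so the claimant does not rebuild them.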



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f332654ee928678ed666de2316998a0bcce57f3b...5f4994db4e0aab92666095e2b0393be5f5bbcdde


