[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-7039 will be fixed in slirp/stretch with next upload

Thorsten Alteholz alteholz at debian.org
Tue Feb 9 20:54:16 GMT 2021 


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
234d972a by Thorsten Alteholz at 2021-02-09T21:53:16+01:00
CVE-2020-7039 will be fixed in slirp/stretch with next upload

- - - - -
e4aeba64 by Thorsten Alteholz at 2021-02-09T21:54:05+01:00
Reserve DLA-2551-1 for slirp

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -77363,7 +77363,6 @@ CVE-2020-7039 (tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, m
 	- qemu-kvm <removed>
 	- slirp 1:1.0.17-10 (bug #949085)
 	[buster] - slirp 1:1.0.17-8+deb10u1
-	[stretch] - slirp <no-dsa> (Minor issue; can be fixed via point release)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/2
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[09 Feb 2021] DLA-2551-1 slirp - security update
+	{CVE-2020-7039 CVE-2020-8608}
+	[stretch] - slirp 1:1.0.17-8+deb9u1
 [09 Feb 2021] DLA-2550-1 openjpeg2 - security update
 	{CVE-2020-27814 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27844 CVE-2020-27845}
 	[stretch] - openjpeg2 2.1.2-1.1+deb9u6


=====================================
data/dla-needed.txt
=====================================
@@ -89,13 +89,6 @@ shiro (Roberto C. Sánchez)
   NOTE: 20201004: Sent additional request to upstream dev list; stil no response. (roberto)
   NOTE: 20201220: Upstream has responded.  Working with them to backport fixes. (roberto)
 --
-slirp (Thorsten Alteholz)
-  NOTE: Upstream patch for CVE-2020-8608 requires patches for
-  NOTE: CVE-2020-7039 to be applied patched first, as they both patch
-  NOTE: the same lines of code in tcp_subr.c (bam).
-  NOTE: update has to done in sid->buster->stretch
-  NOTE: 20210124: pu will be done 06.02.2021
---
 spotweb
   NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
   NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9f70fae1d55bfff4ab9cadb5c8d3070b88809709...e4aeba64b608b7967dd1afb44b6f4dc4d9ae7afe

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9f70fae1d55bfff4ab9cadb5c8d3070b88809709...e4aeba64b608b7967dd1afb44b6f4dc4d9ae7afe
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210209/085a87ed/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list