[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2020-26247 in ruby-nokogiri for stretch LTS.

Chris Lamb lamby at debian.org
Mon Jan 4 09:38:54 GMT 2021



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
84c94691 by Chris Lamb at 2021-01-04T09:34:09+00:00
Triage CVE-2020-26247 in ruby-nokogiri for stretch LTS.

- - - - -
439be4c3 by Chris Lamb at 2021-01-04T09:37:07+00:00
data/dla-needed.txt: Triage wavpack for stretch LTS (CVE-2020-35738).

- - - - -
754ab062 by Chris Lamb at 2021-01-04T09:38:26+00:00
dla-needed.txt: Add triage note for wavpack.

- - - - -
5164e0d2 by Chris Lamb at 2021-01-04T09:38:41+00:00
data/dla-needed.txt: Triage csync2 for stretch LTS (CVE-2019-15523).

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -17832,6 +17832,7 @@ CVE-2020-26248 (In the PrestaShop module "productcomments" before version 4.2.1,
 CVE-2020-26247 (Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers wit ...)
 	- ruby-nokogiri <unfixed> (low; bug #978967)
 	[buster] - ruby-nokogiri <no-dsa> (Minor issue)
+	[stretch] - ruby-nokogiri <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
 	NOTE: https://github.com/sparklemotion/nokogiri/commit/9c87439d9afa14a365ff13e73adc809cb2c3d97b (v1.11.0.rc4)
 CVE-2020-26246 (Pimcore is an open source digital experience platform. In Pimcore befo ...)
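Review bot: the new `[stretch] - ruby-nokogiri <not-affected> (Vulnerable code not present)` line states the conclusion but nothing in the entry lets a later reader re-check it: the two NOTE lines only point at the advisory and the fix commit (v1.11.0.rc4), not at the version that introduced the vulnerable code. Consider extending the reason or adding a NOTE that names that introducing version or commit, so the stretch verdict can be re-verified without redoing the triage.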


=====================================
data/dla-needed.txt
=====================================
@@ -41,6 +41,8 @@ condor
   NOTE: 20200712: Requested input on path forward from debian-lts at l.d.o (roberto)
   NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
 --
+csync2
+--
 f2fs-tools
   NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to
   NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
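Review bot: the added `csync2` entry carries no NOTE line, so the CVE it was triaged for (CVE-2019-15523 per the commit message) is not recorded in dla-needed.txt itself, unlike the surrounding entries which each note the CVE or the reason for the entry with a date and initials. Suggest adding a line such as `  NOTE: 20210104: CVE-2019-15523 (lamby)` between `+csync2` and `+--` so the file is self-explanatory.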
@@ -166,6 +168,11 @@ spotweb
 --
 tzdata (Emilio)
 --
+wavpack
+  NOTE: 20210104: Upstream patch does not cleanly apply, possibly because
+  NOTE: 20210104: it is missing previously-added overflow checks on the
+  NOTE: 20210104: value of config->num_channels which may need to be added. (lamby)
+--
 wireshark
   NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
   NOTE: 20201007: those fixes as well! \o/ (utkarsh)
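Review bot: the wavpack NOTE describes the patch problem well but never names the CVE (CVE-2020-35738 per the commit message), so anyone picking this up from dla-needed.txt has to go back to the commit log to find which upstream patch is meant. Suggest prefixing the first NOTE with the CVE id, e.g. `NOTE: 20210104: CVE-2020-35738: Upstream patch does not cleanly apply, ...`, and ideally linking the upstream commit that was tried, since the note's guess about missing `config->num_channels` overflow checks is otherwise hard to confirm.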



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5130e2cccc77cf25a6edd209127be8b6d2b1ecab...5164e0d267bdc0fb12d53568ee1c55928100e7ad


