[Git][security-tracker-team/security-tracker][master] 2 commits: dla: claim spotweb

Sylvain Beucler beuc at debian.org
Thu Jan 21 17:16:03 GMT 2021 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
93603045 by Sylvain Beucler at 2021-01-21T18:15:12+01:00
dla: claim spotweb

- - - - -
e63a1a48 by Sylvain Beucler at 2021-01-21T18:15:40+01:00
CVE-2020-35545/spotweb: regression patch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -13050,6 +13050,7 @@ CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query s
 	[buster] - spotweb <no-dsa> (Minor issue)
 	NOTE: https://github.com/spotweb/spotweb/issues/629
 	NOTE: https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2
+	NOTE: https://github.com/spotweb/spotweb/commit/25c1f89f0202af5d5d224b906ff9d9313f017aa6
 CVE-2020-35544
 	RESERVED
 CVE-2020-35543


=====================================
data/dla-needed.txt
=====================================
@@ -127,7 +127,7 @@ slirp (pu-Thorsten Alteholz)
   NOTE: update has to done in sid->buster->stretch
   NOTE: 20200417: still waiting for pu, probably 30.01.2021
 --
-spotweb
+spotweb (Sylvain Beucler)
   NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query.
   NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands.
   NOTE: 20201220: Yes, this is a dumpster fire.  Claim this package at your own peril. (roberto)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ddd4dc687cc05c7658b10e169157d33861bf940...e63a1a4810d80b08edcd2fda267ce3e3e671892f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ddd4dc687cc05c7658b10e169157d33861bf940...e63a1a4810d80b08edcd2fda267ce3e3e671892f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210121/9d958ada/attachment.html>

More information about the debian-security-tracker-commits mailing list