[Git][security-tracker-team/security-tracker][master] 2 commits: dla: drop reel (support-ended, cf. debian-lts@)
Sylvain Beucler
beuc at debian.org
Fri Jan 22 14:24:29 GMT 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7874896e by Sylvain Beucler at 2021-01-22T15:23:46+01:00
dla: drop reel (support-ended, cf. debian-lts@)
- - - - -
7ee0c2f0 by Sylvain Beucler at 2021-01-22T15:23:46+01:00
dla: update spotweb status
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
=====================================
data/dla-needed.txt
=====================================
@@ -84,10 +84,6 @@ openjpeg2 (Thorsten Alteholz)
NOTE: 20201220: more CVEs appeared
NOTE: 20210117: testing package
--
-reel
- NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh)
- NOTE: 20201226: Should be declared unsupported since we just have 5 users in total according to popcon (ola)
---
ruby-actionpack-page-caching (Brian May)
NOTE: 20200819: Upstream's patch on does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
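Review bot: The two deleted NOTE lines under `reel` held the only rationale in this file for ending support (unmaintained upstream, last commit in Aug 2018, 5 users according to popcon), and the commit message points to "debian-lts@" without naming a specific message. It would help to cite the list thread, or wherever the end of support is recorded, in the commit message, so the decision stays traceable once the entry is gone from data/dla-needed.txt.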
@@ -129,8 +125,8 @@ slirp (pu-Thorsten Alteholz)
--
spotweb (Sylvain Beucler)
NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query.
- NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands.
- NOTE: 20201220: Yes, this is a dumpster fire. Claim this package at your own peril. (roberto)
+ NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
+ NOTE: 20210122: Upstream fix trivially bypassed, reported at https://github.com/spotweb/spotweb/issues/653
--
wireshark
NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
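Review bot: The added `NOTE: 20210122:` line in the spotweb entry has no trailing author tag, unlike the `(roberto)` tag that was moved onto the preceding 20201220 line and the `(utkarsh)` and `(ola)` tags elsewhere in this file. Please append the tag so the bypass report is attributed. Since the note records that the upstream blacklist fix is bypassed, a short follow-up NOTE stating the intended next step for the package would also tell the next reader whether the entry is waiting on the linked upstream issue.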
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1155705e6d4b705f6dee9c2acc6f1ee029fedde3...7ee0c2f0f8367b95b9a926f9d35b92f66ed53f69