[Git][security-tracker-team/security-tracker][master] 2 commits: dla: spotweb: postponed

Sylvain Beucler beuc at debian.org
Wed Jan 27 13:42:08 GMT 2021



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
25a28f8a by Sylvain Beucler at 2021-01-27T14:21:37+01:00
dla: spotweb: postponed

- - - - -
6ac18e78 by Sylvain Beucler at 2021-01-27T14:22:22+01:00
dla: claim qemu
~20 CVEs piled-up since last upload

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -94,6 +94,8 @@ openldap (Utkarsh)
 --
 python-pysaml2
 --
+qemu (Sylvain Beucler)
+--
 ruby-actionpack-page-caching (Brian May)
   NOTE: 20200819: Upstream's patch on does not apply due to subsequent
   NOTE: 20200819: refactoring. However, a quick look at the private
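Review bot: the new `qemu (Sylvain Beucler)` entry records the claim but not its scope; the commit message says ~20 CVEs have piled up since the last upload, and that context lives only in the git log, not in dla-needed.txt. Consider a dated NOTE line in the file's own convention, e.g. `  NOTE: 20210127: ~20 CVEs piled up since last upload (Beuc)`, so the next reader of the entry sees the expected size of the update without consulting history.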
@@ -133,10 +135,11 @@ slirp (pu-Thorsten Alteholz)
   NOTE: update has to done in sid->buster->stretch
   NOTE: 20210124: pu will be done 06.02.2021
 --
-spotweb (Sylvain Beucler)
-  NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query.
+spotweb
+  NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
   NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
-  NOTE: 20210122: Upstream fix trivially bypassed, reported at https://github.com/spotweb/spotweb/issues/653
+  NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
+  NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
 --
 thunderbird (Emilio)
 --
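Review bot: the rewritten 20210122 line replaces the public reference https://github.com/spotweb/spotweb/issues/653 with the CVE id, so the pointer to the upstream discussion is lost; both are useful (the issue carries the discussion, the CVE the tracking id), so keep both, e.g. `  NOTE: 20210122: Upstream fix trivially bypassed, reported at https://github.com/spotweb/spotweb/issues/653 (CVE-2021-3286)`. Also, dropping the claimant makes the entry look unclaimed, while the "postponed" status from the commit message is only implied by the 20210127 note; saying it explicitly there ("postponed, revisit later") would stop someone re-claiming it before upstream has moved.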



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f00960326b0b49e2672d0a7c63f0535596025ed3...6ac18e78c5f7df526f2e8e70a2aa05cf196281de


