[Git][security-tracker-team/security-tracker][master] 2 commits: dla: spotweb: postponed
Sylvain Beucler
beuc at debian.org
Wed Jan 27 13:42:08 GMT 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
25a28f8a by Sylvain Beucler at 2021-01-27T14:21:37+01:00
dla: spotweb: postponed
- - - - -
6ac18e78 by Sylvain Beucler at 2021-01-27T14:22:22+01:00
dla: claim qemu
~20 CVEs piled up since last upload
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
=====================================
data/dla-needed.txt
=====================================
@@ -94,6 +94,8 @@ openldap (Utkarsh)
--
python-pysaml2
--
+qemu (Sylvain Beucler)
+--
ruby-actionpack-page-caching (Brian May)
NOTE: 20200819: Upstream's patch on does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
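Review bot: the new entry `+qemu (Sylvain Beucler)` claims the package without any NOTE line, although the commit message says about 20 CVEs have piled up since the last upload; the neighbouring entries in this hunk carry dated NOTE lines, so consider recording the scope in the file as well, e.g. `NOTE: 20210127: ~20 CVEs piled up since last upload`, so that anyone reading data/dla-needed.txt sees why the package was claimed.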
@@ -133,10 +135,11 @@ slirp (pu-Thorsten Alteholz)
NOTE: update has to done in sid->buster->stretch
NOTE: 20210124: pu will be done 06.02.2021
--
-spotweb (Sylvain Beucler)
- NOTE: 20201220: The affected code (PHP!) uses string concatenation to construct a SQL query.
+spotweb
+ NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
- NOTE: 20210122: Upstream fix trivially bypassed, reported at https://github.com/spotweb/spotweb/issues/653
+ NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
+ NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
--
thunderbird (Emilio)
--
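Review bot: the rewritten 20210122 line replaces the upstream issue reference with the CVE id, `- NOTE: 20210122: Upstream fix trivially bypassed, reported at https://github.com/spotweb/spotweb/issues/653` becoming `+ NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286`; keep both references, since the issue URL is where the upstream reply quoted on the new 20210127 line ("we can fix this but it may take some time") can be followed up. The claim is also dropped (`-spotweb (Sylvain Beucler)` to `+spotweb`) while the 20210127 note is signed (Beuc); if the package is meant to stay unclaimed, a short NOTE saying it is postponed pending an upstream fix would make the status explicit in the file rather than only in the commit message.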
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f00960326b0b49e2672d0a7c63f0535596025ed3...6ac18e78c5f7df526f2e8e70a2aa05cf196281de