[Git][security-tracker-team/security-tracker][master] one libonig issue was retracted

Fri Jan 29 19:29:37 GMT 2021


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
66b9ede2 by Moritz Muehlenhoff at 2021-01-29T20:29:05+01:00
one libonig issue was retracted

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -29314,11 +29314,11 @@ CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended
 	NOTE: https://github.com/dgrijalva/jwt-go/issues/422
 	NOTE: https://github.com/dgrijalva/jwt-go/pull/286
 CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expressi ...)
-	{DLA-2431-1}
-	- libonig <unfixed> (bug #972113)
-	[buster] - libonig <no-dsa> (Minor issue)
-	NOTE: https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
-	NOTE: https://github.com/kkos/oniguruma/issues/207
+	NOTE: This was a false positive, see #972113
+	NOTE: original report: https://github.com/kkos/oniguruma/issues/207
+	NOTE: original patch: https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
+	NOTE: followup report: https://github.com/kkos/oniguruma/issues/221
+	NOTE: revert: https://github.com/kkos/oniguruma/commit/3603d78f0a3dc80e4d450509120c26a5ffcd293b
 CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of Service (R ...)
 	- node-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)
 	- libjs-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)


=====================================
data/DLA/list
=====================================
@@ -318,7 +318,7 @@
 	{CVE-2018-8768 CVE-2018-19351 CVE-2018-21030}
 	[stretch] - jupyter-notebook 4.2.3-4+deb9u1
 [03 Nov 2020] DLA-2431-1 libonig - security update
-	{CVE-2019-13224 CVE-2019-16163 CVE-2019-19012 CVE-2019-19203 CVE-2019-19204 CVE-2019-19246 CVE-2020-26159}
+	{CVE-2019-13224 CVE-2019-16163 CVE-2019-19012 CVE-2019-19203 CVE-2019-19204 CVE-2019-19246}
 	[stretch] - libonig 6.1.3-2+deb9u1
 [03 Nov 2020] DLA-2430-1 blueman - security update
 	{CVE-2020-15238}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66b9ede2991df06ac53ae6bcbd5ddb1005cc695a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66b9ede2991df06ac53ae6bcbd5ddb1005cc695a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210129/878fb4a5/attachment.html>
