[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2018-1000211/ruby-doorkeeper: stretch ignored

Sylvain Beucler (@beuc) beuc at debian.org
Thu Jun 17 21:15:40 BST 2021 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3c44f06a by Sylvain Beucler at 2021-06-17T22:15:19+02:00
CVE-2018-1000211/ruby-doorkeeper: stretch ignored

- - - - -
7e0d8190 by Sylvain Beucler at 2021-06-17T22:15:20+02:00
CVE-2018-1000088/ruby-doorkeeper: stretch ignored

- - - - -
db061756 by Sylvain Beucler at 2021-06-17T22:15:20+02:00
dla: drop ruby-doorkeeper
only 2018 minor issues that require changes in reverse dependencies, which in fact we don't have

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -188122,10 +188122,11 @@ CVE-2018-14037 (Cross-site scripting (XSS) vulnerability in Progress Kendo UI Ed
 	NOT-FOR-US: Progress Kendo UI Editor
 CVE-2018-1000211 (Doorkeeper version 4.2.0 and later contains a Incorrect Access Control ...)
 	- ruby-doorkeeper 4.4.2-1 (bug #903980)
-	[stretch] - ruby-doorkeeper <no-dsa> (Minor issue)
+	[stretch] - ruby-doorkeeper <ignored> (Minor issue, invasive, no reverse dependencies, require changes in calling code)
 	NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/891
 	NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1119
-	NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1031
+	NOTE: https://github.com/doorkeeper-gem/doorkeeper/commit/16e76e666b63e0e5e2704dd45b59e426190ddc78 (v4.4.0)
+	NOTE: Requires changes in the reverse dependencies
 CVE-2018-1000210 (YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object ...)
 	NOT-FOR-US: YamlDotNet
 CVE-2018-1000209 (Sensu, Inc. Sensu Core version Before version 1.4.2-3 contains a Insec ...)
@@ -206418,9 +206419,11 @@ CVE-2018-1000089 (Anymail django-anymail version version 0.2 through 1.3 contain
 	NOTE: https://github.com/anymail/django-anymail/commit/1a6086f2b58478d71f89bf27eb034ed81aefe5ef
 CVE-2018-1000088 (Doorkeeper version 2.1.0 through 4.2.5 contains a Cross Site Scripting ...)
 	- ruby-doorkeeper 4.3.1-1 (bug #891069)
-	[stretch] - ruby-doorkeeper <no-dsa> (Minor issue)
+	[stretch] - ruby-doorkeeper <ignored> (Minor issue, no reverse dependencies, requires changes in calling code)
 	NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/969
-	NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/970
+	NOTE: https://github.com/doorkeeper-gem/doorkeeper/commit/7b1a8373ecd69768c896000c7971dbf48948c1b5 (v4.2.6)
+	NOTE: https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/
+	NOTE: Most reverse dependencies need to manual update their templates
 CVE-2018-1000087 (WolfCMS version version 0.8.3.1 contains a Reflected Cross Site Script ...)
 	NOT-FOR-US: WolfCMS
 CVE-2018-1000086 (NPR Visuals Team Pym.js version versions 0.4.2 up to 1.3.1 contains a  ...)


=====================================
data/dla-needed.txt
=====================================
@@ -87,8 +87,6 @@ ruby-actionpack-page-caching (Markus Koschany)
   NOTE: 20200819: uses the path without normalising any "../" etc., simply
   NOTE: 20200819: URI.parser.unescap-ing it. Requires more investigation. (lamby)
 --
-ruby-doorkeeper (Sylvain Beucler)
---
 ruby-kaminari (Markus Koschany)
   NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
   NOTE: 20200819: the one upstream or in its many forks. For example, both dthe



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/091647824525db75ebde1cad6060b3827fbeaf86...db061756f1759c6b539c8655cb553bedd7206a65

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/091647824525db75ebde1cad6060b3827fbeaf86...db061756f1759c6b539c8655cb553bedd7206a65
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210617/55ca21bb/attachment.htm>

More information about the debian-security-tracker-commits mailing list