[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2020-12695/libupnp as no-dsa; invasive changes

Utkarsh Gupta utkarsh at debian.org
Sun Mar 7 20:45:41 GMT 2021



Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker


Commits:
02f66a6e by Utkarsh Gupta at 2021-03-08T02:14:02+05:30
Mark CVE-2020-12695/libupnp as no-dsa; invasive changes

- - - - -
01f9665c by Utkarsh Gupta at 2021-03-08T02:14:31+05:30
Take libupnp

- - - - -
711debd3 by Utkarsh Gupta at 2021-03-08T02:15:20+05:30
Remove no-dsa tag which'll get an update

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -61439,7 +61439,6 @@ CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote
 	- pupnp-1.8 <unfixed> (bug #962282)
 	[buster] - pupnp-1.8 <no-dsa> (Minor issue)
 	- libupnp <removed>
-	[stretch] - libupnp <no-dsa> (Minor issue)
 	NOTE: https://github.com/pupnp/pupnp/issues/177
 	NOTE: https://github.com/pupnp/pupnp/commit/c805c1de1141cb22f74c0d94dd5664bda37398e0
 CVE-2020-13847 (Sylabs Singularity 3.0 through 3.5 lacks support for an Integrity Chec ...)
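Review bot: the removed `[stretch] - libupnp <no-dsa> (Minor issue)` line under CVE-2020-13848 leaves stretch without any annotation for this CVE in the visible entry, and the commit subject "Remove no-dsa tag which'll get an update" names neither the CVE nor the package. Suggest a subject in the same form as the first commit in this push (CVE id and source package, then the action) so the change can be found by searching the history for the CVE id.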
@@ -64421,6 +64420,7 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-
 	- pupnp-1.8 <unfixed> (bug #983206)
 	[buster] - pupnp-1.8 <no-dsa> (Minor issue)
 	- libupnp <removed>
+	[stretch] - libupnp <no-dsa> (Invasive change, hard to backport; chances of regression)
 	NOTE: https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
 	NOTE: https://w1.fi/security/2020-1/0001-WPS-UPnP-Do-not-allow-event-subscriptions-with-URLs-.patch
 	NOTE: https://w1.fi/security/2020-1/0002-WPS-UPnP-Fix-event-message-generation-using-a-long-U.patch
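Review bot: the added stretch line for CVE-2020-12695 justifies no-dsa with "Invasive change, hard to backport; chances of regression", but the NOTE lines visible in this hunk point only at the w1.fi WPS UPnP advisory and patches, not at any libupnp change. Suggest adding a NOTE that references the upstream libupnp fix that was judged too invasive for stretch, so the decision can be re-checked later. The reason text could also be trimmed to "Invasive change, hard to backport", since the regression risk follows from that.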


=====================================
data/dla-needed.txt
=====================================
@@ -58,7 +58,7 @@ gsoap
 libebml (Thorsten Alteholz)
   NOTE: 20210221: testing package
 --
-libupnp
+libupnp (Utkarsh)
   NOTE: 20210302: since utkarsh working on wpa, might want to handle this as well ? (abhijith)
 --
 linux (Ben Hutchings)
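Review bot: the claim `libupnp (Utkarsh)` leaves the NOTE below it ("since utkarsh working on wpa, might want to handle this as well ?") in place, although the question it asks is answered by the claim itself. Suggest replacing it with a dated NOTE stating the scope of the planned update, given that this same push marks CVE-2020-12695 as no-dsa for stretch and drops the no-dsa tag for CVE-2020-13848. The neighbouring entries use full names ("Thorsten Alteholz", "Ben Hutchings"), so "Utkarsh Gupta" would be consistent with them.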



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a055a404512e4d2636a4736f870d7325fb6842ba...711debd34a310e9f04bdc3fb324a589da3959e6e
