[Git][security-tracker-team/security-tracker][master] Marked CVE-2021-30130 as not-affected, with a note, for stretch and removed...

Ola Lundqvist (@opal) opal at debian.org
Wed May 26 12:48:41 BST 2021



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0d5db72c by Ola Lundqvist at 2021-05-26T13:47:48+02:00
Marked CVE-2021-30130 as not-affected, with a note, for stretch and removed *phpseclib from dla-needed file.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -8046,11 +8046,14 @@ CVE-2021-30131
 	RESERVED
 CVE-2021-30130 (phpseclib before 2.0.31 and 3.x before 3.0.7 mishandles RSA PKCS#1 v1. ...)
 	- phpseclib 1.0.19-3
+	[stretch] - phpseclib <not-affected> (Only affects 3.x branch)
 	- php-phpseclib 2.0.30-2
+	[stretch] - php-phpseclib <not-affected> (Only affects 3.x branch)
 	- php-phpseclib3 3.0.7-1
 	NOTE: https://github.com/phpseclib/phpseclib/pull/1635#issuecomment-826994890
 	NOTE: Introduced by: https://github.com/phpseclib/phpseclib/commit/cc32cd2e95b18a0c0118bbf1928327675c9e64a9 (v3.0 / RSA::SIGNATURE_RELAXED_PKCS1)
 	NOTE: According to upstream, 1.x and 2.x are not vulnerable, the fix on these branches only backports more exhaustive PKCS#1 v1.5 support (functional change)
+	NOTE: According to upstream, 1.x and 2.x have the problem described as "incompatibility issue in phpseclib v1, v2, v3 (strict mode)'s RSA PKCS#1 v1.5 signature verification suffering from rejecting valid signatures whose encoded message uses implicit hash algorithm's NULL parameter." but this is not considered as a security problem.
 CVE-2021-30129
 	RESERVED
 CVE-2021-30128 (Apache OFBiz has unsafe deserialization prior to 17.12.07 version ...)
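Review bot: the new NOTE line explaining why 1.x and 2.x are tagged not-affected for stretch is hard to parse as one sentence, and "not considered as a security problem" should read "not considered a security problem"; consider splitting it so the conclusion is explicit, e.g. `NOTE: 1.x and 2.x share a functional bug (strict mode rejects valid signatures whose encoded message uses the implicit NULL hash parameter)` followed by `NOTE: That is not a security issue; the CVE proper only affects the 3.x branch`. That keeps the stretch reason "(Only affects 3.x branch)" consistent with the text above it, which otherwise reads as if 1.x and 2.x "have the problem".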


=====================================
data/dla-needed.txt
=====================================
@@ -68,12 +68,6 @@ nvidia-graphics-drivers
   NOTE: package is in non-free but also in packages-to-support
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
 --
-php-phpseclib (Ola Lundqvist)
-  NOTE: 20210503: unclear if 2.x is affected, double check (pochu)
---
-phpseclib (Ola Lundqvist)
-  NOTE: 20210503: apparently 1.x is not affected, but double check (pochu)
---
 prosody (Anton Gladky)
   NOTE: 20210519: at least the 10MB limit mentioned in CVE-2021-32918 is present 
 --
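Review bot: both removed entries still carry open "double check (pochu)" notes from 20210503, and the outcome of that check is only recorded in data/CVE/list in the same commit; since dla-needed.txt tracks the source package rather than one CVE, confirm that no other open stretch issue references phpseclib or php-phpseclib before dropping them, or the packages silently leave the worklist.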



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d5db72c7954c09b4a86bcd42da5f2ea067fdef9

-- 

