[Git][security-tracker-team/security-tracker][master] 2 commits: Marked CVE-2020-35546 as no-dsa for stretch following decision for buster....

Fri May 28 22:32:35 BST 2021


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7a3b8f0d by Ola Lundqvist at 2021-05-28T23:32:22+02:00
Marked CVE-2020-35546 as no-dsa for stretch following decision for buster. Removed from dla-needed accordingly.

- - - - -
56b99482 by Ola Lundqvist at 2021-05-28T23:32:22+02:00
Investigated squid3 to check whether stretch is affected and it looks so even though source code has moved from one file to another.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -33649,6 +33649,7 @@ CVE-2020-35546
 CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query string. ...)
 	- spotweb <removed> (bug #977719)
 	[buster] - spotweb <no-dsa> (Minor issue)
+	[stretch] - spotweb <no-dsa> (Minor issue)
 	NOTE: https://github.com/spotweb/spotweb/issues/629
 	NOTE: https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2
 	NOTE: https://github.com/spotweb/spotweb/commit/25c1f89f0202af5d5d224b906ff9d9313f017aa6


=====================================
data/dla-needed.txt
=====================================
@@ -123,14 +123,10 @@ shiro (Roberto C. Sánchez)
 --
 slapi-nis (Thorsten Alteholz)
 --
-spotweb
-  NOTE: 20201220: The affected code uses string concatenation to construct a SQL query.
-  NOTE: 20201220: Upstream's "fix" is to blacklist all the "bad" SQL commands. (roberto)
-  NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
-  NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
---
 squid3
   NOTE: 20210523:  not sure whether all CVEs realy affect Stretch
+  NOTE: 20210528: Looks like all CVEs affect stretch. (Ola)
+  NOTE: 20210528: For some buildRangeHeader has just moved from one file to another. (Ola)
 --
 thunderbird (Emilio)
   NOTE: wait for 78.11.0 (Emilio)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9cca46655c07624d7d041e24ea37e2d18f6262c6...56b9948235cf9efd6b853b16c9810dfd0c56cb31

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9cca46655c07624d7d041e24ea37e2d18f6262c6...56b9948235cf9efd6b853b16c9810dfd0c56cb31
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210528/c9f21ad8/attachment.htm>
