[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-40818/glewlwyd in buster

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
450244aa by Salvatore Bonaccorso at 2021-11-24T07:00:56+01:00
Update status for CVE-2021-40818/glewlwyd in buster

The FIDO2 signature validation code has been added only later making
this CVE not affected for the buster version based on 1.4.9.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11525,7 +11525,7 @@ CVE-2021-XXXX [jws alg:none signature verification issue]
 CVE-2021-40818 (scheme/webauthn.c in Glewlwyd SSO server through 2.5.3 has a buffer ov ...)
 	- glewlwyd 2.5.2-3 (bug #993867)
 	[bullseye] - glewlwyd 2.5.2-2+deb11u1
-	[buster] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release)
+	[buster] - glewlwyd <not-affected> (Vulnerable code for FIDO2 signature validation introduced later)
 	NOTE: https://github.com/babelouest/glewlwyd/commit/0efd112bb62f566877750ad62ee828bff579b4e2
 CVE-2021-40683 (In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4 ...)
 	NOT-FOR-US: Akamai EAA (Enterprise Application Access) Client



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/450244aa9bee94573141b25dbf000dd79401b938

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/450244aa9bee94573141b25dbf000dd79401b938
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211124/8c5860ac/attachment-0001.htm>