[Git][security-tracker-team/security-tracker][master] Review status for caddy issues

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Dec 20 07:13:26 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
64fcbd56 by Salvatore Bonaccorso at 2022-12-20T08:06:24+01:00
Review status for caddy issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -53451,7 +53451,9 @@ CVE-2022-29720 (74cmsSE v3.5.1 was discovered to contain an arbitrary file read
 CVE-2022-29719
 	RESERVED
 CVE-2022-29718 (Caddy v2.4 was discovered to contain an open redirect vulnerability. A ...)
-	- caddy <unfixed>
+	- caddy <not-affected> (Fixed before initial upload to Debian to unstable; did affect experimental upload)
+	NOTE: https://github.com/caddyserver/caddy/pull/4499
+	NOTE: https://github.com/caddyserver/caddy/commit/3fe2c73dd04f7769a9d9673236cb94b79ac45659 (v2.5.0-beta.1)
 CVE-2022-29717
 	RESERVED
 CVE-2022-29716
@@ -193252,7 +193254,7 @@ CVE-2019-20838 (libpcre in PCRE before 8.43 allows a subject buffer over-read in
 	NOTE: Fixed by: https://vcs.pcre.org/pcre?view=revision&revision=1740 (8.43)
 	NOTE: Only an issue when UTF support disabled
 CVE-2018-21246 (Caddy before 0.10.13 mishandles TLS client authentication, as demonstr ...)
-	- caddy <unfixed>
+	- caddy <not-affected> (Fixed before initial upload to Debian)
 CVE-2018-21245 (Pound before 2.8 allows HTTP request smuggling, a related issue to CVE ...)
 	- pound 2.8-2
 	[stretch] - pound 2.7-1.3+deb9u1
@@ -289499,7 +289501,7 @@ CVE-2018-19149 (Poppler before 0.70.0 has a NULL pointer dereference in _poppler
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649457#c3
 	NOTE: https://github.com/freedesktop/poppler/commit/f162ecdea0dda5dbbdb45503c1d55d9afaa41d44 (poppler-0.70.0)
 CVE-2018-19148 (Caddy through 0.11.0 sends incorrect certificates for certain invalid  ...)
-	- caddy <unfixed>
+	- caddy <not-affected> (Fixed before initial upload to Debian)
 CVE-2018-19147
 	RESERVED
 CVE-2018-19146 (Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64fcbd569dc6f18db3ec51cf24846868cdc59fdd

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64fcbd569dc6f18db3ec51cf24846868cdc59fdd
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221220/7ebcf3f5/attachment.htm>


More information about the debian-security-tracker-commits mailing list