[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-42916 and CVE-2022-43551 as ignored

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Dec 28 06:08:09 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cd554c7b by Salvatore Bonaccorso at 2022-12-28T07:02:24+01:00
Mark CVE-2022-42916 and CVE-2022-43551 as ignored

Rationale: If HSTS support had been disabled in all suites, we
could use unimportant severity. As we track issues at source level and
HSTS support has been enabled by default since 7.77, mark the issues as
ignored (as the issue is present). Not-affected would imply that the
issue is not present at source level.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -16784,8 +16784,8 @@ CVE-2022-43552 [HTTP Proxy deny use-after-free]
 	NOTE: Fixed by: https://github.com/curl/curl/commit/4f20188ac644afe174be6005ef4f6ffba232b8b2 (curl-7_87_0)
 CVE-2022-43551 (A vulnerability exists in curl <7.87.0 HSTS check that could be byp ...)
 	- curl 7.86.0-3 (bug #1026829)
-	[bullseye] - curl <not-affected> (curl is not built with HSTS support)
-	[buster] - curl <not-affected> (curl is not built with HSTS support)
+	[bullseye] - curl <ignored> (curl is not built with HSTS support)
+	[buster] - curl <ignored> (curl is not built with HSTS support)
 	NOTE: https://curl.se/docs/CVE-2022-43551.html
 	NOTE: Introduced by: https://github.com/curl/curl/commit/7385610d0c74c6a254fea5e4cd6e1d559d848c8c (curl-7_74_0)
 	NOTE: Enabled by default since: https://github.com/curl/curl/commit/d71ff2b9db566b3f4b2eb29441c2df86715d4339 (curl-7_77_0)
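
Review bot: On the two changed [bullseye] and [buster] lines the parenthetical still reads "curl is not built with HSTS support", which was the justification for <not-affected> and does not explain an <ignored> state. The commit message says the issue is present at source level and only the build lacks HSTS, so the note should say so, for example "(HSTS support not enabled in the build; issue present at source level)", so that the entry can be read without the commit log.
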
@@ -18668,8 +18668,8 @@ CVE-2022-42917
 	RESERVED
 CVE-2022-42916 (In curl before 7.86.0, the HSTS check could be bypassed to trick it in ...)
 	- curl 7.86.0-1
-	[bullseye] - curl <not-affected> (curl is not built with HSTS support)
-	[buster] - curl <not-affected> (curl is not built with HSTS support)
+	[bullseye] - curl <ignored> (curl is not built with HSTS support)
+	[buster] - curl <ignored> (curl is not built with HSTS support)
 	NOTE: https://curl.se/docs/CVE-2022-42916.html
 	NOTE: Introduced with: https://github.com/curl/curl/commit/7385610d0c74c6a254fea5e4cd6e1d559d848c8c (curl-7_74_0)
 	NOTE: Enabled by default since: https://github.com/curl/curl/commit/d71ff2b9db566b3f4b2eb29441c2df86715d4339 (curl-7_77_0)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd554c7b453a82352297b48f8acc5c3a617e87d2
