[Git][security-tracker-team/security-tracker][master] LTS: mark CVE-2021-28544/subversion as <not-affected> for stretch

Roberto C. Sánchez (@roberto) roberto at debian.org
Mon Jun 6 22:16:22 BST 2022 


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker


Commits:
503e2b2b by Roberto C. Sánchez at 2022-06-06T17:15:36-04:00
LTS: mark CVE-2021-28544/subversion as <not-affected> for stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -81144,6 +81144,7 @@ CVE-2021-28545 (Acrobat Reader DC versions versions 2020.013.20074 (and earlier)
 CVE-2021-28544 (Apache Subversion SVN authz protected copyfrom paths regression Subver ...)
 	{DSA-5119-1}
 	- subversion 1.14.2-1
+	[stretch] - subversion <not-affected> (New upstream regression/unit test passes, so no leak in this version)
 	NOTE: https://subversion.apache.org/security/CVE-2021-28544-advisory.txt
 CVE-2021-28543 (Varnish varnish-modules before 0.17.1 allows remote attackers to cause ...)
 	- varnish-modules <not-affected> (Vulnerable code ot present; bug #985947)


=====================================
data/dla-needed.txt
=====================================
@@ -304,16 +304,6 @@ sox
 spip
   NOTE: 20220529: Programming language: PHP.
 --
-subversion (Roberto C. Sánchez)
-  NOTE: 20220529: Programming language: C.
-  NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment)
-  NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby)
-  NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico)
-  NOTE: 20220525: Based on the results of Enrico's analysis and some further work, I was able to have the test execute reliably (roberto)
-  NOTE: 20220525: The test passes, which seems to indicate that the vulnerability does not affect 1.9.5 (roberto)
-  NOTE: 20220525: I have asked Enrico to replicate my findings (roberto)
-  NOTE: 20220606: I replicated and confirm Roberto's findings (enrico)
---
 systemd
   NOTE: 20220529: Programming language: C.
   NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503e2b2b36a85c5635ce28123eb492c6f5fcfdaa

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503e2b2b36a85c5635ce28123eb492c6f5fcfdaa
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220606/00d5fec3/attachment.htm>

More information about the debian-security-tracker-commits mailing list