[Git][security-tracker-team/security-tracker][master] Adjust not-affected reason for CVE-2022-30780

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Jun 20 19:33:46 BST 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b89d6aea by Salvatore Bonaccorso at 2022-06-20T20:31:38+02:00
Adjust not-affected reason for CVE-2022-30780

lighttpd 1.4.53 not vulnerable does not explain here why the source is
not affected. While "Vulnerable code introduced later" is as well not
yet too specific, looking at the source the problematic code was
seemingly introduced when adding connection_read_header_more() which is
not yet present in the buster and stretch version. Pinpointing the
exact introducing commit would be even better though.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8695,8 +8695,8 @@ CVE-2022-30781 (Gitea before 1.16.7 does not escape git fetch remote. ...)
 	- gitea <removed>
 CVE-2022-30780 (Lighttpd 1.4.56 through 1.4.58 allows a remote attacker to cause a den ...)
 	- lighttpd 1.4.59-1
-	[buster] - lighttpd <not-affected> (lighttpd 1.4.53 not vulnerable)
-	[stretch] - lighttpd <not-affected> (lighttpd 1.4.45 not vulnerable)
+	[buster] - lighttpd <not-affected> (Vulnerable code introduced later)
+	[stretch] - lighttpd <not-affected> (Vulnerable code introduced later)
 	NOTE: https://podalirius.net/en/cves/2022-30780/
 	NOTE: https://github.com/p0dalirius/CVE-2022-30780-lighttpd-denial-of-service
 	NOTE: https://redmine.lighttpd.net/issues/3059
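
Review bot: The two added [buster] and [stretch] lines give only the generic reason "Vulnerable code introduced later", while the removed lines carried the suite versions (1.4.53 and 1.4.45) that a reader could compare with the 1.4.56 through 1.4.58 range in the CVE description. The commit message names connection_read_header_more() as the point where the problematic code seems to have come in; consider recording that in the parenthetical or in an extra NOTE line of this entry, so the reasoning lives in data/CVE/list rather than only in the commit log, and add the introducing commit once it has been identified.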



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b89d6aea3ae3c69f66982701ef94322aa7a6aed4
