[Git][security-tracker-team/security-tracker][master] CVE-2018-1311/xerces-c: harmonize triaging with buster

Sylvain Beucler (@beuc) beuc at debian.org
Mon May 23 10:03:34 BST 2022 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6e3c133e by Sylvain Beucler at 2022-05-23T11:03:03+02:00
CVE-2018-1311/xerces-c: harmonize triaging with buster

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -288636,11 +288636,10 @@ CVE-2018-1312 (In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest a
 CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-fre ...)
 	{DSA-4814-1}
 	- xerces-c 3.2.3+debian-2 (bug #947431)
-	[stretch] - xerces-c <postponed> (Minor issue, revisit when fixed upstream, fixed with memory leak in DLA 2498-1)
 	[jessie] - xerces-c <postponed> (slow upstream interest, proper fix likely to break ABI compatibility)
 	NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt
 	NOTE: https://issues.apache.org/jira/browse/XERCESC-2188
-	NOTE: http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak)
+	NOTE: http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak, applied in DLA-2498-1 and DSA-4814-1)
 	NOTE: Mitigation by setting the XERCES_DISABLE_DTD environment variable
 CVE-2018-1310 (Apache NiFi JMS Deserialization issue because of ActiveMQ client vulne ...)
 	NOT-FOR-US: Apache NiFi


=====================================
data/DLA/list
=====================================
@@ -1590,6 +1590,7 @@
 	{CVE-2020-29668}
 	[stretch] - sympa 6.2.16~dfsg-3+deb9u5
 [17 Dec 2020] DLA-2498-1 xerces-c - security update
+	{CVE-2018-1311}
 	[stretch] - xerces-c 3.1.4+debian-2+deb9u2
 [17 Dec 2020] DLA-2497-1 thunderbird - security update
 	{CVE-2020-16042 CVE-2020-26971 CVE-2020-26973 CVE-2020-26974 CVE-2020-26978 CVE-2020-35111 CVE-2020-35113}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e3c133e06bce7137843010446b2f778fdce8b8e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e3c133e06bce7137843010446b2f778fdce8b8e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220523/e5ed6441/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list