[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-36069

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Nov 18 20:11:58 GMT 2022 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0fa9fc25 by Salvatore Bonaccorso at 2022-11-18T21:11:19+01:00
Update information for CVE-2022-36069

The issue is actually in poetry-core: From poetry 1.1.9 release notes
there is the according reference:

Fixed an issue where unsafe parameters could be passed to git commands.
(python-poetry/poetry-core#203)

https://github.com/python-poetry/poetry-core/pull/203 is in poetry core
and fixed for the 1.0 branch in the 1.0.5 upstream version. First
included in poetry-core/1.0.7-1 upload to unstable.

Update tracking to associate it to poetry-core.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -27732,8 +27732,12 @@ CVE-2022-36070 (Poetry is a dependency manager for Python. To handle dependencie
 	- poetry <not-affected> (Windows-specific)
 	NOTE: https://github.com/python-poetry/poetry/security/advisories/GHSA-j4j9-7hg9-97g6
 CVE-2022-36069 (Poetry is a dependency manager for Python. When handling dependencies  ...)
-	- poetry <not-affected> (Fixed before initial upload to the archive)
+	- poetry-core 1.0.7-1
 	NOTE: https://github.com/python-poetry/poetry/security/advisories/GHSA-9xgj-fcgf-x6mw
+	NOTE: https://github.com/python-poetry/poetry-core/pull/202
+	NOTE: Backport to 1.0 branch: https://github.com/python-poetry/poetry-core/pull/203
+	NOTE: https://github.com/python-poetry/poetry-core/commit/cc84be60ac9af549664051c2684621db51d05ff1 (1.1.0a7)
+	NOTE: https://github.com/python-poetry/poetry-core/commit/13a13ac7f8f2b596c68830da6fa8c059af59e1ac (1.0.5)
 CVE-2022-36068 (Discourse is an open source discussion platform. In versions prior to  ...)
 	NOT-FOR-US: Discourse
 CVE-2022-36067 (vm2 is a sandbox that can run untrusted code with whitelisted Node's b ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fa9fc25da4abafaef5487097017dc28a6d8be98

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fa9fc25da4abafaef5487097017dc28a6d8be98
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221118/00c24aa8/attachment.htm>

More information about the debian-security-tracker-commits mailing list