[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2020-36659 and CVE-2020-36658.

Guilhem Moulin (@guilhem) guilhem at debian.org
Fri Jan 27 12:08:29 GMT 2023



Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1a340f93 by Guilhem Moulin at 2023-01-27T13:08:13+01:00
Triage CVE-2020-36659 and CVE-2020-36658.

- - - - -
01c0d4f7 by Guilhem Moulin at 2023-01-27T13:08:13+01:00
LTS: claim libapache-session-{browseable,ldap}-perl in dla-needed.txt

These are blocking the complete fix for lemonldap-ng's CVE-2020-16093,
see https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2250#note_57084 .

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -43,9 +43,13 @@ CVE-2023-0519 (Cross-site Scripting (XSS) - Stored in GitHub repository modoboa/
 CVE-2023-0518
 	RESERVED
 CVE-2020-36659 (In Apache::Session::Browseable before 1.3.6, validity of the X.509 cer ...)
-	TODO: check
+	- libapache-session-browseable-perl 1.3.7-1
+	NOTE: Fixed by: https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/fdf393235140b293cae5578ef136055a78f3574f
+	NOTE: Regression follow-up: https://github.com/LemonLDAPNG/Apache-Session-Browseable/commit/c73e05c1363cd59e437aa1ea5ea0d260d62d5ee6
 CVE-2020-36658 (In Apache::Session::LDAP before 0.5, validity of the X.509 certificate ...)
-	TODO: check
+	- libapache-session-ldap-perl 0.5-1
+	NOTE: https://github.com/LemonLDAPNG/Apache-Session-LDAP/commit/490722b71eed1ed1ab33d58c78578f23e043561f
+	NOTE: Fixed by: https://github.com/LemonLDAPNG/Apache-Session-LDAP/commit/490722b71eed1ed1ab33d58c78578f23e043561f
 CVE-2023-24576
 	RESERVED
 CVE-2023-24575
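Review bot: the CVE-2020-36658 entry lists the same commit URL twice, once as a bare "NOTE:" and once as "NOTE: Fixed by:". Drop the bare line so the entry keeps only the "Fixed by:" form, matching the CVE-2020-36659 entry above it. Separately, the CVE-2020-36659 description says the issue affects versions before 1.3.6 while the fixed version is recorded as 1.3.7-1; if the later version was chosen because of the regression follow-up commit, a short NOTE saying so would save the next triager from re-checking.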


=====================================
data/dla-needed.txt
=====================================
@@ -134,6 +134,14 @@ libgit2
   NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git
   NOTE: 20230126: Please fix also CVE-2020* (gladk).
 --
+libapache-session-browseable-perl (guilhem)
+  NOTE: 20230127: Programming language: Perl.
+  NOTE: 20230127: Blocking complete fix for lemonldap-ng's CVE-2020-16093.
+--
+libapache-session-ldap-perl (guilhem)
+  NOTE: 20230127: Programming language: Perl.
+  NOTE: 20230127: Blocking complete fix for lemonldap-ng's CVE-2020-16093.
+--
 libhtml-stripscripts-perl (Utkarsh)
   NOTE: 20230125: Programming language: Perl.
   NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git
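Review bot: both new entries name only the lemonldap-ng CVE they block, not the CVE each package is itself being claimed for (CVE-2020-36659 for libapache-session-browseable-perl and CVE-2020-36658 for libapache-session-ldap-perl, per the data/CVE/list change), and the upstream issue link appears only in the commit message. Consider adding a NOTE with the package's own CVE and the issue URL so the reason for the claim is readable from dla-needed.txt alone.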



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/65fd2192c79cc4aae2f6f99b1884b5f48bc90a0c...01c0d4f7256e3ec0b21a76d1a318130de2fc2054
