[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for ruby-rails-html-sanitizer
Utkarsh Gupta (@utkarsh)
utkarsh at debian.org
Sun Mar 12 20:39:18 GMT 2023
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits:
998b1e5e by Utkarsh Gupta at 2023-03-13T02:08:00+05:30
Add note for ruby-rails-html-sanitizer
- - - - -
4dacbb52 by Utkarsh Gupta at 2023-03-13T02:08:55+05:30
Reserve DLA-3359-1 for libapache2-mod-auth-mellon
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -127080,7 +127080,6 @@ CVE-2021-3640 (A flaw use-after-free in function sco_sock_sendmsg() of the Linux
CVE-2021-3639 (A flaw was found in mod_auth_mellon where it does not sanitize logout ...)
- libapache2-mod-auth-mellon 0.18.0-1 (bug #991730)
[bullseye] - libapache2-mod-auth-mellon 0.17.0-1+deb11u1
- [buster] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
[stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
NOTE: https://github.com/latchset/mod_auth_mellon/commit/42a11261b9dad2e48d70bdff7c53dd57a12db6f5
CVE-2021-36350 (Dell PowerScale OneFS, versions 8.2.2-9.3.0.x, contain an authenticati ...)
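Review bot: The removed `[buster] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)` line for CVE-2021-3639 is only correct if the tracker can now resolve buster to a fixed version, and that comes from the new DLA-3359-1 record in data/DLA/list in this same push (0.14.2-1+deb10u1), not from anything in this file; the `[stretch]` no-dsa line is left in place, which is consistent with the DLA covering buster only.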
@@ -270799,7 +270798,6 @@ CVE-2019-13039
RESERVED
CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the login?Retu ...)
- libapache2-mod-auth-mellon 0.15.0-1 (low; bug #931265)
- [buster] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
[stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
[jessie] - libapache2-mod-auth-mellon <ignored> (Open Redirect protection not implemented yet)
NOTE: https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
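Review bot: Same pattern for CVE-2019-13038: the buster `<no-dsa> (Minor issue)` line is dropped and the fix is expected to come from DLA-3359-1. Worth confirming before the advisory goes out: the description says versions through 0.14.2 are affected and the buster fix is 0.14.2-1+deb10u1, i.e. a Debian revision carrying a backported change rather than a new upstream release, so check that the buster package really includes the open-redirect protection that the jessie `<ignored>` line records as "not implemented yet" (see the linked upstream issue).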
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[13 Mar 2023] DLA-3359-1 libapache2-mod-auth-mellon - security update
+ {CVE-2019-13038 CVE-2021-3639}
+ [buster] - libapache2-mod-auth-mellon 0.14.2-1+deb10u1
[12 Mar 2023] DLA-3358-1 mpv - security update
{CVE-2020-19824}
[buster] - mpv 0.29.1-1+deb10u1
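Review bot: The new DLA-3359-1 entry has the same shape as DLA-3358-1 below it (date, id, package, description, CVE set in braces, `[buster]` fixed version), so nothing structural to flag. The entry is dated 13 Mar 2023 while the commit timestamp 2023-03-13T02:08+05:30 is still 12 Mar in UTC; harmless for a reservation, but the date should match the day the advisory is actually sent.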
=====================================
data/dla-needed.txt
=====================================
@@ -102,12 +102,6 @@ intel-microcode (tobi)
NOTE: 20230310: will first fix unstable and stable, then proceed with LTS and ELTS, using the same new upstream version. (tobi)
NOTE: 20230312: uploaded to DELAYED/5 for unstable.
--
-libapache2-mod-auth-mellon (Utkarsh)
- NOTE: 20230105: Programming language: C.
- NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git
- NOTE: 20230220: upload prepped, testing remains. (utkarsh)
---
libreoffice
NOTE: 20221012: Programming language: C++.
NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git
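Review bot: The entry is removed together with its trailing `--` separator while the `--` context line above it stays, so the `libreoffice` entry below remains correctly delimited. The last status recorded in the removed block is "20230220: upload prepped, testing remains. (utkarsh)"; since removing the entry here is what signals the work is done, a note in the commit message (or in the DLA record) that testing was completed and the package uploaded would make that hand-off traceable.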
@@ -263,6 +257,7 @@ ruby-loofah (Daniel Leidert)
ruby-rails-html-sanitizer
NOTE: 20221231: Programming language: Ruby.
NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
+ NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)
--
ruby-sidekiq (Utkarsh)
NOTE: 20221231: Programming language: Ruby.
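Review bot: The added note says ruby-rails-html-sanitizer cannot be fixed until ruby-loofah "is fixed with appropriate methods", but does not say which methods or which ruby-loofah change it depends on; since ruby-loofah is listed under a different claimant (Daniel Leidert, per the hunk context), a matching note in the ruby-loofah entry, or a pointer to the specific ruby-loofah fix, would make the dependency visible to whoever handles that package. The ruby-rails-html-sanitizer entry also carries no claimant in parentheses even though the note is signed (utkarsh).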
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/23a9d48016bd0218a366177fd3cdd5051347ed17...4dacbb52b1761a042d3085dc122626e08b9288ca