Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits: 5f812d9c by Utkarsh Gupta at 2020-09-01T18:21:41+05:30 Mark CVE-2020-{9490,11993}/apache2 as <ignored> for stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -28733,6 +28733,7 @@ CVE-2020-11994 (Server-Side Template Injection and arbitrary file disclosure on CVE-2020-11993 (Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enab ...) {DSA-4757-1} - apache2 2.4.46-1 + [stretch] - apache2 <ignored> (Too intrusive to backport) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993 NOTE: https://www.openwall.com/lists/oss-security/2020/08/07/3 NOTE: https://svn.apache.org/r1879642 @@ -36528,6 +36529,7 @@ CVE-2020-9491 CVE-2020-9490 (Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted valu ...) {DSA-4757-1} - apache2 2.4.46-1 + [stretch] - apache2 <ignored> (Too intrusive to backport) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490 NOTE: https://www.openwall.com/lists/oss-security/2020/08/07/4 NOTE: https://svn.apache.org/r1880396 ===================================== data/dla-needed.txt ===================================== @@ -21,13 +21,6 @@ ansible NOTE: 20200508: bam: Upstream fix was reverted - https://github.com/ansible/ansible/pull/68983 NOTE: 20200508: bam: See https://github.com/ansible/ansible/issues/67794 -- -apache2 - NOTE: 20200808: Seems affected by CVE-2020-9490, CVE-2020-11993 (abhijith) - NOTE: 20200817: Too intrusive. Re-visit back later -> experimenting fixes for ELTS. (utkarsh) - NOTE: 20200831: sadly, the fix for http2 features requires whole modules/http2 backport. - NOTE: 20200831: for other things, we might need to import CVE-20{19,20}-* files from - NOTE: 20200831: buster-security branch (from yadd) (utkarsh) --- ark (Abhijith PA) NOTE: 20200731: given PoC not working as intended. (abhijith) NOTE: 20200801: though testing with other PoC's available over internet seems exploitable (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f812d9c8b290c6f368eea455598d0b7c10850b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f812d9c8b290c6f368eea455598d0b7c10850b6 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits