Author: hertzog Date: 2017-10-26 15:36:28 +0000 (Thu, 26 Oct 2017) New Revision: 56990
Modified: data/CVE/list data/dla-needed.txt Log: Triage check-mk CVE on wheezy All XSS issues have been ignored up to now, I don't see why CVE-2017-9781 should be treated differently. For CVE-2017-14955, the issue is in code which doesn't exist in 1.1.12p7-1. With those changes, I can drop check-mk from dla-needed.txt. Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-10-26 15:34:27 UTC (rev 56989) +++ data/CVE/list 2017-10-26 15:36:28 UTC (rev 56990) @@ -2393,6 +2393,7 @@ NOT-FOR-US: AlienVault CVE-2017-14955 (Check_MK before 1.2.8p26 mishandles certain errors within the ...) - check-mk 1.2.8p26-1 + [wheezy] - check-mk <not-affected> (Vulnerable code not present) NOTE: http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8 NOTE: https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=a4a2cc1f30ff6032899ca80eed29fa26b8898c54 @@ -16978,6 +16979,7 @@ CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) [experimental] - check-mk 1.4.0p9-1 - check-mk <unfixed> (bug #865497) + [wheezy] - check-mk <ignored> (Minor issue) NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=4757 NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via unknown ...) Modified: data/dla-needed.txt =================================================================== --- data/dla-needed.txt 2017-10-26 15:34:27 UTC (rev 56989) +++ data/dla-needed.txt 2017-10-26 15:36:28 UTC (rev 56990) @@ -13,12 +13,6 @@ ca-certificates NOTE: 20170719: maintainer will handle the upload, see https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org -- -check-mk - NOTE: the code is different in wheezy but from a cursory look, there - NOTE: might be multiple places where error messages are not properly - NOTE: HTML escaped. Without trying, it's hard to know if the error - NOTE: messages do include user controllable content. --- exiv2 (Raphaël Hertzog) NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, sent email later -- _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits