Author: hertzog
Date: 2017-10-26 15:36:28 +0000 (Thu, 26 Oct 2017)
New Revision: 56990

Modified:
   data/CVE/list
   data/dla-needed.txt
Log:
Triage check-mk CVE on wheezy

All XSS issues have been ignored up to now, I don't see why CVE-2017-9781
should be treated differently.

For CVE-2017-14955, the issue is in code which doesn't exist in 1.1.12p7-1.

With those changes, I can drop check-mk from dla-needed.txt.

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-10-26 15:34:27 UTC (rev 56989)
+++ data/CVE/list       2017-10-26 15:36:28 UTC (rev 56990)
@@ -2393,6 +2393,7 @@
        NOT-FOR-US: AlienVault
 CVE-2017-14955 (Check_MK before 1.2.8p26 mishandles certain errors within the 
...)
        - check-mk 1.2.8p26-1
+       [wheezy] - check-mk <not-affected> (Vulnerable code not present)
        NOTE: 
http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8
        NOTE: 
https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes
        NOTE: 
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=a4a2cc1f30ff6032899ca80eed29fa26b8898c54
@@ -16978,6 +16979,7 @@
 CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK 
versions ...)
        [experimental] - check-mk 1.4.0p9-1
        - check-mk <unfixed> (bug #865497)
+       [wheezy] - check-mk <ignored> (Minor issue)
        NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=4757
        NOTE: 
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via 
unknown ...)

Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-10-26 15:34:27 UTC (rev 56989)
+++ data/dla-needed.txt 2017-10-26 15:36:28 UTC (rev 56990)
@@ -13,12 +13,6 @@
 ca-certificates
   NOTE: 20170719: maintainer will handle the upload, see 
https://lists.debian.org/d0b9674a-ac5b-5cc9-1982-fb6f36155...@pbandjelly.org
 --
-check-mk
-  NOTE: the code is different in wheezy but from a cursory look, there
-  NOTE: might be multiple places where error messages are not properly
-  NOTE: HTML escaped. Without trying, it's hard to know if the error
-  NOTE: messages do include user controllable content.
---
 exiv2 (Raphaël Hertzog)
   NOTE: 20170702, no upstream fix yet, so no need to bother maintainer yet, 
sent email later
 --


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits

Reply via email to