Author: jmm Date: 2017-10-29 21:37:30 +0000 (Sun, 29 Oct 2017) New Revision: 57121
Modified: data/CVE/list Log: dulwich CVEfied Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-10-29 21:10:17 UTC (rev 57120) +++ data/CVE/list 2017-10-29 21:37:30 UTC (rev 57121) @@ -1,5 +1,10 @@ CVE-2017-16228 (Dulwich before 0.18.5, when an SSH subprocess is used, allows remote ...) - TODO: check + - dulwich 0.18.5-1 + [stretch] - dulwich <no-dsa> (Minor issue) + [jessie] - dulwich <no-dsa> (Minor issue) + NOTE: https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/ + NOTE: This is similar class of issue as for CVE-2017-1000117/git + NOTE: But needs a separate CVE since different codebasis. CVE-2017-16227 (The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 ...) TODO: check CVE-2017-16226 @@ -9912,13 +9917,6 @@ NOTE: Introduced by: https://git.kernel.org/linus/8913336a7e8d56e984109a3137d6c0e3362596a4 (2.6.27-rc1) NOTE: Fixed by: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7 NOTE: Non-privileged user namespaces disabled by default, only exploitable by arbitrary user if sysctl kernel.unprivileged_userns_clone=1 -CVE-2017-XXXX [dulwich: Prevents setting SSH arguments from SSH URLs when using SSH through a subprocess] - - dulwich 0.18.5-1 - [stretch] - dulwich <no-dsa> (Minor issue) - [jessie] - dulwich <no-dsa> (Minor issue) - NOTE: https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/ - NOTE: This is similar class of issue as for CVE-2017-1000117/git - NOTE: But needs a separate CVE since different codebasis. CVE-2017-1000117 (A malicious third-party can give a crafted "ssh://..." URL to an ...) {DSA-3934-1 DLA-1068-1} - git 1:2.14.1-1 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
