From ba11c104257d6909e608dee9382228ec1e5a1d36 Mon Sep 17 00:00:00 2001 From: Stefano Rivera Date: Thu, 12 May 2022 17:07:04 -0400 Subject: Reserve DLA-3000-1 for waitress --- data/CVE/list | 4 ---- data/DLA/list | 3 +++ data/dla-needed.txt | 7 ------- 3 files changed, 3 insertions(+), 11 deletions(-) diff --git a/data/CVE/list b/data/CVE/list index 6d2db30006..900b160f46 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -186070,7 +186070,6 @@ CVE-2019-16793 CVE-2019-16792 (Waitress through version 1.3.1 allows request smuggling by sending the ...) - waitress 1.4.1-1 [buster] - waitress (Minor issue) - [stretch] - waitress (Minor issue) [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-4ppp-gpcr-7qf6 NOTE: https://github.com/Pylons/waitress/commit/575994cd42e83fd772a5f7ec98b2c56751bd3f65 @@ -186083,7 +186082,6 @@ CVE-2019-16789 (In Waitress through version 1.4.0, if a proxy server is used in {DLA-2056-1} - waitress 1.4.1-1 (bug #947433) [buster] - waitress (Minor issue) - [stretch] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 NOTE: https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 CVE-2019-16788 @@ -186091,14 +186089,12 @@ CVE-2019-16788 CVE-2019-16786 (Waitress through version 1.3.1 would parse the Transfer-Encoding heade ...) - waitress 1.4.1-1 (bug #947306) [buster] - waitress (Minor issue) - [stretch] - waitress (Minor issue) [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p NOTE: https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3 CVE-2019-16785 (Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 ...) - waitress 1.4.1-1 (bug #947306) [buster] - waitress (Minor issue) - [stretch] - waitress (Minor issue) [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p NOTE: https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba diff --git a/data/DLA/list b/data/DLA/list index 54528ef5da..6cff024e6a 100644 --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[12 May 2022] DLA-3000-1 waitress - security update + {CVE-2019-16785 CVE-2019-16786 CVE-2019-16789 CVE-2019-16792 CVE-2022-24761} + [stretch] - waitress 1.0.1-1+deb9u1 [11 May 2022] DLA-2999-1 mutt - security update {CVE-2022-1328} [stretch] - mutt 1.7.2-1+deb9u6 diff --git a/data/dla-needed.txt b/data/dla-needed.txt index 128d8e156c..14823b0e94 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -214,10 +214,3 @@ unzip (Dominik George) -- vim (Markus Koschany) -- -waitress (Stefano Rivera) - NOTE: 20220320: I am not sure if we should ignore CVE-2022-24761 as it is - NOTE: 20220320: basically another HTTP parsing error and a workaround exists - NOTE: 20220320: or if we should overhaul the package and fix everything - NOTE: 20220320: instead. Someone with more Python knowledge should take another look - NOTE: 20220320: at it. (apo) --- -- cgit v1.2.3