Merge ~mainek00n/ubuntu-cve-tracker:patch-1 into ubuntu-cve-tracker:master

Proposed by MaineK00n
Status: Merged
Merged at revision: bc5c3475c71a157243b70b9439cb11782d3acbbf
Proposed branch: ~mainek00n/ubuntu-cve-tracker:patch-1
Merge into: ubuntu-cve-tracker:master
Diff against target: 73 lines (+9/-6)
4 files modified
active/CVE-2020-26137 (+3/-2)
active/CVE-2021-33503 (+3/-2)
active/CVE-2022-0085 (+1/-1)
retired/CVE-2021-28363 (+2/-1)
Reviewers:
 - Alex Murray: Approve
 - Mark Esler: Needs Fixing
Review via email: mp+428156@code.launchpad.net
Mark Esler (eslerm) wrote :

For active/CVE-2021-33503, it should be `upstream_python-urllib3: released (1.26.5)`.

This is a bit clearer if you look at:
 - https://github.com/urllib3/urllib3/releases/tag/1.26.4
 - https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
 - https://github.com/urllib3/urllib3/releases/tag/1.26.5
(notice the dates)

You can also verify the commit with:
 - https://github.com/urllib3/urllib3/commits/1.26.4
 - https://github.com/urllib3/urllib3/commits/1.26.5

For the upstream field we want to know the upstream version number. What is the difference between an upstream version number and Debian's version number? What is the difference between those and Ubuntu?

https://www.ducea.com/2006/06/17/ubuntu-package-version-naming-explanation/

review: Needs Fixing
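As an added example (not part of this merge proposal or of the tracker's own tooling), the following Python script decomposes version strings such as `1.25.9-1` or `1.26.2-1ubuntu1` into the epoch, upstream, Debian-revision and Ubuntu pieces the comment above asks about, and checks whether an `upstream_*` value agrees with the version tagged on the ` upstream:` commit link in the same `Patches_` block. The tracker-format sample it parses is constructed from entries in this proposal's diff.

```python
import re

# Debian Policy 5.6.12 grammar: [epoch:]upstream_version[-debian_revision]; Ubuntu appends
# "ubuntuN" (sometimes "~<release>.N") to the Debian revision. upstream_version may contain
# hyphens only when a debian_revision follows, so the split is at the LAST hyphen.
PATCHES_HDR = re.compile(r"^Patches_\S+:")
PATCH_TAG = re.compile(r"^\s*upstream:\s+\S+\s+\((?P<ver>[^)]+)\)")
UPSTREAM_KEY = re.compile(r"^upstream_(?P<pkg>\S+):\s*\S+(?:\s+\((?P<ver>[^)]+)\))?")

def parse_version(version):
    """Split a package version into epoch, upstream, Debian revision and Ubuntu suffix."""
    epoch = None
    if ":" in version:
        epoch, version = version.split(":", 1)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # no hyphen: native package, no Debian revision
        upstream, revision = version, None
    ubuntu = None
    if revision is not None and "ubuntu" in revision:
        revision, _, rest = revision.partition("ubuntu")
        ubuntu = "ubuntu" + rest
    return {"epoch": epoch, "upstream": upstream,
            "debian_revision": revision, "ubuntu_suffix": ubuntu}

def check_upstream_entries(text):
    """Compare each upstream_<pkg> version with the version tagged on the ' upstream:' commit
    link in the same Patches_ block. Returns
    {pkg: (released, tag, upstream_part_matches_tag, carries_debian_revision)}."""
    results, tag = {}, None
    for line in text.splitlines():
        if PATCHES_HDR.match(line):
            tag = None                   # new block: forget the previous package's tag
        elif m := PATCH_TAG.match(line):
            tag = m.group("ver")
        elif (m := UPSTREAM_KEY.match(line)) and m.group("ver"):
            parsed = parse_version(m.group("ver"))
            results[m.group("pkg")] = (m.group("ver"), tag, parsed["upstream"] == tag,
                                       parsed["debian_revision"] is not None)
    return results

# Constructed sample in the tracker's format, mirroring entries discussed in the review.
SAMPLE = """\
Patches_python-urllib3:
 upstream: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)
upstream_python-urllib3: released (1.25.9-1)
Patches_python-pip:
 upstream: https://github.com/pypa/pip/commit/072b70b9bf7819e87995728b480eaa71622b16a8 (20.2)
upstream_python-pip: released (20.2)
"""
```

Running `check_upstream_entries(SAMPLE)` flags the urllib3 entry as carrying a Debian revision even though its upstream part matches the tagged commit, which is exactly the distinction the two versions of the `upstream_python-urllib3` line in the first hunk illustrate.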
Mark Esler (eslerm) wrote :

A colleague corrected my suggestion.

For upstream_*, either the actual upstream or Debian version is allowed (as you have it).

MaineK00n (mainek00n) wrote (last edit):

Thanks for the review.

I put the actual fixed version or the version that includes the fixed version in upstream_*. In some cases, the URL to the commit is added so that the user can find them.

In CVE-2020-26137, the version of python-urllib3 is changed to the actual upstream version instead of the Debian version to match python-pip.

Alex Murray (alexmurray) wrote :

LGTM - thanks!

review: Approve

Preview Diff

1diff --git a/active/CVE-2020-26137 b/active/CVE-2020-26137
2index a04d6b5..f713097 100644
3--- a/active/CVE-2020-26137
4+++ b/active/CVE-2020-26137
5@@ -26,7 +26,7 @@ CVSS:
6
7 Patches_python-urllib3:
8 upstream: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)
9-upstream_python-urllib3: released (1.25.9-1)
10+upstream_python-urllib3: released (1.25.9)
11 precise/esm_python-urllib3: DNE
12 trusty_python-urllib3: ignored (reached end-of-life)
13 trusty/esm_python-urllib3: needed
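Review bot: the new `released (1.25.9)` value is consistent with the `(1.25.9)` tag on the ` upstream:` commit line directly above it; the dropped `-1` is a Debian revision, not part of the upstream version, which is the distinction discussed in the review thread. The release-specific lines in the next hunk (`jammy_python-urllib3: not-affected (1.25.9-1)`) correctly keep the Debian-style version, since those record the packaged version rather than the upstream one.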
14@@ -41,7 +41,8 @@ jammy_python-urllib3: not-affected (1.25.9-1)
15 devel_python-urllib3: not-affected (1.25.9-1)
16
17 Patches_python-pip:
18-upstream_python-pip: needs-triage
19+ upstream: https://github.com/pypa/pip/commit/072b70b9bf7819e87995728b480eaa71622b16a8 (20.2)
20+upstream_python-pip: released (20.2)
21 precise/esm_python-pip: DNE
22 trusty_python-pip: ignored (reached end of life)
23 trusty/esm_python-pip: needed
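Review bot: the added ` upstream:` line is indented by one space while the `upstream_python-pip:` key beneath it is flush left; the corresponding patch-link line in the urllib3 block of this same file shows no indentation in this rendering, so confirm both blocks use identical whitespace for the ` upstream:` line before merging. The `(20.2)` tag on the commit link and `released (20.2)` agree, which is the pairing the other pip hunks in this proposal use as well.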
24diff --git a/active/CVE-2021-33503 b/active/CVE-2021-33503
25index 1e23fa5..07d45ff 100644
26--- a/active/CVE-2021-33503
27+++ b/active/CVE-2021-33503
28@@ -28,7 +28,7 @@ CVSS:
29 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
30
31 Patches_python-urllib3:
32-upstream_python-urllib3:
33+upstream_python-urllib3: released (1.26.5)
34 trusty_python-urllib3: ignored (reached end-of-life)
35 trusty/esm_python-urllib3: not-affected
36 xenial_python-urllib3: not-affected
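Review bot: `released (1.26.5)` agrees with the `not-affected (1.26.5-1~exp1)` jammy/devel lines in the next hunk and with the version settled on in the review thread, but unlike every python-pip block in this proposal no ` upstream:` commit line is added here. The urllib3 commit and release tag cited in the thread (https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec, tag 1.26.5) would give later triagers the same traceability the pip entries get.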
37@@ -42,7 +42,8 @@ jammy_python-urllib3: not-affected (1.26.5-1~exp1)
38 devel_python-urllib3: not-affected (1.26.5-1~exp1)
39
40 Patches_python-pip:
41-upstream_python-pip:
42+ upstream: https://github.com/pypa/pip/commit/5394d340fb3a0b31a8e1909dd6872ecc36f75fbe (21.2)
43+upstream_python-pip: released (21.2)
44 trusty_python-pip: ignored (reached end of life)
45 trusty/esm_python-pip: not-affected (embedded urllib3 not affected)
46 xenial_python-pip: not-affected (embedded urllib3 not affected)
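Review bot: the trusty/esm and xenial lines in this block record pip as `not-affected (embedded urllib3 not affected)`, so pip is affected only through the urllib3 copy it vendors; consider stating in the new ` upstream:` line which urllib3 version the `(21.2)` commit bundles, so the `released (21.2)` claim can be checked against the urllib3 fix version without opening the commit.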
47diff --git a/active/CVE-2022-0085 b/active/CVE-2022-0085
48index 37b6a2f..4d6eec7 100644
49--- a/active/CVE-2022-0085
50+++ b/active/CVE-2022-0085
51@@ -19,7 +19,7 @@ CVSS:
52
53
54 Patches_php-dompdf:
55-upstream_php-dompdf:
56+upstream_php-dompdf: released (2.0.0)
57 trusty/esm_php-dompdf: DNE (trusty was needs-triage)
58 trusty_php-dompdf: ignored (out of standard support, was needs-triage)
59 xenial_php-dompdf: ignored (end of standard support, was needs-triage)
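Review bot: `released (2.0.0)` is added without any ` upstream:` commit or release link, unlike the other three files in this proposal, so the value cannot be verified from the entry alone; add the upstream reference that substantiates 2.0.0 as the first fixed release, in the same form used for the pip blocks.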
60diff --git a/retired/CVE-2021-28363 b/retired/CVE-2021-28363
61index 51194a5..af59628 100644
62--- a/retired/CVE-2021-28363
63+++ b/retired/CVE-2021-28363
64@@ -41,7 +41,8 @@ groovy_python-urllib3: not-affected (code not present)
65 devel_python-urllib3: released (1.26.2-1ubuntu1)
66
67 Patches_python-pip:
68-upstream_python-pip:
69+ upstream: https://github.com/pypa/pip/commit/960c01adce491de00ef7a8d02a32fea31b15a1dc (21.1)
70+upstream_python-pip: released (21.1)
71 precise/esm_python-pip: DNE
72 trusty_python-pip: ignored (reached end of life)
73 trusty/esm_python-pip: not-affected (code not present)
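Review bot: the `(21.1)` tag on the commit link and `released (21.1)` agree, and the `upstream_python-pip:` value was empty before this change, so filling it is useful; since this entry lives under `retired/` rather than `active/`, confirm that retired entries are meant to be updated alongside active ones, as the proposal carries no description saying so.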
