Merge ~mainek00n/ubuntu-cve-tracker:patch-1 into ubuntu-cve-tracker:master

Proposed by MaineK00n
Status: Merged
Merged at revision: bc5c3475c71a157243b70b9439cb11782d3acbbf
Proposed branch: ~mainek00n/ubuntu-cve-tracker:patch-1
Merge into: ubuntu-cve-tracker:master
Diff against target: 73 lines (+9/-6)
4 files modified
active/CVE-2020-26137 (+3/-2)
active/CVE-2021-33503 (+3/-2)
active/CVE-2022-0085 (+1/-1)
retired/CVE-2021-28363 (+2/-1)
Reviewer Review Type Date Requested Status
Alex Murray Approve
Mark Esler Needs Fixing
Review via email: mp+428156@code.launchpad.net
Revision history for this message
Mark Esler (eslerm) wrote :

For active/CVE-2021-33503, it should be `upstream_python-urllib3: released (1.26.5)`.

This is a bit clearer if you look at:
 - https://github.com/urllib3/urllib3/releases/tag/1.26.4
 - https://github.com/urllib3/urllib3/commit/2d4a3fee6de2fa45eb82169361918f759269b4ec
 - https://github.com/urllib3/urllib3/releases/tag/1.26.5
(notice the dates)

You can also verify the commit with:
 - https://github.com/urllib3/urllib3/commits/1.26.4
 - https://github.com/urllib3/urllib3/commits/1.26.5

For the upstream field we want to know the upstream version number. What is the difference between an upstream version number and Debian's version number? What is the difference between those and Ubuntu?

https://www.ducea.com/2006/06/17/ubuntu-package-version-naming-explanation/

review: Needs Fixing
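As an added example (not part of this merge proposal and not code from ubuntu-cve-tracker), the following Python splits a Debian/Ubuntu package version into epoch, upstream version and Debian revision, labels whether a value is a bare upstream version, a Debian packaging version (`-N`) or an Ubuntu one (`-NubuntuM`), and compares two versions using the dpkg ordering rules (`~` sorts before everything, digit and non-digit runs alternate). It goes slightly beyond the comment above in that it implements the full dpkg comparison, not only the upstream/Debian split. All function names are my own, and the sample values are constructed from the version strings that appear in this diff.

```python
# Added example: dpkg-style version parsing and comparison for triage checks.
# Not part of ubuntu-cve-tracker; function names are hypothetical.

def parse_version(version):
    """Return (epoch, upstream_version, debian_revision).

    Epoch is everything before the first ':'; the Debian revision is
    everything after the last '-'. A bare upstream version has epoch 0
    and an empty revision.
    """
    epoch, rest = 0, version
    if ':' in rest:
        epoch_str, rest = rest.split(':', 1)
        epoch = int(epoch_str)
    if '-' in rest:
        upstream, revision = rest.rsplit('-', 1)
    else:
        upstream, revision = rest, ''
    return epoch, upstream, revision


def classify(version):
    """'upstream' (no revision), 'debian' (-N) or 'ubuntu' (-NubuntuM)."""
    _, _, revision = parse_version(version)
    if not revision:
        return 'upstream'
    return 'ubuntu' if 'ubuntu' in revision else 'debian'


def to_upstream(version):
    """The bare upstream version, i.e. what an upstream_* field should carry."""
    return parse_version(version)[1]


def _order(ch):
    """dpkg character weight: '~' before end-of-string, digits/end are 0,
    letters by code point, other symbols after all letters."""
    if ch == '~':
        return -1
    if ch == '' or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare one upstream or revision fragment as dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Run of non-digits: compare character weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Run of digits: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == '0':
            i += 1
        while j < len(b) and b[j] == '0':
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b under dpkg ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _cmp_fragment(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


if __name__ == '__main__':
    # Constructed sample values taken from the versions shown in this diff.
    for v in ('1.25.9-1', '1.25.9', '1.26.5-1~exp1', '1.26.2-1ubuntu1'):
        print(f'{v:18} {classify(v):9} upstream={to_upstream(v)}')
    print(compare_versions('1.26.5-1~exp1', '1.26.5-1'))   # -1: ~exp1 precedes -1
```

Running `classify` over the values in an `upstream_*` field is a cheap lint for exactly the mistake discussed in this thread: a result other than `upstream` means a packaging version was pasted where the upstream fix version belongs, and `to_upstream` gives the corrected value.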
Revision history for this message
Mark Esler (eslerm) wrote :

A colleague corrected my suggestion.

For upstream_*, either the actual upstream or Debian version is allowed (as you have it).

Revision history for this message
MaineK00n (mainek00n) wrote (last edit ):

Thanks for the review.

I put the actual fixed version or the version that includes the fixed version in upstream_*. In some cases, the URL to the commit is added so that the user can find them.

In CVE-2020-26137, the version of python-urllib3 is changed to the actual upstream version instead of the Debian Version to match python-pip.

Revision history for this message
Alex Murray (alexmurray) wrote :

LGTM - thanks!

review: Approve

Preview Diff

diff --git a/active/CVE-2020-26137 b/active/CVE-2020-26137
index a04d6b5..f713097 100644
--- a/active/CVE-2020-26137
+++ b/active/CVE-2020-26137
@@ -26,7 +26,7 @@ CVSS:
2626
27Patches_python-urllib3:27Patches_python-urllib3:
28 upstream: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)28 upstream: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)
29upstream_python-urllib3: released (1.25.9-1)29upstream_python-urllib3: released (1.25.9)
30precise/esm_python-urllib3: DNE30precise/esm_python-urllib3: DNE
31trusty_python-urllib3: ignored (reached end-of-life)31trusty_python-urllib3: ignored (reached end-of-life)
32trusty/esm_python-urllib3: needed32trusty/esm_python-urllib3: needed
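Review bot: the `upstream_python-urllib3` value drops the Debian revision, going from `released (1.25.9-1)` to `released (1.25.9)`, which now agrees with the `(1.25.9)` annotation on the `upstream:` commit line directly above it. That is the right direction for an upstream_ field, whose job is to record the upstream fix version; the `jammy_`/`devel_` entries visible in the next hunk header keep `(1.25.9-1)`, which is correct there because those fields record the package version in the archive.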
@@ -41,7 +41,8 @@ jammy_python-urllib3: not-affected (1.25.9-1)
41devel_python-urllib3: not-affected (1.25.9-1)41devel_python-urllib3: not-affected (1.25.9-1)
4242
43Patches_python-pip:43Patches_python-pip:
44upstream_python-pip: needs-triage44 upstream: https://github.com/pypa/pip/commit/072b70b9bf7819e87995728b480eaa71622b16a8 (20.2)
45upstream_python-pip: released (20.2)
45precise/esm_python-pip: DNE46precise/esm_python-pip: DNE
46trusty_python-pip: ignored (reached end of life)47trusty_python-pip: ignored (reached end of life)
47trusty/esm_python-pip: needed48trusty/esm_python-pip: needed
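Review bot: `upstream_python-pip` moves from `needs-triage` to `released (20.2)` on the strength of the newly added `upstream:` commit link annotated `(20.2)`. Since pip is only exposed through its vendored urllib3, the annotation should be the first pip release tag that actually contains that commit, not merely a release near it in time; that is what justifies `released` instead of `needed`, so confirm the tag before merging. The one-space indentation of the new `upstream:` line under `Patches_python-pip:` matches the existing urllib3 block.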
diff --git a/active/CVE-2021-33503 b/active/CVE-2021-33503
index 1e23fa5..07d45ff 100644
--- a/active/CVE-2021-33503
+++ b/active/CVE-2021-33503
@@ -28,7 +28,7 @@ CVSS:
28 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]28 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
2929
30Patches_python-urllib3:30Patches_python-urllib3:
31upstream_python-urllib3:31upstream_python-urllib3: released (1.26.5)
32trusty_python-urllib3: ignored (reached end-of-life)32trusty_python-urllib3: ignored (reached end-of-life)
33trusty/esm_python-urllib3: not-affected33trusty/esm_python-urllib3: not-affected
34xenial_python-urllib3: not-affected34xenial_python-urllib3: not-affected
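Review bot: `upstream_python-urllib3` gets `released (1.26.5)` but, unlike the pip blocks in this same patch, no `upstream:` commit line is added under `Patches_python-urllib3:` to record which commit fixed it. The review comment above points out that the 1.26.4 and 1.26.5 tags are close together, which is exactly the situation where a commit reference makes the version claim checkable; suggest adding the fixing commit URL with a `(1.26.5)` annotation for consistency with the other hunks.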
@@ -42,7 +42,8 @@ jammy_python-urllib3: not-affected (1.26.5-1~exp1)
42devel_python-urllib3: not-affected (1.26.5-1~exp1)42devel_python-urllib3: not-affected (1.26.5-1~exp1)
4343
44Patches_python-pip:44Patches_python-pip:
45upstream_python-pip:45 upstream: https://github.com/pypa/pip/commit/5394d340fb3a0b31a8e1909dd6872ecc36f75fbe (21.2)
46upstream_python-pip: released (21.2)
46trusty_python-pip: ignored (reached end of life)47trusty_python-pip: ignored (reached end of life)
47trusty/esm_python-pip: not-affected (embedded urllib3 not affected)48trusty/esm_python-pip: not-affected (embedded urllib3 not affected)
48xenial_python-pip: not-affected (embedded urllib3 not affected)49xenial_python-pip: not-affected (embedded urllib3 not affected)
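Review bot: the added `upstream:` line for pip is annotated `(21.2)` and the status becomes `released (21.2)`, consistent with the context lines that already record `not-affected (embedded urllib3 not affected)` for the older releases. The thing to verify is that 21.2 is the first pip tag whose vendored urllib3 is at 1.26.5, the fixed version recorded in the previous hunk; if the bump landed in an earlier tag, the released version here should be lowered to match.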
diff --git a/active/CVE-2022-0085 b/active/CVE-2022-0085
index 37b6a2f..4d6eec7 100644
--- a/active/CVE-2022-0085
+++ b/active/CVE-2022-0085
@@ -19,7 +19,7 @@ CVSS:
1919
2020
21Patches_php-dompdf:21Patches_php-dompdf:
22upstream_php-dompdf: 22upstream_php-dompdf: released (2.0.0)
23trusty/esm_php-dompdf: DNE (trusty was needs-triage)23trusty/esm_php-dompdf: DNE (trusty was needs-triage)
24trusty_php-dompdf: ignored (out of standard support, was needs-triage)24trusty_php-dompdf: ignored (out of standard support, was needs-triage)
25xenial_php-dompdf: ignored (end of standard support, was needs-triage)25xenial_php-dompdf: ignored (end of standard support, was needs-triage)
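Review bot: `upstream_php-dompdf` goes from empty to `released (2.0.0)` with no `upstream:` commit or release reference under `Patches_php-dompdf:`, so the version claim cannot be traced from the file alone. The pip entries in this same patch add a commit URL with the version in parentheses; the same pattern here (fixing commit or release tag) would let the next triager confirm 2.0.0 without redoing the research.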
diff --git a/retired/CVE-2021-28363 b/retired/CVE-2021-28363
index 51194a5..af59628 100644
--- a/retired/CVE-2021-28363
+++ b/retired/CVE-2021-28363
@@ -41,7 +41,8 @@ groovy_python-urllib3: not-affected (code not present)
41devel_python-urllib3: released (1.26.2-1ubuntu1)41devel_python-urllib3: released (1.26.2-1ubuntu1)
4242
43Patches_python-pip:43Patches_python-pip:
44upstream_python-pip:44 upstream: https://github.com/pypa/pip/commit/960c01adce491de00ef7a8d02a32fea31b15a1dc (21.1)
45upstream_python-pip: released (21.1)
45precise/esm_python-pip: DNE46precise/esm_python-pip: DNE
46trusty_python-pip: ignored (reached end of life)47trusty_python-pip: ignored (reached end of life)
47trusty/esm_python-pip: not-affected (code not present)48trusty/esm_python-pip: not-affected (code not present)
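Review bot: this applies the same `upstream:` commit plus `released (21.1)` pattern to a file under `retired/`, and the `(21.1)` annotation on the commit line agrees with the `upstream_python-pip` value, which is the consistency the other pip hunks should also show. Backfilling the upstream status on a retired entry is reasonable, since it only improves the record and does not change what is tracked as outstanding; as with the other pip hunks, confirm that 21.1 is the first pip tag containing the linked commit.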
