Code review comment for ~rbalint/ubuntu-seeds/+git/platform:demote-devscripts-lintian

Balint Reczey (rbalint) wrote :

Lintian had one security update since Precise:

lintian (2.5.43ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: code execution via YAML parsing
    - checks/upstream-metadata.pm: disable YAML parser.
    - t/tests/upstream-metadata-invalid-yml/skip: skip test.
    - 0a2f38ecbc70d34a4b77c93a030555b310bd34ff
    - CVE-2017-8829

 -- Marc Deslauriers <email address hidden> Mon, 05 Jun 2017 14:33:13 -0400

Devscripts had a few:

devscripts (2.17.12ubuntu1.1) bionic-security; urgency=medium

  * SECURITY UPDATE: Code execution through unsafe YAML loading
    - CVE-2018-13043
---
devscripts (2.14.1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue in uupdate
    - scripts/uupdate.sh: remove symlinks before applying patches, and
      restore them afterwards.
    - http://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=0fef671
    - CVE-2014-1833

---
devscripts (2.11.6ubuntu1.7) precise-security; urgency=medium

  * SECURITY UPDATE: directory traversal issue in uupdate
    - scripts/uupdate.sh: remove symlinks before applying patches, and
      restore them afterwards.
    - http://anonscm.debian.org/cgit/collab-maint/devscripts.git/commit/?id=0fef671
    - CVE-2014-1833

 -- Marc Deslauriers <email address hidden> Mon, 15 Jun 2015 13:15:39 -0400

devscripts (2.11.6ubuntu1.6) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution in uscan via crafted tarball
    - scripts/uscan.pl: improve tarball handling.
    - 02c6850d973e3e1246fde72edab27f03d63acc52
    - 4b7e58ee6000cdefac0682601cec6ecce0137467
    - CVE-2013-6888

 -- Marc Deslauriers <email address hidden> Fri, 10 Jan 2014 13:02:15 -0500

devscripts (2.11.6ubuntu1.4) precise-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via insufficient validation
    in dscverify
    - scripts/dscverify.pl: perform better validation.
    - 9fba4788933475185df5e58b7fa557e5e3fb15e4
    - CVE-2012-2240
  * SECURITY UPDATE: arbitrary file deletion via insufficient validation
    in dget
    - scripts/dget.pl: strip invalid characters
    - 0fd15bdec07b085f9ef438dacd18e159ac60b810
    - CVE-2012-2241
  * SECURITY UPDATE: file alteration via TOCTOU in annotate-output
    - scripts/annotate-output.sh: prevent symlink attack.
    - 4d23a5e6c90f7a37b0972b30f5d31dce97a93eb0
    - CVE-2012-3500
  * REGRESSION FIX: improper exit code in CVE-2012-0212 debdiff.pl fix
    - f9a1a4c468671827d2650161cc33324fe0247a98
