Re: Any updates on CVE-2018-1000021

To: Leoš Sokolowski <leos@sklw.de>
Cc: debian-security-tracker <debian-security-tracker@lists.debian.org>
Subject: Re: Any updates on CVE-2018-1000021
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Fri, 5 May 2023 20:12:51 +0200
Message-id: <[🔎] 20230505181251.GA23748@inutil.org>
In-reply-to: <[🔎] PgNl0Mp2b_NIMFYAk9EwNcnCEgG-gUy3dHtzfFCzMPkuAkv28iEnSWL3qIJVmlSpz_1fWiZ8Nigmw0zRSt1L0azELlhkTlFf4xQ5BAzYHOE=@sklw.de>
References: <[🔎] PgNl0Mp2b_NIMFYAk9EwNcnCEgG-gUy3dHtzfFCzMPkuAkv28iEnSWL3qIJVmlSpz_1fWiZ8Nigmw0zRSt1L0azELlhkTlFf4xQ5BAzYHOE=@sklw.de>

Hi Leoš,

On Fri, May 05, 2023 at 01:48:29PM +0000, Leoš Sokolowski wrote:
> Hi,
> 
> I'd like to ask if there's any update on the git-vulnerability CVE-2018-100002. According to the description on both the tracker and the NVD it has been fixed since Version 2.15.1, but the security trackers of both Debian and Ubuntu still list it as vulnerable on all Versions, up to 1:2.40.1-1. I'm pretty sure that's wrong. Is that a problem that has been kept in the application for legacy-reasons or something that has been fixed upstream, copied, but not marked as fixed in the tracker? The last update on the linked bug-report (889680) is from 2018 and appears to be spam.

The CVE description says the issue is _in_ 2.15.1, not that it's fixed. If you have any confirmations
about this being addressed (changelogs/commits etc), please let us know and we're happy to review it.

Cheers,
        Moritz

Reply to:

References:
- Any updates on CVE-2018-1000021
  - From: Leoš Sokolowski <leos@sklw.de>

Prev by Date: Any updates on CVE-2018-1000021
Next by Date: External check
Previous by thread: Any updates on CVE-2018-1000021
Next by thread: Continued-
Index(es):
- Date
- Thread