From 170e9a13b215a71494e546d81838b9c7e476c936 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timo=20R=C3=B6hling?= Date: Wed, 16 Feb 2022 11:26:02 +0100 Subject: Mark rpyc as not affected by CVE-2019-16328 --- data/CVE/2019.list | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/data/CVE/2019.list b/data/CVE/2019.list index 2a510abb8c..a759bee4cc 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -11973,7 +11973,8 @@ CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, persistent cross site CVE-2019-16329 RESERVED CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...) - - rpyc + - rpyc + NOTE: Affected versions have not been packaged for Debian CVE-2019-16327 (D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypa ...) NOT-FOR-US: D-Link CVE-2019-16326 (D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token ...) -- cgit v1.2.3 From eb0e595a779d29ae6dd1ede01eb1c8fb0d268386 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Wed, 16 Feb 2022 13:13:14 +0100 Subject: Add reason for not-affected and expand notes covering upstream information --- data/CVE/2019.list | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/data/CVE/2019.list b/data/CVE/2019.list index a759bee4cc..9faef3abdf 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list 
@@ -11973,8 +11973,9 @@ CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, persistent cross site CVE-2019-16329 RESERVED CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...) - - rpyc - NOTE: Affected versions have not been packaged for Debian + - rpyc (Vulnerable code newer in a released Debian version) + NOTE: Issue only affected 4.1.0 and 4.1.1 upstream and fixed in 4.1.2 + NOTE: https://rpyc.readthedocs.io/en/latest/docs/security.html#security CVE-2019-16327 (D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypa ...) NOT-FOR-US: D-Link CVE-2019-16326 (D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token ...) -- cgit v1.2.3
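Review bot: In the first commit's hunk (@@ -11973,7 +11973,8 @@), the added line "NOTE: Affected versions have not been packaged for Debian" does not say which upstream versions are affected or which release carries the fix, so the not-affected claim cannot be checked from this entry alone. The CVE description on the line above it only gives "4.1.x through 4.1.1". Suggest naming the affected upstream range and the fixed version in the NOTE, and adding a second NOTE with an upstream reference.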
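Review bot: In the second commit's hunk (@@ -11973,8 +11973,9 @@), the reason on the added "- rpyc" line reads "Vulnerable code newer in a released Debian version", where "newer" looks like a typo for "never"; as written the parenthetical does not state the not-affected reason that the subject line promises. Suggest "Vulnerable code never in a released Debian version". Separately, the added reference NOTE uses the "en/latest" documentation path, which follows the current docs rather than a fixed revision; a versioned documentation link or an upstream commit or advisory reference would keep the entry verifiable over time.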