From 014459cc50cd063b7bbdf0db6861dc20c967a493 Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sun, 28 Feb 2021 13:25:47 +0100 Subject: Update information for CVE-2020-29509 and track golang-github-russellhaering-gosaml2 --- data/CVE/2020.list | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'data/CVE/2020.list') diff --git a/data/CVE/2020.list b/data/CVE/2020.list index c83326395a..26c6d05766 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -3198,12 +3198,13 @@ CVE-2020-29510 (The encoding/xml package in Go versions 1.15 and earlier does no NOTE: https://github.com/golang/go/issues/43168 NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ CVE-2020-29509 (The encoding/xml package in Go (all versions) does not correctly prese ...) - - golang-1.15 - - golang-1.11 - - golang-1.8 - [stretch] - golang-1.8 (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) - - golang-1.7 - [stretch] - golang-1.7 (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship) + - golang-github-russellhaering-gosaml2 (bug #948190) + - golang-1.15 (unimportant) + - golang-1.11 (unimportant) + - golang-1.8 (unimportant) + - golang-1.7 (unimportant) + NOTE: Golang upstream does not consider the issue to be fixable in Go, instread + NOTE: shifts responsibility to saml packages. NOTE: https://github.com/golang/go/issues/43168 NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ NOTE: https://github.com/russellhaering/gosaml2/security/advisories/GHSA-xhqq-x44f-9fgg -- cgit v1.2.3
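Review bot: The first added NOTE line for CVE-2020-29509 misspells "instead" as "instread"; please correct it before this lands. Separately, the removed stretch lines carried the justification "deemed unfixable by upstream who shifts responsibility to saml packages", and the four golang-1.x entries now say only "(unimportant)". The two new NOTE lines are then the only place the reasoning lives, so it would help to word them so they say explicitly that this is why the golang-1.x entries are rated unimportant, and that the fix is tracked through the golang-github-russellhaering-gosaml2 entry and the GHSA-xhqq-x44f-9fgg advisory linked below.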