In the qualitative analysis of archeogit using http-vulnerabilities, we found certain commits that likely contributed to a vulnerability but were not curated as such. The issue is a summary of all such commits for consideration.
187e9ae3b9d2e7c62d535c928db73fee597080d0 is a contributing commit. 187e9ae3b9d2e7c62d535c928db73fee597080d0 did indeed modify a line that was refactored to fix the vulnerability.
568bee156b4329169b706250bb9588c8797c4c2f is a contributing commit. 568bee156b4329169b706250bb9588c8797c4c2f seems like it refactored the lines that were later modified to fix the vulnerability but the contributing commit did more than refactor the code. Therefore, it is reasonable to expect 568bee156b4329169b706250bb9588c8797c4c2f to be characterized as a contributing commit.
69ad06ffee46b92c87fc53fbc813fa2d2f0256fd is a contributing commit. 69ad06ffee46b92c87fc53fbc813fa2d2f0256fd did indeed modify the lines that were deleted to fix the vulnerability.
63c7cfdf0d8a7cd88d36639d586c337e90f78feb is a contributing commit. 63c7cfdf0d8a7cd88d36639d586c337e90f78feb did indeed introduce the lines that were modified to fix the vulnerability.
761ef9ee176aef1a236f7f747ee9360acdcadeaf is a contributing commit. 761ef9ee176aef1a236f7f747ee9360acdcadeaf did indeed introduce the lines that were later modified to fix the vulnerability.
924367c21005fadc8f8a19689c6673bcfd5821dd is a contributing commit. 924367c21005fadc8f8a19689c6673bcfd5821dd did indeed introduce the lines that were modified to fix the vulnerability in d0dccd8815002f9fd10adb932fe40f34c4d4fff4.
69f198a6ea039ad1ea23784db8baa1be09f8fda4 is a contributing commit. 69f198a6ea039ad1ea23784db8baa1be09f8fda4 did indeed introduce the line that was later modified to fix the vulnerability in d0dccd8815002f9fd10adb932fe40f34c4d4fff4.
c56e381967c3e2435d803d0aeb30ede00e9b923e is a contributing commit. c56e381967c3e2435d803d0aeb30ede00e9b923e did indeed introduce the lines that were later removed to fix the vulnerability in d0dccd8815002f9fd10adb932fe40f34c4d4fff4.
e3e87d34a0280b4e88c87b86b715d2c710ffb7ec is a contributing commit. 4354842828c7f9133238d11a6279960986d1bd5e (the trunk version of the 2.4.x fix curated as d049e3ce42b89ba66c17b0cd8c4c5992ec2b12fe) fixed the vulnerability by, among other things, adding code to the static long gc(server_rec *s) function that was first introduced in e3e87d34a0280b4e88c87b86b715d2c710ffb7ec, which was correctly identified as a contributing commit.
2d12cf2d7a9635961cc3c46cfa7921da9c83d14c is a contributing commit. 2d12cf2d7a9635961cc3c46cfa7921da9c83d14c did indeed modify an if conditional that was missing an additional check leading to the vulnerability.
4647e5f71a4b2d1d62238b9bce854a501b5477fb is a contributing commit. 4647e5f71a4b2d1d62238b9bce854a501b5477fb did indeed add a few lines that were deleted/modified when fixing the vulnerability. Although the contributing commit is a reversion of a previous change, the change is still a valid candidate to be a contributing commit.
3987f79eb6a5d8ec7223d978c16221f80e81d465 is a contributing commit. 3987f79eb6a5d8ec7223d978c16221f80e81d465 is a contributing commit because the comment specifically states that the change is related to "Strictly observe spec on obs-fold". The if conditional change introduced in the contributing commit was indeed removed to fix the vulnerability, so the commit must be considered a candidate for contributing to the vulnerability.