Mike Gabriel · Mike Gabriel · Mike Gabriel · 6d658208 · 6d658208
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -7738,6 +7738,9 @@ CVE-2019-9929 (Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions
 	NOTE: cfengine2 has various publicly readable files in $STATEDIR that reveal info on the modifications done by cfengine2. No credentials found in such files, so far.
 	NOTE: https://github.com/cfengine/core/commit/f7556bf1a0061644e35114a07a91e9b0c3267c48#diff-291cd8f3f0f8a5c1875630ef64a667a2
 	NOTE: related: https://github.com/cfengine/core/commit/461dc7019ab5acebabc341143838a2307d9b92db#diff-a877a71a0122c0ea1c66c03883130b86
+	NOTE: above commits probably unrelated to CVE-2019-9929, but worth another CVE (communication with upstream ongoing)
+	NOTE: as CVE-2019-9929 is about secret leakage in the enterprise edition's installer log, Debian's cfengine3 package is likely not affected
+	NOTE: waiting for confirmation (or such) from upstream
 CVE-2019-9928 (GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP c ...)
 	{DSA-4437-1 DLA-1770-1 DLA-1769-1}
 	[experimental] - gst-plugins-base1.0 1.15.90-1
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -15,6 +15,9 @@ ansible (Abhijith PA)
 bind9 (Thorsten Alteholz)
  NOTE: 20190623: test package
 --
+cfengine3 (Mike Gabriel)
+  NOTE: 20190628: likely not affected by CVE-2019-9929, but other not-yet-CVE'ed issues ahead
+--
 expat (Markus Koschany)
 --
 faad2 (Hugo Lefeuvre)