author Salvatore Bonaccorso <carnil@debian.org> 2021-10-09 10:39:17 +0200
committer Salvatore Bonaccorso <carnil@debian.org> 2021-10-09 10:39:17 +0200
commit 2201c6c930125cac57f75573a79c5c87e1123e8a (patch)
tree 349a654e4adaf70bcf33e4a3c6feca19906a2650
parent 7f883bc5eb933e981e4d363b174f4cf6b776b366 (diff)
Merge in the accepted packages from bullseye 11.1
Though the release has not happened yet, this is the list of packages which were copied over from bullseye-pu to bullseye. The final 11.1 changes still need to be verified for any missing additional ones.
-rw-r--r-- data/CVE/list 55
-rw-r--r-- data/next-point-update.txt 56
2 files changed, 28 insertions, 83 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 6d36069010..49e9f4ef50 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1893,7 +1893,7 @@ CVE-2021-3808
RESERVED
CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Complexity ...)
- node-ansi-regex 5.0.1-1 (bug #994568)
- [bullseye] - node-ansi-regex <no-dsa> (Minor issue)
+ [bullseye] - node-ansi-regex 5.0.1-1~deb11u1
[buster] - node-ansi-regex <no-dsa> (Minor issue)
[stretch] - node-ansi-regex <not-affected> (Vulnerable code introduced later)
NOTE: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
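Review bot: The version on the + line, 5.0.1-1~deb11u1, uses a ~deb11u1 suffix rather than the +deb11u1 used by most other entries in this commit. That marks a rebuild of the unstable 5.0.1-1 package for bullseye (Debian version ordering sorts 5.0.1-1~deb11u1 below 5.0.1-1, so the unstable package still upgrades over it) instead of a patch on top of the bullseye version; worth confirming this is intended and that the tracker's version comparison accepts it as satisfying the fix. The same pattern appears for ublock-origin 1.37.0+dfsg-1~deb11u1 later in this diff.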
@@ -1902,7 +1902,7 @@ CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extra
NOT-FOR-US: Pardus Software Center
CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification of Obj ...)
- node-object-path 0.11.8-1
- [bullseye] - node-object-path <no-dsa> (Minor issue)
+ [bullseye] - node-object-path 0.11.5-3+deb11u1
[buster] - node-object-path <no-dsa> (Minor issue)
[stretch] - node-object-path <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
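Review bot: The bullseye version 0.11.5-3+deb11u1 added here is the same one used for CVE-2021-23434 further down, so a single upload closes both node-object-path issues; the unstable fix versions differ (0.11.8-1 here, 0.11.7-1 there) because the two were fixed in different upstream releases. Check that the deb11u1 changelog lists both CVE ids, otherwise the tracker's changelog cross-check will flag one of the two entries.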
@@ -2391,6 +2391,7 @@ CVE-2021-41078
RESERVED
CVE-2021-3801 (prism is vulnerable to Inefficient Regular Expression Complexity ...)
- node-prismjs 1.25.0+dfsg-1
+ [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1
NOTE: https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9
CVE-2021-41077 (The activation process in Travis CI, for certain 2021-09-03 through 20 ...)
NOT-FOR-US: Travis CI
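Review bot: This is the only hunk in data/CVE/list that adds a [bullseye] line rather than replacing a <no-dsa> one: before this change CVE-2021-3801 carried no bullseye triage decision at all and was simply open against the bullseye version. The added 1.23.0+dfsg-1+deb11u1 line resolves that, and no no-dsa reason is lost here.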
@@ -2846,7 +2847,7 @@ CVE-2021-3799 (grav-plugin-admin is vulnerable to Improper Restriction of Render
NOT-FOR-US: Grav CMS
CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buff ...)
- atftp 0.7.git20210915-1 (bug #994895)
- [bullseye] - atftp <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - atftp 0.7.git20120829-3.3+deb11u1
[buster] - atftp <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - atftp <postponed> (Minor issue)
NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
@@ -3297,7 +3298,7 @@ CVE-2021-XXXX [jws alg:none signature verification issue]
NOTE: https://github.com/babelouest/rhonabwy/commit/ff9ecad4c9a031c8369acde67ea52d558899e51e (v1.0.0)
CVE-2021-40818 (scheme/webauthn.c in Glewlwyd SSO server through 2.5.3 has a buffer ov ...)
- glewlwyd 2.5.2-3 (bug #993867)
- [bullseye] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - glewlwyd 2.5.2-2+deb11u1
[buster] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/babelouest/glewlwyd/commit/0efd112bb62f566877750ad62ee828bff579b4e2
CVE-2021-40683 (In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4 ...)
@@ -3600,7 +3601,7 @@ CVE-2021-40541
RESERVED
CVE-2021-40540 (ulfius_uri_logger in Ulfius HTTP Framework before 2.7.4 omits con_info ...)
- ulfius 2.7.1-2 (bug #993851)
- [bullseye] - ulfius <no-dsa> (Minor issue)
+ [bullseye] - ulfius 2.7.1-1+deb11u1
[buster] - ulfius <no-dsa> (Minor issue)
NOTE: https://github.com/babelouest/ulfius/commit/c83f564c184a27145e07c274b305cabe943bbfaa
CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnera ...)
@@ -4189,7 +4190,7 @@ CVE-2021-3750 [hcd-ehci: DMA reentrancy issue leads to use-after-free]
NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity ...)
- node-axios 0.21.3+dfsg-1
- [bullseye] - node-axios <no-dsa> (Minor issue)
+ [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1
[buster] - node-axios <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
NOTE: https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929
@@ -8275,7 +8276,7 @@ CVE-2021-38562
RESERVED
- request-tracker5 <unfixed> (bug #995167)
- request-tracker4 4.4.4+dfsg-3 (bug #995175)
- [bullseye] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release)
+ [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1
[buster] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release)
[stretch] - request-tracker4 <no-dsa> (Minor issue)
NOTE: https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c (rt-5.0.2)
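Review bot: This hunk resolves only request-tracker4 for bullseye while the request-tracker5 line above it stays <unfixed> (bug #995167) with no bullseye entry. If request-tracker5 is not shipped in bullseye that is fine; otherwise it still needs its own [bullseye] line, or CVE-2021-38562 will remain listed as open for the release after this merge.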
@@ -9315,7 +9316,7 @@ CVE-2020-36432 (An issue was discovered in the alg_ds crate through 2020-08-25 f
CVE-2021-38173 (Btrbk before 0.31.2 allows command execution because of the mishandlin ...)
{DLA-2755-1}
- btrbk 0.27.1-2
- [bullseye] - btrbk <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - btrbk 0.27.1-1.1+deb11u1
[buster] - btrbk <no-dsa> (Minor issue; can be fixed via point release)
NOTE: Fixed by: https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584 (v0.31.2)
NOTE: Introduced by: https://github.com/digint/btrbk/commit/ccb5ed5e7191a083da52998df4c880f693451144 (v0.23.0-rc1)
@@ -10094,7 +10095,7 @@ CVE-2021-37844
CVE-2021-3677 [Memory disclosure in certain queries]
RESERVED
- postgresql-13 13.4-1
- [bullseye] - postgresql-13 <no-dsa> (Minor issue; will be fixed via point release)
+ [bullseye] - postgresql-13 13.4-0+deb11u1
- postgresql-11 <removed>
[buster] - postgresql-11 <no-dsa> (Minor issue)
NOTE: https://www.postgresql.org/about/news/postgresql-134-128-1113-1018-9623-and-14-beta-3-released-2277/
@@ -10305,7 +10306,7 @@ CVE-2021-37751
CVE-2021-37750 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before ...)
{DLA-2771-1}
- krb5 1.18.3-7 (bug #992607)
- [bullseye] - krb5 <no-dsa> (Minor issue)
+ [bullseye] - krb5 1.18.3-6+deb11u1
[buster] - krb5 <no-dsa> (Minor issue)
NOTE: https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49
CVE-2021-37749 (MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16 ...)
@@ -12528,7 +12529,7 @@ CVE-2021-36774
RESERVED
CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...)
- ublock-origin 1.37.0+dfsg-1 (bug #991386)
- [bullseye] - ublock-origin <no-dsa> (Minor issue)
+ [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1
[buster] - ublock-origin <no-dsa> (Minor issue)
[stretch] - ublock-origin <no-dsa> (Minor issue)
- umatrix <unfixed> (bug #991344)
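Review bot: Only ublock-origin receives a bullseye fix version here; the umatrix entry at the end of the hunk remains <unfixed> (bug #991344) and its bullseye status lies outside the visible context. Since the CVE description names nMatrix alongside uBlock Origin and umatrix is the second package tracked under CVE-2021-36773, confirm umatrix has its own bullseye triage line so the CVE does not stay open for the release on its account alone.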
@@ -14558,7 +14559,7 @@ CVE-2021-3627
RESERVED
CVE-2021-35940 (An out-of-bounds array read in the apr_time_exp*() functions was fixed ...)
- apr 1.7.0-7 (bug #992789)
- [bullseye] - apr <no-dsa> (Minor issue)
+ [bullseye] - apr 1.7.0-6+deb11u1
[buster] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
[stretch] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
NOTE: The issue exists because the CVE-2017-12613 fix was not carried forward
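Review bot: The NOTE records that this issue is a regression of the CVE-2017-12613 fix (which is why buster and stretch are <not-affected>), but the entry gives no upstream commit to cross-check the new bullseye line against. For 1.7.0-6+deb11u1 it is worth confirming from the changelog that the original CVE-2017-12613 fix is carried forward for all apr_time_exp*() functions rather than a narrower patch for the reported read.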
@@ -15845,7 +15846,7 @@ CVE-2021-35369
CVE-2021-35368 [CRS Request Body Bypass]
RESERVED
- modsecurity-crs 3.3.2-1 (bug #992000)
- [bullseye] - modsecurity-crs <no-dsa> (Minor issue)
+ [bullseye] - modsecurity-crs 3.3.0-1+deb11u1
[buster] - modsecurity-crs <no-dsa> (Minor issue)
[stretch] - modsecurity-crs <no-dsa> (Minor issue)
NOTE: https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
@@ -17653,7 +17654,7 @@ CVE-2021-3596
CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP network ...)
{DLA-2753-1}
- libslirp 4.6.1-1 (bug #989996)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
@@ -17663,7 +17664,7 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne
CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP network ...)
{DLA-2753-1}
- libslirp 4.6.1-1 (bug #989995)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
@@ -17671,7 +17672,7 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP network ...)
- libslirp 4.6.1-1 (bug #989994)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <no-dsa> (Minor issue)
@@ -17680,7 +17681,7 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP network ...)
- libslirp 4.6.1-1 (bug #989993)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <ignored> (Introduces a regression. See Debian bug #994080)
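Review bot: The four libslirp hunks (CVE-2021-3592 through CVE-2021-3595) all point at the same bullseye version 4.4.0-1+deb11u2, and the u2 revision shows this is bullseye's second libslirp update, so the deb11u2 changelog needs to name all four ids for the tracker to treat them as closed. The qemu context lines stay at 1:4.1-2 because, per the NOTE in these hunks, qemu switched to the system libslirp at that version, so no separate qemu bullseye line is required. The stretch lines differ (CVE-2021-3593 is <no-dsa>, CVE-2021-3592 is <ignored> because of the regression in bug #994080); that asymmetry predates this change and is not affected by it.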
@@ -19956,7 +19957,7 @@ CVE-2021-33583 (REINER timeCard 6.05.07 installs a Microsoft SQL Server with an
NOT-FOR-US: REINER
CVE-2021-33582 (Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of s ...)
- cyrus-imapd 3.4.2-1 (bug #993433)
- [bullseye] - cyrus-imapd <no-dsa> (Minor issue; pending fix via point release)
+ [bullseye] - cyrus-imapd 3.2.6-2+deb11u1
[buster] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
- cyrus-imapd-2.4 <removed>
@@ -21885,14 +21886,14 @@ CVE-2021-32805 (Flask-AppBuilder is an application development framework, built
NOT-FOR-US: Flask-AppBuilder
CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4 ...)
- node-tar 6.1.7+~cs11.3.10-1 (bug #992111)
- [bullseye] - node-tar <no-dsa> (Minor issue)
+ [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
[buster] - node-tar <no-dsa> (Minor issue)
[stretch] - node-tar <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
NOTE: https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
CVE-2021-32803 (The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4 ...)
- node-tar 6.1.7+~cs11.3.10-1 (bug #992110)
- [bullseye] - node-tar <no-dsa> (Minor issue)
+ [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
[buster] - node-tar <no-dsa> (Minor issue)
[stretch] - node-tar <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw
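Review bot: The buster lines for both node-tar CVEs keep <no-dsa> (Minor issue) without stating whether a point-release fix is planned, unlike the atftp, glewlwyd and request-tracker4 entries in this diff which say so explicitly; consider aligning the reason text if a buster update is intended. Closing both CVEs with the single upload 6.0.5+ds1+~cs11.3.9-1+deb11u1 is fine, since the descriptions show they were fixed in consecutive upstream releases (6.1.1 and 6.1.2).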
@@ -30603,7 +30604,7 @@ CVE-2021-29489 (Highcharts JS is a JavaScript charting library based on SVG. In
NOT-FOR-US: Highcharts JS
CVE-2021-29488 (SABnzbd is an open source binary newsreader. A vulnerability was disco ...)
- sabnzbdplus 3.2.1+dfsg-1
- [bullseye] - sabnzbdplus <no-dsa> (Minor issue; non-free/contrib not security supported)
+ [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1
[buster] - sabnzbdplus <no-dsa> (Minor issue; non-free/contrib not security supported)
[stretch] - sabnzbdplus <no-dsa> (Minor issue; contrib not supported)
NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-jwj3-wrvf-v3rp
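Review bot: The removed bullseye line gave "non-free/contrib not security supported" as the no-dsa reason, yet the fix now ships as 3.1.1+dfsg-2+deb11u1 through the point release. That is consistent (point releases are not limited by the security-support scope), but the buster line keeps the identical reason, which reads as if buster could not be fixed the same way; consider rewording the buster reason so it reflects that a point-release fix is possible.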
@@ -45202,7 +45203,7 @@ CVE-2021-23441 (All versions of package com.jsoniter:jsoniter are vulnerable to
NOT-FOR-US: com.jsoniter:jsoniter
CVE-2021-23440 (This affects the package set-value before 4.0.1. A type confusion vuln ...)
- node-set-value 3.0.1-3 (bug #994448)
- [bullseye] - node-set-value <no-dsa> (Minor issue)
+ [bullseye] - node-set-value 3.0.1-2+deb11u1
[buster] - node-set-value <no-dsa> (Minor issue)
[stretch] - node-set-value <no-dsa> (Minor issue)
NOTE: https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 (v4.0.1)
@@ -45223,7 +45224,7 @@ CVE-2021-23435 (This affects the package clearance before 2.5.0. The vulnerabili
NOT-FOR-US: Rails clearance gem
CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confusion v ...)
- node-object-path 0.11.7-1
- [bullseye] - node-object-path <no-dsa> (Minor issue)
+ [bullseye] - node-object-path 0.11.5-3+deb11u1
[buster] - node-object-path <no-dsa> (Minor issue)
[stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
@@ -88811,7 +88812,7 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using
CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...)
{DLA-2726-1}
- shiro 1.3.2-5 (bug #988728)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
NOTE: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E
@@ -98055,7 +98056,7 @@ CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6
CVE-2020-13933 (Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafte ...)
{DLA-2726-1}
- shiro 1.3.2-5 (bug #968753)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E
CVE-2020-13932 (In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT p ...)
@@ -103229,7 +103230,7 @@ CVE-2020-11990 (We have resolved a security issue in the camera plugin that coul
CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...)
{DLA-2273-1}
- shiro 1.3.2-5 (bug #988728)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
NOTE: https://github.com/apache/shiro/pull/211
@@ -131299,7 +131300,7 @@ CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, calle
CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...)
{DLA-2273-1 DLA-2181-1}
- shiro 1.3.2-5 (bug #955018)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2
NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139
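Review bot: Two of the four Apache Shiro entries closed by 1.3.2-4+deb11u1 (CVE-2020-17510 and CVE-2020-11989) share bug #988728, which is fine for a single upload but means that bug report, and the deb11u1 changelog, should list both ids so the tracker's changelog cross-check does not flag one as unmentioned. The DLA references already present on these entries (DLA-2273-1, DLA-2181-1, DLA-2726-1) show the same set was handled for LTS, and the buster lines are left as <no-dsa>, which is consistent with that.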
diff --git a/data/next-point-update.txt b/data/next-point-update.txt
index 5732045040..51a2a13183 100644
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -1,59 +1,3 @@
-CVE-2021-32803
- [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
-CVE-2021-32804
- [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
-CVE-2021-3677
- [bullseye] - postgresql-13 13.4-0+deb11u1
-CVE-2021-35940
- [bullseye] - apr 1.7.0-6+deb11u1
-CVE-2021-35368
- [bullseye] - modsecurity-crs 3.3.0-1+deb11u1
-CVE-2021-29488
- [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1
-CVE-2020-1957
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2020-11989
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2020-13933
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2020-17510
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2021-36773
- [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1
-CVE-2021-37750
- [bullseye] - krb5 1.18.3-6+deb11u1
-CVE-2021-33582
- [bullseye] - cyrus-imapd 3.2.6-2+deb11u1
-CVE-2021-3749
- [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1
-CVE-2021-38173
- [bullseye] - btrbk 0.27.1-1.1+deb11u1
-CVE-2021-23434
- [bullseye] - node-object-path 0.11.5-3+deb11u1
-CVE-2021-3805
- [bullseye] - node-object-path 0.11.5-3+deb11u1
-CVE-2021-23440
- [bullseye] - node-set-value 3.0.1-2+deb11u1
-CVE-2021-41054
- [bullseye] - atftp 0.7.git20120829-3.3+deb11u1
-CVE-2021-40818
- [bullseye] - glewlwyd 2.5.2-2+deb11u1
-CVE-2021-40540
- [bullseye] - ulfius 2.7.1-1+deb11u1
-CVE-2021-3807
- [bullseye] - node-ansi-regex 5.0.1-1~deb11u1
-CVE-2021-3801
- [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1
-CVE-2021-3592
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-3595
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-3594
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-3593
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-38562
- [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1
CVE-2019-11098
[bullseye] - edk2 2020.11-2+deb11u1
CVE-2021-38155
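Review bot: The 28 CVE entries removed here correspond one-to-one with the 28 + [bullseye] lines added in data/CVE/list (matching the diffstat's 28 insertions), and the versions agree in every case, including the shared ones (node-tar, libslirp 4.4.0-1+deb11u2, shiro 1.3.2-4+deb11u1, node-object-path 0.11.5-3+deb11u1). Two queued entries survive as context, CVE-2019-11098 (edk2 2020.11-2+deb11u1) and CVE-2021-38155, and are therefore not part of this merge; given the commit message's caveat that the final 11.1 contents are still unverified, those two are the ones to re-check once the point release is announced.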
