author | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-19 10:59:00 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-06-19 10:59:00 +0200 |
commit | 55d4a6bb113a0028d39c30bd635be25f6bcc3578 (patch) | |
tree | 41a129885b31851b39bb160da0fa5cd5c732c596 | |
parent | e7cc22af902cd45b11bb39c071b3a25ffe2df382 (diff) |
Merge already accepted packages for 10.10
-rw-r--r-- | data/CVE/list | 145 |
-rw-r--r-- | data/next-point-update.txt | 144 |
2 files changed, 73 insertions, 216 deletions
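Review bot: the diffstat does not reconcile with the hunks rendered below. The visible data/CVE/list hunks contain 69 `+` lines and 68 `-` lines (137 changed lines: 68 replacements of a `[buster] - <package> <no-dsa> (...)` triage plus the one-line insertion for CVE-2020-24977), but the diffstat credits that file with 145, and no hunk at all is shown for data/next-point-update.txt despite its 144 deletions. Either the page is truncated (most likely, since the next-point-update.txt diff is absent entirely) or the diffstat and the patch body disagree. For a merge whose whole purpose is to move accepted point-release entries out of next-point-update.txt into data/CVE/list, the check worth doing is that every entry removed from the former has a matching `[buster] - <package> <version>` line in the latter; that cannot be done from what is shown here.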
diff --git a/data/CVE/list b/data/CVE/list index 06a1a4304b..f75166991c 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -2657,7 +2657,7 @@ CVE-2021-33834 RESERVED CVE-2021-33833 (ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based b ...) - connman 1.36-2.2 (bug #989662) - [buster] - connman <no-dsa> (Minor issue) + [buster] - connman 1.36-2.1~deb10u2 [stretch] - connman <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/09/1 NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c @@ -2729,7 +2729,7 @@ CVE-2021-3579 CVE-2021-3578 [possible remote code execution in isync/mbsync] RESERVED - isync 1.3.0-2.2 (bug #989564) - [buster] - isync <no-dsa> (Minor issue) + [buster] - isync 1.3.0-2.2~deb10u1 [stretch] - isync <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/06/07/1 CVE-2021-33806 (The BDew BdLib library before 1.16.1.7 for Minecraft allows remote cod ...) @@ -3341,7 +3341,7 @@ CVE-2021-33561 (A stored cross-site scripting (XSS) vulnerability in Shopizer be NOT-FOR-US: Shopizer CVE-2021-33560 (Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encry ...) - libgcrypt20 1.8.7-6 - [buster] - libgcrypt20 <no-dsa> (Minor issue) + [buster] - libgcrypt20 1.8.4-5+deb10u1 [stretch] - libgcrypt20 <no-dsa> (Minor issue) NOTE: https://dev.gnupg.org/T5328 (not yet public) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320 @@ -3535,7 +3535,7 @@ CVE-2021-33478 RESERVED CVE-2021-3561 (An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bound ...) - fig2dev 1:3.2.8-3 - [buster] - fig2dev <no-dsa> (Minor issue) + [buster] - fig2dev 1:3.2.7a-5+deb10u4 [stretch] - fig2dev <no-dsa> (Minor issue) - transfig <removed> NOTE: https://sourceforge.net/p/mcj/tickets/116/ 
@@ -4209,10 +4209,10 @@ CVE-2021-33477 (rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 all {DLA-2683-1 DLA-2682-1 DLA-2681-1 DLA-2671-1} - rxvt <removed> - rxvt-unicode 9.22-11 (bug #988763) - [buster] - rxvt-unicode <no-dsa> (Minor issue) + [buster] - rxvt-unicode 9.22-6+deb10u1 - mrxvt <removed> - eterm 0.9.6-6.1 (bug #989041) - [buster] - eterm <no-dsa> (Minor issue) + [buster] - eterm 0.9.6-5+deb10u1 NOTE: https://www.openwall.com/lists/oss-security/2021/05/17/1 NOTE: Mentioned first in: https://www.openwall.com/lists/oss-security/2017/05/01/20 NOTE: Fixed by: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583 @@ -5390,7 +5390,7 @@ CVE-2021-32641 (auth0-lock is Auth0's signin solution. Versions of nauth0-lock b NOT-FOR-US: auth0-lock CVE-2021-32640 (ws is an open source WebSocket client and server library for Node.js. ...) - node-ws 7.4.2+~cs18.0.8-2 - [buster] - node-ws <no-dsa> (Minor issue) + [buster] - node-ws 1.1.0+ds1.e6ddaae4-5+deb10u1 [stretch] - node-ws <no-dsa> (Minor issue) NOTE: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693 NOTE: https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff @@ -5817,7 +5817,7 @@ CVE-2021-3541 RESERVED {DLA-2669-1} - libxml2 2.9.10+dfsg-6.7 (bug #988603) - [buster] - libxml2 <no-dsa> (Minor issue) + [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950515 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228 (currently private) 
@@ -6691,7 +6691,7 @@ CVE-2019-25043 (ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, CVE-2021-3537 (A vulnerability found in libxml2 in versions before 2.9.11 shows that ...) {DLA-2653-1} - libxml2 2.9.10+dfsg-6.6 (bug #988123) - [buster] - libxml2 <no-dsa> (Minor issue) + [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/244 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/245 
@@ -7236,25 +7236,25 @@ CVE-2021-31874 RESERVED CVE-2021-31873 (An issue was discovered in klibc before 2.0.9. Additions in the malloc ...) - klibc 2.0.8-6 (bug #989505) - [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) + [buster] - klibc 2.0.6-1+deb10u1 [stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=a31ae8c508fc8d1bca4f57e9f9f88127572d5202 NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1 CVE-2021-31872 (An issue was discovered in klibc before 2.0.9. Multiple possible integ ...) - klibc 2.0.8-6 (bug #989505) - [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) + [buster] - klibc 2.0.6-1+deb10u1 [stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1 CVE-2021-31871 (An issue was discovered in klibc before 2.0.9. An integer overflow in ...) - klibc 2.0.8-6 (bug #989505) - [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) + [buster] - klibc 2.0.6-1+deb10u1 [stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5 NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1 CVE-2021-31870 (An issue was discovered in klibc before 2.0.9. Multiplication in the c ...) 
- klibc 2.0.8-6 (bug #989505) - [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) + [buster] - klibc 2.0.6-1+deb10u1 [stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data) NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2 NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1 @@ -7406,19 +7406,19 @@ CVE-2020-36326 (PHPMailer 6.1.8 through 6.4.0 allows object injection through Ph CVE-2021-3518 (There's a flaw in libxml2 in versions before 2.9.11. An attacker who i ...) {DLA-2653-1} - libxml2 2.9.10+dfsg-6.6 (bug #987737) - [buster] - libxml2 <no-dsa> (Minor issue) + [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7 CVE-2021-3517 (There is a flaw in the xml entity encoding functionality of libxml2 in ...) {DLA-2653-1} - libxml2 2.9.10+dfsg-6.6 (bug #987738) - [buster] - libxml2 <no-dsa> (Minor issue) + [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2 CVE-2021-3516 (There's a flaw in libxml2's xmllint in versions before 2.9.11. An atta ...) {DLA-2653-1} - libxml2 2.9.10+dfsg-6.6 (bug #987739) - [buster] - libxml2 <no-dsa> (Minor issue) + [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539 CVE-2021-3515 (A shell injection flaw was found in pglogical in versions before 2.3.4 ...) 
@@ -13215,7 +13215,7 @@ CVE-2021-29470 (Exiv2 is a command-line utility and C++ library for reading, wri NOTE: https://github.com/Exiv2/exiv2/commit/c372f2677d6f7cf88a8f26ef6bc175561e406ee2 CVE-2021-29469 (Node-redis is a Node.js Redis client. Before version 3.1.1, when a cli ...) - node-redis 3.0.2+~cs5.18.1-3 - [buster] - node-redis <no-dsa> (Minor issue) + [buster] - node-redis 2.8.0-1+deb10u1 NOTE: https://github.com/NodeRedis/node-redis/issues/1569 NOTE: https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3 NOTE: https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e @@ -13503,10 +13503,10 @@ CVE-2021-29377 CVE-2021-29376 (ircII before 20210314 allows remote attackers to cause a denial of ser ...) - ircii-pana <removed> - ircii 20210314-1 (bug #986214) - [buster] - ircii <no-dsa> (Minor issue) + [buster] - ircii 20190117-1+deb10u1 [stretch] - ircii <postponed> (Minor issue; can be fixed in next update) - scrollz 2.2.3-2 (bug #986215) - [buster] - scrollz <no-dsa> (Minor issue) + [buster] - scrollz 2.2.3-1+deb10u1 [stretch] - scrollz <postponed> (Minor issue; can be fixed in next update) NOTE: https://www.openwall.com/lists/oss-security/2021/03/24/2 NOTE: https://github.com/ScrollZ/ScrollZ/issues/25 @@ -15733,7 +15733,7 @@ CVE-2021-28422 RESERVED CVE-2021-28421 (FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/f ...) - fluidsynth 2.1.7-1.1 (bug #987168) - [buster] - fluidsynth <no-dsa> (Minor issue) + [buster] - fluidsynth 1.1.11-1+deb10u1 [stretch] - fluidsynth <postponed> (Minor issue; can be fixed in next update) NOTE: https://github.com/FluidSynth/fluidsynth/issues/808 NOTE: https://github.com/FluidSynth/fluidsynth/pull/810 
@@ -16384,7 +16384,7 @@ CVE-2016-20009 (** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer NOT-FOR-US: Wind River VxWorks CVE-2021-28153 (An issue was discovered in GNOME GLib before 2.66.8. When g_file_repla ...) - glib2.0 2.66.7-2 (bug #984969) - [buster] - glib2.0 <no-dsa> (Minor issue) + [buster] - glib2.0 2.58.3-2+deb10u3 [stretch] - glib2.0 <postponed> (Minor issue, directory traversal exploitable in file-roller) NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2325 CVE-2021-3435 @@ -18558,7 +18558,7 @@ CVE-2021-27230 (ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Co CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim navigates ...) {DLA-2562-1} - mumble 1.3.4-1 (bug #982904) - [buster] - mumble <no-dsa> (Minor issue) + [buster] - mumble 1.3.0~git20190125.440b173+dfsg-2+deb10u1 NOTE: https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648 NOTE: https://github.com/mumble-voip/mumble/pull/4733 CVE-2021-27228 (An issue was discovered in Shinobi through ocean version 1. lib/auth.j ...) @@ -18848,7 +18848,7 @@ CVE-2021-27105 CVE-2021-3407 (A flaw was found in mupdf 1.18.0. Double free of object during lineari ...) {DLA-2589-1} - mupdf 1.17.0+ds1-1.3 (bug #983684) - [buster] - mupdf <no-dsa> (Minor issue) + [buster] - mupdf 1.14.0+ds1-4+deb10u3 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703366 (not public yet) CVE-2021-3406 (A flaw was found in keylime 5.8.1 and older. The issue in the Keylime ...) 
@@ -19267,7 +19267,7 @@ CVE-2021-26930 (An issue was discovered in the Linux kernel 3.11 through 5.10.16 CVE-2021-26929 (An XSS issue was discovered in Horde Groupware Webmail Edition through ...) {DLA-2564-1} - php-horde-text-filter 2.3.7-1 (bug #982769) - [buster] - php-horde-text-filter <no-dsa> (Minor issue) + [buster] - php-horde-text-filter 2.3.5-3+deb10u2 NOTE: https://lists.horde.org/archives/announce/2021/001298.html NOTE: https://github.com/horde/Text_Filter/commit/c26f938854c36b981558a3b1b9b2f81403cff60e (master) NOTE: https://github.com/horde/Text_Filter/commit/a2f67da064d7a91440b7a2448e56a6387ab94c67 (v2.3.7) @@ -19489,13 +19489,13 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before ...) - glib2.0 2.66.7-1 (bug #982779) - [buster] - glib2.0 <no-dsa> (Minor issue) + [buster] - glib2.0 2.58.3-2+deb10u3 [stretch] - glib2.0 <postponed> (fix along with CVE-2021-27219) NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942 NOTE: Test case depends on CVE-2021-27219 fix CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before ...) - glib2.0 2.66.6-1 (bug #982778) - [buster] - glib2.0 <no-dsa> (Minor issue) + [buster] - glib2.0 2.58.3-2+deb10u3 [stretch] - glib2.0 <postponed> (requires fixing vulnerable rdeps, follow buster strategy) NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319 NOTE: Fix introduces new API 'g_memdup2' 
@@ -23690,7 +23690,7 @@ CVE-2021-25218 CVE-2021-25217 (In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 ( ...) {DLA-2674-1} - isc-dhcp 4.4.1-2.3 (bug #989157) - [buster] - isc-dhcp <no-dsa> (Can be fixed via point release) + [buster] - isc-dhcp 4.4.1-2+deb10u1 NOTE: https://kb.isc.org/docs/cve-2021-25217 NOTE: https://www.openwall.com/lists/oss-security/2021/05/26/6 NOTE: https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches/4.4.2.CVE-2021-25217.patch @@ -27755,7 +27755,7 @@ CVE-2021-23370 (This affects the package swiper before 6.5.1. ...) NOT-FOR-US: swiper CVE-2021-23369 (The package handlebars before 4.7.7 are vulnerable to Remote Code Exec ...) - node-handlebars 3:4.7.6+~4.1.0-2 - [buster] - node-handlebars <no-dsa> (Minor issue; will be fixed via point release) + [buster] - node-handlebars 3:4.1.0-1+deb10u3 - libjs-handlebars <removed> [stretch] - libjs-handlebars <ignored> (Minor issue and too intrusive to backport) NOTE: https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8 @@ -27783,7 +27783,7 @@ CVE-2021-23363 (This affects the package kill-by-port before 0.0.2. If (attacker NOT-FOR-US: Node kill-by-port CVE-2021-23362 (The package hosted-git-info before 3.0.8 are vulnerable to Regular Exp ...) - node-hosted-git-info 3.0.8-1 - [buster] - node-hosted-git-info <no-dsa> (Minor issue) + [buster] - node-hosted-git-info 2.7.1-1+deb10u1 [stretch] - node-hosted-git-info <not-affected> (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3 NOTE: https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355 
@@ -29194,7 +29194,7 @@ CVE-2021-22697 (A CWE-434: Unrestricted Upload of File with Dangerous Type vulne CVE-2020-36189 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2996 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -29202,7 +29202,7 @@ CVE-2020-36189 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36188 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2996 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -29210,7 +29210,7 @@ CVE-2020-36188 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36187 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2997 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -29218,7 +29218,7 @@ CVE-2020-36187 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36186 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2997 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -29226,7 +29226,7 @@ CVE-2020-36186 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36185 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2998 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -29234,7 +29234,7 @@ CVE-2020-36185 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36184 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2998 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -29242,7 +29242,7 @@ CVE-2020-36184 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36183 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/3003 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -29250,7 +29250,7 @@ CVE-2020-36183 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36182 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -29258,7 +29258,7 @@ CVE-2020-36182 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36181 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -29266,7 +29266,7 @@ CVE-2020-36181 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36180 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -29274,7 +29274,7 @@ CVE-2020-36180 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-36179 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -32979,7 +32979,7 @@ CVE-2020-35729 (KLog Server 2.4.1 allows OS command injection via shell metachar CVE-2020-35728 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2999 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -36384,7 +36384,7 @@ CVE-2021-20248 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1927740 CVE-2021-20247 (A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of th ...) - isync 1.3.0-2.1 (bug #983351) - [buster] - isync <no-dsa> (Minor issue) + [buster] - isync 1.3.0-2.2~deb10u1 [stretch] - isync <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/02/22/1 CVE-2021-20246 (A flaw was found in ImageMagick in MagickCore/resample.c. An attacker ...) @@ -36481,13 +36481,13 @@ CVE-2021-20233 (A flaw was found in grub2 in versions prior to 2.06. Setparam_pr [stretch] - grub2 <ignored> (No SecureBoot support in stretch) CVE-2021-20232 (A flaw was found in gnutls. A use after free issue in client_send_para ...) - gnutls28 3.7.1-1 - [buster] - gnutls28 <no-dsa> (Minor issue) + [buster] - gnutls28 3.6.7-4+deb10u7 [stretch] - gnutls28 <not-affected> (Vulnerable code introduced later) NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1151 CVE-2021-20231 (A flaw was found in gnutls. A use after free issue in client sending k ...) - gnutls28 3.7.1-1 - [buster] - gnutls28 <no-dsa> (Minor issue) + [buster] - gnutls28 3.6.7-4+deb10u7 [stretch] - gnutls28 <not-affected> (Vulnerable code introduced later) NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1151 @@ -36625,7 +36625,7 @@ CVE-2021-20205 (Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a deni CVE-2021-20204 (A heap memory corruption problem (use after free) can be triggered in ...) {DLA-2660-1} - libgetdata 0.10.0-10 (bug #988239) - [buster] - libgetdata <no-dsa> (Minor issue) + [buster] - libgetdata 0.10.0-5+deb10u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956348 NOTE: https://bugs.launchpad.net/ubuntu/+source/libgetdata/+bug/1912050 CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...) 
@@ -36700,7 +36700,7 @@ CVE-2021-20191 (A flaw was found in ansible. Credentials, such as secrets, are b CVE-2021-20190 (A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishan ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2854 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -37207,7 +37207,7 @@ CVE-2020-35492 (A flaw was found in cairo's image-compositor.c in all versions p CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -37215,7 +37215,7 @@ CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -37434,7 +37434,7 @@ CVE-2020-35460 (common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allo CVE-2020-35459 (An issue was discovered in ClusterLabs crmsh through 4.2.1. Local atta ...) {DLA-2533-1} - crmsh 4.2.1-2 (bug #985376) - [buster] - crmsh <no-dsa> (Minor issue) + [buster] - crmsh 4.0.0~git20190108.3d56538-3+deb10u1 NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/3 CVE-2020-35458 (An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There ...) - hawk <itp> (bug #634344) @@ -38025,7 +38025,7 @@ CVE-2020-35177 (HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the CVE-2020-35176 (In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial a ...) {DLA-2506-1} - awstats 7.8-2 (bug #977190) - [buster] - awstats <no-dsa> (Minor issue; can be fixed via point release) + [buster] - awstats 7.6+dfsg-2+deb10u1 NOTE: https://github.com/eldy/awstats/issues/195 NOTE: https://github.com/eldy/AWStats/commit/96756d7f40e002cc1e6ba72c633fb66b92e54f49 CVE-2020-35175 (Frappe Framework 12 and 13 does not properly validate the HTTP method ...) @@ -39975,7 +39975,7 @@ CVE-2020-29601 (The official notary docker images before signer-0.6.1-1 contain CVE-2020-29600 (In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute ...) {DLA-2506-1} - awstats 7.8-1 (bug #891469) - [buster] - awstats <no-dsa> (Minor issue; can be fixed via point release) + [buster] - awstats 7.6+dfsg-2+deb10u1 NOTE: https://github.com/eldy/awstats/issues/90 NOTE: https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376 CVE-2020-29599 (ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the - ...) 
@@ -42885,7 +42885,7 @@ CVE-2021-1406 (A vulnerability in Cisco Unified Communications Manager (Unified CVE-2021-1405 (A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) ...) {DLA-2626-1} - clamav 0.103.2+dfsg-1 (bug #986622; bug #986790) - [buster] - clamav <no-dsa> (clamav is updated via -updates) + [buster] - clamav 0.103.2+dfsg-0+deb10u1 NOTE: https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html CVE-2021-1404 (A vulnerability in the PDF parsing module in Clam AntiVirus (ClamAV) S ...) - clamav 0.103.2+dfsg-1 (bug #986622; bug #986790) @@ -43711,12 +43711,12 @@ CVE-2021-1077 (NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 dr - nvidia-graphics-drivers-tesla-460 460.73.01-1 (bug #987222) CVE-2021-1076 (NVIDIA GPU Display Driver for Windows and Linux, all versions, contain ...) - nvidia-graphics-drivers 460.73.01-1 (bug #987216) - [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [buster] - nvidia-graphics-drivers 418.197.02-1 - nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #987217) [buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported) [stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx 390.143-1 (bug #987218) - [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported) + [buster] - nvidia-graphics-drivers-legacy-390xx 390.143-1~deb10u1 - nvidia-graphics-drivers-tesla-418 418.197.02-1 (bug #987219) - nvidia-graphics-drivers-tesla-440 <unfixed> (bug #987220) - nvidia-graphics-drivers-tesla-450 450.119.03-1 (bug #987221) 
@@ -44037,7 +44037,7 @@ CVE-2020-28470 (This affects the package @scullyio/scully before 1.0.9. The tran NOT-FOR-US: scully CVE-2020-28469 (This affects the package glob-parent before 5.1.2. The enclosure regex ...) - node-glob-parent 5.1.1+~5.1.0-2 - [buster] - node-glob-parent <no-dsa> (Minor issue) + [buster] - node-glob-parent 3.1.0-1+deb10u1 [stretch] - node-glob-parent <postponed> (Minor issue; can be fixed in next update) NOTE: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 NOTE: https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366 @@ -51782,7 +51782,7 @@ CVE-2019-20921 (bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS) NOT-FOR-US: bootstrap-select CVE-2019-20920 (Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrar ...) - node-handlebars 3:4.5.3-1 - [buster] - node-handlebars <no-dsa> (Minor issue) + [buster] - node-handlebars 3:4.1.0-1+deb10u3 - libjs-handlebars <removed> [stretch] - libjs-handlebars <ignored> (Only reverse depends was diaspora which not in stretch and too intrusive to backport) NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 @@ -53165,7 +53165,7 @@ CVE-2020-25650 (A flaw was found in the way the spice-vdagentd daemon handled fi CVE-2020-25649 (A flaw was found in FasterXML Jackson Databind, where it did not have ...) {DLA-2406-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2589 NOTE: https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59 (jackson-databind-2.11.0.rc1) CVE-2020-25648 (A flaw was found in the way NSS handled CCS (ChangeCipherSpec) message ...) 
@@ -54766,6 +54766,7 @@ CVE-2020-24978 (In NASM 2.15.04rc3, there is a double-free vulnerability in pp_t CVE-2020-24977 (GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerabil ...) {DLA-2369-1} - libxml2 2.9.10+dfsg-6.2 (unimportant; bug #969529) + [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2 NOTE: The issue is specific and restricted to xmllint: @@ -55252,7 +55253,7 @@ CVE-2020-24751 CVE-2020-24750 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2798 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -55451,7 +55452,7 @@ CVE-2020-24660 (An issue was discovered in LemonLDAP::NG through 2.0.8, when NGI NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290 CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can trigger ...) - gnutls28 3.6.15-1 (bug #969547) - [buster] - gnutls28 <no-dsa> (Minor issue) + [buster] - gnutls28 3.6.7-4+deb10u7 [stretch] - gnutls28 <not-affected> (Vulnerable code introduced later) NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1071 
@@ -55547,7 +55548,7 @@ CVE-2020-24617 (Mailtrain through 1.24.1 allows SQL Injection in statsClickedSub CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...) {DLA-2638-1} - jackson-databind 2.12.1-1 - [buster] - jackson-databind <no-dsa> (Minor issue) + [buster] - jackson-databind 2.9.8-3+deb10u3 NOTE: https://github.com/FasterXML/jackson-databind/issues/2814 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -72039,7 +72040,7 @@ CVE-2020-16601 RESERVED CVE-2020-16600 (A Use After Free vulnerability exists in Artifex Software, Inc. MuPDF ...) - mupdf 1.17.0+ds1-1 (bug #989526) - [buster] - mupdf <no-dsa> (only reads formerly used memory) + [buster] - mupdf 1.14.0+ds1-4+deb10u3 [stretch] - mupdf <not-affected> (Vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702253 NOTE: http://git.ghostscript.com/?p=mupdf.git;h=96751b25462f83d6e16a9afaf8980b0c3f979c8b @@ -76044,7 +76045,7 @@ CVE-2020-15079 (In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, t NOT-FOR-US: PrestaShop CVE-2020-15078 (OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass ...) - openvpn 2.5.1-2 (bug #987380) - [buster] - openvpn <no-dsa> (Minor issue) + [buster] - openvpn 2.4.7-1+deb10u1 [stretch] - openvpn <no-dsa> (Minor issue) NOTE: https://github.com/OpenVPN/openvpn/commit/f7b3bf067ffce72e7de49a4174fd17a3a83f0573 (v2.5.2) NOTE: https://github.com/OpenVPN/openvpn/commit/3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a (v2.5.2) 
@@ -79343,7 +79344,7 @@ CVE-2020-13937 (Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2. CVE-2020-13936 (An attacker that is able to modify Velocity templates may execute arbi ...) {DLA-2595-1} - velocity 1.7-6 (bug #985220) - [buster] - velocity <no-dsa> (Minor issue) + [buster] - velocity 1.7-5+deb10u1 NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/1 NOTE: Fixed by: https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485 CVE-2020-13935 (The payload length in a WebSocket frame was not correctly validated in ...) @@ -81517,7 +81518,7 @@ CVE-2020-13125 (An issue was discovered in the "Ultimate Addons for Elementor" p NOT-FOR-US: "Ultimate Addons for Elementor" plugin for WordPress CVE-2020-13124 (SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in ...) - sabnzbdplus 3.1.1+dfsg-1 - [buster] - sabnzbdplus <no-dsa> (Minor issue, can be fixed via point release, contrib not supported) + [buster] - sabnzbdplus 2.3.6+dfsg-1+deb10u1 [stretch] - sabnzbdplus <ignored> (contrib not supported) NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-9x87-96gg-33w2 NOTE: https://github.com/sabnzbd/sabnzbd/commit/dfcba6e2fb37f58fea06b453b1ba258c7f110429 @@ -83178,7 +83179,7 @@ CVE-2020-12461 (PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has CVE-2020-12460 (OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper nul ...) {DLA-2639-1} - opendmarc 1.4.0~beta1+dfsg-3 (bug #966464) - [buster] - opendmarc <no-dsa> (Minor issue) + [buster] - opendmarc 1.3.2-6+deb10u2 NOTE: https://github.com/trusteddomainproject/OpenDMARC/issues/64 NOTE: https://github.com/trusteddomainproject/OpenDMARC/commit/50d28af25d8735504b6103537228ce7f76ad765f CVE-2020-12459 (In certain Red Hat packages for Grafana 6.x through 6.3.6, the configu ...) 
@@ -85616,7 +85617,7 @@ CVE-2020-11811 (In qdPM 9.1, an attacker can upload a malicious .php file to the NOT-FOR-US: qdPM CVE-2020-11810 (An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can ...) - openvpn 2.4.9-1 (low) - [buster] - openvpn <no-dsa> (Minor issue) + [buster] - openvpn 2.4.7-1+deb10u1 [stretch] - openvpn <no-dsa> (Minor issue) [jessie] - openvpn <no-dsa> (Minor issue) NOTE: https://github.com/OpenVPN/openvpn/commit/37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab @@ -97069,7 +97070,7 @@ CVE-2020-7664 (In all versions of the package github.com/unknwon/cae/zip, the Ex CVE-2020-7663 (websocket-extensions ruby module prior to 0.1.5 allows Denial of Servi ...) {DLA-2334-1} - ruby-websocket-extensions 0.1.5-1 (bug #964274) - [buster] - ruby-websocket-extensions <no-dsa> (Minor issue) + [buster] - ruby-websocket-extensions 0.1.2-1+deb10u1 NOTE: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2 NOTE: https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b CVE-2020-7662 (websocket-extensions npm module prior to 0.1.4 allows Denial of Servic ...) @@ -101161,7 +101162,7 @@ CVE-2020-6099 RESERVED CVE-2020-6098 (An exploitable denial of service vulnerability exists in the freeDiame ...) - freediameter 1.2.1-8 (bug #985088) - [buster] - freediameter <no-dsa> (Minor issue) + [buster] - freediameter 1.2.1-7+deb10u1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1030 NOTE: Possible fix: http://www.freediameter.net/trac/changeset/19ab8ac08a361642e7f9ec9f2657202c6f8ef9ee/freeDiameter?old=edfb2b662b91af94b2fccc48b11eec904ccab370 CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atftpd da ...) 
@@ -103278,7 +103279,7 @@ CVE-2020-5209 (In NetHack before 3.6.5, unknown options starting with -de and -i CVE-2020-5208 (It's been found that multiple functions in ipmitool before 1.8.19 negl ...) {DLA-2098-1} - ipmitool 1.8.18-10.1 (bug #950761) - [buster] - ipmitool <no-dsa> (Minor issue) + [buster] - ipmitool 1.8.18-6+deb10u1 [stretch] - ipmitool <no-dsa> (Minor issue) NOTE: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp NOTE: https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2 @@ -115170,7 +115171,7 @@ CVE-2019-18850 (TrevorC2 v1.1/v1.2 fails to prevent fingerprinting primarily via CVE-2019-18849 (In tnef before 1.4.18, an attacker may be able to write to the victim' ...) {DLA-2005-1} - tnef 1.4.18-1 (bug #944851) - [buster] - tnef <no-dsa> (Minor issue; can be fixed via point release) + [buster] - tnef 1.4.12-1.2+deb10u1 [stretch] - tnef <no-dsa> (Minor issue; can be fixed via point release) NOTE: https://github.com/verdammelt/tnef/pull/40 CVE-2019-18848 (The json-jwt gem before 1.11.0 for Ruby lacks an element count during ...) @@ -132462,7 +132463,7 @@ CVE-2019-1020015 (graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3 NOT-FOR-US: graphql-engine (aka Hasura GraphQL Engine) CVE-2019-1020014 (docker-credential-helpers before 0.6.3 has a double free in the List f ...) - golang-github-docker-docker-credential-helpers 0.6.1-3 (bug #933801) - [buster] - golang-github-docker-docker-credential-helpers <no-dsa> (Minor issue, can be fixed in point release) + [buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1 [stretch] - golang-github-docker-docker-credential-helpers <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/docker/docker-credential-helpers/commit/1c9f7ede70a5ab9851f4c9cb37d317fd89cd318a CVE-2019-1020013 (parse-server before 3.6.0 allows account enumeration. ...) 
@@ -174336,7 +174337,7 @@ CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT fra - activemq 5.15.9-1 (bug #925964; unimportant) [jessie] - activemq <not-affected> (MQTT support not enabled) - mqtt-client 1.16-1 (bug #988109) - [buster] - mqtt-client <no-dsa> (Minor issue) + [buster] - mqtt-client 1.14-1+deb10u1 NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff) NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client. diff --git a/data/next-point-update.txt b/data/next-point-update.txt index 69190a0e0e..abcdeeb5cf 100644 --- a/data/next-point-update.txt +++ b/data/next-point-update.txt 
@@ -1,147 +1,3 @@ -CVE-2019-1020014 - [buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1 -CVE-2020-29600 - [buster] - awstats 7.6+dfsg-2+deb10u1 -CVE-2020-35176 - [buster] - awstats 7.6+dfsg-2+deb10u1 -CVE-2020-5208 - [buster] - ipmitool 1.8.18-6+deb10u1 -CVE-2020-13124 - [buster] - sabnzbdplus 2.3.6+dfsg-1+deb10u1 -CVE-2021-23362 - [buster] - node-hosted-git-info 2.7.1-1+deb10u1 -CVE-2021-28153 - [buster] - glib2.0 2.58.3-2+deb10u3 -CVE-2021-27219 - [buster] - glib2.0 2.58.3-2+deb10u3 -CVE-2021-27218 - [buster] - glib2.0 2.58.3-2+deb10u3 -CVE-2020-35459 - [buster] - crmsh 4.0.0~git20190108.3d56538-3+deb10u1 -CVE-2020-6098 - [buster] - freediameter 1.2.1-7+deb10u1 -CVE-2021-1405 - [buster] - clamav 0.103.2+dfsg-0+deb10u1 -CVE-2019-20920 - [buster] - node-handlebars 3:4.1.0-1+deb10u3 -CVE-2021-23369 - [buster] - node-handlebars 3:4.1.0-1+deb10u3 -CVE-2020-28469 - [buster] - node-glob-parent 3.1.0-1+deb10u1 -CVE-2019-18849 - [buster] - tnef 1.4.12-1.2+deb10u1 -CVE-2020-24616 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-24750 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-25649 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-35490 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-35491 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-35728 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36179 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36180 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36181 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36182 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36183 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36184 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36185 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36186 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36187 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2020-36188 - [buster] - jackson-databind 2.9.8-3+deb10u3 
-CVE-2020-36189 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2021-20190 - [buster] - jackson-databind 2.9.8-3+deb10u3 -CVE-2021-28421 - [buster] - fluidsynth 1.1.11-1+deb10u1 -CVE-2020-12460 - [buster] - opendmarc 1.3.2-6+deb10u2 -CVE-2021-29469 - [buster] - node-redis 2.8.0-1+deb10u1 -CVE-2021-1076 - [buster] - nvidia-graphics-drivers 418.197.02-1 - [buster] - nvidia-graphics-drivers-legacy-390xx 390.143-1~deb10u1 -CVE-2020-11810 - [buster] - openvpn 2.4.7-1+deb10u1 -CVE-2020-15078 - [buster] - openvpn 2.4.7-1+deb10u1 -CVE-2021-27229 - [buster] - mumble 1.3.0~git20190125.440b173+dfsg-2+deb10u1 -CVE-2020-13936 - [buster] - velocity 1.7-5+deb10u1 - CVE-2020-7663 - [buster] - ruby-websocket-extensions 0.1.2-1+deb10u1 -CVE-2021-20204 - [buster] - libgetdata 0.10.0-5+deb10u1 -CVE-2021-29376 - [buster] - ircii 20190117-1+deb10u1 - [buster] - scrollz 2.2.3-1+deb10u1 -CVE-2020-24659 - [buster] - gnutls28 3.6.7-4+deb10u7 -CVE-2021-20231 - [buster] - gnutls28 3.6.7-4+deb10u7 -CVE-2021-20232 - [buster] - gnutls28 3.6.7-4+deb10u7 -CVE-2019-0222 - [buster] - mqtt-client 1.14-1+deb10u1 -CVE-2021-33477 - [buster] - rxvt-unicode 9.22-6+deb10u1 -CVE-2021-3561 - [buster] - fig2dev 1:3.2.7a-5+deb10u4 -CVE-2021-26929 - [buster] - php-horde-text-filter 2.3.5-3+deb10u2 -CVE-2021-32640 - [buster] - node-ws 1.1.0+ds1.e6ddaae4-5+deb10u1 -CVE-2021-25217 - [buster] - isc-dhcp 4.4.1-2+deb10u1 -CVE-2021-33560 - [buster] - libgcrypt20 1.8.4-5+deb10u1 -CVE-2021-31871 - [buster] - klibc 2.0.6-1+deb10u1 -CVE-2021-31872 - [buster] - klibc 2.0.6-1+deb10u1 -CVE-2021-31873 - [buster] - klibc 2.0.6-1+deb10u1 -CVE-2021-31874 - [buster] - klibc 2.0.6-1+deb10u1 -CVE-2020-16600 - [buster] - mupdf 1.14.0+ds1-4+deb10u3 -CVE-2021-3407 - [buster] - mupdf 1.14.0+ds1-4+deb10u3 -CVE-2021-20247 - [buster] - isync 1.3.0-2.2~deb10u1 -CVE-2021-3578 - [buster] - isync 1.3.0-2.2~deb10u1 -CVE-2021-33477 - [buster] - eterm 0.9.6-5+deb10u1 -CVE-2020-24977 - [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 -CVE-2021-3516 - 
[buster] - libxml2 2.9.4+dfsg1-7+deb10u2 -CVE-2021-3517 - [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 -CVE-2021-3518 - [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 -CVE-2021-3537 - [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 -CVE-2021-3541 - [buster] - libxml2 2.9.4+dfsg1-7+deb10u2 -CVE-2021-33833 - [buster] - connman 1.36-2.1~deb10u2 CVE-2019-20446 [buster] - librsvg 2.44.10-2.1+deb10u1 CVE-2019-17134 |
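Review bot: the `@@ -1,147 +1,3 @@` hunk in data/next-point-update.txt leaves only the CVE-2019-20446 (`librsvg 2.44.10-2.1+deb10u1`) and CVE-2019-17134 entries behind, so please confirm those two were genuinely not accepted for 10.10 rather than overlooked, since every other pending `[buster]` line was removed wholesale. For the removed entries that are visible in the data/CVE/list hunks the versions match one-to-one (for example `[buster] - gnutls28 3.6.7-4+deb10u7`, `[buster] - jackson-databind 2.9.8-3+deb10u3`, `[buster] - openvpn 2.4.7-1+deb10u1`), which is the invariant this merge is supposed to preserve; the non-visible ones (glib2.0, clamav, node-handlebars, klibc and the rest) cannot be checked from this page and should be spot-checked in the full diff.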
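Review bot: in the CVE-2019-0222 hunk (`@@ -174336,7 +174337,7 @@`) the buster fix is recorded only on the mqtt-client line (`[buster] - mqtt-client 1.14-1+deb10u1`), while the activemq entry keeps just the `unimportant` sid line and the jessie `<not-affected>` line; since the existing NOTE says activemq re-enabled MQTT in 5.13.2+dfsg-2 via the external mqtt-client, consider adding a NOTE stating that activemq in buster is covered by that mqtt-client update, so a reader checking activemq does not conclude buster is unfixed.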
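Review bot: in the CVE-2020-24977 hunk (`@@ -54766,6 +54766,7 @@`) the new `[buster] - libxml2 2.9.4+dfsg1-7+deb10u2` line is added to an entry whose sid line is still marked `(unimportant; bug #969529)` and whose NOTE restricts the issue to xmllint; that is consistent with the version being the same upload that fixes CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537 and CVE-2021-3541 in the next-point-update.txt hunk, but a short NOTE that the buster fix rode along with that upload would explain why an unimportant issue gets a point-release version here.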