author Salvatore Bonaccorso <carnil@debian.org> 2020-02-08 09:31:23 +0000
committer Salvatore Bonaccorso <carnil@debian.org> 2020-02-08 09:31:23 +0000
commit 7e227c580595fcc6b712126620c7d130cf9cfa4e (patch)
tree 37d11d319223c6c838e6f007b2b29796a0af0dca
parent 7018ad9d6498b9eeab8f532c51412e25b2523cae (diff)
parent 79faeefa981a0e8df5de9bb460211635e80bf615 (diff)
Merge branch '2020-02-08-stretch-9.12-buster-10.3' into 'master'
Track preparations for 9.12 and 10.3 point release

See merge request security-tracker-team/security-tracker!51
-rw-r--r-- data/CVE/list 420
-rw-r--r-- data/next-oldstable-point-update.txt 252
-rw-r--r-- data/next-point-update.txt 284
3 files changed, 267 insertions, 689 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 46109bef06..8667843677 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2953,8 +2953,8 @@ CVE-2019-20388 (xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlS
CVE-2019-20387 (repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-ba ...)
{DLA-2088-1}
- libsolv 0.6.36-2 (bug #949611)
- [buster] - libsolv <no-dsa> (Minor issue)
- [stretch] - libsolv <no-dsa> (Minor issue)
+ [buster] - libsolv 0.6.35-2+deb10u1
+ [stretch] - libsolv 0.6.24-1+deb9u2
NOTE: https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da (0.7.6)
CVE-2020-7471 (Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 al ...)
- python-django 2:2.2.10-1 (bug #950581)
@@ -10898,7 +10898,7 @@ CVE-2020-3940 (VMware Workspace ONE SDK and dependent mobile application updates
NOT-FOR-US: VMware
CVE-2019-20149 (ctorName in index.js in kind-of v6.0.2 allows external user input to o ...)
- node-kind-of 6.0.3+dfsg-1 (bug #948095)
- [buster] - node-kind-of <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - node-kind-of 6.0.2+dfsg-1+deb10u1
[stretch] - node-kind-of <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/jonschlinkert/kind-of/issues/30
NOTE: https://github.com/jonschlinkert/kind-of/pull/31
@@ -11024,6 +11024,8 @@ CVE-2019-20097 (Bitbucket Server and Bitbucket Data Center versions starting fro
NOT-FOR-US: Bitbucket Server and Bitbucket Data Center
CVE-2019-20096 (In the Linux kernel before 5.1, there is a memory leak in __feat_regis ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux 3.16.72-1
NOTE: https://git.kernel.org/linus/1d3ff0950e2b40dc861b1739029649d03f591820
CVE-2019-20095 (mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in t ...)
@@ -11109,7 +11111,7 @@ CVE-2019-20064
RESERVED
CVE-2019-20063 (hdf/dataobject.c in libmysofa before 0.8 has an uninitialized use of m ...)
- libmysofa 0.8~dfsg0-1
- [buster] - libmysofa <no-dsa> (Minor issue; will be fixed in point release)
+ [buster] - libmysofa 0.6~dfsg0-3+deb10u1
NOTE: https://github.com/hoene/libmysofa/issues/67
NOTE: https://github.com/hoene/libmysofa/commit/ecb7b743b6f6d47b93a7bc680a60071a0f9524c6
CVE-2019-20062
@@ -11360,6 +11362,8 @@ CVE-2019-19966 (In the Linux kernel before 5.1.6, there is a use-after-free in c
CVE-2019-19965 (In the Linux kernel through 5.4.6, there is a NULL pointer dereference ...)
{DLA-2068-1}
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/f70267f379b5e5e11bdc5d72a56bf17e5feed01f
CVE-2019-19964
RESERVED
@@ -11439,6 +11443,8 @@ CVE-2019-19948 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overfl
CVE-2019-19947 (In the Linux kernel through 5.4.6, there are information leaks of unin ...)
{DLA-2068-1}
- linux 5.4.8-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/da2311a6385c3b499da2ed5d9be59ce331fa93e9
CVE-2019-19946
RESERVED
@@ -11480,6 +11486,7 @@ CVE-2019-19928
RESERVED
CVE-2019-19927 (In the Linux kernel 5.0.0-rc7 (as distributed in ubuntu/linux.git on k ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.98-1
CVE-2019-19926 (multiSelect in select.c in SQLite 3.30.1 mishandles certain errors dur ...)
- sqlite3 <not-affected> (Incomplete fix for CVE-2019-19880 not applied)
NOTE: https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089
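Review bot: The CVE-2019-19927 entry receives only a [buster] line (4.19.98-1) and has no [stretch] or [jessie] line before or after this change, so the only other version recorded for it is the unstable fix in 5.2.6-1. If the stretch kernel is not affected or the fix is not in 4.9.210-1, record that explicitly with a [stretch] status line and reason, as the other kernel entries in this patch do.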
@@ -11508,6 +11515,7 @@ CVE-2019-19923 (flattenSubquery in select.c in SQLite 3.30.1 mishandles certain
CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quo ...)
{DLA-2068-1}
- linux 5.3.9-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://git.kernel.org/linus/de53fd7aedb100f03e5d2231cfce0e4993282425
CVE-2019-19921 [Volume mount race condition with shared mounts]
@@ -11837,7 +11845,7 @@ CVE-2019-19887 (bitstr_tell at bitstr.c in ffjpeg through 2019-08-21 has a NULL
NOT-FOR-US: ffjpeg
CVE-2019-19886 (Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to send c ...)
- modsecurity 3.0.4-1 (bug #949682)
- [buster] - modsecurity <no-dsa> (Minor issue)
+ [buster] - modsecurity 3.0.3-1+deb10u1
NOTE: https://github.com/SpiderLabs/ModSecurity/pull/2202
NOTE: https://github.com/SpiderLabs/ModSecurity/commit/7ba77631f9a37e0680d23ee57c455c6a35c65cb9
CVE-2019-19885
@@ -12513,7 +12521,7 @@ CVE-2019-19798
RESERVED
CVE-2019-19797 (read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds wr ...)
- fig2dev 1:3.2.7b-3 (bug #946866)
- [buster] - fig2dev <no-dsa> (Minor issue)
+ [buster] - fig2dev 1:3.2.7a-5+deb10u3
[stretch] - fig2dev <no-dsa> (Minor issue)
- transfig <removed>
[jessie] - transfig <no-dsa> (Minor issue)
@@ -13617,6 +13625,8 @@ CVE-2019-19768 (In the Linux kernel 5.4.0-rc2, there is a use-after-free (read)
CVE-2019-19767 (The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as d ...)
{DLA-2068-1}
- linux 5.3.15-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a
CVE-2019-19766 (The Bitwarden server through 1.32.0 has a potentially unwanted KDF. ...)
NOT-FOR-US: Bitwarden server
@@ -13660,6 +13670,7 @@ CVE-2019-19747 (NeuVector 3.1 when configured to allow authentication via Active
NOT-FOR-US: NeuVector
CVE-2019-19746 (make_arrow in arrow.c in Xfig fig2dev 3.2.7b allows a segmentation fau ...)
- fig2dev 1:3.2.7b-3 (unimportant; bug #946628)
+ [buster] - fig2dev 1:3.2.7a-5+deb10u3
- transfig <removed> (unimportant)
NOTE: https://sourceforge.net/p/mcj/tickets/57/
NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/3065abc7b4f740ed6532322843531317de782a26/
@@ -14864,7 +14875,9 @@ CVE-2020-2575
CVE-2020-2574 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...)
- mysql-5.7 <unfixed> (bug #949994)
- mariadb-10.3 1:10.3.22-1
+ [buster] - mariadb-10.3 1:10.3.22-0+deb10u1
- mariadb-10.1 <removed>
+ [stretch] - mariadb-10.1 10.1.44-0+deb9u1
NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL
NOTE: Fixed in MariaDB: 5.5.67, 10.1.44, 10.2.31, 10.3.22, 10.4.12
CVE-2020-2573 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...)
@@ -15204,8 +15217,6 @@ CVE-2019-19648 (In the macho_parse_file functionality in macho/macho.c of YARA 3
NOTE: https://github.com/VirusTotal/yara/issues/1178
CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable in the ...)
- radare2 <unfixed> (bug #947402)
- [buster] - radare2 <no-dsa> (Minor issue)
- [stretch] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radareorg/radare2/issues/15545
NOTE: https://github.com/radareorg/radare2/commit/07b5e062f2d4a00403ff031302cb18dfa58e3805 (4.1.0)
CVE-2019-19646 (pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_ ...)
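Review bot: In the CVE-2019-19647 entry both the [buster] and [stretch] <no-dsa> lines are removed with nothing put in their place, while the main line still reads radare2 <unfixed>. The triage decision for both releases is lost and the reason is not recoverable from the hunk. If radare2 is leaving these releases with the point updates, state that in the commit message or a NOTE; otherwise keep the <no-dsa> lines until a fixed version exists.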
@@ -16411,8 +16422,6 @@ CVE-2019-19591
RESERVED
CVE-2019-19590 (In radare2 through 4.0, there is an integer overflow for the variable ...)
- radare2 <unfixed> (bug #947791)
- [buster] - radare2 <no-dsa> (Minor issue)
- [stretch] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radareorg/radare2/issues/15543
NOTE: https://github.com/radareorg/radare2/commit/9bbc63ffa0e93aa054e262cdfb973326935a2d70
CVE-2019-19589 (The Lever PDF Embedder plugin 4.4 for WordPress does not block the dis ...)
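Review bot: CVE-2019-19590 loses its [buster] and [stretch] <no-dsa> lines here without gaining a fixed version, and the main radare2 line stays <unfixed>. A point-release tracking change would normally replace a <no-dsa> line with the uploaded version, so a bare deletion needs an explanation next to it, for example a NOTE giving the reason the release lines no longer apply.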
@@ -16500,6 +16509,8 @@ CVE-2019-19556
CVE-2019-19555 (read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buf ...)
{DLA-2073-1}
- fig2dev 1:3.2.7b-2 (unimportant; bug #946176)
+ [buster] - fig2dev 1:3.2.7a-5+deb10u2
+ [stretch] - fig2dev 1:3.2.6a-2+deb9u3
- transfig <removed> (unimportant)
NOTE: https://sourceforge.net/p/mcj/tickets/55/
NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/
@@ -16571,69 +16582,93 @@ CVE-2019-19538
CVE-2019-19537 (In the Linux kernel before 5.2.10, there is a race condition bug that ...)
{DLA-2068-1}
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/303911cfc5b95d33687d9046133ff184cf5043ff
CVE-2019-19536 (In the Linux kernel before 5.2.9, there is an info-leak bug that can b ...)
{DLA-2068-1}
- linux 5.2.9-1
[buster] - linux 4.19.67-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/ead16e53c2f0ed946d82d4037c630e2f60f4ab69
CVE-2019-19535 (In the Linux kernel before 5.2.9, there is an info-leak bug that can b ...)
- linux 5.2.9-1
[buster] - linux 4.19.67-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/30a8beeb3042f49d0537b7050fd21b490166a3d9
CVE-2019-19534 (In the Linux kernel before 5.3.11, there is an info-leak bug that can ...)
{DLA-2068-1}
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/f7a1337f0d29b98733c8824e165fca3371d7d4fd
CVE-2019-19533 (In the Linux kernel before 5.3.4, there is an info-leak bug that can b ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/a10feaf8c464c3f9cfdd3a8a7ce17e1c0d498da1
CVE-2019-19532 (In the Linux kernel before 5.3.9, there are multiple out-of-bounds wri ...)
{DLA-2068-1}
- linux 5.3.9-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/d9d4b1e46d9543a82c23f6df03f4ad697dab361b
CVE-2019-19531 (In the Linux kernel before 5.2.9, there is a use-after-free bug that c ...)
{DLA-2068-1}
- linux 5.2.9-1
[buster] - linux 4.19.67-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/fc05481b2fcabaaeccf63e32ac1baab54e5b6963
CVE-2019-19530 (In the Linux kernel before 5.2.10, there is a use-after-free bug that ...)
{DLA-2068-1}
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/c52873e5a1ef72f845526d9f6a50704433f9c625
CVE-2019-19529 (In the Linux kernel before 5.3.11, there is a use-after-free bug that ...)
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/4d6636498c41891d0482a914dd570343a838ad79
CVE-2019-19528 (In the Linux kernel before 5.3.7, there is a use-after-free bug that c ...)
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not yet present in released version)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/edc4746f253d907d048de680a621e121517f484b
CVE-2019-19527 (In the Linux kernel before 5.2.10, there is a use-after-free bug that ...)
{DLA-2068-1}
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/6d4472d7bec39917b54e4e80245784ea5d60ce49
NOTE: https://git.kernel.org/linus/9c09b214f30e3c11f9b0b03f89442df03643794d
CVE-2019-19526 (In the Linux kernel before 5.3.9, there is a use-after-free bug that c ...)
- linux 5.3.9-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
[jessie] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://git.kernel.org/linus/6af3aa57a0984e061f61308fe181a9a12359fecc
CVE-2019-19525 (In the Linux kernel before 5.3.6, there is a use-after-free bug that c ...)
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/7fd25e6fc035f4b04b75bca6d7e8daa069603a76
CVE-2019-19524 (In the Linux kernel before 5.3.12, there is a use-after-free bug that ...)
{DLA-2068-1}
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/fa3a5a1880c91bb92594ad42dfe9eedad7996b86
CVE-2019-19523 (In the Linux kernel before 5.3.7, there is a use-after-free bug that c ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/44efc269db7929f6275a1fa927ef082e533ecde0
CVE-2019-19522 (OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey aut ...)
NOT-FOR-US: OpenBSD
@@ -17183,6 +17218,8 @@ CVE-2019-19448 (In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs
NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19448
CVE-2019-19447 (In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, ...)
- linux 5.4.6-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19447
NOTE: https://git.kernel.org/linus/c7df4a1ecb8579838ec8c56b2bb6a6716e974f37
CVE-2019-19446
@@ -17698,6 +17735,8 @@ CVE-2019-19333 (In all versions of libyang before 1.0-r5, a stack-based buffer o
CVE-2019-19332 (An out-of-bounds memory write issue was found in the Linux Kernel, ver ...)
{DLA-2068-1}
- linux 5.4.6-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/433f4ba1904100da65a311033f17a9bf586b287e
CVE-2019-19331 (knot-resolver before version 4.3.0 is vulnerable to denial of service ...)
- knot-resolver <unfixed> (bug #946181)
@@ -17866,7 +17905,7 @@ CVE-2019-19271 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.
NOTE: Introduced in: https://github.com/proftpd/proftpd/commit/474075d2cb8c8ced7764b1b4b5ad63a49284d61f (v1.3.5c)
CVE-2019-19270 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. F ...)
- proftpd-dfsg 1.3.6b-2 (bug #946346)
- [buster] - proftpd-dfsg <no-dsa> (Minor issue)
+ [buster] - proftpd-dfsg 1.3.6-4+deb10u3
[stretch] - proftpd-dfsg <not-affected> (Bug was introduced in 1.3.5c)
[jessie] - proftpd-dfsg <not-affected> (Bug was introduced in 1.3.5c)
NOTE: https://github.com/proftpd/proftpd/issues/859
@@ -17876,8 +17915,8 @@ CVE-2019-19270 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3
CVE-2019-19269 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A ...)
{DLA-2018-1}
- proftpd-dfsg 1.3.6b-2 (bug #946345)
- [buster] - proftpd-dfsg <no-dsa> (Minor issue)
- [stretch] - proftpd-dfsg <no-dsa> (Minor issue)
+ [buster] - proftpd-dfsg 1.3.6-4+deb10u3
+ [stretch] - proftpd-dfsg 1.3.5b-4+deb9u3
NOTE: https://github.com/proftpd/proftpd/issues/861
NOTE: https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master)
NOTE: https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch)
@@ -17935,6 +17974,7 @@ CVE-2019-19253
NOT-FOR-US: Apereo CAS
CVE-2019-19252 (vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5. ...)
- linux <unfixed>
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
[jessie] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://lore.kernel.org/lkml/c30fc539-68a8-65d7-226c-6f8e6fd8bdfb@suse.com/
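Review bot: The added [buster] line marks CVE-2019-19252 as fixed in 4.19.98-1 while the main line directly above it still says linux <unfixed>, and the only reference in the entry is a lore.kernel.org thread. Add a NOTE naming the commit that the 4.19 upload carries so the buster claim can be checked, and recheck whether the unstable line should also be updated.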
@@ -18013,6 +18053,8 @@ CVE-2019-19228 (Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow a
CVE-2019-19227 (In the AppleTalk subsystem in the Linux kernel before 5.1, there is a ...)
{DLA-2068-1}
- linux 5.2.6-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/9804501fa1228048857910a6bf23e085aade37cc
CVE-2019-19226
RESERVED
@@ -18358,25 +18400,30 @@ CVE-2019-19082 (Memory leaks in *create_resource_pool() functions under drivers/
NOTE: https://git.kernel.org/linus/104c307147ad379617472dd91a5bcb368d72bd6d
CVE-2019-19081 (A memory leak in the nfp_flower_spawn_vnic_reprs() function in drivers ...)
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/8ce39eb5a67aee25d9f05b40b673c95b23502e3e
CVE-2019-19080 (Four memory leaks in the nfp_flower_spawn_phy_reprs() function in driv ...)
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/8572cea1461a006bce1d06c0c4b0575869125fa4
CVE-2019-19079 (A memory leak in the qrtr_tun_write_iter() function in net/qrtr/tun.c ...)
- linux 5.3.7-1
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/a21b7f0cff1906a93a0130b74713b15a0b36481d
CVE-2019-19078 (A memory leak in the ath10k_usb_hif_tx_sg() function in drivers/net/wi ...)
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
CVE-2019-19077 (A memory leak in the bnxt_re_create_srq() function in drivers/infiniba ...)
- linux 5.4.6-1
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/4a9d46a9fe14401f21df69cea97c62396d5fb053
@@ -18388,6 +18435,7 @@ CVE-2019-19076 (A memory leak in the nfp_abm_u32_knode_replace() function in dri
NOTE: https://git.kernel.org/linus/78beef629fd95be4ed853b2d37b832f766bd96ca
CVE-2019-19075 (A memory leak in the ca8210_probe() function in drivers/net/ieee802154 ...)
- linux 5.3.9-1 (unimportant)
+ [buster] - linux 4.19.87-1
NOTE: https://git.kernel.org/linus/6402939ec86eaf226c8b8ae00ed983936b164908
CVE-2019-19074 (A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ ...)
- linux 5.4.6-1
@@ -18402,6 +18450,7 @@ CVE-2019-19072 (A memory leak in the predicate_parse() function in kernel/trace/
NOTE: https://git.kernel.org/linus/96c5c6e6a5b6db592acae039fed54b5c8844cd35
CVE-2019-19071 (A memory leak in the rsi_send_beacon() function in drivers/net/wireles ...)
- linux 5.4.6-1
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
CVE-2019-19070 (** DISPUTED ** A memory leak in the spi_gpio_probe() function in drive ...)
@@ -18414,6 +18463,8 @@ CVE-2019-19069 (A memory leak in the fastrpc_dma_buf_attach() function in driver
NOTE: https://git.kernel.org/linus/fc739a058d99c9297ef6bfd923b809d85855b9a9
CVE-2019-19068 (A memory leak in the rtl8xxxu_submit_int_urb() function in drivers/net ...)
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerable code not present)
CVE-2019-19067 (** DISPUTED ** Four memory leaks in the acp_hw_init() function in driv ...)
- linux 5.3.9-1 (unimportant)
@@ -18421,8 +18472,11 @@ CVE-2019-19067 (** DISPUTED ** Four memory leaks in the acp_hw_init() function i
CVE-2019-19066 (A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/ ...)
{DLA-2068-1}
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
CVE-2019-19065 (A memory leak in the sdma_init() function in drivers/infiniband/hw/hfi ...)
- linux 5.3.9-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
[jessie] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://git.kernel.org/linus/34b3be18a04ecdc610aae4c48e5d1b799d8689f6
@@ -18430,31 +18484,42 @@ CVE-2019-19064 (** DISPUTED ** A memory leak in the fsl_lpspi_probe() function i
- linux 5.4.13-1 (unimportant)
CVE-2019-19063 (Two memory leaks in the rtl_usb_probe() function in drivers/net/wirele ...)
- linux 5.4.8-1 (unimportant)
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
CVE-2019-19062 (A memory leak in the crypto_report() function in crypto/crypto_user_ba ...)
{DLA-2068-1}
- linux 5.4.6-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
CVE-2019-19061 (A memory leak in the adis_update_scan_mode_burst() function in drivers ...)
- linux 5.3.9-1 (unimportant)
NOTE: https://git.kernel.org/linus/9c0530e898f384c5d279bfcebd8bb17af1105873
CVE-2019-19060 (A memory leak in the adis_update_scan_mode() function in drivers/iio/i ...)
- linux 5.3.9-1 (unimportant)
+ [buster] - linux 4.19.87-1
NOTE: https://git.kernel.org/linus/ab612b1daf415b62c58e130cb3d0f30b255a14d0
CVE-2019-19059 (Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function i ...)
- linux 5.4.6-1
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/0f4f199443faca715523b0659aa536251d8b978f
CVE-2019-19058 (A memory leak in the alloc_sgtable() function in drivers/net/wireless/ ...)
- linux 5.4.6-1
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/b4b814fec1a5a849383f7b3886b654a13abbda7d
CVE-2019-19057 (Two memory leaks in the mwifiex_pcie_init_evt_ring() function in drive ...)
{DLA-2068-1}
- linux 5.4.8-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
CVE-2019-19056 (A memory leak in the mwifiex_pcie_alloc_cmdrsp_buf() function in drive ...)
{DLA-2068-1}
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
CVE-2019-19055 (** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() ...)
- linux 5.4.6-1 (unimportant)
[buster] - linux <not-affected> (Vulnerable code introduced later)
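Review bot: CVE-2019-19061 and CVE-2019-19060 are adjacent adis entries with the same unstable version (5.3.9-1, unimportant), but only CVE-2019-19060 gets a [buster] - linux 4.19.87-1 line. Either add the matching line for CVE-2019-19061 or record why buster differs, for instance a <not-affected> line with the reason, so the asymmetry does not look like an omission.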
@@ -18472,10 +18537,14 @@ CVE-2019-19053 (A memory leak in the rpmsg_eptdev_write_iter() function in drive
CVE-2019-19052 (A memory leak in the gs_can_open() function in drivers/net/can/usb/gs_ ...)
{DLA-2068-1}
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/fb5be6a7b4863ecc44963bb80ca614584b6c7817
CVE-2019-19051 (A memory leak in the i2400m_op_rfkill_sw_toggle() function in drivers/ ...)
{DLA-2068-1}
- linux 5.3.15-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407
CVE-2019-19050 (A memory leak in the crypto_reportstat() function in crypto/crypto_use ...)
- linux <unfixed>
@@ -18483,10 +18552,13 @@ CVE-2019-19050 (A memory leak in the crypto_reportstat() function in crypto/cryp
[jessie] - linux <not-affected> (Vulnerable code not present)
CVE-2019-19049 (** DISPUTED ** A memory leak in the unittest_data_add() function in dr ...)
- linux 5.3.15-1 (unimportant)
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/e13de8fe0d6a51341671bbe384826d527afe8d44
NOTE: unittest.c can only be reached during boot.
CVE-2019-19048 (A memory leak in the crypto_reportstat() function in drivers/virt/vbox ...)
- linux 5.3.9-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/e0b0cb9388642c104838fac100a4af32745621e2
@@ -18501,6 +18573,7 @@ CVE-2019-19046 (** DISPUTED ** A memory leak in the __ipmi_bmc_register() functi
NOTE: Only a memory leak on the probe path
CVE-2019-19045 (A memory leak in the mlx5_fpga_conn_create_cq() function in drivers/ne ...)
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/c8c2a057fdc7de1cd16f4baa51425b932a42eb39
@@ -18527,6 +18600,8 @@ CVE-2019-19038
RESERVED
CVE-2019-19037 (ext4_empty_dir in fs/ext4/namei.c in the Linux kernel through 5.3.12 a ...)
- linux 5.4.8-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerability introduced later)
CVE-2019-19036 (btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel through 5.3.12 ...)
- linux <unfixed>
@@ -18593,8 +18668,8 @@ CVE-2019-19011 (MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexT
NOT-FOR-US: ngiflib
CVE-2019-19010 (Eval injection in the Math plugin of Limnoria (before 2019.11.09) and ...)
- limnoria 2019.11.09-1
- [buster] - limnoria <no-dsa> (Minor issue, can be fixed via point release)
- [stretch] - limnoria <no-dsa> (Minor issue, can be fixed via point release)
+ [buster] - limnoria 2019.02.23-1+deb10u1
+ [stretch] - limnoria 2017.01.10-1+deb9u1
NOTE: https://github.com/ProgVal/Limnoria/commit/3848ae78de45b35c029cc333963d436b9d2f0a35
NOTE: https://github.com/ProgVal/Limnoria/wiki/math-eval-vulnerability
CVE-2019-19009
@@ -19058,6 +19133,7 @@ CVE-2019-18814 (An issue was discovered in the Linux kernel through 5.3.9. There
NOTE: https://lore.kernel.org/patchwork/patch/1142523/
CVE-2019-18813 (A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc ...)
- linux 5.3.15-1 (unimportant)
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Bug introduced later)
[jessie] - linux <not-affected> (Bug introduced later)
NOTE: https://git.kernel.org/linus/9bbfceea12a8f145097a27d7c7267af25893c060
@@ -19082,6 +19158,8 @@ CVE-2019-18810 (A memory leak in the komeda_wb_connector_add() function in drive
NOTE: CONFIG_DRM_KOMEDA not enabled in Debian builds.
CVE-2019-18809 (A memory leak in the af9005_identify_state() function in drivers/media ...)
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Bug introduced later)
CVE-2019-18808 (A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ ...)
- linux <unfixed> (unimportant)
@@ -19094,6 +19172,8 @@ CVE-2019-18807 (Two memory leaks in the sja1105_static_config_upload() function
NOTE: https://git.kernel.org/linus/68501df92d116b760777a2cfda314789f926476f
CVE-2019-18806 (A memory leak in the ql_alloc_large_buffers() function in drivers/net/ ...)
- linux 5.3.7-1 (unimportant)
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/1acb8f2a7a9f10543868ddd737e37424d5c36cf4
CVE-2019-18805 (An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Linux ker ...)
- linux 5.2.6-1
@@ -19175,6 +19255,7 @@ CVE-2019-18781 (An open redirect vulnerability was discovered in Zoho ManageEngi
NOT-FOR-US: Zoho ManageEngine ADSelfService Plus
CVE-2019-18786 (In the Linux kernel through 5.3.8, f-&gt;fmt.sdr.reserved is uninitial ...)
- linux 5.4.8-1
+ [buster] - linux 4.19.98-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://patchwork.linuxtv.org/patch/59542/
@@ -21585,6 +21666,8 @@ CVE-2019-18676 (An issue was discovered in Squid 3.x and 4.x through 4.8. Due to
NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-fbbdf75efd7a5cc244b4886a9d42ea458c5a3a73.patch
CVE-2019-18683 (An issue was discovered in drivers/media/platform/vivid in the Linux k ...)
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2019/11/02/1
CVE-2019-18675 (The Linux kernel through 5.3.13 has a start_offset+size Integer Overfl ...)
@@ -21622,6 +21705,8 @@ CVE-2019-18661 (Fastweb FASTGate 1.0.1b devices allow partial authentication byp
NOT-FOR-US: Fastweb FASTGate
CVE-2019-18660 (The Linux kernel before 5.4.1 on powerpc allows Information Exposure b ...)
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <ignored> (powerpc not supported in LTS)
NOTE: https://www.openwall.com/lists/oss-security/2019/11/27/1
CVE-2019-18659 (The Wireless Emergency Alerts (WEA) protocol allows remote attackers t ...)
@@ -21680,7 +21765,7 @@ CVE-2019-18635 (An issue was discovered in Mooltipass Moolticute through v0.42.1
CVE-2019-18634 (In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users ...)
{DSA-4614-1 DLA-2094-1}
- sudo 1.8.31-1 (bug #950371)
- [buster] - sudo <no-dsa> (Minor issue; will be fixed in a point release)
+ [buster] - sudo 1.8.27-1+deb10u2
NOTE: https://www.sudo.ws/alerts/pwfeedback.html
NOTE: https://www.openwall.com/lists/oss-security/2020/01/30/6
NOTE: https://github.com/sudo-project/sudo/commit/fa8ffeb17523494f0e8bb49a25e53635f4509078 (master)
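Review bot: The CVE-2019-18634 entry is tagged {DSA-4614-1 DLA-2094-1}, which does not match the removed [buster] line saying <no-dsa> with "will be fixed in a point release". Confirm that 1.8.27-1+deb10u2 is the version attributed to the DSA rather than a separate point-release upload, so this change does not record the fix under the wrong channel.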
@@ -22742,6 +22827,8 @@ CVE-2019-18283 (A vulnerability has been identified in SPPA-T3000 Application Se
NOT-FOR-US: Siemens
CVE-2019-18282 (The flow_dissector feature in the Linux kernel 4.3 through 5.x before ...)
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://git.kernel.org/linus/55667441c84fa5e0911a0aac44fb059c15ba6da2
CVE-2019-18281 (An out-of-bounds memory access in the generateDirectionalRuns() functi ...)
@@ -22944,7 +23031,7 @@ CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer vari
{DLA-1973-1}
- libxslt 1.1.32-2.2 (bug #942646)
[buster] - libxslt 1.1.32-2.2~deb10u1
- [stretch] - libxslt <no-dsa> (Minor issue)
+ [stretch] - libxslt 1.1.29-2.1+deb9u2
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
@@ -23904,6 +23991,7 @@ CVE-2020-0031
CVE-2020-0030
RESERVED
- linux 4.15.11-1
+ [stretch] - linux 4.9.210-1
NOTE: Fixed by: https://git.kernel.org/linus/5eeb2ca02a2f6084fc57ae5c244a38baab07033a
CVE-2020-0029
RESERVED
@@ -25014,6 +25102,8 @@ CVE-2019-17667 (Comtech H8 Heights Remote Gateway 2.5.1 devices allow XSS and HT
CVE-2019-17666 (rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Lin ...)
{DLA-2068-1}
- linux 5.3.9-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://lkml.org/lkml/2019/10/16/1226
CVE-2019-17665 (NSA Ghidra before 9.0.2 is vulnerable to DLL hijacking because it load ...)
- ghidra <itp> (bug #923851)
@@ -26424,7 +26514,7 @@ CVE-2019-17178 (HuffmanTree_makeFromFrequencies in lodepng.c in LodePNG through
TODO: check
CVE-2019-17177 (libfreerdp/codec/region.c in FreeRDP through 1.1.x and 2.x through 2.0 ...)
- freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-2 (low)
- [buster] - freerdp2 <no-dsa> (Minor issue)
+ [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1
- freerdp <removed> (low)
[stretch] - freerdp <no-dsa> (Minor issue)
[jessie] - freerdp <no-dsa> (Minor issue)
@@ -26526,6 +26616,8 @@ CVE-2019-17130 (vBulletin through 5.5.4 mishandles external URLs within the /cor
CVE-2019-17133 (In the Linux kernel through 5.3.2, cfg80211_mgd_wext_giwessid in net/w ...)
{DLA-2068-1}
- linux 5.3.9-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://marc.info/?l=linux-wireless&m=157018270915487&w=2
CVE-2019-17129
RESERVED
@@ -26572,8 +26664,6 @@ CVE-2019-17110
REJECTED
CVE-2019-17109 (Koji through 1.18.0 allows remote Directory Traversal, with resultant ...)
- koji <unfixed> (bug #942146)
- [buster] - koji <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - koji <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://docs.pagure.org/koji/CVE-2019-17109/
NOTE: https://pagure.io/koji/issue/1634
CVE-2019-17108 (Local file inclusion in brokerPerformance.php in Centreon Web before 2 ...)
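Review bot: the `[buster]` and `[stretch]` `<no-dsa>` lines for koji under CVE-2019-17109 are deleted with nothing put in their place, while `- koji <unfixed>` stays, so both releases now inherit the unfixed status from the unversioned line. If this reflects koji leaving buster and stretch at the point release, say so in the commit message or in a NOTE on the entry; otherwise the earlier triage decision is lost without a record of why.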
@@ -26656,6 +26746,8 @@ CVE-2019-17076 (An issue was discovered in Jamf Pro 9.x and 10.x before 10.15.1.
NOT-FOR-US: Jamf Pro
CVE-2019-17075 (An issue was discovered in write_tpt_entry in drivers/infiniband/hw/cx ...)
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <ignored> (Not a problem in practice)
NOTE: https://lore.kernel.org/lkml/20191001165611.GA3542072@kroah.com
CVE-2019-17074 (An issue was discovered in XunRuiCMS 4.3.1. There is a stored XSS in t ...)
@@ -26707,22 +26799,32 @@ CVE-2019-17057 (Footy Tipping Software AFL Web Edition 2019 allows XSS. ...)
CVE-2019-17056 (llcp_sock_create in net/nfc/llcp_sock.c in the AF_NFC network module i ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/3a359798b176183ef09efb7a3dc59abad1cc7104
CVE-2019-17055 (base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/b91ee4aa2a2199ba4d4650706c272985a5a32d80
CVE-2019-17054 (atalk_create in net/appletalk/ddp.c in the AF_APPLETALK network module ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac
CVE-2019-17053 (ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 netw ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/e69dbd4619e7674c1679cba49afd9dd9ac347eef
CVE-2019-17052 (ax25_create in net/ax25/af_ax25.c in the AF_AX25 network module in the ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/0614e2b73768b502fc32a75349823356d98aae2c
CVE-2019-17051 (Evernote before 7.13 GA on macOS allows code execution because the com ...)
NOT-FOR-US: Evernote
@@ -27084,7 +27186,7 @@ CVE-2019-16936
CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x through ...)
- python3.8 3.8.0~rc1-1
- python3.7 3.7.5~rc1-1
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u1
- python3.5 <removed>
- python3.4 <removed>
[jessie] - python3.4 <ignored> (Minor Issue, XSS in an unlikely use-case)
@@ -27721,6 +27823,8 @@ CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation
CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://marc.info/?l=linux-wireless&m=156901391225058&w=2
CVE-2019-16727
RESERVED
@@ -27801,6 +27905,7 @@ CVE-2019-16729 (pam-python before 1.0.7-1 has an issue in regard to the default
NOTE: https://sourceforge.net/p/pam-python/code/ci/0247ab687b4347cc52859ca461fb0126dd7e2ebe/
CVE-2019-16714 (In the Linux kernel before 5.2.14, rds6_inc_info_copy in net/rds/recv. ...)
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/7d0a06586b2686ba80c4a2da5f91cb10ffbea736
@@ -29553,19 +29658,19 @@ CVE-2019-16096 (Kilo 0.0.1 has a heap-based buffer overflow because there is an
NOT-FOR-US: Kilo
CVE-2019-16095 (Symonics libmysofa 0.7 has an invalid read in getDimension in hrtf/rea ...)
- libmysofa 0.8~dfsg0-1 (bug #939735)
- [buster] - libmysofa <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - libmysofa 0.6~dfsg0-3+deb10u1
CVE-2019-16094 (Symonics libmysofa 0.7 has an invalid read in readOHDRHeaderMessageDat ...)
- libmysofa 0.8~dfsg0-1 (bug #939735)
- [buster] - libmysofa <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - libmysofa 0.6~dfsg0-3+deb10u1
CVE-2019-16093 (Symonics libmysofa 0.7 has an invalid write in readOHDRHeaderMessageDa ...)
- libmysofa 0.8~dfsg0-1 (bug #939735)
- [buster] - libmysofa <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - libmysofa 0.6~dfsg0-3+deb10u1
CVE-2019-16092 (Symonics libmysofa 0.7 has a NULL pointer dereference in getHrtf in hr ...)
- libmysofa 0.8~dfsg0-1 (bug #939735)
- [buster] - libmysofa <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - libmysofa 0.6~dfsg0-3+deb10u1
CVE-2019-16091 (Symonics libmysofa 0.7 has an out-of-bounds read in directblockRead in ...)
- libmysofa 0.8~dfsg0-1 (bug #939735)
- [buster] - libmysofa <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - libmysofa 0.6~dfsg0-3+deb10u1
CVE-2019-16090
RESERVED
CVE-2019-16088 (Xpdf 3.04 has a SIGSEGV in XRef::fetch in XRef.cc after many recursive ...)
@@ -29645,7 +29750,7 @@ CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 3.
{DLA-1925-1 DLA-1924-1}
- python3.8 3.8.0~b4-1
- python3.7 3.7.4-4
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u1
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.17~rc1-1 (bug #940901)
@@ -29848,8 +29953,8 @@ CVE-2019-15962 (A vulnerability in the CLI of Cisco TelePresence Collaboration E
NOT-FOR-US: Cisco
CVE-2019-15961 (A vulnerability in the email parsing module Clam AntiVirus (ClamAV) So ...)
- clamav 0.102.1+dfsg-1 (bug #945265)
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
- [stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.102.1+dfsg-0+deb10u1
+ [stretch] - clamav 0.102.1+dfsg-0+deb9u2
NOTE: https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
CVE-2019-15960 (A vulnerability in the Webex Network Recording Admin page of Cisco Web ...)
NOT-FOR-US: Cisco
@@ -29957,8 +30062,8 @@ CVE-2019-15925 (An issue was discovered in the Linux kernel before 5.2.3. An out
CVE-2018-21010 (OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_icc_pr ...)
{DLA-1950-1}
- openjpeg2 2.3.1-1 (bug #939553)
- [buster] - openjpeg2 <no-dsa> (Minor issue)
- [stretch] - openjpeg2 <no-dsa> (Minor issue)
+ [buster] - openjpeg2 2.3.0-2+deb10u1
+ [stretch] - openjpeg2 2.1.2-1.1+deb9u4
NOTE: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea
CVE-2018-21009 (Poppler before 0.66.0 has an integer overflow in Parser::makeStream in ...)
{DLA-1939-1}
@@ -29967,6 +30072,7 @@ CVE-2018-21009 (Poppler before 0.66.0 has an integer overflow in Parser::makeStr
CVE-2018-21008 (An issue was discovered in the Linux kernel before 4.16.7. A use-after ...)
{DLA-1930-1}
- linux 4.18.6-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/abd39c6ded9db53aa44c2540092bdd5fb6590fa8
CVE-2017-18595 (An issue was discovered in the Linux kernel before 4.14.11. A double f ...)
- linux 4.14.12-1
@@ -30006,12 +30112,14 @@ CVE-2019-15919 (An issue was discovered in the Linux kernel before 5.0.10. SMB2_
NOTE: https://git.kernel.org/linus/6a3eb3360667170988f8a6477f6686242061488a
CVE-2019-15918 (An issue was discovered in the Linux kernel before 5.0.10. SMB2_negoti ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
[jessie] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://git.kernel.org/linus/b57a55e2200ede754e4dc9cce4ba9402544b9365
CVE-2019-15917 (An issue was discovered in the Linux kernel before 5.0.5. There is a u ...)
{DLA-1930-1}
- linux 4.19.37-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/56897b217a1d0a91c9920cb418d6b3fe922f590a
CVE-2019-15916 (An issue was discovered in the Linux kernel before 5.0.1. There is a m ...)
- linux 4.19.28-1
@@ -30677,36 +30785,36 @@ CVE-2019-15696
RESERVED
CVE-2019-15695 (TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflo ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
- [buster] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/05e28490873a861379c943bf616614b78b558b89 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/6c47340e095258a959c95db9aa2a6c715d62bf7c (v1.10.1)
CVE-2019-15694 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
- [buster] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/0943c006c7d900dfc0281639e992791d6c567438 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/f287032d3643a6437f7de0ed35f4c45bb735522d (v1.10.1)
CVE-2019-15693 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
- [buster] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/46c081926efd83c90a45c0a96b1b5bc1927e1346 (v1.10.1)
CVE-2019-15692 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
- [buster] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/ff08ca78b24b5a4ed5263245c7ce8744059ff4ad (v1.10.1)
CVE-2019-15691 (TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-retu ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
- [buster] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/042de4642293df9b72a08189c249e2da79cbca91 (v1.10.1)
@@ -30734,13 +30842,13 @@ CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a co
{DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-1977-1}
[experimental] - libvncserver 0.9.12+dfsg-1
- libvncserver 0.9.12+dfsg-3 (low; bug #943793)
- [buster] - libvncserver <no-dsa> (Minor issue)
- [stretch] - libvncserver <no-dsa> (Minor issue)
+ [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u1
+ [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u2
- italc <removed>
- [stretch] - italc <no-dsa> (Minor issue)
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- tightvnc 1:1.3.9-9.1
- [buster] - tightvnc <no-dsa> (Minor issue)
- [stretch] - tightvnc <no-dsa> (Minor issue)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- vino <unfixed> (bug #945784)
[buster] - vino <no-dsa> (Minor issue)
[stretch] - vino <no-dsa> (Minor issue)
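Review bot: the buster version `1:1.3.9-9deb10u1` for tightvnc has no `+` before `deb10u1`, unlike the stretch entry `1:1.3.9-9+deb9u1` on the next line. Please confirm that this is the version string as uploaded, since the tracker compares these strings to decide whether an installed package is fixed; if the form is real, a short NOTE saying so would prevent a later "typo fix". The libvncserver stretch entry `0.9.11+dfsg-1.3~deb9u2` (tilde, where buster has `+deb10u1`) deserves the same check.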
@@ -30748,6 +30856,8 @@ CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a co
CVE-2019-15680 (TightVNC code version 1.3.10 contains null pointer dereference in Hand ...)
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (unimportant; bug #945364)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- italc <removed> (unimportant)
- libvncserver <unfixed> (unimportant)
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
@@ -30755,16 +30865,16 @@ CVE-2019-15680 (TightVNC code version 1.3.10 contains null pointer dereference i
CVE-2019-15679 (TightVNC code version 1.3.10 contains heap buffer overflow in Initiali ...)
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (bug #945364)
- [buster] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
NOTE: part of CVE-2018-20748/libvncserver
CVE-2019-15678 (TightVNC code version 1.3.10 contains heap buffer overflow in rfbServe ...)
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (bug #945364)
- [buster] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
NOTE: part of CVE-2018-20748/libvnvserver
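Review bot: while CVE-2019-15678 is being touched, its last NOTE reads `CVE-2018-20748/libvnvserver`, whereas the matching NOTE on CVE-2019-15679 just above has `libvncserver`. Correcting the spelling in the same change keeps the cross-reference to the libvncserver CVE findable by search.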
@@ -31270,8 +31380,11 @@ CVE-2019-15506 (An issue was discovered in Kaseya Virtual System Administrator (
CVE-2019-15505 (drivers/media/usb/dvb-usb/technisat-usb2.c in the Linux kernel through ...)
{DLA-2068-1}
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
CVE-2019-15504 (drivers/net/wireless/rsi/rsi_91x_usb.c in the Linux kernel through 5.2 ...)
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
[jessie] - linux <not-affected> (Vulnerability introduced later)
CVE-2019-15503 (cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCM ...)
@@ -31961,6 +32074,8 @@ CVE-2019-15292 (An issue was discovered in the Linux kernel before 5.0.9. There
CVE-2019-15291 (An issue was discovered in the Linux kernel through 5.2.9. There is a ...)
{DLA-2068-1}
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://www.openwall.com/lists/oss-security/2019/08/20/2
CVE-2019-15290
REJECTED
@@ -32041,6 +32156,8 @@ CVE-2019-15218 (An issue was discovered in the Linux kernel before 5.1.8. There
CVE-2019-15217 (An issue was discovered in the Linux kernel before 5.2.3. There is a N ...)
{DLA-2068-1}
- linux 5.2.6-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e
CVE-2019-15216 (An issue was discovered in the Linux kernel before 5.0.14. There is a ...)
{DLA-1919-1 DLA-1884-1}
@@ -32314,6 +32431,7 @@ CVE-2019-15149 (** DISPUTED ** core.py in Mitogen before 0.2.8 has a typo that d
CVE-2018-20976 (An issue was discovered in fs/xfs/xfs_super.c in the Linux kernel befo ...)
{DLA-1930-1}
- linux 4.18.6-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/c9fbd7bbc23dbdd73364be4d045e5d3612cf6e82
CVE-2017-18552 (An issue was discovered in net/rds/af_rds.c in the Linux kernel before ...)
- linux 4.11.6-1
@@ -32622,12 +32740,15 @@ CVE-2014-10376 (The i-recommend-this plugin before 3.7.3 for WordPress has SQL i
NOT-FOR-US: i-recommend-this plugin for WordPress
CVE-2019-15099 (drivers/net/wireless/ath/ath10k/usb.c in the Linux kernel through 5.2. ...)
- linux 5.3.15-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://lore.kernel.org/linux-wireless/20190804003101.11541-1-benquike@gmail.com/T/#u
CVE-2019-15098 (drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2. ...)
{DLA-2068-1}
- linux 5.3.7-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
NOTE: https://lore.kernel.org/linux-wireless/20190804002905.11292-1-benquike@gmail.com/T/#u
CVE-2019-15090 (An issue was discovered in drivers/scsi/qedi/qedi_dbg.c in the Linux k ...)
- linux 5.2.6-1
@@ -32790,11 +32911,14 @@ CVE-2019-15032 (Pydio 6.0.8 mishandles error reporting when a directory allows u
- ajaxplorer <itp> (bug #668381)
CVE-2019-15031 (In the Linux kernel through 5.2.14 on the powerpc platform, a local us ...)
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
[stretch] - linux <not-affected> (Vulnerable code introduced later)
[jessie] - linux <not-affected> (Vulnerable code introduced later)
NOTE: https://git.kernel.org/linus/a8318c13e79badb92bc6640704a64cc022a6eb97
CVE-2019-15030 (In the Linux kernel through 5.2.14 on the powerpc platform, a local us ...)
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/8205d5d98ef7f155de211f5e2eb6ca03d95a5a60
CVE-2019-15029 (FusionPBX 4.4.8 allows an attacker to execute arbitrary system command ...)
@@ -33289,6 +33413,8 @@ CVE-2019-14902 (There is an issue in all samba 4.11.x versions before 4.11.5, al
CVE-2019-14901 (A heap overflow flaw was found in the Linux kernel, all versions 3.x.x ...)
{DLA-2068-1}
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/2
CVE-2019-14900
RESERVED
@@ -33300,14 +33426,20 @@ CVE-2019-14898 [RHEL-7 specific incompete fix issue for CVE-2019-11599]
CVE-2019-14897 (A stack-based buffer overflow was found in the Linux kernel, version k ...)
{DLA-2068-1}
- linux <unfixed>
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/1
CVE-2019-14896 (A heap-based buffer overflow vulnerability was found in the Linux kern ...)
{DLA-2068-1}
- linux <unfixed>
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/1
CVE-2019-14895 (A heap-based buffer overflow was discovered in the Linux kernel, all v ...)
{DLA-2068-1}
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://www.openwall.com/lists/oss-security/2019/11/22/1
CVE-2019-14894
RESERVED
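Review bot: CVE-2019-14897 and CVE-2019-14896 gain fixed versions for buster (4.19.98-1) and stretch (4.9.210-1), but their unversioned line remains `- linux <unfixed>`, while CVE-2019-14895 in the same hunk records 5.4.13-1. If unstable is still open for these two, that is fine as written; if the fix has already been uploaded there, update the unversioned line in this change so the entry does not show stable as fixed and unstable as vulnerable longer than is true.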
@@ -33708,13 +33840,19 @@ CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.50, in the
CVE-2019-14816 (There is heap-based buffer overflow in kernel, all versions up to, exc ...)
{DLA-1930-1}
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
CVE-2019-14815 (A vulnerability was found in Linux Kernel, where a Heap Overflow was f ...)
{DLA-1930-1}
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Vulnerability introduced later)
CVE-2019-14814 (There is heap-based buffer overflow in Linux kernel, all versions up t ...)
{DLA-1930-1}
- linux 5.2.17-1
+ [buster] - linux 4.19.87-1
+ [stretch] - linux 4.9.210-1
CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.50, in the sets ...)
{DSA-4518-1 DLA-1915-1}
- ghostscript 9.28~~rc2~dfsg-1
@@ -33765,7 +33903,7 @@ CVE-2019-14807 (In the MobileFrontend extension 1.31 through 1.33 for MediaWiki,
CVE-2019-14806 (Pallets Werkzeug before 0.15.3, when used with Docker, has insufficien ...)
- python-werkzeug 0.15.6+dfsg1-1 (low; bug #940935)
[buster] - python-werkzeug 0.14.1+dfsg1-4+deb10u1
- [stretch] - python-werkzeug <no-dsa> (Minor issue)
+ [stretch] - python-werkzeug 0.11.15+dfsg1-1+deb9u1
[jessie] - python-werkzeug <not-affected> (Vulnerable code not present)
NOTE: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
CVE-2019-14805 (studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the ...)
@@ -33921,8 +34059,6 @@ CVE-2019-14746 (A issue was discovered in KuaiFanCMS 5.0. It allows eval injecti
NOT-FOR-US: KuaiFanCMS
CVE-2019-14745 (In radare2 before 3.7.0, a command injection vulnerability exists in b ...)
- radare2 3.9.0+dfsg-1 (bug #934204)
- [buster] - radare2 <no-dsa> (Minor issue)
- [stretch] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/pull/14690
NOTE: When fixing this ussue make sure to not only apply the initial commits but
NOTE: as well the followups to avoid opening CVE-2019-16718:
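Review bot: for radare2 under CVE-2019-14745 both release-specific `<no-dsa>` lines are removed and no fixed version is recorded for buster or stretch, which leaves those releases covered only by the unversioned `3.9.0+dfsg-1` line. This diff removes the buster and stretch lines from the other radare2 entries as well (CVE-2019-12865, CVE-2019-12829, CVE-2019-12802, CVE-2019-12790), so the reason should be stated once, in the commit message or a NOTE, rather than left to be inferred from the removals.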
@@ -34270,6 +34406,8 @@ CVE-2019-14616
RESERVED
CVE-2019-14615 (Insufficient control flow in certain data structures for some Intel(R) ...)
- linux 5.4.13-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux <not-affected> (Driver doesn't support this hardware)
NOTE: https://git.kernel.org/linus/bc8a76a152c5f9ef3b48104154a65a68a8b76946
CVE-2019-14614
@@ -38752,8 +38890,8 @@ CVE-2019-13567 (The Zoom Client before 4.4.53932.0709 on macOS allows remote cod
NOT-FOR-US: Zoom
CVE-2019-13566 (An issue was discovered in the ROS communications-related packages (ak ...)
- ros-ros-comm 1.14.3+ds1-10 (bug #945361)
- [buster] - ros-ros-comm <no-dsa> (Minor issue)
- [stretch] - ros-ros-comm <no-dsa> (Minor issue)
+ [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
+ [stretch] - ros-ros-comm 1.12.6-2+deb9u1
NOTE: https://github.com/ros/ros_comm/issues/1735
NOTE: https://github.com/ros/ros_comm/pull/1771
CVE-2019-13565 (An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL ...)
@@ -38877,7 +39015,7 @@ CVE-2019-13509 (In Docker CE and EE before 18.09.8 (as well as Docker EE before
- docker.io 18.09.1+dfsg1-8 (bug #932673)
CVE-2019-13508 (FreeTDS through 1.1.11 has a Buffer Overflow. ...)
- freetds 1.1.6-1.1 (bug #944012)
- [buster] - freetds <no-dsa> (Minor issue)
+ [buster] - freetds 1.00.104-1+deb10u1
[stretch] - freetds <not-affected> (Vulnerable code introduced in 0.95 upstream)
[jessie] - freetds <not-affected> (Vulnerable code introduced in 0.95 upstream)
NOTE: https://github.com/FreeTDS/freetds/commit/0df4eb82a0e3ff844e373d7c9f9c6c813925e2ac
@@ -38993,8 +39131,8 @@ CVE-2019-13466 (Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Das
NOT-FOR-US: Western Digital SSD Dashboard and SanDisk SSD Dashboard
CVE-2019-13465 (An issue was discovered in the ROS communications-related packages (ak ...)
- ros-ros-comm 1.14.3+ds1-10 (bug #947946)
- [buster] - ros-ros-comm <no-dsa> (Minor issue)
- [stretch] - ros-ros-comm <no-dsa> (Minor issue)
+ [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
+ [stretch] - ros-ros-comm 1.12.6-2+deb9u1
NOTE: https://github.com/ros/ros_comm/issues/1752
NOTE: https://github.com/ros/ros_comm/pull/1763
CVE-2019-13464 (An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2 ...)
@@ -39080,8 +39218,8 @@ CVE-2019-13446
REJECTED
CVE-2019-13445 (An issue was discovered in the ROS communications-related packages (ak ...)
- ros-ros-comm 1.14.3+ds1-11 (bug #947947)
- [buster] - ros-ros-comm <no-dsa> (Minor issue)
- [stretch] - ros-ros-comm <no-dsa> (Minor issue)
+ [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
+ [stretch] - ros-ros-comm 1.12.6-2+deb9u2
NOTE: https://github.com/ros/ros_comm/issues/1738
NOTE: https://github.com/ros/ros_comm/pull/1741
CVE-2019-13444
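Review bot: the stretch version recorded for CVE-2019-13445 is `1.12.6-2+deb9u2`, but the other two ros-ros-comm entries touched by this diff (CVE-2019-13566 and CVE-2019-13465) record `1.12.6-2+deb9u1`, and buster is `+deb10u1` for all three. If CVE-2019-13445 really needed a second stretch upload, keep it; otherwise correct it to `+deb9u1`, since the higher version would leave hosts running deb9u1 reported as vulnerable.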
@@ -39604,7 +39742,7 @@ CVE-2019-13242 (IrfanView 4.52 has a User Mode Write AV starting at image0040000
CVE-2019-13241 (FlightCrew v0.9.2 and older are vulnerable to a directory traversal, a ...)
- flightcrew 0.7.2+dfsg-14
[buster] - flightcrew 0.7.2+dfsg-13+deb10u1
- [stretch] - flightcrew <no-dsa> (Minor issue, can be fixed via point release)
+ [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/52
CVE-2019-13240 (An issue was discovered in GLPI before 9.4.1. After a successful passw ...)
- glpi <removed> (unimportant)
@@ -39813,7 +39951,7 @@ CVE-2019-13174
CVE-2019-13173 (fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extra ...)
- node-fstream 1.0.12-1 (bug #931408)
[buster] - node-fstream 1.0.10-1+deb10u1
- [stretch] - node-fstream <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-fstream 1.0.10-1+deb9u1
[jessie] - node-fstream <ignored> (Nodejs in jessie not covered by security support)
NOTE: https://www.npmjs.com/advisories/886
NOTE: https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22
@@ -40232,6 +40370,7 @@ CVE-2019-13033
CVE-2019-13032 (An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL point ...)
- flightcrew 0.7.2+dfsg-14 (unimportant; bug #931246)
[buster] - flightcrew 0.7.2+dfsg-13+deb10u1
+ [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/53
NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/c75c100218ed5c0e7652947051e28b54a75212ae
NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/b4f4a70f604ddcb4e8e343aa0e690764fc46d780
@@ -40428,8 +40567,8 @@ CVE-2019-12966 (FeHelper through 2019-06-19 allows arbitrary code execution duri
CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the functi ...)
{DLA-1851-1}
- openjpeg2 2.3.1-1 (low; bug #931294)
- [buster] - openjpeg2 <no-dsa> (Minor issue)
- [stretch] - openjpeg2 <no-dsa> (Minor issue)
+ [buster] - openjpeg2 2.3.0-2+deb10u1
+ [stretch] - openjpeg2 2.1.2-1.1+deb9u4
NOTE: https://github.com/uclouvain/openjpeg/issues/431
NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949
NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e
@@ -40703,8 +40842,6 @@ CVE-2019-12866 (An Insecure Direct Object Reference, with Authorization Bypass t
NOT-FOR-US: JetBrains YouTrack
CVE-2019-12865 (In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a dou ...)
- radare2 3.8.0+dfsg-1 (bug #930704)
- [buster] - radare2 <no-dsa> (Minor issue)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/14334
NOTE: https://github.com/radare/radare2/commit/40453029179d230cf02ffed205f2d63e33981b8f
@@ -40798,8 +40935,6 @@ CVE-2019-12830 (In MyBB before 1.8.21, an attacker can exploit a parsing flaw in
NOT-FOR-US: MyBB
CVE-2019-12829 (radare2 through 3.5.1 mishandles the RParse API, which allows remote a ...)
- radare2 3.8.0+dfsg-1 (bug #930590)
- [buster] - radare2 <no-dsa> (Minor issue)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/14303
NOTE: https://github.com/radare/radare2/commit/b282620b7a8818910c42a29b8f0855a2d13eec14
@@ -40872,8 +41007,6 @@ CVE-2019-12803 (In Hunesion i-oneNet version 3.0.7 ~ 3.0.53 and 4.0.4 ~ 4.0.16,
NOT-FOR-US: Hunesion i-oneNet
CVE-2019-12802 (In radare2 through 3.5.1, the rcc_context function of libr/egg/egg_lan ...)
- radare2 3.8.0+dfsg-1 (bug #930510)
- [buster] - radare2 <no-dsa> (Minor issue)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/14296
CVE-2019-12801 (out/out.GroupMgr.php in SeedDMS 5.1.11 has Stored XSS by making a new ...)
@@ -40938,8 +41071,6 @@ CVE-2019-12791 (A directory traversal vulnerability in the v-list-user script in
NOT-FOR-US: Vesta Control Panel
CVE-2019-12790 (In radare2 through 3.5.1, there is a heap-based buffer over-read in th ...)
- radare2 3.8.0+dfsg-1 (bug #930344)
- [buster] - radare2 <no-dsa> (Minor issue)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/14211
CVE-2019-12789 (An issue was discovered on Actiontec T2200H T2200H-31.128L.08 devices, ...)
@@ -41369,6 +41500,8 @@ CVE-2019-12615 (An issue was discovered in get_vdev_port_node_info in arch/sparc
NOTE: only be invoked by root or the hypervisor. Probably no security impact.
CVE-2019-12614 (An issue was discovered in dlpar_parse_cc_property in arch/powerpc/pla ...)
- linux 5.3.7-1 (unimportant)
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
NOTE: https://lkml.org/lkml/2019/6/3/526
NOTE: This is a potential null pointer dereference that looks like it can
NOTE: only be invoked by root or the hypervisor. Probably no security impact.
@@ -42826,8 +42959,8 @@ CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through
[stretch] - php-horde-trean <no-dsa> (Minor issue)
[jessie] - php-horde-trean <no-dsa> (Minor issue)
- php-horde 5.2.21+debian0-1
- [buster] - php-horde <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - php-horde <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - php-horde 5.2.20+debian0-1+deb10u1
+ [stretch] - php-horde 5.2.13+debian0-1+deb9u1
NOTE: https://github.com/horde/base/commit/81a7b53973506856db67e7f0b0263be29528aa75
NOTE: https://bugs.horde.org/ticket/14926 (for the stored XSS)
CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin ...)
@@ -44717,6 +44850,7 @@ CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3
CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...)
{DLA-1882-1 DLA-1881-1}
- atril 1.22.3-1 (unimportant; bug #927821)
+ [buster] - atril 1.20.3-1+deb10u1
- evince 3.32.0-3 (unimportant; bug #927820)
NOTE: https://gitlab.gnome.org/GNOME/evince/issues/1129
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7
@@ -46633,7 +46767,7 @@ CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower
CVE-2019-10746 (mixin-deep is vulnerable to Prototype Pollution in versions before 1.3 ...)
- node-mixin-deep 2.0.1-1 (bug #932500)
[buster] - node-mixin-deep 1.1.3-3+deb10u1
- [stretch] - node-mixin-deep <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-mixin-deep 1.1.3-1+deb9u1
NOTE: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
NOTE: https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
NOTE: https://github.com/jonschlinkert/mixin-deep/issues/6
@@ -46658,7 +46792,7 @@ CVE-2019-10741 (K-9 Mail v5.600 can include the original quoted HTML code of a s
NOT-FOR-US: K-9 Mail
CVE-2019-10740 (In Roundcube Webmail before 1.3.10, an attacker in possession of S/MIM ...)
- roundcube 1.3.10+dfsg.1-1 (bug #927713)
- [buster] - roundcube <ignored> (Relies on php-crypt-gpg, not in buster)
+ [buster] - roundcube 1.3.10+dfsg.1-1~deb10u1
[stretch] - roundcube <ignored> (Relies on php-crypt-gpg, not in stretch. Old version in 1.3 doesn't verify signature anyway)
NOTE: https://github.com/roundcube/roundcubemail/issues/6638
NOTE: https://github.com/roundcube/roundcubemail/commit/de25226d310de11f6a9eb0aa7ea1c90d82dc70d8 (release-1.3)
@@ -47937,6 +48071,8 @@ CVE-2019-10221
CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...)
{DLA-2068-1}
- linux 5.3.9-1
+ [buster] - linux 4.19.98-1
+ [stretch] - linux 4.9.210-1
CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...)
- libhibernate-validator-java <unfixed> (bug #948235)
[buster] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later.)
@@ -48204,7 +48340,7 @@ CVE-2019-10161 (It was discovered that libvirtd before versions 4.10.1 and 5.4.1
NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=aed6a032cead4386472afb24b16196579e239580
CVE-2019-10160 (A security regression of CVE-2019-9636 was discovered in python since ...)
- python3.7 3.7.4~rc2-2
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u1
- python3.6 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
- python3.5 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
- python3.4 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
@@ -48856,7 +48992,7 @@ CVE-2019-9949 (Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, E
CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: scheme, w ...)
{DLA-1852-1 DLA-1834-1}
- python3.7 3.7.4~rc2-2
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u1
- python3.6 <removed>
- python3.5 <removed>
- python3.4 <removed>
@@ -48871,7 +49007,7 @@ CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: sche
CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 and ur ...)
{DLA-1835-1 DLA-1834-1}
- python3.7 3.7.4~rc2-2
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u1
- python3.6 <removed>
- python3.5 <removed>
- python3.4 <removed>
@@ -49836,6 +49972,7 @@ CVE-2019-1010007
CVE-2019-1010006 (Evince 3.26.0 is affected by buffer overflow. The impact is: DOS / Pos ...)
{DLA-1882-1 DLA-1881-1}
- atril 1.22.2-1
+ [buster] - atril 1.20.3-1+deb10u1
- evince 3.27.92-1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=788980
NOTE: https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4cdb6326e329c8f61f9cc19ff9331cb0ce (3.27.91)
@@ -50414,7 +50551,7 @@ CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection
CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 and ur ...)
{DLA-1835-1 DLA-1834-1}
- python3.7 3.7.4~rc2-2
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u1
- python3.6 <removed>
- python3.5 <removed>
- python3.4 <removed>
@@ -50653,6 +50790,7 @@ CVE-2019-9656 (An issue was discovered in LibOFX 0.9.14. There is a NULL pointer
{DLA-2001-1}
- libofx 1:0.9.15-1 (unimportant; bug #924350)
[buster] - libofx 1:0.9.14-1+deb10u1
+ [stretch] - libofx 1:0.9.10-2+deb9u2
NOTE: https://github.com/libofx/libofx/issues/22
NOTE: Negligible security impact
CVE-2019-9655
@@ -51083,7 +51221,6 @@ CVE-2019-9519
CVE-2019-9518 (Some HTTP/2 implementations are vulnerable to a flood of empty frames, ...)
{DSA-4520-1}
- trafficserver 8.0.5+ds-1 (bug #935314)
- [stretch] - trafficserver <end-of-life> (see DSA 4520)
NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
NOTE: https://github.com/apache/trafficserver/pull/5850
NOTE: https://github.com/apache/trafficserver/blob/8.0.x/CHANGELOG-8.0.5
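Review bot: deleting "[stretch] - trafficserver <end-of-life> (see DSA 4520)" leaves CVE-2019-9518 with no stretch entry for trafficserver, and the commit message does not say why. That is consistent only if trafficserver is leaving stretch with 9.12, so please state the removal in the commit message. Here the {DSA-4520-1} cross-reference still carries the pointer, but the CVE-2018-11783 hunk has no such line, so the DSA 4520 reference disappears from that entry altogether.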
@@ -51105,7 +51242,6 @@ CVE-2019-9516 (Some HTTP/2 implementations are vulnerable to a header leak, pote
CVE-2019-9515 (Some HTTP/2 implementations are vulnerable to a settings flood, potent ...)
{DSA-4520-1 DSA-4508-1}
- trafficserver 8.0.5+ds-1 (bug #934887)
- [stretch] - trafficserver <end-of-life> (see DSA 4520)
- h2o 2.2.5+dfsg2-3 (bug #934886)
NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
@@ -51128,7 +51264,6 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote
[stretch] - nodejs <not-affected> (No HTTP2 support yet)
[jessie] - nodejs <not-affected> (No HTTP2 support yet)
- trafficserver 8.0.5+ds-1 (bug #934887)
- [stretch] - trafficserver <end-of-life> (see DSA 4520)
- h2o 2.2.5+dfsg2-3 (bug #934886)
NOTE: Issue: https://github.com/golang/go/issues/33606
NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11)
@@ -51166,7 +51301,6 @@ CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potent
[jessie] - golang <not-affected> (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
- trafficserver 8.0.5+ds-1 (bug #934887)
- [stretch] - trafficserver <end-of-life> (see DSA 4520)
- h2o 2.2.5+dfsg2-3 (bug #934886)
NOTE: Issue: https://github.com/golang/go/issues/33606
NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11)
@@ -51378,6 +51512,7 @@ CVE-2019-9446 (In the Android kernel in the FingerTipS touchscreen driver there
NOT-FOR-US: Android kernel
CVE-2019-9445 (In the Android kernel in F2FS driver there is a possible out of bounds ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.98-1
NOTE: https://git.kernel.org/linus/720db068634c91553a8e1d9a0fcd8c7050e06d2b
CVE-2019-9444 (In the Android kernel in sync debug fs driver there is a kernel pointe ...)
- linux 4.15.4-1
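Review bot: CVE-2019-9445 gains a [buster] line only, while the other linux entries touched in this commit (CVE-2019-10220, CVE-2019-0136) also record 4.9.210-1 for stretch. With no stretch entry the tracker keeps stretch open against 5.2.6-1. If that is intended, fine; if stretch has been triaged, record the result explicitly so the gap does not read as an omission.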
@@ -54581,8 +54716,8 @@ CVE-2019-8288 (Vulnerability in Online Store v1.0, Stored XSS in user_view.php w
CVE-2019-8287 (TightVNC code version 1.3.10 contains global buffer overflow in Handle ...)
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (bug #945364)
- [buster] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
NOTE: same as CVE-2018-20020/libvncserver
CVE-2019-8286 (Information Disclosure in Kaspersky Anti-Virus, Kaspersky Internet Sec ...)
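Review bot: the added buster version "1:1.3.9-9deb10u1" has no "+" before "deb10u1", unlike the stretch line "1:1.3.9-9+deb9u1" directly below it. If that is the string that was actually uploaded it has to stay as is, but please confirm: under dpkg ordering letters sort before "+", so this buster version compares lower than the stretch one. The same string is added again in the CVE-2018-20022, CVE-2018-20021 and CVE-2018-7225 hunks.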
@@ -62304,7 +62439,7 @@ CVE-2019-5189
RESERVED
CVE-2019-5188 (A code execution vulnerability exists in the directory rehashing funct ...)
- e2fsprogs 1.45.5-1 (bug #948508)
- [buster] - e2fsprogs <no-dsa> (Minor issue)
+ [buster] - e2fsprogs 1.44.5-1+deb10u3
[stretch] - e2fsprogs <no-dsa> (Minor issue)
[jessie] - e2fsprogs <no-dsa> (Minor issue; exploit would require providing malicious filesystem)
NOTE: Fixed by: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?id=8dd73c149f418238f19791f9d666089ef9734dff
@@ -62571,7 +62706,7 @@ CVE-2019-5069 (A code execution vulnerability exists in Epignosis eFront LMS v5.
CVE-2019-5068 (An exploitable shared memory permissions vulnerability exists in the f ...)
{DLA-1993-1}
- mesa 19.2.6-1 (low; bug #944298)
- [buster] - mesa <no-dsa> (Minor issue)
+ [buster] - mesa 18.3.6-2+deb10u1
[stretch] - mesa <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857
NOTE: https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html
@@ -65998,13 +66133,13 @@ CVE-2019-3575 (Sqla_yaml_fixtures 0.9.1 allows local users to execute arbitrary
CVE-2019-3574 (In libsixel v1.8.2, there is a heap-based buffer over-read in the func ...)
- libsixel 1.8.2-2 (low; bug #922460)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/83
CVE-2019-3573 (In libsixel v1.8.2, there is an infinite loop in the function sixel_de ...)
- libsixel 1.8.2-2 (low; bug #922460)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <postponed> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/83
CVE-2019-3572 (An issue was discovered in libming 0.4.8. There is a heap-based buffer ...)
@@ -66981,43 +67116,36 @@ CVE-2018-20462 (An issue was discovered in the JSmol2WP plugin 1.07 for WordPres
NOT-FOR-US: JSmol2WP plugin for WordPress
CVE-2018-20461 (In radare2 prior to 3.1.1, core_anal_bytes in libr/core/cmd_anal.c all ...)
- radare2 3.1.2+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/a1bc65c3db593530775823d6d7506a457ed95267
NOTE: https://github.com/radare/radare2/issues/12375
CVE-2018-20460 (In radare2 prior to 3.1.2, the parseOperands function in libr/asm/arch ...)
- radare2 3.1.2+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/df167c7db545953bb7f71c72e98e7a3ca0c793bf
NOTE: https://github.com/radare/radare2/issues/12376
CVE-2018-20459 (In radare2 through 3.1.3, the armass_assemble function in libr/asm/arc ...)
- radare2 3.2.1+dfsg-1 (low; bug #917322)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/e5c14c167b0dcf0a53d76bd50bacbbcc0dfc1ae7
NOTE: https://github.com/radare/radare2/issues/12418
CVE-2018-20458 (In radare2 prior to 3.1.1, r_bin_dyldcache_extract in libr/bin/format/ ...)
- radare2 3.1.2+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/30f4c7b52a4e2dc0d0b1bae487d90f5437c69d19
NOTE: https://github.com/radare/radare2/issues/12374
CVE-2018-20457 (In radare2 through 3.1.3, the assemble function inside libr/asm/p/asm_ ...)
- radare2 3.2.1+dfsg-1 (low; bug #917322)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/e5c14c167b0dcf0a53d76bd50bacbbcc0dfc1ae7
NOTE: https://github.com/radare/radare2/issues/12417
CVE-2018-20456 (In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p ...)
- radare2 3.1.2+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/9b46d38dd3c4de6048a488b655c7319f845af185
NOTE: https://github.com/radare/radare2/issues/12372
CVE-2018-20455 (In radare2 prior to 3.1.1, the parseOperand function inside libr/asm/p ...)
- radare2 3.1.2+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/9b46d38dd3c4de6048a488b655c7319f845af185
NOTE: https://github.com/radare/radare2/issues/12373
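Review bot: every "[stretch] - radare2 <no-dsa> (Minor issue)" line in this hunk (CVE-2018-20461 through CVE-2018-20455) is deleted with nothing added in its place, and the commit message does not explain it. That only makes sense if radare2 leaves stretch with 9.12, so please say so in the commit message. If the package stays, these entries would show stretch as open against 3.1.2+dfsg-1 and 3.2.1+dfsg-1 with the earlier triage decision gone.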
@@ -68946,7 +69074,9 @@ CVE-2019-2975 (Vulnerability in the Java SE, Java SE Embedded product of Oracle
- openjdk-8 8u232-b09-1
CVE-2019-2974 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mariadb-10.3 1:10.3.19-1
+ [buster] - mariadb-10.3 1:10.3.22-0+deb10u1
- mariadb-10.1 <removed>
+ [stretch] - mariadb-10.1 10.1.44-0+deb9u1
- mysql-5.7 <unfixed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
NOTE: MySQL: https://github.com/mysql/mysql-server/commit/52d9daf06478851548251ec2103cdc22178c48c4
@@ -69048,6 +69178,7 @@ CVE-2019-2939 (Vulnerability in the Core RDBMS component of Oracle Database Serv
CVE-2019-2938 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-5.7 <unfixed> (bug #942443)
- mariadb-10.3 1:10.3.19-1
+ [buster] - mariadb-10.3 1:10.3.22-0+deb10u1
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2937 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...)
NOT-FOR-US: Oracle
@@ -71009,8 +71140,8 @@ CVE-2019-2229 (In updateWidget of BaseWidgetProvider.java, there is a possible l
CVE-2019-2228 (In array_find of array.c, there is a possible out-of-bounds read due t ...)
{DLA-2047-1}
- cups 2.3.1-1 (bug #946782)
- [buster] - cups <no-dsa> (Minor issue)
- [stretch] - cups <no-dsa> (Minor issue)
+ [buster] - cups 2.2.10-6+deb10u2
+ [stretch] - cups 2.2.1-8+deb9u5
NOTE: https://github.com/apple/cups/commit/b018978c278d42c7abf78941251b887c95dfdb07 (master, v2.3.1)
NOTE: https://github.com/apple/cups/commit/8c9b3606cca99e5dfc51784a9de1634345db7579 (v2.2.13)
CVE-2019-2227 (In DeepCopy of btif_av.cc, there is a possible out of bounds read due ...)
@@ -71040,6 +71171,7 @@ CVE-2019-2216
CVE-2019-2215 (A use-after-free in binder.c allows an elevation of privilege from an ...)
{DLA-2068-1}
- linux 4.15.4-1
+ [stretch] - linux 4.9.210-1
NOTE: Fixed by: https://git.kernel.org/linus/f5cb779ba16334b45ba8946d6bfa6d9834d1527f
CVE-2019-2214 (In binder_transaction of binder.c, there is a possible out of bounds w ...)
- linux 5.2.6-1
@@ -71564,6 +71696,7 @@ CVE-2018-20024 (LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 co
{DSA-4383-1 DLA-2016-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/254
@@ -71573,6 +71706,7 @@ CVE-2018-20023 (LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/253
NOTE: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858
@@ -71581,10 +71715,11 @@ CVE-2018-20022 (LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
{DSA-4383-1 DLA-2045-1 DLA-2016-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- tightvnc 1:1.3.9-9.1
- [buster] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/252
NOTE: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
@@ -71593,10 +71728,11 @@ CVE-2018-20021 (LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c co
{DSA-4383-1 DLA-2045-1 DLA-2016-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- tightvnc 1:1.3.9-9.1
- [buster] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/251
NOTE: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
@@ -71628,6 +71764,7 @@ CVE-2018-20019 (LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f co
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
NOTE: https://github.com/LibVNC/libvncserver/issues/247
NOTE: https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-029-libvnc-multiple-heap-out-of-bound-vulnerabilities/
@@ -73015,13 +73152,11 @@ CVE-2018-19844 (FROG CMS 0.9.5 has XSS via the admin/?/snippet/add name paramete
NOT-FOR-US: FROG CMS
CVE-2018-19843 (opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows attack ...)
- radare2 3.1.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code not present in libr/asm/p/asm_x86_nz.c)
NOTE: https://github.com/radare/radare2/commit/f17bfd9f1da05f30f23a4dd05e9d2363e1406948
NOTE: https://github.com/radare/radare2/issues/12242
CVE-2018-19842 (getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows att ...)
- radare2 3.1.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code not present in libr/asm/p/asm_x86_nz.c)
NOTE: https://github.com/radare/radare2/commit/66191f780863ea8c66ace4040d0d04a8842e8432
NOTE: https://github.com/radare/radare2/issues/12239
@@ -73237,21 +73372,21 @@ CVE-2018-19764
CVE-2018-19763 (There is a heap-based buffer over-read at writer.c (function: write_pn ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/82
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649201 (reproducer)
CVE-2018-19762 (There is a heap-based buffer overflow at fromsixel.c (function: image_ ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/81
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649199 (reproducer)
CVE-2018-19761 (There is an illegal address access at fromsixel.c (function: sixel_dec ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/78
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649200 (reproducer)
@@ -73265,7 +73400,7 @@ CVE-2018-19760 (cfg_init in confuse.c in libConfuse 3.2.2 has a memory leak. ...
CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (function: ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/77
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649202 (reproducer)
@@ -73281,14 +73416,14 @@ CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_hea
CVE-2018-19757 (There is a NULL pointer dereference at function sixel_helper_set_addit ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/79
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649197 (reproducer)
CVE-2018-19756 (There is a heap-based buffer over-read at stb_image.h (function: stbi_ ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/80
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649198 (reproducer)
@@ -77636,7 +77771,7 @@ CVE-2019-0136 (Insufficient access control in the Intel(R) PROSet/Wireless WiFi
{DLA-1930-1 DLA-1919-1}
- linux 5.2.6-1
[buster] - linux 4.19.67-1
- [stretch] - linux 4.9.185-1
+ [stretch] - linux 4.9.210-1
NOTE: https://git.kernel.org/linus/79c92ca42b5a3e0ea172ea2ce8df8e125af237da
NOTE: https://git.kernel.org/linus/588f7d39b3592a36fb7702ae3b8bdd9be4621e2f
CVE-2019-0135 (Improper permissions in the installer for Intel(R) Accelerated Storage ...)
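Review bot: the stretch fixed version for CVE-2019-0136 moves from 4.9.185-1 to 4.9.210-1 without a NOTE saying why, although the entry already carries {DLA-1930-1 DLA-1919-1} and two upstream commits. Raising a fixed version reopens the CVE for every stretch host between those two versions, so add a NOTE recording what was missing from 4.9.185-1, for example which of the two listed commits only arrived in 4.9.210-1.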
@@ -86877,7 +87012,6 @@ CVE-2018-15835 (Android 1.0 through 9.0 has Insecure Permissions. The Android bu
NOT-FOR-US: Android
CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in the r ...)
- radare2 2.9.0+dfsg-1
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code added later in 0.9.8)
NOTE: https://github.com/radare/radare2/issues/11274
NOTE: https://github.com/radare/radare2/pull/11300
@@ -88575,6 +88709,7 @@ CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de co
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
NOTE: https://github.com/LibVNC/libvncserver/issues/243
NOTE: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/
@@ -91512,13 +91647,13 @@ CVE-2018-14074
RESERVED
CVE-2018-14073 (libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c ...)
- libsixel 1.8.2-1 (low; bug #903858)
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <postponed> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/67#issuecomment-404989926
NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27
CVE-2018-14072 (libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, ...)
- libsixel 1.8.2-1 (low; bug #903858)
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <postponed> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/67#issue-341198610
NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27
@@ -91721,19 +91856,16 @@ CVE-2018-14018
RESERVED
CVE-2018-14017 (The r_bin_java_annotation_new function in shlr/java/class.c in radare2 ...)
- radare2 2.8.0+dfsg-1 (bug #903726)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/e9ce0d64faf19fa4e9c260250fbdf25e3c11e152
NOTE: https://github.com/radare/radare2/issues/10498
CVE-2018-14016 (The r_bin_mdmp_init_directory_entry function in mdmp.c in radare2 2.7. ...)
- radare2 2.8.0+dfsg-1 (bug #903725)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/eb7deb281df54771fb8ecf5890dc325a7d22d3e2
NOTE: https://github.com/radare/radare2/issues/10464
CVE-2018-14015 (The sdb_set_internal function in sdb.c in radare2 2.7.0 allows remote ...)
- radare2 2.8.0+dfsg-1 (bug #903724)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/d37d2b858ac47f2f108034be0bcecadaddfbc8b3
NOTE: https://github.com/radare/radare2/issues/10465
@@ -93773,12 +93905,14 @@ CVE-2018-13095 (An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the
CVE-2018-13094 (An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux ...)
{DLA-1529-1}
- linux 4.17.14-1
+ [stretch] - linux 4.9.210-1
[jessie] - linux-4.9 <unfixed>
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199969
NOTE: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a
CVE-2018-13093 (An issue was discovered in fs/xfs/xfs_icache.c in the Linux kernel thr ...)
{DLA-1529-1}
- linux 4.17.14-1
+ [stretch] - linux 4.9.210-1
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199367
NOTE: https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=afca6c5b2595fc44383919fba740c194b0b76aff
CVE-2018-13092 (The mintToken function of a smart contract implementation for Reimburs ...)
@@ -96127,19 +96261,16 @@ CVE-2018-12323 (An issue was discovered on Momentum Axel 720P 5.1.8 devices. A p
NOT-FOR-US: Momentum Axel 720P 5.1.8 devices
CVE-2018-12322 (There is a heap out of bounds read in radare2 2.6.0 in _6502_op() in l ...)
- radare2 2.7.0+dfsg-1 (low; bug #901628)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/bbb4af56003c1afdad67af0c4339267ca38b1017
NOTE: https://github.com/radare/radare2/issues/10294
CVE-2018-12321 (There is a heap out of bounds read in radare2 2.6.0 in java_switch_op( ...)
- radare2 2.7.0+dfsg-1 (low; bug #901629)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/224e6bc13fa353dd3b7f7a2334588f1c4229e58d
NOTE: https://github.com/radare/radare2/issues/10296
CVE-2018-12320 (There is a use after free in radare2 2.6.0 in r_anal_bb_free() in libr ...)
- radare2 2.7.0+dfsg-1 (low; bug #901630)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/90b71c017a7fa9732fe45fd21b245ee051b1f548
NOTE: https://github.com/radare/radare2/issues/10293
@@ -97564,7 +97695,6 @@ CVE-2018-11784 (When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9
NOTE: https://svn.apache.org/r1840057 (7.0.x)
CVE-2018-11783 (sslheaders plugin extracts information from the client certificate and ...)
- trafficserver 8.0.2+ds-1
- [stretch] - trafficserver <end-of-life> (see DSA 4520)
NOTE: https://github.com/apache/trafficserver/pull/4701
NOTE: https://www.openwall.com/lists/oss-security/2019/02/13/6
CVE-2018-11782 (In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12 ...)
@@ -98722,14 +98852,12 @@ CVE-2018-11385 (An issue was discovered in the Security component in Symfony 2.7
NOTE: https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication
CVE-2018-11384 (The sh_op() function in radare2 2.5.0 allows remote attackers to cause ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/77c47cf873dd55b396da60baa2ca83bbd39e4add
NOTE: https://github.com/radare/radare2/issues/9903
CVE-2018-11383 (The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a
@@ -98740,35 +98868,30 @@ CVE-2018-11382 (The _inst__sts() function in radare2 2.5.0 allows remote attacke
NOTE: https://github.com/radare/radare2/issues/10091
CVE-2018-11381 (The string_scan_range() function in radare2 2.5.0 allows remote attack ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/3fcf41ed96ffa25b38029449520c8d0a198745f3
NOTE: https://github.com/radare/radare2/issues/9902
CVE-2018-11380 (The parse_import_ptr() function in radare2 2.5.0 allows remote attacke ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/60208765887f5f008b3b9a883f3addc8bdb9c134
NOTE: https://github.com/radare/radare2/issues/9970
CVE-2018-11379 (The get_debug_info() function in radare2 2.5.0 allows remote attackers ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/4e1cf0d3e6f6fe2552a269def0af1cd2403e266c
NOTE: https://github.com/radare/radare2/issues/9926
CVE-2018-11378 (The wasm_dis() function in libr/asm/arch/wasm/wasm.c in or possibly ha ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <not-affected> (Vulnerable code not present)
[jessie] - radare2 <not-affected> (Vulnerable code not present)
[wheezy] - radare2 <not-affected> (Vulnerable code not present)
NOTE: https://github.com/radare/radare2/commit/bd276ef2fd8ac3401e65be7c126a43175ccfbcd7
NOTE: https://github.com/radare/radare2/issues/9969
CVE-2018-11377 (The avr_op_analyze() function in radare2 2.5.0 allows remote attackers ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/25a3703ef2e015bbe1d1f16f6b2f63bb10dd34f4
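Review bot: the stretch line deleted for CVE-2018-11378 is "<not-affected> (Vulnerable code not present)", not "<no-dsa>" like its neighbours, so this removal discards an analysis result rather than a scheduling decision. If radare2 is no longer in stretch the line is harmless to drop; otherwise keep it, since without it stretch would be compared against 2.6.0+dfsg-1 and reported as vulnerable.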
@@ -98776,7 +98899,6 @@ CVE-2018-11377 (The avr_op_analyze() function in radare2 2.5.0 allows remote att
NOTE: https://github.com/radare/radare2/issues/9901
CVE-2018-11376 (The r_read_le32() function in radare2 2.5.0 allows remote attackers to ...)
- radare2 2.6.0+dfsg-1 (low)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/1f37c04f2a762500222dda2459e6a04646feeedf
@@ -102125,14 +102247,12 @@ CVE-2018-10188 (phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker t
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c6dd6b56e236a3aff953cee4135ecaa67130e641
CVE-2018-10187 (In radare2 2.5.0, there is a heap-based buffer over-read in the dalvik ...)
- radare2 2.6.0+dfsg-1 (low; bug #897305)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/9913
NOTE: https://github.com/radare/radare2/commit/cdb278059b7b0aaaaa2315b82d0fa6ad50433db0
CVE-2018-10186 (In radare2 2.5.0, there is a heap-based buffer over-read in the r_hex_ ...)
- radare2 2.6.0+dfsg-1 (low; bug #897305)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/9915
@@ -105612,21 +105732,18 @@ CVE-2018-8811 (Cross-site request forgery (CSRF) vulnerability in system/workpla
NOT-FOR-US: OpenCMS
CVE-2018-8810 (In radare2 2.4.0, there is a heap-based buffer over-read in the get_iv ...)
- radare2 2.6.0+dfsg-1 (bug #895749)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/issues/9727
NOTE: https://github.com/radare/radare2/commit/06c9903be9a1ca46b74571d49027bee2168fbd69
CVE-2018-8809 (In radare2 2.4.0, there is a heap-based buffer over-read in the dalvik ...)
- radare2 2.6.0+dfsg-1 (low; bug #895751)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (minor issue, likely not even affected)
NOTE: https://github.com/radare/radare2/issues/9726
NOTE: https://github.com/radare/radare2/commit/24282de142000d2ed2c19783b40a1351872dfc54
CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the r_asm_ ...)
- radare2 2.6.0+dfsg-1 (low; bug #895752)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (minor issue, likely not even affected)
NOTE: https://github.com/radare/radare2/issues/9725
@@ -110023,6 +110140,7 @@ CVE-2018-1000072 (iRedMail version prior to commit f04b8ef contains a Insecure P
NOT-FOR-US: iRedMail
CVE-2018-1000071 (roundcube version 1.3.4 and earlier contains an Insecure Permissions v ...)
- roundcube 1.3.10+dfsg.1-1 (unimportant; bug #897014)
+ [buster] - roundcube 1.3.10+dfsg.1-1~deb10u1
[stretch] - roundcube 1.2.3+dfsg.1-4+deb9u2
NOTE: https://github.com/roundcube/roundcubemail/issues/6173
NOTE: https://github.com/roundcube/roundcubemail/commit/48417c5fc9f6eb4b90500c09596606d489c700b5
@@ -110213,9 +110331,10 @@ CVE-2018-7225 (An issue was discovered in LibVNCServer through 0.9.11. rfbProces
{DSA-4221-1 DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-1332-1}
- libvncserver 0.9.11+dfsg-1.1 (bug #894045)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- tightvnc 1:1.3.9-9.1
- [buster] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- vino <unfixed> (bug #945784)
NOTE: https://github.com/LibVNC/libvncserver/issues/218
NOTE: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
@@ -113065,6 +113184,7 @@ CVE-2018-6307 (LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b con
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
NOTE: https://github.com/LibVNC/libvncserver/issues/241
NOTE: https://github.com/LibVNC/libvncserver/commit/ca2a5ac02fbbadd0a21fabba779c1ea69173d10b
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-026-libvnc-heap-use-after-free/
@@ -120440,7 +120560,7 @@ CVE-2018-3720 (assign-deep node module before 0.4.7 suffers from a Modification
NOT-FOR-US: assign-deep node module
CVE-2018-3719 (mixin-deep node module before 1.3.1 suffers from a Modification of Ass ...)
- node-mixin-deep 1.1.3-2 (bug #898315)
- [stretch] - node-mixin-deep <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-mixin-deep 1.1.3-1+deb9u1
NOTE: https://nodesecurity.io/advisories/578
CVE-2018-3718 (serve node module suffers from Improper Handling of URL Encoding by pe ...)
NOT-FOR-US: serve node module
@@ -132706,7 +132826,6 @@ CVE-2017-16806 (The Process function in RemoteTaskServer/WebServer/HttpServer.cs
NOT-FOR-US: Ulterius
CVE-2017-16805 (In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a ...)
- radare2 2.1.0+dfsg-1 (bug #882134)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <not-affected> (Vulnerable code does not exist; no dwarf support)
NOTE: https://github.com/radare/radare2/commit/2ca9ab45891b6ae8e32b6c28c81eebca059cbe5d
@@ -133915,7 +134034,6 @@ CVE-2017-16360 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20
NOT-FOR-US: Adobe
CVE-2017-16359 (In radare 2.0.1, a pointer wraparound vulnerability exists in store_ve ...)
- radare2 2.1.0+dfsg-1 (bug #880616)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code introduced later)
[wheezy] - radare2 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/radare/radare2/commit/62e39f34b2705131a2d08aff0c2e542c6a52cf0e
@@ -133924,14 +134042,12 @@ CVE-2017-16359 (In radare 2.0.1, a pointer wraparound vulnerability exists in st
NOTE: https://github.com/radare/radare2/issues/8764
CVE-2017-16358 (In radare 2.0.1, an out-of-bounds read vulnerability exists in string_ ...)
- radare2 2.1.0+dfsg-1 (bug #880619)
- [stretch] - radare2 <not-affected> (Vulnerable code introduced later)
[jessie] - radare2 <not-affected> (Vulnerable code introduced later)
[wheezy] - radare2 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/radare/radare2/commit/d31c4d3cbdbe01ea3ded16a584de94149ecd31d9
NOTE: https://github.com/radare/radare2/issues/8748
CVE-2017-16357 (In radare 2.0.1, a memory corruption vulnerability exists in store_ver ...)
- radare2 2.1.0+dfsg-1 (bug #880620)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code introduced later)
[wheezy] - radare2 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/radare/radare2/commit/0b973e28166636e0ff1fad80baa0385c9c09c53a
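Review bot: the `[stretch] - radare2` lines removed in this hunk get no replacement, neither a fixed `+deb9u` version nor another state, and that includes the `<not-affected> (Vulnerable code introduced later)` entry for CVE-2017-16358. The commit message only mentions tracking the 9.12 and 10.3 point releases, so it should say why the stretch annotations for radare2 are dropped (for example, if the package is leaving stretch). Without the per-release line, stretch falls back to the unstable fixed version `2.1.0+dfsg-1` and the earlier triage result is no longer recorded.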
@@ -135351,14 +135467,12 @@ CVE-2017-15933 (SQL injection vulnerability vulnerability in the EyesOfNetwork w
NOT-FOR-US: EyesOfNetwork (EON)
CVE-2017-15932 (In radare2 2.0.1, an integer exception (negative number leading to an ...)
- radare2 2.1.0+dfsg-1 (bug #880024)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code introduced in 0.10.2)
[wheezy] - radare2 <not-affected> (Vulnerable code introduced in 0.10.2)
NOTE: https://github.com/radare/radare2/commit/44ded3ff35b8264f54b5a900cab32ec489d9e5b9
NOTE: https://github.com/radare/radare2/issues/8743
CVE-2017-15931 (In radare2 2.0.1, an integer exception (negative number leading to an ...)
- radare2 2.1.0+dfsg-1 (bug #880025)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code introduced in 0.10.2)
[wheezy] - radare2 <not-affected> (Vulnerable code introduced in 0.10.2)
NOTE: https://github.com/radare/radare2/commit/c6d0076c924891ad9948a62d89d0bcdaf965f0cd
@@ -136826,7 +136940,6 @@ CVE-2017-15386 (Incorrect implementation in Blink in Google Chrome prior to 62.0
[wheezy] - chromium-browser <end-of-life> (Not supported in Wheezy)
CVE-2017-15385 (The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c ...)
- radare2 2.1.0+dfsg-1 (bug #879119)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <not-affected> (Vulnerable code introduced in 0.10.2)
[wheezy] - radare2 <not-affected> (Vulnerable code introduced in 0.10.2)
NOTE: https://github.com/radare/radare2/issues/8685
@@ -136886,7 +136999,6 @@ CVE-2017-15369 (The build_filter_chain function in pdf/pdf-stream.c in Artifex M
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698592
CVE-2017-15368 (The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 al ...)
- radare2 2.1.0+dfsg-1 (bug #878767)
- [stretch] - radare2 <not-affected> (Vulnerable code introduced in 2.0.0)
[jessie] - radare2 <not-affected> (Vulnerable code introduced in 2.0.0)
[wheezy] - radare2 <not-affected> (Vulnerable code introduced in 2.0.0)
NOTE: https://github.com/radare/radare2/issues/8673
@@ -141047,7 +141159,7 @@ CVE-2017-14062 (Integer overflow in the decode_digit function in puny_decode.c i
{DSA-3988-1 DLA-1447-1 DLA-1085-1 DLA-1084-1}
- libidn2-0 2.0.2-4 (bug #873902)
- libidn 1.33-2 (bug #873903)
- [stretch] - libidn <no-dsa> (Minor issue; can be fixed in point release)
+ [stretch] - libidn 1.33-1+deb9u1
NOTE: https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
CVE-2017-14061 (Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2 ...)
- libidn2-0 2.0.2-4 (bug #873904)
@@ -146731,7 +146843,7 @@ CVE-2017-12174 (It was found that when Artemis and HornetQ before 2.4.0 are conf
NOT-FOR-US: Artemis and HornetQ
CVE-2017-12173 (It was found that sssd's sysdb_search_user_by_upn_res() function befor ...)
- sssd 1.15.3-2 (bug #877885)
- [stretch] - sssd <no-dsa> (Minor issue)
+ [stretch] - sssd 1.15.0-3+deb9u1
[jessie] - sssd <not-affected> (Vulnerable code introduced later)
[wheezy] - sssd <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1498173
@@ -150636,7 +150748,6 @@ CVE-2016-10396 (The racoon daemon in IPsec-Tools 0.8.2 contains a remotely explo
CVE-2017-10929 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 al ...)
{DLA-1016-1}
- radare2 1.6.0+dfsg-1 (low; bug #867369)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/7855
NOTE: https://github.com/radare/radare2/commit/c57997e76ec70862174a1b3b3aeb62a6f8570e85
@@ -151568,7 +151679,6 @@ CVE-2017-9950
RESERVED
CVE-2017-9949 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 al ...)
- radare2 1.6.0+dfsg-1 (bug #866068)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/7683
@@ -153729,7 +153839,6 @@ CVE-2017-1000381 (The c-ares function `ares_parse_naptr_reply()`, which is used
CVE-2017-9763 (The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013 ...)
- grub2 2.02~beta2-8 (unimportant)
- radare2 1.6.0+dfsg-1 (bug #869423)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd
@@ -153737,14 +153846,12 @@ CVE-2017-9763 (The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before
NOTE: Not a security issue for Grub
CVE-2017-9762 (The cmd_info function in libr/core/cmd_info.c in radare2 1.5.0 allows ...)
- radare2 1.6.0+dfsg-1 (low; bug #869426)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/7726
NOTE: https://github.com/radare/radare2/commit/f85bc674b2a2256a364fe796351bc1971e106005
CVE-2017-9761 (The find_eoq function in libr/core/cmd.c in radare2 1.5.0 allows remot ...)
- radare2 1.6.0+dfsg-1 (low; bug #869428)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/00e8f205475332d7842d0f0d1481eeab4e83017c
@@ -154493,7 +154600,6 @@ CVE-2017-9521 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P
NOT-FOR-US: Comcast firmware on various devices
CVE-2017-9520 (The r_config_set function in libr/config/config.c in radare2 1.5.0 all ...)
- radare2 1.6.0+dfsg-1 (low; bug #864533)
- [stretch] - radare2 <no-dsa> (Minor issue)
[jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/commit/f85bc674b2a2256a364fe796351bc1971e106005
@@ -183744,7 +183850,7 @@ CVE-2016-9113 (There is a NULL pointer dereference in function imagetobmp of con
CVE-2016-9112 (Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cp ...)
{DLA-1851-1}
- openjpeg2 2.1.2-1.2 (bug #844551)
- [stretch] - openjpeg2 <no-dsa> (Minor issue)
+ [stretch] - openjpeg2 2.1.2-1.1+deb9u4
NOTE: https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b
NOTE: https://github.com/uclouvain/openjpeg/issues/855
CVE-2016-9111 (Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4. ...)
@@ -248032,8 +248138,8 @@ CVE-2014-6053 (The rfbProcessClientNormalMessage function in libvncserver/rfbser
- libvncserver 0.9.9+dfsg-6.1 (bug #762745)
- italc 1:3.0.1+dfsg1-1
- tightvnc 1:1.3.9-9.1
- [buster] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- vino <unfixed> (bug #945784)
NOTE: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
CVE-2014-6052 (The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibV ...)
diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt
index 52918aa9e7..9991b5f530 100644
--- a/data/next-oldstable-point-update.txt
+++ b/data/next-oldstable-point-update.txt
@@ -26,44 +26,6 @@ CVE-2019-14267
[stretch] - pdfresurrect 0.12-6+deb9u1
CVE-2019-11187
[stretch] - gosa 2.7.4+reloaded2-13+deb9u2
-CVE-2019-13173
- [stretch] - node-fstream 1.0.10-1+deb9u1
-CVE-2019-13241
- [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
-CVE-2019-13032
- [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
-CVE-2018-3719
- [stretch] - node-mixin-deep 1.1.3-1+deb9u1
-CVE-2019-10746
- [stretch] - node-mixin-deep 1.1.3-1+deb9u1
-CVE-2018-19756
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19757
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19759
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19761
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19762
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19763
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2019-3573
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2019-3574
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-14072
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-14073
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-21010
- [stretch] - openjpeg2 2.1.2-1.1+deb9u4
-CVE-2018-20847
- [stretch] - openjpeg2 2.1.2-1.1+deb9u4
-CVE-2016-9112
- [stretch] - openjpeg2 2.1.2-1.1+deb9u4
-CVE-2019-14806
- [stretch] - python-werkzeug 0.11.15+dfsg1-1+deb9u1
CVE-2018-7260
[stretch] - phpmyadmin 4:4.6.6-4+deb9u1
CVE-2018-19968
@@ -78,223 +40,9 @@ CVE-2019-11768
[stretch] - phpmyadmin 4:4.6.6-4+deb9u1
CVE-2019-12616
[stretch] - phpmyadmin 4:4.6.6-4+deb9u1
-CVE-2019-19010
- [stretch] - limnoria 2017.01.10-1+deb9u1
-CVE-2019-13566
- [stretch] - ros-ros-comm 1.12.6-2+deb9u1
-CVE-2019-13465
- [stretch] - ros-ros-comm 1.12.6-2+deb9u1
-CVE-2019-13445
- [stretch] - ros-ros-comm 1.12.6-2+deb9u2
-CVE-2019-9656
- [stretch] - libofx 1:0.9.10-2+deb9u2
-CVE-2019-18197
- [stretch] - libxslt 1.1.29-2.1+deb9u2
-CVE-2019-19555
- [stretch] - fig2dev 1:3.2.6a-2+deb9u3
-CVE-2019-15961
- [stretch] - clamav 0.102.1+dfsg-0+deb9u1
-CVE-2019-19269
- [stretch] - proftpd-dfsg 1.3.5b-4+deb9u3
-CVE-2019-12095
- [stretch] - php-horde 5.2.13+debian0-1+deb9u1
-CVE-2019-15681
- [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u2
-CVE-2017-12173
- [stretch] - sssd 1.15.0-3+deb9u1
-CVE-2014-6053
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-8287
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2018-20021
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2018-20022
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2018-7225
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15678
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15679
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15680
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15681
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-2228
- [stretch] - cups 2.2.1-8+deb9u5
CVE-2019-20372
[stretch] - nginx 1.10.3-1+deb9u4
-CVE-2017-14062
- [stretch] - libidn 1.33-1+deb9u1
CVE-2016-10894
[stretch] - xtrlock 2.8+deb9u1
CVE-2019-16275
[stretch] - wpa 2:2.4-1+deb9u5
-CVE-2018-13093
- [stretch] - linux 4.9.210-1
-CVE-2018-13094
- [stretch] - linux 4.9.210-1
-CVE-2018-20976
- [stretch] - linux 4.9.210-1
-CVE-2018-21008
- [stretch] - linux 4.9.210-1
-CVE-2019-0136
- [stretch] - linux 4.9.210-1
-CVE-2019-10220
- [stretch] - linux 4.9.210-1
-CVE-2019-14615
- [stretch] - linux 4.9.210-1
-CVE-2019-14814
- [stretch] - linux 4.9.210-1
-CVE-2019-14815
- [stretch] - linux 4.9.210-1
-CVE-2019-14816
- [stretch] - linux 4.9.210-1
-CVE-2019-14895
- [stretch] - linux 4.9.210-1
-CVE-2019-14896
- [stretch] - linux 4.9.210-1
-CVE-2019-14897
- [stretch] - linux 4.9.210-1
-CVE-2019-14901
- [stretch] - linux 4.9.210-1
-CVE-2019-15030
- [stretch] - linux 4.9.210-1
-CVE-2019-15098
- [stretch] - linux 4.9.210-1
-CVE-2019-15217
- [stretch] - linux 4.9.210-1
-CVE-2019-15291
- [stretch] - linux 4.9.210-1
-CVE-2019-15505
- [stretch] - linux 4.9.210-1
-CVE-2019-15917
- [stretch] - linux 4.9.210-1
-CVE-2019-16746
- [stretch] - linux 4.9.210-1
-CVE-2019-17052
- [stretch] - linux 4.9.210-1
-CVE-2019-17053
- [stretch] - linux 4.9.210-1
-CVE-2019-17054
- [stretch] - linux 4.9.210-1
-CVE-2019-17055
- [stretch] - linux 4.9.210-1
-CVE-2019-17056
- [stretch] - linux 4.9.210-1
-CVE-2019-17075
- [stretch] - linux 4.9.210-1
-CVE-2019-17133
- [stretch] - linux 4.9.210-1
-CVE-2019-17666
- [stretch] - linux 4.9.210-1
-CVE-2019-18282
- [stretch] - linux 4.9.210-1
-CVE-2019-18660
- [stretch] - linux 4.9.210-1
-CVE-2019-18683
- [stretch] - linux 4.9.210-1
-CVE-2019-18806
- [stretch] - linux 4.9.210-1
-CVE-2019-18809
- [stretch] - linux 4.9.210-1
-CVE-2019-19037
- [stretch] - linux 4.9.210-1
-CVE-2019-19049
- [stretch] - linux 4.9.210-1
-CVE-2019-19051
- [stretch] - linux 4.9.210-1
-CVE-2019-19052
- [stretch] - linux 4.9.210-1
-CVE-2019-19056
- [stretch] - linux 4.9.210-1
-CVE-2019-19057
- [stretch] - linux 4.9.210-1
-CVE-2019-19062
- [stretch] - linux 4.9.210-1
-CVE-2019-19063
- [stretch] - linux 4.9.210-1
-CVE-2019-19066
- [stretch] - linux 4.9.210-1
-CVE-2019-19068
- [stretch] - linux 4.9.210-1
-CVE-2019-19227
- [stretch] - linux 4.9.210-1
-CVE-2019-19332
- [stretch] - linux 4.9.210-1
-CVE-2019-19447
- [stretch] - linux 4.9.210-1
-CVE-2019-19523
- [stretch] - linux 4.9.210-1
-CVE-2019-19524
- [stretch] - linux 4.9.210-1
-CVE-2019-19525
- [stretch] - linux 4.9.210-1
-CVE-2019-19527
- [stretch] - linux 4.9.210-1
-CVE-2019-19530
- [stretch] - linux 4.9.210-1
-CVE-2019-19531
- [stretch] - linux 4.9.210-1
-CVE-2019-19532
- [stretch] - linux 4.9.210-1
-CVE-2019-19533
- [stretch] - linux 4.9.210-1
-CVE-2019-19534
- [stretch] - linux 4.9.210-1
-CVE-2019-19535
- [stretch] - linux 4.9.210-1
-CVE-2019-19536
- [stretch] - linux 4.9.210-1
-CVE-2019-19537
- [stretch] - linux 4.9.210-1
-CVE-2019-19767
- [stretch] - linux 4.9.210-1
-CVE-2019-19947
- [stretch] - linux 4.9.210-1
-CVE-2019-19965
- [stretch] - linux 4.9.210-1
-CVE-2019-20096
- [stretch] - linux 4.9.210-1
-CVE-2019-2215
- [stretch] - linux 4.9.210-1
-CVE-2019-12614
- [stretch] - linux 4.9.210-1
-CVE-2020-0030
- [stretch] - linux 4.9.210-1
-CVE-2019-15695
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15694
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15693
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15692
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15691
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2018-7225
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-15127
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20019
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20020
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20021
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20022
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20023
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20024
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-6307
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2019-15681
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2019-20387
- [stretch] - libsolv 0.6.24-1+deb9u2
-CVE-2020-2574
- [stretch] - mariadb-10.1 10.1.44-0+deb9u1
-CVE-2019-2974
- [stretch] - mariadb-10.1 10.1.44-0+deb9u1
diff --git a/data/next-point-update.txt b/data/next-point-update.txt
index 4d30bb5e58..b8086f8b8b 100644
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -1,59 +1,17 @@
+CVE-2019-19919
+ [buster] - node-handlebars 3:4.1.0-1+deb10u1
+CVE-2019-18277
+ [buster] - haproxy 1.8.19-1+deb10u2
CVE-2019-14267
[buster] - pdfresurrect 0.15-2+deb10u1
CVE-2019-1020014
[buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1
-CVE-2019-16091
- [buster] - libmysofa 0.6~dfsg0-3+deb10u1
-CVE-2019-16092
- [buster] - libmysofa 0.6~dfsg0-3+deb10u1
-CVE-2019-16093
- [buster] - libmysofa 0.6~dfsg0-3+deb10u1
-CVE-2019-16094
- [buster] - libmysofa 0.6~dfsg0-3+deb10u1
-CVE-2019-16095
- [buster] - libmysofa 0.6~dfsg0-3+deb10u1
-CVE-2019-20063
- [buster] - libmysofa 0.6~dfsg0-3+deb10u1
CVE-2019-17134
[buster] - octavia 3.0.0-3+deb10u1
-CVE-2018-21010
- [buster] - openjpeg2 2.3.0-2+deb10u1
-CVE-2018-20847
- [buster] - openjpeg2 2.3.0-2+deb10u1
CVE-2019-14433
[buster] - nova 2:18.1.0-6+deb10u1
-CVE-2019-19010
- [buster] - limnoria 2019.02.23-1+deb10u1
-CVE-2019-13566
- [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
-CVE-2019-13465
- [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
-CVE-2019-13445
- [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
CVE-2019-14857
[buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
-CVE-2019-19555
- [buster] - fig2dev 1:3.2.7a-5+deb10u2
-CVE-2019-19746
- [buster] - fig2dev 1:3.2.7a-5+deb10u3
-CVE-2019-19797
- [buster] - fig2dev 1:3.2.7a-5+deb10u3
-CVE-2019-15961
- [buster] - clamav 0.102.1+dfsg-0+deb10u1
-CVE-2019-19269
- [buster] - proftpd-dfsg 1.3.6-4+deb10u3
-CVE-2019-19270
- [buster] - proftpd-dfsg 1.3.6-4+deb10u3
-CVE-2019-12095
- [buster] - php-horde 5.2.20+debian0-1+deb10u1
-CVE-2019-1010006
- [buster] - atril 1.20.3-1+deb10u1
-CVE-2019-11459
- [buster] - atril 1.20.3-1+deb10u1
-CVE-2019-15681
- [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u1
-CVE-2019-17177
- [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1
CVE-2019-3866
[buster] - python-oslo.utils 3.36.4+2019.11.15.git.c49a426b66-1+deb10u1
[buster] - python-mistral-lib 1.0.0-1+deb10u1
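Review bot: the two entries added at the top, CVE-2019-19919 (`node-handlebars 3:4.1.0-1+deb10u1`) and CVE-2019-18277 (`haproxy 1.8.19-1+deb10u2`), are the same CVEs removed further down in this file, where haproxy is listed as `1.8.19-1+deb10u1`. Neither the haproxy bump from `+deb10u1` to `+deb10u2` nor the reason these two stay queued while their neighbours are dropped is explained in the commit message; a short note there would let a reader tell a deliberate carry-over from a merge artefact.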
@@ -65,249 +23,15 @@ CVE-2019-16776
[buster] - npm 5.8.0+ds6-4+deb10u1
CVE-2019-16777
[buster] - npm 5.8.0+ds6-4+deb10u1
-CVE-2019-10740
- [buster] - roundcube 1.3.10+dfsg.1-1~deb10u1
-CVE-2018-1000071
- [buster] - roundcube 1.3.10+dfsg.1-1~deb10u1
-CVE-2014-6053
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2019-8287
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2018-20021
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2018-20022
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2018-7225
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2019-15678
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2019-15679
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2019-15680
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2019-15681
- [buster] - tightvnc 1:1.3.9-9deb10u1
-CVE-2019-19919
- [buster] - node-handlebars 3:4.1.0-1+deb10u1
-CVE-2019-2228
- [buster] - cups 2.2.10-6+deb10u2
-CVE-2019-9740
- [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-9947
- [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-9948
- [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-10160
- [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-16056
- [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-16935
- [buster] - python3.7 3.7.3-2+deb10u1
-CVE-2019-5188
- [buster] - e2fsprogs 1.44.5-1+deb10u3
CVE-2019-20372
[buster] - nginx 1.14.2-2+deb10u2
CVE-2016-10894
[buster] - xtrlock 2.8+deb10u1
-CVE-2019-20149
- [buster] - node-kind-of 6.0.2+dfsg-1+deb10u1
-CVE-2019-5068
- [buster] - mesa 18.3.6-2+deb10u1
CVE-2019-19791
[buster] - lemonldap-ng 2.0.2+ds-7+deb10u3
-CVE-2019-19886
- [buster] - modsecurity 3.0.3-1+deb10u1
CVE-2020-5202
[buster] - apt-cacher-ng 3.2.1-1
-CVE-2019-15695
- [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
-CVE-2019-15694
- [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
-CVE-2019-15693
- [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
-CVE-2019-15692
- [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
-CVE-2019-15691
- [buster] - tigervnc 1.9.0+dfsg-3+deb10u1
-CVE-2019-18277
- [buster] - haproxy 1.8.19-1+deb10u1
-CVE-2019-13508
- [buster] - freetds 1.00.104-1+deb10u1
-CVE-2019-18634
- [buster] - sudo 1.8.27-1+deb10u2
-CVE-2019-20387
- [buster] - libsolv 0.6.35-2+deb10u1
-CVE-2020-2574
- [buster] - mariadb-10.3 1:10.3.22-0+deb10u1
-CVE-2019-2974
- [buster] - mariadb-10.3 1:10.3.22-0+deb10u1
-CVE-2019-2938
- [buster] - mariadb-10.3 1:10.3.22-0+deb10u1
CVE-2020-8116
[buster] - node-dot-prop 4.1.1-1+deb10u1
CVE-2019-16770
[buster] - puma 3.12.0-2+deb10u1
-CVE-2019-14814
- [buster] - linux 4.19.87-1
-CVE-2019-14815
- [buster] - linux 4.19.87-1
-CVE-2019-14816
- [buster] - linux 4.19.87-1
-CVE-2019-15030
- [buster] - linux 4.19.87-1
-CVE-2019-15031
- [buster] - linux 4.19.87-1
-CVE-2019-15098
- [buster] - linux 4.19.87-1
-CVE-2019-15099
- [buster] - linux 4.19.87-1
-CVE-2019-15291
- [buster] - linux 4.19.87-1
-CVE-2019-15504
- [buster] - linux 4.19.87-1
-CVE-2019-15505
- [buster] - linux 4.19.87-1
-CVE-2019-15918
- [buster] - linux 4.19.87-1
-CVE-2019-16714
- [buster] - linux 4.19.87-1
-CVE-2019-16746
- [buster] - linux 4.19.87-1
-CVE-2019-17052
- [buster] - linux 4.19.87-1
-CVE-2019-17053
- [buster] - linux 4.19.87-1
-CVE-2019-17054
- [buster] - linux 4.19.87-1
-CVE-2019-17055
- [buster] - linux 4.19.87-1
-CVE-2019-17056
- [buster] - linux 4.19.87-1
-CVE-2019-17075
- [buster] - linux 4.19.87-1
-CVE-2019-17133
- [buster] - linux 4.19.87-1
-CVE-2019-17666
- [buster] - linux 4.19.87-1
-CVE-2019-18282
- [buster] - linux 4.19.87-1
-CVE-2019-18660
- [buster] - linux 4.19.87-1
-CVE-2019-18683
- [buster] - linux 4.19.87-1
-CVE-2019-18806
- [buster] - linux 4.19.87-1
-CVE-2019-18813
- [buster] - linux 4.19.87-1
-CVE-2019-19045
- [buster] - linux 4.19.87-1
-CVE-2019-19048
- [buster] - linux 4.19.87-1
-CVE-2019-19049
- [buster] - linux 4.19.87-1
-CVE-2019-19052
- [buster] - linux 4.19.87-1
-CVE-2019-19065
- [buster] - linux 4.19.87-1
-CVE-2019-19080
- [buster] - linux 4.19.87-1
-CVE-2019-19081
- [buster] - linux 4.19.87-1
-CVE-2019-19523
- [buster] - linux 4.19.87-1
-CVE-2019-19524
- [buster] - linux 4.19.87-1
-CVE-2019-19525
- [buster] - linux 4.19.87-1
-CVE-2019-19526
- [buster] - linux 4.19.87-1
-CVE-2019-19527
- [buster] - linux 4.19.87-1
-CVE-2019-19528
- [buster] - linux 4.19.87-1
-CVE-2019-19529
- [buster] - linux 4.19.87-1
-CVE-2019-19530
- [buster] - linux 4.19.87-1
-CVE-2019-19532
- [buster] - linux 4.19.87-1
-CVE-2019-19533
- [buster] - linux 4.19.87-1
-CVE-2019-19534
- [buster] - linux 4.19.87-1
-CVE-2019-19537
- [buster] - linux 4.19.87-1
-CVE-2019-19922
- [buster] - linux 4.19.87-1
-CVE-2019-19060
- [buster] - linux 4.19.87-1
-CVE-2019-19075
- [buster] - linux 4.19.87-1
-CVE-2019-10220
- [buster] - linux 4.19.98-1
-CVE-2019-14615
- [buster] - linux 4.19.98-1
-CVE-2019-14895
- [buster] - linux 4.19.98-1
-CVE-2019-14896
- [buster] - linux 4.19.98-1
-CVE-2019-14897
- [buster] - linux 4.19.98-1
-CVE-2019-14901
- [buster] - linux 4.19.98-1
-CVE-2019-15217
- [buster] - linux 4.19.98-1
-CVE-2019-18786
- [buster] - linux 4.19.98-1
-CVE-2019-18809
- [buster] - linux 4.19.98-1
-CVE-2019-19037
- [buster] - linux 4.19.98-1
-CVE-2019-19051
- [buster] - linux 4.19.98-1
-CVE-2019-19056
- [buster] - linux 4.19.98-1
-CVE-2019-19057
- [buster] - linux 4.19.98-1
-CVE-2019-19058
- [buster] - linux 4.19.98-1
-CVE-2019-19059
- [buster] - linux 4.19.98-1
-CVE-2019-19062
- [buster] - linux 4.19.98-1
-CVE-2019-19063
- [buster] - linux 4.19.98-1
-CVE-2019-19066
- [buster] - linux 4.19.98-1
-CVE-2019-19068
- [buster] - linux 4.19.98-1
-CVE-2019-19071
- [buster] - linux 4.19.98-1
-CVE-2019-19077
- [buster] - linux 4.19.98-1
-CVE-2019-19078
- [buster] - linux 4.19.98-1
-CVE-2019-19079
- [buster] - linux 4.19.98-1
-CVE-2019-19227
- [buster] - linux 4.19.98-1
-CVE-2019-19252
- [buster] - linux 4.19.98-1
-CVE-2019-19332
- [buster] - linux 4.19.98-1
-CVE-2019-19447
- [buster] - linux 4.19.98-1
-CVE-2019-19767
- [buster] - linux 4.19.98-1
-CVE-2019-19927
- [buster] - linux 4.19.98-1
-CVE-2019-19947
- [buster] - linux 4.19.98-1
-CVE-2019-19965
- [buster] - linux 4.19.98-1
-CVE-2019-20096
- [buster] - linux 4.19.98-1
-CVE-2019-9445
- [buster] - linux 4.19.98-1
-CVE-2019-12614
- [buster] - linux 4.19.98-1
