diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2022-03-26 10:55:49 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-03-26 10:55:49 +0100 |
commit | aa3a45174391efb10f0e4b66248856ca9d971b32 (patch) | |
tree | ef95fcce186fcc1f60280385c041ad37de7b3abf | |
parent | ba1cccccc6ede50e6175c6777370b9e974600829 (diff) |
Merge bullseye point release updates as previously reviewed and acked
-rw-r--r-- | data/CVE/list | 147 | ||||
-rw-r--r-- | data/next-point-update.txt | 150 |
2 files changed, 75 insertions, 222 deletions
diff --git a/data/CVE/list b/data/CVE/list index 32257c249a..afe64cb6eb 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -1581,7 +1581,7 @@ CVE-2022-1020 RESERVED CVE-2022-27240 (scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer ...) - glewlwyd 2.6.1-2 - [bullseye] - glewlwyd <no-dsa> (Minor issue) + [bullseye] - glewlwyd 2.5.2-2+deb11u3 [buster] - glewlwyd <no-dsa> (Minor issue) NOTE: https://github.com/babelouest/glewlwyd/commit/4c5597c155bfbaf6491cf6b83479d241ae66940a (v2.6.2) CVE-2022-27239 @@ -2413,7 +2413,7 @@ CVE-2022-0938 (Stored XSS via file upload in GitHub repository star7th/showdoc p NOT-FOR-US: ShowDoc CVE-2021-46709 (phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows para ...) - phpliteadmin 1.9.8.2-2 - [bullseye] - phpliteadmin <no-dsa> (Minor issue) + [bullseye] - phpliteadmin 1.9.8.2-1+deb11u1 [buster] - phpliteadmin <no-dsa> (Minor issue) NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows @@ -5882,7 +5882,7 @@ CVE-2022-25641 RESERVED CVE-2022-25640 (In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a re ...) - wolfssl 5.2.0-1 - [bullseye] - wolfssl <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 NOTE: https://github.com/wolfSSL/wolfssl/pull/4831 NOTE: https://github.com/wolfSSL/wolfssl/commit/3cdb1c639da94a9dc8c75590d0ec475e7f27c226 (v5.2.0-stable) NOTE: https://github.com/wolfSSL/wolfssl/commit/b60d2dccce9110fd2b985d99063e524e39bdf6f7 (v5.2.0-stable) @@ -5890,7 +5890,7 @@ CVE-2022-25639 RESERVED CVE-2022-25638 (In wolfSSL before 5.2.0, certificate validation may be bypassed during ...) - wolfssl 5.2.0-1 - [bullseye] - wolfssl <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 NOTE: https://github.com/wolfSSL/wolfssl/pull/4813 NOTE: https://github.com/wolfSSL/wolfssl/commit/e13861bcde8015bb99ddb034224afb66e2fb89b8 (v5.2.0-stable) NOTE: https://github.com/wolfSSL/wolfssl/commit/08047b2d959ee5e21a4a2c672308f45fec61f059 (v5.2.0-stable) @@ -7929,7 +7929,7 @@ CVE-2022-24954 (Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2. NOT-FOR-US: Foxit CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 for PHP does not prevent addition ...) - php-crypt-gpg 1.6.7-1 (bug #1005921) - [bullseye] - php-crypt-gpg <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - php-crypt-gpg 1.6.4-2+deb11u1 NOTE: https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 (v1.6.7) CVE-2022-24952 RESERVED @@ -7997,7 +7997,7 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 all - golang-1.18 1.18~rc1-1 - golang-1.17 1.17.8-1 - golang-1.15 <removed> - [bullseye] - golang-1.15 <no-dsa> (Minor issue) + [bullseye] - golang-1.15 1.15.15-1~deb11u4 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> @@ -8691,7 +8691,7 @@ CVE-2022-0537 RESERVED CVE-2022-0536 (Exposure of Sensitive Information to an Unauthorized Actor in NPM foll ...) - node-follow-redirects 1.14.8+~1.14.0-1 - [bullseye] - node-follow-redirects <no-dsa> (Minor issue) + [bullseye] - node-follow-redirects 1.13.1-1+deb11u1 [buster] - node-follow-redirects <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/ NOTE: https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445 (v1.14.8) @@ -8700,6 +8700,7 @@ CVE-2022-0535 (The E2Pdf WordPress plugin before 1.16.45 does not sanitise and e CVE-2022-0534 (A vulnerability was found in htmldoc version 1.9.15 where the stack ou ...) {DLA-2928-1} - htmldoc 1.9.15-1 (unimportant) + [bullseye] - htmldoc 1.9.11-4+deb11u2 NOTE: https://github.com/michaelrsweet/htmldoc/issues/463 NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50 (v1.9.15) NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/312f0f9c12f26fbe015cd0e6cefa40e4b99017d9 (v1.9.15) @@ -9380,7 +9381,7 @@ CVE-2022-0493 RESERVED CVE-2021-46671 (options.c in atftp before 0.7.5 reads past the end of an array, and co ...) - atftp 0.7.git20210915-1 (bug #1004974) - [bullseye] - atftp <no-dsa> (Minor issue) + [bullseye] - atftp 0.7.git20120829-3.3+deb11u2 [buster] - atftp <no-dsa> (Minor issue) [stretch] - atftp <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5) @@ -9908,14 +9909,14 @@ CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a convert_con CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain long SE ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-25787 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...) - mariadb-10.6 1:10.6.5-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-26350 NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5 @@ -9930,28 +9931,28 @@ CVE-2021-46666 (MariaDB before 10.6.2 allows an application crash because of mis CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash because ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-25636 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-25761 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-26351 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...) - mariadb-10.6 1:10.6.5-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-25637 NOTE: https://jira.mariadb.org/browse/MDEV-22464 @@ -9959,7 +9960,7 @@ CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field_in_ta ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-25766 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43 @@ -10339,7 +10340,7 @@ CVE-2022-0415 (Remote Command Execution in uploading repository file in GitHub r CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows attacke ...) {DLA-2913-1} - xterm 370-2 (bug #1004689) - [bullseye] - xterm <no-dsa> (Minor issue) + [bullseye] - xterm 366-1+deb11u1 [buster] - xterm <no-dsa> (Minor issue) NOTE: https://twitter.com/nickblack/status/1487731459398025216 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2 @@ -10366,7 +10367,7 @@ CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity ( CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it does not ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-25631 NOTE: Fixed in MariaDB: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2 @@ -10624,14 +10625,14 @@ CVE-2022-24053 CVE-2022-24052 (MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Es ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-366/ CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalation Vuln ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-318/ @@ -10639,7 +10640,7 @@ CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalatio CVE-2022-24050 (MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vul ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-364/ @@ -10648,7 +10649,7 @@ CVE-2022-24049 (This vulnerability allows remote attackers to execute arbitrary CVE-2022-24048 (MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege E ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-363/ @@ -11175,7 +11176,7 @@ CVE-2022-23944 (User can access /plugin api without authentication. This issue a CVE-2022-23943 (Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server all ...) {DLA-2960-1} - apache2 2.4.53-1 - [bullseye] - apache2 <no-dsa> (Minor issue) + [bullseye] - apache2 2.4.53-1~deb11u1 [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-23943 NOTE: Fixed by: https://svn.apache.org/r1898695 @@ -11979,7 +11980,7 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17 - golang-1.18 1.18~rc1-1 - golang-1.17 1.17.7-1 - golang-1.15 <removed> - [bullseye] - golang-1.15 <no-dsa> (Minor issue) + [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> @@ -12107,7 +12108,7 @@ CVE-2022-23773 (cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinte - golang-1.18 1.18~rc1-1 - golang-1.17 1.17.7-1 - golang-1.15 <removed> - [bullseye] - golang-1.15 <no-dsa> (Minor issue) + [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> @@ -12119,7 +12120,7 @@ CVE-2022-23772 (Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before - golang-1.18 1.18~beta2-1 - golang-1.17 1.17.7-1 - golang-1.15 <removed> - [bullseye] - golang-1.15 <no-dsa> (Minor issue) + [bullseye] - golang-1.15 1.15.15-1~deb11u3 - golang-1.11 <removed> [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> @@ -12380,7 +12381,7 @@ CVE-2022-23648 (containerd is a container runtime available as a daemon for Linu NOTE: https://www.openwall.com/lists/oss-security/2022/03/02/1 CVE-2022-23647 (Prism is a syntax highlighting library. Starting with version 1.14.0 a ...) - node-prismjs 1.27.0+dfsg+~1.26.0-1 - [bullseye] - node-prismjs <no-dsa> (Minor issue) + [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u2 NOTE: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99 NOTE: https://github.com/PrismJS/prism/issues/3340 NOTE: https://github.com/PrismJS/prism/pull/3341 @@ -13545,7 +13546,7 @@ CVE-2022-23309 RESERVED CVE-2022-23308 (valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF ...) - libxml2 2.9.13+dfsg-1 (bug #1006489) - [bullseye] - libxml2 <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u1 [buster] - libxml2 <no-dsa> (Minor issue; can be fixed via point release) NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/327 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e (v2.9.13) @@ -13558,7 +13559,7 @@ CVE-2022-0265 (Improper Restriction of XML External Entity Reference in GitHub r CVE-2022-23307 (CVE-2020-9493 identified a deserialization issue that was present in A ...) {DLA-2905-1} - apache-log4j1.2 1.2.17-11 (bug #1004482) - [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue) + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 [buster] - apache-log4j1.2 <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/5 CVE-2022-23306 @@ -13566,7 +13567,7 @@ CVE-2022-23306 CVE-2022-23305 (By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as ...) {DLA-2905-1} - apache-log4j1.2 1.2.17-11 (bug #1004482) - [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue) + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 [buster] - apache-log4j1.2 <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/4 CVE-2022-0263 (Unrestricted Upload of File with Dangerous Type in Packagist pimcore/p ...) @@ -13639,7 +13640,7 @@ CVE-2022-0243 (Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Applicat CVE-2022-23302 (JMSSink in all versions of Log4j 1.x is vulnerable to deserialization ...) {DLA-2905-1} - apache-log4j1.2 1.2.17-11 (bug #1004482) - [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue) + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 [buster] - apache-log4j1.2 <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/3 CVE-2022-22142 (Reflected cross-site scripting vulnerability in the checkbox of php_ma ...) @@ -13839,7 +13840,7 @@ CVE-2022-0236 (The WP Import Export WordPress plugin (both free and premium vers NOT-FOR-US: WordPress plugin CVE-2022-0235 (node-fetch is vulnerable to Exposure of Sensitive Information to an Un ...) - node-fetch 2.6.1-7 - [bullseye] - node-fetch <no-dsa> (Minor issue) + [bullseye] - node-fetch 2.6.1-5+deb11u1 [buster] - node-fetch <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/ NOTE: Fixed by: https://github.com/node-fetch/node-fetch/commit/f5d3cf5e2579cb8f4c76c291871e69696aef8f80 (v3.1.1) @@ -13867,13 +13868,13 @@ CVE-2022-23222 (kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows NOTE: https://www.openwall.com/lists/oss-security/2022/01/13/1 CVE-2022-23219 (The deprecated compatibility function clnt_create in the sunrpc module ...) - glibc 2.33-3 - [bullseye] - glibc <no-dsa> (Minor issue) + [bullseye] - glibc 2.31-13+deb11u3 [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the sunrpc mod ...) - glibc 2.33-3 - [bullseye] - glibc <no-dsa> (Minor issue) + [bullseye] - glibc 2.31-13+deb11u3 [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768 @@ -15402,7 +15403,7 @@ CVE-2022-22814 (The System Diagnosis service of MyASUS before 3.1.2.0 allows pri NOT-FOR-US: ASUS CVE-2022-0155 (follow-redirects is vulnerable to Exposure of Private Personal Informa ...) - node-follow-redirects 1.14.7+~1.13.1-1 - [bullseye] - node-follow-redirects <no-dsa> (Minor issue) + [bullseye] - node-follow-redirects 1.13.1-1+deb11u1 [buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport) NOTE: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406 NOTE: https://github.com/follow-redirects/follow-redirects/issues/183 @@ -15823,21 +15824,21 @@ CVE-2022-22722 (A CWE-798: Use of Hard-coded Credentials vulnerability exists th CVE-2022-22721 (If LimitXMLRequestBody is set to allow request bodies larger than 350M ...) {DLA-2960-1} - apache2 2.4.53-1 - [bullseye] - apache2 <no-dsa> (Minor issue) + [bullseye] - apache2 2.4.53-1~deb11u1 [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22721 NOTE: Fixed by: https://svn.apache.org/r1898693 CVE-2022-22720 (Apache HTTP Server 2.4.52 and earlier fails to close inbound connectio ...) {DLA-2960-1} - apache2 2.4.53-1 - [bullseye] - apache2 <no-dsa> (Minor issue) + [bullseye] - apache2 2.4.53-1~deb11u1 [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22720 NOTE: Fixed by: https://svn.apache.org/r1898692 CVE-2022-22719 (A carefully crafted request body can cause a read to a random memory a ...) {DLA-2960-1} - apache2 2.4.53-1 - [bullseye] - apache2 <no-dsa> (Minor issue) + [bullseye] - apache2 2.4.53-1~deb11u1 [buster] - apache2 <no-dsa> (Minor issue) NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22719 NOTE: Fixed by: https://svn.apache.org/r1898694 @@ -19448,7 +19449,7 @@ CVE-2021-45453 RESERVED CVE-2021-45452 (Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 b ...) - python-django 2:3.2.11-1 (bug #1003113) - [bullseye] - python-django <postponed> (Minor issue; fix in next update) + [bullseye] - python-django 2:2.2.26-1~deb11u1 [buster] - python-django <postponed> (Minor issue; fix in next update) [stretch] - python-django <postponed> (Minor issue; fix in next update) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ @@ -20487,7 +20488,7 @@ CVE-2021-45117 (The OPC autogenerated ANSI C stack stubs (in the NodeSets) do no NOT-FOR-US: OPCFoundation/UA-Nodeset CVE-2021-45116 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11 ...) - python-django 2:3.2.11-1 (bug #1003113) - [bullseye] - python-django <postponed> (Minor issue; fix in next update) + [bullseye] - python-django 2:2.2.26-1~deb11u1 [buster] - python-django <postponed> (Minor issue; fix in next update) [stretch] - python-django <postponed> (Minor issue; fix in next update) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ @@ -20495,7 +20496,7 @@ CVE-2021-45116 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before NOTE: https://github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (2.2.26) CVE-2021-45115 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11 ...) - python-django 2:3.2.11-1 (bug #1003113) - [bullseye] - python-django <postponed> (Minor issue; fix in next update) + [bullseye] - python-django 2:2.2.26-1~deb11u1 [buster] - python-django <postponed> (Minor issue; fix in next update) [stretch] - python-django <postponed> (Minor issue; fix in next update) NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/ @@ -20556,7 +20557,7 @@ CVE-2021-23138 (WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable t NOT-FOR-US: WECON LeviStudioU CVE-2021-45379 (Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access cont ...) - glewlwyd 2.6.1-1 - [bullseye] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - glewlwyd 2.5.2-2+deb11u2 [buster] - glewlwyd <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/babelouest/glewlwyd/commit/125281f1c0d4b6a8b49f7e55a757205a2ef01fbe (v2.6.1) CVE-2022-21953 @@ -20587,7 +20588,7 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12 CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive] RESERVED - libarchive 3.5.2-1 (bug #1001990) - [bullseye] - libarchive <no-dsa> (Minor issue) + [bullseye] - libarchive 3.4.3-2+deb11u1 [buster] - libarchive <no-dsa> (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1566 NOTE: https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 (v3.5.2) @@ -20595,7 +20596,7 @@ CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target] RESERVED - libarchive 3.5.2-1 (bug #1001986) - [bullseye] - libarchive <no-dsa> (Minor issue) + [bullseye] - libarchive 3.4.3-2+deb11u1 [buster] - libarchive <no-dsa> (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1565 NOTE: https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2) @@ -21159,7 +21160,7 @@ CVE-2021-45006 RESERVED CVE-2021-45005 (Artifex MuJS v1.1.3 was discovered to contain a heap buffer overflow w ...) - mujs 1.1.3-4 - [bullseye] - mujs <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - mujs 1.1.0-1+deb11u1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=704749 (not public) NOTE: http://git.ghostscript.com/?p=mujs.git;h=df8559e7bdbc6065276e786217eeee70f28fce66 (1.2.0) CVE-2021-45004 @@ -21382,6 +21383,7 @@ CVE-2021-44918 (A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in NOTE: https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a (v2.0.0) CVE-2021-44917 (A Divide by Zero vulnerability exists in gnuplot 5.4 in the boundary3d ...) - gnuplot 5.4.2+dfsg2-2 (unimportant; bug #1002539) + [bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1 NOTE: https://sourceforge.net/p/gnuplot/bugs/2474/ NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/8938dfc937348f1d4e7b3d6ef6d44209b1d89473/ (master) NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/acab14de21e323254507fca85f964e471258ac82/ (master) @@ -21618,7 +21620,7 @@ CVE-2021-44833 (The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for CVE-2021-4104 (JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted ...) {DLA-2905-1} - apache-log4j1.2 1.2.17-11 - [bullseye] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default) + [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 [buster] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default) NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/1 NOTE: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126 @@ -21629,7 +21631,7 @@ CVE-2021-4103 (Cross-site Scripting (XSS) - Stored in GitHub repository vanessa2 CVE-2021-44832 (Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fi ...) {DLA-2870-1} - apache-log4j2 2.17.1-1 (bug #1002813) - [bullseye] - apache-log4j2 <no-dsa> (Minor issue; requires attacker with permissions to modify the logging configuration file) + [bullseye] - apache-log4j2 2.17.1-1~deb11u1 [buster] - apache-log4j2 <no-dsa> (Minor issue; requires attacker with permissions to modify the logging configuration file) NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832 NOTE: https://issues.apache.org/jira/browse/LOG4J2-3293 @@ -21785,7 +21787,7 @@ CVE-2022-21814 (NVIDIA GPU Display Driver for Linux contains a vulnerability in - nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1004852) [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851) - [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1 - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1004850) [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported) CVE-2022-21813 (NVIDIA GPU Display Driver for Linux contains a vulnerability in the ke ...) @@ -21802,7 +21804,7 @@ CVE-2022-21813 (NVIDIA GPU Display Driver for Linux contains a vulnerability in - nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1004852) [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851) - [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1 - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1004850) [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported) CVE-2021-44795 (Single Connect does not perform an authorization check when using the ...) @@ -22078,7 +22080,7 @@ CVE-2021-44719 CVE-2021-44718 RESERVED - wolfssl 5.1.1-1 - [bullseye] - wolfssl <no-dsa> (Minor issue; will be fixed via point release) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 NOTE: https://github.com/wolfSSL/wolfssl/pull/4629 CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operat ...) {DLA-2892-1 DLA-2891-1} @@ -23322,7 +23324,7 @@ CVE-2021-44274 RESERVED CVE-2021-44273 (e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate ...) - e2guardian 5.3.5-3 (bug #1003125) - [bullseye] - e2guardian <no-dsa> (Minor issue) + [bullseye] - e2guardian 5.3.4-1+deb11u1 [buster] - e2guardian <no-dsa> (Minor issue) [stretch] - e2guardian <ignored> (SSL MITM engine not enabled in stretch) NOTE: https://www.openwall.com/lists/oss-security/2021/12/23/2 @@ -24030,7 +24032,7 @@ CVE-2021-3998 [Unexpected return value from realpath() for too long results] CVE-2021-3997 [Uncontrolled recursion in systemd's systemd-tmpfiles] RESERVED - systemd 250.2-1 (bug #1003467) - [bullseye] - systemd <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - systemd 247.3-7 [buster] - systemd <ignored> (Minor issue; not exploitable before upstream commit e535840) [stretch] - systemd <ignored> (Minor issue; utility segfault; not exploitable before upstream commit e535840, PoC doesn't segfault on stretch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024639 @@ -24638,7 +24640,7 @@ CVE-2022-21671 (@replit/crosis is a JavaScript client that speaks Replit's conta NOT-FOR-US: crosis CVE-2022-21670 (markdown-it is a Markdown parser. Prior to version 1.3.2, special patt ...) - node-markdown-it 10.0.0+dfsg-6 - [bullseye] - node-markdown-it <no-dsa> (Minor issue) + [bullseye] - node-markdown-it 10.0.0+dfsg-2+deb11u1 NOTE: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c NOTE: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101 (12.3.2) CVE-2022-21669 (PuddingBot is a group management bot. In version 0.0.6-b933652 and pri ...) @@ -25081,7 +25083,7 @@ CVE-2021-43809 (`Bundler` is a package for managing application dependencies in NOTE: https://github.com/rubygems/rubygems/pull/5142 CVE-2021-43808 (Laravel is a web application framework. Laravel prior to versions 8.75 ...) - php-laravel-framework 6.20.14+dfsg-3 (bug #1001333) - [bullseye] - php-laravel-framework <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 NOTE: https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw NOTE: https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b (v6.20.42) CVE-2021-43807 (Opencast is an Open Source Lecture Capture & Video Management for ...) @@ -26382,7 +26384,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 ha NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...) - php-laravel-framework 6.20.14+dfsg-3 (bug #1002728) - [bullseye] - php-laravel-framework <no-dsa> (Can be fixed via point release) + [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 NOTE: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: kimai2 @@ -27102,6 +27104,7 @@ CVE-2021-43392 (STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN som NOT-FOR-US: STMicroelectronics CVE-2021-43396 (** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka ...) - glibc 2.32-5 (unimportant; bug #998622) + [bullseye] - glibc 2.31-13+deb11u3 [buster] - glibc <not-affected> (Vulnerable code not present) [stretch] - glibc <not-affected> (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28524 @@ -28308,7 +28311,7 @@ CVE-2022-20699 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, R NOT-FOR-US: Cisco Small Business RV Series Routers CVE-2022-20698 (A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) ...) - clamav 0.103.5+dfsg-1 - [bullseye] - clamav <no-dsa> (clamav is updated via -updates) + [bullseye] - clamav 0.103.5+dfsg-0+deb11u1 [buster] - clamav <no-dsa> (clamav is updated via -updates) [stretch] - clamav <postponed> (Minor issue; clean crash; follow stable updates) NOTE: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html @@ -31662,7 +31665,7 @@ CVE-2021-42344 RESERVED CVE-2021-42343 (An issue was discovered in the Dask distributed package before 2021.10 ...) - dask.distributed 2021.09.1+ds.1-2 - [bullseye] - dask.distributed <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1 [buster] - dask.distributed <no-dsa> (Minor issue; can be fixed via point release) NOTE: https://github.com/dask/distributed/pull/5427 NOTE: https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr @@ -34503,7 +34506,7 @@ CVE-2021-41271 (Discourse is a platform for community discussion. In affected ve NOT-FOR-US: Discourse CVE-2021-41270 (Symfony/Serializer handles serializing and deserializing data structur ...) - symfony 4.4.19+dfsg-3 - [bullseye] - symfony <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - symfony 4.4.19+dfsg-2+deb11u1 [buster] - symfony <not-affected> (Vulnerable code and support for csv_escape_formulas introduced in 4.1) [stretch] - symfony <not-affected> (Vulnerable code and support for csv_escape_formulas introduced in 4.1) NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x @@ -35025,7 +35028,7 @@ CVE-2021-41079 (Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 NOTE: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822 (8.5.64) CVE-2021-3803 (nth-check is vulnerable to Inefficient Regular Expression Complexity ...) - node-nth-check 2.0.1-1 - [bullseye] - node-nth-check <no-dsa> (Minor issue) + [bullseye] - node-nth-check 2.0.0-1+deb11u1 [buster] - node-nth-check <no-dsa> (Minor issue) [stretch] - node-nth-check <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1) @@ -35505,7 +35508,7 @@ CVE-2021-40874 [RESTServer pwdConfirm always returns true with Combination + Ker RESERVED [experimental] - lemonldap-ng 2.0.14~exp+ds-1 - lemonldap-ng 2.0.14+ds-1 (bug #1005302) - [bullseye] - lemonldap-ng <no-dsa> (Minor issue) + [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u1 [buster] - lemonldap-ng <no-dsa> (Minor issue) [stretch] - lemonldap-ng <no-dsa> (Minor issue) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612 @@ -36427,7 +36430,7 @@ CVE-2021-40517 (Airangel HSMX Gateway devices through 5.2.04 is vulnerable to st CVE-2021-40516 (WeeChat before 3.2.1 allows remote attackers to cause a denial of serv ...) {DLA-2770-1} - weechat 3.2.1-1 (bug #993803) - [bullseye] - weechat <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - weechat 3.0-1+deb11u1 [buster] - weechat <no-dsa> (Minor issue; can be fixed via point release) NOTE: https://github.com/weechat/weechat/commit/8b1331f98de1714bae15a9ca2e2b393ba49d735b CVE-2021-40515 @@ -41075,7 +41078,7 @@ CVE-2021-38598 (OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0 NOTE: https://review.opendev.org/c/openstack/neutron/+/785917/ CVE-2021-38597 (wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain si ...) - wolfssl 5.0.0-1 (bug #992174) - [bullseye] - wolfssl <no-dsa> (Minor issue) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 NOTE: https://github.com/wolfSSL/wolfssl/commit/f93083be72a3b3d956b52a7ec13f307a27b6e093 CVE-2021-38596 RESERVED @@ -44857,7 +44860,7 @@ CVE-2021-37156 (Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue NOTE: https://github.com/redmine/redmine/commit/ee0d822517154878a2ad33be66b820c6b68d077b CVE-2021-37155 (wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure ou ...) - wolfssl 5.0.0-1 (bug #991443) - [bullseye] - wolfssl <no-dsa> (Minor issue) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 NOTE: https://github.com/wolfSSL/wolfssl/pull/3990 NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable CVE-2021-37154 (In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementa ...) @@ -45277,7 +45280,7 @@ CVE-2021-23184 RESERVED CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-f ...) - openvswitch 2.15.0+ds1-10 (bug #991308) - [bullseye] - openvswitch <no-dsa> (Minor issue) + [bullseye] - openvswitch 2.15.0+ds1-2+deb11u1 [buster] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11) [stretch] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851 @@ -48552,7 +48555,7 @@ CVE-2021-35605 RESERVED CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue) + [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 - mariadb-10.3 <removed> [buster] - mariadb-10.3 <no-dsa> (Minor issue) - mysql-8.0 <unfixed> @@ -53228,7 +53231,7 @@ CVE-2021-33624 (In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a b NOTE: https://www.openwall.com/lists/oss-security/2021/06/21/1 CVE-2021-33623 (The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.j ...) - node-trim-newlines 3.0.0+~3.0.0-1 - [bullseye] - node-trim-newlines <no-dsa> (Minor issue) + [bullseye] - node-trim-newlines 3.0.0-1+deb11u1 [buster] - node-trim-newlines <no-dsa> (Minor issue) [stretch] - node-trim-newlines <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://github.com/advisories/GHSA-7p7h-4mm5-852v @@ -53359,7 +53362,7 @@ CVE-2021-33575 (The Pixar ruby-jss gem before 1.6.0 allows remote attackers to e CVE-2021-33574 (The mq_notify function in the GNU C Library (aka glibc) versions 2.32 ...) [experimental] - glibc 2.32-0experimental0 - glibc 2.32-1 (bug #989147) - [bullseye] - glibc <no-dsa> (Minor issue) + [bullseye] - glibc 2.31-13+deb11u3 [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896 @@ -54520,7 +54523,7 @@ CVE-2021-33121 RESERVED CVE-2021-33120 (Out of bounds read under complex microarchitectural condition in memor ...) - intel-microcode 3.20220207.1 - [bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release) + [bullseye] - intel-microcode 3.20220207.1~deb11u1 [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html CVE-2021-33119 (Improper access control in the Intel(R) RealSense(TM) DCM before versi ...) @@ -78890,7 +78893,7 @@ CVE-2021-23519 RESERVED CVE-2021-23518 (The package cached-path-relative before 1.1.0 are vulnerable to Protot ...) - node-cached-path-relative 1.1.0+~1.0.0-1 (bug #1004338) - [bullseye] - node-cached-path-relative <no-dsa> (Minor issue) + [bullseye] - node-cached-path-relative 1.0.2-1+deb11u1 [buster] - node-cached-path-relative <no-dsa> (Minor issue) NOTE: https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760 NOTE: results from incomplete fix for https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573 @@ -97511,7 +97514,7 @@ CVE-2021-0562 (In RasterIntraUpdate of motion_est.cpp, there is a possible out o CVE-2021-0561 (In append_to_verify_fifo_interleaved_ of stream_encoder.c, there is a ...) {DLA-2951-1} - flac 1.3.4-1 (bug #1006339) - [bullseye] - flac <no-dsa> (Minor issue) + [bullseye] - flac 1.3.3-2+deb11u1 [buster] - flac <no-dsa> (Minor issue) NOTE: https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be (1.3.4) NOTE: https://xiph.org/flac/changelog.html#flac_1.3.4 @@ -100245,7 +100248,7 @@ CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207 CVE-2021-0145 (Improper initialization of shared resources in some Intel(R) Processor ...) - intel-microcode 3.20220207.1 - [bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release) + [bullseye] - intel-microcode 3.20220207.1~deb11u1 [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/fast-store-forwarding-predictor.html @@ -100291,7 +100294,7 @@ CVE-2021-0128 RESERVED CVE-2021-0127 (Insufficient control flow management in some Intel(R) Processors may a ...) - intel-microcode 3.20220207.1 - [bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release) + [bullseye] - intel-microcode 3.20220207.1~deb11u1 [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207 @@ -121221,7 +121224,7 @@ CVE-2020-18443 CVE-2020-18442 (Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a d ...) {DLA-2859-1} - zziplib 0.13.72+dfsg.1-1 - [bullseye] - zziplib <no-dsa> (Minor issue) + [bullseye] - zziplib 0.13.62-3.3+deb11u1 [buster] - zziplib <no-dsa> (Minor issue) NOTE: https://github.com/gdraheim/zziplib/issues/68 NOTE: https://github.com/gdraheim/zziplib/commit/ac9ae39ef419e9f0f83da1e583314d8c7cda34a6 diff --git a/data/next-point-update.txt b/data/next-point-update.txt index c69984f44a..5a6aa6b0f7 100644 --- a/data/next-point-update.txt +++ b/data/next-point-update.txt @@ -1,153 +1,3 @@ -CVE-2021-42343 - [bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1 -CVE-2021-41270 - [bullseye] - symfony 4.4.19+dfsg-2+deb11u1 -CVE-2021-35604 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46667 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46662 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46659 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2022-24048 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2022-24050 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2022-24051 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2022-24052 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46661 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46663 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46664 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46665 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-46668 - [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1 -CVE-2021-44917 - [bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1 -CVE-2021-45379 - [bullseye] - glewlwyd 2.5.2-2+deb11u2 -CVE-2021-23177 - [bullseye] - libarchive 3.4.3-2+deb11u1 -CVE-2021-31566 - [bullseye] - libarchive 3.4.3-2+deb11u1 -CVE-2021-43808 - [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 -CVE-2021-43617 - [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 -CVE-2021-36980 - [bullseye] - openvswitch 2.15.0+ds1-2+deb11u1 -CVE-2022-0155 - [bullseye] - node-follow-redirects 1.13.1-1+deb11u1 -CVE-2022-0536 - [bullseye] - node-follow-redirects 1.13.1-1+deb11u1 -CVE-2021-45115 - [bullseye] - python-django 2:2.2.26-1~deb11u1 -CVE-2021-45116 - [bullseye] - python-django 2:2.2.26-1~deb11u1 -CVE-2021-45452 - [bullseye] - python-django 2:2.2.26-1~deb11u1 -CVE-2022-21670 - [bullseye] - node-markdown-it 10.0.0+dfsg-2+deb11u1 -CVE-2022-20698 - [bullseye] - clamav 0.103.5+dfsg-0+deb11u1 -CVE-2021-3997 - [bullseye] - systemd 247.3-7 -CVE-2020-18442 - [bullseye] - zziplib 0.13.62-3.3+deb11u1 -CVE-2022-0235 - [bullseye] - node-fetch 2.6.1-5+deb11u1 -CVE-2021-40516 - [bullseye] - weechat 3.0-1+deb11u1 -CVE-2021-23518 - [bullseye] - node-cached-path-relative 1.0.2-1+deb11u1 -CVE-2021-44273 - [bullseye] - e2guardian 5.3.4-1+deb11u1 -CVE-2021-46671 - [bullseye] - atftp 0.7.git20120829-3.3+deb11u2 -CVE-2022-24130 - [bullseye] - xterm 366-1+deb11u1 -CVE-2022-21814 - [bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1 -CVE-2022-21813 - [bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1 -CVE-2021-3803 - [bullseye] - node-nth-check 2.0.0-1+deb11u1 -CVE-2021-33623 - [bullseye] - node-trim-newlines 3.0.0-1+deb11u1 -CVE-2022-23806 - [bullseye] - golang-1.15 1.15.15-1~deb11u3 -CVE-2022-23772 - [bullseye] - golang-1.15 1.15.15-1~deb11u3 -CVE-2022-23773 - [bullseye] - golang-1.15 1.15.15-1~deb11u3 -CVE-2022-24921 - [bullseye] - golang-1.15 1.15.15-1~deb11u4 -CVE-2021-4104 - [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 -CVE-2022-23302 - [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 -CVE-2022-23305 - [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 -CVE-2022-23307 - [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1 -CVE-2021-44832 - [bullseye] - apache-log4j2 2.17.1-1~deb11u1 -CVE-2021-43396 - [bullseye] - glibc 2.31-13+deb11u3 -CVE-2022-23218 - [bullseye] - glibc 2.31-13+deb11u3 -CVE-2022-23219 - [bullseye] - glibc 2.31-13+deb11u3 -CVE-2021-33574 - [bullseye] - glibc 2.31-13+deb11u3 -CVE-2022-24953 - [bullseye] - php-crypt-gpg 1.6.4-2+deb11u1 -CVE-2022-23647 - [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u2 -CVE-2021-40874 - [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u1 -CVE-2022-0534 - [bullseye] - htmldoc 1.9.11-4+deb11u2 -CVE-2022-22719 - [bullseye] - apache2 2.4.53-1~deb11u1 -CVE-2022-22720 - [bullseye] - apache2 2.4.53-1~deb11u1 -CVE-2022-22721 - [bullseye] - apache2 2.4.53-1~deb11u1 -CVE-2022-23943 - [bullseye] - apache2 2.4.53-1~deb11u1 -CVE-2021-37155 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 -CVE-2021-38597 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 -CVE-2021-44718 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 -CVE-2022-25638 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 -CVE-2022-25640 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u1 -CVE-2022-23308 - [bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u1 -CVE-2021-0561 - [bullseye] - flac 1.3.3-2+deb11u1 -CVE-2021-45005 - [bullseye] - mujs 1.1.0-1+deb11u1 -CVE-2022-27240 - [bullseye] - glewlwyd 2.5.2-2+deb11u3 -CVE-2021-46709 - [bullseye] - phpliteadmin 1.9.8.2-1+deb11u1 -CVE-2021-33120 - [bullseye] - intel-microcode 3.20220207.1~deb11u1 -CVE-2021-0145 - [bullseye] - intel-microcode 3.20220207.1~deb11u1 -CVE-2021-0127 - [bullseye] - intel-microcode 3.20220207.1~deb11u1 CVE-2021-43861 [bullseye] - node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1 CVE-2021-44906 |