author Salvatore Bonaccorso <carnil@debian.org> 2020-08-01 09:51:11 +0000
committer Salvatore Bonaccorso <carnil@debian.org> 2020-08-01 09:51:11 +0000
commit 84aa7267202bbf25f41fd69b09fca6eb4d84ebf7
tree 5e7091d4cb864b97795746974632014bbb985696 /data/CVE
parent b7961454868705e7e20cbab8b1a377d3c4c61fca
parent 46ef4feef326c78a3e6de877748c791c53ccdfe2
Merge branch 'buster-10.5' into 'master'
Track buster 10.5 point release
See merge request security-tracker-team/security-tracker!61
Diffstat (limited to 'data/CVE')
-rw-r--r-- data/CVE/list 195
1 files changed, 98 insertions, 97 deletions
diff --git a/data/CVE/list b/data/CVE/list
index e1dcea8368..d612b17644 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1301,13 +1301,14 @@ CVE-2020-15687
RESERVED
CVE-2019-20908 (An issue was discovered in drivers/firmware/efi/efi.c in the Linux ker ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.132-1
NOTE: https://www.openwall.com/lists/oss-security/2020/06/14/1
NOTE: Fixed by: https://git.kernel.org/linus/1957a85b0032a81e6482ca4aab883643b8dae06e
CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craf ...)
- python3.9 3.9.0~b5-1 (low)
- python3.8 3.8.5-1 (low)
- python3.7 <removed> (low)
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u2
- python3.5 <removed> (low)
- python2.7 <unfixed> (low)
[buster] - python2.7 <no-dsa> (Minor issue)
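Review bot: in the CVE-2019-20908 entry the added buster line records linux 4.19.132-1, while every other kernel entry touched in this merge (CVE-2020-15393, CVE-2020-13974, CVE-2019-20810, CVE-2020-12771, CVE-2020-12655, CVE-2020-10766 to CVE-2020-10768) records 4.19.131-1. If the efi.c fix really first shipped in the later upload this is correct; otherwise align it with 4.19.131-1 so the tracker does not report the earlier upload as still vulnerable.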
@@ -2062,6 +2063,7 @@ CVE-2017-18922 (It was discovered that websockets.c in LibVNCServer prior to 0.9
NOTE: https://www.openwall.com/lists/oss-security/2020/06/30/2
CVE-2020-15393 (In the Linux kernel through 5.7.6, usbtest_disconnect in drivers/usb/m ...)
- linux 5.7.10-1
+ [buster] - linux 4.19.131-1
NOTE: https://git.kernel.org/linus/28ebeb8db77035e058a510ce9bd17c2b9a009dba
CVE-2020-15392 (A user enumeration vulnerability flaw was found in Venki Supravizio BP ...)
NOT-FOR-US: Venki
@@ -4458,7 +4460,7 @@ CVE-2020-14422 (Lib/ipaddress.py in Python through 3.8.3 improperly computes has
{DLA-2280-1}
- python3.8 3.8.4~rc1-1
- python3.7 <removed>
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u2
- python3.5 <removed>
- python3.4 <removed>
[jessie] - python3.4 <postponed> (Minor issue, DoS with constraints)
@@ -5056,7 +5058,7 @@ CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 a
CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
{DLA-2270-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2765
NOTE: https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259
@@ -5392,7 +5394,7 @@ CVE-2020-14063 (A stored Cross-Site Scripting (XSS) vulnerability in the TC Cust
CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
{DLA-2270-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2704
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -5400,7 +5402,7 @@ CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in
CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
{DLA-2270-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2698
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -5408,7 +5410,7 @@ CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in
CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
{DLA-2270-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2688
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -5516,12 +5518,10 @@ CVE-2020-14035
RESERVED
CVE-2020-14034 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...)
- janus 0.10.2-1
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/2229
NOTE: https://github.com/meetecho/janus-gateway/commit/dacb4edfad8e77f73b64d8c175cca0a7796ebf80
CVE-2020-14033 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...)
- janus 0.10.2-1
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/2229
NOTE: https://github.com/meetecho/janus-gateway/commit/dacb4edfad8e77f73b64d8c175cca0a7796ebf80
CVE-2020-14032
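Review bot: the two "[buster] - janus <ignored> (Will be removed in next point release)" lines under CVE-2020-14034 and CVE-2020-14033 are deleted with nothing put in their place, so the only status left on each entry is the unstable fix "- janus 0.10.2-1". That is accurate only once janus is actually gone from buster. If this merge can land before the archive removal, keep the <ignored> lines until then, because without them any janus still present in buster would be compared against the unstable fixed version.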
@@ -5661,6 +5661,7 @@ CVE-2020-13975
RESERVED
CVE-2020-13974 (** DISPUTED ** An issue was discovered in the Linux kernel through 5.7 ...)
- linux 5.7.6-1
+ [buster] - linux 4.19.131-1
[stretch] - linux 4.9.228-1
NOTE: https://git.kernel.org/linus/b86dab054059b970111b5516ae548efaae5b3aae
CVE-2020-13973 (OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls ...)
@@ -5833,22 +5834,18 @@ CVE-2020-13902 (ImageMagick 7.0.9-27 through 7.0.10-17 has a heap-based buffer o
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/218d6abc4e36596c90a07463bfb2ab9e8312efbb
CVE-2020-13901 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...)
- janus 0.10.1-1 (bug #962680)
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/2214
NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/90cc2ada775c4d4d8f6ae66f96b4ec7588e4bc86
CVE-2020-13900 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...)
- janus 0.10.1-1 (bug #962680)
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/2214
NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/5f33d5e1073207f7275a726b7bb4cd7dbb08d13a
CVE-2020-13899 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...)
- janus 0.10.1-1 (bug #962680)
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/2214
NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/f46f27fb129fd1b3744830b4fc6e75ab78794636
CVE-2020-13898 (An issue was discovered in janus-gateway (aka Janus WebRTC Server) thr ...)
- janus 0.10.1-1 (bug #962680)
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/2214
NOTE: https://github.com/meetecho/janus-gateway/pull/2214/commits/2ed485d04630b9ee9de7c96517135654b7f32120
CVE-2020-13897 (HESK before 3.1.10 allows reflected XSS. ...)
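Review bot: the four janus deletions in this hunk (CVE-2020-13898 to CVE-2020-13901) record a package removal, not a fix, but the commit message says only "Track buster 10.5 point release". Suggest stating in the message that the janus <ignored> annotations are dropped because the package leaves buster in this point release, so a later reader of the history does not go looking for a fixed buster version.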
@@ -6294,6 +6291,7 @@ CVE-2019-20811 (An issue was discovered in the Linux kernel before 5.0.6. In rx_
NOTE: https://git.kernel.org/linus/a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e
CVE-2019-20810 (go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux ...)
- linux 5.6.7-1
+ [buster] - linux 4.19.131-1
[stretch] - linux 4.9.228-1
NOTE: https://git.kernel.org/linus/9453264ef58638ce8976121ac44c07a3ef375983
CVE-2020-13759 (rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attacker ...)
@@ -6560,7 +6558,7 @@ CVE-2020-13646 (In Cheetah free WiFi 5.1, the driver file (liebaonat.sys) allows
NOT-FOR-US: cheetah free wifi
CVE-2020-13645 (In GNOME glib-networking through 2.64.2, the implementation of GTlsCli ...)
- glib-networking 2.64.3-2 (bug #961756)
- [buster] - glib-networking <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - glib-networking 2.58.0-2+deb10u1
[stretch] - glib-networking 2.50.0-1+deb9u1
NOTE: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135
NOTE: Updating glib-networking to address CVE-2020-13645 will need a compatibility
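Review bot: the CVE-2020-13645 entry now records glib-networking 2.58.0-2+deb10u1 as fixed in buster, yet the NOTE kept directly below it (cut off by the diff context) says that updating glib-networking for this CVE "will need a compatibility" change of some kind. Please confirm that whatever that note goes on to require also went into 10.5, and if it did, record the package and version in the NOTE so the dependency is visible from this entry.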
@@ -7472,7 +7470,7 @@ CVE-2020-13250 (HashiCorp Consul and Consul Enterprise include an HTTP API (intr
NOTE: https://github.com/hashicorp/consul/pull/8023
CVE-2020-13249 (libmariadb/mariadb_lib.c in MariaDB Connector/C before 3.1.8 does not ...)
- mariadb-10.3 1:10.3.23-1
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - mariadb-10.3 1:10.3.23-0+deb10u1
- mariadb-10.1 <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://github.com/mariadb-corporation/mariadb-connector-c/commit/2759b87d72926b7c9b5426437a7c8dd15ff57945 (v3.1.8)
NOTE: Introduced around: https://github.com/mariadb-corporation/mariadb-connector-c/commit/b4efe73c9e725f97b3550371f8a78a10a20bf2fd (v3.0-cc-server-integ-0)
@@ -7512,12 +7510,12 @@ CVE-2020-13232
RESERVED
CVE-2020-13231 (In Cacti before 1.2.11, auth_profile.php?action=edit allows CSRF for a ...)
- cacti 1.2.11+ds1-1
- [buster] - cacti <no-dsa> (Minor issue)
+ [buster] - cacti 1.2.2+ds1-2+deb10u3
[stretch] - cacti <no-dsa> (Minor issue)
NOTE: https://github.com/Cacti/cacti/issues/3342
CVE-2020-13230 (In Cacti before 1.2.11, disabling a user account does not immediately ...)
- cacti 1.2.11+ds1-1
- [buster] - cacti <no-dsa> (Minor issue)
+ [buster] - cacti 1.2.2+ds1-2+deb10u3
[stretch] - cacti <no-dsa> (Minor issue)
NOTE: https://github.com/Cacti/cacti/issues/3343
CVE-2020-13229 (An issue was discovered in Sysax Multi Server 6.90. A session can be h ...)
@@ -7787,19 +7785,19 @@ CVE-2020-13115
CVE-2020-13114 (An issue was discovered in libexif before 0.6.22. An unrestricted size ...)
{DLA-2222-1}
- libexif 0.6.21-9 (bug #961410)
- [buster] - libexif <no-dsa> (Minor issue)
+ [buster] - libexif 0.6.21-5.1+deb10u3
[stretch] - libexif 0.6.21-2+deb9u3
NOTE: https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab (0.6.22)
CVE-2020-13113 (An issue was discovered in libexif before 0.6.22. Use of uninitialized ...)
{DLA-2222-1}
- libexif 0.6.21-9 (bug #961409)
- [buster] - libexif <no-dsa> (Minor issue)
+ [buster] - libexif 0.6.21-5.1+deb10u3
[stretch] - libexif 0.6.21-2+deb9u3
NOTE: https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f (0.6.22)
CVE-2020-13112 (An issue was discovered in libexif before 0.6.22. Several buffer over- ...)
{DLA-2222-1}
- libexif 0.6.21-9 (bug #961407)
- [buster] - libexif <no-dsa> (Minor issue)
+ [buster] - libexif 0.6.21-5.1+deb10u3
[stretch] - libexif 0.6.21-2+deb9u3
NOTE: https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1 (0.6.22)
CVE-2020-13111 (NaviServer 4.99.4 to 4.99.19 allows denial of service due to the nsd/d ...)
@@ -8576,7 +8574,7 @@ CVE-2020-12772 (An issue was discovered in Ignite Realtime Spark 2.8.3 (and the
CVE-2020-12767 (exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a divide-by ...)
{DLA-2214-1}
- libexif 0.6.21-7 (bug #960199)
- [buster] - libexif <no-dsa> (Minor issue)
+ [buster] - libexif 0.6.21-5.1+deb10u2
[stretch] - libexif 0.6.21-2+deb9u2
NOTE: https://github.com/libexif/libexif/issues/31
NOTE: https://github.com/libexif/libexif/commit/e22f73064f804c94e90b642cd0db4697c827da72
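Review bot: CVE-2020-12767 is marked fixed in libexif 0.6.21-5.1+deb10u2, whereas CVE-2020-13112, CVE-2020-13113 and CVE-2020-13114 in this same merge are marked 0.6.21-5.1+deb10u3. That fits two separate uploads (the stretch lines likewise show +deb9u2 here and +deb9u3 there), so no change is needed if the deb10u2 changelog lists this CVE; worth a quick check against the changelog before merging.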
@@ -8593,6 +8591,7 @@ CVE-2020-XXXX [unspecified fexsrv security issue]
[stretch] - fex 20160919-2~deb9u1
CVE-2020-12771 (An issue was discovered in the Linux kernel through 5.6.11. btree_gc_c ...)
- linux 5.7.6-1
+ [buster] - linux 4.19.131-1
NOTE: https://lkml.org/lkml/2020/4/26/87
NOTE: https://git.kernel.org/linus/be23e837333a914df3f24bf0b32e87b0331ab8d1 (5.8-rc2)
CVE-2020-12770 (An issue was discovered in the Linux kernel through 5.6.11. sg_write l ...)
@@ -8729,7 +8728,7 @@ CVE-2020-12724
RESERVED
CVE-2020-12723 (regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted ...)
- perl 5.30.3-1 (bug #962005)
- [buster] - perl <no-dsa> (Minor issue)
+ [buster] - perl 5.28.1-6+deb10u1
[stretch] - perl 5.24.1-3+deb9u7
NOTE: https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a (v5.30.3)
CVE-2020-12722
@@ -8937,6 +8936,7 @@ CVE-2020-12656 (** DISPUTED ** gss_mech_free in net/sunrpc/auth_gss/gss_mech_swi
NOTE: Issue is triggered only at module reloading / rebinding
CVE-2020-12655 (An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c ...)
- linux 5.6.14-1
+ [buster] - linux 4.19.131-1
NOTE: https://git.kernel.org/linus/d0c7feaf87678371c2c09b3709400be416b2dc62 (5.7-rc1)
CVE-2020-12654 (An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_s ...)
{DSA-4698-1 DLA-2242-1 DLA-2241-1}
@@ -10457,7 +10457,7 @@ CVE-2020-12050 (SQLiteODBC 0.9996, as packaged for certain Linux distributions a
CVE-2020-12049 (An issue was discovered in dbus &gt;= 1.3.0 before 1.12.18. The DBusSe ...)
{DLA-2235-1}
- dbus 1.12.18-1
- [buster] - dbus <no-dsa> (Minor issue)
+ [buster] - dbus 1.12.20-0+deb10u1
[stretch] - dbus 1.10.32-0+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/3
NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/294
@@ -11425,7 +11425,7 @@ CVE-2020-11889 (An issue was discovered in Joomla! before 3.9.17. Incorrect ACL
NOT-FOR-US: Joomla!
CVE-2020-11888 (python-markdown2 through 2.3.8 allows XSS because element names are mi ...)
- python-markdown2 2.3.9-1 (bug #959445)
- [buster] - python-markdown2 <no-dsa> (Minor issue)
+ [buster] - python-markdown2 2.3.7-2+deb10u1
NOTE: https://github.com/trentm/python-markdown2/issues/348
CVE-2020-11887 (svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an ...)
NOT-FOR-US: svg2png
@@ -12129,7 +12129,7 @@ CVE-2020-11735 (The private-key operations in ecc.c in wolfSSL before 4.4.0 do n
CVE-2020-11736 (fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allows Dir ...)
{DLA-2180-1}
- file-roller 3.36.2-1 (bug #956638)
- [buster] - file-roller <no-dsa> (Minor issue, will be fixed via spu)
+ [buster] - file-roller 3.30.1-2+deb10u1
[stretch] - file-roller 3.22.3-1+deb9u2
NOTE: https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0
CVE-2020-11734 (cgi-bin/go in CyberSolutions CyberMail 5 or later allows XSS via the A ...)
@@ -12449,7 +12449,7 @@ CVE-2020-11621
CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2179-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2682
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -12457,7 +12457,7 @@ CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2179-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2680
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -12926,7 +12926,7 @@ CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 device
NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices
CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out- ...)
- pillow 7.2.0-1 (low)
- [buster] - pillow <no-dsa> (Will be fixed via spu)
+ [buster] - pillow 5.4.1-2+deb10u2
NOTE: https://github.com/python-pillow/Pillow/pull/4504
NOTE: https://github.com/python-pillow/Pillow/pull/4538
CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5 ...)
@@ -12953,7 +12953,7 @@ CVE-2020-11527 (In Zoho ManageEngine OpManager before 12.4.181, an unauthenticat
NOT-FOR-US: Zoho
CVE-2020-11526 (libfreerdp/core/update.c in FreeRDP versions &gt; 1.1 through 2.0.0-rc ...)
- freerdp2 2.1.1+dfsg1-1
- [buster] - freerdp2 <no-dsa> (Minor issue)
+ [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2
- freerdp <removed>
[stretch] - freerdp <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-97jw-m5w5-xvf9
@@ -12961,35 +12961,35 @@ CVE-2020-11526 (libfreerdp/core/update.c in FreeRDP versions &gt; 1.1 through 2.
NOTE: https://github.com/FreeRDP/FreeRDP/issues/6012
CVE-2020-11525 (libfreerdp/cache/bitmap.c in FreeRDP versions &gt; 1.0 through 2.0.0-r ...)
- freerdp2 2.1.1+dfsg1-1
- [buster] - freerdp2 <no-dsa> (Minor issue)
+ [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2
- freerdp <removed>
[stretch] - freerdp <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9755-fphh-gmjg
NOTE: https://github.com/FreeRDP/FreeRDP/commit/0b6b92a25a77d533b8a92d6acc840a81e103684e
CVE-2020-11524 (libfreerdp/codec/interleaved.c in FreeRDP versions &gt; 1.0 through 2. ...)
- freerdp2 2.1.1+dfsg1-1
- [buster] - freerdp2 <no-dsa> (Minor issue)
+ [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2
- freerdp <removed>
[stretch] - freerdp <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgw8-3mp2-p5qw
NOTE: https://github.com/FreeRDP/FreeRDP/commit/7b1d4b49391b4512402840431757703a96946820
CVE-2020-11523 (libfreerdp/gdi/region.c in FreeRDP versions &gt; 1.0 through 2.0.0-rc4 ...)
- freerdp2 2.1.1+dfsg1-1
- [buster] - freerdp2 <no-dsa> (Minor issue)
+ [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2
- freerdp <removed>
[stretch] - freerdp <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4qrh-8cp8-4x42
NOTE: https://github.com/FreeRDP/FreeRDP/commit/ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e
CVE-2020-11522 (libfreerdp/gdi/gdi.c in FreeRDP &gt; 1.0 through 2.0.0-rc4 has an Out- ...)
- freerdp2 2.1.1+dfsg1-1
- [buster] - freerdp2 <no-dsa> (Minor issue)
+ [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2
- freerdp <removed>
[stretch] - freerdp <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-48wx-7vgj-fffh
NOTE: https://github.com/FreeRDP/FreeRDP/commit/907640a924fa7a9a99c80a48ac225e9d8e41548b
CVE-2020-11521 (libfreerdp/codec/planar.c in FreeRDP version &gt; 1.0 through 2.0.0-rc ...)
- freerdp2 2.1.1+dfsg1-1
- [buster] - freerdp2 <no-dsa> (Minor issue)
+ [buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u2
- freerdp <removed>
[stretch] - freerdp <no-dsa> (Minor issue)
NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5cwc-6wc9-255w
@@ -13834,7 +13834,7 @@ CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid m
CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2179-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2670
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -13842,7 +13842,7 @@ CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2179-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2666
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -13850,7 +13850,7 @@ CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
CVE-2020-11111 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2179-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2664
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -14404,7 +14404,7 @@ CVE-2020-10970
CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2179-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2642
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -14412,7 +14412,7 @@ CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
CVE-2020-10968 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2179-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2662
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -14690,7 +14690,7 @@ CVE-2020-10879 (rConfig before 3.9.5 allows command injection by sending a craft
NOT-FOR-US: rConfig
CVE-2020-10878 (Perl before 5.30.3 has an integer overflow related to mishandling of a ...)
- perl 5.30.3-1 (bug #962005)
- [buster] - perl <no-dsa> (Minor issue)
+ [buster] - perl 5.28.1-6+deb10u1
[stretch] - perl 5.24.1-3+deb9u7
NOTE: https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8 (v5.30.3)
NOTE: https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c (v5.30.3)
@@ -15167,18 +15167,21 @@ CVE-2020-10769 (A buffer over-read flaw was found in RH kernel versions before 5
CVE-2020-10768 [Indirect branch speculation can be enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command]
RESERVED
- linux 5.7.6-1
+ [buster] - linux 4.19.131-1
[stretch] - linux 4.9.228-1
NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1
NOTE: https://git.kernel.org/linus/4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf
CVE-2020-10767 [Indirect Branch Prediction Barrier is force-disabled when STIBP is unavailable or enhanced IBRS is available]
RESERVED
- linux 5.7.6-1
+ [buster] - linux 4.19.131-1
[stretch] - linux 4.9.228-1
NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1
NOTE: https://git.kernel.org/linus/21998a351512eba4ed5969006f0c55882d995ada
CVE-2020-10766 [Rogue cross-process SSBD shutdown]
RESERVED
- linux 5.7.6-1
+ [buster] - linux 4.19.131-1
[stretch] - linux 4.9.228-1
NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1
NOTE: https://git.kernel.org/linus/dbbe2ad02e9df26e372f38cc3e70dab9222c832e
@@ -15207,7 +15210,7 @@ CVE-2020-10759 [Possible bypass in signature verification]
RESERVED
{DLA-2274-1}
- fwupd 1.3.10-1 (bug #962517)
- [buster] - fwupd <no-dsa> (Will be fixed via point release)
+ [buster] - fwupd 1.2.13-1
- libjcat 0.1.3-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1844316
NOTE: https://github.com/justinsteven/advisories/blob/master/2020_fwupd_dangling_s3_bucket_and_CVE-2020-10759_signature_verification_bypass.md
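Review bot: the new "[buster] - fwupd 1.2.13-1" line under CVE-2020-10759 carries no deb10u suffix, unlike every other non-kernel buster version added in this merge, which suggests buster received a new upstream version rather than a patched upload. If that is the case, a short NOTE saying so would explain the odd-looking version. Separately, "- libjcat 0.1.3-1" has no buster line, which is fine only if libjcat is not in buster; please confirm.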
@@ -15562,7 +15565,7 @@ CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows at
CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2153-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2660
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -15570,7 +15573,7 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2153-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2659
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -15598,7 +15601,7 @@ CVE-2020-10664 (The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in
CVE-2020-10663 (The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9 ...)
{DSA-4721-1 DLA-2192-1 DLA-2190-1}
- ruby-json 2.3.0+dfsg-1
- [buster] - ruby-json <no-dsa> (Minor issue)
+ [buster] - ruby-json 2.1.0+dfsg-2+deb10u1
[stretch] - ruby-json 2.0.1+dfsg-3+deb9u1
- ruby2.7 <not-affected> (Fixed before initial upload to Debian)
- ruby2.5 <removed>
@@ -15841,23 +15844,18 @@ CVE-2020-10578 (An arbitrary file read vulnerability exists in system/controller
NOT-FOR-US: QCMS
CVE-2020-10577 (An issue was discovered in Janus through 0.9.1. janus.c has multiple c ...)
- janus 0.9.2-1 (bug #954668)
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/1990
CVE-2020-10576 (An issue was discovered in Janus through 0.9.1. plugins/janus_voicemai ...)
- janus 0.9.1+20200313-1
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/1993
CVE-2020-10575 (An issue was discovered in Janus through 0.9.1. plugins/janus_videocal ...)
- janus 0.9.1+20200313-1
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/1994
CVE-2020-10574 (An issue was discovered in Janus through 0.9.1. janus.c tries to use a ...)
- janus 0.9.1+20200313-1
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/1989
CVE-2020-10573 (An issue was discovered in Janus through 0.9.1. janus_audiobridge.c ha ...)
- janus 0.9.1+20200313-1
- [buster] - janus <ignored> (Will be removed in next point release)
NOTE: https://github.com/meetecho/janus-gateway/pull/1988
CVE-2020-10572
RESERVED
@@ -15923,7 +15921,7 @@ CVE-2009-5159 (Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, whe
NOT-FOR-US: Invision Power Board
CVE-2020-10543 (Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer over ...)
- perl 5.30.3-1 (bug #962005)
- [buster] - perl <no-dsa> (Minor issue)
+ [buster] - perl 5.28.1-6+deb10u1
[stretch] - perl 5.24.1-3+deb9u7
NOTE: https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed (v5.30.3)
CVE-2020-10542
@@ -16273,7 +16271,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libIma
NOTE: Fixed in 6.2.3 and 7.1.0
CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds rea ...)
- pillow 7.2.0-1
- [buster] - pillow <no-dsa> (Will be fixed via spu)
+ [buster] - pillow 5.4.1-2+deb10u2
[stretch] - pillow <not-affected> (Vulnerable code not present)
[jessie] - pillow <no-dsa> (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4538
@@ -16746,7 +16744,7 @@ CVE-2020-10178
REJECTED
CVE-2020-10177 (Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/Fli ...)
- pillow 7.2.0-1
- [buster] - pillow <no-dsa> (Will be fixed via spu)
+ [buster] - pillow 5.4.1-2+deb10u2
[jessie] - pillow <no-dsa> (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4503
NOTE: https://github.com/python-pillow/Pillow/pull/4538
@@ -18177,7 +18175,7 @@ CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-o
CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2135-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -18185,7 +18183,7 @@ CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int
CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2135-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -18193,7 +18191,7 @@ CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int
CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
{DLA-2135-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2631
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -19902,7 +19900,7 @@ CVE-2020-8841 (An issue was discovered in TestLink 1.9.19. The relation_type par
CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean- ...)
{DLA-2111-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2620
NOTE: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497
@@ -19913,7 +19911,7 @@ CVE-2020-8839 (Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converte
CVE-2015-9542 (add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correct ...)
{DLA-2116-1}
- libpam-radius-auth 1.4.0-3 (bug #951396)
- [buster] - libpam-radius-auth <no-dsa> (Minor issue)
+ [buster] - libpam-radius-auth 1.4.0-3~deb10u1
NOTE: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
NOTE: https://github.com/FreeRADIUS/pam_radius/commit/6bae92d
NOTE: https://github.com/FreeRADIUS/pam_radius/commit/ac2c1677
@@ -20758,7 +20756,7 @@ CVE-2020-8492 (Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10,
{DLA-2280-1}
- python3.8 3.8.3~rc1-1
- python3.7 <removed>
- [buster] - python3.7 <no-dsa> (Minor issue)
+ [buster] - python3.7 3.7.3-2+deb10u2
- python3.5 <removed>
- python3.4 <removed>
[jessie] - python3.4 <postponed> (Minor issue)
@@ -21834,14 +21832,14 @@ CVE-2020-8036
CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition before ...)
{DLA-2230-1}
- php-horde 5.2.23+debian0-1 (bug #963809)
- [buster] - php-horde <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - php-horde 5.2.20+debian0-1+deb10u2
[stretch] - php-horde 5.2.13+debian0-1+deb9u2
NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf
NOTE: https://lists.horde.org/archives/announce/2020/001290.html
CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...)
{DLA-2229-1}
- php-horde-gollem 3.0.12-6 (bug #961649)
- [buster] - php-horde-gollem <no-dsa> (Minor issue)
+ [buster] - php-horde-gollem 3.0.12-3+deb10u1
[stretch] - php-horde-gollem 3.0.10-1+deb9u1
NOTE: https://lists.horde.org/archives/announce/2020/001289.html
NOTE: https://github.com/horde/gollem/commit/a73bef1aef27d4cbfc7b939c2a81dea69aabb083
@@ -22938,7 +22936,7 @@ CVE-2020-7599 (All versions of com.gradle.plugin-publish before 0.11.0 are vulne
NOT-FOR-US: com.gradle.plugin-publish
CVE-2020-7598 (minimist before 1.2.2 could be tricked into adding or modifying proper ...)
- node-minimist 1.2.5-1 (bug #953762)
- [buster] - node-minimist <no-dsa> (Minor issue)
+ [buster] - node-minimist 1.2.0-1+deb10u1
[stretch] - node-minimist <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
NOTE: POC: https://gist.github.com/Kirill89/47feb345b09bf081317f08dd43403a8a
@@ -23731,7 +23729,7 @@ CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it misha
NOTE: https://github.com/netty/netty/issues/9861#issuecomment-582307539 (same fix as CVE-2019-20445)
CVE-2020-7237 (Cacti 1.2.8 allows Remote Code Execution (by privileged users) via she ...)
- cacti 1.2.9+ds1-1 (bug #949997)
- [buster] - cacti <no-dsa> (Minor issue)
+ [buster] - cacti 1.2.2+ds1-2+deb10u3
[stretch] - cacti <no-dsa> (Minor issue)
[jessie] - cacti <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Cacti/cacti/issues/3201
@@ -24016,7 +24014,7 @@ CVE-2020-7107 (The Ultimate FAQ plugin before 1.8.30 for WordPress allows XSS vi
CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_item.p ...)
{DLA-2069-1}
- cacti 1.2.9+ds1-1 (bug #949996)
- [buster] - cacti <postponed> (can be fixed along with more important issues)
+ [buster] - cacti 1.2.2+ds1-2+deb10u3
[stretch] - cacti <postponed> (can be fixed along with more important issues)
NOTE: https://github.com/Cacti/cacti/issues/3191
NOTE: https://github.com/Cacti/cacti/commit/4cbb045e03ee20a2bd09094a201a925fbb8a39d9
@@ -24249,7 +24247,7 @@ CVE-2020-7041 (An issue was discovered in openfortivpn 1.11.0 when used with Ope
CVE-2020-7040 (storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBack ...)
{DLA-2095-1}
- storebackup 3.2.1-2 (bug #949393)
- [buster] - storebackup <no-dsa> (Minor issue)
+ [buster] - storebackup 3.2.1-2~deb10u1
[stretch] - storebackup 3.2.1-2~deb9u1
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1156767
NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/3
@@ -25008,7 +25006,7 @@ CVE-2019-20374 (A mutation cross-site scripting (XSS) issue in Typora through 0.
NOT-FOR-US: Typora
CVE-2019-20372 (NGINX before 1.17.7, with certain error_page configurations, allows HT ...)
- nginx 1.16.1-3 (low; bug #948579)
- [buster] - nginx <no-dsa> (Minor issue)
+ [buster] - nginx 1.14.2-2+deb10u2
[stretch] - nginx 1.10.3-1+deb9u4
[jessie] - nginx <no-dsa> (Minor issue)
NOTE: https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf
@@ -27056,11 +27054,11 @@ CVE-2020-5968 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU p
NOT-FOR-US: NVIDIA Virtual GPU Manager
CVE-2020-5967 (NVIDIA Linux GPU Display Driver, all versions, contains a vulnerabilit ...)
- nvidia-graphics-drivers 440.100-1 (bug #963766)
- [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers 418.152.00-1
[stretch] - nvidia-graphics-drivers 390.138-1
[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908)
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.138-1~deb10u1
- nvidia-graphics-drivers-legacy-340xx <unfixed>
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
@@ -27078,11 +27076,11 @@ CVE-2020-5964 (NVIDIA Windows GPU Display Driver, all versions, contains a vulne
NOT-FOR-US: NVIDIA Windows GPU Display Driver
CVE-2020-5963 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...)
- nvidia-graphics-drivers 440.100-1 (bug #963766)
- [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers 418.152.00-1
[stretch] - nvidia-graphics-drivers 390.138-1
[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908)
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.138-1~deb10u1
- nvidia-graphics-drivers-legacy-340xx <unfixed>
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
@@ -28857,7 +28855,7 @@ CVE-2020-5201
CVE-2019-20330 (FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.eh ...)
{DLA-2111-1}
- jackson-databind 2.10.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2526
NOTE: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e
@@ -32497,7 +32495,7 @@ CVE-2019-19921 (runc through 1.0.0-rc9 has Incorrect Access Control leading to E
NOTE: https://github.com/opencontainers/runc/pull/2190
CVE-2019-19919 (Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Poll ...)
- node-handlebars 3:4.5.3-1
- [buster] - node-handlebars <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - node-handlebars 3:4.1.0-1+deb10u1
NOTE: https://www.npmjs.com/advisories/1164
CVE-2019-19918 (Lout 3.40 has a heap-based buffer overflow in the srcnext() function i ...)
- lout <unfixed> (bug #947113)
@@ -33926,7 +33924,7 @@ CVE-2020-3482
RESERVED
CVE-2020-3481 (A vulnerability in the EGG archive parsing module in Clam AntiVirus (C ...)
- clamav 0.102.4+dfsg-1
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.102.4+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html
CVE-2020-3480
RESERVED
@@ -34190,7 +34188,7 @@ CVE-2020-3351 (A vulnerability in Cisco SD-WAN Solution Software could allow an
NOT-FOR-US: Cisco
CVE-2020-3350 (A vulnerability in the endpoint software of Cisco AMP for Endpoints an ...)
- clamav 0.102.4+dfsg-1
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.102.4+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html
CVE-2020-3349 (Multiple vulnerabilities in the web-based management interface of Cisc ...)
NOT-FOR-US: Cisco
@@ -34211,7 +34209,7 @@ CVE-2020-3342 (A vulnerability in the software update feature of Cisco Webex Mee
CVE-2020-3341 (A vulnerability in the PDF archive parsing module in Clam AntiVirus (C ...)
{DLA-2215-1}
- clamav 0.102.3+dfsg-1
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.102.3+dfsg-0~deb10u1
[stretch] - clamav 0.102.3+dfsg-0~deb9u1
NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
CVE-2020-3340 (Multiple vulnerabilities in the web-based management interface of Cisc ...)
@@ -34243,7 +34241,7 @@ CVE-2020-3328
CVE-2020-3327 (A vulnerability in the ARJ archive parsing module in Clam AntiVirus (C ...)
{DLA-2215-1}
- clamav 0.102.4+dfsg-1
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.102.4+dfsg-0+deb10u1
[stretch] - clamav 0.102.3+dfsg-0~deb9u1
NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
NOTE: https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html
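Review bot: the CVE-2020-3327 entry is now internally inconsistent about which upstream release carries the fix. The unstable line and the new `[buster]` line both record a 0.102.4 build, but the `[stretch]` line still records `0.102.3+dfsg-0~deb9u1` as fixed, and the NOTE lines point at both the 0.102.3 and the 0.102.4 announcements. If 0.102.4 is needed to fully address this CVE, the stretch line should be revisited in the same change or a follow-up. If 0.102.3 was sufficient, add a short NOTE explaining why the unstable and buster versions were recorded against 0.102.4.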
@@ -35470,7 +35468,7 @@ CVE-2020-2815 (Vulnerability in the Oracle iSupport product of Oracle E-Business
NOT-FOR-US: Oracle
CVE-2020-2814 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mariadb-10.3 1:10.3.23-1 (bug #961849)
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - mariadb-10.3 1:10.3.23-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.45-0+deb9u1
- mysql-5.7 <unfixed> (bug #956832)
@@ -35480,7 +35478,7 @@ CVE-2020-2813 (Vulnerability in the Oracle Email Center product of Oracle E-Busi
NOT-FOR-US: Oracle
CVE-2020-2812 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mariadb-10.3 1:10.3.23-1 (bug #961849)
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - mariadb-10.3 1:10.3.23-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.45-0+deb9u1
- mysql-5.7 <unfixed> (bug #956832)
@@ -35626,7 +35624,7 @@ CVE-2020-2761 (Vulnerability in the MySQL Server product of Oracle MySQL (compon
NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL
CVE-2020-2760 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mariadb-10.3 1:10.3.23-1 (bug #961849)
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - mariadb-10.3 1:10.3.23-0+deb10u1
- mysql-5.7 <unfixed> (bug #956832)
NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL
NOTE: Fixed in MariaDB 10.3.23
@@ -35662,7 +35660,7 @@ CVE-2020-2753 (Vulnerability in the Oracle Workflow product of Oracle E-Business
NOT-FOR-US: Oracle
CVE-2020-2752 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...)
- mariadb-10.3 1:10.3.23-1 (bug #961849)
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - mariadb-10.3 1:10.3.23-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.45-0+deb9u1
- mysql-5.7 <unfixed> (bug #956832)
@@ -37956,7 +37954,7 @@ CVE-2020-1954 (Apache CXF has the ability to integrate with JMX by registering a
NOT-FOR-US: Apache CXF
CVE-2020-1953 (Apache Commons Configuration uses a third-party library to parse YAML ...)
- commons-configuration2 2.7-1 (bug #954713)
- [buster] - commons-configuration2 <no-dsa> (Minor issue, will be fixed via spu)
+ [buster] - commons-configuration2 2.2-1+deb10u1
NOTE: https://www.openwall.com/lists/oss-security/2020/03/13/1
CVE-2020-1952 (An issue was found in Apache IoTDB .9.0 to 0.9.1 and 0.8.0 to 0.8.2. W ...)
NOT-FOR-US: Apache IoTDB
@@ -39199,11 +39197,11 @@ CVE-2019-19335 (During installation of an OpenShift 4 cluster, the `openshift-in
NOT-FOR-US: OpenShift
CVE-2019-19334 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...)
- libyang 0.16.105-2 (bug #946217)
- [buster] - libyang <no-dsa> (Minor issue)
+ [buster] - libyang 0.16.105-1+deb10u1
NOTE: https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6
CVE-2019-19333 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...)
- libyang 0.16.105-2 (bug #946217)
- [buster] - libyang <no-dsa> (Minor issue)
+ [buster] - libyang 0.16.105-1+deb10u1
NOTE: https://github.com/CESNET/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d
CVE-2019-19332 (An out-of-bounds memory write issue was found in the Linux Kernel, ver ...)
{DLA-2114-1 DLA-2068-1}
@@ -40457,6 +40455,7 @@ CVE-2019-18886 (An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to
NOTE: Fixed by: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332 (v4.2.12)
CVE-2019-18885 (fs/btrfs/volumes.c in the Linux kernel before 5.1 allows a btrfs_verif ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.131-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/09ba3bc9dd150457c506e4661380a6183af651c1 (5.1-rc1)
@@ -40633,6 +40632,7 @@ CVE-2019-18815 (PopojiCMS 2.0.1 allows refer= Open Redirection. ...)
NOT-FOR-US: PopojiCMS
CVE-2019-18814 (An issue was discovered in the Linux kernel through 5.3.9. There is a ...)
- linux 5.7.6-1
+ [buster] - linux 4.19.131-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
[jessie] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://lore.kernel.org/patchwork/patch/1142523/
@@ -45215,7 +45215,7 @@ CVE-2020-0199 (In TimeCheck::TimeCheckThread::threadLoop of TimeCheck.cpp, there
CVE-2020-0198 (In exif_data_load_data_content of exif-data.c, there is a possible UBS ...)
{DLA-2249-1}
- libexif 0.6.22-2 (bug #962345)
- [buster] - libexif <no-dsa> (Minor issue)
+ [buster] - libexif 0.6.21-5.1+deb10u4
[stretch] - libexif 0.6.21-2+deb9u4
NOTE: https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
NOTE: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
@@ -45252,7 +45252,7 @@ CVE-2020-0183 (In handleMessage of BluetoothManagerService, there is an incomple
CVE-2020-0182 (In exif_entry_get_value of exif-entry.c, there is a possible out of bo ...)
{DLA-2249-1}
- libexif 0.6.22-1 (low)
- [buster] - libexif <no-dsa> (Minor issue)
+ [buster] - libexif 0.6.21-5.1+deb10u4
[stretch] - libexif 0.6.21-2+deb9u4
NOTE: https://github.com/libexif/libexif/commit/f9bb9f263fb00f0603ecbefa8957cad24168cbff (0.6.22)
NOTE: CVE originally originally reported by Android where a different patch was shipped
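Review bot: style nit on the trailing context of this hunk: the NOTE reads "CVE originally originally reported by Android", with the word doubled. Since the CVE-2020-0182 entry is being touched anyway, fix the NOTE in the same commit or a follow-up. The new `[buster] - libexif 0.6.21-5.1+deb10u4` line itself is consistent with the other libexif entry using that version in this change.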
@@ -45443,7 +45443,7 @@ CVE-2020-0094 (In setImageHeight and setImageWidth of ExifUtils.cpp, there is a
CVE-2020-0093 (In exif_data_save_data_entry of exif-data.c, there is a possible out o ...)
{DLA-2214-1}
- libexif 0.6.21-8
- [buster] - libexif <no-dsa> (Minor issue)
+ [buster] - libexif 0.6.21-5.1+deb10u2
[stretch] - libexif 0.6.21-2+deb9u2
NOTE: https://github.com/libexif/libexif/issues/42
NOTE: https://github.com/libexif/libexif/commit/5ae5973bed1947f4d447dc80b76d5cefadd90133
@@ -47027,7 +47027,7 @@ CVE-2019-17567
CVE-2019-17566 [SSRF vulnerability]
RESERVED
- batik 1.12-1.1 (bug #964510)
- [buster] - batik <no-dsa> (Minor issue, will be fixed via point update)
+ [buster] - batik 1.10-2+deb10u1
[stretch] - batik 1.8-4+deb9u2
NOTE: https://www.openwall.com/lists/oss-security/2020/06/15/2
NOTE: patch: http://svn.apache.org/viewvc?view=revision&revision=1871084
@@ -47266,7 +47266,7 @@ CVE-2019-17532 (An issue was discovered on Belkin Wemo Switch 28B WW_2.00.11057.
CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...)
{DLA-2030-1}
- jackson-databind 2.10.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2498
NOTE: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0
@@ -47485,7 +47485,7 @@ CVE-2019-17456
CVE-2019-17455 (Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequ ...)
{DLA-2207-1}
- libntlm 1.6-1 (bug #942145)
- [buster] - libntlm <no-dsa> (Minor issue)
+ [buster] - libntlm 1.5-1+deb10u1
[stretch] - libntlm <no-dsa> (Minor issue)
NOTE: https://gitlab.com/jas/libntlm/issues/2
NOTE: https://gitlab.com/jas/libntlm/-/commit/b967886873fcf19f816b9c0868465f2d9e5df85e
@@ -47950,7 +47950,7 @@ CVE-2019-17268 (The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on
CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...)
{DLA-2030-1}
- jackson-databind 2.10.0-1
- [buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+ [buster] - jackson-databind 2.9.8-3+deb10u2
[stretch] - jackson-databind 2.8.6-1+deb9u7
NOTE: https://github.com/FasterXML/jackson-databind/issues/2460
NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb
@@ -55296,7 +55296,7 @@ CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.50,
CVE-2019-14868 (In ksh version 20120801, a flaw was found in the way it evaluates cert ...)
{DLA-2284-1}
- ksh 2020.0.0-2.1 (bug #948989)
- [buster] - ksh <no-dsa> (Minor issue)
+ [buster] - ksh 93u+20120801-3.4+deb10u1
[jessie] - ksh <ignored> (Minor issue)
- ksh93 <removed> (bug #964034)
NOTE: https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
@@ -60940,7 +60940,7 @@ CVE-2019-13454 (ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplic
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/4f31d78716ac94c85c244efcea368fea202e2ed4
CVE-2019-13453 (Zipios before 0.1.7 does not properly handle certain malformed zip arc ...)
- zipios++ 0.1.5.9+cvs.2007.04.28-11 (low; bug #932556)
- [buster] - zipios++ <no-dsa> (Minor issue)
+ [buster] - zipios++ 0.1.5.9+cvs.2007.04.28-10+deb10u1
[stretch] - zipios++ <no-dsa> (Minor issue)
[jessie] - zipios++ <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/zipios/news/2019/07/version-017-cve-/
@@ -87110,6 +87110,7 @@ CVE-2019-3906 (Premisys Identicard version 3.1.190 contains hardcoded credential
NOT-FOR-US: Premisys Identicard
CVE-2018-20669 (An issue where a provided address with access_ok() is not checked was ...)
- linux 5.2.6-1 (unimportant)
+ [buster] - linux 4.19.131-1
NOTE: Fixed by: https://git.kernel.org/linus/594cc251fdd0d231d342d88b2fdff4bc42fb0690
CVE-2018-20668
RESERVED
@@ -87859,7 +87860,7 @@ CVE-2019-3690 (The chkstat tool in the permissions package followed symlinks bef
CVE-2019-3689 (The nfs-utils package in SUSE Linux Enterprise Server 12 before and in ...)
{DLA-1965-1}
- nfs-utils 1:1.3.4-3 (bug #940848)
- [buster] - nfs-utils <no-dsa> (Minor issue)
+ [buster] - nfs-utils 1:1.3.4-2.5+deb10u1
[stretch] - nfs-utils 1:1.3.4-2.1+deb9u1
NOTE: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e
CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterpri ...)
@@ -93695,7 +93696,7 @@ CVE-2018-20024 (LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 co
- italc <removed>
[stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- [buster] - ssvnc <no-dsa> (Minor issue)
+ [buster] - ssvnc 1.0.29-4+deb10u1
[stretch] - ssvnc 1.0.29-3+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/254
@@ -93716,7 +93717,7 @@ CVE-2018-20022 (LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
- italc <removed>
[stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- [buster] - ssvnc <no-dsa> (Minor issue)
+ [buster] - ssvnc 1.0.29-4+deb10u1
[stretch] - ssvnc 1.0.29-3+deb9u1
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
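Review bot: the unchanged context line `[buster] - tightvnc 1:1.3.9-9deb10u1` has no `+` or `~` between the Debian revision and `deb10u1`, unlike the `ssvnc 1.0.29-4+deb10u1` line added just above it. If that is the version string exactly as uploaded, a one-line NOTE saying so would stop a later editor from "correcting" it. If it is a typo, it will not match the archive version and should be fixed while this point-release tracking is being done. The same line appears in the context of the CVE-2018-20021 hunk.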
@@ -93731,7 +93732,7 @@ CVE-2018-20021 (LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c co
- italc <removed>
[stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- [buster] - ssvnc <no-dsa> (Minor issue)
+ [buster] - ssvnc 1.0.29-4+deb10u1
[stretch] - ssvnc 1.0.29-3+deb9u1
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
@@ -93746,7 +93747,7 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co
- italc <removed>
[stretch] - italc <not-affected> (Incomplete fix for CVE-2018-20019 not applied)
- ssvnc 1.0.29-5 (bug #945827)
- [buster] - ssvnc <no-dsa> (Minor issue)
+ [buster] - ssvnc 1.0.29-4+deb10u1
[stretch] - ssvnc 1.0.29-3+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/250
@@ -107740,7 +107741,7 @@ CVE-2018-16337 (An issue was discovered in Cscms V4.1.8. There is a CSRF vulnera
CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote ...)
{DLA-1551-1}
- exiv2 0.27.2-6 (bug #916081)
- [buster] - exiv2 <ignored> (Minor issue)
+ [buster] - exiv2 0.25-4+deb10u1
[stretch] - exiv2 0.25-3.1+deb9u2
NOTE: https://github.com/Exiv2/exiv2/issues/400
NOTE: https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d
@@ -122845,7 +122846,7 @@ CVE-2018-10757 (CSP MySQL User Manager 2.3.1 allows SQL injection, and resultant
CVE-2018-10756 (Use-after-free in libtransmission/variant.c in Transmission before 3.0 ...)
{DLA-2218-1}
- transmission 3.00-1 (bug #961461)
- [buster] - transmission <no-dsa> (Minor issue, will be fixed via spu)
+ [buster] - transmission 2.94-2+deb10u1
NOTE: https://github.com/transmission/transmission/commit/2123adf8e5e1c2b48791f9d22fc8c747e974180e (3.00)
NOTE: https://tomrichards.net/2020/05/cve-2018-10756-transmission/
CVE-2018-10755
