summaryrefslogtreecommitdiffstats
path: root/data
diff options
context:
space:
mode:
authorSalvatore Bonaccorso <carnil@debian.org>2023-10-06 22:58:33 +0200
committerSalvatore Bonaccorso <carnil@debian.org>2023-10-06 22:58:33 +0200
commit027c1e33dae1363b3665b1b0d5444526a91da201 (patch)
tree478a3e08ebf20e3adb2d0b816739263a6c489f8d /data
parent3376376c177596275cc56b354d803e647ffd661a (diff)
Merge changes for updates with CVEs via bullseye 11.8
Diffstat (limited to 'data')
-rw-r--r--data/CVE/list168
-rw-r--r--data/next-oldstable-point-update.txt162
2 files changed, 84 insertions, 246 deletions
diff --git a/data/CVE/list b/data/CVE/list
index f93b9e8fd3..5232b756dd 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1124,7 +1124,7 @@ CVE-2023-4316 (Zod in version 3.22.2 allows an attacker to perform a denial of s
CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer in Le ...)
- lemonldap-ng 2.17.1+ds-1
[bookworm] - lemonldap-ng 2.16.1+ds-deb12u2
- [bullseye] - lemonldap-ng <no-dsa> (Minor issue)
+ [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u5
[buster] - lemonldap-ng <no-dsa> (Minor issue)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
NOTE: https://security.lauritz-holtmann.de/post/sso-security-ssrf/
@@ -2598,7 +2598,7 @@ CVE-2023-4504 (Due to failure in validating the length provided by an attacker-c
{DLA-3594-1}
- cups 2.4.2-6
[bookworm] - cups 2.4.2-3+deb12u2
- [bullseye] - cups <no-dsa> (Minor issue)
+ [bullseye] - cups 2.3.3op2-3+deb11u4
- libppd <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2023/09/20/3
NOTE: https://takeonme.org/cves/CVE-2023-4504.html
@@ -2828,7 +2828,7 @@ CVE-2023-43770 (Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.
{DLA-3577-1}
- roundcube 1.6.3+dfsg-1 (bug #1052059)
[bookworm] - roundcube 1.6.3+dfsg-1~deb12u1
- [bullseye] - roundcube <no-dsa> (Minor issue)
+ [bullseye] - roundcube 1.4.14+dfsg.1-1~deb11u1
NOTE: https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b (1.6.3)
CVE-2023-5036 (Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos ...)
@@ -2848,7 +2848,7 @@ CVE-2023-5029 (A vulnerability, which was classified as critical, was found in m
CVE-2023-43115 (In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead ...)
- ghostscript 10.02.0~dfsg-1
[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
- [bullseye] - ghostscript <no-dsa> (Minor issue; documented risks, can be fixed in later update)
+ [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
[buster] - ghostscript <ignored> (Minor issue; documented risks, have done refactoring in later versions)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707051
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
@@ -3281,7 +3281,7 @@ CVE-2023-41081 (Important: Authentication Bypass CVE-2023-41081 The mod_jk comp
{DLA-3580-1}
- libapache-mod-jk 1:1.2.49-1 (bug #1051956)
[bookworm] - libapache-mod-jk 1:1.2.48-2+deb12u1
- [bullseye] - libapache-mod-jk <no-dsa> (Minor issue)
+ [bullseye] - libapache-mod-jk 1:1.2.48-1+deb11u1
NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2
NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
@@ -6219,7 +6219,7 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3.
- python3.9 <removed>
- python3.7 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
- pypy3 7.3.13+dfsg-1
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
NOTE: https://github.com/python/cpython/issues/108310
@@ -6397,10 +6397,10 @@ CVE-2023-40477
{DLA-3543-1 DLA-3542-1}
- rar 2:6.23-1
[bookworm] - rar 2:6.23-1~deb12u1
- [bullseye] - rar <no-dsa> (Non-free not supported)
+ [bullseye] - rar 2:6.23-1~deb11u1
- unrar-nonfree 1:6.2.10-1
[bookworm] - unrar-nonfree 1:6.2.6-1+deb12u1
- [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported)
+ [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u3
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
NOTE: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
CVE-2023-38831 (RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code ...)
@@ -6591,7 +6591,7 @@ CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Pyth
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue40791
NOTE: https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781 (v3.9.0b2)
NOTE: https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb (v3.9.1rc1)
@@ -6603,7 +6603,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python thro
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue42051
NOTE: https://github.com/python/cpython/issues/86217
NOTE: https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 (v3.10.0a2)
@@ -6627,7 +6627,7 @@ CVE-2022-48560 (A use-after-free exists in Python through 3.9 via heappushpop in
- python3.9 <not-affected> (Fixed before initial upload to the archive)
- python3.7 3.7.7-1
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue39421
NOTE: https://github.com/python/cpython/issues/83602
NOTE: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491ccdef861 (v3.9.0a3)
@@ -7537,7 +7537,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_bra
CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...)
- inetutils 2:2.4-3 (bug #1049365)
[bookworm] - inetutils 2:2.4-2+deb12u1
- [bullseye] - inetutils <no-dsa> (Minor issue)
+ [bullseye] - inetutils 2:2.0-1+deb11u2
[buster] - inetutils <no-dsa> (Minor issue)
NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html
@@ -8756,7 +8756,7 @@ CVE-2023-36220 (Directory Traversal vulnerability in Textpattern CMS v4.8.8 allo
CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 an ...)
- krb5 1.20.1-3 (bug #1043431)
[bookworm] - krb5 1.20.1-2+deb12u1
- [bullseye] - krb5 <no-dsa> (Minor issue)
+ [bullseye] - krb5 1.18.3-6+deb11u4
[buster] - krb5 <postponed> (Minor issue, DoS)
NOTE: https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
CVE-2023-34477 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
@@ -8796,7 +8796,7 @@ CVE-2023-33906 (In Contacts Service, there is a possible missing permission chec
CVE-2022-48579 (UnRAR before 6.2.3 allows extraction of files outside of the destinati ...)
{DLA-3535-1}
- unrar-nonfree 1:6.2.3-1 (bug #1050080)
- [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported)
+ [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u2
NOTE: https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee
CVE-2023-4196 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...)
NOT-FOR-US: Cockpit CMS
@@ -9141,7 +9141,7 @@ CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling
{DLA-3604-1}
- qemu 1:8.0.4+dfsg-1
[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0)
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 (master)
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f (v8.0.4)
@@ -9435,7 +9435,7 @@ CVE-2023-3364 (An issue has been discovered in GitLab CE/EE affecting all versio
CVE-2023-3301 (A flaw was found in QEMU. The async nature of hot-unplug enables a rac ...)
- qemu 1:8.0.3+dfsg-1
[bookworm] - qemu <no-dsa> (Minor issue)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[buster] - qemu <not-affected> (vhost-vdpa introduced in v5.1)
NOTE: https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 (v8.1.0-rc0)
NOTE: https://github.com/qemu/qemu/commit/aab37b2002811f112d5c26337473486d7d585881 (v8.0.3)
@@ -9458,7 +9458,7 @@ CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn
{DLA-3519-1}
- ghostscript 10.02.0~dfsg-1 (bug #1043033)
[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
- [bullseye] - ghostscript <postponed> (Minor issue; can be batched together in a later update)
+ [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f (ghostpdl-10.02.0rc1)
CVE-2023-38357 (Session tokens in RWS WorldServer 11.7.3 and earlier have a low entrop ...)
@@ -9657,7 +9657,7 @@ CVE-2023-3817 (Issue summary: Checking excessively long DH keys or parameters ma
{DLA-3530-1}
- openssl 3.0.10-1
[bookworm] - openssl 3.0.10-1~deb12u1
- [bullseye] - openssl <postponed> (Minor issue, fix along with future DSA)
+ [bullseye] - openssl 1.1.1v-0~deb11u1
NOTE: https://www.openssl.org/news/secadv/20230731.txt
NOTE: https://www.openwall.com/lists/oss-security/2023/07/31/1
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1c16253f3c3a8d1e25918c3f404aae6a5b0893de (master)
@@ -10772,7 +10772,7 @@ CVE-2023-38408 (The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
{DLA-3532-1}
- openssh 1:9.3p2-1 (bug #1042460)
[bookworm] - openssh 1:9.2p1-2+deb12u1
- [bullseye] - openssh <no-dsa> (Minor issue; needs specific conditions and forwarding was always subject to caution warning)
+ [bullseye] - openssh 1:8.4p1-5+deb11u2
NOTE: https://www.openwall.com/lists/oss-security/2023/07/19/9
NOTE: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc
NOTE: https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a
@@ -10909,7 +10909,7 @@ CVE-2023-3446 (Issue summary: Checking excessively long DH keys or parameters ma
{DLA-3530-1}
- openssl 3.0.10-1 (bug #1041817)
[bookworm] - openssl 3.0.10-1~deb12u1
- [bullseye] - openssl <postponed> (Minor issue, fix along with future DSA)
+ [bullseye] - openssl 1.1.1v-0~deb11u1
NOTE: https://www.openssl.org/news/secadv/20230719.txt
NOTE: https://github.com/openssl/openssl/commit/9e0094e2aa1b3428a12d5095132f133c078d3c3d (master)
NOTE: https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb (openssl-3.0.10)
@@ -13120,7 +13120,7 @@ CVE-2023-35936 (Pandoc is a Haskell library for converting from one markup forma
{DLA-3507-1}
- pandoc 2.17.1.1-2 (bug #1041976)
[bookworm] - pandoc 2.17.1.1-2~deb12u1
- [bullseye] - pandoc <no-dsa> (Minor issue)
+ [bullseye] - pandoc 2.9.2.1-1+deb11u1
NOTE: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
NOTE: Fixed by: https://github.com/jgm/pandoc/commit/5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 (3.1.4)
NOTE: Regression: https://github.com/jgm/pandoc/commit/54561e9a6667b36a8452b01d2def9e3642013dd6 (3.1.4)
@@ -13555,7 +13555,7 @@ CVE-2023-3478 (A vulnerability classified as critical was found in IBOS OA 4.5.5
CVE-2023-37365 (Hnswlib 0.7.0 has a double free in init_index when the M argument is a ...)
- hnswlib 0.7.0-1 (bug #1041426)
[bookworm] - hnswlib 0.6.2-2+deb12u1
- [bullseye] - hnswlib <no-dsa> (Minor issue)
+ [bullseye] - hnswlib 0.4.0-3+deb11u1
NOTE: https://github.com/nmslib/hnswlib/issues/467
CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injec ...)
- pacparser <unfixed> (bug #1041425)
@@ -13921,7 +13921,7 @@ CVE-2023-3355 (A NULL pointer dereference flaw was found in the Linux kernel's d
CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client connec ...)
- qemu 1:8.0.4+dfsg-1
[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html
@@ -14449,7 +14449,7 @@ CVE-2023-32360 (An authentication issue was addressed with improved state manage
{DLA-3594-1}
- cups 2.4.2-6 (bug #1051953)
[bookworm] - cups 2.4.2-3+deb12u2
- [bullseye] - cups <no-dsa> (Workaround exist; patch changes only default cupsd.conf; can be fixed via point release)
+ [bullseye] - cups 2.3.3op2-3+deb11u4
NOTE: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 (v2.4.3)
CVE-2023-32357 (An authorization issue was addressed with improved state management. T ...)
NOT-FOR-US: Apple
@@ -15185,7 +15185,7 @@ CVE-2023-34241 (OpenPrinting CUPS is a standards-based, open source printing sys
{DLA-3476-1}
- cups 2.4.2-5 (bug #1038885)
[bookworm] - cups 2.4.2-3+deb12u1
- [bullseye] - cups <no-dsa> (Minor issue; exploitable under specific conditions; can be fixed via point release)
+ [bullseye] - cups 2.3.3op2-3+deb11u3
NOTE: https://www.openwall.com/lists/oss-security/2023/06/22/4
NOTE: https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2
NOTE: Introduced by: https://github.com/OpenPrinting/cups/commit/996acce8760c538b9fee69c99f274ffc27744386#diff-ea18088a3c3df78fec37244a94c58754b6e5cb7fbfd7066f6124de51a73c284d (v2.2b1)
@@ -15950,7 +15950,7 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash
[experimental] - dbus 1.15.6-1
- dbus 1.14.8-1 (bug #1037151)
[bookworm] - dbus 1.14.8-1~deb12u1
- [bullseye] - dbus <no-dsa> (Minor issue)
+ [bullseye] - dbus 1.12.28-0+deb11u1
[buster] - dbus <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457
CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...)
@@ -16356,7 +16356,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse
{DLA-3492-1 DLA-3478-1}
- yajl 2.1.0-5 (bug #1039984)
[bookworm] - yajl 2.1.0-3+deb12u2
- [bullseye] - yajl <no-dsa> (Minor issue)
+ [bullseye] - yajl 2.1.0-3+deb11u2
NOTE: https://github.com/lloyd/yajl/issues/250
NOTE: Introduced with: https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb (2.0.0)
NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete.
@@ -16820,7 +16820,7 @@ CVE-2023-32324 (OpenPrinting CUPS is an open source printing system. In versions
{DLA-3440-1}
- cups 2.4.2-4
[bookworm] - cups 2.4.2-3+deb12u1
- [bullseye] - cups <no-dsa> (Can be fixed via point release; exploitable when setting loglevel to DEBUG)
+ [bullseye] - cups 2.3.3op2-3+deb11u3
NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
NOTE: Fixed by: https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e
CVE-2023-3029 (A vulnerability has been found in Guangdong Pythagorean OA Office Syst ...)
@@ -21915,7 +21915,7 @@ CVE-2022-48438 (In cp_dump driver, there is a possible out of bounds write due t
CVE-2023-30570 (pluto in Libreswan before 4.11 allows a denial of service (responder S ...)
- libreswan 4.11-1 (bug #1035542)
[bookworm] - libreswan 4.10-2+deb12u1
- [bullseye] - libreswan <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - libreswan 4.3-1+deb11u4
[buster] - libreswan <not-affected> (The vulnerable code was introduced in version 3.28)
NOTE: https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
NOTE: https://github.com/libreswan/libreswan/issues/1039
@@ -24543,7 +24543,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to execute
NOT-FOR-US: Novi Survey
CVE-2023-29491 (ncurses before 6.4 20230408, when used by a setuid application, allows ...)
- ncurses 6.4-3 (bug #1034372)
- [bullseye] - ncurses <no-dsa> (Minor issue)
+ [bullseye] - ncurses 6.2+20201114-2+deb11u2
[buster] - ncurses <no-dsa> (Minor issue)
NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408
NOTE: http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
@@ -25734,10 +25734,10 @@ CVE-2023-29198 (Electron is a framework which lets you write cross-platform desk
- electron <itp> (bug #842420)
CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...)
- php-guzzlehttp-psr7 2.4.5-1 (bug #1034581)
- [bullseye] - php-guzzlehttp-psr7 <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u2
[buster] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
- php-nyholm-psr7 1.5.1-2 (bug #1034597)
- [bullseye] - php-nyholm-psr7 <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - php-nyholm-psr7 1.3.2-2+deb11u1
NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
NOTE: https://github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66 (2.4.5)
NOTE: https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c
@@ -26614,7 +26614,7 @@ CVE-2023-28744 (A use-after-free vulnerability exists in the JavaScript engine o
CVE-2023-1672 (A race condition exists in the Tang server functionality for key gener ...)
- tang 14-1 (bug #1038119)
[bookworm] - tang 11-2+deb12u1
- [bullseye] - tang <no-dsa> (Minor issue)
+ [bullseye] - tang 8-3+deb11u2
[buster] - tang <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
NOTE: https://census-labs.com/news/2023/06/15/race-tang/
@@ -27552,7 +27552,7 @@ CVE-2023-1545 (SQL Injection in GitHub repository nilsteampassnet/teampass prior
CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...)
- qemu 1:8.0.2+dfsg-1 (bug #1034179)
[bookworm] - qemu <no-dsa> (Minor issue)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (v8.0.0-rc0)
@@ -27844,7 +27844,7 @@ CVE-2023-28617 (org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1
{DLA-3416-1}
[experimental] - org-mode 9.6.6+dfsg-1~exp1
- org-mode 9.5.2+dfsh-5 (bug #1033341)
- [bullseye] - org-mode <no-dsa> (Minor issue)
+ [bullseye] - org-mode 9.4.0+dfsg-1+deb11u1
[buster] - org-mode <no-dsa> (Minor issue)
- emacs 1:28.2+1-14 (bug #1033342)
[bullseye] - emacs <no-dsa> (Minor issue)
@@ -28950,14 +28950,14 @@ CVE-2023-28323 (A deserialization of untrusted data exists in EPM 2022 Su3 and a
NOT-FOR-US: Ivanti
CVE-2023-28322 (An information disclosure vulnerability exists in curl <v8.1.0 when do ...)
- curl 7.88.1-10 (bug #1036239)
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u9
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-28322.html
NOTE: Introduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7)
NOTE: Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0)
CVE-2023-28321 (An improper certificate validation vulnerability exists in curl <v8.1. ...)
- curl 7.88.1-10 (bug #1036239)
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u9
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-28321.html
NOTE: Introduced by: https://github.com/curl/curl/commit/9631fa740708b1890197fad01e25b34b7e8eb80e (curl-7_12_0)
@@ -31507,7 +31507,7 @@ CVE-2023-27539
CVE-2023-27538 (An authentication bypass vulnerability exists in libcurl prior to v8.0 ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27538.html
NOTE: Fixed by: https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb (curl-8_0_0)
CVE-2023-27537 (A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS ...)
@@ -31520,20 +31520,20 @@ CVE-2023-27537 (A double free vulnerability exists in libcurl <8.0.0 when sharin
CVE-2023-27536 (An authentication bypass vulnerability exists libcurl <8.0.0 in the co ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27536.html
NOTE: Introduced by: https://github.com/curl/curl/commit/ebf42c4be76df40ec6d3bf32f229bbb274e2c32f (curl-7_22_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 (curl-8_0_0)
CVE-2023-27535 (An authentication bypass vulnerability exists in libcurl <8.0.0 in the ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27535.html
NOTE: Introduced by: https://github.com/curl/curl/commit/177dbc7be07125582ddb7416dba7140b88ab9f62 (curl-7_13_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 (curl-8_0_0)
CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implementati ...)
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-27534.html
NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0)
@@ -31541,7 +31541,7 @@ CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implem
CVE-2023-27533 (A vulnerability in input validation exists in curl <8.0 during communi ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27533.html
NOTE: Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7_alpha2)
NOTE: Fixed by: https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 (curl-8_0_0)
@@ -37465,12 +37465,12 @@ CVE-2023-25516 (NVIDIA GPU Display Driver for Linux contains a vulnerability in
[bookworm] - nvidia-graphics-drivers-tesla 525.125.06-1~deb12u1
- nvidia-graphics-drivers-tesla-470 470.199.02-1 (bug #1039684)
[bookworm] - nvidia-graphics-drivers-tesla-470 470.199.02-1~deb12u1
- [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1039683)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-450 450.248.02-1 (bug #1039682)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1039681)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1039680)
@@ -37480,7 +37480,7 @@ CVE-2023-25516 (NVIDIA GPU Display Driver for Linux contains a vulnerability in
[buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers 525.125.06-1 (bug #1039678)
[bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.199.02-1
[buster] - nvidia-graphics-drivers <postponed> (Minor issue, revisit when/if fixed upstream)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468
CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
@@ -37490,12 +37490,12 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[bookworm] - nvidia-graphics-drivers-tesla 525.125.06-1~deb12u1
- nvidia-graphics-drivers-tesla-470 470.199.02-1 (bug #1039684)
[bookworm] - nvidia-graphics-drivers-tesla-470 470.199.02-1~deb12u1
- [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1039683)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-450 450.248.02-1 (bug #1039682)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1039681)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1039680)
@@ -37505,7 +37505,7 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers 525.125.06-1 (bug #1039678)
[bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.199.02-1
[buster] - nvidia-graphics-drivers <postponed> (Minor issue, revisit when/if fixed upstream)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468
CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...)
@@ -41025,7 +41025,7 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a
- python3.7 <removed>
[buster] - python3.7 <ignored> (Cf. related CVE-2022-0391)
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://pointernull.com/security/python-url-parse-problem.html
NOTE: https://github.com/python/cpython/pull/99421
NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch)
@@ -41117,7 +41117,7 @@ CVE-2023-24292
CVE-2023-24291 [A crafted save file can cause a buffer overrun in Simon Tatham's Portable Puzzle Collection]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24290
RESERVED
@@ -41126,12 +41126,12 @@ CVE-2023-24289
CVE-2023-24288 [A crafted save file can cause a buffer overrun in Simon Tatham's Portable Puzzle Collection]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24287 [A crafted save file can cause a buffer overrun in the Undead puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24286 [A crafted save file can cause a buffer overrun in the Mosaic puzzle]
RESERVED
@@ -41141,17 +41141,17 @@ CVE-2023-24286 [A crafted save file can cause a buffer overrun in the Mosaic puz
CVE-2023-24285 [A crafted save file can cause a buffer overrun in the Netslide puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24284 [A crafted save file can cause a buffer overrun in the Guess puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24283 [A crafted save file can cause a buffer overrun in the Guess puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24282 (An arbitrary file upload vulnerability in Poly Trio 8800 7.2.2.1094 al ...)
NOT-FOR-US: Poly Trio 8800
@@ -42895,7 +42895,7 @@ CVE-2023-0330 (A vulnerability in the lsi53c895a device affects the latest versi
{DLA-3604-1}
- qemu 1:8.0.2+dfsg-1 (bug #1029155)
[bookworm] - qemu 1:7.2+dfsg-7+deb12u1
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151
NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/e49884a90987744ddb54b2fadc770633eb6a4d62 (v8.0.1)
@@ -52457,7 +52457,7 @@ CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denia
- mariadb 1:10.11.3-1 (bug #1034889)
- mariadb-10.6 <removed>
- mariadb-10.5 <removed>
- [bullseye] - mariadb-10.5 <no-dsa> (Minor issue)
+ [bullseye] - mariadb-10.5 1:10.5.20-0+deb11u1
- mariadb-10.3 <removed>
NOTE: https://jira.mariadb.org/browse/MDEV-29644
CVE-2022-47014
@@ -55341,7 +55341,7 @@ CVE-2022-46176 (Cargo is a Rust package manager. The Rust Security Response WG w
NOTE: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
CVE-2022-46175 (JSON5 is an extension to the popular JSON file format that aims to be ...)
- node-json5 2.2.3+dfsg-1 (bug #1027145)
- [bullseye] - node-json5 <no-dsa> (Minor issue)
+ [bullseye] - node-json5 2.1.3-2+deb11u1
[buster] - node-json5 <no-dsa> (Minor issue)
NOTE: https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
NOTE: https://github.com/json5/json5/issues/199
@@ -56815,7 +56815,7 @@ CVE-2022-45583
CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1. ...)
- horizon 3:23.1.0-3
[bookworm] - horizon 3:23.0.0-5+deb12u1
- [bullseye] - horizon <no-dsa> (Minor issue)
+ [bullseye] - horizon 3:18.6.2-5+deb11u2
[buster] - horizon <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/horizon/+bug/1982676
NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0)
@@ -59532,14 +59532,14 @@ CVE-2022-44731 (A vulnerability has been identified in SIMATIC WinCC OA V3.15 (A
CVE-2022-44730 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...)
- batik 1.17+dfsg-1
[bookworm] - batik 1.16+dfsg-1+deb12u1
- [bullseye] - batik <no-dsa> (Minor issue)
+ [bullseye] - batik 1.12-4+deb11u2
[buster] - batik <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/3
NOTE: https://issues.apache.org/jira/browse/BATIK-1347
CVE-2022-44729 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...)
- batik 1.17+dfsg-1
[bookworm] - batik 1.16+dfsg-1+deb12u1
- [bullseye] - batik <no-dsa> (Minor issue)
+ [bullseye] - batik 1.12-4+deb11u2
[buster] - batik <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/2
NOTE: https://issues.apache.org/jira/browse/BATIK-1349
@@ -63957,7 +63957,7 @@ CVE-2023-20197 (A vulnerability in the filesystem image parser for Hierarchical
{DLA-3544-1}
- clamav 1.0.2+dfsg-1 (bug #1050057)
[bookworm] - clamav 1.0.2+dfsg-1~deb12u1
- [bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+ [bullseye] - clamav 0.103.9+dfsg-0+deb11u1
NOTE: https://blog.clamav.net/2023/07/2023-08-16-releases.html
CVE-2023-20196
RESERVED
@@ -97693,7 +97693,7 @@ CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the ProtocolBu
{DLA-3393-1}
[experimental] - protobuf 3.20.2-1
- protobuf 3.21.9-3
- [bullseye] - protobuf <no-dsa> (Minor issue)
+ [bullseye] - protobuf 3.12.4-1+deb11u1
NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1
NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
NOTE: https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2)
@@ -102303,7 +102303,7 @@ CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory trav
[buster] - unrar-nonfree 1:5.6.6-1+deb10u1
[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
- rar 2:6.20~b1-0.1 (bug #1012228)
- [bullseye] - rar <no-dsa> (Non-free not supported)
+ [bullseye] - rar 2:6.20-0.1~deb11u1
[stretch] - rar <no-dsa> (Non-free not supported)
NOTE: 6.12 application version corresponds to 6.1.7 source version:
NOTE: https://github.com/debian-calibre/unrar-nonfree/compare/upstream/6.1.6...upstream/6.1.7
@@ -103532,7 +103532,7 @@ CVE-2022-1538
CVE-2022-1537 (file.copy operations in GruntJS are vulnerable to a TOCTOU race condit ...)
{DLA-3383-1}
- grunt 1.5.3-1
- [bullseye] - grunt <no-dsa> (Minor issue)
+ [bullseye] - grunt 1.3.0-1+deb11u2
NOTE: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
NOTE: https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae (v1.5.3)
CVE-2022-1536 (A vulnerability has been found in automad up to 1.10.9 and classified ...)
@@ -115533,7 +115533,7 @@ CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to
CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...)
{DLA-3350-1}
- node-css-what 5.0.1-1 (bug #1032188)
- [bullseye] - node-css-what <no-dsa> (Minor issue)
+ [bullseye] - node-css-what 4.0.0-3+deb11u1
NOTE: https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
NOTE: ReDoS issue fixed with rewrite of module to TypeScript
NOTE: Not fixed in 4.0.0 see https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84
@@ -118663,7 +118663,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation
[stretch] - ruby-yajl <no-dsa> (Minor issue)
- yajl 2.1.0-4 (bug #1040036)
[bookworm] - yajl 2.1.0-3+deb12u2
- [bullseye] - yajl <no-dsa> (Minor issue)
+ [bullseye] - yajl 2.1.0-3+deb11u2
- burp <unfixed> (bug #1040146)
[bookworm] - burp <no-dsa> (Minor issue)
[bullseye] - burp <no-dsa> (Minor issue)
@@ -121308,7 +121308,7 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse
- python3.5 <removed>
- python3.4 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue43882
NOTE: Regressions reported for django, boto-core and cloud-init
NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1)
@@ -124744,7 +124744,7 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized a
CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI Host B ...)
{DLA-3362-1}
- qemu 1:7.1+dfsg-1 (bug #1014590)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953
NOTE: https://starlabs.sg/advisories/22/22-0216/
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -130567,7 +130567,7 @@ CVE-2021-45424
RESERVED
CVE-2021-45423 (A Buffer Overflow vulnerabilityexists in Pev 0.81 via the pe_exports f ...)
- pev 0.81-9 (bug #1034725)
- [bullseye] - pev <no-dsa> (Minor issue, will be fixed in next point release)
+ [bullseye] - pev 0.81-3+deb11u1
[buster] - pev <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/merces/libpe/issues/35
NOTE: https://github.com/merces/libpe/commit/9b5fedc37ccbcd23695a0e97c0fe46c999e26100
@@ -138460,7 +138460,7 @@ CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF))
CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEMU. It ...)
{DLA-3099-1 DLA-2970-1}
- qemu 1:6.2+dfsg-1
- [bullseye] - qemu <postponed> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 (v6.2.0-rc0)
@@ -154141,7 +154141,7 @@ CVE-2021-38186 (An issue was discovered in the comrak crate before 0.10.1 for Ru
CVE-2021-38185 (GNU cpio through 2.13 allows attackers to execute arbitrary code via a ...)
{DLA-3445-1}
- cpio 2.13+dfsg-5 (bug #992045)
- [bullseye] - cpio <no-dsa> (Minor issue)
+ [bullseye] - cpio 2.13+dfsg-7.1~deb11u1
[stretch] - cpio <no-dsa> (Minor issue)
NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
NOTE: https://github.com/fangqyi/cpiopwn
@@ -165045,7 +165045,7 @@ CVE-2021-33798 (A null pointer dereference was found in libpano13, version libpa
NOTE: duplicate of CVE-2021-33293, pinged Fedora for reject
CVE-2021-33797 (Buffer-overflow in jsdtoa.c in Artifex MuJS in versions 1.0.1 to 1.1.1 ...)
- mujs 1.1.3-2
- [bullseye] - mujs <no-dsa> (Minor issue)
+ [bullseye] - mujs 1.1.0-1+deb11u3
NOTE: https://github.com/ccxvii/mujs/issues/148
NOTE: https://github.com/ccxvii/mujs/commit/833b6f1672b4f2991a63c4d05318f0b84ef4d550 (1.1.2)
CVE-2021-33796 (In MuJS before version 1.1.2, a use-after-free flaw in the regexp sour ...)
@@ -165589,7 +165589,7 @@ CVE-2021-33588
CVE-2021-33587 (The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure t ...)
{DLA-3350-1}
- node-css-what 5.0.1-1 (bug #989264)
- [bullseye] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series)
+ [bullseye] - node-css-what 4.0.0-3+deb11u1
[buster] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series)
[stretch] - node-css-what <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/fb55/css-what/commit/4cdaacfd0d4b6fd00614be030da0dea6c2994655
@@ -171301,7 +171301,7 @@ CVE-2021-3508 (A flaw was found in PDFResurrect in version 0.22b. There is an in
CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of QEMU u ...)
{DLA-3099-1}
- qemu 1:7.1+dfsg-1 (bug #987410)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367 (v7.1.0-rc0)
@@ -191947,7 +191947,7 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0
- python3.5 <removed>
[experimental] - python2.7 2.7.18-13.1~exp1
- python2.7 2.7.18-13.1
- [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
- pypy3 7.3.3+dfsg-3
[buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/pull/24297
@@ -193780,7 +193780,7 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo
{DLA-3393-1}
[experimental] - protobuf 3.17.1-1
- protobuf 3.21.9-3
- [bullseye] - protobuf <no-dsa> (Minor issue)
+ [bullseye] - protobuf 3.12.4-1+deb11u1
[stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch needs to be isolated)
NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
NOTE: Fixed in merge commit https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2
@@ -193789,7 +193789,7 @@ CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google
{DLA-3393-1}
[experimental] - protobuf 3.19.3-1
- protobuf 3.21.9-3
- [bullseye] - protobuf <no-dsa> (Minor issue)
+ [bullseye] - protobuf 3.12.4-1+deb11u1
[stretch] - protobuf <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4
NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001
@@ -201284,7 +201284,7 @@ CVE-2021-20204 (A heap memory corruption problem (use after free) can be trigger
CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...)
{DLA-3099-1 DLA-2623-1}
- qemu 1:6.2+dfsg-1 (bug #984452)
- [bullseye] - qemu <postponed> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugs.launchpad.net/qemu/+bug/1913873
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/308
NOTE: https://bugs.launchpad.net/qemu/+bug/1890152
@@ -201324,7 +201324,7 @@ CVE-2021-20197 (There is an open race window when writing output in the followin
CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emulator ...)
{DLA-3099-1 DLA-2970-1}
- qemu 1:6.2+dfsg-1 (bug #984453)
- [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919210
NOTE: https://bugs.launchpad.net/qemu/+bug/1912780
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/338
@@ -221422,7 +221422,7 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentatio
{DLA-3469-1 DLA-2381-1}
- lua5.4 5.4.1-1 (bug #971613)
- lua5.3 5.3.6-1 (bug #988734)
- [bullseye] - lua5.3 <no-dsa> (Minor issue)
+ [bullseye] - lua5.3 5.3.3-1.1+deb11u1
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
NOTE: (lua5.3) https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9
@@ -244025,7 +244025,7 @@ CVE-2020-14395
CVE-2020-14394 (An infinite loop flaw was found in the USB xHCI controller emulation o ...)
{DLA-3362-1}
- qemu 1:7.1+dfsg-1 (bug #979677)
- [bullseye] - qemu <postponed> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc (v7.1.0-rc3)
@@ -321467,7 +321467,7 @@ CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=st
CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For examp ...)
{DLA-3469-1}
- lua5.3 5.3.6-1 (bug #920321)
- [bullseye] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - lua5.3 5.3.3-1.1+deb11u1
- lua5.2 <not-affected> (Vulnerable code introduced later)
- lua5.1 <not-affected> (Vulnerable code introduced later)
- lua50 <not-affected> (Vulnerable code introduced later)
@@ -396823,7 +396823,7 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
[jessie] - ruby-yajl <no-dsa> (Minor issue)
- yajl 2.1.0-4 (bug #1040036)
[bookworm] - yajl 2.1.0-3+deb12u2
- [bullseye] - yajl <no-dsa> (Minor issue)
+ [bullseye] - yajl 2.1.0-3+deb11u2
- burp <unfixed> (bug #1040146)
[bookworm] - burp <no-dsa> (Minor issue)
[bullseye] - burp <no-dsa> (Minor issue)
diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt
index 8456a25724..768ff4c914 100644
--- a/data/next-oldstable-point-update.txt
+++ b/data/next-oldstable-point-update.txt
@@ -1,167 +1,5 @@
-CVE-2022-46175
- [bullseye] - node-json5 2.1.3-2+deb11u1
-CVE-2022-21222
- [bullseye] - node-css-what 4.0.0-3+deb11u1
-CVE-2021-33587
- [bullseye] - node-css-what 4.0.0-3+deb11u1
-CVE-2021-22569
- [bullseye] - protobuf 3.12.4-1+deb11u1
-CVE-2021-22570
- [bullseye] - protobuf 3.12.4-1+deb11u1
-CVE-2022-1941
- [bullseye] - protobuf 3.12.4-1+deb11u1
-CVE-2023-29197
- [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u2
- [bullseye] - php-nyholm-psr7 1.3.2-2+deb11u1
-CVE-2021-45423
- [bullseye] - pev 0.81-3+deb11u1
-CVE-2023-24291
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24288
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24287
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24285
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24284
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24283
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-27533
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27534
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27535
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27536
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27538
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2021-33797
- [bullseye] - mujs 1.1.0-1+deb11u3
-CVE-2023-29491
- [bullseye] - ncurses 6.2+20201114-2+deb11u2
-CVE-2022-1537
- [bullseye] - grunt 1.3.0-1+deb11u2
-CVE-2023-30570
- [bullseye] - libreswan 4.3-1+deb11u4
-CVE-2022-47015
- [bullseye] - mariadb-10.5 1:10.5.20-0+deb11u1
-CVE-2023-28617
- [bullseye] - org-mode 9.4.0+dfsg-1+deb11u1
-CVE-2023-34969
- [bullseye] - dbus 1.12.28-0+deb11u1
-CVE-2023-34241
- [bullseye] - cups 2.3.3op2-3+deb11u3
-CVE-2023-32324
- [bullseye] - cups 2.3.3op2-3+deb11u3
-CVE-2023-4504
- [bullseye] - cups 2.3.3op2-3+deb11u4
-CVE-2023-32360
- [bullseye] - cups 2.3.3op2-3+deb11u4
-CVE-2023-33460
- [bullseye] - yajl 2.1.0-3+deb11u2
-CVE-2017-16516
- [bullseye] - yajl 2.1.0-3+deb11u2
-CVE-2022-24795
- [bullseye] - yajl 2.1.0-3+deb11u2
-CVE-2019-6706
- [bullseye] - lua5.3 5.3.3-1.1+deb11u1
-CVE-2020-24370
- [bullseye] - lua5.3 5.3.3-1.1+deb11u1
-CVE-2023-25516
- [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- [bullseye] - nvidia-graphics-drivers 470.199.02-1
-CVE-2023-25515
- [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- [bullseye] - nvidia-graphics-drivers 470.199.02-1
-CVE-2023-1672
- [bullseye] - tang 8-3+deb11u2
CVE-2023-XXXX [spip: Use a dedicated function to clean author data when preparing a session]
[bullseye] - spip 3.2.11-3+deb11u9
-CVE-2023-37365
- [bullseye] - hnswlib 0.4.0-3+deb11u1
-CVE-2023-35936
- [bullseye] - pandoc 2.9.2.1-1+deb11u1
-CVE-2023-36054
- [bullseye] - krb5 1.18.3-6+deb11u4
-CVE-2022-30333
- [bullseye] - rar 2:6.20-0.1~deb11u1
-CVE-2023-40477
- [bullseye] - rar 2:6.23-1~deb11u1
- [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u3
-CVE-2022-48579
- [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u2
-CVE-2023-40303
- [bullseye] - inetutils 2:2.0-1+deb11u2
-CVE-2022-44729
- [bullseye] - batik 1.12-4+deb11u2
-CVE-2022-44730
- [bullseye] - batik 1.12-4+deb11u2
-CVE-2023-3446
- [bullseye] - openssl 1.1.1v-0~deb11u1
-CVE-2023-3817
- [bullseye] - openssl 1.1.1v-0~deb11u1
-CVE-2023-20197
- [bullseye] - clamav 0.103.9+dfsg-0+deb11u1
-CVE-2023-38408
- [bullseye] - openssh 1:8.4p1-5+deb11u2
-CVE-2022-45582
- [bullseye] - horizon 3:18.6.2-5+deb11u2
-CVE-2021-23336
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-0391
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-48560
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-48565
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-48566
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2023-24329
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2023-40217
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2021-20196
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-0330
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-1544
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-3354
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2021-3930
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-3180
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2021-20203
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2021-3507
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2020-14394
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-3301
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2022-0216
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-41081
- [bullseye] - libapache-mod-jk 1:1.2.48-1+deb11u1
-CVE-2023-43770
- [bullseye] - roundcube 1.4.14+dfsg.1-1~deb11u1
-CVE-2023-38559
- [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
-CVE-2023-43115
- [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
-CVE-2023-44469
- [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u5
-CVE-2021-38185
- [bullseye] - cpio 2.13+dfsg-7.1~deb11u1
-CVE-2023-28322
- [bullseye] - curl 7.74.0-1.3+deb11u9
-CVE-2023-28321
- [bullseye] - curl 7.74.0-1.3+deb11u9
CVE-2023-32665
[bullseye] - glib2.0 2.66.8-1+deb11u1
CVE-2023-32611

© 2014-2024 Faster IT GmbH | imprint | privacy policy