diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2023-10-06 22:58:33 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2023-10-06 22:58:33 +0200 |
commit | 027c1e33dae1363b3665b1b0d5444526a91da201 (patch) | |
tree | 478a3e08ebf20e3adb2d0b816739263a6c489f8d /data | |
parent | 3376376c177596275cc56b354d803e647ffd661a (diff) |
Merge changes for updates with CVEs via bullseye 11.8
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/list | 168 | ||||
-rw-r--r-- | data/next-oldstable-point-update.txt | 162 |
2 files changed, 84 insertions, 246 deletions
diff --git a/data/CVE/list b/data/CVE/list index f93b9e8fd3..5232b756dd 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -1124,7 +1124,7 @@ CVE-2023-4316 (Zod in version 3.22.2 allows an attacker to perform a denial of s CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer in Le ...) - lemonldap-ng 2.17.1+ds-1 [bookworm] - lemonldap-ng 2.16.1+ds-deb12u2 - [bullseye] - lemonldap-ng <no-dsa> (Minor issue) + [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u5 [buster] - lemonldap-ng <no-dsa> (Minor issue) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 NOTE: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ @@ -2598,7 +2598,7 @@ CVE-2023-4504 (Due to failure in validating the length provided by an attacker-c {DLA-3594-1} - cups 2.4.2-6 [bookworm] - cups 2.4.2-3+deb12u2 - [bullseye] - cups <no-dsa> (Minor issue) + [bullseye] - cups 2.3.3op2-3+deb11u4 - libppd <not-affected> (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/09/20/3 NOTE: https://takeonme.org/cves/CVE-2023-4504.html @@ -2828,7 +2828,7 @@ CVE-2023-43770 (Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1. {DLA-3577-1} - roundcube 1.6.3+dfsg-1 (bug #1052059) [bookworm] - roundcube 1.6.3+dfsg-1~deb12u1 - [bullseye] - roundcube <no-dsa> (Minor issue) + [bullseye] - roundcube 1.4.14+dfsg.1-1~deb11u1 NOTE: https://roundcube.net/news/2023/09/15/security-update-1.6.3-released NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b (1.6.3) CVE-2023-5036 (Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos ...) @@ -2848,7 +2848,7 @@ CVE-2023-5029 (A vulnerability, which was classified as critical, was found in m CVE-2023-43115 (In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead ...) - ghostscript 10.02.0~dfsg-1 [bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2 - [bullseye] - ghostscript <no-dsa> (Minor issue; documented risks, can be fixed in later update) + [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6 [buster] - ghostscript <ignored> (Minor issue; documented risks, have done refactoring in later versions) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707051 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 @@ -3281,7 +3281,7 @@ CVE-2023-41081 (Important: Authentication Bypass CVE-2023-41081 The mod_jk comp {DLA-3580-1} - libapache-mod-jk 1:1.2.49-1 (bug #1051956) [bookworm] - libapache-mod-jk 1:1.2.48-2+deb12u1 - [bullseye] - libapache-mod-jk <no-dsa> (Minor issue) + [bullseye] - libapache-mod-jk 1:1.2.48-1+deb11u1 NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2 NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49 @@ -6219,7 +6219,7 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3. - python3.9 <removed> - python3.7 <removed> - python2.7 <removed> - [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) + [bullseye] - python2.7 2.7.18-8+deb11u1 - pypy3 7.3.13+dfsg-1 NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/ NOTE: https://github.com/python/cpython/issues/108310 @@ -6397,10 +6397,10 @@ CVE-2023-40477 {DLA-3543-1 DLA-3542-1} - rar 2:6.23-1 [bookworm] - rar 2:6.23-1~deb12u1 - [bullseye] - rar <no-dsa> (Non-free not supported) + [bullseye] - rar 2:6.23-1~deb11u1 - unrar-nonfree 1:6.2.10-1 [bookworm] - unrar-nonfree 1:6.2.6-1+deb12u1 - [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported) + [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u3 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1152/ NOTE: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa CVE-2023-38831 (RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code ...) @@ -6591,7 +6591,7 @@ CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Pyth - python3.9 3.9.1~rc1-1 - python3.7 <removed> - python2.7 <removed> - [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) + [bullseye] - python2.7 2.7.18-8+deb11u1 NOTE: https://bugs.python.org/issue40791 NOTE: https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781 (v3.9.0b2) NOTE: https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb (v3.9.1rc1) @@ -6603,7 +6603,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python thro - python3.9 3.9.1~rc1-1 - python3.7 <removed> - python2.7 <removed> - [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) + [bullseye] - python2.7 2.7.18-8+deb11u1 NOTE: https://bugs.python.org/issue42051 NOTE: https://github.com/python/cpython/issues/86217 NOTE: https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 (v3.10.0a2) @@ -6627,7 +6627,7 @@ CVE-2022-48560 (A use-after-free exists in Python through 3.9 via heappushpop in - python3.9 <not-affected> (Fixed before initial upload to the archive) - python3.7 3.7.7-1 - python2.7 <removed> - [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) + [bullseye] - python2.7 2.7.18-8+deb11u1 NOTE: https://bugs.python.org/issue39421 NOTE: https://github.com/python/cpython/issues/83602 NOTE: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491ccdef861 (v3.9.0a3) @@ -7537,7 +7537,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_bra CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...) - inetutils 2:2.4-3 (bug #1049365) [bookworm] - inetutils 2:2.4-2+deb12u1 - [bullseye] - inetutils <no-dsa> (Minor issue) + [bullseye] - inetutils 2:2.0-1+deb11u2 [buster] - inetutils <no-dsa> (Minor issue) NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html @@ -8756,7 +8756,7 @@ CVE-2023-36220 (Directory Traversal vulnerability in Textpattern CMS v4.8.8 allo CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 an ...) - krb5 1.20.1-3 (bug #1043431) [bookworm] - krb5 1.20.1-2+deb12u1 - [bullseye] - krb5 <no-dsa> (Minor issue) + [bullseye] - krb5 1.18.3-6+deb11u4 [buster] - krb5 <postponed> (Minor issue, DoS) NOTE: https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd CVE-2023-34477 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) @@ -8796,7 +8796,7 @@ CVE-2023-33906 (In Contacts Service, there is a possible missing permission chec CVE-2022-48579 (UnRAR before 6.2.3 allows extraction of files outside of the destinati ...) {DLA-3535-1} - unrar-nonfree 1:6.2.3-1 (bug #1050080) - [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported) + [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u2 NOTE: https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee CVE-2023-4196 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...) NOT-FOR-US: Cockpit CMS @@ -9141,7 +9141,7 @@ CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling {DLA-3604-1} - qemu 1:8.0.4+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u2 - [bullseye] - qemu <no-dsa> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0) NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 (master) NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f (v8.0.4) @@ -9435,7 +9435,7 @@ CVE-2023-3364 (An issue has been discovered in GitLab CE/EE affecting all versio CVE-2023-3301 (A flaw was found in QEMU. The async nature of hot-unplug enables a rac ...) - qemu 1:8.0.3+dfsg-1 [bookworm] - qemu <no-dsa> (Minor issue) - [bullseye] - qemu <no-dsa> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 [buster] - qemu <not-affected> (vhost-vdpa introduced in v5.1) NOTE: https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 (v8.1.0-rc0) NOTE: https://github.com/qemu/qemu/commit/aab37b2002811f112d5c26337473486d7d585881 (v8.0.3) @@ -9458,7 +9458,7 @@ CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn {DLA-3519-1} - ghostscript 10.02.0~dfsg-1 (bug #1043033) [bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2 - [bullseye] - ghostscript <postponed> (Minor issue; can be batched together in a later update) + [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f (ghostpdl-10.02.0rc1) CVE-2023-38357 (Session tokens in RWS WorldServer 11.7.3 and earlier have a low entrop ...) @@ -9657,7 +9657,7 @@ CVE-2023-3817 (Issue summary: Checking excessively long DH keys or parameters ma {DLA-3530-1} - openssl 3.0.10-1 [bookworm] - openssl 3.0.10-1~deb12u1 - [bullseye] - openssl <postponed> (Minor issue, fix along with future DSA) + [bullseye] - openssl 1.1.1v-0~deb11u1 NOTE: https://www.openssl.org/news/secadv/20230731.txt NOTE: https://www.openwall.com/lists/oss-security/2023/07/31/1 NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1c16253f3c3a8d1e25918c3f404aae6a5b0893de (master) @@ -10772,7 +10772,7 @@ CVE-2023-38408 (The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an {DLA-3532-1} - openssh 1:9.3p2-1 (bug #1042460) [bookworm] - openssh 1:9.2p1-2+deb12u1 - [bullseye] - openssh <no-dsa> (Minor issue; needs specific conditions and forwarding was always subject to caution warning) + [bullseye] - openssh 1:8.4p1-5+deb11u2 NOTE: https://www.openwall.com/lists/oss-security/2023/07/19/9 NOTE: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc NOTE: https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a @@ -10909,7 +10909,7 @@ CVE-2023-3446 (Issue summary: Checking excessively long DH keys or parameters ma {DLA-3530-1} - openssl 3.0.10-1 (bug #1041817) [bookworm] - openssl 3.0.10-1~deb12u1 - [bullseye] - openssl <postponed> (Minor issue, fix along with future DSA) + [bullseye] - openssl 1.1.1v-0~deb11u1 NOTE: https://www.openssl.org/news/secadv/20230719.txt NOTE: https://github.com/openssl/openssl/commit/9e0094e2aa1b3428a12d5095132f133c078d3c3d (master) NOTE: https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb (openssl-3.0.10) @@ -13120,7 +13120,7 @@ CVE-2023-35936 (Pandoc is a Haskell library for converting from one markup forma {DLA-3507-1} - pandoc 2.17.1.1-2 (bug #1041976) [bookworm] - pandoc 2.17.1.1-2~deb12u1 - [bullseye] - pandoc <no-dsa> (Minor issue) + [bullseye] - pandoc 2.9.2.1-1+deb11u1 NOTE: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g NOTE: Fixed by: https://github.com/jgm/pandoc/commit/5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 (3.1.4) NOTE: Regression: https://github.com/jgm/pandoc/commit/54561e9a6667b36a8452b01d2def9e3642013dd6 (3.1.4) @@ -13555,7 +13555,7 @@ CVE-2023-3478 (A vulnerability classified as critical was found in IBOS OA 4.5.5 CVE-2023-37365 (Hnswlib 0.7.0 has a double free in init_index when the M argument is a ...) - hnswlib 0.7.0-1 (bug #1041426) [bookworm] - hnswlib 0.6.2-2+deb12u1 - [bullseye] - hnswlib <no-dsa> (Minor issue) + [bullseye] - hnswlib 0.4.0-3+deb11u1 NOTE: https://github.com/nmslib/hnswlib/issues/467 CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injec ...) - pacparser <unfixed> (bug #1041425) @@ -13921,7 +13921,7 @@ CVE-2023-3355 (A NULL pointer dereference flaw was found in the Linux kernel's d CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client connec ...) - qemu 1:8.0.4+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u2 - [bullseye] - qemu <no-dsa> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 [buster] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html @@ -14449,7 +14449,7 @@ CVE-2023-32360 (An authentication issue was addressed with improved state manage {DLA-3594-1} - cups 2.4.2-6 (bug #1051953) [bookworm] - cups 2.4.2-3+deb12u2 - [bullseye] - cups <no-dsa> (Workaround exist; patch changes only default cupsd.conf; can be fixed via point release) + [bullseye] - cups 2.3.3op2-3+deb11u4 NOTE: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 (v2.4.3) CVE-2023-32357 (An authorization issue was addressed with improved state management. T ...) NOT-FOR-US: Apple @@ -15185,7 +15185,7 @@ CVE-2023-34241 (OpenPrinting CUPS is a standards-based, open source printing sys {DLA-3476-1} - cups 2.4.2-5 (bug #1038885) [bookworm] - cups 2.4.2-3+deb12u1 - [bullseye] - cups <no-dsa> (Minor issue; exploitable under specific conditions; can be fixed via point release) + [bullseye] - cups 2.3.3op2-3+deb11u3 NOTE: https://www.openwall.com/lists/oss-security/2023/06/22/4 NOTE: https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2 NOTE: Introduced by: https://github.com/OpenPrinting/cups/commit/996acce8760c538b9fee69c99f274ffc27744386#diff-ea18088a3c3df78fec37244a94c58754b6e5cb7fbfd7066f6124de51a73c284d (v2.2b1) @@ -15950,7 +15950,7 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash [experimental] - dbus 1.15.6-1 - dbus 1.14.8-1 (bug #1037151) [bookworm] - dbus 1.14.8-1~deb12u1 - [bullseye] - dbus <no-dsa> (Minor issue) + [bullseye] - dbus 1.12.28-0+deb11u1 [buster] - dbus <no-dsa> (Minor issue) NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) @@ -16356,7 +16356,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse {DLA-3492-1 DLA-3478-1} - yajl 2.1.0-5 (bug #1039984) [bookworm] - yajl 2.1.0-3+deb12u2 - [bullseye] - yajl <no-dsa> (Minor issue) + [bullseye] - yajl 2.1.0-3+deb11u2 NOTE: https://github.com/lloyd/yajl/issues/250 NOTE: Introduced with: https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb (2.0.0) NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete. @@ -16820,7 +16820,7 @@ CVE-2023-32324 (OpenPrinting CUPS is an open source printing system. In versions {DLA-3440-1} - cups 2.4.2-4 [bookworm] - cups 2.4.2-3+deb12u1 - [bullseye] - cups <no-dsa> (Can be fixed via point release; exploitable when setting loglevel to DEBUG) + [bullseye] - cups 2.3.3op2-3+deb11u3 NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7 NOTE: Fixed by: https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e CVE-2023-3029 (A vulnerability has been found in Guangdong Pythagorean OA Office Syst ...) @@ -21915,7 +21915,7 @@ CVE-2022-48438 (In cp_dump driver, there is a possible out of bounds write due t CVE-2023-30570 (pluto in Libreswan before 4.11 allows a denial of service (responder S ...) - libreswan 4.11-1 (bug #1035542) [bookworm] - libreswan 4.10-2+deb12u1 - [bullseye] - libreswan <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - libreswan 4.3-1+deb11u4 [buster] - libreswan <not-affected> (The vulnerable code was introduced in version 3.28) NOTE: https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt NOTE: https://github.com/libreswan/libreswan/issues/1039 @@ -24543,7 +24543,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to execute NOT-FOR-US: Novi Survey CVE-2023-29491 (ncurses before 6.4 20230408, when used by a setuid application, allows ...) - ncurses 6.4-3 (bug #1034372) - [bullseye] - ncurses <no-dsa> (Minor issue) + [bullseye] - ncurses 6.2+20201114-2+deb11u2 [buster] - ncurses <no-dsa> (Minor issue) NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408 NOTE: http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56 @@ -25734,10 +25734,10 @@ CVE-2023-29198 (Electron is a framework which lets you write cross-platform desk - electron <itp> (bug #842420) CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...) - php-guzzlehttp-psr7 2.4.5-1 (bug #1034581) - [bullseye] - php-guzzlehttp-psr7 <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u2 [buster] - php-guzzlehttp-psr7 <no-dsa> (Minor issue) - php-nyholm-psr7 1.5.1-2 (bug #1034597) - [bullseye] - php-nyholm-psr7 <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - php-nyholm-psr7 1.3.2-2+deb11u1 NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw NOTE: https://github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66 (2.4.5) NOTE: https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c @@ -26614,7 +26614,7 @@ CVE-2023-28744 (A use-after-free vulnerability exists in the JavaScript engine o CVE-2023-1672 (A race condition exists in the Tang server functionality for key gener ...) - tang 14-1 (bug #1038119) [bookworm] - tang 11-2+deb12u1 - [bullseye] - tang <no-dsa> (Minor issue) + [bullseye] - tang 8-3+deb11u2 [buster] - tang <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096 NOTE: https://census-labs.com/news/2023/06/15/race-tang/ @@ -27552,7 +27552,7 @@ CVE-2023-1545 (SQL Injection in GitHub repository nilsteampassnet/teampass prior CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu 1:8.0.2+dfsg-1 (bug #1034179) [bookworm] - qemu <no-dsa> (Minor issue) - [bullseye] - qemu <no-dsa> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 [buster] - qemu <no-dsa> (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (v8.0.0-rc0) @@ -27844,7 +27844,7 @@ CVE-2023-28617 (org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 {DLA-3416-1} [experimental] - org-mode 9.6.6+dfsg-1~exp1 - org-mode 9.5.2+dfsh-5 (bug #1033341) - [bullseye] - org-mode <no-dsa> (Minor issue) + [bullseye] - org-mode 9.4.0+dfsg-1+deb11u1 [buster] - org-mode <no-dsa> (Minor issue) - emacs 1:28.2+1-14 (bug #1033342) [bullseye] - emacs <no-dsa> (Minor issue) @@ -28950,14 +28950,14 @@ CVE-2023-28323 (A deserialization of untrusted data exists in EPM 2022 Su3 and a NOT-FOR-US: Ivanti CVE-2023-28322 (An information disclosure vulnerability exists in curl <v8.1.0 when do ...) - curl 7.88.1-10 (bug #1036239) - [bullseye] - curl <no-dsa> (Minor issue) + [bullseye] - curl 7.74.0-1.3+deb11u9 [buster] - curl <no-dsa> (Minor issue) NOTE: https://curl.se/docs/CVE-2023-28322.html NOTE: Introduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7) NOTE: Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0) CVE-2023-28321 (An improper certificate validation vulnerability exists in curl <v8.1. ...) - curl 7.88.1-10 (bug #1036239) - [bullseye] - curl <no-dsa> (Minor issue) + [bullseye] - curl 7.74.0-1.3+deb11u9 [buster] - curl <no-dsa> (Minor issue) NOTE: https://curl.se/docs/CVE-2023-28321.html NOTE: Introduced by: https://github.com/curl/curl/commit/9631fa740708b1890197fad01e25b34b7e8eb80e (curl-7_12_0) @@ -31507,7 +31507,7 @@ CVE-2023-27539 CVE-2023-27538 (An authentication bypass vulnerability exists in libcurl prior to v8.0 ...) {DLA-3398-1} - curl 7.88.1-7 - [bullseye] - curl <no-dsa> (Minor issue) + [bullseye] - curl 7.74.0-1.3+deb11u8 NOTE: https://curl.se/docs/CVE-2023-27538.html NOTE: Fixed by: https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb (curl-8_0_0) CVE-2023-27537 (A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS ...) @@ -31520,20 +31520,20 @@ CVE-2023-27537 (A double free vulnerability exists in libcurl <8.0.0 when sharin CVE-2023-27536 (An authentication bypass vulnerability exists libcurl <8.0.0 in the co ...) {DLA-3398-1} - curl 7.88.1-7 - [bullseye] - curl <no-dsa> (Minor issue) + [bullseye] - curl 7.74.0-1.3+deb11u8 NOTE: https://curl.se/docs/CVE-2023-27536.html NOTE: Introduced by: https://github.com/curl/curl/commit/ebf42c4be76df40ec6d3bf32f229bbb274e2c32f (curl-7_22_0) NOTE: Fixed by: https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 (curl-8_0_0) CVE-2023-27535 (An authentication bypass vulnerability exists in libcurl <8.0.0 in the ...) {DLA-3398-1} - curl 7.88.1-7 - [bullseye] - curl <no-dsa> (Minor issue) + [bullseye] - curl 7.74.0-1.3+deb11u8 NOTE: https://curl.se/docs/CVE-2023-27535.html NOTE: Introduced by: https://github.com/curl/curl/commit/177dbc7be07125582ddb7416dba7140b88ab9f62 (curl-7_13_0) NOTE: Fixed by: https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 (curl-8_0_0) CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implementati ...) - curl 7.88.1-7 - [bullseye] - curl <no-dsa> (Minor issue) + [bullseye] - curl 7.74.0-1.3+deb11u8 [buster] - curl <no-dsa> (Minor issue) NOTE: https://curl.se/docs/CVE-2023-27534.html NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0) @@ -31541,7 +31541,7 @@ CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implem CVE-2023-27533 (A vulnerability in input validation exists in curl <8.0 during communi ...) {DLA-3398-1} - curl 7.88.1-7 - [bullseye] - curl <no-dsa> (Minor issue) + [bullseye] - curl 7.74.0-1.3+deb11u8 NOTE: https://curl.se/docs/CVE-2023-27533.html NOTE: Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7_alpha2) NOTE: Fixed by: https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 (curl-8_0_0) @@ -37465,12 +37465,12 @@ CVE-2023-25516 (NVIDIA GPU Display Driver for Linux contains a vulnerability in [bookworm] - nvidia-graphics-drivers-tesla 525.125.06-1~deb12u1 - nvidia-graphics-drivers-tesla-470 470.199.02-1 (bug #1039684) [bookworm] - nvidia-graphics-drivers-tesla-470 470.199.02-1~deb12u1 - [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1 - nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1039683) [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported) NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470 - nvidia-graphics-drivers-tesla-450 450.248.02-1 (bug #1039682) - [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1 - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1039681) [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1039680) @@ -37480,7 +37480,7 @@ CVE-2023-25516 (NVIDIA GPU Display Driver for Linux contains a vulnerability in [buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers 525.125.06-1 (bug #1039678) [bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1 - [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers 470.199.02-1 [buster] - nvidia-graphics-drivers <postponed> (Minor issue, revisit when/if fixed upstream) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468 CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...) @@ -37490,12 +37490,12 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [bookworm] - nvidia-graphics-drivers-tesla 525.125.06-1~deb12u1 - nvidia-graphics-drivers-tesla-470 470.199.02-1 (bug #1039684) [bookworm] - nvidia-graphics-drivers-tesla-470 470.199.02-1~deb12u1 - [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1 - nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1039683) [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported) NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470 - nvidia-graphics-drivers-tesla-450 450.248.02-1 (bug #1039682) - [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1 - nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1039681) [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1039680) @@ -37505,7 +37505,7 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore) - nvidia-graphics-drivers 525.125.06-1 (bug #1039678) [bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1 - [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers 470.199.02-1 [buster] - nvidia-graphics-drivers <postponed> (Minor issue, revisit when/if fixed upstream) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468 CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...) @@ -41025,7 +41025,7 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a - python3.7 <removed> [buster] - python3.7 <ignored> (Cf. related CVE-2022-0391) - python2.7 <removed> - [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) + [bullseye] - python2.7 2.7.18-8+deb11u1 NOTE: https://pointernull.com/security/python-url-parse-problem.html NOTE: https://github.com/python/cpython/pull/99421 NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch) @@ -41117,7 +41117,7 @@ CVE-2023-24292 CVE-2023-24291 [A crafted save file can cause a buffer overrun in Simon Tatham's Portable Puzzle Collection] RESERVED - sgt-puzzles 20230122.806ae71-1 (bug #1028986) - [bullseye] - sgt-puzzles <no-dsa> (Minor issue) + [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 [buster] - sgt-puzzles <no-dsa> (Minor issue) CVE-2023-24290 RESERVED @@ -41126,12 +41126,12 @@ CVE-2023-24289 CVE-2023-24288 [A crafted save file can cause a buffer overrun in Simon Tatham's Portable Puzzle Collection] RESERVED - sgt-puzzles 20230122.806ae71-1 (bug #1028986) - [bullseye] - sgt-puzzles <no-dsa> (Minor issue) + [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 [buster] - sgt-puzzles <no-dsa> (Minor issue) CVE-2023-24287 [A crafted save file can cause a buffer overrun in the Undead puzzle] RESERVED - sgt-puzzles 20230122.806ae71-1 (bug #1028986) - [bullseye] - sgt-puzzles <no-dsa> (Minor issue) + [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 [buster] - sgt-puzzles <no-dsa> (Minor issue) CVE-2023-24286 [A crafted save file can cause a buffer overrun in the Mosaic puzzle] RESERVED @@ -41141,17 +41141,17 @@ CVE-2023-24286 [A crafted save file can cause a buffer overrun in the Mosaic puz CVE-2023-24285 [A crafted save file can cause a buffer overrun in the Netslide puzzle] RESERVED - sgt-puzzles 20230122.806ae71-1 (bug #1028986) - [bullseye] - sgt-puzzles <no-dsa> (Minor issue) + [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 [buster] - sgt-puzzles <no-dsa> (Minor issue) CVE-2023-24284 [A crafted save file can cause a buffer overrun in the Guess puzzle] RESERVED - sgt-puzzles 20230122.806ae71-1 (bug #1028986) - [bullseye] - sgt-puzzles <no-dsa> (Minor issue) + [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 [buster] - sgt-puzzles <no-dsa> (Minor issue) CVE-2023-24283 [A crafted save file can cause a buffer overrun in the Guess puzzle] RESERVED - sgt-puzzles 20230122.806ae71-1 (bug #1028986) - [bullseye] - sgt-puzzles <no-dsa> (Minor issue) + [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 [buster] - sgt-puzzles <no-dsa> (Minor issue) CVE-2023-24282 (An arbitrary file upload vulnerability in Poly Trio 8800 7.2.2.1094 al ...) NOT-FOR-US: Poly Trio 8800 @@ -42895,7 +42895,7 @@ CVE-2023-0330 (A vulnerability in the lsi53c895a device affects the latest versi {DLA-3604-1} - qemu 1:8.0.2+dfsg-1 (bug #1029155) [bookworm] - qemu 1:7.2+dfsg-7+deb12u1 - [bullseye] - qemu <no-dsa> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151 NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/e49884a90987744ddb54b2fadc770633eb6a4d62 (v8.0.1) @@ -52457,7 +52457,7 @@ CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denia - mariadb 1:10.11.3-1 (bug #1034889) - mariadb-10.6 <removed> - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue) + [bullseye] - mariadb-10.5 1:10.5.20-0+deb11u1 - mariadb-10.3 <removed> NOTE: https://jira.mariadb.org/browse/MDEV-29644 CVE-2022-47014 @@ -55341,7 +55341,7 @@ CVE-2022-46176 (Cargo is a Rust package manager. The Rust Security Response WG w NOTE: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176 CVE-2022-46175 (JSON5 is an extension to the popular JSON file format that aims to be ...) - node-json5 2.2.3+dfsg-1 (bug #1027145) - [bullseye] - node-json5 <no-dsa> (Minor issue) + [bullseye] - node-json5 2.1.3-2+deb11u1 [buster] - node-json5 <no-dsa> (Minor issue) NOTE: https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h NOTE: https://github.com/json5/json5/issues/199 @@ -56815,7 +56815,7 @@ CVE-2022-45583 CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1. ...) - horizon 3:23.1.0-3 [bookworm] - horizon 3:23.0.0-5+deb12u1 - [bullseye] - horizon <no-dsa> (Minor issue) + [bullseye] - horizon 3:18.6.2-5+deb11u2 [buster] - horizon <no-dsa> (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1982676 NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0) @@ -59532,14 +59532,14 @@ CVE-2022-44731 (A vulnerability has been identified in SIMATIC WinCC OA V3.15 (A CVE-2022-44730 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...) - batik 1.17+dfsg-1 [bookworm] - batik 1.16+dfsg-1+deb12u1 - [bullseye] - batik <no-dsa> (Minor issue) + [bullseye] - batik 1.12-4+deb11u2 [buster] - batik <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/3 NOTE: https://issues.apache.org/jira/browse/BATIK-1347 CVE-2022-44729 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...) - batik 1.17+dfsg-1 [bookworm] - batik 1.16+dfsg-1+deb12u1 - [bullseye] - batik <no-dsa> (Minor issue) + [bullseye] - batik 1.12-4+deb11u2 [buster] - batik <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/2 NOTE: https://issues.apache.org/jira/browse/BATIK-1349 @@ -63957,7 +63957,7 @@ CVE-2023-20197 (A vulnerability in the filesystem image parser for Hierarchical {DLA-3544-1} - clamav 1.0.2+dfsg-1 (bug #1050057) [bookworm] - clamav 1.0.2+dfsg-1~deb12u1 - [bullseye] - clamav <no-dsa> (clamav is updated via -updates) + [bullseye] - clamav 0.103.9+dfsg-0+deb11u1 NOTE: https://blog.clamav.net/2023/07/2023-08-16-releases.html CVE-2023-20196 RESERVED @@ -97693,7 +97693,7 @@ CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the ProtocolBu {DLA-3393-1} [experimental] - protobuf 3.20.2-1 - protobuf 3.21.9-3 - [bullseye] - protobuf <no-dsa> (Minor issue) + [bullseye] - protobuf 3.12.4-1+deb11u1 NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1 NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf NOTE: https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2) @@ -102303,7 +102303,7 @@ CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory trav [buster] - unrar-nonfree 1:5.6.6-1+deb10u1 [stretch] - unrar-nonfree <no-dsa> (Non-free not supported) - rar 2:6.20~b1-0.1 (bug #1012228) - [bullseye] - rar <no-dsa> (Non-free not supported) + [bullseye] - rar 2:6.20-0.1~deb11u1 [stretch] - rar <no-dsa> (Non-free not supported) NOTE: 6.12 application version corresponds to 6.1.7 source version: NOTE: https://github.com/debian-calibre/unrar-nonfree/compare/upstream/6.1.6...upstream/6.1.7 @@ -103532,7 +103532,7 @@ CVE-2022-1538 CVE-2022-1537 (file.copy operations in GruntJS are vulnerable to a TOCTOU race condit ...) {DLA-3383-1} - grunt 1.5.3-1 - [bullseye] - grunt <no-dsa> (Minor issue) + [bullseye] - grunt 1.3.0-1+deb11u2 NOTE: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/ NOTE: https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae (v1.5.3) CVE-2022-1536 (A vulnerability has been found in automad up to 1.10.9 and classified ...) @@ -115533,7 +115533,7 @@ CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...) {DLA-3350-1} - node-css-what 5.0.1-1 (bug #1032188) - [bullseye] - node-css-what <no-dsa> (Minor issue) + [bullseye] - node-css-what 4.0.0-3+deb11u1 NOTE: https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488 NOTE: ReDoS issue fixed with rewrite of module to TypeScript NOTE: Not fixed in 4.0.0 see https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84 @@ -118663,7 +118663,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation [stretch] - ruby-yajl <no-dsa> (Minor issue) - yajl 2.1.0-4 (bug #1040036) [bookworm] - yajl 2.1.0-3+deb12u2 - [bullseye] - yajl <no-dsa> (Minor issue) + [bullseye] - yajl 2.1.0-3+deb11u2 - burp <unfixed> (bug #1040146) [bookworm] - burp <no-dsa> (Minor issue) [bullseye] - burp <no-dsa> (Minor issue) @@ -121308,7 +121308,7 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse - python3.5 <removed> - python3.4 <removed> - python2.7 <removed> - [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) + [bullseye] - python2.7 2.7.18-8+deb11u1 NOTE: https://bugs.python.org/issue43882 NOTE: Regressions reported for django, boto-core and cloud-init NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1) @@ -124744,7 +124744,7 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized a CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI Host B ...) {DLA-3362-1} - qemu 1:7.1+dfsg-1 (bug #1014590) - [bullseye] - qemu <no-dsa> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953 NOTE: https://starlabs.sg/advisories/22/22-0216/ NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972 @@ -130567,7 +130567,7 @@ CVE-2021-45424 RESERVED CVE-2021-45423 (A Buffer Overflow vulnerabilityexists in Pev 0.81 via the pe_exports f ...) - pev 0.81-9 (bug #1034725) - [bullseye] - pev <no-dsa> (Minor issue, will be fixed in next point release) + [bullseye] - pev 0.81-3+deb11u1 [buster] - pev <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/merces/libpe/issues/35 NOTE: https://github.com/merces/libpe/commit/9b5fedc37ccbcd23695a0e97c0fe46c999e26100 @@ -138460,7 +138460,7 @@ CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)) CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEMU. It ...) {DLA-3099-1 DLA-2970-1} - qemu 1:6.2+dfsg-1 - [bullseye] - qemu <postponed> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546 NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 (v6.2.0-rc0) @@ -154141,7 +154141,7 @@ CVE-2021-38186 (An issue was discovered in the comrak crate before 0.10.1 for Ru CVE-2021-38185 (GNU cpio through 2.13 allows attackers to execute arbitrary code via a ...) {DLA-3445-1} - cpio 2.13+dfsg-5 (bug #992045) - [bullseye] - cpio <no-dsa> (Minor issue) + [bullseye] - cpio 2.13+dfsg-7.1~deb11u1 [stretch] - cpio <no-dsa> (Minor issue) NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b NOTE: https://github.com/fangqyi/cpiopwn @@ -165045,7 +165045,7 @@ CVE-2021-33798 (A null pointer dereference was found in libpano13, version libpa NOTE: duplicate of CVE-2021-33293, pinged Fedora for reject CVE-2021-33797 (Buffer-overflow in jsdtoa.c in Artifex MuJS in versions 1.0.1 to 1.1.1 ...) - mujs 1.1.3-2 - [bullseye] - mujs <no-dsa> (Minor issue) + [bullseye] - mujs 1.1.0-1+deb11u3 NOTE: https://github.com/ccxvii/mujs/issues/148 NOTE: https://github.com/ccxvii/mujs/commit/833b6f1672b4f2991a63c4d05318f0b84ef4d550 (1.1.2) CVE-2021-33796 (In MuJS before version 1.1.2, a use-after-free flaw in the regexp sour ...) @@ -165589,7 +165589,7 @@ CVE-2021-33588 CVE-2021-33587 (The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure t ...) {DLA-3350-1} - node-css-what 5.0.1-1 (bug #989264) - [bullseye] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series) + [bullseye] - node-css-what 4.0.0-3+deb11u1 [buster] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series) [stretch] - node-css-what <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://github.com/fb55/css-what/commit/4cdaacfd0d4b6fd00614be030da0dea6c2994655 @@ -171301,7 +171301,7 @@ CVE-2021-3508 (A flaw was found in PDFResurrect in version 0.22b. There is an in CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of QEMU u ...) {DLA-3099-1} - qemu 1:7.1+dfsg-1 (bug #987410) - [bullseye] - qemu <no-dsa> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 [stretch] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367 (v7.1.0-rc0) @@ -191947,7 +191947,7 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 - python3.5 <removed> [experimental] - python2.7 2.7.18-13.1~exp1 - python2.7 2.7.18-13.1 - [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support) + [bullseye] - python2.7 2.7.18-8+deb11u1 - pypy3 7.3.3+dfsg-3 [buster] - pypy3 <no-dsa> (Minor issue) NOTE: https://github.com/python/cpython/pull/24297 @@ -193780,7 +193780,7 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo {DLA-3393-1} [experimental] - protobuf 3.17.1-1 - protobuf 3.21.9-3 - [bullseye] - protobuf <no-dsa> (Minor issue) + [bullseye] - protobuf 3.12.4-1+deb11u1 [stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch needs to be isolated) NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 NOTE: Fixed in merge commit https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2 @@ -193789,7 +193789,7 @@ CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google {DLA-3393-1} [experimental] - protobuf 3.19.3-1 - protobuf 3.21.9-3 - [bullseye] - protobuf <no-dsa> (Minor issue) + [bullseye] - protobuf 3.12.4-1+deb11u1 [stretch] - protobuf <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4 NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001 @@ -201284,7 +201284,7 @@ CVE-2021-20204 (A heap memory corruption problem (use after free) can be trigger CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...) {DLA-3099-1 DLA-2623-1} - qemu 1:6.2+dfsg-1 (bug #984452) - [bullseye] - qemu <postponed> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 NOTE: https://bugs.launchpad.net/qemu/+bug/1913873 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/308 NOTE: https://bugs.launchpad.net/qemu/+bug/1890152 @@ -201324,7 +201324,7 @@ CVE-2021-20197 (There is an open race window when writing output in the followin CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emulator ...) {DLA-3099-1 DLA-2970-1} - qemu 1:6.2+dfsg-1 (bug #984453) - [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919210 NOTE: https://bugs.launchpad.net/qemu/+bug/1912780 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/338 @@ -221422,7 +221422,7 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentatio {DLA-3469-1 DLA-2381-1} - lua5.4 5.4.1-1 (bug #971613) - lua5.3 5.3.6-1 (bug #988734) - [bullseye] - lua5.3 <no-dsa> (Minor issue) + [bullseye] - lua5.3 5.3.3-1.1+deb11u1 NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b NOTE: (lua5.3) https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9 @@ -244025,7 +244025,7 @@ CVE-2020-14395 CVE-2020-14394 (An infinite loop flaw was found in the USB xHCI controller emulation o ...) {DLA-3362-1} - qemu 1:7.1+dfsg-1 (bug #979677) - [bullseye] - qemu <postponed> (Minor issue) + [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646 NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc (v7.1.0-rc3) @@ -321467,7 +321467,7 @@ CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=st CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For examp ...) {DLA-3469-1} - lua5.3 5.3.6-1 (bug #920321) - [bullseye] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream) + [bullseye] - lua5.3 5.3.3-1.1+deb11u1 - lua5.2 <not-affected> (Vulnerable code introduced later) - lua5.1 <not-affected> (Vulnerable code introduced later) - lua50 <not-affected> (Vulnerable code introduced later) @@ -396823,7 +396823,7 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is [jessie] - ruby-yajl <no-dsa> (Minor issue) - yajl 2.1.0-4 (bug #1040036) [bookworm] - yajl 2.1.0-3+deb12u2 - [bullseye] - yajl <no-dsa> (Minor issue) + [bullseye] - yajl 2.1.0-3+deb11u2 - burp <unfixed> (bug #1040146) [bookworm] - burp <no-dsa> (Minor issue) [bullseye] - burp <no-dsa> (Minor issue) diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt index 8456a25724..768ff4c914 100644 --- a/data/next-oldstable-point-update.txt +++ b/data/next-oldstable-point-update.txt @@ -1,167 +1,5 @@ -CVE-2022-46175 - [bullseye] - node-json5 2.1.3-2+deb11u1 -CVE-2022-21222 - [bullseye] - node-css-what 4.0.0-3+deb11u1 -CVE-2021-33587 - [bullseye] - node-css-what 4.0.0-3+deb11u1 -CVE-2021-22569 - [bullseye] - protobuf 3.12.4-1+deb11u1 -CVE-2021-22570 - [bullseye] - protobuf 3.12.4-1+deb11u1 -CVE-2022-1941 - [bullseye] - protobuf 3.12.4-1+deb11u1 -CVE-2023-29197 - [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u2 - [bullseye] - php-nyholm-psr7 1.3.2-2+deb11u1 -CVE-2021-45423 - [bullseye] - pev 0.81-3+deb11u1 -CVE-2023-24291 - [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 -CVE-2023-24288 - [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 -CVE-2023-24287 - [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 -CVE-2023-24285 - [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 -CVE-2023-24284 - [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 -CVE-2023-24283 - [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1 -CVE-2023-27533 - [bullseye] - curl 7.74.0-1.3+deb11u8 -CVE-2023-27534 - [bullseye] - curl 7.74.0-1.3+deb11u8 -CVE-2023-27535 - [bullseye] - curl 7.74.0-1.3+deb11u8 -CVE-2023-27536 - [bullseye] - curl 7.74.0-1.3+deb11u8 -CVE-2023-27538 - [bullseye] - curl 7.74.0-1.3+deb11u8 -CVE-2021-33797 - [bullseye] - mujs 1.1.0-1+deb11u3 -CVE-2023-29491 - [bullseye] - ncurses 6.2+20201114-2+deb11u2 -CVE-2022-1537 - [bullseye] - grunt 1.3.0-1+deb11u2 -CVE-2023-30570 - [bullseye] - libreswan 4.3-1+deb11u4 -CVE-2022-47015 - [bullseye] - mariadb-10.5 1:10.5.20-0+deb11u1 -CVE-2023-28617 - [bullseye] - org-mode 9.4.0+dfsg-1+deb11u1 -CVE-2023-34969 - [bullseye] - dbus 1.12.28-0+deb11u1 -CVE-2023-34241 - [bullseye] - cups 2.3.3op2-3+deb11u3 -CVE-2023-32324 - [bullseye] - cups 2.3.3op2-3+deb11u3 -CVE-2023-4504 - [bullseye] - cups 2.3.3op2-3+deb11u4 -CVE-2023-32360 - [bullseye] - cups 2.3.3op2-3+deb11u4 -CVE-2023-33460 - [bullseye] - yajl 2.1.0-3+deb11u2 -CVE-2017-16516 - [bullseye] - yajl 2.1.0-3+deb11u2 -CVE-2022-24795 - [bullseye] - yajl 2.1.0-3+deb11u2 -CVE-2019-6706 - [bullseye] - lua5.3 5.3.3-1.1+deb11u1 -CVE-2020-24370 - [bullseye] - lua5.3 5.3.3-1.1+deb11u1 -CVE-2023-25516 - [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1 - [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1 - [bullseye] - nvidia-graphics-drivers 470.199.02-1 -CVE-2023-25515 - [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1 - [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1 - [bullseye] - nvidia-graphics-drivers 470.199.02-1 -CVE-2023-1672 - [bullseye] - tang 8-3+deb11u2 CVE-2023-XXXX [spip: Use a dedicated function to clean author data when preparing a session] [bullseye] - spip 3.2.11-3+deb11u9 -CVE-2023-37365 - [bullseye] - hnswlib 0.4.0-3+deb11u1 -CVE-2023-35936 - [bullseye] - pandoc 2.9.2.1-1+deb11u1 -CVE-2023-36054 - [bullseye] - krb5 1.18.3-6+deb11u4 -CVE-2022-30333 - [bullseye] - rar 2:6.20-0.1~deb11u1 -CVE-2023-40477 - [bullseye] - rar 2:6.23-1~deb11u1 - [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u3 -CVE-2022-48579 - [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u2 -CVE-2023-40303 - [bullseye] - inetutils 2:2.0-1+deb11u2 -CVE-2022-44729 - [bullseye] - batik 1.12-4+deb11u2 -CVE-2022-44730 - [bullseye] - batik 1.12-4+deb11u2 -CVE-2023-3446 - [bullseye] - openssl 1.1.1v-0~deb11u1 -CVE-2023-3817 - [bullseye] - openssl 1.1.1v-0~deb11u1 -CVE-2023-20197 - [bullseye] - clamav 0.103.9+dfsg-0+deb11u1 -CVE-2023-38408 - [bullseye] - openssh 1:8.4p1-5+deb11u2 -CVE-2022-45582 - [bullseye] - horizon 3:18.6.2-5+deb11u2 -CVE-2021-23336 - [bullseye] - python2.7 2.7.18-8+deb11u1 -CVE-2022-0391 - [bullseye] - python2.7 2.7.18-8+deb11u1 -CVE-2022-48560 - [bullseye] - python2.7 2.7.18-8+deb11u1 -CVE-2022-48565 - [bullseye] - python2.7 2.7.18-8+deb11u1 -CVE-2022-48566 - [bullseye] - python2.7 2.7.18-8+deb11u1 -CVE-2023-24329 - [bullseye] - python2.7 2.7.18-8+deb11u1 -CVE-2023-40217 - [bullseye] - python2.7 2.7.18-8+deb11u1 -CVE-2021-20196 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2023-0330 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2023-1544 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2023-3354 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2021-3930 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2023-3180 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2021-20203 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2021-3507 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2020-14394 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2023-3301 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2022-0216 - [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 -CVE-2023-41081 - [bullseye] - libapache-mod-jk 1:1.2.48-1+deb11u1 -CVE-2023-43770 - [bullseye] - roundcube 1.4.14+dfsg.1-1~deb11u1 -CVE-2023-38559 - [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6 -CVE-2023-43115 - [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6 -CVE-2023-44469 - [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u5 -CVE-2021-38185 - [bullseye] - cpio 2.13+dfsg-7.1~deb11u1 -CVE-2023-28322 - [bullseye] - curl 7.74.0-1.3+deb11u9 -CVE-2023-28321 - [bullseye] - curl 7.74.0-1.3+deb11u9 CVE-2023-32665 [bullseye] - glib2.0 2.66.8-1+deb11u1 CVE-2023-32611 |