authorSalvatore Bonaccorso <carnil@debian.org>2022-09-09 21:31:09 +0200
committerSalvatore Bonaccorso <carnil@debian.org>2022-09-10 12:42:03 +0200
commit33265aca4e68006fbf610a776e8166a2e25e6132 (patch)
tree3178fbcc16c0de18661ffcfa1568b104b166910b /data
parent77d7165a85b03e1217dad210440976cea06334c6 (diff)
Merge changes accepted for buster 10.13 release
Diffstat (limited to 'data')
-rw-r--r--data/CVE/list163
-rw-r--r--data/next-oldstable-point-update.txt166
2 files changed, 83 insertions, 246 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 441c5e4f2a..5ef58924ef 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -20500,7 +20500,7 @@ CVE-2022-32308 (Cross Site Scripting (XSS) vulnerability in uBlock Origin extens
{DLA-3062-1}
- ublock-origin 1.42.0+dfsg-1
[bullseye] - ublock-origin 1.42.0+dfsg-1~deb11u1
- [buster] - ublock-origin <no-dsa> (Minor issue; pending via buster-pu)
+ [buster] - ublock-origin 1.42.0+dfsg-1~deb10u1
NOTE: https://github.com/uBlockOrigin/uBlock-issues/issues/1992
NOTE: https://github.com/gorhill/uBlock/commit/e1e2ba3d5d00112f74464ddcc9f561f065dd3623 (1.41.5b2)
NOTE: https://github.com/gorhill/uBlock/commit/60072e7996e58cd7cca5186fde742d83cc6a612c (1.41.7b0)
@@ -21913,7 +21913,7 @@ CVE-2022-1946 (The Gallery WordPress plugin before 2.0.0 does not sanitise and e
CVE-2022-31813 (Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* h ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-31813
NOTE: https://github.com/apache/httpd/commit/956f708b094698ac9ad570d640d4f30eb0df7305
@@ -22743,7 +22743,7 @@ CVE-2022-31615
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
@@ -22775,7 +22775,7 @@ CVE-2022-31608
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
@@ -22795,7 +22795,7 @@ CVE-2022-31607
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
@@ -25848,7 +25848,7 @@ CVE-2022-30594 (The Linux kernel before 5.17.2 mishandles seccomp permissions. T
CVE-2022-30556 (Apache HTTP Server 2.4.53 and earlier may return lengths to applicatio ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/7
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30556
NOTE: https://github.com/apache/httpd/commit/3a561759fcb37af179585adb8478922dc9bc6a85
@@ -26038,7 +26038,7 @@ CVE-2022-30523 (Trend Micro Password Manager (Consumer) version 5.0.0.1266 and b
CVE-2022-30522 (If Apache HTTP Server 2.4.53 is configured to do transformations with ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/6
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30522
NOTE: https://github.com/apache/httpd/commit/db47781128e42bd49f55076665b3f6ca4e2bc5e2
@@ -26528,7 +26528,7 @@ CVE-2022-30334 (Brave before 1.34, when a Private Window with Tor Connectivity i
CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal ...)
- unrar-nonfree 1:6.1.7-1 (bug #1010837)
[bullseye] - unrar-nonfree 1:6.0.3-1+deb11u1
- [buster] - unrar-nonfree <no-dsa> (Non-free not supported)
+ [buster] - unrar-nonfree 1:5.6.6-1+deb10u1
[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
- rar <unfixed> (bug #1012228)
[bullseye] - rar <no-dsa> (Non-free not supported)
@@ -29372,7 +29372,7 @@ CVE-2022-1382 (NULL Pointer Dereference in GitHub repository radareorg/radare2 p
CVE-2022-29404 (In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/5
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-29404
NOTE: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc
@@ -30278,7 +30278,7 @@ CVE-2022-1328 (Buffer Overflow in uudecoder in Mutt affecting all versions start
{DLA-2999-1}
- mutt 2.2.3-1 (bug #1009734)
[bullseye] - mutt 2.0.5-4.1+deb11u1
- [buster] - mutt <no-dsa> (Minor issue)
+ [buster] - mutt 1.10.1-2.1+deb10u6
- neomutt <unfixed> (bug #1009735)
[bullseye] - neomutt <no-dsa> (Minor issue)
[buster] - neomutt <no-dsa> (Minor issue)
@@ -30315,7 +30315,7 @@ CVE-2022-29079
CVE-2022-29078 (The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js ...)
- node-ejs 3.1.7-1 (bug #1010359)
[bullseye] - node-ejs 2.5.7-3+deb11u1
- [buster] - node-ejs <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - node-ejs 2.5.7-1+deb10u1
[stretch] - node-ejs <end-of-life> (Node not covered by security support)
NOTE: https://eslam.io/posts/ejs-server-side-template-injection-rce/
NOTE: https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf (v3.1.7)
@@ -31190,7 +31190,7 @@ CVE-2022-28736
RESERVED
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -31198,7 +31198,7 @@ CVE-2022-28735
RESERVED
- grub2 2.06-3 (bug #1001057)
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -31206,7 +31206,7 @@ CVE-2022-28734
RESERVED
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -31214,7 +31214,7 @@ CVE-2022-28733
RESERVED
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -31612,14 +31612,14 @@ CVE-2022-28616 (A remote server-side request forgery (ssrf) vulnerability was di
CVE-2022-28615 (Apache HTTP Server 2.4.53 and earlier may crash or disclose informatio ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/9
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28615
NOTE: https://github.com/apache/httpd/commit/6503d09ab51047554c384a6d03646ce1a8848120
CVE-2022-28614 (The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/4
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28614
NOTE: https://github.com/apache/httpd/commit/8c14927162cf3b4f810683e1c5505e9ef9e1f123
@@ -32934,7 +32934,7 @@ CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418 <ignored> (Non-free not supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
@@ -32979,7 +32979,7 @@ CVE-2022-28181 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418 <ignored> (Non-free not supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
@@ -33389,6 +33389,7 @@ CVE-2022-28086
CVE-2022-28085 (A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in ...)
- htmldoc 1.9.15-2 (unimportant)
[bullseye] - htmldoc 1.9.11-4+deb11u3
+ [buster] - htmldoc 1.9.3-1+deb10u4
NOTE: https://github.com/michaelrsweet/htmldoc/issues/480
NOTE: https://github.com/michaelrsweet/htmldoc/commit/46c8ec2b9bccb8ccabff52d998c5eee77a228348
NOTE: Crash in CLI tool, no security impact
@@ -35141,21 +35142,21 @@ CVE-2022-27407
CVE-2022-27406 (FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
[bullseye] - freetype 2.10.4+dfsg-1+deb11u1
- [buster] - freetype <no-dsa> (Minor issue)
+ [buster] - freetype 2.9.1-3+deb10u3
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2 (VER-2-12-0)
CVE-2022-27405 (FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
[bullseye] - freetype 2.10.4+dfsg-1+deb11u1
- [buster] - freetype <no-dsa> (Minor issue)
+ [buster] - freetype 2.9.1-3+deb10u3
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 (VER-2-12-0)
CVE-2022-27404 (FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
[bullseye] - freetype 2.10.4+dfsg-1+deb11u1
- [buster] - freetype <no-dsa> (Minor issue)
+ [buster] - freetype 2.9.1-3+deb10u3
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db (VER-2-12-0)
@@ -36174,7 +36175,7 @@ CVE-2022-27114 (There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg f
{DLA-3004-1}
- htmldoc 1.9.15-2
[bullseye] - htmldoc 1.9.11-4+deb11u3
- [buster] - htmldoc <no-dsa> (Minor issue)
+ [buster] - htmldoc 1.9.3-1+deb10u4
NOTE: https://github.com/michaelrsweet/htmldoc/issues/471
NOTE: https://github.com/michaelrsweet/htmldoc/commit/31f780487e5ddc426888638786cdc47631687275
CVE-2022-27113
@@ -37698,7 +37699,7 @@ CVE-2022-26505 (A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1
{DLA-2973-1}
- minidlna 1.3.0+dfsg-2.2 (bug #1006798)
[bullseye] - minidlna 1.3.0+dfsg-2+deb11u1
- [buster] - minidlna <no-dsa> (Minor issue)
+ [buster] - minidlna 1.2.1+dfsg-2+deb10u3
NOTE: https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
NOTE: https://www.openwall.com/lists/oss-security/2022/03/03/1
CVE-2022-26504 (Improper authentication in Veeam Backup &amp; Replication 9.5U3, 9.5U4 ...)
@@ -38122,7 +38123,7 @@ CVE-2022-26378
CVE-2022-26377 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/2
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-26377
NOTE: https://github.com/apache/httpd/commit/f7f15f3d8bfe3032926c8c39eb8434529f680bd4
@@ -41055,7 +41056,7 @@ CVE-2022-25310 (A segmentation fault (SEGV) flaw was found in the Fribidi packag
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
[bullseye] - fribidi 1.0.8-2+deb11u1
- [buster] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi 1.0.5-3.1+deb10u2
NOTE: https://github.com/fribidi/fribidi/issues/183
NOTE: https://github.com/fribidi/fribidi/pull/186
NOTE: https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
@@ -41063,7 +41064,7 @@ CVE-2022-25309 (A heap-based buffer overflow flaw was found in the Fribidi packa
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
[bullseye] - fribidi 1.0.8-2+deb11u1
- [buster] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi 1.0.5-3.1+deb10u2
NOTE: https://github.com/fribidi/fribidi/issues/182
NOTE: https://github.com/fribidi/fribidi/pull/185
NOTE: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
@@ -41071,7 +41072,7 @@ CVE-2022-25308 (A stack-based buffer overflow flaw was found in the Fribidi pack
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
[bullseye] - fribidi 1.0.8-2+deb11u1
- [buster] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi 1.0.5-3.1+deb10u2
NOTE: https://github.com/fribidi/fribidi/issues/181
NOTE: https://github.com/fribidi/fribidi/pull/184
NOTE: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
@@ -42079,14 +42080,14 @@ CVE-2022-0586 (Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17813
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-01.html
CVE-2022-0585 (Large loops in multiple protocol dissectors in Wireshark 3.6.0 to 3.6. ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2054049
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-02.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17829
@@ -42105,21 +42106,21 @@ CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17840
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-03.html
CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17882
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-04.html
CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html
CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...)
@@ -42147,7 +42148,7 @@ CVE-2022-0577 (Exposure of Sensitive Information to an Unauthorized Actor in Git
{DLA-2950-1}
- python-scrapy 2.6.1-1 (bug #1008234)
[bullseye] - python-scrapy 2.4.1-2+deb11u1
- [buster] - python-scrapy <no-dsa> (Minor issue)
+ [buster] - python-scrapy 1.5.1-1+deb10u1
NOTE: https://github.com/advisories/GHSA-cjvr-mfj7-j4j8
NOTE: https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585
NOTE: https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a
@@ -42563,7 +42564,7 @@ CVE-2022-24829 (Garden is an automation platform for Kubernetes development and
CVE-2022-24828 (Composer is a dependency manager for the PHP programming language. Int ...)
- composer 2.2.12-1 (bug #1009960)
[bullseye] - composer 2.0.9-2+deb11u1
- [buster] - composer <no-dsa> (Minor issue)
+ [buster] - composer 1.8.4-1+deb10u2
[stretch] - composer <no-dsa> (Minor issue)
NOTE: https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 (2.2.12)
NOTE: https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
@@ -42661,7 +42662,7 @@ CVE-2022-24801 (Twisted is an event-based framework for internet applications, s
{DLA-2991-1}
- twisted 22.4.0-1 (bug #1009030)
[bullseye] - twisted 20.3.0-7+deb11u1
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq
NOTE: https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1
NOTE: https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac (twisted-22.04.0rc1)
@@ -42757,26 +42758,26 @@ CVE-2022-24776 (Flask-AppBuilder is an application development framework, built
CVE-2022-24775 (guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8 ...)
- php-guzzlehttp-psr7 1.8.5-1 (bug #1008236)
[bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u1
- [buster] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
+ [buster] - php-guzzlehttp-psr7 1.4.2-0.1+deb10u1
NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
CVE-2022-24774 (CycloneDX BOM Repository Server is a bill of materials (BOM) repositor ...)
NOT-FOR-US: CycloneDX BOM Repository Server
CVE-2022-24773 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
[bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
- [buster] - node-node-forge <no-dsa> (Minor issue)
+ [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24772 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
[bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
- [buster] - node-node-forge <no-dsa> (Minor issue)
+ [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24771 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
[bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
- [buster] - node-node-forge <no-dsa> (Minor issue)
+ [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24770 (`gradio` is an open source framework for building interactive machine ...)
@@ -44763,6 +44764,7 @@ CVE-2022-24192
CVE-2022-24191 (In HTMLDOC 1.9.14, an infinite loop in the gif_read_lzw function can l ...)
- htmldoc 1.9.15-1 (unimportant)
[bullseye] - htmldoc 1.9.11-4+deb11u3
+ [buster] - htmldoc 1.9.3-1+deb10u4
NOTE: https://github.com/michaelrsweet/htmldoc/commit/fb0334a51300988e9b83b9870d4063e86002b077 (v1.9.15)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/470
NOTE: Hang in CLI tool, no security impact
@@ -45760,7 +45762,7 @@ CVE-2022-23943 (Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Serv
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-23943
NOTE: Fixed by: https://svn.apache.org/r1898695
NOTE: Fixed by: https://svn.apache.org/r1898772
@@ -50544,21 +50546,21 @@ CVE-2022-22721 (If LimitXMLRequestBody is set to allow request bodies larger tha
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22721
NOTE: Fixed by: https://svn.apache.org/r1898693
CVE-2022-22720 (Apache HTTP Server 2.4.52 and earlier fails to close inbound connectio ...)
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22720
NOTE: Fixed by: https://svn.apache.org/r1898692
CVE-2022-22719 (A carefully crafted request body can cause a read to a random memory a ...)
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22719
NOTE: Fixed by: https://svn.apache.org/r1898694
CVE-2022-22718 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...)
@@ -52660,17 +52662,17 @@ CVE-2021-45911 (An issue was discovered in gif2apng 1.9. There is a heap-based b
{DLA-2937-1}
- gif2apng <removed> (bug #1002687)
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
- [buster] - gif2apng <no-dsa> (Minor issue)
+ [buster] - gif2apng 1.9+srconly-2+deb10u1
CVE-2021-45910 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
{DLA-2937-1}
- gif2apng <removed> (bug #1002667)
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
- [buster] - gif2apng <no-dsa> (Minor issue)
+ [buster] - gif2apng 1.9+srconly-2+deb10u1
CVE-2021-45909 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
{DLA-2937-1}
- gif2apng <removed> (bug #1002668)
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
- [buster] - gif2apng <no-dsa> (Minor issue)
+ [buster] - gif2apng 1.9+srconly-2+deb10u1
CVE-2021-45908 (An issue was discovered in gif2apng 1.9. There is a stack-based buffer ...)
- gif2apng <removed> (bug #1002669; unimportant)
NOTE: Negligible security impact
@@ -52732,14 +52734,14 @@ CVE-2021-4185 (Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-17.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17745
CVE-2021-4184 (Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3 ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-18.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17754
CVE-2021-4183 (Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of se ...)
@@ -52760,7 +52762,7 @@ CVE-2021-4181 (Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-21.html
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/5429
CVE-2021-45884 (In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based a ...)
@@ -56283,7 +56285,7 @@ CVE-2021-44907
CVE-2021-44906 (Minimist &lt;=1.2.5 is vulnerable to Prototype Pollution via file inde ...)
- node-minimist 1.2.6+~cs5.3.2-1
[bullseye] - node-minimist 1.2.5+~cs5.3.1-2+deb11u1
- [buster] - node-minimist <no-dsa> (Minor issue)
+ [buster] - node-minimist 1.2.0-1+deb10u2
[stretch] - node-minimist <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/substack/minimist/issues/164
NOTE: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
@@ -59497,7 +59499,7 @@ CVE-2022-21716 (Twisted is an event-based framework for internet applications, s
{DLA-2938-1}
- twisted 22.2.0-1
[bullseye] - twisted 20.3.0-7+deb11u1
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
NOTE: https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
NOTE: https://twistedmatrix.com/trac/ticket/10284
@@ -59511,7 +59513,7 @@ CVE-2022-21712 (twisted is an event-driven networking engine written in Python.
{DLA-2927-1}
- twisted 22.1.0-1
[bullseye] - twisted 20.3.0-7+deb11u1
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
NOTE: https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2 (twisted-22.1.0rc1)
CVE-2022-21711 (elfspirit is an ELF static analysis and injection framework that parse ...)
@@ -63267,7 +63269,7 @@ CVE-2022-20796 (On May 4, 2022, the following vulnerability in the ClamAV scanni
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20795 (A vulnerability in the implementation of the Datagram TLS (DTLS) proto ...)
NOT-FOR-US: Cisco
@@ -63279,7 +63281,7 @@ CVE-2022-20792 (A vulnerability in the regex module used by the signature databa
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20791 (A vulnerability in the database user privileges of Cisco Unified Commu ...)
NOT-FOR-US: Cisco
@@ -63297,7 +63299,7 @@ CVE-2022-20785 (On April 20, 2022, the following vulnerability in the ClamAV sca
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20784 (A vulnerability in the Web-Based Reputation Score (WBRS) engine of Cis ...)
NOT-FOR-US: Cisco
@@ -63329,13 +63331,13 @@ CVE-2022-20771 (On April 20, 2022, the following vulnerability in the ClamAV sca
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20770 (On April 20, 2022, the following vulnerability in the ClamAV scanning ...)
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20769
RESERVED
@@ -70323,7 +70325,7 @@ CVE-2021-41125 (Scrapy is a high-level web crawling and scraping framework for P
{DLA-2950-1}
- python-scrapy 2.5.1-1
[bullseye] - python-scrapy 2.4.1-2+deb11u1
- [buster] - python-scrapy <no-dsa> (Minor issue)
+ [buster] - python-scrapy 1.5.1-1+deb10u1
NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498
NOTE: Fixed by: https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6 (1.8)
CVE-2021-41124 (Scrapy-splash is a library which provides Scrapy and JavaScript integr ...)
@@ -77275,21 +77277,21 @@ CVE-2021-3698 (A flaw was found in Cockpit in versions prior to 260 in the way i
CVE-2021-3697 (A crafted JPEG image may lead the JPEG reader to underflow its data po ...)
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
CVE-2021-3696 (A heap out-of-bounds write may heppen during the handling of Huffman t ...)
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
CVE-2021-3695 (A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write ...)
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -80446,7 +80448,7 @@ CVE-2021-3657 (A flaw was found in mbsync versions prior to 1.4.4. Due to inadeq
{DLA-3066-1}
- isync 1.4.4-1
[bullseye] - isync 1.3.0-2.2+deb11u1
- [buster] - isync <no-dsa> (Minor issue)
+ [buster] - isync 1.3.0-2.2~deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2021/12/03/1
CVE-2021-37159 (hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel throu ...)
{DLA-2843-1 DLA-2785-1}
@@ -84401,7 +84403,7 @@ CVE-2021-3623 (A flaw was found in libtpms. The flaw can be triggered by special
NOTE: https://github.com/stefanberger/libtpms/commit/2e6173c273ca14adb11386db4e47622552b1c00e
CVE-2021-35525 (PostSRSd before 1.11 allows a denial of service (subprocess hang) if P ...)
- postsrsd 1.10-2 (bug #990439)
- [buster] - postsrsd <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - postsrsd 1.5-2+deb10u2
[stretch] - postsrsd <no-dsa> (Minor issue)
NOTE: https://bugs.gentoo.org/793674
NOTE: https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
@@ -99713,7 +99715,7 @@ CVE-2021-29626 (In FreeBSD 13.0-STABLE before n245117, 12.2-STABLE before r36955
- kfreebsd-10 <unfixed> (unimportant)
CVE-2021-29625 (Adminer is open-source database management software. A cross-site scri ...)
- adminer 4.7.9-2 (bug #988886)
- [buster] - adminer <no-dsa> (Minor issue)
+ [buster] - adminer 4.7.1-1+deb10u1
[stretch] - adminer <no-dsa> (Minor issue)
NOTE: https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc
NOTE: https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7
@@ -117827,7 +117829,7 @@ CVE-2021-22192 (An issue has been discovered in GitLab CE/EE affecting all versi
CVE-2021-22191 (Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 ...)
{DLA-2967-1}
- wireshark 3.4.4-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-03.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17232
CVE-2021-22190 (A path traversal vulnerability via the GitLab Workhorse in all version ...)
@@ -121393,7 +121395,7 @@ CVE-2021-21312 (GLPI is open source software which stands for Gestionnaire Libre
CVE-2021-21311 (Adminer is an open-source database management in a single PHP file. In ...)
{DLA-2580-1}
- adminer 4.7.9-1
- [buster] - adminer <no-dsa> (Minor issue)
+ [buster] - adminer 4.7.1-1+deb10u1
NOTE: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
NOTE: https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 (v4.7.9)
CVE-2021-21310 (NextAuth.js (next-auth) is am open source authentication solution for ...)
@@ -122248,7 +122250,7 @@ CVE-2020-35574
RESERVED
CVE-2020-35572 (Adminer through 4.7.8 allows XSS via the history parameter to the defa ...)
- adminer 4.7.9-1
- [buster] - adminer <no-dsa> (Minor issue)
+ [buster] - adminer 4.7.1-1+deb10u1
[stretch] - adminer <not-affected> (Vulnerable code introduced in v4.7.0)
NOTE: https://sourceforge.net/p/adminer/bugs-and-features/775/
NOTE: https://github.com/vrana/adminer/security/advisories/GHSA-9pgx-gcph-mpqr
@@ -133488,6 +133490,7 @@ CVE-2021-0561 (In append_to_verify_fifo_interleaved_ of stream_encoder.c, there
{DLA-3094-1 DLA-2951-1}
- flac 1.3.4-1 (bug #1006339)
[bullseye] - flac 1.3.3-2+deb11u1
+ [buster] - flac 1.3.2-3+deb10u2
NOTE: https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be (1.3.4)
NOTE: https://xiph.org/flac/changelog.html#flac_1.3.4
NOTE: https://android.googlesource.com/platform/external/flac/+/368eb3f5bec249a197c95a95583ff8153aa6a87f
@@ -180006,13 +180009,13 @@ CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Inform
CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...)
{DLA-2927-1 DLA-2145-1}
- twisted 18.9.0-7 (bug #953950)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR
NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
CVE-2020-10108 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...)
{DLA-2927-1 DLA-2145-1}
- twisted 18.9.0-7 (bug #953950)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR
NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
CVE-2020-10107 (PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XS ...)
@@ -183935,7 +183938,7 @@ CVE-2020-8516 (** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x thro
CVE-2019-20446 (In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nest ...)
{DLA-2285-1}
- librsvg 2.46.4-1
- [buster] - librsvg <no-dsa> (Will be fixed via spu)
+ [buster] - librsvg 2.44.10-2.1+deb10u1
[jessie] - librsvg <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/librsvg/issues/515
NOTE: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135
@@ -185362,7 +185365,7 @@ CVE-2019-20420
RESERVED
CVE-2015-9541 (Qt through 5.14 allows an exponential XML entity expansion attack via ...)
- qtbase-opensource-src 5.12.5+dfsg-9 (low; bug #951066)
- [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u5
[stretch] - qtbase-opensource-src <no-dsa> (Minor issue)
[jessie] - qtbase-opensource-src <ignored> (Minor issue; upstream patches use not-yet-available QStringView API)
NOTE: https://bugreports.qt.io/browse/QTBUG-47417
@@ -186051,7 +186054,7 @@ CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to in
CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...)
- golang-github-russellhaering-goxmldsig 1.1.1-1 (bug #968928)
[bullseye] - golang-github-russellhaering-goxmldsig 1.1.0-1+deb11u1
- [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
+ [buster] - golang-github-russellhaering-goxmldsig 0.0~git20170911.b7efc62-1+deb10u1
NOTE: https://github.com/russellhaering/goxmldsig/issues/48
NOTE: https://github.com/russellhaering/goxmldsig/commit/fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
CVE-2020-7710 (This affects all versions of package safe-eval. It is possible for an ...)
@@ -211981,7 +211984,7 @@ CVE-2019-17186 (/var/WEB-GUI/cgi-bin/telnet.cgi on FiberHome HG2201T 1.00.M5007_
NOT-FOR-US: FiberHome HG2201T devices
CVE-2019-17185 (In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global Op ...)
- freeradius 3.0.20+dfsg-1
- [buster] - freeradius <no-dsa> (Minor issue)
+ [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
[stretch] - freeradius <no-dsa> (Minor issue)
[jessie] - freeradius <not-affected> (Vulnerable code not present; EAP-pwd module introduced in later version)
NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6b522f8780813726799e6b8cf0f1f8e0ce2c8ebf
@@ -212101,7 +212104,7 @@ CVE-2019-17135 (This vulnerability allows remote attackers to execute arbitrary
NOT-FOR-US: Foxit PhantomPDF
CVE-2019-17134 (Amphora Images in OpenStack Octavia &gt;=0.10.0 &lt;2.1.2, &gt;=3.0.0 ...)
- octavia 4.0.0-6 (bug #941897)
- [buster] - octavia <no-dsa> (Minor issue in regular setups, can be fixed via point release)
+ [buster] - octavia 3.0.0-3+deb10u1
CVE-2019-17132 (vBulletin through 5.5.4 mishandles custom avatars. ...)
NOT-FOR-US: vBulletin
CVE-2019-17131 (vBulletin before 5.5.4 allows clickjacking. ...)
@@ -219236,7 +219239,7 @@ CVE-2019-14858 (A vulnerability was found in Ansible engine 2.x up to 2.8 and An
CVE-2019-14857 (A flaw was found in mod_auth_openidc before version 2.4.0.1. An open r ...)
{DLA-2298-1 DLA-1996-1}
- libapache2-mod-auth-openidc 2.4.0.3-1 (bug #942165)
- [buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
+ [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/5c15dfb08106c2451c2c44ce7ace6813c216ba75
NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/ce37080c6aea30aabae8b4a9b4eea7808445cc8e
NOTE: https://github.com/zmartzone/mod_auth_openidc/pull/451
@@ -224801,7 +224804,7 @@ CVE-2019-13457 (An issue was discovered in Open Ticket Request System (OTRS) 7.0
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-11/
CVE-2019-13456 (In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd h ...)
- freeradius 3.0.20+dfsg-1
- [buster] - freeradius <no-dsa> (Minor issue)
+ [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
[stretch] - freeradius <no-dsa> (Minor issue)
[jessie] - freeradius <not-affected> (Vulnerable code introduced later in version 3.0.0)
NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20)
@@ -226276,7 +226279,7 @@ CVE-2019-12954 (SolarWinds Network Performance Monitor (Orion Platform 2018, NPM
NOT-FOR-US: SolarWinds
CVE-2019-12953 (Dropbear 2011.54 through 2018.76 has an inconsistent failure delay tha ...)
- dropbear 2019.78-1 (bug #1009062)
- [buster] - dropbear <no-dsa> (Minor issue)
+ [buster] - dropbear 2018.76-5+deb10u1
[stretch] - dropbear <postponed> (Minor issue but fixed along next DLA)
NOTE: https://hg.ucc.asn.au/dropbear/rev/228b086794b7
CVE-2019-12952
@@ -226525,7 +226528,7 @@ CVE-2019-12856
RESERVED
CVE-2019-12855 (In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP su ...)
- twisted 18.9.0-7 (bug #930626)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
[stretch] - twisted <no-dsa> (Minor issue)
[jessie] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/pull/1147
@@ -227811,7 +227814,7 @@ CVE-2019-12388 (Anviz access control devices perform cleartext transmission of s
NOT-FOR-US: Anviz
CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did not validate or sanitize URI ...)
- twisted 18.9.0-7 (bug #930389)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
[stretch] - twisted <no-dsa> (Minor issue)
[jessie] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt
index 8e09490c4d..6067a5b172 100644
--- a/data/next-oldstable-point-update.txt
+++ b/data/next-oldstable-point-update.txt
@@ -1,169 +1,3 @@
-CVE-2021-44906
- [buster] - node-minimist 1.2.0-1+deb10u2
-CVE-2022-24773
- [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
-CVE-2022-24772
- [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
-CVE-2022-24771
- [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
-CVE-2019-17134
- [buster] - octavia 3.0.0-3+deb10u1
-CVE-2019-14857
- [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
-CVE-2020-35572
- [buster] - adminer 4.7.1-1+deb10u1
-CVE-2021-21311
- [buster] - adminer 4.7.1-1+deb10u1
-CVE-2021-29625
- [buster] - adminer 4.7.1-1+deb10u1
-CVE-2021-35525
- [buster] - postsrsd 1.5-2+deb10u2
-CVE-2015-9541
- [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u5
-CVE-2020-7711
- [buster] - golang-github-russellhaering-goxmldsig 0.0~git20170911.b7efc62-1+deb10u1
-CVE-2022-25308
- [buster] - fribidi 1.0.5-3.1+deb10u2
-CVE-2022-25309
- [buster] - fribidi 1.0.5-3.1+deb10u2
-CVE-2022-25310
- [buster] - fribidi 1.0.5-3.1+deb10u2
-CVE-2022-26505
- [buster] - minidlna 1.2.1+dfsg-2+deb10u3
-CVE-2019-12953
- [buster] - dropbear 2018.76-5+deb10u1
-CVE-2022-1328
- [buster] - mutt 1.10.1-2.1+deb10u6
-CVE-2022-27406
- [buster] - freetype 2.9.1-3+deb10u3
-CVE-2022-27405
- [buster] - freetype 2.9.1-3+deb10u3
-CVE-2022-27404
- [buster] - freetype 2.9.1-3+deb10u3
-CVE-2021-0561
- [buster] - flac 1.3.2-3+deb10u2
-CVE-2022-29078
- [buster] - node-ejs 2.5.7-1+deb10u1
-CVE-2019-12387
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2019-12855
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2020-10108
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2020-10109
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-21712
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-21716
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-24801
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-30333
- [buster] - unrar-nonfree 1:5.6.6-1+deb10u1
-CVE-2021-41125
- [buster] - python-scrapy 1.5.1-1+deb10u1
-CVE-2022-0577
- [buster] - python-scrapy 1.5.1-1+deb10u1
-CVE-2022-24191
- [buster] - htmldoc 1.9.3-1+deb10u4
-CVE-2022-27114
- [buster] - htmldoc 1.9.3-1+deb10u4
-CVE-2022-28085
- [buster] - htmldoc 1.9.3-1+deb10u4
-CVE-2022-20770
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20796
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20771
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20785
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20792
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-24828
- [buster] - composer 1.8.4-1+deb10u2
-CVE-2022-24775
- [buster] - php-guzzlehttp-psr7 1.4.2-0.1+deb10u1
-CVE-2021-4181
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2021-4184
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2021-4185
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2021-22191
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0581
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0582
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0583
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0585
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0586
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-28181
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
-CVE-2022-28185
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
-CVE-2022-22719
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-22720
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-22721
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-23943
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-26377
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-28615
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-28614
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-29404
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-30522
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-30556
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-31813
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2021-3657
- [buster] - isync 1.3.0-2.2~deb10u2
-CVE-2022-32308
- [buster] - ublock-origin 1.42.0+dfsg-1~deb10u1
-CVE-2021-45911
- [buster] - gif2apng 1.9+srconly-2+deb10u1
-CVE-2021-45910
- [buster] - gif2apng 1.9+srconly-2+deb10u1
-CVE-2021-45909
- [buster] - gif2apng 1.9+srconly-2+deb10u1
-CVE-2022-28736
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-28735
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-28734
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-28733
- [buster] - grub2 2.06-3~deb10u1
-CVE-2021-3697
- [buster] - grub2 2.06-3~deb10u1
-CVE-2021-3696
- [buster] - grub2 2.06-3~deb10u1
-CVE-2021-3695
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-31607
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
-CVE-2022-31608
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
-CVE-2022-31615
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
-CVE-2019-13456
- [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
-CVE-2019-17185
- [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
-CVE-2019-20446
- [buster] - librsvg 2.44.10-2.1+deb10u1
CVE-2019-14433
[buster] - nova 2:18.1.0-6+deb10u1
CVE-2022-28737
