author Salvatore Bonaccorso <carnil@debian.org> 2020-02-08 09:47:07 +0100
committer Salvatore Bonaccorso <carnil@debian.org> 2020-02-08 09:47:07 +0100
commit 79faeefa981a0e8df5de9bb460211635e80bf615 (patch)
tree e85870287f1bece037f8ece378567b8ce94a3faa /data
parent b7dbc47d5a9ac201767d5e4f12a7e3886a138a70 (diff)
Merge stretch-pu fixes with ACCEPTED comment
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list 104
-rw-r--r-- data/next-oldstable-point-update.txt 120
2 files changed, 59 insertions, 165 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 4ad0fb4947..ac3774d59d 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2886,7 +2886,7 @@ CVE-2019-20387 (repodata_schema2id in repodata.c in libsolv before 0.7.6 has a h
{DLA-2088-1}
- libsolv 0.6.36-2 (bug #949611)
[buster] - libsolv 0.6.35-2+deb10u1
- [stretch] - libsolv <no-dsa> (Minor issue)
+ [stretch] - libsolv 0.6.24-1+deb9u2
NOTE: https://github.com/openSUSE/libsolv/commit/fdb9c9c03508990e4583046b590c30d958f272da (0.7.6)
CVE-2020-7471 (Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 al ...)
- python-django 2:2.2.10-1 (bug #950581)
@@ -14809,6 +14809,7 @@ CVE-2020-2574 (Vulnerability in the MySQL Client product of Oracle MySQL (compon
- mariadb-10.3 1:10.3.22-1
[buster] - mariadb-10.3 1:10.3.22-0+deb10u1
- mariadb-10.1 <removed>
+ [stretch] - mariadb-10.1 10.1.44-0+deb9u1
NOTE: https://www.oracle.com/security-alerts/cpujan2020.html#AppendixMSQL
NOTE: Fixed in MariaDB: 5.5.67, 10.1.44, 10.2.31, 10.3.22, 10.4.12
CVE-2020-2573 (Vulnerability in the MySQL Client product of Oracle MySQL (component: ...)
@@ -16441,6 +16442,7 @@ CVE-2019-19555 (read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-bas
{DLA-2073-1}
- fig2dev 1:3.2.7b-2 (unimportant; bug #946176)
[buster] - fig2dev 1:3.2.7a-5+deb10u2
+ [stretch] - fig2dev 1:3.2.6a-2+deb9u3
- transfig <removed> (unimportant)
NOTE: https://sourceforge.net/p/mcj/tickets/55/
NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/19db5fe6f77ebad91af4b4ef0defd61bd0bb358f/
@@ -17847,7 +17849,7 @@ CVE-2019-19269 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3
{DLA-2018-1}
- proftpd-dfsg 1.3.6b-2 (bug #946345)
[buster] - proftpd-dfsg 1.3.6-4+deb10u3
- [stretch] - proftpd-dfsg <no-dsa> (Minor issue)
+ [stretch] - proftpd-dfsg 1.3.5b-4+deb9u3
NOTE: https://github.com/proftpd/proftpd/issues/861
NOTE: https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master)
NOTE: https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch)
@@ -18600,7 +18602,7 @@ CVE-2019-19011 (MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexT
CVE-2019-19010 (Eval injection in the Math plugin of Limnoria (before 2019.11.09) and ...)
- limnoria 2019.11.09-1
[buster] - limnoria 2019.02.23-1+deb10u1
- [stretch] - limnoria <no-dsa> (Minor issue, can be fixed via point release)
+ [stretch] - limnoria 2017.01.10-1+deb9u1
NOTE: https://github.com/ProgVal/Limnoria/commit/3848ae78de45b35c029cc333963d436b9d2f0a35
NOTE: https://github.com/ProgVal/Limnoria/wiki/math-eval-vulnerability
CVE-2019-19009
@@ -22962,7 +22964,7 @@ CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer vari
{DLA-1973-1}
- libxslt 1.1.32-2.2 (bug #942646)
[buster] - libxslt 1.1.32-2.2~deb10u1
- [stretch] - libxslt <no-dsa> (Minor issue)
+ [stretch] - libxslt 1.1.29-2.1+deb9u2
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
@@ -29884,7 +29886,7 @@ CVE-2019-15962 (A vulnerability in the CLI of Cisco TelePresence Collaboration E
CVE-2019-15961 (A vulnerability in the email parsing module Clam AntiVirus (ClamAV) So ...)
- clamav 0.102.1+dfsg-1 (bug #945265)
[buster] - clamav 0.102.1+dfsg-0+deb10u1
- [stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [stretch] - clamav 0.102.1+dfsg-0+deb9u2
NOTE: https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
CVE-2019-15960 (A vulnerability in the Webex Network Recording Admin page of Cisco Web ...)
NOT-FOR-US: Cisco
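Review bot: the new stretch version for clamav, 0.102.1+dfsg-0+deb9u2, does not match the 0.102.1+dfsg-0+deb9u1 that the hunk in data/next-oldstable-point-update.txt below removes for CVE-2019-15961, so one of the two files is off by a Debian revision; please confirm which upload was actually accepted into the point release and make both files agree before the tracker reports a version that was never published.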
@@ -29993,7 +29995,7 @@ CVE-2018-21010 (OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_
{DLA-1950-1}
- openjpeg2 2.3.1-1 (bug #939553)
[buster] - openjpeg2 2.3.0-2+deb10u1
- [stretch] - openjpeg2 <no-dsa> (Minor issue)
+ [stretch] - openjpeg2 2.1.2-1.1+deb9u4
NOTE: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea
CVE-2018-21009 (Poppler before 0.66.0 has an integer overflow in Parser::makeStream in ...)
{DLA-1939-1}
@@ -30716,35 +30718,35 @@ CVE-2019-15696
CVE-2019-15695 (TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflo ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
[buster] - tigervnc 1.9.0+dfsg-3+deb10u1
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/05e28490873a861379c943bf616614b78b558b89 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/6c47340e095258a959c95db9aa2a6c715d62bf7c (v1.10.1)
CVE-2019-15694 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
[buster] - tigervnc 1.9.0+dfsg-3+deb10u1
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/0943c006c7d900dfc0281639e992791d6c567438 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/f287032d3643a6437f7de0ed35f4c45bb735522d (v1.10.1)
CVE-2019-15693 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
[buster] - tigervnc 1.9.0+dfsg-3+deb10u1
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/46c081926efd83c90a45c0a96b1b5bc1927e1346 (v1.10.1)
CVE-2019-15692 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
[buster] - tigervnc 1.9.0+dfsg-3+deb10u1
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/ff08ca78b24b5a4ed5263245c7ce8744059ff4ad (v1.10.1)
CVE-2019-15691 (TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-retu ...)
- tigervnc 1.10.1+dfsg-1 (bug #947428)
[buster] - tigervnc 1.9.0+dfsg-3+deb10u1
- [stretch] - tigervnc <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/TigerVNC/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40 (master)
NOTE: https://github.com/TigerVNC/tigervnc/commit/042de4642293df9b72a08189c249e2da79cbca91 (v1.10.1)
@@ -30773,12 +30775,12 @@ CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a co
[experimental] - libvncserver 0.9.12+dfsg-1
- libvncserver 0.9.12+dfsg-3 (low; bug #943793)
[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u1
- [stretch] - libvncserver <no-dsa> (Minor issue)
+ [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u2
- italc <removed>
- [stretch] - italc <no-dsa> (Minor issue)
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- vino <unfixed> (bug #945784)
[buster] - vino <no-dsa> (Minor issue)
[stretch] - vino <no-dsa> (Minor issue)
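Review bot: the new libvncserver stretch line uses a tilde, `0.9.11+dfsg-1.3~deb9u2`, while every other entry in this change uses a `+deb9uN` suffix; under dpkg version ordering the tilde makes the stretch package sort below the unstable `0.9.11+dfsg-1.3`, which is only right if the stretch upload is a rebuild of that unstable revision. It does match the line removed from data/next-oldstable-point-update.txt, so this is just a check that the tilde is deliberate and not a typo for `+deb9u2`.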
@@ -30787,6 +30789,7 @@ CVE-2019-15680 (TightVNC code version 1.3.10 contains null pointer dereference i
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (unimportant; bug #945364)
[buster] - tightvnc 1:1.3.9-9deb10u1
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- italc <removed> (unimportant)
- libvncserver <unfixed> (unimportant)
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
@@ -30795,7 +30798,7 @@ CVE-2019-15679 (TightVNC code version 1.3.10 contains heap buffer overflow in In
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (bug #945364)
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
NOTE: https://github.com/LibVNC/libvncserver/commit/c2c4b81e6cb3b485fb1ec7ba9e7defeb889f6ba7
NOTE: part of CVE-2018-20748/libvncserver
@@ -30803,7 +30806,7 @@ CVE-2019-15678 (TightVNC code version 1.3.10 contains heap buffer overflow in rf
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (bug #945364)
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
NOTE: https://github.com/LibVNC/libvncserver/commit/c5ba3fee85a7ecbbca1df5ffd46d32b92757bc2a
NOTE: part of CVE-2018-20748/libvnvserver
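Review bot: the unchanged context line `NOTE: part of CVE-2018-20748/libvnvserver` misspells the package name (the corresponding note in the CVE-2019-15679 hunk above reads `libvncserver`); not introduced by this change, but a one-character follow-up fix would keep the cross-reference findable by grep.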
@@ -33832,7 +33835,7 @@ CVE-2019-14807 (In the MobileFrontend extension 1.31 through 1.33 for MediaWiki,
CVE-2019-14806 (Pallets Werkzeug before 0.15.3, when used with Docker, has insufficien ...)
- python-werkzeug 0.15.6+dfsg1-1 (low; bug #940935)
[buster] - python-werkzeug 0.14.1+dfsg1-4+deb10u1
- [stretch] - python-werkzeug <no-dsa> (Minor issue)
+ [stretch] - python-werkzeug 0.11.15+dfsg1-1+deb9u1
[jessie] - python-werkzeug <not-affected> (Vulnerable code not present)
NOTE: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
CVE-2019-14805 (studio/builder_menu.php?page=sets in UNA 10.0.0-RC1 allows XSS via the ...)
@@ -38820,7 +38823,7 @@ CVE-2019-13567 (The Zoom Client before 4.4.53932.0709 on macOS allows remote cod
CVE-2019-13566 (An issue was discovered in the ROS communications-related packages (ak ...)
- ros-ros-comm 1.14.3+ds1-10 (bug #945361)
[buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
- [stretch] - ros-ros-comm <no-dsa> (Minor issue)
+ [stretch] - ros-ros-comm 1.12.6-2+deb9u1
NOTE: https://github.com/ros/ros_comm/issues/1735
NOTE: https://github.com/ros/ros_comm/pull/1771
CVE-2019-13565 (An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL ...)
@@ -39061,7 +39064,7 @@ CVE-2019-13466 (Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Das
CVE-2019-13465 (An issue was discovered in the ROS communications-related packages (ak ...)
- ros-ros-comm 1.14.3+ds1-10 (bug #947946)
[buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
- [stretch] - ros-ros-comm <no-dsa> (Minor issue)
+ [stretch] - ros-ros-comm 1.12.6-2+deb9u1
NOTE: https://github.com/ros/ros_comm/issues/1752
NOTE: https://github.com/ros/ros_comm/pull/1763
CVE-2019-13464 (An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2 ...)
@@ -39148,7 +39151,7 @@ CVE-2019-13446
CVE-2019-13445 (An issue was discovered in the ROS communications-related packages (ak ...)
- ros-ros-comm 1.14.3+ds1-11 (bug #947947)
[buster] - ros-ros-comm 1.14.3+ds1-5+deb10u1
- [stretch] - ros-ros-comm <no-dsa> (Minor issue)
+ [stretch] - ros-ros-comm 1.12.6-2+deb9u2
NOTE: https://github.com/ros/ros_comm/issues/1738
NOTE: https://github.com/ros/ros_comm/pull/1741
CVE-2019-13444
@@ -39671,7 +39674,7 @@ CVE-2019-13242 (IrfanView 4.52 has a User Mode Write AV starting at image0040000
CVE-2019-13241 (FlightCrew v0.9.2 and older are vulnerable to a directory traversal, a ...)
- flightcrew 0.7.2+dfsg-14
[buster] - flightcrew 0.7.2+dfsg-13+deb10u1
- [stretch] - flightcrew <no-dsa> (Minor issue, can be fixed via point release)
+ [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/52
CVE-2019-13240 (An issue was discovered in GLPI before 9.4.1. After a successful passw ...)
- glpi <removed> (unimportant)
@@ -39880,7 +39883,7 @@ CVE-2019-13174
CVE-2019-13173 (fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extra ...)
- node-fstream 1.0.12-1 (bug #931408)
[buster] - node-fstream 1.0.10-1+deb10u1
- [stretch] - node-fstream <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-fstream 1.0.10-1+deb9u1
[jessie] - node-fstream <ignored> (Nodejs in jessie not covered by security support)
NOTE: https://www.npmjs.com/advisories/886
NOTE: https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22
@@ -40299,6 +40302,7 @@ CVE-2019-13033
CVE-2019-13032 (An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL point ...)
- flightcrew 0.7.2+dfsg-14 (unimportant; bug #931246)
[buster] - flightcrew 0.7.2+dfsg-13+deb10u1
+ [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/53
NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/c75c100218ed5c0e7652947051e28b54a75212ae
NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/b4f4a70f604ddcb4e8e343aa0e690764fc46d780
@@ -40496,7 +40500,7 @@ CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the
{DLA-1851-1}
- openjpeg2 2.3.1-1 (low; bug #931294)
[buster] - openjpeg2 2.3.0-2+deb10u1
- [stretch] - openjpeg2 <no-dsa> (Minor issue)
+ [stretch] - openjpeg2 2.1.2-1.1+deb9u4
NOTE: https://github.com/uclouvain/openjpeg/issues/431
NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949
NOTE: https://github.com/uclouvain/openjpeg/commit/2d24b6000d5611615e3e6d799e20d5fdbe4e2a1e
@@ -42888,7 +42892,7 @@ CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through
[jessie] - php-horde-trean <no-dsa> (Minor issue)
- php-horde 5.2.21+debian0-1
[buster] - php-horde 5.2.20+debian0-1+deb10u1
- [stretch] - php-horde <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - php-horde 5.2.13+debian0-1+deb9u1
NOTE: https://github.com/horde/base/commit/81a7b53973506856db67e7f0b0263be29528aa75
NOTE: https://bugs.horde.org/ticket/14926 (for the stored XSS)
CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin ...)
@@ -46698,7 +46702,7 @@ CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower
CVE-2019-10746 (mixin-deep is vulnerable to Prototype Pollution in versions before 1.3 ...)
- node-mixin-deep 2.0.1-1 (bug #932500)
[buster] - node-mixin-deep 1.1.3-3+deb10u1
- [stretch] - node-mixin-deep <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-mixin-deep 1.1.3-1+deb9u1
NOTE: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
NOTE: https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
NOTE: https://github.com/jonschlinkert/mixin-deep/issues/6
@@ -50721,6 +50725,7 @@ CVE-2019-9656 (An issue was discovered in LibOFX 0.9.14. There is a NULL pointer
{DLA-2001-1}
- libofx 1:0.9.15-1 (unimportant; bug #924350)
[buster] - libofx 1:0.9.14-1+deb10u1
+ [stretch] - libofx 1:0.9.10-2+deb9u2
NOTE: https://github.com/libofx/libofx/issues/22
NOTE: Negligible security impact
CVE-2019-9655
@@ -54647,7 +54652,7 @@ CVE-2019-8287 (TightVNC code version 1.3.10 contains global buffer overflow in H
{DLA-2045-1}
- tightvnc 1:1.3.9-9.1 (bug #945364)
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2018/12/10/5
NOTE: same as CVE-2018-20020/libvncserver
CVE-2019-8286 (Information Disclosure in Kaspersky Anti-Virus, Kaspersky Internet Sec ...)
@@ -66063,13 +66068,13 @@ CVE-2019-3575 (Sqla_yaml_fixtures 0.9.1 allows local users to execute arbitrary
CVE-2019-3574 (In libsixel v1.8.2, there is a heap-based buffer over-read in the func ...)
- libsixel 1.8.2-2 (low; bug #922460)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/83
CVE-2019-3573 (In libsixel v1.8.2, there is an infinite loop in the function sixel_de ...)
- libsixel 1.8.2-2 (low; bug #922460)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <postponed> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/83
CVE-2019-3572 (An issue was discovered in libming 0.4.8. There is a heap-based buffer ...)
@@ -69006,6 +69011,7 @@ CVE-2019-2974 (Vulnerability in the MySQL Server product of Oracle MySQL (compon
- mariadb-10.3 1:10.3.19-1
[buster] - mariadb-10.3 1:10.3.22-0+deb10u1
- mariadb-10.1 <removed>
+ [stretch] - mariadb-10.1 10.1.44-0+deb9u1
- mysql-5.7 <unfixed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
NOTE: MySQL: https://github.com/mysql/mysql-server/commit/52d9daf06478851548251ec2103cdc22178c48c4
@@ -71070,7 +71076,7 @@ CVE-2019-2228 (In array_find of array.c, there is a possible out-of-bounds read
{DLA-2047-1}
- cups 2.3.1-1 (bug #946782)
[buster] - cups 2.2.10-6+deb10u2
- [stretch] - cups <no-dsa> (Minor issue)
+ [stretch] - cups 2.2.1-8+deb9u5
NOTE: https://github.com/apple/cups/commit/b018978c278d42c7abf78941251b887c95dfdb07 (master, v2.3.1)
NOTE: https://github.com/apple/cups/commit/8c9b3606cca99e5dfc51784a9de1634345db7579 (v2.2.13)
CVE-2019-2227 (In DeepCopy of btif_av.cc, there is a possible out of bounds read due ...)
@@ -71625,6 +71631,7 @@ CVE-2018-20024 (LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 co
{DSA-4383-1 DLA-2016-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/254
@@ -71634,6 +71641,7 @@ CVE-2018-20023 (LibVNC before 8b06f835e259652b0ff026898014fc7297ade858 contains
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/253
NOTE: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858
@@ -71642,10 +71650,11 @@ CVE-2018-20022 (LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains
{DSA-4383-1 DLA-2045-1 DLA-2016-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/252
NOTE: https://github.com/LibVNC/libvncserver/commit/2f5b2ad1c6c99b1ac6482c95844a84d66bb52838
@@ -71654,10 +71663,11 @@ CVE-2018-20021 (LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c co
{DSA-4383-1 DLA-2045-1 DLA-2016-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- ssvnc 1.0.29-5 (bug #945827)
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- veyon 4.1.4+repack1-1
NOTE: https://github.com/LibVNC/libvncserver/issues/251
NOTE: https://github.com/LibVNC/libvncserver/commit/c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c
@@ -71689,6 +71699,7 @@ CVE-2018-20019 (LibVNC before commit a83439b9fbe0f03c48eb94ed05729cb016f8b72f co
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
NOTE: https://github.com/LibVNC/libvncserver/issues/247
NOTE: https://github.com/LibVNC/libvncserver/commit/a83439b9fbe0f03c48eb94ed05729cb016f8b72f
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-029-libvnc-multiple-heap-out-of-bound-vulnerabilities/
@@ -73296,21 +73307,21 @@ CVE-2018-19764
CVE-2018-19763 (There is a heap-based buffer over-read at writer.c (function: write_pn ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/82
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649201 (reproducer)
CVE-2018-19762 (There is a heap-based buffer overflow at fromsixel.c (function: image_ ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/81
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649199 (reproducer)
CVE-2018-19761 (There is an illegal address access at fromsixel.c (function: sixel_dec ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/78
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649200 (reproducer)
@@ -73324,7 +73335,7 @@ CVE-2018-19760 (cfg_init in confuse.c in libConfuse 3.2.2 has a memory leak. ...
CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (function: ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/77
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649202 (reproducer)
@@ -73340,14 +73351,14 @@ CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_hea
CVE-2018-19757 (There is a NULL pointer dereference at function sixel_helper_set_addit ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/79
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649197 (reproducer)
CVE-2018-19756 (There is a heap-based buffer over-read at stb_image.h (function: stbi_ ...)
- libsixel 1.8.2-2 (bug #931311)
[buster] - libsixel 1.8.2-1+deb10u1
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/80
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649198 (reproducer)
@@ -88633,6 +88644,7 @@ CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de co
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
NOTE: https://github.com/LibVNC/libvncserver/issues/243
NOTE: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/
@@ -91570,13 +91582,13 @@ CVE-2018-14074
RESERVED
CVE-2018-14073 (libsixel 1.8.1 has a memory leak in sixel_allocator_new in allocator.c ...)
- libsixel 1.8.2-1 (low; bug #903858)
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <postponed> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/67#issuecomment-404989926
NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27
CVE-2018-14072 (libsixel 1.8.1 has a memory leak in sixel_decoder_decode in decoder.c, ...)
- libsixel 1.8.2-1 (low; bug #903858)
- [stretch] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel 1.5.2-2+deb9u1
[jessie] - libsixel <postponed> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/67#issue-341198610
NOTE: https://github.com/saitoha/libsixel/commit/f94bc6fec696abd77be275226f28409602bd1f27
@@ -110254,9 +110266,10 @@ CVE-2018-7225 (An issue was discovered in LibVNCServer through 0.9.11. rfbProces
{DSA-4221-1 DLA-2045-1 DLA-2014-1 DLA-1979-1 DLA-1332-1}
- libvncserver 0.9.11+dfsg-1.1 (bug #894045)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- vino <unfixed> (bug #945784)
NOTE: https://github.com/LibVNC/libvncserver/issues/218
NOTE: https://github.com/LibVNC/libvncserver/commit/b0c77391e6bd0a2305bbc9b37a2499af74ddd9ee
@@ -113106,6 +113119,7 @@ CVE-2018-6307 (LibVNC before commit ca2a5ac02fbbadd0a21fabba779c1ea69173d10b con
{DSA-4383-1 DLA-1979-1 DLA-1617-1}
- libvncserver 0.9.11+dfsg-1.2 (bug #916941)
- italc <removed>
+ [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
NOTE: https://github.com/LibVNC/libvncserver/issues/241
NOTE: https://github.com/LibVNC/libvncserver/commit/ca2a5ac02fbbadd0a21fabba779c1ea69173d10b
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-026-libvnc-heap-use-after-free/
@@ -120481,7 +120495,7 @@ CVE-2018-3720 (assign-deep node module before 0.4.7 suffers from a Modification
NOT-FOR-US: assign-deep node module
CVE-2018-3719 (mixin-deep node module before 1.3.1 suffers from a Modification of Ass ...)
- node-mixin-deep 1.1.3-2 (bug #898315)
- [stretch] - node-mixin-deep <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-mixin-deep 1.1.3-1+deb9u1
NOTE: https://nodesecurity.io/advisories/578
CVE-2018-3718 (serve node module suffers from Improper Handling of URL Encoding by pe ...)
NOT-FOR-US: serve node module
@@ -141080,7 +141094,7 @@ CVE-2017-14062 (Integer overflow in the decode_digit function in puny_decode.c i
{DSA-3988-1 DLA-1447-1 DLA-1085-1 DLA-1084-1}
- libidn2-0 2.0.2-4 (bug #873902)
- libidn 1.33-2 (bug #873903)
- [stretch] - libidn <no-dsa> (Minor issue; can be fixed in point release)
+ [stretch] - libidn 1.33-1+deb9u1
NOTE: https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd
CVE-2017-14061 (Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2 ...)
- libidn2-0 2.0.2-4 (bug #873904)
@@ -146764,7 +146778,7 @@ CVE-2017-12174 (It was found that when Artemis and HornetQ before 2.4.0 are conf
NOT-FOR-US: Artemis and HornetQ
CVE-2017-12173 (It was found that sssd's sysdb_search_user_by_upn_res() function befor ...)
- sssd 1.15.3-2 (bug #877885)
- [stretch] - sssd <no-dsa> (Minor issue)
+ [stretch] - sssd 1.15.0-3+deb9u1
[jessie] - sssd <not-affected> (Vulnerable code introduced later)
[wheezy] - sssd <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1498173
@@ -183771,7 +183785,7 @@ CVE-2016-9113 (There is a NULL pointer dereference in function imagetobmp of con
CVE-2016-9112 (Floating Point Exception (aka FPE or divide by zero) in opj_pi_next_cp ...)
{DLA-1851-1}
- openjpeg2 2.1.2-1.2 (bug #844551)
- [stretch] - openjpeg2 <no-dsa> (Minor issue)
+ [stretch] - openjpeg2 2.1.2-1.1+deb9u4
NOTE: https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad62b33d2dc1ba2bb1eeaafe7b
NOTE: https://github.com/uclouvain/openjpeg/issues/855
CVE-2016-9111 (Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4. ...)
@@ -248062,7 +248076,7 @@ CVE-2014-6053 (The rfbProcessClientNormalMessage function in libvncserver/rfbser
- italc 1:3.0.1+dfsg1-1
- tightvnc 1:1.3.9-9.1
[buster] - tightvnc 1:1.3.9-9deb10u1
- [stretch] - tightvnc <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - tightvnc 1:1.3.9-9+deb9u1
- vino <unfixed> (bug #945784)
NOTE: https://github.com/newsoft/libvncserver/commit/6037a9074d52b1963c97cb28ea1096c7c14cbf28
CVE-2014-6052 (The HandleRFBServerMessage function in libvncclient/rfbproto.c in LibV ...)
diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt
index 35de02fb85..9991b5f530 100644
--- a/data/next-oldstable-point-update.txt
+++ b/data/next-oldstable-point-update.txt
@@ -1,123 +1,3 @@
-CVE-2019-13173
- [stretch] - node-fstream 1.0.10-1+deb9u1
-CVE-2019-13241
- [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
-CVE-2019-13032
- [stretch] - flightcrew 0.7.2+dfsg-9+deb9u1
-CVE-2018-3719
- [stretch] - node-mixin-deep 1.1.3-1+deb9u1
-CVE-2019-10746
- [stretch] - node-mixin-deep 1.1.3-1+deb9u1
-CVE-2018-19756
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19757
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19759
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19761
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19762
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-19763
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2019-3573
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2019-3574
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-14072
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-14073
- [stretch] - libsixel 1.5.2-2+deb9u1
-CVE-2018-21010
- [stretch] - openjpeg2 2.1.2-1.1+deb9u4
-CVE-2018-20847
- [stretch] - openjpeg2 2.1.2-1.1+deb9u4
-CVE-2016-9112
- [stretch] - openjpeg2 2.1.2-1.1+deb9u4
-CVE-2019-14806
- [stretch] - python-werkzeug 0.11.15+dfsg1-1+deb9u1
-CVE-2019-19010
- [stretch] - limnoria 2017.01.10-1+deb9u1
-CVE-2019-13566
- [stretch] - ros-ros-comm 1.12.6-2+deb9u1
-CVE-2019-13465
- [stretch] - ros-ros-comm 1.12.6-2+deb9u1
-CVE-2019-13445
- [stretch] - ros-ros-comm 1.12.6-2+deb9u2
-CVE-2019-9656
- [stretch] - libofx 1:0.9.10-2+deb9u2
-CVE-2019-18197
- [stretch] - libxslt 1.1.29-2.1+deb9u2
-CVE-2019-19555
- [stretch] - fig2dev 1:3.2.6a-2+deb9u3
-CVE-2019-15961
- [stretch] - clamav 0.102.1+dfsg-0+deb9u1
-CVE-2019-19269
- [stretch] - proftpd-dfsg 1.3.5b-4+deb9u3
-CVE-2019-12095
- [stretch] - php-horde 5.2.13+debian0-1+deb9u1
-CVE-2019-15681
- [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u2
-CVE-2017-12173
- [stretch] - sssd 1.15.0-3+deb9u1
-CVE-2014-6053
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-8287
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2018-20021
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2018-20022
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2018-7225
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15678
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15679
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15680
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-15681
- [stretch] - tightvnc 1:1.3.9-9+deb9u1
-CVE-2019-2228
- [stretch] - cups 2.2.1-8+deb9u5
-CVE-2017-14062
- [stretch] - libidn 1.33-1+deb9u1
-CVE-2019-15695
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15694
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15693
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15692
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2019-15691
- [stretch] - tigervnc 1.7.0+dfsg-7+deb9u1
-CVE-2018-7225
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-15127
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20019
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20020
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20021
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20022
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20023
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-20024
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2018-6307
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2019-15681
- [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1
-CVE-2019-20387
- [stretch] - libsolv 0.6.24-1+deb9u2
-CVE-2020-2574
- [stretch] - mariadb-10.1 10.1.44-0+deb9u1
-CVE-2019-2974
- [stretch] - mariadb-10.1 10.1.44-0+deb9u1
CVE-2017-12424
[stretch] - shadow 1:4.4-4.1+deb9u1
CVE-2015-9261 [busybox: pointer misuse unziping files]
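Review bot: the removed pair `CVE-2018-20020` / `[stretch] - italc 1:3.0.3+dfsg1-1+deb9u1` has no counterpart among the data/CVE/list hunks above: the italc stretch line is added for CVE-2018-20019, CVE-2018-20021, CVE-2018-20022, CVE-2018-20023, CVE-2018-20024, CVE-2018-6307, CVE-2018-15127, CVE-2018-7225 and CVE-2019-15681, but no hunk touches the CVE-2018-20020 entry. Either that entry already carried the stretch version or the fix is now dropped from the pending list without being recorded; please check CVE-2018-20020 in data/CVE/list and add the stretch line if it is missing.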
