author: Salvatore Bonaccorso <carnil@debian.org> 2020-05-08 14:40:21 +0200
committer: Salvatore Bonaccorso <carnil@debian.org> 2020-05-08 14:40:21 +0200
commit: aa610955b75f8e349dbd8489a0d81f8d88378518
tree: 5c3fc352561afa4f1417acc2a4c895776a129777 /data
parent: b01a6d60883db75ae55e73ee3f5e9e278fc7c79e
Merge acked and included CVE fixes for buster 10.4
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list 78
-rw-r--r-- data/next-point-update.txt 80
2 files changed, 40 insertions, 118 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 54dbe231c9..314fc2db5e 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1517,7 +1517,7 @@ CVE-2020-12080
CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCurso ...)
{DLA-2146-1}
- libvncserver 0.9.12+dfsg-9 (bug #954163)
- [buster] - libvncserver <no-dsa> (Minor issue)
+ [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
[stretch] - libvncserver <no-dsa> (Minor issue)
NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
CVE-2020-12137 (GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed app ...)
@@ -7502,7 +7502,7 @@ CVE-2020-10175
REJECTED
CVE-2020-10174 (init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely ...)
- timeshift 20.03+ds-1 (bug #953385)
- [buster] - timeshift <no-dsa> (Will be fixed via point release)
+ [buster] - timeshift 19.01+ds-2+deb10u1
NOTE: https://www.openwall.com/lists/oss-security/2020/03/06/3
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1165802
NOTE: https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462
@@ -8879,7 +8879,7 @@ CVE-2020-9544 (An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. T
NOT-FOR-US: D-Link
CVE-2020-9543 (OpenStack Manila &lt;7.4.1, &gt;=8.0.0 &lt;8.1.1, and &gt;=9.0.0 &lt;9 ...)
- manila 1:9.0.0-5 (bug #953581)
- [buster] - manila <no-dsa> (Minor issue)
+ [buster] - manila 1:7.0.0-1+deb10u1
[stretch] - manila <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/manila/+bug/1861485
NOTE: https://security.openstack.org/ossa/OSSA-2020-002.html
@@ -10490,7 +10490,7 @@ CVE-2020-8867 (This vulnerability allows remote attackers to create a denial-of-
CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary files o ...)
{DLA-2162-1}
- php-horde-form <removed> (bug #955020)
- [buster] - php-horde-form <no-dsa> (Minor issue)
+ [buster] - php-horde-form 2.0.18-3.1+deb10u1
[stretch] - php-horde-form <no-dsa> (Minor issue)
NOTE: https://lists.horde.org/archives/announce/2020/001288.html
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-275/
@@ -10498,7 +10498,7 @@ CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary fi
CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP files ...)
{DLA-2175-1}
- php-horde-trean <removed> (bug #955019)
- [buster] - php-horde-trean <no-dsa> (Minor issue)
+ [buster] - php-horde-trean 1.1.9-3+deb10u1
[stretch] - php-horde-trean <no-dsa> (Minor issue)
NOTE: https://lists.horde.org/archives/announce/2020/001286.html
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/
@@ -11144,7 +11144,7 @@ CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Busines
CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overf ...)
{DSA-4632-1 DLA-2097-1}
- lwip 2.1.2+dfsg1-5 (bug #951291)
- [buster] - lwip <no-dsa> (Minor issue)
+ [buster] - lwip 2.0.3-3+deb10u1
[experimental] - ppp 2.4.8-1+1~exp1
- ppp <unfixed> (bug #950618)
NOTE: http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86
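Review bot: the CVE-2020-8597 entry still carries "- ppp <unfixed> (bug #950618)" two lines below the new lwip line, although the entry header already references DSA-4632-1. That is outside what this merge touches, but it is worth checking that the unstable ppp status is still accurate while the entry is open. The lwip version itself, 2.0.3-3+deb10u1, agrees with the entry removed from data/next-point-update.txt.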
@@ -11310,7 +11310,7 @@ CVE-2020-8519
CVE-2020-8518 (Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary P ...)
{DLA-2174-1}
- php-horde-data <removed> (bug #951537)
- [buster] - php-horde-data <no-dsa> (Minor issue)
+ [buster] - php-horde-data 2.1.4-5+deb10u1
[stretch] - php-horde-data <no-dsa> (Minor issue)
NOTE: https://lists.horde.org/archives/announce/2020/001285.html
NOTE: https://github.com/horde/Data/commit/78ad0c2390176cdde7260a271bc6ddd86f4c9c0e
@@ -12133,7 +12133,7 @@ CVE-2020-8142 (A security restriction bypass vulnerability has been discovered i
NOT-FOR-US: Revive Adserver
CVE-2020-8141 (The dot package v1.1.2 uses Function() to compile templates. This can ...)
- node-dot 1.1.3+ds-1
- [buster] - node-dot <no-dsa> (Will be fixed via point release)
+ [buster] - node-dot 1.1.1-1+deb10u1
NOTE: https://hackerone.com/reports/390929
CVE-2020-8140 (A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed t ...)
- nextcloud-desktop <not-affected> (MacOS-specific)
@@ -12160,7 +12160,7 @@ CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 al
CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake &lt; 12.3. ...)
{DLA-2120-1}
- rake 12.3.3-1
- [buster] - rake <no-dsa> (Minor issue)
+ [buster] - rake 12.3.1-3+deb10u1
[stretch] - rake <no-dsa> (Minor issue)
NOTE: https://hackerone.com/reports/651518
NOTE: Fixed by: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee (v12.3.3)
@@ -12196,7 +12196,7 @@ CVE-2020-8117 (Improper preservation of permissions in Nextcloud Server 14.0.3 c
- nextcloud-server <itp> (bug #941708)
CVE-2020-8116 (Prototype pollution vulnerability in dot-prop npm package version 5.1. ...)
- node-dot-prop 5.2.0-1
- [buster] - node-dot-prop <no-dsa> (Minor issue)
+ [buster] - node-dot-prop 4.1.1-1+deb10u1
NOTE: https://hackerone.com/reports/719856
NOTE: https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2
CVE-2020-8115 (A reflected XSS vulnerability has been discovered in the publicly acce ...)
@@ -13421,7 +13421,7 @@ CVE-2020-7611 (All versions of io.micronaut:micronaut-http-client before 1.2.11
CVE-2020-7610 (All versions of bson before 1.1.4 are vulnerable to Deserialization of ...)
[experimental] - node-mongodb 3.5.5+~cs11.12.19-1
- node-mongodb 3.5.6+~cs11.12.19-1
- [buster] - node-mongodb <no-dsa> (Minor issue)
+ [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19
NOTE: https://snyk.io/vuln/SNYK-JS-BSON-561052
NOTE: https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8
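Review bot: the NOTE under CVE-2020-7610 only explains the unstable fix ("Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19"), while the new buster version 3.1.13+~3.1.11-2+deb10u1 gives no hint which bundled bson it carries. A short NOTE stating how buster received the fix would save the next reader from digging through the upload. The same applies to the CVE-2019-2391 entry for the same package further down.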
@@ -13429,7 +13429,7 @@ CVE-2020-7609 (node-rules including 3.0.0 and prior to 5.0.0 allows injection of
NOT-FOR-US: Node node-rules
CVE-2020-7608 (yargs-parser could be tricked into adding or modifying properties of O ...)
- node-yargs-parser 18.1.1-1
- [buster] - node-yargs-parser <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - node-yargs-parser 11.1.1-1+deb10u1
[stretch] - node-yargs-parser <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
NOTE: https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2
@@ -18896,7 +18896,7 @@ CVE-2020-5268 (In Saml2 Authentication Services for ASP.NET versions before 1.0.
CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...)
{DLA-2149-1}
- rails 2:5.2.4.1+dfsg-2 (bug #954304)
- [buster] - rails <no-dsa> (Minor issue)
+ [buster] - rails 2:5.2.2.1+dfsg-1+deb10u1
[stretch] - rails <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1
NOTE: https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a (master)
@@ -19119,7 +19119,7 @@ CVE-2020-5203 (In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code
NOT-FOR-US: Fat-Free Framework
CVE-2020-5202 (apt-cacher-ng through 3.3 allows local users to obtain sensitive infor ...)
- apt-cacher-ng 3.3.1-1
- [buster] - apt-cacher-ng <no-dsa> (Minor issue)
+ [buster] - apt-cacher-ng 3.2.1-1
[stretch] - apt-cacher-ng <no-dsa> (Minor issue)
[jessie] - apt-cacher-ng <no-dsa> (Minor issue)
NOTE: https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc
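Review bot: "[buster] - apt-cacher-ng 3.2.1-1" is the only fixed version in this patch without a deb10u suffix. It agrees with the entry removed from data/next-point-update.txt, so it looks intentional, but please confirm that 3.2.1-1 is the version actually accepted into buster, since the tracker will report every lower version as vulnerable and every higher one as fixed.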
@@ -22928,7 +22928,7 @@ CVE-2020-3899 (A memory consumption issue was addressed with improved memory han
CVE-2020-3898 [heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c]
RESERVED
- cups 2.3.1-12
- [buster] - cups <no-dsa> (Minor issue)
+ [buster] - cups 2.2.10-6+deb10u3
[stretch] - cups <no-dsa> (Minor issue)
[jessie] - cups <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1823964
@@ -23857,7 +23857,7 @@ CVE-2019-19792 (A permissions issue in ESET Cyber Security before 6.8.300.0 for
CVE-2019-19791 [Apache access rules and SOAP/REST endpoints issue]
RESERVED
- lemonldap-ng 2.0.7+ds-1
- [buster] - lemonldap-ng <no-dsa> (Minor issue)
+ [buster] - lemonldap-ng 2.0.2+ds-7+deb10u3
[stretch] - lemonldap-ng <no-dsa> (Minor issue)
[jessie] - lemonldap-ng <no-dsa> (Minor issue)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
@@ -24891,7 +24891,7 @@ CVE-2020-3124
RESERVED
CVE-2020-3123 (A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiV ...)
- clamav 0.102.2+dfsg-1 (bug #950944)
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.102.2+dfsg-0+deb10u1
[stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
[jessie] - clamav <not-affected> (Vulnerable code introduced in 0.102.x)
NOTE: https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
@@ -29158,7 +29158,7 @@ CVE-2020-1731 (A flaw was found in all versions of the Keycloak operator, before
NOT-FOR-US: Keycloak
CVE-2020-1730 (A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in t ...)
- libssh 0.9.4-1 (bug #956308)
- [buster] - libssh <no-dsa> (Minor issue, can be fixed via point release)
+ [buster] - libssh 0.8.7-1+deb10u1
[stretch] - libssh <not-affected> (Vulnerable code introduced later)
[jessie] - libssh <not-affected> (Vulnerable code introduced later)
NOTE: https://www.libssh.org/security/advisories/CVE-2020-1730.txt
@@ -29216,7 +29216,7 @@ CVE-2020-1713
RESERVED
CVE-2020-1712 (A heap use-after-free vulnerability was found in systemd before versio ...)
- systemd 244.2-1 (bug #950732)
- [buster] - systemd <no-dsa> (Can be fixed via point release)
+ [buster] - systemd 241-7~deb10u4
[stretch] - systemd <no-dsa> (Can be fixed via point release)
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/systemd/systemd/commit/773b1a7916bfce3aa2a21ecf534d475032e8528e (preparation)
@@ -39485,21 +39485,21 @@ CVE-2019-16778 (In TensorFlow before 1.15, a heap buffer overflow in UnsortedSeg
CVE-2019-16777 (Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary ...)
[experimental] - npm 6.13.4+ds-1
- npm 6.13.4+ds-2 (bug #947127)
- [buster] - npm <no-dsa> (Minor issue)
+ [buster] - npm 5.8.0+ds6-4+deb10u1
[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
NOTE: https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
CVE-2019-16776 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...)
[experimental] - npm 6.13.4+ds-1
- npm 6.13.4+ds-2 (bug #947127)
- [buster] - npm <no-dsa> (Minor issue)
+ [buster] - npm 5.8.0+ds6-4+deb10u1
[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
NOTE: https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...)
[experimental] - npm 6.13.4+ds-1
- npm 6.13.4+ds-2 (bug #947127)
- [buster] - npm <no-dsa> (Minor issue)
+ [buster] - npm 5.8.0+ds6-4+deb10u1
[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
@@ -39517,7 +39517,7 @@ CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vuln
NOT-FOR-US: Armeria
CVE-2019-16770 (In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client coul ...)
- puma 3.12.0-4 (bug #946312)
- [buster] - puma <no-dsa> (Minor issue)
+ [buster] - puma 3.12.0-2+deb10u1
[stretch] - puma <no-dsa> (Minor issue)
NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
@@ -42612,7 +42612,7 @@ CVE-2019-15690
RESERVED
{DLA-2146-1}
- libvncserver 0.9.12+dfsg-9 (bug #954163)
- [buster] - libvncserver <no-dsa> (Minor issue)
+ [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
[stretch] - libvncserver <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
NOTE: https://github.com/LibVNC/libvncserver/issues/381
@@ -43167,7 +43167,7 @@ CVE-2019-15523
RESERVED
CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...)
- csync2 2.0-25-gc0faaf9-1 (bug #955445)
- [buster] - csync2 <no-dsa> (Minor issue)
+ [buster] - csync2 2.0-22-gce67c55-1+deb10u1
[stretch] - csync2 <no-dsa> (Minor issue)
[jessie] - csync2 <no-dsa> (Minor issue)
NOTE: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1
@@ -44645,7 +44645,7 @@ CVE-2017-18516 (The bws-linkedin plugin before 1.0.5 for WordPress has multiple
CVE-2016-10894 (xtrlock through 2.10 does not block multitouch events. Consequently, a ...)
{DLA-1959-1}
- xtrlock 2.12 (bug #830726)
- [buster] - xtrlock <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - xtrlock 2.8+deb10u1
[stretch] - xtrlock <no-dsa> (Minor issue; can be fixed via point release)
CVE-2016-10893 (The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has mu ...)
NOT-FOR-US: Wordpress plugin
@@ -45445,6 +45445,7 @@ CVE-2019-14863 (There is a vulnerability in all angular versions before 1.5.0-be
NOTE: https://github.com/angular/angular.js/pull/12524
CVE-2019-14862 (There is a vulnerability in knockout before version 3.5.0-beta, where ...)
- node-knockout 3.4.2-3 (unimportant; bug #943560)
+ [buster] - node-knockout 3.4.2-2+deb10u1
NOTE: https://github.com/knockout/knockout/issues/1244
NOTE: https://github.com/knockout/knockout/pull/2345
NOTE: https://github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb
@@ -46298,13 +46299,13 @@ CVE-2019-14588
CVE-2019-14587
RESERVED
- edk2 0~20200229.4c0f6e34-1
- [buster] - edk2 <no-dsa> (Minor issue)
+ [buster] - edk2 0~20181115.85588389-3+deb10u1
[stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
CVE-2019-14586
RESERVED
- edk2 0~20200229.4c0f6e34-1
- [buster] - edk2 <no-dsa> (Minor issue)
+ [buster] - edk2 0~20181115.85588389-3+deb10u1
[stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
CVE-2019-14585
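Review bot: CVE-2019-14587 and CVE-2019-14586 are RESERVED entries with no bracketed description, no bug number and no NOTE, and they now record a buster fixed version with nothing to trace it to. The other edk2 entries in this patch (for example CVE-2019-14575 with bug #952935 and a tianocore bugzilla NOTE) show the expected level of detail. Please add a NOTE with the upstream reference for these two so the fixed-version claim can be verified later.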
@@ -46330,7 +46331,7 @@ CVE-2019-14576
CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check]
RESERVED
- edk2 0~20200229.4c0f6e34-1 (low; bug #952935)
- [buster] - edk2 <no-dsa> (Minor issue)
+ [buster] - edk2 0~20181115.85588389-3+deb10u1
[stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
@@ -46359,7 +46360,7 @@ CVE-2019-14564
CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib]
RESERVED
- edk2 0~20200229.4c0f6e34-1 (low; bug #952934)
- [buster] - edk2 <no-dsa> (Minor issue)
+ [buster] - edk2 0~20181115.85588389-3+deb10u1
[stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891
@@ -46373,7 +46374,7 @@ CVE-2019-14560
CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
RESERVED
- edk2 0~20200229.4c0f6e34-1 (bug #952926; low)
- [buster] - edk2 <no-dsa> (Minor issue)
+ [buster] - edk2 0~20181115.85588389-3+deb10u1
[stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550
@@ -46381,7 +46382,7 @@ CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
CVE-2019-14558
RESERVED
- edk2 0~20200229.4c0f6e34-1
- [buster] - edk2 <no-dsa> (Minor issue)
+ [buster] - edk2 0~20181115.85588389-3+deb10u1
[stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
CVE-2019-14557
@@ -46683,6 +46684,7 @@ CVE-2019-14467 (The Social Photo Gallery plugin 1.0 for WordPress allows Remote
CVE-2019-14466 (The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable ...)
{DLA-1905-1}
- gosa 2.7.4+reloaded3-10
+ [buster] - gosa 2.7.4+reloaded3-8+deb10u2
NOTE: https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b (fix)
NOTE: https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a (fixing the prev commit)
NOTE: https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100
@@ -58563,7 +58565,7 @@ CVE-2019-10786 (network-manager through 1.0.2 allows remote attackers to execute
CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions before ver ...)
{DLA-2127-1}
- dojo 1.15.2+dfsg1-1 (bug #952771)
- [buster] - dojo <no-dsa> (Minor issue)
+ [buster] - dojo 1.15.0+dfsg1-1+deb10u1
NOTE: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
NOTE: https://snyk.io/vuln/SNYK-JS-DOJOX-548257
NOTE: https://github.com/dojo/dojox/pull/315
@@ -62688,7 +62690,7 @@ CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are
CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...)
{DLA-1768-1}
- checkstyle 8.26-1 (low; bug #924598)
- [buster] - checkstyle <no-dsa> (Minor issue)
+ [buster] - checkstyle 8.15-1+deb10u1
[stretch] - checkstyle <no-dsa> (Minor issue)
NOTE: https://github.com/checkstyle/checkstyle/issues/6474
NOTE: https://github.com/checkstyle/checkstyle/issues/6478
@@ -65076,7 +65078,7 @@ CVE-2019-8843
CVE-2019-8842 [he `ippReadIO` function may under-read an extension field]
RESERVED
- cups 2.3.1-12
- [buster] - cups <no-dsa> (Minor issue)
+ [buster] - cups 2.2.10-6+deb10u3
[stretch] - cups <no-dsa> (Minor issue)
[jessie] - cups <no-dsa> (Minor issue)
NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ipp.c: ippReadIO)
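Review bot: the bracketed temporary description on CVE-2019-8842 reads "[he `ippReadIO` function may under-read an extension field]"; the leading "T" is missing. This is not introduced by the merge, but it is easy to fix in a follow-up while the entry is being touched.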
@@ -73857,7 +73859,7 @@ CVE-2019-5430 (In UniFi Video 3.10.0 and prior, due to the lack of CSRF protecti
NOT-FOR-US: Ubiquiti Networks UniFi Video
CVE-2019-5429 (Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacke ...)
- filezilla 3.45.1-1 (low; bug #928282)
- [buster] - filezilla <no-dsa> (Minor issue)
+ [buster] - filezilla 3.39.0-2+deb10u1
[stretch] - filezilla <no-dsa> (Minor issue)
[jessie] - filezilla <no-dsa> (Minor issue)
NOTE: https://svn.filezilla-project.org/filezilla?revision=9097&view=revision
@@ -77264,7 +77266,7 @@ CVE-2019-3867
NOT-FOR-US: OpenShift (web-cosnole issue specific to OpenShift only)
CVE-2019-3866 (An information-exposure vulnerability was discovered where openstack-m ...)
- python-oslo.utils 3.41.3-1 (low; bug #946060)
- [buster] - python-oslo.utils <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - python-oslo.utils 3.36.5-0+deb10u1
[stretch] - python-oslo.utils <no-dsa> (Minor issue; can be fixed via point release)
[jessie] - python-oslo.utils <not-affected> (regex pattern rewrite)
- python-mistral-lib 1.2.0-3
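Review bot: CVE-2019-3866 covers more than one source package, and only python-oslo.utils gets a buster fixed version here. The trailing context line "- python-mistral-lib 1.2.0-3" starts a second package whose buster status is not visible in this hunk, so please check that python-mistral-lib in buster is tracked on its own line and is not assumed fixed by this update. Unrelated nit in the leading context: "web-cosnole" should read "web-console".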
@@ -82754,7 +82756,7 @@ CVE-2019-2392
CVE-2019-2391 (Incorrect parsing of certain JSON input may result in js-bson not corr ...)
[experimental] - node-mongodb 3.5.5+~cs11.12.19-1
- node-mongodb 3.5.6+~cs11.12.19-1
- [buster] - node-mongodb <no-dsa> (Minor issue)
+ [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19
CVE-2019-2390 (An unprivileged user or program on Microsoft Windows which can create ...)
NOT-FOR-US: Microsoft
diff --git a/data/next-point-update.txt b/data/next-point-update.txt
index c0e8d89547..853b31172c 100644
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -1,83 +1,3 @@
-CVE-2019-3866
- [buster] - python-oslo.utils 3.36.5-0+deb10u1
-CVE-2019-5429
- [buster] - filezilla 3.39.0-2+deb10u1
-CVE-2019-16775
- [buster] - npm 5.8.0+ds6-4+deb10u1
-CVE-2019-16776
- [buster] - npm 5.8.0+ds6-4+deb10u1
-CVE-2019-16777
- [buster] - npm 5.8.0+ds6-4+deb10u1
-CVE-2016-10894
- [buster] - xtrlock 2.8+deb10u1
-CVE-2019-19791
- [buster] - lemonldap-ng 2.0.2+ds-7+deb10u3
-CVE-2020-5202
- [buster] - apt-cacher-ng 3.2.1-1
-CVE-2020-8116
- [buster] - node-dot-prop 4.1.1-1+deb10u1
-CVE-2019-16770
- [buster] - puma 3.12.0-2+deb10u1
-CVE-2020-3123
- [buster] - clamav 0.102.2+dfsg-0+deb10u1
-CVE-2019-10785
- [buster] - dojo 1.15.0+dfsg1-1+deb10u1
-CVE-2020-8130
- [buster] - rake 12.3.1-3+deb10u1
-CVE-2020-10174
- [buster] - timeshift 19.01+ds-2+deb10u1
-CVE-2020-9543
- [buster] - manila 1:7.0.0-1+deb10u1
-CVE-2020-8141
- [buster] - node-dot 1.1.1-1+deb10u1
-CVE-2020-5267
- [buster] - rails 2:5.2.2.1+dfsg-1+deb10u1
-CVE-2020-8597
- [buster] - lwip 2.0.3-3+deb10u1
-CVE-2020-7608
- [buster] - node-yargs-parser 11.1.1-1+deb10u1
-CVE-2019-14862
- [buster] - node-knockout 3.4.2-2+deb10u1
-CVE-2019-9658
- [buster] - checkstyle 8.15-1+deb10u1
-CVE-2019-15522
- [buster] - csync2 2.0-22-gce67c55-1+deb10u1
-CVE-2019-15690
- [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
-CVE-2019-20788
- [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
-CVE-2020-1712
- [buster] - systemd 241-7~deb10u4
-CVE-2020-8518
- [buster] - php-horde-data 2.1.4-5+deb10u1
-CVE-2020-8866
- [buster] - php-horde-form 2.0.18-3.1+deb10u1
-CVE-2020-8865
- [buster] - php-horde-trean 1.1.9-3+deb10u1
-CVE-2019-14587
- [buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14586
- [buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14558
- [buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14563
- [buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14559
- [buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14575
- [buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2020-3898
- [buster] - cups 2.2.10-6+deb10u3
-CVE-2019-8842
- [buster] - cups 2.2.10-6+deb10u3
-CVE-2020-1730
- [buster] - libssh 0.8.7-1+deb10u1
-CVE-2020-7610
- [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
-CVE-2019-2391
- [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
-CVE-2019-14466
- [buster] - gosa 2.7.4+reloaded3-8+deb10u2
CVE-2019-19919
[buster] - node-handlebars 3:4.1.0-1+deb10u1
CVE-2019-18277
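Review bot: the queue is not emptied; CVE-2019-19919 with "[buster] - node-handlebars 3:4.1.0-1+deb10u1" and the entries from CVE-2019-18277 onward stay in data/next-point-update.txt. Please confirm these were deliberately held back from 10.4 and not simply missed, since a stale entry here delays the tracker showing buster as fixed. The 40 entries that are removed line up one to one with the 40 "+" lines added in data/CVE/list, so the moved part of the merge is consistent.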
