author | Salvatore Bonaccorso <carnil@debian.org> | 2020-05-08 14:40:21 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2020-05-08 14:40:21 +0200 |
commit | aa610955b75f8e349dbd8489a0d81f8d88378518 (patch) | |
tree | 5c3fc352561afa4f1417acc2a4c895776a129777 /data | |
parent | b01a6d60883db75ae55e73ee3f5e9e278fc7c79e (diff) |
Merge acked and included CVE fixes for buster 10.4
Diffstat (limited to 'data')
| -rw-r--r-- | data/CVE/list | 78 |
| -rw-r--r-- | data/next-point-update.txt | 80 |
2 files changed, 40 insertions, 118 deletions
diff --git a/data/CVE/list b/data/CVE/list index 54dbe231c9..314fc2db5e 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -1517,7 +1517,7 @@ CVE-2020-12080 CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCurso ...) {DLA-2146-1} - libvncserver 0.9.12+dfsg-9 (bug #954163) - [buster] - libvncserver <no-dsa> (Minor issue) + [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 [stretch] - libvncserver <no-dsa> (Minor issue) NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed CVE-2020-12137 (GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed app ...) @@ -7502,7 +7502,7 @@ CVE-2020-10175 REJECTED CVE-2020-10174 (init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely ...) - timeshift 20.03+ds-1 (bug #953385) - [buster] - timeshift <no-dsa> (Will be fixed via point release) + [buster] - timeshift 19.01+ds-2+deb10u1 NOTE: https://www.openwall.com/lists/oss-security/2020/03/06/3 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1165802 NOTE: https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462 @@ -8879,7 +8879,7 @@ CVE-2020-9544 (An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. T NOT-FOR-US: D-Link CVE-2020-9543 (OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9 ...) - manila 1:9.0.0-5 (bug #953581) - [buster] - manila <no-dsa> (Minor issue) + [buster] - manila 1:7.0.0-1+deb10u1 [stretch] - manila <no-dsa> (Minor issue) NOTE: https://bugs.launchpad.net/manila/+bug/1861485 NOTE: https://security.openstack.org/ossa/OSSA-2020-002.html 
@@ -10490,7 +10490,7 @@ CVE-2020-8867 (This vulnerability allows remote attackers to create a denial-of- CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary files o ...) {DLA-2162-1} - php-horde-form <removed> (bug #955020) - [buster] - php-horde-form <no-dsa> (Minor issue) + [buster] - php-horde-form 2.0.18-3.1+deb10u1 [stretch] - php-horde-form <no-dsa> (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001288.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-275/ @@ -10498,7 +10498,7 @@ CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary fi CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP files ...) {DLA-2175-1} - php-horde-trean <removed> (bug #955019) - [buster] - php-horde-trean <no-dsa> (Minor issue) + [buster] - php-horde-trean 1.1.9-3+deb10u1 [stretch] - php-horde-trean <no-dsa> (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001286.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/ @@ -11144,7 +11144,7 @@ CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Busines CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overf ...) {DSA-4632-1 DLA-2097-1} - lwip 2.1.2+dfsg1-5 (bug #951291) - [buster] - lwip <no-dsa> (Minor issue) + [buster] - lwip 2.0.3-3+deb10u1 [experimental] - ppp 2.4.8-1+1~exp1 - ppp <unfixed> (bug #950618) NOTE: http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86 
@@ -11310,7 +11310,7 @@ CVE-2020-8519 CVE-2020-8518 (Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary P ...) {DLA-2174-1} - php-horde-data <removed> (bug #951537) - [buster] - php-horde-data <no-dsa> (Minor issue) + [buster] - php-horde-data 2.1.4-5+deb10u1 [stretch] - php-horde-data <no-dsa> (Minor issue) NOTE: https://lists.horde.org/archives/announce/2020/001285.html NOTE: https://github.com/horde/Data/commit/78ad0c2390176cdde7260a271bc6ddd86f4c9c0e @@ -12133,7 +12133,7 @@ CVE-2020-8142 (A security restriction bypass vulnerability has been discovered i NOT-FOR-US: Revive Adserver CVE-2020-8141 (The dot package v1.1.2 uses Function() to compile templates. This can ...) - node-dot 1.1.3+ds-1 - [buster] - node-dot <no-dsa> (Will be fixed via point release) + [buster] - node-dot 1.1.1-1+deb10u1 NOTE: https://hackerone.com/reports/390929 CVE-2020-8140 (A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed t ...) - nextcloud-desktop <not-affected> (MacOS-specific) @@ -12160,7 +12160,7 @@ CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 al CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < 12.3. ...) {DLA-2120-1} - rake 12.3.3-1 - [buster] - rake <no-dsa> (Minor issue) + [buster] - rake 12.3.1-3+deb10u1 [stretch] - rake <no-dsa> (Minor issue) NOTE: https://hackerone.com/reports/651518 NOTE: Fixed by: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee (v12.3.3) 
@@ -12196,7 +12196,7 @@ CVE-2020-8117 (Improper preservation of permissions in Nextcloud Server 14.0.3 c - nextcloud-server <itp> (bug #941708) CVE-2020-8116 (Prototype pollution vulnerability in dot-prop npm package version 5.1. ...) - node-dot-prop 5.2.0-1 - [buster] - node-dot-prop <no-dsa> (Minor issue) + [buster] - node-dot-prop 4.1.1-1+deb10u1 NOTE: https://hackerone.com/reports/719856 NOTE: https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2 CVE-2020-8115 (A reflected XSS vulnerability has been discovered in the publicly acce ...) @@ -13421,7 +13421,7 @@ CVE-2020-7611 (All versions of io.micronaut:micronaut-http-client before 1.2.11 CVE-2020-7610 (All versions of bson before 1.1.4 are vulnerable to Deserialization of ...) [experimental] - node-mongodb 3.5.5+~cs11.12.19-1 - node-mongodb 3.5.6+~cs11.12.19-1 - [buster] - node-mongodb <no-dsa> (Minor issue) + [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1 NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19 NOTE: https://snyk.io/vuln/SNYK-JS-BSON-561052 NOTE: https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8 @@ -13429,7 +13429,7 @@ CVE-2020-7609 (node-rules including 3.0.0 and prior to 5.0.0 allows injection of NOT-FOR-US: Node node-rules CVE-2020-7608 (yargs-parser could be tricked into adding or modifying properties of O ...) - node-yargs-parser 18.1.1-1 - [buster] - node-yargs-parser <no-dsa> (Minor issue; can be fixed via point release) + [buster] - node-yargs-parser 11.1.1-1+deb10u1 [stretch] - node-yargs-parser <ignored> (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381 NOTE: https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2 
@@ -18896,7 +18896,7 @@ CVE-2020-5268 (In Saml2 Authentication Services for ASP.NET versions before 1.0. CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...) {DLA-2149-1} - rails 2:5.2.4.1+dfsg-2 (bug #954304) - [buster] - rails <no-dsa> (Minor issue) + [buster] - rails 2:5.2.2.1+dfsg-1+deb10u1 [stretch] - rails <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1 NOTE: https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a (master) @@ -19119,7 +19119,7 @@ CVE-2020-5203 (In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code NOT-FOR-US: Fat-Free Framework CVE-2020-5202 (apt-cacher-ng through 3.3 allows local users to obtain sensitive infor ...) - apt-cacher-ng 3.3.1-1 - [buster] - apt-cacher-ng <no-dsa> (Minor issue) + [buster] - apt-cacher-ng 3.2.1-1 [stretch] - apt-cacher-ng <no-dsa> (Minor issue) [jessie] - apt-cacher-ng <no-dsa> (Minor issue) NOTE: https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc @@ -22928,7 +22928,7 @@ CVE-2020-3899 (A memory consumption issue was addressed with improved memory han CVE-2020-3898 [heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c] RESERVED - cups 2.3.1-12 - [buster] - cups <no-dsa> (Minor issue) + [buster] - cups 2.2.10-6+deb10u3 [stretch] - cups <no-dsa> (Minor issue) [jessie] - cups <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1823964 @@ -23857,7 +23857,7 @@ CVE-2019-19792 (A permissions issue in ESET Cyber Security before 6.8.300.0 for CVE-2019-19791 [Apache access rules and SOAP/REST endpoints issue] RESERVED - lemonldap-ng 2.0.7+ds-1 - [buster] - lemonldap-ng <no-dsa> (Minor issue) + [buster] - lemonldap-ng 2.0.2+ds-7+deb10u3 [stretch] - lemonldap-ng <no-dsa> (Minor issue) [jessie] - lemonldap-ng <no-dsa> (Minor issue) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943 
@@ -24891,7 +24891,7 @@ CVE-2020-3124 RESERVED CVE-2020-3123 (A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiV ...) - clamav 0.102.2+dfsg-1 (bug #950944) - [buster] - clamav <no-dsa> (ClamAV is updated via -updates) + [buster] - clamav 0.102.2+dfsg-0+deb10u1 [stretch] - clamav <no-dsa> (ClamAV is updated via -updates) [jessie] - clamav <not-affected> (Vulnerable code introduced in 0.102.x) NOTE: https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html @@ -29158,7 +29158,7 @@ CVE-2020-1731 (A flaw was found in all versions of the Keycloak operator, before NOT-FOR-US: Keycloak CVE-2020-1730 (A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in t ...) - libssh 0.9.4-1 (bug #956308) - [buster] - libssh <no-dsa> (Minor issue, can be fixed via point release) + [buster] - libssh 0.8.7-1+deb10u1 [stretch] - libssh <not-affected> (Vulnerable code introduced later) [jessie] - libssh <not-affected> (Vulnerable code introduced later) NOTE: https://www.libssh.org/security/advisories/CVE-2020-1730.txt @@ -29216,7 +29216,7 @@ CVE-2020-1713 RESERVED CVE-2020-1712 (A heap use-after-free vulnerability was found in systemd before versio ...) - systemd 244.2-1 (bug #950732) - [buster] - systemd <no-dsa> (Can be fixed via point release) + [buster] - systemd 241-7~deb10u4 [stretch] - systemd <no-dsa> (Can be fixed via point release) [jessie] - systemd <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/systemd/systemd/commit/773b1a7916bfce3aa2a21ecf534d475032e8528e (preparation) 
@@ -39485,21 +39485,21 @@ CVE-2019-16778 (In TensorFlow before 1.15, a heap buffer overflow in UnsortedSeg CVE-2019-16777 (Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary ...) [experimental] - npm 6.13.4+ds-1 - npm 6.13.4+ds-2 (bug #947127) - [buster] - npm <no-dsa> (Minor issue) + [buster] - npm 5.8.0+ds6-4+deb10u1 [jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support) NOTE: https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli CVE-2019-16776 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...) [experimental] - npm 6.13.4+ds-1 - npm 6.13.4+ds-2 (bug #947127) - [buster] - npm <no-dsa> (Minor issue) + [buster] - npm 5.8.0+ds6-4+deb10u1 [jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support) NOTE: https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46 NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...) [experimental] - npm 6.13.4+ds-1 - npm 6.13.4+ds-2 (bug #947127) - [buster] - npm <no-dsa> (Minor issue) + [buster] - npm 5.8.0+ds6-4+deb10u1 [jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support) NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli 
@@ -39517,7 +39517,7 @@ CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vuln NOT-FOR-US: Armeria CVE-2019-16770 (In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client coul ...) - puma 3.12.0-4 (bug #946312) - [buster] - puma <no-dsa> (Minor issue) + [buster] - puma 3.12.0-2+deb10u1 [stretch] - puma <no-dsa> (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e @@ -42612,7 +42612,7 @@ CVE-2019-15690 RESERVED {DLA-2146-1} - libvncserver 0.9.12+dfsg-9 (bug #954163) - [buster] - libvncserver <no-dsa> (Minor issue) + [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 [stretch] - libvncserver <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/LibVNC/libvncserver/issues/381 @@ -43167,7 +43167,7 @@ CVE-2019-15523 RESERVED CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...) - csync2 2.0-25-gc0faaf9-1 (bug #955445) - [buster] - csync2 <no-dsa> (Minor issue) + [buster] - csync2 2.0-22-gce67c55-1+deb10u1 [stretch] - csync2 <no-dsa> (Minor issue) [jessie] - csync2 <no-dsa> (Minor issue) NOTE: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1 @@ -44645,7 +44645,7 @@ CVE-2017-18516 (The bws-linkedin plugin before 1.0.5 for WordPress has multiple CVE-2016-10894 (xtrlock through 2.10 does not block multitouch events. Consequently, a ...) {DLA-1959-1} - xtrlock 2.12 (bug #830726) - [buster] - xtrlock <no-dsa> (Minor issue; can be fixed via point release) + [buster] - xtrlock 2.8+deb10u1 [stretch] - xtrlock <no-dsa> (Minor issue; can be fixed via point release) CVE-2016-10893 (The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has mu ...) NOT-FOR-US: Wordpress plugin 
@@ -45445,6 +45445,7 @@ CVE-2019-14863 (There is a vulnerability in all angular versions before 1.5.0-be NOTE: https://github.com/angular/angular.js/pull/12524 CVE-2019-14862 (There is a vulnerability in knockout before version 3.5.0-beta, where ...) - node-knockout 3.4.2-3 (unimportant; bug #943560) + [buster] - node-knockout 3.4.2-2+deb10u1 NOTE: https://github.com/knockout/knockout/issues/1244 NOTE: https://github.com/knockout/knockout/pull/2345 NOTE: https://github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb @@ -46298,13 +46299,13 @@ CVE-2019-14588 CVE-2019-14587 RESERVED - edk2 0~20200229.4c0f6e34-1 - [buster] - edk2 <no-dsa> (Minor issue) + [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <no-dsa> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) CVE-2019-14586 RESERVED - edk2 0~20200229.4c0f6e34-1 - [buster] - edk2 <no-dsa> (Minor issue) + [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <no-dsa> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) CVE-2019-14585 @@ -46330,7 +46331,7 @@ CVE-2019-14576 CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check] RESERVED - edk2 0~20200229.4c0f6e34-1 (low; bug #952935) - [buster] - edk2 <no-dsa> (Minor issue) + [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <no-dsa> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608 @@ -46359,7 +46360,7 @@ CVE-2019-14564 CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib] RESERVED - edk2 0~20200229.4c0f6e34-1 (low; bug #952934) - [buster] - edk2 <no-dsa> (Minor issue) + [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <no-dsa> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891 
@@ -46373,7 +46374,7 @@ CVE-2019-14560 CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc] RESERVED - edk2 0~20200229.4c0f6e34-1 (bug #952926; low) - [buster] - edk2 <no-dsa> (Minor issue) + [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <no-dsa> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550 @@ -46381,7 +46382,7 @@ CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc] CVE-2019-14558 RESERVED - edk2 0~20200229.4c0f6e34-1 - [buster] - edk2 <no-dsa> (Minor issue) + [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <no-dsa> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) CVE-2019-14557 @@ -46683,6 +46684,7 @@ CVE-2019-14467 (The Social Photo Gallery plugin 1.0 for WordPress allows Remote CVE-2019-14466 (The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable ...) {DLA-1905-1} - gosa 2.7.4+reloaded3-10 + [buster] - gosa 2.7.4+reloaded3-8+deb10u2 NOTE: https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b (fix) NOTE: https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a (fixing the prev commit) NOTE: https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100 @@ -58563,7 +58565,7 @@ CVE-2019-10786 (network-manager through 1.0.2 allows remote attackers to execute CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions before ver ...) {DLA-2127-1} - dojo 1.15.2+dfsg1-1 (bug #952771) - [buster] - dojo <no-dsa> (Minor issue) + [buster] - dojo 1.15.0+dfsg1-1+deb10u1 NOTE: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr NOTE: https://snyk.io/vuln/SNYK-JS-DOJOX-548257 NOTE: https://github.com/dojo/dojox/pull/315 
@@ -62688,7 +62690,7 @@ CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...) {DLA-1768-1} - checkstyle 8.26-1 (low; bug #924598) - [buster] - checkstyle <no-dsa> (Minor issue) + [buster] - checkstyle 8.15-1+deb10u1 [stretch] - checkstyle <no-dsa> (Minor issue) NOTE: https://github.com/checkstyle/checkstyle/issues/6474 NOTE: https://github.com/checkstyle/checkstyle/issues/6478 @@ -65076,7 +65078,7 @@ CVE-2019-8843 CVE-2019-8842 [he `ippReadIO` function may under-read an extension field] RESERVED - cups 2.3.1-12 - [buster] - cups <no-dsa> (Minor issue) + [buster] - cups 2.2.10-6+deb10u3 [stretch] - cups <no-dsa> (Minor issue) [jessie] - cups <no-dsa> (Minor issue) NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ipp.c: ippReadIO) @@ -73857,7 +73859,7 @@ CVE-2019-5430 (In UniFi Video 3.10.0 and prior, due to the lack of CSRF protecti NOT-FOR-US: Ubiquiti Networks UniFi Video CVE-2019-5429 (Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacke ...) - filezilla 3.45.1-1 (low; bug #928282) - [buster] - filezilla <no-dsa> (Minor issue) + [buster] - filezilla 3.39.0-2+deb10u1 [stretch] - filezilla <no-dsa> (Minor issue) [jessie] - filezilla <no-dsa> (Minor issue) NOTE: https://svn.filezilla-project.org/filezilla?revision=9097&view=revision @@ -77264,7 +77266,7 @@ CVE-2019-3867 NOT-FOR-US: OpenShift (web-cosnole issue specific to OpenShift only) CVE-2019-3866 (An information-exposure vulnerability was discovered where openstack-m ...) - python-oslo.utils 3.41.3-1 (low; bug #946060) - [buster] - python-oslo.utils <no-dsa> (Minor issue; can be fixed via point release) + [buster] - python-oslo.utils 3.36.5-0+deb10u1 [stretch] - python-oslo.utils <no-dsa> (Minor issue; can be fixed via point release) [jessie] - python-oslo.utils <not-affected> (regex pattern rewrite) - python-mistral-lib 1.2.0-3 
@@ -82754,7 +82756,7 @@ CVE-2019-2392 CVE-2019-2391 (Incorrect parsing of certain JSON input may result in js-bson not corr ...) [experimental] - node-mongodb 3.5.5+~cs11.12.19-1 - node-mongodb 3.5.6+~cs11.12.19-1 - [buster] - node-mongodb <no-dsa> (Minor issue) + [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1 NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19 CVE-2019-2390 (An unprivileged user or program on Microsoft Windows which can create ...) NOT-FOR-US: Microsoft diff --git a/data/next-point-update.txt b/data/next-point-update.txt index c0e8d89547..853b31172c 100644 --- a/data/next-point-update.txt +++ b/data/next-point-update.txt 
@@ -1,83 +1,3 @@ -CVE-2019-3866 - [buster] - python-oslo.utils 3.36.5-0+deb10u1 -CVE-2019-5429 - [buster] - filezilla 3.39.0-2+deb10u1 -CVE-2019-16775 - [buster] - npm 5.8.0+ds6-4+deb10u1 -CVE-2019-16776 - [buster] - npm 5.8.0+ds6-4+deb10u1 -CVE-2019-16777 - [buster] - npm 5.8.0+ds6-4+deb10u1 -CVE-2016-10894 - [buster] - xtrlock 2.8+deb10u1 -CVE-2019-19791 - [buster] - lemonldap-ng 2.0.2+ds-7+deb10u3 -CVE-2020-5202 - [buster] - apt-cacher-ng 3.2.1-1 -CVE-2020-8116 - [buster] - node-dot-prop 4.1.1-1+deb10u1 -CVE-2019-16770 - [buster] - puma 3.12.0-2+deb10u1 -CVE-2020-3123 - [buster] - clamav 0.102.2+dfsg-0+deb10u1 -CVE-2019-10785 - [buster] - dojo 1.15.0+dfsg1-1+deb10u1 -CVE-2020-8130 - [buster] - rake 12.3.1-3+deb10u1 -CVE-2020-10174 - [buster] - timeshift 19.01+ds-2+deb10u1 -CVE-2020-9543 - [buster] - manila 1:7.0.0-1+deb10u1 -CVE-2020-8141 - [buster] - node-dot 1.1.1-1+deb10u1 -CVE-2020-5267 - [buster] - rails 2:5.2.2.1+dfsg-1+deb10u1 -CVE-2020-8597 - [buster] - lwip 2.0.3-3+deb10u1 -CVE-2020-7608 - [buster] - node-yargs-parser 11.1.1-1+deb10u1 -CVE-2019-14862 - [buster] - node-knockout 3.4.2-2+deb10u1 -CVE-2019-9658 - [buster] - checkstyle 8.15-1+deb10u1 -CVE-2019-15522 - [buster] - csync2 2.0-22-gce67c55-1+deb10u1 -CVE-2019-15690 - [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 -CVE-2019-20788 - [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 -CVE-2020-1712 - [buster] - systemd 241-7~deb10u4 -CVE-2020-8518 - [buster] - php-horde-data 2.1.4-5+deb10u1 -CVE-2020-8866 - [buster] - php-horde-form 2.0.18-3.1+deb10u1 -CVE-2020-8865 - [buster] - php-horde-trean 1.1.9-3+deb10u1 -CVE-2019-14587 - [buster] - edk2 0~20181115.85588389-3+deb10u1 -CVE-2019-14586 - [buster] - edk2 0~20181115.85588389-3+deb10u1 -CVE-2019-14558 - [buster] - edk2 0~20181115.85588389-3+deb10u1 -CVE-2019-14563 - [buster] - edk2 0~20181115.85588389-3+deb10u1 -CVE-2019-14559 - [buster] - edk2 0~20181115.85588389-3+deb10u1 -CVE-2019-14575 - [buster] - edk2 0~20181115.85588389-3+deb10u1 -CVE-2020-3898 
- [buster] - cups 2.2.10-6+deb10u3 -CVE-2019-8842 - [buster] - cups 2.2.10-6+deb10u3 -CVE-2020-1730 - [buster] - libssh 0.8.7-1+deb10u1 -CVE-2020-7610 - [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1 -CVE-2019-2391 - [buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1 -CVE-2019-14466 - [buster] - gosa 2.7.4+reloaded3-8+deb10u2 CVE-2019-19919 [buster] - node-handlebars 3:4.1.0-1+deb10u1 CVE-2019-18277 |
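Review bot: in the CVE-2020-5202 hunk (@@ -19119), the new line `[buster] - apt-cacher-ng 3.2.1-1` is the only buster entry in this change without a `+deb10uN` suffix, and 3.2.1-1 is below the "through 3.3" range the CVE description gives as affected, while unstable is recorded fixed at 3.3.1-1. If 3.2.1-1 is the buster 10.4 upload that carries the salsa commit in the NOTE, a NOTE saying so would keep the entry from reading as "fixed in an affected version"; if a deb10u1 was uploaded instead, that version belongs here and in the matching next-point-update.txt removal.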
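Review bot: in the CVE-2019-14862 hunk (@@ -45445), the added `[buster] - node-knockout 3.4.2-2+deb10u1` sits directly under an unstable entry still tagged `(unimportant; bug #943560)`, so at a glance the entry both dismisses the issue and ships a stable update for it. Either the `unimportant` tag should go, or a NOTE should record that the buster upload carries the fix alongside other changes, so the severity and the point-update line agree.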
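Review bot: the data/next-point-update.txt hunk (@@ -1,83 +1,3) removes 40 CVE/version pairs (80 lines, matching the diffstat), and each pair has a corresponding `+ [buster]` line in the data/CVE/list hunks above with the same package and version, including the six edk2 entries at 0~20181115.85588389-3+deb10u1 and the two cups entries at 2.2.10-6+deb10u3, so nothing is dropped from the queue without being recorded as fixed. The hunk is cut off after `CVE-2019-18277`, so the entries left in the file (node-handlebars 3:4.1.0-1+deb10u1 and CVE-2019-18277) cannot be checked here; a line in the commit message stating that those are deliberately held back from 10.4 would make the intent explicit.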