From 2201c6c930125cac57f75573a79c5c87e1123e8a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Sat, 9 Oct 2021 10:39:17 +0200 Subject: Merge in the accepted packages from bullseye 11.1 Though the release has not happened yet, this is the list of packages which were copied over from bullseye-pu to bullseye. The final 11.1 changes need to still be verified for any missing additional ones. --- data/CVE/list | 55 +++++++++++++++++++++++---------------------- data/next-point-update.txt | 56 ---------------------------------------------- 2 files changed, 28 insertions(+), 83 deletions(-) diff --git a/data/CVE/list b/data/CVE/list index 6d36069010..49e9f4ef50 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -1893,7 +1893,7 @@ CVE-2021-3808 RESERVED CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Complexity ...) - node-ansi-regex 5.0.1-1 (bug #994568) - [bullseye] - node-ansi-regex (Minor issue) + [bullseye] - node-ansi-regex 5.0.1-1~deb11u1 [buster] - node-ansi-regex (Minor issue) [stretch] - node-ansi-regex (Vulnerable code introduced later) NOTE: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994 @@ -1902,7 +1902,7 @@ CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extra NOT-FOR-US: Pardus Software Center CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification of Obj ...) - node-object-path 0.11.8-1 - [bullseye] - node-object-path (Minor issue) + [bullseye] - node-object-path 0.11.5-3+deb11u1 [buster] - node-object-path (Minor issue) [stretch] - node-object-path (Minor issue) NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 
@@ -2391,6 +2391,7 @@ CVE-2021-41078 RESERVED CVE-2021-3801 (prism is vulnerable to Inefficient Regular Expression Complexity ...) - node-prismjs 1.25.0+dfsg-1 + [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1 NOTE: https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9 CVE-2021-41077 (The activation process in Travis CI, for certain 2021-09-03 through 20 ...) NOT-FOR-US: Travis CI @@ -2846,7 +2847,7 @@ CVE-2021-3799 (grav-plugin-admin is vulnerable to Improper Restriction of Render NOT-FOR-US: Grav CMS CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buff ...) - atftp 0.7.git20210915-1 (bug #994895) - [bullseye] - atftp (Minor issue; can be fixed via point release) + [bullseye] - atftp 0.7.git20120829-3.3+deb11u1 [buster] - atftp (Minor issue; can be fixed via point release) [stretch] - atftp (Minor issue) NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/ @@ -3297,7 +3298,7 @@ CVE-2021-XXXX [jws alg:none signature verification issue] NOTE: https://github.com/babelouest/rhonabwy/commit/ff9ecad4c9a031c8369acde67ea52d558899e51e (v1.0.0) CVE-2021-40818 (scheme/webauthn.c in Glewlwyd SSO server through 2.5.3 has a buffer ov ...) - glewlwyd 2.5.2-3 (bug #993867) - [bullseye] - glewlwyd (Minor issue; can be fixed via point release) + [bullseye] - glewlwyd 2.5.2-2+deb11u1 [buster] - glewlwyd (Minor issue; can be fixed via point release) NOTE: https://github.com/babelouest/glewlwyd/commit/0efd112bb62f566877750ad62ee828bff579b4e2 CVE-2021-40683 (In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4 ...) 
@@ -3600,7 +3601,7 @@ CVE-2021-40541 RESERVED CVE-2021-40540 (ulfius_uri_logger in Ulfius HTTP Framework before 2.7.4 omits con_info ...) - ulfius 2.7.1-2 (bug #993851) - [bullseye] - ulfius (Minor issue) + [bullseye] - ulfius 2.7.1-1+deb11u1 [buster] - ulfius (Minor issue) NOTE: https://github.com/babelouest/ulfius/commit/c83f564c184a27145e07c274b305cabe943bbfaa CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnera ...) @@ -4189,7 +4190,7 @@ CVE-2021-3750 [hcd-ehci: DMA reentrancy issue leads to use-after-free] NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity ...) - node-axios 0.21.3+dfsg-1 - [bullseye] - node-axios (Minor issue) + [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1 [buster] - node-axios (Minor issue) NOTE: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/ NOTE: https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929 @@ -8275,7 +8276,7 @@ CVE-2021-38562 RESERVED - request-tracker5 (bug #995167) - request-tracker4 4.4.4+dfsg-3 (bug #995175) - [bullseye] - request-tracker4 (Minor issue; will be fixed via point release) + [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1 [buster] - request-tracker4 (Minor issue; will be fixed via point release) [stretch] - request-tracker4 (Minor issue) NOTE: https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c (rt-5.0.2) 
@@ -9315,7 +9316,7 @@ CVE-2020-36432 (An issue was discovered in the alg_ds crate through 2020-08-25 f CVE-2021-38173 (Btrbk before 0.31.2 allows command execution because of the mishandlin ...) {DLA-2755-1} - btrbk 0.27.1-2 - [bullseye] - btrbk (Minor issue; can be fixed via point release) + [bullseye] - btrbk 0.27.1-1.1+deb11u1 [buster] - btrbk (Minor issue; can be fixed via point release) NOTE: Fixed by: https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584 (v0.31.2) NOTE: Introduced by: https://github.com/digint/btrbk/commit/ccb5ed5e7191a083da52998df4c880f693451144 (v0.23.0-rc1) @@ -10094,7 +10095,7 @@ CVE-2021-37844 CVE-2021-3677 [Memory disclosure in certain queries] RESERVED - postgresql-13 13.4-1 - [bullseye] - postgresql-13 (Minor issue; will be fixed via point release) + [bullseye] - postgresql-13 13.4-0+deb11u1 - postgresql-11 [buster] - postgresql-11 (Minor issue) NOTE: https://www.postgresql.org/about/news/postgresql-134-128-1113-1018-9623-and-14-beta-3-released-2277/ @@ -10305,7 +10306,7 @@ CVE-2021-37751 CVE-2021-37750 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before ...) {DLA-2771-1} - krb5 1.18.3-7 (bug #992607) - [bullseye] - krb5 (Minor issue) + [bullseye] - krb5 1.18.3-6+deb11u1 [buster] - krb5 (Minor issue) NOTE: https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49 CVE-2021-37749 (MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16 ...) @@ -12528,7 +12529,7 @@ CVE-2021-36774 RESERVED CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) - ublock-origin 1.37.0+dfsg-1 (bug #991386) - [bullseye] - ublock-origin (Minor issue) + [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1 [buster] - ublock-origin (Minor issue) [stretch] - ublock-origin (Minor issue) - umatrix (bug #991344) 
@@ -14558,7 +14559,7 @@ CVE-2021-3627 RESERVED CVE-2021-35940 (An out-of-bounds array read in the apr_time_exp*() functions was fixed ...) - apr 1.7.0-7 (bug #992789) - [bullseye] - apr (Minor issue) + [bullseye] - apr 1.7.0-6+deb11u1 [buster] - apr (Vulnerable code re-introduced in 1.7.0) [stretch] - apr (Vulnerable code re-introduced in 1.7.0) NOTE: The issue exists because the CVE-2017-12613 fix was not carried forward @@ -15845,7 +15846,7 @@ CVE-2021-35369 CVE-2021-35368 [CRS Request Body Bypass] RESERVED - modsecurity-crs 3.3.2-1 (bug #992000) - [bullseye] - modsecurity-crs (Minor issue) + [bullseye] - modsecurity-crs 3.3.0-1+deb11u1 [buster] - modsecurity-crs (Minor issue) [stretch] - modsecurity-crs (Minor issue) NOTE: https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/ @@ -17653,7 +17654,7 @@ CVE-2021-3596 CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP network ...) {DLA-2753-1} - libslirp 4.6.1-1 (bug #989996) - [bullseye] - libslirp (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu (Minor issue) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) @@ -17663,7 +17664,7 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP network ...) {DLA-2753-1} - libslirp 4.6.1-1 (bug #989995) - [bullseye] - libslirp (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu (Minor issue) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) 
@@ -17671,7 +17672,7 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP network ...) - libslirp 4.6.1-1 (bug #989994) - [bullseye] - libslirp (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue) @@ -17680,7 +17681,7 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP network ...) - libslirp 4.6.1-1 (bug #989993) - [bullseye] - libslirp (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu (Minor issue) [stretch] - qemu (Introduces a regression. See Debian bug #994080) @@ -19956,7 +19957,7 @@ CVE-2021-33583 (REINER timeCard 6.05.07 installs a Microsoft SQL Server with an NOT-FOR-US: REINER CVE-2021-33582 (Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of s ...) - cyrus-imapd 3.4.2-1 (bug #993433) - [bullseye] - cyrus-imapd (Minor issue; pending fix via point release) + [bullseye] - cyrus-imapd 3.2.6-2+deb11u1 [buster] - cyrus-imapd (Minor issue; can be fixed via point release) [stretch] - cyrus-imapd (Minor issue; can be fixed via point release) - cyrus-imapd-2.4 
@@ -21885,14 +21886,14 @@ CVE-2021-32805 (Flask-AppBuilder is an application development framework, built NOT-FOR-US: Flask-AppBuilder CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4 ...) - node-tar 6.1.7+~cs11.3.10-1 (bug #992111) - [bullseye] - node-tar (Minor issue) + [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 [buster] - node-tar (Minor issue) [stretch] - node-tar (Vulnerable code introduced later) NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 NOTE: https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 CVE-2021-32803 (The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4 ...) - node-tar 6.1.7+~cs11.3.10-1 (bug #992110) - [bullseye] - node-tar (Minor issue) + [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 [buster] - node-tar (Minor issue) [stretch] - node-tar (Vulnerable code introduced later) NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw @@ -30603,7 +30604,7 @@ CVE-2021-29489 (Highcharts JS is a JavaScript charting library based on SVG. In NOT-FOR-US: Highcharts JS CVE-2021-29488 (SABnzbd is an open source binary newsreader. A vulnerability was disco ...) - sabnzbdplus 3.2.1+dfsg-1 - [bullseye] - sabnzbdplus (Minor issue; non-free/contrib not security supported) + [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1 [buster] - sabnzbdplus (Minor issue; non-free/contrib not security supported) [stretch] - sabnzbdplus (Minor issue; contrib not supported) NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-jwj3-wrvf-v3rp 
@@ -45202,7 +45203,7 @@ CVE-2021-23441 (All versions of package com.jsoniter:jsoniter are vulnerable to NOT-FOR-US: com.jsoniter:jsoniter CVE-2021-23440 (This affects the package set-value before 4.0.1. A type confusion vuln ...) - node-set-value 3.0.1-3 (bug #994448) - [bullseye] - node-set-value (Minor issue) + [bullseye] - node-set-value 3.0.1-2+deb11u1 [buster] - node-set-value (Minor issue) [stretch] - node-set-value (Minor issue) NOTE: https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 (v4.0.1) @@ -45223,7 +45224,7 @@ CVE-2021-23435 (This affects the package clearance before 2.5.0. The vulnerabili NOT-FOR-US: Rails clearance gem CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confusion v ...) - node-object-path 0.11.7-1 - [bullseye] - node-object-path (Minor issue) + [bullseye] - node-object-path 0.11.5-3+deb11u1 [buster] - node-object-path (Minor issue) [stretch] - node-object-path (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 @@ -88811,7 +88812,7 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...) {DLA-2726-1} - shiro 1.3.2-5 (bug #988728) - [bullseye] - shiro (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7 NOTE: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E 
@@ -98055,7 +98056,7 @@ CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6 CVE-2020-13933 (Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafte ...) {DLA-2726-1} - shiro 1.3.2-5 (bug #968753) - [bullseye] - shiro (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro (Minor issue) NOTE: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E CVE-2020-13932 (In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT p ...) @@ -103229,7 +103230,7 @@ CVE-2020-11990 (We have resolved a security issue in the camera plugin that coul CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...) {DLA-2273-1} - shiro 1.3.2-5 (bug #988728) - [bullseye] - shiro (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1 NOTE: https://github.com/apache/shiro/pull/211 @@ -131299,7 +131300,7 @@ CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, calle CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...) {DLA-2273-1 DLA-2181-1} - shiro 1.3.2-5 (bug #955018) - [bullseye] - shiro (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2 NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139 diff --git a/data/next-point-update.txt b/data/next-point-update.txt index 5732045040..51a2a13183 100644 --- a/data/next-point-update.txt +++ b/data/next-point-update.txt 
@@ -1,59 +1,3 @@ -CVE-2021-32803 - [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 -CVE-2021-32804 - [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 -CVE-2021-3677 - [bullseye] - postgresql-13 13.4-0+deb11u1 -CVE-2021-35940 - [bullseye] - apr 1.7.0-6+deb11u1 -CVE-2021-35368 - [bullseye] - modsecurity-crs 3.3.0-1+deb11u1 -CVE-2021-29488 - [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1 -CVE-2020-1957 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2020-11989 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2020-13933 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2020-17510 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2021-36773 - [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1 -CVE-2021-37750 - [bullseye] - krb5 1.18.3-6+deb11u1 -CVE-2021-33582 - [bullseye] - cyrus-imapd 3.2.6-2+deb11u1 -CVE-2021-3749 - [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1 -CVE-2021-38173 - [bullseye] - btrbk 0.27.1-1.1+deb11u1 -CVE-2021-23434 - [bullseye] - node-object-path 0.11.5-3+deb11u1 -CVE-2021-3805 - [bullseye] - node-object-path 0.11.5-3+deb11u1 -CVE-2021-23440 - [bullseye] - node-set-value 3.0.1-2+deb11u1 -CVE-2021-41054 - [bullseye] - atftp 0.7.git20120829-3.3+deb11u1 -CVE-2021-40818 - [bullseye] - glewlwyd 2.5.2-2+deb11u1 -CVE-2021-40540 - [bullseye] - ulfius 2.7.1-1+deb11u1 -CVE-2021-3807 - [bullseye] - node-ansi-regex 5.0.1-1~deb11u1 -CVE-2021-3801 - [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1 -CVE-2021-3592 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-3595 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-3594 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-3593 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-38562 - [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1 CVE-2019-11098 [bullseye] - edk2 2020.11-2+deb11u1 CVE-2021-38155
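Review bot: the `[bullseye]` lines in the data/CVE/list hunks now carry concrete fixed versions (for example `+ [bullseye] - node-ansi-regex 5.0.1-1~deb11u1`) even though, as the commit message says, 11.1 has not been released, so until it is the tracker will report these 28 CVEs as fixed in stable while the packages are only in bullseye-pu. That is acceptable given the stated intent, but the verification the message promises should re-check every version here against what the 11.1 announcement actually lists, since a package dropped from the point release would leave a wrong fixed version behind. Within the file the entries are consistent with each other: all four libslirp hunks use 4.4.0-1+deb11u2, both node-object-path hunks (CVE-2021-3805, CVE-2021-23434) use 0.11.5-3+deb11u1, and all four shiro hunks use 1.3.2-4+deb11u1.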
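Review bot: the 28 `-CVE-…` entries removed from data/next-point-update.txt match one-for-one the 28 `+ [bullseye]` lines added in data/CVE/list with identical package versions (e.g. `-CVE-2021-3677 - [bullseye] - postgresql-13 13.4-0+deb11u1`), and the diffstat of 28 insertions and 83 deletions agrees with the 27 replaced lines plus the new node-prismjs line there and the 56 lines removed here, so the two files stay in sync. CVE-2019-11098 (edk2) and CVE-2021-38155 remain queued, which fits the message's note that the final 11.1 contents are still to be verified; one thing to confirm is that the trailing context stops at `CVE-2021-38155` without its version line, so check that entry is still complete in the file after this edit.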