From 7f560f6e741245c9ac7a39cfc91d63a81b13029c Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Sat, 26 Mar 2022 11:20:36 +0100
Subject: Track updates included for buster point release

---
 data/CVE/list | 211 +++++++++++++++++---------------
 data/next-oldstable-point-update.txt | 226 -----------------------------------
 2 files changed, 113 insertions(+), 324 deletions(-)

diff --git a/data/CVE/list b/data/CVE/list
index 58bdc3533b..00eb43c2cc 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2414,7 +2414,7 @@ CVE-2022-0938 (Stored XSS via file upload in GitHub repository star7th/showdoc p
 CVE-2021-46709 (phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows para ...)
 - phpliteadmin 1.9.8.2-2
 [bullseye] - phpliteadmin 1.9.8.2-1+deb11u1
- [buster] - phpliteadmin (Minor issue)
+ [buster] - phpliteadmin 1.9.7.1-2+deb10u1
 NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
 NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows
 CVE-2022-26979
@@ -8701,6 +8701,7 @@ CVE-2022-0534 (A vulnerability was found in htmldoc version 1.9.15 where the sta
 {DLA-2928-1}
 - htmldoc 1.9.15-1 (unimportant)
 [bullseye] - htmldoc 1.9.11-4+deb11u2
+ [buster] - htmldoc 1.9.3-1+deb10u3
 NOTE: https://github.com/michaelrsweet/htmldoc/issues/463
 NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50 (v1.9.15)
 NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/312f0f9c12f26fbe015cd0e6cefa40e4b99017d9 (v1.9.15)
@@ -9382,7 +9383,7 @@ CVE-2022-0493
 CVE-2021-46671 (options.c in atftp before 0.7.5 reads past the end of an array, and co ...)
 - atftp 0.7.git20210915-1 (bug #1004974)
 [bullseye] - atftp 0.7.git20120829-3.3+deb11u2
- [buster] - atftp (Minor issue)
+ [buster] - atftp 0.7.git20120829-3.2~deb10u3
 [stretch] - atftp (Minor issue)
 NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5)
 CVE-2022-24407 (In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does ...)
@@ -9911,6 +9912,7 @@ CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain l
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-25787
 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...)
@@ -9918,6 +9920,7 @@ CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-26350
 NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5
 CVE-2021-46666 (MariaDB before 10.6.2 allows an application crash because of mishandli ...)
@@ -9933,6 +9936,7 @@ CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash b
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-25636
 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...)
@@ -9940,6 +9944,7 @@ CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-25761
 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...)
@@ -9947,6 +9952,7 @@ CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application cra
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-26351
 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...)
@@ -9954,6 +9960,7 @@ CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-25637
 NOTE: https://jira.mariadb.org/browse/MDEV-22464
 NOTE: Fixed in MariaDB: 10.3.32, 10.4.22, 10.5.13, 10.6.5
@@ -9962,6 +9969,7 @@ CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-25766
 NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-4218
@@ -10341,7 +10349,7 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows a
 {DLA-2913-1}
 - xterm 370-2 (bug #1004689)
 [bullseye] - xterm 366-1+deb11u1
- [buster] - xterm (Minor issue)
+ [buster] - xterm 344-1+deb10u2
 NOTE: https://twitter.com/nickblack/status/1487731459398025216
 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
@@ -10369,6 +10377,7 @@ CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it doe
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: https://jira.mariadb.org/browse/MDEV-25631
 NOTE: Fixed in MariaDB: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2
 CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an applica ...)
@@ -10627,6 +10636,7 @@ CVE-2022-24052 (MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privil
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-366/
 CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalation Vuln ...)
@@ -10634,6 +10644,7 @@ CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalatio
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-318/
 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-365/
@@ -10642,6 +10653,7 @@ CVE-2022-24050 (MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalati
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-364/
 CVE-2022-24049 (This vulnerability allows remote attackers to execute arbitrary code o ...)
@@ -10651,6 +10663,7 @@ CVE-2022-24048 (MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privi
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-363/
 CVE-2022-24047 (This vulnerability allows remote attackers to bypass authentication on ...)
@@ -13547,7 +13560,7 @@ CVE-2022-23309
 CVE-2022-23308 (valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF ...)
 - libxml2 2.9.13+dfsg-1 (bug #1006489)
 [bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u1
- [buster] - libxml2 (Minor issue; can be fixed via point release)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u3
 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/327
 NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e (v2.9.13)
 CVE-2022-0266 (Authorization Bypass Through User-Controlled Key in Packagist remdex/l ...)
@@ -13560,7 +13573,7 @@ CVE-2022-23307 (CVE-2020-9493 identified a deserialization issue that was presen
 {DLA-2905-1}
 - apache-log4j1.2 1.2.17-11 (bug #1004482)
 [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 (Minor issue)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
 NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/5
 CVE-2022-23306
 RESERVED
@@ -13568,7 +13581,7 @@ CVE-2022-23305 (By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statem
 {DLA-2905-1}
 - apache-log4j1.2 1.2.17-11 (bug #1004482)
 [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 (Minor issue)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
 NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/4
 CVE-2022-0263 (Unrestricted Upload of File with Dangerous Type in Packagist pimcore/p ...)
 NOT-FOR-US: pimcore
@@ -13641,7 +13654,7 @@ CVE-2022-23302 (JMSSink in all versions of Log4j 1.x is vulnerable to deserializ
 {DLA-2905-1}
 - apache-log4j1.2 1.2.17-11 (bug #1004482)
 [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 (Minor issue)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
 NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/3
 CVE-2022-22142 (Reflected cross-site scripting vulnerability in the checkbox of php_ma ...)
 NOT-FOR-US: php_mailform
@@ -21621,7 +21634,7 @@ CVE-2021-4104 (JMSAppender in Log4j 1.2 is vulnerable to deserialization of untr
 {DLA-2905-1}
 - apache-log4j1.2 1.2.17-11
 [bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 (Minor issue; JMSAppender not configured to be used by default)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
 NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/1
 NOTE: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
 NOTE: Issue for Log4j 1.2 when specifically configured to use JMSAppender (not the default)
@@ -21632,7 +21645,7 @@ CVE-2021-44832 (Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding secur
 {DLA-2870-1}
 - apache-log4j2 2.17.1-1 (bug #1002813)
 [bullseye] - apache-log4j2 2.17.1-1~deb11u1
- [buster] - apache-log4j2 (Minor issue; requires attacker with permissions to modify the logging configuration file)
+ [buster] - apache-log4j2 2.17.1-1~deb10u1
 NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
 NOTE: https://issues.apache.org/jira/browse/LOG4J2-3293
 NOTE: https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
@@ -22620,7 +22633,7 @@ CVE-2021-44543 (An XSS vulnerability was found in Privoxy which was fixed in cgi
 {DLA-2844-1}
 - privoxy 3.0.33-1
 [bullseye] - privoxy 3.0.32-2+deb11u1
- [buster] - privoxy (Minor issue)
+ [buster] - privoxy 3.0.28-2+deb10u2
 NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1
 NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 (v_3_0_33)
 CVE-2021-44542 (A memory leak vulnerability was found in Privoxy when handling errors. ...)
@@ -22641,7 +22654,7 @@ CVE-2021-44540 (A vulnerability was found in Privoxy which was fixed in get_url_
 {DLA-2844-1}
 - privoxy 3.0.33-1
 [bullseye] - privoxy 3.0.32-2+deb11u1
- [buster] - privoxy (Minor issue)
+ [buster] - privoxy 3.0.28-2+deb10u2
 NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1
 NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=652b4b7cb07592c0912cf938a50fcd009fa29a0a (v_3_0_33)
 CVE-2021-43353 (The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Reque ...)
@@ -23566,7 +23579,7 @@ CVE-2021-4024 (A flaw was found in podman. The `podman machine` function (used t
 NOTE: Fixed by: https://github.com/containers/podman/commit/57c5e2246efeaf2fef820a482241f1cc43960c7a (v3.4.3)
 CVE-2021-44227 (In GNU Mailman before 2.1.38, a list member or moderator can get a CSR ...)
 - mailman
- [buster] - mailman (Minor issue)
+ [buster] - mailman 1:2.1.29-1+deb10u4
 [stretch] - mailman (Minor issue; can be fixed with the next DLA)
 NOTE: https://bugs.launchpad.net/mailman/+bug/1952384
 NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt
@@ -26379,7 +26392,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 ha
 {DLA-2837-1}
 - gmp 2:6.2.1+dfsg-3 (bug #994405)
 [bullseye] - gmp 2:6.2.1+dfsg-1+deb11u1
- [buster] - gmp (Minor issue)
+ [buster] - gmp 2:6.1.2+dfsg-4+deb10u1
 NOTE: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
 NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
 CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...)
@@ -26490,6 +26503,7 @@ CVE-2021-43579 (A stack-based buffer overflow in image_load_bmp() in HTMLDOC <
 {DLA-2928-1}
 - htmldoc 1.9.13-1 (unimportant)
 [bullseye] - htmldoc 1.9.11-4+deb11u1
+ [buster] - htmldoc 1.9.3-1+deb10u3
 NOTE: https://github.com/michaelrsweet/htmldoc/commit/27d08989a5a567155d506ac870ae7d8cc88fa58b (v1.9.13)
 NOTE: https://github.com/michaelrsweet/htmldoc/issues/453
 NOTE: Crash in CLI tool, no security impact
@@ -27251,13 +27265,13 @@ CVE-2021-43333 (The Datalogic DXU service on (for example) DL-Axist devices does
 NOT-FOR-US: Datalogic
 CVE-2021-43332 (In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py ad ...)
 - mailman (bug #1000367)
- [buster] - mailman (Minor issue)
+ [buster] - mailman 1:2.1.29-1+deb10u3
 [stretch] - mailman (Minor issue)
 NOTE: https://mail.python.org/archives/list/mailman-announce@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
 NOTE: https://bugs.launchpad.net/mailman/+bug/1949403
 CVE-2021-43331 (In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user ...)
 - mailman (bug #1000367)
- [buster] - mailman (Minor issue)
+ [buster] - mailman 1:2.1.29-1+deb10u3
 [stretch] - mailman (Minor issue)
 NOTE: https://mail.python.org/archives/list/mailman-announce@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
 NOTE: https://bugs.launchpad.net/mailman/+bug/1949401
@@ -28312,7 +28326,7 @@ CVE-2022-20699 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, R
 CVE-2022-20698 (A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) ...)
 - clamav 0.103.5+dfsg-1
 [bullseye] - clamav 0.103.5+dfsg-0+deb11u1
- [buster] - clamav (clamav is updated via -updates)
+ [buster] - clamav 0.103.5+dfsg-0+deb10u1
 [stretch] - clamav (Minor issue; clean crash; follow stable updates)
 NOTE: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
 NOTE: https://github.com/Cisco-Talos/clamav/commit/9a6bb57f89721db637f4ddb5b233c1c4e23d223a (0.103.5)
@@ -35265,6 +35279,7 @@ CVE-2021-40985 (A stack-based buffer under-read in htmldoc before 1.9.12, allows
 {DLA-2928-1}
 - htmldoc 1.9.13-1 (unimportant)
 [bullseye] - htmldoc 1.9.11-4+deb11u1
+ [buster] - htmldoc 1.9.3-1+deb10u3
 NOTE: https://github.com/michaelrsweet/htmldoc/issues/444
 NOTE: https://github.com/michaelrsweet/htmldoc/commit/f12b9666e582a8e7b70f11b28e5ffc49ad625d43 (v1.9.13)
 NOTE: Crash in CLI tool, no security impact
@@ -35509,7 +35524,7 @@ CVE-2021-40874 [RESTServer pwdConfirm always returns true with Combination + Ker
 [experimental] - lemonldap-ng 2.0.14~exp+ds-1
 - lemonldap-ng 2.0.14+ds-1 (bug #1005302)
 [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u1
- [buster] - lemonldap-ng (Minor issue)
+ [buster] - lemonldap-ng 2.0.2+ds-7+deb10u7
 [stretch] - lemonldap-ng (Minor issue)
 NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
 NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8f754812b375768c2124937137c856fe0c
@@ -35551,7 +35566,7 @@ CVE-2021-3796 (vim is vulnerable to Use After Free ...)
 {DLA-2876-1}
 - vim 2:8.2.3455-1 (bug #994497)
 [bullseye] - vim 2:8.2.2434-3+deb11u1
- [buster] - vim (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
 NOTE: https://huntr.dev/bounties/ab60b7f3-6fb1-4ac2-a4fa-4d592e08008d/
 NOTE: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 (v8.2.3428)
 NOTE: https://www.openwall.com/lists/oss-security/2021/10/01/1
@@ -36005,7 +36020,7 @@ CVE-2021-3778 (vim is vulnerable to Heap-based Buffer Overflow ...)
 {DLA-2876-1}
 - vim 2:8.2.3455-1 (bug #994498)
 [bullseye] - vim 2:8.2.2434-3+deb11u1
- [buster] - vim (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
 NOTE: https://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273
 NOTE: https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f (v8.2.3409)
 NOTE: https://www.openwall.com/lists/oss-security/2021/10/01/1
@@ -36431,14 +36446,14 @@ CVE-2021-40516 (WeeChat before 3.2.1 allows remote attackers to cause a denial o
 {DLA-2770-1}
 - weechat 3.2.1-1 (bug #993803)
 [bullseye] - weechat 3.0-1+deb11u1
- [buster] - weechat (Minor issue; can be fixed via point release)
+ [buster] - weechat 2.3-1+deb10u1
 NOTE: https://github.com/weechat/weechat/commit/8b1331f98de1714bae15a9ca2e2b393ba49d735b
 CVE-2021-40515
 RESERVED
 CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...)
 - vim 2:8.2.3455-1 (bug #994076)
 [bullseye] - vim 2:8.2.2434-3+deb11u1
- [buster] - vim (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
 [stretch] - vim (Vulnerable code not present)
 NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
 NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402)
@@ -36760,7 +36775,7 @@ CVE-2021-40391 (An out-of-bounds write vulnerability exists in the drill format
 {DLA-2839-1}
 - gerbv 2.7.1-1
 [bullseye] - gerbv 2.7.0-2+deb11u1
- [buster] - gerbv (Minor issue)
+ [buster] - gerbv 2.7.0-1+deb10u1
 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1402
 NOTE: https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e
 NOTE: https://github.com/gerbv/gerbv/issues/30
@@ -37872,13 +37887,13 @@ CVE-2021-39930 (Missing authorization in GitLab EE versions between 12.4 and 14.
 CVE-2021-39929 (Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4 ...)
 {DSA-5019-1 DLA-2849-1}
 - wireshark 3.6.0-1
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17651
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-07.html
 CVE-2021-39928 (NULL pointer exception in the IEEE 802.11 dissector in Wireshark 3.4.0 ...)
 {DSA-5019-1 DLA-2849-1}
 - wireshark 3.6.0-1
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17704
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-13.html
 CVE-2021-39927 (Server side request forgery protections in GitLab CE/EE versions betwe ...)
@@ -37899,25 +37914,25 @@ CVE-2021-39925 (Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.
 CVE-2021-39924 (Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 ...)
 {DSA-5019-1 DLA-2849-1}
 - wireshark 3.6.0-1
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17677
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-10.html
 CVE-2021-39923 (Large loop in the PNRP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 ...)
 {DSA-5019-1 DLA-2849-1}
 - wireshark 3.6.0-1
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17684
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-11.html
 CVE-2021-39922 (Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 an ...)
 {DSA-5019-1 DLA-2849-1}
 - wireshark 3.6.0-1
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17636
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-12.html
 CVE-2021-39921 (NULL pointer exception in the Modbus dissector in Wireshark 3.4.0 to 3 ...)
 {DSA-5019-1 DLA-2849-1}
 - wireshark 3.6.0-1
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17703
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-14.html
 CVE-2021-39920 (NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3 ...)
@@ -40802,7 +40817,7 @@ CVE-2021-38714 (In Plib through 1.85, there is an integer overflow vulnerability
 {DLA-2775-1}
 - plib 1.8.5-10 (bug #992973)
 [bullseye] - plib 1.8.5-8+deb11u1
- [buster] - plib (Minor issue)
+ [buster] - plib 1.8.5-8+deb10u1
 NOTE: https://sourceforge.net/p/plib/bugs/55/
 CVE-2021-38713 (imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header. ...)
 NOT-FOR-US: imgURL
@@ -44907,7 +44922,7 @@ CVE-2021-37146 (An infinite loop in Open Robotics ros_comm XMLRPC server in ROS
 [experimental] - ros-ros-comm 1.15.13+ds1-1
 - ros-ros-comm 1.15.13+ds1-2
 [bullseye] - ros-ros-comm 1.15.9+ds1-7+deb11u1
- [buster] - ros-ros-comm (Minor issue)
+ [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u3
 [stretch] - ros-ros-comm (Minor issue)
 NOTE: https://discourse.ros.org/t/new-packages-for-melodic-2021-09-27/22446
 NOTE: https://discourse.ros.org/t/new-packages-for-noetic-2021-09-27/22447
@@ -48557,7 +48572,7 @@ CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
 - mariadb-10.5
 [bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 - mariadb-10.3
- [buster] - mariadb-10.3 (Minor issue)
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
 - mysql-8.0
 - mysql-5.7
 NOTE: Fixed in MariaDB: 10.5.13, 10.3.32
@@ -51060,7 +51075,7 @@ CVE-2021-34553 (Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a rem
 CVE-2021-34552 (Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1. ...)
 {DLA-2716-1}
 - pillow 8.1.2+dfsg-0.3 (bug #991293)
- [buster] - pillow (Minor issue, mitigated by FORTIFY_SOURCE)
+ [buster] - pillow 5.4.1-2+deb10u3
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
 NOTE: https://github.com/python-pillow/Pillow/pull/5567
 NOTE: https://github.com/python-pillow/Pillow/commit/31c473898c29d1b7cb6555ce67d9503a4906b83f (8.3.0)
@@ -54524,7 +54539,7 @@ CVE-2021-33121
 CVE-2021-33120 (Out of bounds read under complex microarchitectural condition in memor ...)
 - intel-microcode 3.20220207.1
 [bullseye] - intel-microcode 3.20220207.1~deb11u1
- [buster] - intel-microcode (Wait until exposed in unstable; tendency point release)
+ [buster] - intel-microcode 3.20220207.1~deb10u1
 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html
 CVE-2021-33119 (Improper access control in the Intel(R) RealSense(TM) DCM before versi ...)
 NOT-FOR-US: Intel
@@ -66325,7 +66340,7 @@ CVE-2021-28679
 CVE-2021-28678 (An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImage ...)
 [experimental] - pillow 8.2.0-1
 - pillow 8.1.2+dfsg-0.2 (bug #989062)
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 [stretch] - pillow (Vulnerable code introduced later)
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
 NOTE: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
@@ -66333,7 +66348,7 @@ CVE-2021-28677 (An issue was discovered in Pillow before 8.2.0. For EPS data, th
 {DLA-2716-1}
 [experimental] - pillow 8.2.0-1
 - pillow 8.1.2+dfsg-0.2 (bug #989062)
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
 NOTE: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
 CVE-2021-28676 (An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecod ...)
@@ -67589,31 +67604,31 @@ CVE-2020-36282 (JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 i
 CVE-2020-36281 (Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFew ...)
 {DLA-2612-1}
 - leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22140
 NOTE: https://github.com/DanBloomberg/leptonica/commit/5ee24b398bb67666f6d173763eaaedd9c36fb1e5
 CVE-2020-36280 (Leptonica before 1.80.0 allows a heap-based buffer over-read in pixRea ...)
 - leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
 [stretch] - leptonlib (Vulnerable code introduced later)
 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23654
 NOTE: https://github.com/DanBloomberg/leptonica/commit/5ba34b1fe741d69d43a6c8cf767756997eadd87c
 CVE-2020-36279 (Leptonica before 1.80.0 allows a heap-based buffer over-read in raster ...)
 {DLA-2612-1}
 - leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22512
 NOTE: https://github.com/DanBloomberg/leptonica/commit/3c18c43b6a3f753f0dfff99610d46ad46b8bfac4
 CVE-2020-36278 (Leptonica before 1.80.0 allows a heap-based buffer over-read in findNe ...)
 {DLA-2612-1}
 - leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23433
 NOTE: https://github.com/DanBloomberg/leptonica/commit/8d6e1755518cfb98536d6c3daf0601f226d16842
 CVE-2020-36277 (Leptonica before 1.80.0 allows a denial of service (application crash) ...)
 {DLA-2612-1}
 - leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21997
 NOTE: https://github.com/DanBloomberg/leptonica/pull/499
 CVE-2016-20009 (** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer overfl ...)
@@ -68240,19 +68255,19 @@ CVE-2021-27924 (An issue was discovered in Couchbase Server 6.x through 6.6.1. T
 NOT-FOR-US: Couchbase Server
 CVE-2021-27923 (Pillow before 8.1.1 allows attackers to cause a denial of service (mem ...)
 - pillow 8.1.2-1
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 [stretch] - pillow (Minor issue, risk of regression, _decompression_bomb_check only warned, see CVE-2019-16865)
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
 NOTE: https://github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973
 CVE-2021-27922 (Pillow before 8.1.1 allows attackers to cause a denial of service (mem ...)
 - pillow 8.1.2-1
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 [stretch] - pillow (Minor issue, risk of regression, _decompression_bomb_check only warned, see CVE-2019-16865)
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
 NOTE: https://github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973
 CVE-2021-27921 (Pillow before 8.1.1 allows attackers to cause a denial of service (mem ...)
 - pillow 8.1.2-1
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 [stretch] - pillow (Vulnerable code introduced later)
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
 NOTE: https://github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973
@@ -74852,7 +74867,7 @@ CVE-2021-25293 (An issue was discovered in Pillow before 8.1.1. There is an out-
 NOTE: Introduced in https://github.com/python-pillow/Pillow/commit/a90dc4910045f5c6c119b582d4fd2e4841cd51f8 (v4.3.0)
 CVE-2021-25292 (An issue was discovered in Pillow before 8.1.1. The PDF parser allows ...)
 - pillow 8.1.1-1
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 [stretch] - pillow (Vulnerable code introduced later)
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 NOTE: https://github.com/python-pillow/Pillow/commit/521dab94c7ab72b037bd9a83e9663401e0fd2cee
@@ -74867,7 +74882,7 @@ CVE-2021-25291 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c,
 CVE-2021-25290 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there ...)
 {DLA-2716-1}
 - pillow 8.1.1-1
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 NOTE: https://github.com/python-pillow/Pillow/commit/e25be1e33dc526bfd1094bc778a54d8e29bf66c9
 CVE-2021-25289 (An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap- ...)
@@ -74946,7 +74961,7 @@ CVE-2021-XXXX [Unexpected database bindings via requests (follow-up)]
 CVE-2021-21263 (Laravel is a web application framework. Versions of Laravel before 6.2 ...)
 - php-laravel-framework 6.20.11+dfsg-1 (bug #980095)
 - php-illuminate-database (bug #980899)
- [buster] - php-illuminate-database (Minor issue)
+ [buster] - php-illuminate-database 5.7.27-1+deb10u1
 NOTE: https://blog.laravel.com/security-laravel-62011-7302-8221-released
 NOTE: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
 NOTE: https://github.com/laravel/framework/pull/35865
@@ -81877,7 +81892,7 @@ CVE-2021-22235 (Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to
 {DSA-5019-1 DLA-2849-1}
 [experimental] - wireshark 3.4.7-1~exp1
 - wireshark 3.4.7-1
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-06.html
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17462
 NOTE: Regression fix: https://gitlab.com/wireshark/wireshark/-/merge_requests/3616
@@ -81949,7 +81964,7 @@ CVE-2021-22207 (Excessive memory consumption in MS-WSP dissector in Wireshark 3.
 {DSA-5019-1 DLA-2849-1}
 [experimental] - wireshark 3.4.6-1~exp1
 - wireshark 3.4.7-1 (bug #987853)
- [buster] - wireshark (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17331
 NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
 NOTE: https://www.wireshark.org/security/wnpa-sec-2021-04.html
@@ -85091,7 +85106,7 @@ CVE-2020-35656 (Jaws through 1.8.0 allows remote authenticated administrators to
 NOT-FOR-US: Jaws
 CVE-2020-35655 (In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read whe ...)
 - pillow 8.1.0-1
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 [stretch] - pillow (Vulnerable code introduced later)
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
 NOTE: https://github.com/python-pillow/Pillow/pull/5173
@@ -85108,7 +85123,7 @@ CVE-2020-35654 (In Pillow before 8.1.0, TiffDecode has a heap-based buffer overf
 CVE-2020-35653 (In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding ...)
 {DLA-2716-1}
 - pillow 8.1.0-1
- [buster] - pillow (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
 NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
 NOTE: https://github.com/python-pillow/Pillow/pull/5174
 NOTE: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
@@ -95640,14 +95655,14 @@ CVE-2020-28601 (A code execution vulnerability exists in the Nef polygon-parsing
 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
 CVE-2020-28600 (An out-of-bounds write vulnerability exists in the import_stl.cc:impor ...)
 - openscad 2021.01-1 (bug #996020)
- [buster] - openscad (Minor issue)
+ [buster] - openscad 2019.01~RC2-2+deb10u1
 [stretch] - openscad (Vulnerable code introduced later)
 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1224
 NOTE: introduced at https://github.com/openscad/openscad/commit/25ec72ce0770115ad62c17fe10ee7464ac256391
 NOTE: vulnerable code removed at https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874
 CVE-2020-28599 (A stack-based buffer overflow vulnerability exists in the import_stl.c ...)
 - openscad 2021.01-1 (bug #996020)
- [buster] - openscad (Minor issue)
+ [buster] - openscad 2019.01~RC2-2+deb10u1
 [stretch] - openscad (Minor issue)
 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1223
 NOTE: https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874
@@ -98173,7 +98188,7 @@ CVE-2020-28283 (Prototype pollution vulnerability in 'libnested' versions 0.0.0
 CVE-2020-28282 (Prototype pollution vulnerability in 'getobject' version 0.1.0 allows ...)
 - node-getobject 1.0.2-1
 [bullseye] - node-getobject 0.1.0-2+deb11u1
- [buster] - node-getobject (Minor issue)
+ [buster] - node-getobject 0.1.0-2+deb10u1
 [stretch] - node-getobject (Minor issue)
 NOTE: https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0)
 CVE-2020-28281 (Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 ...)
@@ -100249,7 +100264,7 @@ CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for
 CVE-2021-0145 (Improper initialization of shared resources in some Intel(R) Processor ...)
  - intel-microcode 3.20220207.1
  [bullseye] - intel-microcode 3.20220207.1~deb11u1
- [buster] - intel-microcode (Wait until exposed in unstable; tendency point release)
+ [buster] - intel-microcode 3.20220207.1~deb10u1
  NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html
  NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/fast-store-forwarding-predictor.html
 CVE-2021-0144 (Insecure default variable initialization for the Intel BSSA DFT featur ...)
@@ -100295,7 +100310,7 @@ CVE-2021-0128
 CVE-2021-0127 (Insufficient control flow management in some Intel(R) Processors may a ...)
  - intel-microcode 3.20220207.1
  [bullseye] - intel-microcode 3.20220207.1~deb11u1
- [buster] - intel-microcode (Wait until exposed in unstable; tendency point release)
+ [buster] - intel-microcode 3.20220207.1~deb10u1
  NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html
  NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207
 CVE-2021-0126
@@ -103103,19 +103118,19 @@ CVE-1999-0199 (manual/search.texi in the GNU C Library (aka glibc) before 2.2 la
 CVE-2020-26572 (The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a ...)
  {DLA-2832-1}
  - opensc 0.21.0-1 (bug #972035)
- [buster] - opensc (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
  NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967
  NOTE: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817 (0.21.0-rc1)
 CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 ...)
  {DLA-2832-1}
  - opensc 0.21.0-1 (bug #972036)
- [buster] - opensc (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
  NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612
  NOTE: https://github.com/OpenSC/OpenSC/commit/ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43 (0.21.0-rc1)
 CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...)
  {DLA-2832-1}
  - opensc 0.21.0-1 (bug #972037)
- [buster] - opensc (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
  NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316
  NOTE: https://github.com/OpenSC/OpenSC/commit/6903aebfddc466d966c7b865fae34572bf3ed23e (0.21.0-rc1)
 CVE-2020-26569 (In EVPN VxLAN setups in Arista EOS, specific malformed packets can lea ...)
@@ -105213,7 +105228,7 @@ CVE-2020-25713 (A malformed input file can lead to a segfault due to an out of b
  {DLA-2846-1}
  - raptor
  - raptor2 2.0.14-1.2 (bug #974664)
- [buster] - raptor2 (Minor issue)
+ [buster] - raptor2 2.0.14-1.1~deb10u2
  NOTE: https://bugs.librdf.org/mantis/view.php?id=650
 CVE-2020-25712 (A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer over ...)
  {DSA-4803-1 DLA-2486-1}
@@ -105295,7 +105310,7 @@ CVE-2020-25694 (A flaw was found in PostgreSQL versions before 13.1, before 12.5
 CVE-2020-25693 (A flaw was found in CImg in versions prior to 2.9.3. Integer overflows ...)
  {DLA-2462-1}
  - cimg 2.9.4+dfsg-2 (bug #973770)
- [buster] - cimg (Minor issue)
+ [buster] - cimg 2.4.5+dfsg-1+deb10u1
  NOTE: https://github.com/dtschump/CImg/pull/295
  NOTE: https://bugs.launchpad.net/ubuntu/+source/cimg/+bug/1900983
  NOTE: Fixed by: https://github.com/dtschump/CImg/commit/4f184f89f9ab6785a6c90fd238dbaa6d901d3505
@@ -121225,7 +121240,7 @@ CVE-2020-18442 (Infinite Loop in zziplib v0.13.69 allows remote attackers to cau
  {DLA-2859-1}
  - zziplib 0.13.72+dfsg.1-1
  [bullseye] - zziplib 0.13.62-3.3+deb11u1
- [buster] - zziplib (Minor issue)
+ [buster] - zziplib 0.13.62-3.2+deb10u1
  NOTE: https://github.com/gdraheim/zziplib/issues/68
  NOTE: https://github.com/gdraheim/zziplib/commit/ac9ae39ef419e9f0f83da1e583314d8c7cda34a6
  NOTE: https://github.com/gdraheim/zziplib/commit/7e786544084548da7fcfcd9090d3c4e7f5777f7e
@@ -126189,7 +126204,7 @@ CVE-2020-16118 (In GNOME Balsa before 2.6.0, a malicious server operator or man
 CVE-2020-16117 (In GNOME evolution-data-server before 3.35.91, a malicious server can ...)
  {DLA-2309-1}
  - evolution-data-server 3.36.0-1
- [buster] - evolution-data-server (Minor issue)
+ [buster] - evolution-data-server 3.30.5-1+deb10u2
  NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/2cc39592b532cf0dc994fd3694b8e6bf924c9ab5
  NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/627c3cdbfd077e59aa288c85ff8272950577f1d7
  NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/189
@@ -126731,7 +126746,7 @@ CVE-2020-15954 (KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 commu
 CVE-2020-15953 (LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other ...)
  {DLA-2329-1}
  - libetpan 1.9.4-3 (bug #966647)
- [buster] - libetpan (Minor issue)
+ [buster] - libetpan 1.9.3-2+deb10u1
  NOTE: https://github.com/dinhvh/libetpan/issues/386
  NOTE: https://github.com/dinhvh/libetpan/pull/387
  NOTE: https://github.com/dinhvh/libetpan/pull/388
@@ -133261,7 +133276,7 @@ CVE-2019-20808 (In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI V
 CVE-2019-20807 (In Vim before 8.1.0881, users can circumvent the rvim restricted mode ...)
  {DLA-2876-1}
  - vim 2:8.1.2136-1
- [buster] - vim (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
  [jessie] - vim (Minor issue)
  NOTE: https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075
 CVE-2020-13644 (An issue was discovered in the Accordion plugin before 2.2.9 for WordP ...)
@@ -135722,7 +135737,7 @@ CVE-2020-12689 (An issue was discovered in OpenStack Keystone before 15.0.1, and
 CVE-2020-12672 (GraphicsMagick through 1.3.35 has a heap-based buffer overflow in Read ...)
  {DLA-2902-1 DLA-2236-1}
  - graphicsmagick 1.4+really1.3.35-2 (bug #960000)
- [buster] - graphicsmagick (Minor issue; can be fixed along in future DSA)
+ [buster] - graphicsmagick 1.4+really1.3.35-1~deb10u2
  NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19025
  NOTE: Fixed by: https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3/
 CVE-2020-12671
@@ -136309,7 +136324,7 @@ CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in qemu/qe
  NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828190
 CVE-2019-20792 (OpenSC before 0.20.0 has a double free in coolkey_free_private_data be ...)
  - opensc 0.20.0-1 (low)
- [buster] - opensc (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
  [stretch] - opensc (Coolkey driver added in 0.17.0)
  [jessie] - opensc (Minor issue but can be worth fixing later)
  NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208
@@ -136912,7 +136927,7 @@ CVE-2020-12269
 CVE-2020-12268 (jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 h ...)
  {DLA-2796-1}
  - jbig2dec 0.18-1
- [buster] - jbig2dec (Minor issue)
+ [buster] - jbig2dec 0.16-1+deb10u1
  [jessie] - jbig2dec (Minor issue)
  NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20332
  NOTE: https://github.com/ArtifexSoftware/jbig2dec/commit/0726320a4b55078e9d8deb590e477d598b3da66e
@@ -144849,7 +144864,7 @@ CVE-2020-10002 (A logic issue was addressed with improved state management. This
 CVE-2020-10001 (An input validation issue was addressed with improved memory handling. ...)
  {DLA-2800-1}
  - cups 2.3.3op2-1
- [buster] - cups (Minor issue)
+ [buster] - cups 2.2.10-6+deb10u5
  NOTE: https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9 (v2.3.3op2)
 CVE-2020-10000
  RESERVED
@@ -144868,12 +144883,12 @@ CVE-2020-9761 (An issue was discovered in UNCTAD ASYCUDA World 2001 through 2020
 CVE-2020-9760 (An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affe ...)
  {DLA-2770-1 DLA-2157-1}
  - weechat 2.7.1-1
- [buster] - weechat (Minor issue)
+ [buster] - weechat 2.3-1+deb10u1
  NOTE: https://github.com/weechat/weechat/commit/694b5c9f874d7337cd2e03761e0de435275dd64d
 CVE-2020-9759 (A Vulnerability of LG Electronic web OS TV Emulator could allow an att ...)
  {DLA-2770-1 DLA-2157-1}
  - weechat 2.7.1-1
- [buster] - weechat (Minor issue)
+ [buster] - weechat 2.3-1+deb10u1
  NOTE: https://github.com/weechat/weechat/commit/c827d6fa864e2c0b79cea640c45272e83703081e
 CVE-2020-9758 (An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (He ...)
  NOT-FOR-US: LiveZilla Live Chat
@@ -146790,7 +146805,7 @@ CVE-2020-8956 (Pulse Secure Desktop Client 9.0Rx before 9.0R5 and 9.1Rx before 9
 CVE-2020-8955 (irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2 ...)
  {DLA-2770-1 DLA-2157-1}
  - weechat 2.7.1-1 (bug #951289)
- [buster] - weechat (Minor issue)
+ [buster] - weechat 2.3-1+deb10u1
  NOTE: https://github.com/weechat/weechat/commit/6f4f147d8e86adf9ad34a8ffd7e7f1f23a7e74da
 CVE-2020-8954 (OpenSearch Web browser 1.0.4.9 allows Intent Scheme Hijacking.[a link ...)
  NOT-FOR-US: OpenSearch Web browser
@@ -165994,7 +166009,7 @@ CVE-2019-19480 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x thro
 CVE-2019-19479 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...)
  {DLA-2832-1 DLA-2046-1}
  - opensc 0.20.0-1 (bug #947383)
- [buster] - opensc (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
  NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693
  NOTE: https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2
 CVE-2019-19478
@@ -172396,7 +172411,7 @@ CVE-2020-0500 (In startInputUncheckedLocked of InputMethodManager.java, there is
 CVE-2020-0499 (In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a p ...)
  {DLA-2514-1}
  - flac 1.3.3-2 (bug #977764)
- [buster] - flac (Minor issue)
+ [buster] - flac 1.3.2-3+deb10u1
  NOTE: https://github.com/xiph/flac/commit/2e7931c27eb15e387da440a37f12437e35b22dd4
  NOTE: https://android.googlesource.com/platform/external/flac/+/029048f823ced50f63a92e25073427ec3a9bd909%5E%21/#F0
  NOTE: https://source.android.com/security/bulletin/pixel/2020-12-01
@@ -176347,12 +176362,12 @@ CVE-2019-17043 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execut
 CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmc ...)
  {DLA-2835-1 DLA-1952-1}
  - rsyslog 8.1910.0-1 (bug #942065)
- [buster] - rsyslog (Minor issue, pmcisconames module not loaded by default)
+ [buster] - rsyslog 8.1901.0-1+deb10u1
  NOTE: https://github.com/rsyslog/rsyslog/pull/3883
 CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...)
  {DLA-2835-1 DLA-1952-1}
  - rsyslog 8.1910.0-1 (bug #942067)
- [buster] - rsyslog (Minor issue, pmaixforwardedfrom module not loaded by default)
+ [buster] - rsyslog 8.1901.0-1+deb10u1
  NOTE: https://github.com/rsyslog/rsyslog/pull/3884
 CVE-2019-17040 (contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bound ...)
  - rsyslog 8.1910.0-1 (unimportant)
@@ -179518,12 +179533,12 @@ CVE-2019-15947 (In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencr
 CVE-2019-15946 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet ...)
  {DLA-2832-1 DLA-1916-1}
  - opensc 0.20.0-1 (bug #939669)
- [buster] - opensc (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
  NOTE: https://github.com/OpenSC/OpenSC/commit/a3fc7693f3a035a8a7921cffb98432944bb42740
 CVE-2019-15945 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitst ...)
  {DLA-2832-1 DLA-1916-1}
  - opensc 0.20.0-1 (bug #939668)
- [buster] - opensc (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
  NOTE: https://github.com/OpenSC/OpenSC/commit/412a6142c27a5973c61ba540e33cdc22d5608e68
 CVE-2019-15944 (In Counter-Strike: Global Offensive before 8/29/2019, community game s ...)
  NOT-FOR-US: Counter-Strike: Global Offensive
@@ -180888,7 +180903,7 @@ CVE-2019-15532 (CyberChef before 8.31.2 allows XSS in core/operations/TextEncodi
 CVE-2019-15531 (GNU Libextractor through 1.9 has a heap-based buffer over-read in the ...)
  {DLA-2851-1 DLA-1904-1}
  - libextractor 1:1.9-2 (bug #935553)
- [buster] - libextractor (Minor issue)
+ [buster] - libextractor 1:1.8-2+deb10u1
  NOTE: https://bugs.gnunet.org/view.php?id=5846
  NOTE: https://git.gnunet.org/libextractor.git/commit/?id=d2b032452241708bee68d02aa02092cfbfba951a
 CVE-2019-15530 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...)
@@ -181941,7 +181956,7 @@ CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4
 CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB ...)
  {DLA-2850-1 DLA-1967-1}
  - libpcap 1.9.1-1 (low; bug #941697)
- [buster] - libpcap (Minor issue)
+ [buster] - libpcap 1.8.1-6+deb10u1
  NOTE: https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab
  NOTE: https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6
 CVE-2019-15164 (rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may ...)
@@ -184471,7 +184486,7 @@ CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00
 CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...)
  {DLA-2825-1}
  - libmodbus 3.1.6-1 (bug #933805)
- [buster] - libmodbus (Minor issue)
+ [buster] - libmodbus 3.1.4-2+deb10u1
  [jessie] - libmodbus (Minor issue)
  NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5)
  NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5)
@@ -184480,7 +184495,7 @@ CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x befo
 CVE-2019-14462 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...)
  {DLA-2825-1}
  - libmodbus 3.1.6-1 (bug #933805)
- [buster] - libmodbus (Minor issue)
+ [buster] - libmodbus 3.1.4-2+deb10u1
  [jessie] - libmodbus (Minor issue)
  NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5)
  NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5)
@@ -187381,7 +187396,7 @@ CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.
  [buster] - libsdl2 (Minor issue)
  [jessie] - libsdl2 (can be fixed along with more important patches)
  - libsdl1.2 1.2.15+dfsg2-5
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  [jessie] - libsdl1.2 (can be fixed along with more important patches)
  - libsdl2-image 2.0.5+dfsg1-2 (bug #940934)
  [buster] - libsdl2-image (Minor issue)
@@ -198027,7 +198042,7 @@ CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 intro
 CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...)
  {DLA-2342-1 DLA-2091-1}
  - libjackson-json-java 1.9.13-2
- [buster] - libjackson-json-java (Minor issue)
+ [buster] - libjackson-json-java 1.9.13-2~deb10u1
  NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
  NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
  NOTE: https://github.com/FasterXML/jackson-1/pull/1
@@ -198963,7 +198978,7 @@ CVE-2019-9888
 CVE-2019-1010319 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
  {DLA-2525-1}
  - wavpack 5.1.0-7 (low; bug #932061)
- [buster] - wavpack (Minor issue)
+ [buster] - wavpack 5.1.0-6+deb10u1
  NOTE: https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe
  NOTE: https://github.com/dbry/WavPack/issues/68
 CVE-2019-1010318
@@ -198971,7 +198986,7 @@ CVE-2019-1010318
 CVE-2019-1010317 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
  {DLA-2525-1}
  - wavpack 5.1.0-7 (low; bug #932060)
- [buster] - wavpack (Minor issue)
+ [buster] - wavpack 5.1.0-6+deb10u1
  NOTE: https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
  NOTE: https://github.com/dbry/WavPack/issues/66
 CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. Th ...)
@@ -205910,7 +205925,7 @@ CVE-2019-7639 (An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29.
 CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
@@ -205919,7 +205934,7 @@ CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-2803-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.6+dfsg1-4 (bug #924610)
  NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
  NOTE: https://hg.libsdl.org/SDL/rev/9b0e5c555c0f (SDL-1.2)
@@ -205931,7 +205946,7 @@ CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
@@ -205940,7 +205955,7 @@ CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-2536-1 DLA-1865-1 DLA-1861-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  - sdl-image1.2 1.2.12-11 (bug #932755)
@@ -206082,7 +206097,7 @@ CVE-2019-7579 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 device
 CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
@@ -206091,7 +206106,7 @@ CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
@@ -206102,7 +206117,7 @@ CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  [stretch] - libsdl2 (Minor issue)
@@ -206112,7 +206127,7 @@ CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
@@ -206122,7 +206137,7 @@ CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  [stretch] - libsdl2 (Minor issue)
@@ -206133,7 +206148,7 @@ CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  [stretch] - libsdl2 (Minor issue)
@@ -206145,7 +206160,7 @@ CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
 CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
  {DLA-2804-1 DLA-1714-1 DLA-1713-1}
  - libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
  - libsdl2 2.0.10+dfsg1-1 (bug #924610)
  [buster] - libsdl2 (Minor issue)
  [stretch] - libsdl2 (Minor issue)
@@ -287980,7 +287995,7 @@ CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in
  {DSA-4037-1 DLA-2342-1 DLA-2091-1}
  - jackson-databind 2.9.1-1
  - libjackson-json-java 1.9.13-2
- [buster] - libjackson-json-java (Minor issue)
+ [buster] - libjackson-json-java 1.9.13-2~deb10u1
  NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
  NOTE: misses the further sets of blacklists, in particular as well
  NOTE: https://github.com/FasterXML/jackson-databind/commit/3bfbb835
@@ -311189,7 +311204,7 @@ CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, ve
  {DSA-4004-1 DLA-2342-1 DLA-2091-1}
  - jackson-databind 2.9.1-1 (bug #870848)
  - libjackson-json-java 1.9.13-2
- [buster] - libjackson-json-java (Minor issue)
+ [buster] - libjackson-json-java 1.9.13-2~deb10u1
  NOTE: https://github.com/FasterXML/jackson-databind/issues/1599
  NOTE: For libjackson-json-java:
  NOTE: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31
diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt
index a1f2773394..d219156d5a 100644
--- a/data/next-oldstable-point-update.txt
+++ b/data/next-oldstable-point-update.txt
@@ -1,229 +1,3 @@
-CVE-2019-20807
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2021-3770
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2021-3778
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2021-3796
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2020-36277
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36278
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36279
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36280
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36281
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-35653
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2020-35655
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-27921
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-27922
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-27923
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-25290
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-25292
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-28677
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-28678
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-34552
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2020-28600
- [buster] - openscad 2019.01~RC2-2+deb10u1
-CVE-2020-28599
- [buster] - openscad 2019.01~RC2-2+deb10u1
-CVE-2020-28282
- [buster] - node-getobject 0.1.0-2+deb10u1
-CVE-2021-38714
- [buster] - plib 1.8.5-8+deb10u1
-CVE-2020-12268
- [buster] - jbig2dec 0.16-1+deb10u1
-CVE-2019-1010317
- [buster] - wavpack 5.1.0-6+deb10u1
-CVE-2019-1010319
- [buster] - wavpack 5.1.0-6+deb10u1
-CVE-2021-35604
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46662
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46667
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46659
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24048
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24050
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24051
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24052
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46661
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46663
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46664
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46665
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46668
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-43331
- [buster] - mailman 1:2.1.29-1+deb10u3
-CVE-2021-43332
- [buster] - mailman 1:2.1.29-1+deb10u3
-CVE-2021-44227
- [buster] - mailman 1:2.1.29-1+deb10u4
-CVE-2019-14462
- [buster] - libmodbus 3.1.4-2+deb10u1
-CVE-2019-14463
- [buster] - libmodbus 3.1.4-2+deb10u1
-CVE-2021-43618
- [buster] - gmp 2:6.1.2+dfsg-4+deb10u1
-CVE-2021-37146
- [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u3
-CVE-2021-40391
- [buster] - gerbv 2.7.0-1+deb10u1
-CVE-2021-44540
- [buster] - privoxy 3.0.28-2+deb10u2
-CVE-2021-44543
- [buster] - privoxy 3.0.28-2+deb10u2
-CVE-2020-12672
- [buster] - graphicsmagick 1.4+really1.3.35-1~deb10u2
-CVE-2020-16117
- [buster] - evolution-data-server 3.30.5-1+deb10u2
-CVE-2020-15953
- [buster] - libetpan 1.9.3-2+deb10u1
-CVE-2019-10172
- [buster] - libjackson-json-java 1.9.13-2~deb10u1
-CVE-2017-15095
- [buster] - libjackson-json-java 1.9.13-2~deb10u1
-CVE-2017-7525
- [buster] - libjackson-json-java 1.9.13-2~deb10u1
-CVE-2021-22207
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-22235
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39921
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39922
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39923
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39924
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39928
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39929
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2020-25693
- [buster] - cimg 2.4.5+dfsg-1+deb10u1
-CVE-2020-0499
- [buster] - flac 1.3.2-3+deb10u1
-CVE-2022-20698
- [buster] - clamav 0.103.5+dfsg-0+deb10u1
-CVE-2020-25713
- [buster] - raptor2 2.0.14-1.1~deb10u2
-CVE-2019-7572
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7573
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7574
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7575
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7576
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7577
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7578
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7635
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7636
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7637
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7638
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-13616
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2020-18442
- [buster] - zziplib 0.13.62-3.2+deb10u1
-CVE-2020-8955
- [buster] - weechat 2.3-1+deb10u1
-CVE-2020-9759
- [buster] - weechat 2.3-1+deb10u1
-CVE-2020-9760
- [buster] - weechat 2.3-1+deb10u1
-CVE-2021-40516
- [buster] - weechat 2.3-1+deb10u1
-CVE-2019-15945
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-15946
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-19479
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-20792
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2020-26570
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2020-26571
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2020-26572
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-17041
- [buster] - rsyslog 8.1901.0-1+deb10u1
-CVE-2019-17042
- [buster] - rsyslog 8.1901.0-1+deb10u1
-CVE-2019-15165
- [buster] - libpcap 1.8.1-6+deb10u1
-CVE-2019-15531
- [buster] - libextractor 1:1.8-2+deb10u1
-CVE-2021-46671
- [buster] - atftp 0.7.git20120829-3.2~deb10u3
-CVE-2022-24130
- [buster] - xterm 344-1+deb10u2
-CVE-2021-4104
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2022-23302
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2022-23305
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2022-23307
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2021-44832
- [buster] - apache-log4j2 2.17.1-1~deb10u1
-CVE-2021-40874
- [buster] - lemonldap-ng 2.0.2+ds-7+deb10u7
-CVE-2021-21263
- [buster] - php-illuminate-database 5.7.27-1+deb10u1
-CVE-2022-0534
- [buster] - htmldoc 1.9.3-1+deb10u3
-CVE-2021-43579
- [buster] - htmldoc 1.9.3-1+deb10u3
-CVE-2021-40985
- [buster] - htmldoc 1.9.3-1+deb10u3
-CVE-2022-23308
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u3
-CVE-2020-10001
- [buster] - cups 2.2.10-6+deb10u5
-CVE-2021-46709
- [buster] - phpliteadmin 1.9.7.1-2+deb10u1
-CVE-2021-33120
- [buster] - intel-microcode 3.20220207.1~deb10u1
-CVE-2021-0145
- [buster] - intel-microcode 3.20220207.1~deb10u1
-CVE-2021-0127
- [buster] - intel-microcode 3.20220207.1~deb10u1
 CVE-2021-44906
  [buster] - node-minimist 1.2.0-1+deb10u2
 CVE-2022-24773
-- 
cgit v1.2.3