From 258ee40e73606f1bde04cc7b56265c704337289a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 17 Jul 2020 16:45:41 +0200 Subject: Merge fixes included in 9.13 --- data/CVE/list | 195 +++++++++++++++++---------------- data/next-oldstable-point-update.txt | 205 ----------------------------------- 2 files changed, 103 insertions(+), 297 deletions(-) (limited to 'data') diff --git a/data/CVE/list b/data/CVE/list index 3223e0c564..4d7363bd24 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -618,7 +618,7 @@ CVE-2020-15541 (SolarWinds Serv-U FTP server before 15.2.1 allows remote command CVE-2020-15562 (An issue was discovered in Roundcube Webmail before 1.2.11, 1.3.x befo ...) {DSA-4720-1} - roundcube 1.4.7+dfsg.1-1 (bug #964355) - [stretch] - roundcube (Minor issue; will be fixed via point release) + [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u6 NOTE: 1.4.x https://github.com/roundcube/roundcubemail/commit/3e8832d029b035e3fcfb4c75839567a9580b4f82 NOTE: 1.3.x https://github.com/roundcube/roundcubemail/commit/19502419757a976dbd55ce5a746610c5bab7896b NOTE: 1.2.x https://github.com/roundcube/roundcubemail/commit/f3d1566cf223eb04f47b6dfffcd88753f66c36ee @@ -3897,7 +3897,7 @@ CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in {DLA-2270-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2765 NOTE: https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default 
@@ -4231,7 +4231,7 @@ CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in {DLA-2270-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2704 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -4239,7 +4239,7 @@ CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in {DLA-2270-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2698 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -4247,7 +4247,7 @@ CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in {DLA-2270-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2688 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -4495,6 +4495,7 @@ CVE-2020-13975 RESERVED CVE-2020-13974 (** DISPUTED ** An issue was discovered in the Linux kernel through 5.7 ...) - linux 5.7.6-1 + [stretch] - linux 4.9.228-1 NOTE: https://git.kernel.org/linus/b86dab054059b970111b5516ae548efaae5b3aae CVE-2020-13973 (OWASP json-sanitizer before 1.2.1 allows XSS. An attacker who controls ...) NOT-FOR-US: OWASP json-sanitizer @@ -5124,6 +5125,7 @@ CVE-2019-20811 (An issue was discovered in the Linux kernel before 5.0.6. In rx_ NOTE: https://git.kernel.org/linus/a3e23f719f5c4a38ffb3d30c8d7632a4ed8ccd9e CVE-2019-20810 (go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux ...) - linux 5.6.7-1 + [stretch] - linux 4.9.228-1 NOTE: https://git.kernel.org/linus/9453264ef58638ce8976121ac44c07a3ef375983 CVE-2020-13759 (rust-vmm vm-memory before 0.1.1 and 0.2.x before 0.2.1 allows attacker ...) NOT-FOR-US: rust-vmm @@ -5390,7 +5392,7 @@ CVE-2020-13646 (In Cheetah free WiFi 5.1, the driver file (liebaonat.sys) allows CVE-2020-13645 (In GNOME glib-networking through 2.64.2, the implementation of GTlsCli ...) - glib-networking 2.64.3-2 (bug #961756) [buster] - glib-networking (Minor issue; will be fixed via point release) - [stretch] - glib-networking (Minor issue; will be fixed via point release) + [stretch] - glib-networking 2.50.0-1+deb9u1 NOTE: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135 NOTE: Updating glib-networking to address CVE-2020-13645 will need a compatibility NOTE: update as well for balsa (cf. https://bugs.debian.org/961792) 
@@ -6616,19 +6618,19 @@ CVE-2020-13114 (An issue was discovered in libexif before 0.6.22. An unrestricte {DLA-2222-1} - libexif 0.6.21-9 (bug #961410) [buster] - libexif (Minor issue) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u3 NOTE: https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab (0.6.22) CVE-2020-13113 (An issue was discovered in libexif before 0.6.22. Use of uninitialized ...) {DLA-2222-1} - libexif 0.6.21-9 (bug #961409) [buster] - libexif (Minor issue) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u3 NOTE: https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f (0.6.22) CVE-2020-13112 (An issue was discovered in libexif before 0.6.22. Several buffer over- ...) {DLA-2222-1} - libexif 0.6.21-9 (bug #961407) [buster] - libexif (Minor issue) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u3 NOTE: https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1 (0.6.22) CVE-2020-13111 (NaviServer 4.99.4 to 4.99.19 allows denial of service due to the nsd/d ...) NOT-FOR-US: NaviServer @@ -7111,7 +7113,7 @@ CVE-2020-12873 RESERVED CVE-2020-12872 (yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ...) - erlang 1:21.2.6+dfsg-1 (low) - [stretch] - erlang (Minor issue) + [stretch] - erlang 1:19.2.1+dfsg-2+deb9u3 [jessie] - erlang (Minor issue) NOTE: https://medium.com/@charlielabs101/cve-2020-12872-df315411aa70 NOTE: https://github.com/erlyaws/yaws/issues/402 @@ -7257,6 +7259,7 @@ CVE-2020-12826 (A signal access-control issue was discovered in the Linux kernel {DLA-2241-1} - linux 5.6.7-1 [buster] - linux 4.19.118-1 + [stretch] - linux 4.9.228-1 NOTE: https://git.kernel.org/linus/d1e7fd6462ca9fc76650fbe6ca800e35b24267da CVE-2020-12825 (libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any ...) - libcroco (low; bug #960527) 
@@ -7396,7 +7399,7 @@ CVE-2020-12767 (exif_entry_get_value in exif-entry.c in libexif 0.6.21 has a div {DLA-2214-1} - libexif 0.6.21-7 (bug #960199) [buster] - libexif (Minor issue) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u2 NOTE: https://github.com/libexif/libexif/issues/31 NOTE: https://github.com/libexif/libexif/commit/e22f73064f804c94e90b642cd0db4697c827da72 CVE-2019-20795 (iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ...) @@ -7409,7 +7412,7 @@ CVE-2019-20795 (iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_n CVE-2020-XXXX [unspecified fexsrv security issue] - fex 20160919-2 [buster] - fex 20160919-2~deb10u1 - [stretch] - fex (Non-free not supported) + [stretch] - fex 20160919-2~deb9u1 CVE-2020-12771 (An issue was discovered in the Linux kernel through 5.6.11. btree_gc_c ...) - linux 5.7.6-1 NOTE: https://lkml.org/lkml/2020/4/26/87 @@ -7422,6 +7425,7 @@ CVE-2020-12769 (An issue was discovered in the Linux kernel before 5.4.17. drive {DLA-2241-1} - linux 5.4.19-1 [buster] - linux 4.19.118-1 + [stretch] - linux 4.9.228-1 NOTE: https://git.kernel.org/linus/19b61392c5a852b4e8a0bf35aecb969983c5932d (5.5-rc6) CVE-2020-12768 (** DISPUTED ** An issue was discovered in the Linux kernel before 5.6. ...) {DSA-4699-1} @@ -7548,7 +7552,7 @@ CVE-2020-12724 CVE-2020-12723 (regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted ...) - perl 5.30.3-1 (bug #962005) [buster] - perl (Minor issue) - [stretch] - perl (Minor issue) + [stretch] - perl 5.24.1-3+deb9u7 NOTE: https://github.com/perl/perl5/commit/66bbb51b93253a3f87d11c2695cfb7bdb782184a (v5.30.3) CVE-2020-12722 RESERVED 
@@ -9174,7 +9178,7 @@ CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a Handl {DLA-2146-1} - libvncserver 0.9.12+dfsg-9 (bug #954163) [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 - [stretch] - libvncserver (Minor issue) + [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u4 NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed CVE-2020-12137 (GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed app ...) {DSA-4664-1 DLA-2200-1} @@ -9266,7 +9270,7 @@ CVE-2020-12049 (An issue was discovered in dbus >= 1.3.0 before 1.12.18. The {DLA-2235-1} - dbus 1.12.18-1 [buster] - dbus (Minor issue) - [stretch] - dbus (Minor issue) + [stretch] - dbus 1.10.32-0+deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/3 NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/294 NOTE: Fixed by: https://gitlab.freedesktop.org/dbus/dbus/-/commit/272d484283883fa9ff95b69d924fff6cd34842f5 @@ -10938,7 +10942,7 @@ CVE-2020-11736 (fr-archive-libarchive.c in GNOME file-roller through 3.36.1 allo {DLA-2180-1} - file-roller 3.36.2-1 (bug #956638) [buster] - file-roller (Minor issue, will be fixed via spu) - [stretch] - file-roller (Minor issue, will be fixed via spu) + [stretch] - file-roller 3.22.3-1+deb9u2 NOTE: https://gitlab.gnome.org/GNOME/file-roller/-/commit/21dfcdbfe258984db89fb65243a1a888924e45a0 CVE-2020-11734 (cgi-bin/go in CyberSolutions CyberMail 5 or later allows XSS via the A ...) NOT-FOR-US: CyberSolutions CyberMail 
@@ -11257,7 +11261,7 @@ CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2179-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2682 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -11265,7 +11269,7 @@ CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2179-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2680 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -12642,7 +12646,7 @@ CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2179-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2670 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -12650,7 +12654,7 @@ CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2179-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2666 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -12658,7 +12662,7 @@ CVE-2020-11111 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2179-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2664 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -13209,7 +13213,7 @@ CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2179-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2642 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -13217,7 +13221,7 @@ CVE-2020-10968 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2179-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2662 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -13491,7 +13495,7 @@ CVE-2020-10879 (rConfig before 3.9.5 allows command injection by sending a craft CVE-2020-10878 (Perl before 5.30.3 has an integer overflow related to mishandling of a ...) - perl 5.30.3-1 (bug #962005) [buster] - perl (Minor issue) - [stretch] - perl (Minor issue) + [stretch] - perl 5.24.1-3+deb9u7 NOTE: https://github.com/perl/perl5/commit/0a320d753fe7fca03df259a4dfd8e641e51edaa8 (v5.30.3) NOTE: https://github.com/perl/perl5/commit/3295b48defa0f8570114877b063fe546dd348b3c (v5.30.3) CVE-2020-10877 @@ -13861,7 +13865,7 @@ CVE-2016-11022 (NETGEAR Prosafe WC9500 5.1.0.17, WC7600 5.1.0.17, and WC7520 2.5 NOT-FOR-US: Netgear CVE-2020-10804 (In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection v ...) - phpmyadmin 4:4.9.5+dfsg1-1 (bug #954667) - [stretch] - phpmyadmin (Minor issue) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 [jessie] - phpmyadmin (Vulnerable code not present) NOTE: Introduced-by: https://github.com/phpmyadmin/phpmyadmin/commit/56b43527196b0349ec2bea8ca711667e5aa75c65 NOTE: Introduced-by: https://github.com/phpmyadmin/phpmyadmin/commit/d55abcd5ffa1ea8785f1217f5b7d78a8a54b8542 
@@ -13871,14 +13875,14 @@ CVE-2020-10804 (In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injec CVE-2020-10803 (In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection v ...) {DLA-2154-1} - phpmyadmin 4:4.9.5+dfsg1-1 (bug #954666) - [stretch] - phpmyadmin (Minor issue) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 NOTE: https://www.phpmyadmin.net/security/PMASA-2020-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/46a7aa7cd4ff2be0eeb23721fbf71567bebe69a5 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6b9b2601d8af916659cde8aefd3a6eaadd10284a CVE-2020-10802 (In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection v ...) {DLA-2154-1} - phpmyadmin 4:4.9.5+dfsg1-1 (bug #954665) - [stretch] - phpmyadmin (Minor issue) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 NOTE: https://www.phpmyadmin.net/security/PMASA-2020-3/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/a8acd7a42cf743186528b0453f90aaa32bfefabe CVE-2020-10801 @@ -13963,16 +13967,19 @@ CVE-2020-10769 (A buffer over-read flaw was found in RH kernel versions before 5 CVE-2020-10768 [Indirect branch speculation can be enabled after it was force-disabled by the PR_SPEC_FORCE_DISABLE prctl command] RESERVED - linux 5.7.6-1 + [stretch] - linux 4.9.228-1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1 NOTE: https://git.kernel.org/linus/4d8df8cbb9156b0a0ab3f802b80cb5db57acc0bf CVE-2020-10767 [Indirect Branch Prediction Barrier is force-disabled when STIBP is unavailable or enhanced IBRS is available] RESERVED - linux 5.7.6-1 + [stretch] - linux 4.9.228-1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1 NOTE: https://git.kernel.org/linus/21998a351512eba4ed5969006f0c55882d995ada CVE-2020-10766 [Rogue cross-process SSBD shutdown] RESERVED - linux 5.7.6-1 + [stretch] - linux 4.9.228-1 NOTE: https://www.openwall.com/lists/oss-security/2020/06/10/1 NOTE: https://git.kernel.org/linus/dbbe2ad02e9df26e372f38cc3e70dab9222c832e CVE-2020-10765 
@@ -14290,6 +14297,7 @@ CVE-2020-10690 (There is a use-after-free in kernel versions before 5.5 due to a {DLA-2241-1} - linux 5.4.8-1 [buster] - linux 4.19.98-1 + [stretch] - linux 4.9.228-1 NOTE: Fixed by: https://git.kernel.org/linus/a33121e5487b424339636b25c35d3a180eaa5f5e CVE-2020-10689 (A flaw was found in the Eclipse Che up to version 7.8.x, where it did ...) NOT-FOR-US: Eclipse Che @@ -14349,7 +14357,7 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2153-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2660 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -14357,7 +14365,7 @@ CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in {DLA-2153-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2659 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -14385,11 +14393,11 @@ CVE-2020-10663 (The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through {DSA-4721-1 DLA-2192-1 DLA-2190-1} - ruby-json 2.3.0+dfsg-1 [buster] - ruby-json (Minor issue) - [stretch] - ruby-json (Minor issue) + [stretch] - ruby-json 2.0.1+dfsg-3+deb9u1 - ruby2.7 (Fixed before initial upload to Debian) - ruby2.5 - ruby2.3 - [stretch] - ruby2.3 (Minor issue) + [stretch] - ruby2.3 2.3.3-1+deb9u8 - ruby2.1 NOTE: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ NOTE: https://hackerone.com/reports/706934 @@ -14710,7 +14718,7 @@ CVE-2009-5159 (Invision Power Board (aka IPB or IP.Board) 2.x through 3.0.4, whe CVE-2020-10543 (Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer over ...) - perl 5.30.3-1 (bug #962005) [buster] - perl (Minor issue) - [stretch] - perl (Minor issue) + [stretch] - perl 5.24.1-3+deb9u7 NOTE: https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed (v5.30.3) CVE-2020-10542 RESERVED @@ -16934,7 +16942,7 @@ CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int {DLA-2135-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. 
@@ -16942,7 +16950,7 @@ CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int {DLA-2135-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -16950,7 +16958,7 @@ CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int {DLA-2135-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2631 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. @@ -18592,7 +18600,7 @@ CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary fi {DLA-2162-1} - php-horde-form 2.0.20-1 (bug #955020) [buster] - php-horde-form 2.0.18-3.1+deb10u1 - [stretch] - php-horde-form (Minor issue) + [stretch] - php-horde-form 2.0.15-1+deb9u2 NOTE: https://lists.horde.org/archives/announce/2020/001288.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-275/ NOTE: https://github.com/horde/Form/commit/813f8e7e9479fad4546b89c569325ee9eef60b0f 
@@ -18600,7 +18608,7 @@ CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP f {DLA-2175-1} - php-horde-trean 1.1.10-1 (bug #955019) [buster] - php-horde-trean 1.1.9-3+deb10u1 - [stretch] - php-horde-trean (Minor issue) + [stretch] - php-horde-trean 1.1.7-1+deb9u1 NOTE: https://lists.horde.org/archives/announce/2020/001286.html NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/ NOTE: https://github.com/horde/trean/commit/db0714a0c04d87bda9e2852f1b0d259fc281ca75 @@ -18657,7 +18665,7 @@ CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain x {DLA-2111-1} - jackson-databind 2.11.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2620 NOTE: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -19442,7 +19450,7 @@ CVE-2020-8518 (Horde Groupware Webmail Edition 5.2.22 allows injection of arbitr {DLA-2174-1} - php-horde-data (bug #951537) [buster] - php-horde-data 2.1.4-5+deb10u1 - [stretch] - php-horde-data (Minor issue) + [stretch] - php-horde-data 2.1.4-3+deb9u1 NOTE: https://lists.horde.org/archives/announce/2020/001285.html NOTE: https://github.com/horde/Data/commit/78ad0c2390176cdde7260a271bc6ddd86f4c9c0e CVE-2020-8517 (An issue was discovered in Squid before 4.10. Due to incorrect input v ...) 
@@ -20356,7 +20364,7 @@ CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < {DLA-2120-1} - rake 12.3.3-1 [buster] - rake 12.3.1-3+deb10u1 - [stretch] - rake (Minor issue) + [stretch] - rake 10.5.0-2+deb9u1 NOTE: https://hackerone.com/reports/651518 NOTE: Fixed by: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee (v12.3.3) CVE-2020-8129 (An unintended require vulnerability in script-manager npm package vers ...) @@ -20587,14 +20595,14 @@ CVE-2020-8035 (The image view functionality in Horde Groupware Webmail Edition b {DLA-2230-1} - php-horde 5.2.23+debian0-1 (bug #963809) [buster] - php-horde (Minor issue; can be fixed via point release) - [stretch] - php-horde (Minor issue; can be fixed via point release) + [stretch] - php-horde 5.2.13+debian0-1+deb9u2 NOTE: https://github.com/horde/base/commit/64127fe3c2b9843c9760218e59dae9731cc56bdf NOTE: https://lists.horde.org/archives/announce/2020/001290.html CVE-2020-8034 (Gollem before 3.0.13, as used in Horde Groupware Webmail Edition 5.2.2 ...) {DLA-2229-1} - php-horde-gollem 3.0.12-6 (bug #961649) [buster] - php-horde-gollem (Minor issue) - [stretch] - php-horde-gollem (Minor issue) + [stretch] - php-horde-gollem 3.0.10-1+deb9u1 NOTE: https://lists.horde.org/archives/announce/2020/001289.html NOTE: https://github.com/horde/gollem/commit/a73bef1aef27d4cbfc7b939c2a81dea69aabb083 CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Device Nam ...) @@ -23003,7 +23011,7 @@ CVE-2020-7040 (storeBackup.pl in storeBackup through 3.5 relies on the /tmp/stor {DLA-2095-1} - storebackup 3.2.1-2 (bug #949393) [buster] - storebackup (Minor issue) - [stretch] - storebackup (Minor issue) + [stretch] - storebackup 3.2.1-2~deb9u1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1156767 NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/3 NOTE: SuSE provided patch: https://www.openwall.com/lists/oss-security/2020/01/20/3/1 
@@ -23757,7 +23765,7 @@ CVE-2019-20374 (A mutation cross-site scripting (XSS) issue in Typora through 0. CVE-2019-20372 (NGINX before 1.17.7, with certain error_page configurations, allows HT ...) - nginx 1.16.1-3 (low; bug #948579) [buster] - nginx (Minor issue) - [stretch] - nginx (Minor issue) + [stretch] - nginx 1.10.3-1+deb9u4 [jessie] - nginx (Minor issue) NOTE: https://bertjwregeer.keybase.pub/2019-12-10%20-%20error_page%20request%20smuggling.pdf NOTE: https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e @@ -25778,7 +25786,7 @@ CVE-2020-5968 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU p CVE-2020-5967 (NVIDIA Linux GPU Display Driver, all versions, contains a vulnerabilit ...) - nvidia-graphics-drivers 440.100-1 (bug #963766) [buster] - nvidia-graphics-drivers (Non-free not supported) - [stretch] - nvidia-graphics-drivers (Non-free not supported) + [stretch] - nvidia-graphics-drivers 390.138-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) @@ -25800,7 +25808,7 @@ CVE-2020-5964 (NVIDIA Windows GPU Display Driver, all versions, contains a vulne CVE-2020-5963 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) - nvidia-graphics-drivers 440.100-1 (bug #963766) [buster] - nvidia-graphics-drivers (Non-free not supported) - [stretch] - nvidia-graphics-drivers (Non-free not supported) + [stretch] - nvidia-graphics-drivers 390.138-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) 
@@ -26786,7 +26794,7 @@ CVE-2020-5505 (Freelancy v1.0.0 allows remote command execution via the "file":" CVE-2020-5504 (In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists ...) {DLA-2060-1} - phpmyadmin 4:4.9.4+dfsg1-1 (bug #948718) - [stretch] - phpmyadmin (Minor issue; can be fixed via point release) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c86acbf3ed49f69cf38b31879886dd5eb86b6983 NOTE: https://gist.github.com/ibennetch/4c1b701f4b766e4dd5556e8e26200b6b NOTE: https://www.phpmyadmin.net/security/PMASA-2020-1/ @@ -27331,7 +27339,7 @@ CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a pos {DLA-2149-1} - rails 2:5.2.4.1+dfsg-2 (bug #954304) [buster] - rails 2:5.2.2.1+dfsg-1+deb10u1 - [stretch] - rails (Minor issue) + [stretch] - rails 2:4.2.7.1-1+deb9u2 NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1 NOTE: https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a (master) CVE-2020-5266 (In the ps_link module for PrestaShop before version 3.1.0, there is a ...) @@ -27576,7 +27584,7 @@ CVE-2019-20330 (FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net {DLA-2111-1} - jackson-databind 2.10.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2526 NOTE: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e CVE-2019-20329 (OpenLambda 2019-09-10 allows DNS rebinding attacks against the OL serv ...) 
@@ -31395,7 +31403,7 @@ CVE-2020-3898 [heap based buffer overflow in libcups's ppdFindOption() in ppd-ma {DLA-2237-1} - cups 2.3.1-12 [buster] - cups 2.2.10-6+deb10u3 - [stretch] - cups (Minor issue) + [stretch] - cups 2.2.1-8+deb9u6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1823964 NOTE: https://src.fedoraproject.org/rpms/cups/blob/c1920d09b842bd2d0611559d00d595abd8aa2424/f/cups-ppdopen-heap-overflow.patch NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ppd.c, ppdc/ppdc-source.cxx) @@ -32924,7 +32932,7 @@ CVE-2020-3341 (A vulnerability in the PDF archive parsing module in Clam AntiVir {DLA-2215-1} - clamav 0.102.3+dfsg-1 [buster] - clamav (ClamAV is updated via -updates) - [stretch] - clamav (ClamAV is updated via -updates) + [stretch] - clamav 0.102.3+dfsg-0~deb9u1 NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html CVE-2020-3340 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco @@ -32956,7 +32964,7 @@ CVE-2020-3327 (A vulnerability in the ARJ archive parsing module in Clam AntiVir {DLA-2215-1} - clamav 0.102.3+dfsg-1 [buster] - clamav (ClamAV is updated via -updates) - [stretch] - clamav (ClamAV is updated via -updates) + [stretch] - clamav 0.102.3+dfsg-0~deb9u1 NOTE: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html CVE-2020-3326 RESERVED @@ -33367,7 +33375,7 @@ CVE-2020-3124 CVE-2020-3123 (A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiV ...) - clamav 0.102.2+dfsg-1 (bug #950944) [buster] - clamav 0.102.2+dfsg-0+deb10u1 - [stretch] - clamav (ClamAV is updated via -updates) + [stretch] - clamav 0.102.2+dfsg-0~deb9u1 [jessie] - clamav (Vulnerable code introduced in 0.102.x) NOTE: https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html CVE-2020-3122 
@@ -34182,7 +34190,7 @@ CVE-2020-2814 (Vulnerability in the MySQL Server product of Oracle MySQL (compon - mariadb-10.3 1:10.3.23-1 (bug #961849) [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mariadb-10.1 - [stretch] - mariadb-10.1 (Will be fixed via point release) + [stretch] - mariadb-10.1 10.1.45-0+deb9u1 - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.23, 10.1.45 @@ -34192,7 +34200,7 @@ CVE-2020-2812 (Vulnerability in the MySQL Server product of Oracle MySQL (compon - mariadb-10.3 1:10.3.23-1 (bug #961849) [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mariadb-10.1 - [stretch] - mariadb-10.1 (Will be fixed via point release) + [stretch] - mariadb-10.1 10.1.45-0+deb9u1 - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.23, 10.1.45 @@ -34374,7 +34382,7 @@ CVE-2020-2752 (Vulnerability in the MySQL Client product of Oracle MySQL (compon - mariadb-10.3 1:10.3.23-1 (bug #961849) [buster] - mariadb-10.3 (Minor issue; will be fixed via point release) - mariadb-10.1 - [stretch] - mariadb-10.1 (Will be fixed via point release) + [stretch] - mariadb-10.1 10.1.45-0+deb9u1 - mysql-5.7 (bug #956832) NOTE: https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixMSQL NOTE: Fixed in MariaDB 10.3.23, 10.1.45 @@ -37590,6 +37598,7 @@ CVE-2020-1749 [net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup {DLA-2241-1} - linux 5.4.6-1 [buster] - linux 4.19.118-1 + [stretch] - linux 4.9.228-1 NOTE: https://git.kernel.org/linus/6c8991f41546c3c472503dff1ea9daaddf9331c2 CVE-2020-1748 RESERVED 
@@ -43933,7 +43942,7 @@ CVE-2020-0198 (In exif_data_load_data_content of exif-data.c, there is a possibl {DLA-2249-1} - libexif 0.6.22-2 (bug #962345) [buster] - libexif (Minor issue) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u4 NOTE: https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 NOTE: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c CVE-2020-0197 (In InitDataParser::parsePssh of InitDataParser.cpp, there is a possibl ...) @@ -43970,7 +43979,7 @@ CVE-2020-0182 (In exif_entry_get_value of exif-entry.c, there is a possible out {DLA-2249-1} - libexif 0.6.22-1 (low) [buster] - libexif (Minor issue) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u4 NOTE: https://github.com/libexif/libexif/commit/f9bb9f263fb00f0603ecbefa8957cad24168cbff (0.6.22) NOTE: CVE originally originally reported by Android where a different patch was shipped CVE-2020-0181 (In exif_data_load_data_thumbnail of exif-data.c, there is a possible d ...) @@ -44164,7 +44173,7 @@ CVE-2020-0093 (In exif_data_save_data_entry of exif-data.c, there is a possible {DLA-2214-1} - libexif 0.6.21-8 [buster] - libexif (Minor issue) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u2 NOTE: https://github.com/libexif/libexif/issues/42 NOTE: https://github.com/libexif/libexif/commit/5ae5973bed1947f4d447dc80b76d5cefadd90133 CVE-2020-0092 (In setHideSensitive of NotificationStackScrollLayout.java, there is a ...) @@ -44351,7 +44360,7 @@ CVE-2020-0009 (In calc_vm_may_flags of ashmem.c, there is a possible arbitrary w {DLA-2241-1} - linux 5.5.13-1 [buster] - linux 4.19.118-1 - [stretch] - linux (Driver is not enabled or supported) + [stretch] - linux 4.9.228-1 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1949 CVE-2020-0008 (In LowEnergyClient::MtuChangedCallback of low_energy_client.cc, there ...) NOT-FOR-US: Android 
@@ -45748,7 +45757,7 @@ CVE-2019-17566 [SSRF vulnerability] RESERVED - batik 1.12-1.1 (bug #964510) [buster] - batik (Minor issue, will be fixed via point update) - [stretch] - batik (Minor issue, will be fixed via point update) + [stretch] - batik 1.8-4+deb9u2 NOTE: https://www.openwall.com/lists/oss-security/2020/06/15/2 NOTE: patch: http://svn.apache.org/viewvc?view=revision&revision=1871084 NOTE: corresponding bug: https://issues.apache.org/jira/browse/BATIK-1276 @@ -45988,7 +45997,7 @@ CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML jackson-d {DLA-2030-1} - jackson-databind 2.10.1-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2498 NOTE: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -46672,7 +46681,7 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-d {DLA-2030-1} - jackson-databind 2.10.0-1 [buster] - jackson-databind (Minor issue; can be fixed via a point release) - [stretch] - jackson-databind (Minor issue; can be fixed via a point release) + [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2460 NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb CVE-2019-17266 (libsoup from versions 2.65.1 until 2.68.1 have a heap-based buffer ove ...) 
@@ -49587,7 +49596,7 @@ CVE-2019-16378 (OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 is prone t CVE-2019-16275 (hostapd before 2.10 and wpa_supplicant before 2.10 allow an incorrect ...) {DSA-4538-1 DLA-1922-1} - wpa 2:2.9-2 (bug #940080) - [stretch] - wpa (Minor issue; can be fixed via point release) + [stretch] - wpa 2:2.4-1+deb9u6 NOTE: https://www.openwall.com/lists/oss-security/2019/09/11/7 NOTE: https://w1.fi/security/2019-7/ CVE-2019-16238 (Afterlogic Aurora through 8.3.9-build-a3 has XSS that can be leveraged ...) @@ -51197,7 +51206,7 @@ CVE-2019-15690 {DLA-2146-1} - libvncserver 0.9.12+dfsg-9 (bug #954163) [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3 - [stretch] - libvncserver (Minor issue) + [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u4 NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/LibVNC/libvncserver/issues/381 NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed @@ -51753,7 +51762,7 @@ CVE-2019-15523 CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...) - csync2 2.0-25-gc0faaf9-1 (bug #955445) [buster] - csync2 2.0-22-gce67c55-1+deb10u1 - [stretch] - csync2 (Minor issue) + [stretch] - csync2 2.0-8-g175a01c-4+deb9u1 [jessie] - csync2 (Minor issue) NOTE: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1 CVE-2019-15521 (Spoon Library through 2014-02-06, as used in Fork CMS before 1.4.1 and ...) @@ -53231,7 +53240,7 @@ CVE-2016-10894 (xtrlock through 2.10 does not block multitouch events. Consequen {DLA-1959-1} - xtrlock 2.12 (bug #830726) [buster] - xtrlock 2.8+deb10u1 - [stretch] - xtrlock (Minor issue; can be fixed via point release) + [stretch] - xtrlock 2.8+deb9u1 CVE-2016-10893 (The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has mu ...) NOT-FOR-US: Wordpress plugin CVE-2016-10892 (The chained-quiz plugin before 1.0 for WordPress has multiple XSS issu ...) 
@@ -55282,6 +55291,7 @@ CVE-2019-14466 (The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulne {DLA-1905-1} - gosa 2.7.4+reloaded3-10 [buster] - gosa 2.7.4+reloaded3-8+deb10u2 + [stretch] - gosa 2.7.4+reloaded2-13+deb9u3 NOTE: https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b (fix) NOTE: https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a (fixing the prev commit) NOTE: https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100 @@ -61957,7 +61967,7 @@ CVE-2019-12617 (In SilverStripe through 4.3.3, there is access escalation for CM CVE-2019-12616 (An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability wa ...) {DLA-1821-1} - phpmyadmin 4:4.9.1+dfsg1-2 (bug #930017) - [stretch] - phpmyadmin (Minor issue; can be fixed via point release) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 NOTE: https://www.phpmyadmin.net/security/PMASA-2019-4/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec CVE-2019-12613 @@ -64196,7 +64206,7 @@ CVE-2019-11769 (An issue was discovered in TeamViewer 14.2.2558. Updating the pr NOT-FOR-US: TeamViewer CVE-2019-11768 (An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability ...) - phpmyadmin 4:4.9.1+dfsg1-2 (bug #930048) - [stretch] - phpmyadmin (Minor issue; can be fixed via point release) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 [jessie] - phpmyadmin (vulnerable code is not present) NOTE: https://www.phpmyadmin.net/security/PMASA-2019-3/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c1ecafc38319e8f768c9259d4d580e42acd5ee86 
@@ -65347,7 +65357,7 @@ CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() fun {DSA-4624-1 DLA-1882-1 DLA-1881-1} - atril 1.22.3-1 (unimportant; bug #927821) [buster] - atril 1.20.3-1+deb10u1 - [stretch] - atril (Will be fixed via spu) + [stretch] - atril 1.16.1-2+deb9u2 - evince 3.32.0-3 (unimportant; bug #927820) [buster] - evince 3.30.2-3+deb10u1 NOTE: https://gitlab.gnome.org/GNOME/evince/issues/1129 @@ -66061,7 +66071,7 @@ CVE-2019-11187 (Incorrect Access Control in the LDAP class of GONICUS GOsa throu [stretch] - fusiondirectory 1.0.19-1+deb9u1 - gosa 2.7.4+reloaded3-9 [buster] - gosa 2.7.4+reloaded3-8+deb10u1 - [stretch] - gosa (Minor issue) + [stretch] - gosa 2.7.4+reloaded2-13+deb9u2 CVE-2019-11186 RESERVED CVE-2019-11185 (The WP Live Chat Support Pro plugin through 8.0.26 for WordPress conta ...) @@ -70521,7 +70531,7 @@ CVE-2019-1010006 (Evince 3.26.0 is affected by buffer overflow. The impact is: D {DSA-4624-1 DLA-1882-1 DLA-1881-1} - atril 1.22.2-1 [buster] - atril 1.20.3-1+deb10u1 - [stretch] - atril (Will be fixed via spu) + [stretch] - atril 1.16.1-2+deb9u2 - evince 3.27.92-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=788980 NOTE: https://gitlab.gnome.org/GNOME/evince/commit/e6ed0d4cdb6326e329c8f61f9cc19ff9331cb0ce (3.27.91) @@ -71333,7 +71343,7 @@ CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...) {DLA-1768-1} - checkstyle 8.26-1 (low; bug #924598) [buster] - checkstyle 8.15-1+deb10u1 - [stretch] - checkstyle (Minor issue) + [stretch] - checkstyle 6.15-1+deb9u1 NOTE: https://github.com/checkstyle/checkstyle/issues/6474 NOTE: https://github.com/checkstyle/checkstyle/issues/6478 NOTE: https://github.com/checkstyle/checkstyle/pull/6476 
@@ -73736,7 +73746,7 @@ CVE-2019-8842 [he `ippReadIO` function may under-read an extension field] {DLA-2237-1} - cups 2.3.1-12 [buster] - cups 2.2.10-6+deb10u3 - [stretch] - cups (Minor issue) + [stretch] - cups 2.2.1-8+deb9u6 NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ipp.c: ippReadIO) CVE-2019-8841 RESERVED @@ -78919,13 +78929,13 @@ CVE-2019-6800 (In TitanHQ SpamTitan through 7.03, a vulnerability exists in the CVE-2019-6799 (An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbi ...) {DLA-1692-1} - phpmyadmin 4:4.9.1+dfsg1-2 (bug #920823) - [stretch] - phpmyadmin (Minor issue; can be fixed via point release) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 NOTE: https://www.phpmyadmin.net/security/PMASA-2019-1/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900 CVE-2019-6798 (An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability wa ...) - phpmyadmin 4:4.9.1+dfsg1-2 (bug #920822) - [stretch] - phpmyadmin (Minor issue; can be fixed via point release) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 [jessie] - phpmyadmin (Vulnerable code introduced later >= 4.5.0) NOTE: https://www.phpmyadmin.net/security/PMASA-2019-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/469934cf7d3bd19a839eb78670590f7511399435 @@ -86124,7 +86134,7 @@ CVE-2019-3830 (A vulnerability was found in ceilometer before version 12.0.0.0rc CVE-2019-3829 (A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. ...) [experimental] - gnutls28 3.6.7-1 - gnutls28 3.6.7-2 - [stretch] - gnutls28 (Minor issue, can be fixed via point release) + [stretch] - gnutls28 3.5.8-5+deb9u5 [jessie] - gnutls28 (vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1677048 NOTE: https://gitlab.com/gnutls/gnutls/issues/694 
@@ -86497,7 +86507,7 @@ CVE-2019-3689 (The nfs-utils package in SUSE Linux Enterprise Server 12 before a {DLA-1965-1} - nfs-utils 1:1.3.4-3 (bug #940848) [buster] - nfs-utils (Minor issue) - [stretch] - nfs-utils (Minor issue) + [stretch] - nfs-utils 1:1.3.4-2.1+deb9u1 NOTE: https://git.linux-nfs.org/?p=steved/nfs-utils.git;a=commitdiff;h=fee2cc29e888f2ced6a76990923aef19d326dc0e CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Enterpri ...) - squid (/usr/lib/squid/pinger permissions are root:root) @@ -91421,7 +91431,7 @@ CVE-2018-20031 (A Denial of Service vulnerability related to preemptive item del CVE-2018-20030 (An error when processing the EXIF_IFD_INTEROPERABILITY and EXIF_IFD_EX ...) {DLA-2222-1 DLA-2214-1} - libexif 0.6.21-5.1 (bug #918730) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u2 NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28/ NOTE: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89 CVE-2018-20029 (The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before 6 ...) @@ -92333,7 +92343,7 @@ CVE-2018-20024 (LibVNC before commit 4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 co [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) - [stretch] - ssvnc (Minor issue) + [stretch] - ssvnc 1.0.29-3+deb9u1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/254 NOTE: https://github.com/LibVNC/libvncserver/commit/4a21bbd097ef7c44bb000c3bd0907f96a10e4ce7 @@ -92354,7 +92364,7 @@ CVE-2018-20022 (LibVNC before 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) - [stretch] - ssvnc (Minor issue) + [stretch] - ssvnc 1.0.29-3+deb9u1 - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 
@@ -92369,7 +92379,7 @@ CVE-2018-20021 (LibVNC before commit c3115350eb8bb635d0fdb4dbbb0d0541f38ed19c co [stretch] - italc 1:3.0.3+dfsg1-1+deb9u1 - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) - [stretch] - ssvnc (Minor issue) + [stretch] - ssvnc 1.0.29-3+deb9u1 - tightvnc 1:1.3.9-9.1 [buster] - tightvnc 1:1.3.9-9deb10u1 [stretch] - tightvnc 1:1.3.9-9+deb9u1 @@ -92384,7 +92394,7 @@ CVE-2018-20020 (LibVNC before commit 7b1ef0ffc4815cab9a96c7278394152bdc89dc4d co [stretch] - italc (Incomplete fix for CVE-2018-20019 not applied) - ssvnc 1.0.29-5 (bug #945827) [buster] - ssvnc (Minor issue) - [stretch] - ssvnc (Minor issue) + [stretch] - ssvnc 1.0.29-3+deb9u1 - veyon 4.1.4+repack1-1 NOTE: https://github.com/LibVNC/libvncserver/issues/250 NOTE: https://github.com/LibVNC/libvncserver/commit/09f2f3fb6a5a163e453e5c2979054670c39694bc @@ -92569,7 +92579,7 @@ CVE-2018-19971 (JFrog Artifactory Pro 6.5.9 has Incorrect Access Control. ...) CVE-2018-19970 (In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navi ...) {DLA-1658-1} - phpmyadmin 4:4.9.1+dfsg1-2 - [stretch] - phpmyadmin (Minor issue; can be fixed via point release) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 NOTE: https://www.phpmyadmin.net/security/PMASA-2018-8/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e CVE-2018-19969 (phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected by a s ...) @@ -92582,7 +92592,7 @@ CVE-2018-19969 (phpMyAdmin 4.7.x and 4.8.x versions prior to 4.8.4 are affected CVE-2018-19968 (An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents o ...) {DLA-1658-1} - phpmyadmin 4:4.9.1+dfsg1-2 - [stretch] - phpmyadmin (Minor issue; can be fixed via point release) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 NOTE: https://www.phpmyadmin.net/security/PMASA-2018-6/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732 CVE-2018-19959 
@@ -106375,7 +106385,7 @@ CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows r {DLA-1551-1} - exiv2 0.27.2-6 (bug #916081) [buster] - exiv2 (Minor issue) - [stretch] - exiv2 (Minor issue) + [stretch] - exiv2 0.25-3.1+deb9u2 NOTE: https://github.com/Exiv2/exiv2/issues/400 NOTE: https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d CVE-2018-16335 (newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c ...) @@ -124498,6 +124508,7 @@ CVE-2018-9518 (In nfc_llcp_build_sdreq_tlv of llcp_commands.c, there is a possib NOTE: Fixed by: https://git.kernel.org/linus/fe9c842695e26d8116b61b80bfb905356f07834b (4.16-rc3) CVE-2018-9517 (In pppol2tp_connect, there is possible memory corruption due to a use ...) - linux 4.14.2-1 + [stretch] - linux 4.9.228-1 [jessie] - linux 3.16.51-1 NOTE: https://git.kernel.org/linus/f026bc29a8e093edfbb2a77700454b285c97e8ad NOTE: https://source.android.com/security/bulletin/pixel/2018-09-01 @@ -130900,7 +130911,7 @@ CVE-2018-7261 (There are multiple Persistent XSS vulnerabilities in Radiant CMS NOT-FOR-US: Radiant CMS CVE-2018-7260 (Cross-site scripting (XSS) vulnerability in db_central_columns.php in ...) - phpmyadmin 4:4.9.1+dfsg1-2 (bug #893539) - [stretch] - phpmyadmin (Minor issue) + [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 [jessie] - phpmyadmin (Vulnerable code not present) [wheezy] - phpmyadmin (Vulnerable code not present) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3e8745e8845633ae8a0054b5ee4d8babd5 
@@ -141105,7 +141116,7 @@ CVE-2018-3775 (Improper Authentication in Nextcloud Server prior to version 12.0 - nextcloud (bug #835086) CVE-2018-3774 (Incorrect parsing in url-parse <1.4.3 returns wrong hostname which ...) - node-url-parse 1.2.0-2 (bug #906058) - [stretch] - node-url-parse (Nodejs in stretch not covered by security support) + [stretch] - node-url-parse 1.0.5-2+deb9u1 NOTE: https://hackerone.com/reports/384029 NOTE: https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a NOTE: https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de @@ -151676,7 +151687,7 @@ CVE-2017-1000207 (A vulnerability in Swagger-Parser's version <= 1.0.30 and S CVE-2017-1000159 (Command injection in evince via filename when printing to PDF. This af ...) {DSA-4624-1 DLA-1882-1 DLA-1881-1 DLA-1204-1} - atril 1.20.0-1 (low) - [stretch] - atril (Minor issue; will be fixed via spu) + [stretch] - atril 1.16.1-2+deb9u2 - evince 3.25.92-1 (low) [stretch] - evince (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784947 @@ -168633,7 +168644,7 @@ CVE-2017-11748 (VIT Spider Player 2.5.3 has an untrusted search path, allowing D CVE-2017-11747 (main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinypro ...) {DLA-2163-1} - tinyproxy 1.10.0-1 (bug #870307) - [stretch] - tinyproxy (Minor issue) + [stretch] - tinyproxy 1.8.4-3~deb9u2 [wheezy] - tinyproxy (Minor issue) NOTE: https://github.com/tinyproxy/tinyproxy/issues/106 CVE-2017-11746 (Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a n ...) 
@@ -181755,7 +181766,7 @@ CVE-2017-7545 (It was discovered that the XmlUtils class in jbpmmigration 6.5 pe CVE-2017-7544 (libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulner ...) {DLA-2214-1} - libexif 0.6.21-2.1 (bug #876466) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u2 [wheezy] - libexif (Minor issue) NOTE: https://sourceforge.net/p/libexif/bugs/130/ CVE-2017-7543 (A race-condition flaw was discovered in openstack-neutron before 7.2.0 ...) @@ -213279,7 +213290,7 @@ CVE-2016-6329 (OpenVPN, when using a 64-bit block cipher, makes it easier for re CVE-2016-6328 (A vulnerability was found in libexif. An integer overflow when parsing ...) {DLA-2214-1} - libexif 0.6.21-2.1 (bug #873022) - [stretch] - libexif (Minor issue) + [stretch] - libexif 0.6.21-2+deb9u2 [wheezy] - libexif (Minor issue) NOTE: http://libexif.cvs.sourceforge.net/viewvc/libexif/libexif/libexif/pentax/mnote-pentax-entry.c?r1=1.26&r2=1.27 CVE-2016-6327 (drivers/infiniband/ulp/srpt/ib_srpt.c in the Linux kernel before 4.5.1 ...) diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt index fc18485fb2..e69de29bb2 100644 --- a/data/next-oldstable-point-update.txt +++ b/data/next-oldstable-point-update.txt 
@@ -1,205 +0,0 @@ -CVE-2018-16336 - [stretch] - exiv2 0.25-3.1+deb9u2 -CVE-2018-3774 - [stretch] - node-url-parse 1.0.5-2+deb9u1 -CVE-2019-11187 - [stretch] - gosa 2.7.4+reloaded2-13+deb9u2 -CVE-2019-14466 - [stretch] - gosa 2.7.4+reloaded2-13+deb9u3 -CVE-2018-7260 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2018-19968 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2018-19970 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2019-6799 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2019-6798 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2019-11768 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2019-12616 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2020-5504 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2020-10802 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2020-10803 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2020-10804 - [stretch] - phpmyadmin 4:4.6.6-4+deb9u1 -CVE-2019-20372 - [stretch] - nginx 1.10.3-1+deb9u4 -CVE-2016-10894 - [stretch] - xtrlock 2.8+deb9u1 -CVE-2019-16275 - [stretch] - wpa 2:2.4-1+deb9u6 -CVE-2020-3123 - [stretch] - clamav 0.102.2+dfsg-0~deb9u1 -CVE-2020-3327 - [stretch] - clamav 0.102.3+dfsg-0~deb9u1 -CVE-2020-3341 - [stretch] - clamav 0.102.3+dfsg-0~deb9u1 -CVE-2020-8130 - [stretch] - rake 10.5.0-2+deb9u1 -CVE-2020-5267 - [stretch] - rails 2:4.2.7.1-1+deb9u2 -CVE-2019-9658 - [stretch] - checkstyle 6.15-1+deb9u1 -CVE-2019-15522 - [stretch] - csync2 2.0-8-g175a01c-4+deb9u1 -CVE-2017-11747 - [stretch] - tinyproxy 1.8.4-3~deb9u2 -CVE-2019-15690 - [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u4 -CVE-2019-20788 - [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u4 -CVE-2020-8518 - [stretch] - php-horde-data 2.1.4-3+deb9u1 -CVE-2020-8866 - [stretch] - php-horde-form 2.0.15-1+deb9u2 -CVE-2020-8865 - [stretch] - php-horde-trean 1.1.7-1+deb9u1 -CVE-2020-3898 - [stretch] - cups 2.2.1-8+deb9u6 -CVE-2019-8842 - [stretch] - cups 2.2.1-8+deb9u6 -CVE-2020-XXXX - [stretch] - fex 20160919-2~deb9u1 -CVE-2016-6328 - [stretch] - libexif 0.6.21-2+deb9u2 
-CVE-2017-7544 - [stretch] - libexif 0.6.21-2+deb9u2 -CVE-2018-20030 - [stretch] - libexif 0.6.21-2+deb9u2 -CVE-2020-12767 - [stretch] - libexif 0.6.21-2+deb9u2 -CVE-2020-0093 - [stretch] - libexif 0.6.21-2+deb9u2 -CVE-2020-8034 - [stretch] - php-horde-gollem 3.0.10-1+deb9u1 -CVE-2018-20020 - [stretch] - ssvnc 1.0.29-3+deb9u1 -CVE-2018-20021 - [stretch] - ssvnc 1.0.29-3+deb9u1 -CVE-2018-20022 - [stretch] - ssvnc 1.0.29-3+deb9u1 -CVE-2018-20024 - [stretch] - ssvnc 1.0.29-3+deb9u1 -CVE-2020-8035 - [stretch] - php-horde 5.2.13+debian0-1+deb9u2 -CVE-2020-13112 - [stretch] - libexif 0.6.21-2+deb9u3 -CVE-2020-13113 - [stretch] - libexif 0.6.21-2+deb9u3 -CVE-2020-13114 - [stretch] - libexif 0.6.21-2+deb9u3 -CVE-2020-12872 - [stretch] - erlang 1:19.2.1+dfsg-2+deb9u3 -CVE-2020-10543 - [stretch] - perl 5.24.1-3+deb9u7 -CVE-2020-10878 - [stretch] - perl 5.24.1-3+deb9u7 -CVE-2020-12723 - [stretch] - perl 5.24.1-3+deb9u7 -CVE-2020-10663 - [stretch] - ruby-json 2.0.1+dfsg-3+deb9u1 - [stretch] - ruby2.3 2.3.3-1+deb9u8 -CVE-2020-12049 - [stretch] - dbus 1.10.32-0+deb9u1 -CVE-2019-3689 - [stretch] - nfs-utils 1:1.3.4-2.1+deb9u1 -CVE-2019-3829 - [stretch] - gnutls28 3.5.8-5+deb9u5 -CVE-2020-0182 - [stretch] - libexif 0.6.21-2+deb9u4 -CVE-2020-0198 - [stretch] - libexif 0.6.21-2+deb9u4 -CVE-2020-5963 - [stretch] - nvidia-graphics-drivers 390.138-1 -CVE-2020-5967 - [stretch] - nvidia-graphics-drivers 390.138-1 -CVE-2020-2752 - [stretch] - mariadb-10.1 10.1.45-0+deb9u1 -CVE-2020-2812 - [stretch] - mariadb-10.1 10.1.45-0+deb9u1 -CVE-2020-2814 - [stretch] - mariadb-10.1 10.1.45-0+deb9u1 -CVE-2018-9517 - [stretch] - linux 4.9.228-1 -CVE-2019-20810 - [stretch] - linux 4.9.228-1 -CVE-2020-10690 - [stretch] - linux 4.9.228-1 -CVE-2020-10766 - [stretch] - linux 4.9.228-1 -CVE-2020-10767 - [stretch] - linux 4.9.228-1 -CVE-2020-10768 - [stretch] - linux 4.9.228-1 -CVE-2020-12769 - [stretch] - linux 4.9.228-1 -CVE-2020-12826 - [stretch] - linux 4.9.228-1 -CVE-2020-13974 - [stretch] - linux 
4.9.228-1 -CVE-2020-1749 - [stretch] - linux 4.9.228-1 -CVE-2020-0009 - [stretch] - linux 4.9.228-1 -CVE-2020-15562 - [stretch] - roundcube 1.2.3+dfsg.1-4+deb9u6 -CVE-2020-7040 - [stretch] - storebackup 3.2.1-2~deb9u1 -CVE-2020-9548 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-9547 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-9546 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-8840 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-14195 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-14062 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-14061 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-14060 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-11620 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-11619 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-11113 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-11112 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-11111 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-10969 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-10968 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-10673 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-10672 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2019-20330 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2019-17531 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2019-17267 - [stretch] - jackson-databind 2.8.6-1+deb9u7 -CVE-2020-11736 - [stretch] - file-roller 3.22.3-1+deb9u2 -CVE-2017-1000159 - [stretch] - atril 1.16.1-2+deb9u2 -CVE-2019-1010006 - [stretch] - atril 1.16.1-2+deb9u2 -CVE-2019-11459 - [stretch] - atril 1.16.1-2+deb9u2 -CVE-2019-17566 - [stretch] - batik 1.8-4+deb9u2 -CVE-2020-13645 - [stretch] - glib-networking 2.50.0-1+deb9u1 -- cgit v1.2.3
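Review bot: In the CVE-2020-0009 hunk (`@@ -44351,7 +44360,7 @@`), the removed line `[stretch] - linux (Driver is not enabled or supported)` recorded why stretch was not being patched, and the replacement `[stretch] - linux 4.9.228-1` drops that rationale without a trace. If the ashmem driver is still not built in the stretch kernel, keep that fact as a `NOTE:` line under the entry, so that someone triaging a host on a kernel older than 4.9.228-1 can see the exposure depended on the driver being enabled rather than reading it as a plain unfixed bug.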
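Review bot: In the CVE-2018-3774 hunk (`@@ -141105,7 +141116,7 @@`), the line being replaced states `(Nodejs in stretch not covered by security support)`, while the new line records a fixed version, `[stretch] - node-url-parse 1.0.5-2+deb9u1`. Read back in history the two statements look contradictory, so a short `NOTE:` saying the fix was shipped through the point release despite the support exclusion would keep the entry self-explanatory.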
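Review bot: The `@@ -1,205 +0,0 @@` hunk empties data/next-oldstable-point-update.txt, so each deleted pair has to reappear as a `+ [stretch]` line in data/CVE/list, and two entries are easy to lose when matching by CVE id. `-CVE-2020-XXXX` with `[stretch] - fex 20160919-2~deb9u1` has no assigned id to match on, and `-CVE-2020-10663` carries two package lines (`ruby-json 2.0.1+dfsg-3+deb9u1` and `ruby2.3 2.3.3-1+deb9u8`). Please confirm that the fex entry and both ruby lines were carried over before the staging file is cleared.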