author: Salvatore Bonaccorso <carnil@debian.org>, 2021-10-09 10:39:17 +0200
committer: Salvatore Bonaccorso <carnil@debian.org>, 2021-10-09 10:39:17 +0200
commit: 927958bc936c5a14ed74a47460f7d7ef38dfa3c0 (patch)
tree: 9d89189ef8322b5ba3f87e2fb485342541299610 /data
parent: 8afed6821500cd7a2aba6c9e56617ed4d01d7aff (diff)
Merge in the accepted packages from bullseye 11.1
Though the release has not happened yet, this is the list of
packages which were copied over from bullseye-pu to bullseye.
The final 11.1 changes still need to be verified for any missing
additional ones.
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list.2020 | 8
-rw-r--r-- data/CVE/list.2021 | 47
-rw-r--r-- data/next-point-update.txt | 56
3 files changed, 28 insertions, 83 deletions
diff --git a/data/CVE/list.2020 b/data/CVE/list.2020 index 50d91d768f..e175b98b8f 100644 --- a/data/CVE/list.2020 +++ b/data/CVE/list.2020 @@ -30611,7 +30611,7 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...) {DLA-2726-1} - shiro 1.3.2-5 (bug #988728) - [bullseye] - shiro <no-dsa> (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7 NOTE: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E @@ -39426,7 +39426,7 @@ CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6 CVE-2020-13933 (Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafte ...) {DLA-2726-1} - shiro 1.3.2-5 (bug #968753) - [bullseye] - shiro <no-dsa> (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro <no-dsa> (Minor issue) NOTE: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E CVE-2020-13932 (In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT p ...) @@ -44362,7 +44362,7 @@ CVE-2020-11990 (We have resolved a security issue in the camera plugin that coul CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...) {DLA-2273-1} - shiro 1.3.2-5 (bug #988728) - [bullseye] - shiro <no-dsa> (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1 NOTE: https://github.com/apache/shiro/pull/211 
@@ -67962,7 +67962,7 @@ CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, calle CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...) {DLA-2273-1 DLA-2181-1} - shiro 1.3.2-5 (bug #955018) - [bullseye] - shiro <no-dsa> (Minor issue) + [bullseye] - shiro 1.3.2-4+deb11u1 [buster] - shiro <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2 NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139 diff --git a/data/CVE/list.2021 b/data/CVE/list.2021 index 47443fb7e9..3cdf811a48 100644 --- a/data/CVE/list.2021 +++ b/data/CVE/list.2021 @@ -1871,7 +1871,7 @@ CVE-2021-3808 RESERVED CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Complexity ...) - node-ansi-regex 5.0.1-1 (bug #994568) - [bullseye] - node-ansi-regex <no-dsa> (Minor issue) + [bullseye] - node-ansi-regex 5.0.1-1~deb11u1 [buster] - node-ansi-regex <no-dsa> (Minor issue) [stretch] - node-ansi-regex <not-affected> (Vulnerable code introduced later) NOTE: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994 @@ -1880,7 +1880,7 @@ CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extra NOT-FOR-US: Pardus Software Center CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification of Obj ...) - node-object-path 0.11.8-1 - [bullseye] - node-object-path <no-dsa> (Minor issue) + [bullseye] - node-object-path 0.11.5-3+deb11u1 [buster] - node-object-path <no-dsa> (Minor issue) [stretch] - node-object-path <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 
@@ -2365,6 +2365,7 @@ CVE-2021-41078 RESERVED CVE-2021-3801 (prism is vulnerable to Inefficient Regular Expression Complexity ...) - node-prismjs 1.25.0+dfsg-1 + [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1 NOTE: https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9 CVE-2021-41077 (The activation process in Travis CI, for certain 2021-09-03 through 20 ...) NOT-FOR-US: Travis CI @@ -2820,7 +2821,7 @@ CVE-2021-3799 (grav-plugin-admin is vulnerable to Improper Restriction of Render NOT-FOR-US: Grav CMS CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buff ...) - atftp 0.7.git20210915-1 (bug #994895) - [bullseye] - atftp <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - atftp 0.7.git20120829-3.3+deb11u1 [buster] - atftp <no-dsa> (Minor issue; can be fixed via point release) [stretch] - atftp <postponed> (Minor issue) NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/ @@ -3271,7 +3272,7 @@ CVE-2021-XXXX [jws alg:none signature verification issue] NOTE: https://github.com/babelouest/rhonabwy/commit/ff9ecad4c9a031c8369acde67ea52d558899e51e (v1.0.0) CVE-2021-40818 (scheme/webauthn.c in Glewlwyd SSO server through 2.5.3 has a buffer ov ...) - glewlwyd 2.5.2-3 (bug #993867) - [bullseye] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - glewlwyd 2.5.2-2+deb11u1 [buster] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release) NOTE: https://github.com/babelouest/glewlwyd/commit/0efd112bb62f566877750ad62ee828bff579b4e2 CVE-2021-40683 (In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4 ...) 
@@ -3574,7 +3575,7 @@ CVE-2021-40541 RESERVED CVE-2021-40540 (ulfius_uri_logger in Ulfius HTTP Framework before 2.7.4 omits con_info ...) - ulfius 2.7.1-2 (bug #993851) - [bullseye] - ulfius <no-dsa> (Minor issue) + [bullseye] - ulfius 2.7.1-1+deb11u1 [buster] - ulfius <no-dsa> (Minor issue) NOTE: https://github.com/babelouest/ulfius/commit/c83f564c184a27145e07c274b305cabe943bbfaa CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnera ...) @@ -4163,7 +4164,7 @@ CVE-2021-3750 [hcd-ehci: DMA reentrancy issue leads to use-after-free] NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity ...) - node-axios 0.21.3+dfsg-1 - [bullseye] - node-axios <no-dsa> (Minor issue) + [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1 [buster] - node-axios <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/ NOTE: https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929 @@ -8235,7 +8236,7 @@ CVE-2021-38562 RESERVED - request-tracker5 <unfixed> (bug #995167) - request-tracker4 4.4.4+dfsg-3 (bug #995175) - [bullseye] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release) + [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1 [buster] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release) [stretch] - request-tracker4 <no-dsa> (Minor issue) NOTE: https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c (rt-5.0.2) 
@@ -9188,7 +9189,7 @@ CVE-2021-3689 (yii2 is vulnerable to Use of Predictable Algorithm in Random Numb CVE-2021-38173 (Btrbk before 0.31.2 allows command execution because of the mishandlin ...) {DLA-2755-1} - btrbk 0.27.1-2 - [bullseye] - btrbk <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - btrbk 0.27.1-1.1+deb11u1 [buster] - btrbk <no-dsa> (Minor issue; can be fixed via point release) NOTE: Fixed by: https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584 (v0.31.2) NOTE: Introduced by: https://github.com/digint/btrbk/commit/ccb5ed5e7191a083da52998df4c880f693451144 (v0.23.0-rc1) @@ -9967,7 +9968,7 @@ CVE-2021-37844 CVE-2021-3677 [Memory disclosure in certain queries] RESERVED - postgresql-13 13.4-1 - [bullseye] - postgresql-13 <no-dsa> (Minor issue; will be fixed via point release) + [bullseye] - postgresql-13 13.4-0+deb11u1 - postgresql-11 <removed> [buster] - postgresql-11 <no-dsa> (Minor issue) NOTE: https://www.postgresql.org/about/news/postgresql-134-128-1113-1018-9623-and-14-beta-3-released-2277/ @@ -10178,7 +10179,7 @@ CVE-2021-37751 CVE-2021-37750 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before ...) {DLA-2771-1} - krb5 1.18.3-7 (bug #992607) - [bullseye] - krb5 <no-dsa> (Minor issue) + [bullseye] - krb5 1.18.3-6+deb11u1 [buster] - krb5 <no-dsa> (Minor issue) NOTE: https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49 CVE-2021-37749 (MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16 ...) @@ -12335,7 +12336,7 @@ CVE-2021-36774 RESERVED CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...) - ublock-origin 1.37.0+dfsg-1 (bug #991386) - [bullseye] - ublock-origin <no-dsa> (Minor issue) + [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1 [buster] - ublock-origin <no-dsa> (Minor issue) [stretch] - ublock-origin <no-dsa> (Minor issue) - umatrix <unfixed> (bug #991344) 
@@ -14268,7 +14269,7 @@ CVE-2021-3627 RESERVED CVE-2021-35940 (An out-of-bounds array read in the apr_time_exp*() functions was fixed ...) - apr 1.7.0-7 (bug #992789) - [bullseye] - apr <no-dsa> (Minor issue) + [bullseye] - apr 1.7.0-6+deb11u1 [buster] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0) [stretch] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0) NOTE: The issue exists because the CVE-2017-12613 fix was not carried forward @@ -15555,7 +15556,7 @@ CVE-2021-35369 CVE-2021-35368 [CRS Request Body Bypass] RESERVED - modsecurity-crs 3.3.2-1 (bug #992000) - [bullseye] - modsecurity-crs <no-dsa> (Minor issue) + [bullseye] - modsecurity-crs 3.3.0-1+deb11u1 [buster] - modsecurity-crs <no-dsa> (Minor issue) [stretch] - modsecurity-crs <no-dsa> (Minor issue) NOTE: https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/ @@ -17338,7 +17339,7 @@ CVE-2021-3596 CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP network ...) {DLA-2753-1} - libslirp 4.6.1-1 (bug #989996) - [bullseye] - libslirp <no-dsa> (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu <no-dsa> (Minor issue) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) @@ -17348,7 +17349,7 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP network ...) {DLA-2753-1} - libslirp 4.6.1-1 (bug #989995) - [bullseye] - libslirp <no-dsa> (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu <no-dsa> (Minor issue) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0) 
@@ -17356,7 +17357,7 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP network ...) - libslirp 4.6.1-1 (bug #989994) - [bullseye] - libslirp <no-dsa> (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <no-dsa> (Minor issue) @@ -17365,7 +17366,7 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP network ...) - libslirp 4.6.1-1 (bug #989993) - [bullseye] - libslirp <no-dsa> (Minor issue) + [bullseye] - libslirp 4.4.0-1+deb11u2 - qemu 1:4.1-2 [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <ignored> (Introduces a regression. See Debian bug #994080) @@ -19571,7 +19572,7 @@ CVE-2021-33583 (REINER timeCard 6.05.07 installs a Microsoft SQL Server with an NOT-FOR-US: REINER CVE-2021-33582 (Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of s ...) - cyrus-imapd 3.4.2-1 (bug #993433) - [bullseye] - cyrus-imapd <no-dsa> (Minor issue; pending fix via point release) + [bullseye] - cyrus-imapd 3.2.6-2+deb11u1 [buster] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release) [stretch] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release) - cyrus-imapd-2.4 <removed> 
@@ -21487,14 +21488,14 @@ CVE-2021-32805 (Flask-AppBuilder is an application development framework, built NOT-FOR-US: Flask-AppBuilder CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4 ...) - node-tar 6.1.7+~cs11.3.10-1 (bug #992111) - [bullseye] - node-tar <no-dsa> (Minor issue) + [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 [buster] - node-tar <no-dsa> (Minor issue) [stretch] - node-tar <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 NOTE: https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 CVE-2021-32803 (The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4 ...) - node-tar 6.1.7+~cs11.3.10-1 (bug #992110) - [bullseye] - node-tar <no-dsa> (Minor issue) + [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 [buster] - node-tar <no-dsa> (Minor issue) [stretch] - node-tar <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw @@ -29837,7 +29838,7 @@ CVE-2021-29489 (Highcharts JS is a JavaScript charting library based on SVG. In NOT-FOR-US: Highcharts JS CVE-2021-29488 (SABnzbd is an open source binary newsreader. A vulnerability was disco ...) - sabnzbdplus 3.2.1+dfsg-1 - [bullseye] - sabnzbdplus <no-dsa> (Minor issue; non-free/contrib not security supported) + [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1 [buster] - sabnzbdplus <no-dsa> (Minor issue; non-free/contrib not security supported) [stretch] - sabnzbdplus <no-dsa> (Minor issue; contrib not supported) NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-jwj3-wrvf-v3rp 
@@ -44108,7 +44109,7 @@ CVE-2021-23441 (All versions of package com.jsoniter:jsoniter are vulnerable to NOT-FOR-US: com.jsoniter:jsoniter CVE-2021-23440 (This affects the package set-value before 4.0.1. A type confusion vuln ...) - node-set-value 3.0.1-3 (bug #994448) - [bullseye] - node-set-value <no-dsa> (Minor issue) + [bullseye] - node-set-value 3.0.1-2+deb11u1 [buster] - node-set-value <no-dsa> (Minor issue) [stretch] - node-set-value <no-dsa> (Minor issue) NOTE: https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 (v4.0.1) @@ -44129,7 +44130,7 @@ CVE-2021-23435 (This affects the package clearance before 2.5.0. The vulnerabili NOT-FOR-US: Rails clearance gem CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confusion v ...) - node-object-path 0.11.7-1 - [bullseye] - node-object-path <no-dsa> (Minor issue) + [bullseye] - node-object-path 0.11.5-3+deb11u1 [buster] - node-object-path <no-dsa> (Minor issue) [stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 diff --git a/data/next-point-update.txt b/data/next-point-update.txt index 5732045040..51a2a13183 100644 --- a/data/next-point-update.txt +++ b/data/next-point-update.txt 
@@ -1,59 +1,3 @@ -CVE-2021-32803 - [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 -CVE-2021-32804 - [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1 -CVE-2021-3677 - [bullseye] - postgresql-13 13.4-0+deb11u1 -CVE-2021-35940 - [bullseye] - apr 1.7.0-6+deb11u1 -CVE-2021-35368 - [bullseye] - modsecurity-crs 3.3.0-1+deb11u1 -CVE-2021-29488 - [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1 -CVE-2020-1957 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2020-11989 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2020-13933 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2020-17510 - [bullseye] - shiro 1.3.2-4+deb11u1 -CVE-2021-36773 - [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1 -CVE-2021-37750 - [bullseye] - krb5 1.18.3-6+deb11u1 -CVE-2021-33582 - [bullseye] - cyrus-imapd 3.2.6-2+deb11u1 -CVE-2021-3749 - [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1 -CVE-2021-38173 - [bullseye] - btrbk 0.27.1-1.1+deb11u1 -CVE-2021-23434 - [bullseye] - node-object-path 0.11.5-3+deb11u1 -CVE-2021-3805 - [bullseye] - node-object-path 0.11.5-3+deb11u1 -CVE-2021-23440 - [bullseye] - node-set-value 3.0.1-2+deb11u1 -CVE-2021-41054 - [bullseye] - atftp 0.7.git20120829-3.3+deb11u1 -CVE-2021-40818 - [bullseye] - glewlwyd 2.5.2-2+deb11u1 -CVE-2021-40540 - [bullseye] - ulfius 2.7.1-1+deb11u1 -CVE-2021-3807 - [bullseye] - node-ansi-regex 5.0.1-1~deb11u1 -CVE-2021-3801 - [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1 -CVE-2021-3592 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-3595 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-3594 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-3593 - [bullseye] - libslirp 4.4.0-1+deb11u2 -CVE-2021-38562 - [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1 CVE-2019-11098 [bullseye] - edk2 2020.11-2+deb11u1 CVE-2021-38155 |
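Review bot: the four shiro hunks in data/CVE/list.2020 (CVE-2020-1957, CVE-2020-11989, CVE-2020-13933, CVE-2020-17510) all record the same bullseye version, `[bullseye] - shiro 1.3.2-4+deb11u1`, and the four shiro entries removed from data/next-point-update.txt carry that same version, so the two files agree. The unstable fix is `shiro 1.3.2-5`, and 1.3.2-4+deb11u1 sorts below it, so an upgrade from bullseye to the next release will pick up the unstable package rather than keep the stable rebuild; no action needed, just confirming the version ordering was checked.

Review bot: two bullseye versions in data/CVE/list.2021 use a `~deb11u1` suffix where every other hunk uses `+deb11u1`: `node-ansi-regex 5.0.1-1~deb11u1` (CVE-2021-3807) and `ublock-origin 1.37.0+dfsg-1~deb11u1` (CVE-2021-36773). In both cases the unstable fix is the same Debian revision (`node-ansi-regex 5.0.1-1` and `ublock-origin 1.37.0+dfsg-1`), so the tilde is needed to make the stable rebuild sort below the unstable package; the mixed suffixes are intentional rather than a typo and should not be normalised.

Review bot: the four libslirp hunks (CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595) set bullseye to `libslirp 4.4.0-1+deb11u2` while the `- qemu 1:4.1-2` line and the buster `qemu <no-dsa>` entries are left untouched; that is consistent with the context note "qemu 1:4.1-2 switched to system libslirp", so bullseye's qemu is covered by the libslirp update alone. Since the tracker now credits a single upload with all four fixes, it is worth confirming that the 4.4.0-1+deb11u2 changelog references all four CVE ids, given that the `deb11u2` revision implies an earlier stable update of the same package.

Review bot: in the CVE-2021-38562 hunk the surrounding context still shows `- request-tracker5 <unfixed> (bug #995167)`, so after this change bullseye (`request-tracker4 4.4.4+dfsg-2+deb11u1`) is marked fixed while unstable's request-tracker5 is not. That is legitimate because request-tracker5 is a separate source package, but the open bug means the tracker will keep reporting the CVE as unfixed in unstable until that upload lands.

Review bot: the `@@ -1,59 +1,3 @@` hunk in data/next-point-update.txt removes 28 two-line entries (56 lines), which matches the 28 CVE-list hunks in this commit (4 in list.2020, 24 in list.2021) and the diffstat's 28 insertions and 83 deletions, so no pending entry was dropped without a corresponding CVE-list update. The three lines that remain (CVE-2019-11098 and CVE-2021-38155 for `edk2 2020.11-2+deb11u1`) are still pending, consistent with the commit message saying the final 11.1 list has not been verified yet; they should stay until edk2 is actually accepted into bullseye.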