[Git][security-tracker-team/security-tracker][master] 2 commits: Review 10.1 changelog for accepted point release updates
Salvatore Bonaccorso
carnil at debian.org
Sat Sep 7 10:52:41 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c58b0c81 by Salvatore Bonaccorso at 2019-09-07T09:51:25Z
Review 10.1 changelog for accepted point release updates
- - - - -
3ec54e8f by Salvatore Bonaccorso at 2019-09-07T09:52:18Z
Merge remote-tracking branch 'origin/master'
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3701,7 +3701,7 @@ CVE-2019-14775
CVE-2019-12625 [clamav zip DoS]
RESERVED
- clamav 0.101.4+dfsg-1 (bug #934359)
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.101.4+dfsg-0+deb10u1
[stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=12356
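Review bot: the buster version 0.101.4+dfsg-0+deb10u1 set here matches the one used in the CVE-2019-12900 clamav hunk and the entries dropped from data/next-point-update.txt, so the two clamav references stay in sync; the stretch line correctly keeps its <no-dsa> (ClamAV is updated via -updates) marker, since only buster is covered by this 10.1 review.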
@@ -5292,7 +5292,7 @@ CVE-2019-14378 (ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer
- qemu 1:4.1-1 (bug #933741)
- qemu-kvm <removed>
- slirp4netns 0.3.2-1 (bug #933742)
- [buster] - slirp4netns <no-dsa> (Will be fixed via 10.1 point release)
+ [buster] - slirp4netns 0.2.3-1
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210
CVE-2018-20870 (The WebDAV transport feature in cPanel before 76.0.8 enables debug log ...)
NOT-FOR-US: cPanel
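Review bot: the new buster line "[buster] - slirp4netns 0.2.3-1" is the only buster fix version in this patch without a +deb10u1 (or ~deb10u1) suffix, and the same string is used in the CVE-2019-9824 hunk and in the removed next-point-update.txt entries; worth confirming that 0.2.3-1 really is the point-release upload and not the version buster already shipped, because a version that predates the fix would make the tracker report the CVE as fixed when it is not.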
@@ -5635,6 +5635,7 @@ CVE-2019-14276
RESERVED
CVE-2019-14275 (Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arro ...)
- fig2dev 1:3.2.7a-7 (unimportant; bug #933075)
+ [buster] - fig2dev 1:3.2.7a-5+deb10u1
- transfig <removed> (unimportant)
NOTE: https://sourceforge.net/p/mcj/tickets/52/
NOTE: Crash in CLI tool, no security impact, hardening build
@@ -8272,7 +8273,7 @@ CVE-2019-13566
CVE-2019-13565 (An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL ...)
{DLA-1891-1}
- openldap 2.4.48+dfsg-1 (low; bug #932998)
- [buster] - openldap <no-dsa> (Minor issue)
+ [buster] - openldap 2.4.47+dfsg-3+deb10u1
[stretch] - openldap <no-dsa> (Minor issue)
NOTE: https://openldap.org/its/?findid=9052
CVE-2019-13564 (XSS exists in Ping Identity Agentless Integration Kit before 1.5. ...)
@@ -8441,19 +8442,19 @@ CVE-2019-13487
CVE-2019-13486 (In Xymon through 4.3.28, a stack-based buffer overflow exists in the s ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13485 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13484 (In Xymon through 4.3.28, a buffer overflow exists in the status-log vi ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13483 (Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signa ...)
@@ -8532,7 +8533,7 @@ CVE-2019-13456
CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13454 (ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLay ...)
@@ -8550,13 +8551,13 @@ CVE-2019-13453 (Zipios before 0.1.7 does not properly handle certain malformed z
CVE-2019-13452 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in rep ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13451 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in his ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-XXXX [No grant table and foreign mapping limits]
@@ -9005,13 +9006,13 @@ CVE-2019-13275 (An issue was discovered in the VeronaLabs wp-statistics plugin b
CVE-2019-13274 (In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CG ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13273 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in the ...)
{DLA-1898-1}
- xymon 4.3.29-1
- [buster] - xymon <no-dsa> (Minor issue)
+ [buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13272 (In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mish ...)
@@ -9105,6 +9106,7 @@ CVE-2019-13234 (In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there
CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP co ...)
{DLA-1846-1}
- unzip 6.0-24 (unimportant; bug #931433)
+ [buster] - unzip 6.0-23+deb10u1
NOTE: https://www.bamsoftware.com/hacks/zipbomb/
NOTE: Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
NOTE: Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
@@ -9257,7 +9259,7 @@ CVE-2019-13179 (Calamares versions 3.1 through 3.2.10 copies a LUKS encryption k
- calamares 3.2.11-1 (bug #931392)
[buster] - calamares <ignored> (Mitigated via calamares-settings-debian in Debian)
- calamares-settings-debian 10.0.23-1 (bug #931373)
- [buster] - calamares-settings-debian <no-dsa> (Will be fixed via Buster point release)
+ [buster] - calamares-settings-debian 10.0.20-1+deb10u1
NOTE: https://github.com/calamares/calamares/issues/1191
NOTE: https://github.com/calamares/calamares/commit/003096698627a527b589c0c929dda4d58f23fd93
NOTE: The issue itself can be adressed as well via calamares-settings-debian and
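Review bot: style point on the trailing context line "NOTE: The issue itself can be adressed as well via calamares-settings-debian and": "adressed" should read "addressed"; not introduced by this change, but cheap to fix while the calamares-settings-debian entry is being touched.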
@@ -9312,7 +9314,7 @@ CVE-2019-13162
RESERVED
CVE-2019-13161 (An issue was discovered in Asterisk Open Source through 13.27.0, 14.x ...)
- asterisk 1:16.2.1~dfsg-2 (low; bug #931981)
- [buster] - asterisk <no-dsa> (Minor issue)
+ [buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
[stretch] - asterisk <no-dsa> (Minor issue)
[jessie] - asterisk <no-dsa> (Minor issue)
NOTE: http://downloads.digium.com/pub/security/AST-2019-003.html
@@ -9428,7 +9430,7 @@ CVE-2019-13119
CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characters of ...)
{DLA-1860-1}
- libxslt 1.1.32-2.1 (low; bug #931320; bug #933743)
- [buster] - libxslt <no-dsa> (Minor issue)
+ [buster] - libxslt 1.1.32-2.1~deb10u1
[stretch] - libxslt <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
@@ -9436,7 +9438,7 @@ CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characte
CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain format stri ...)
{DLA-1860-1}
- libxslt 1.1.32-2.1 (low; bug #931321; bug #933743)
- [buster] - libxslt <no-dsa> (Minor issue)
+ [buster] - libxslt 1.1.32-2.1~deb10u1
[stretch] - libxslt <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
@@ -9629,7 +9631,7 @@ CVE-2019-13058
CVE-2019-13057 (An issue was discovered in the server in OpenLDAP before 2.4.48. When ...)
{DLA-1891-1}
- openldap 2.4.48+dfsg-1 (low; bug #932997)
- [buster] - openldap <no-dsa> (Minor issue)
+ [buster] - openldap 2.4.47+dfsg-3+deb10u1
[stretch] - openldap <no-dsa> (Minor issue)
NOTE: https://openldap.org/its/?findid=9038
CVE-2019-13056 (An issue was discovered in CyberPanel through 1.8.4. On the user edit ...)
@@ -10071,7 +10073,7 @@ CVE-2019-12900 (BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out
- bzip2 1.0.6-9.1 (bug #930886)
[stretch] - bzip2 <no-dsa> (Not exploitable; potential dangerous parts already guarded)
- clamav 0.101.4+dfsg-1 (bug #934359)
- [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+ [buster] - clamav 0.101.4+dfsg-0+deb10u1
[stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
NOTE: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
NOTE: The original fix introduces regressions when extracting certain lbzip2 files
@@ -10258,7 +10260,7 @@ CVE-2019-12828 (An issue was discovered in Electronic Arts Origin before 10.5.39
NOT-FOR-US: Electronic Arts Origin
CVE-2019-12827 (Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13. ...)
- asterisk 1:16.2.1~dfsg-2 (bug #931980)
- [buster] - asterisk <no-dsa> (Minor issue)
+ [buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
[stretch] - asterisk <no-dsa> (Minor issue)
[jessie] - asterisk <no-dsa> (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-002.html
@@ -11216,7 +11218,7 @@ CVE-2019-13012 (The keyfile settings backend in GNOME GLib (aka glib2.0) before
{DLA-1866-2 DLA-1866-1}
[experimental] - glib2.0 2.60.0-1
- glib2.0 2.60.5-1 (bug #931234)
- [buster] - glib2.0 <no-dsa> (Minor issue)
+ [buster] - glib2.0 2.58.3-2+deb10u1
[stretch] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1658
NOTE: https://gitlab.gnome.org/GNOME/glib/merge_requests/450
@@ -11710,7 +11712,7 @@ CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 co
NOT-FOR-US: OpenText Brava!
CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...)
- enigmail 2:2.0.11+ds1-1 (bug #929363)
- [buster] - enigmail <no-dsa> (Issue can be fixed via point release)
+ [buster] - enigmail 2:2.0.12+ds1-1~deb10u1
[stretch] - enigmail <no-dsa> (Issue can be fixed via point release)
[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
NOTE: https://sourceforge.net/p/enigmail/bugs/983/
@@ -11821,70 +11823,70 @@ CVE-2019-12223 (An issue was discovered in NVR WebViewer on Hanwah Techwin SRN-4
CVE-2019-12222 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4621
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4628
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4627
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4625
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4620
NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4626
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4619
NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
@@ -11912,13 +11914,13 @@ CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to th
NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
CVE-2019-12210 (In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug ...)
- pam-u2f 1.0.8-1 (low; bug #930023)
- [buster] - pam-u2f <no-dsa> (Minor issue)
+ [buster] - pam-u2f 1.0.7-1+deb10u1
[stretch] - pam-u2f <no-dsa> (Minor issue)
NOTE: https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
NOTE: https://www.openwall.com/lists/oss-security/2019/06/05/1
CVE-2019-12209 (Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (defa ...)
- pam-u2f 1.0.8-1 (low; bug #930021)
- [buster] - pam-u2f <no-dsa> (Minor issue)
+ [buster] - pam-u2f 1.0.7-1+deb10u1
[stretch] - pam-u2f <no-dsa> (Minor issue)
NOTE: https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
NOTE: https://www.openwall.com/lists/oss-security/2019/06/05/1
@@ -13104,7 +13106,7 @@ CVE-2019-11729 (Empty or malformed p256-ECDH public keys may trigger a segmentat
[buster] - thunderbird 1:60.8.0-1~deb10u1
[stretch] - thunderbird 1:60.8.0-1~deb9u1
- nss 2:3.45-1
- [buster] - nss <no-dsa> (Minor issue)
+ [buster] - nss 2:3.42.1-1+deb10u1
[stretch] - nss <no-dsa> (Minor issue)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11729
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729
@@ -13120,7 +13122,7 @@ CVE-2019-11728 (The HTTP Alternative Services header, Alt-Svc, can be used by a
CVE-2019-11727 (A vulnerability exists where it possible to force Network Security Ser ...)
- firefox 68.0-1 (unimportant)
- nss 2:3.45-1
- [buster] - nss <no-dsa> (Minor issue)
+ [buster] - nss 2:3.42.1-1+deb10u1
[stretch] - nss <no-dsa> (Minor issue)
[jessie] - nss <ignored> (Issue is specific to TLS 1.3 and support was not really complete in 3.26; code has diverged significantly since and applying the fix would be very disruptive)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727
@@ -13157,7 +13159,7 @@ CVE-2019-11719 (When importing a curve25519 private key in PKCS#8format with lea
[buster] - thunderbird 1:60.8.0-1~deb10u1
[stretch] - thunderbird 1:60.8.0-1~deb9u1
- nss 2:3.45-1
- [buster] - nss <no-dsa> (Minor issue)
+ [buster] - nss 2:3.42.1-1+deb10u1
[stretch] - nss <no-dsa> (Minor issue)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11719
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719
@@ -14677,10 +14679,10 @@ CVE-2019-11188
CVE-2019-11187 (Incorrect Access Control in the LDAP class of GONICUS GOsa through 201 ...)
{DLA-1876-1 DLA-1875-1}
- fusiondirectory 1.2.3-5
- [buster] - fusiondirectory <no-dsa> (Minor issue)
+ [buster] - fusiondirectory 1.2.3-4+deb10u1
[stretch] - fusiondirectory <no-dsa> (Minor issue)
- gosa 2.7.4+reloaded3-9
- [buster] - gosa <no-dsa> (Minor issue)
+ [buster] - gosa 2.7.4+reloaded3-8+deb10u1
[stretch] - gosa <no-dsa> (Minor issue)
CVE-2019-11186
RESERVED
@@ -14940,7 +14942,7 @@ CVE-2019-11069 (Sequelize version 5 before 5.3.0 does not properly ensure that s
CVE-2019-11068 (libxslt through 1.1.33 allows bypass of a protection mechanism because ...)
{DLA-1756-1}
- libxslt 1.1.32-2.1 (bug #926895; bug #933743)
- [buster] - libxslt <no-dsa> (Minor issue)
+ [buster] - libxslt 1.1.32-2.1~deb10u1
[stretch] - libxslt <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libxslt/issues/12
NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
@@ -15813,7 +15815,7 @@ CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower
TODO: check
CVE-2019-10746 (mixin-deep is vulnerable to Prototype Pollution in versions before 1.3 ...)
- node-mixin-deep 2.0.1-1 (bug #932500)
- [buster] - node-mixin-deep <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - node-mixin-deep 1.1.3-3+deb10u1
[stretch] - node-mixin-deep <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
NOTE: https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
@@ -15822,7 +15824,7 @@ CVE-2019-10745 (assign-deep is vulnerable to Prototype Pollution in versions bef
TODO: check
CVE-2019-10744 (Versions of lodash lower than 4.17.12 are vulnerable to Prototype Poll ...)
- node-lodash 4.17.15+dfsg-1 (bug #933079)
- [buster] - node-lodash <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - node-lodash 4.17.11+dfsg-2+deb10u1
[stretch] - node-lodash <ignored> (Nodejs in stretch not covered by security support)
[jessie] - node-lodash <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-450202
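Review bot: the jessie context line "[jessie] - node-lodash <ignored> (Nodejs in stretch not covered by security support)" names stretch in its justification, which looks like a copy of the stretch line above it; it should say jessie. Not part of this change, but the entry is being edited anyway.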
@@ -19152,7 +19154,7 @@ CVE-2019-9824 (tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.
- qemu 1:3.1+dfsg-6
- qemu-kvm <removed>
- slirp4netns 0.3.1-1
- [buster] - slirp4netns <no-dsa> (Will be fixed via 10.1 point release)
+ [buster] - slirp4netns 0.2.3-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg01871.html
NOTE: https://www.openwall.com/lists/oss-security/2019/03/18/1
NOTE: https://github.com/qemu/qemu/commit/d3222975c7d6cda9e25809dea05241188457b113
@@ -22298,7 +22300,7 @@ CVE-2019-8696 [stack-buffer-overflow in libcups's asn1_get_packed function]
RESERVED
{DLA-1893-1}
- cups 2.2.12-1 (bug #934957)
- [buster] - cups <no-dsa> (Minor issue, can be fixed via point release)
+ [buster] - cups 2.2.10-6+deb10u1
[stretch] - cups <no-dsa> (Minor issue, can be fixed via point release)
NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109
CVE-2019-8695
@@ -22358,7 +22360,7 @@ CVE-2019-8675 [stack-buffer-overflow in libcups's asn1_get_type function]
RESERVED
{DLA-1893-1}
- cups 2.2.12-1 (bug #934957)
- [buster] - cups <no-dsa> (Minor issue, can be fixed via point release)
+ [buster] - cups 2.2.10-6+deb10u1
[stretch] - cups <no-dsa> (Minor issue, can be fixed via point release)
NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109
CVE-2019-8674
@@ -24822,10 +24824,10 @@ CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
NOTE: https://hg.libsdl.org/SDL/rev/7c643f1c1887 (SDL-2)
@@ -31390,11 +31392,11 @@ CVE-2019-5059 (An exploitable code execution vulnerability exists in the XPM ima
NOTE: https://hg.libsdl.org/SDL_image/rev/95fc7da55247
CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF image re ...)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
[jessie] - libsdl2-image 2.0.0+dfsg-3+deb8u2
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
[jessie] - sdl-image1.2 1.2.12-5+deb8u2
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0842
@@ -31402,11 +31404,11 @@ CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF ima
NOTE: CVE-2019-5058 can be considered a CVE for an incomplete fix for CVE-2018-3977.
CVE-2019-5057 (An exploitable code execution vulnerability exists in the PCX image-re ...)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
[jessie] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed> (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
[jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0841
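Review bot: in the CVE-2019-5057 entry the unstable line still reads "- sdl-image1.2 <unfixed> (bug #932755)" while buster now gets 1.2.12-10+deb10u1; the neighbouring CVE-2019-5058 entry lists sdl-image1.2 1.2.12-11 as the unstable fix for the same bug number. Either 1.2.12-11 also fixes CVE-2019-5057 and the unstable line should be updated to match, or the buster fix needs a second look, since a fixed stable version next to an <unfixed> sid entry is inconsistent.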
@@ -31422,20 +31424,20 @@ CVE-2019-5053
CVE-2019-5052 (An exploitable integer overflow vulnerability exists when loading a PC ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0821
NOTE: https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
CVE-2019-5051 (An exploitable heap-based buffer overflow vulnerability exists when lo ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
- [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
- [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0820
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
@@ -38007,7 +38009,7 @@ CVE-2019-2806
RESERVED
CVE-2019-2805 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
@@ -38124,7 +38126,7 @@ CVE-2019-2759 (Vulnerability in the Oracle Outside In Technology component of Or
NOT-FOR-US: Oracle
CVE-2019-2758 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
@@ -38169,14 +38171,14 @@ CVE-2019-2741 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2740 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2739 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
@@ -38186,7 +38188,7 @@ CVE-2019-2738 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2737 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
- [buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
=====================================
data/next-point-update.txt
=====================================
@@ -1,121 +1,6 @@
-CVE-2019-13179
- [buster] - calamares-settings-debian 10.0.20-1+deb10u1
-CVE-2019-13232
- [buster] - unzip 6.0-23+deb10u1
-CVE-2019-12209
- [buster] - pam-u2f 1.0.7-1+deb10u1
-CVE-2019-12210
- [buster] - pam-u2f 1.0.7-1+deb10u1
-CVE-2019-10746
- [buster] - node-mixin-deep 1.1.3-3+deb10u1
-CVE-2019-5052
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-5051
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-7635
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-12216
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-12217
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-12218
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-12219
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-12220
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-12221
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-12222
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-5057
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-5058
- [buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
- [buster] - sdl-image1.2 1.2.12-10+deb10u1
-CVE-2019-14275
- [buster] - fig2dev 1:3.2.7a-5+deb10u1
-CVE-2019-13012
- [buster] - glib2.0 2.58.3-2+deb10u1
+CVE-2019-13173
+ [buster] - node-fstream 1.0.10-1+deb10u1
CVE-2019-14267
[buster] - pdfresurrect 0.15-2+deb10u1
-CVE-2019-12625
- [buster] - clamav 0.101.4+dfsg-0+deb10u1
-CVE-2019-12900
- [buster] - clamav 0.101.4+dfsg-0+deb10u1
CVE-2019-1020014
[buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1
-CVE-2019-2737
- [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
-CVE-2019-2739
- [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
-CVE-2019-2740
- [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
-CVE-2019-2758
- [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
-CVE-2019-2805
- [buster] - mariadb-10.3 1:10.3.17-0+deb10u1
-CVE-2019-11068
- [buster] - libxslt 1.1.32-2.1~deb10u1
-CVE-2019-13117
- [buster] - libxslt 1.1.32-2.1~deb10u1
-CVE-2019-13118
- [buster] - libxslt 1.1.32-2.1~deb10u1
-CVE-2019-11187
- [buster] - fusiondirectory 1.2.3-4+deb10u1
- [buster] - gosa 2.7.4+reloaded3-8+deb10u1
-CVE-2019-13057
- [buster] - openldap 2.4.47+dfsg-3+deb10u1
-CVE-2019-13565
- [buster] - openldap 2.4.47+dfsg-3+deb10u1
-CVE-2019-10744
- [buster] - node-lodash 4.17.11+dfsg-2+deb10u1
-CVE-2019-12827
- [buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
-CVE-2019-13161
- [buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
-CVE-2019-8696
- [buster] - cups 2.2.10-6+deb10u1
-CVE-2019-8675
- [buster] - cups 2.2.10-6+deb10u1
-CVE-2019-12269
- [buster] - enigmail 2:2.0.12+ds1-1~deb10u1
-CVE-2019-13486
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-13485
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-13484
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-13455
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-13273
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-13274
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-13451
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-13452
- [buster] - xymon 4.3.28-5+deb10u1
-CVE-2019-9824
- [buster] - slirp4netns 0.2.3-1
-CVE-2019-14378
- [buster] - slirp4netns 0.2.3-1
-CVE-2019-11719
- [buster] - nss 2:3.42.1-1+deb10u1
-CVE-2019-11727
- [buster] - nss 2:3.42.1-1+deb10u1
-CVE-2019-11729
- [buster] - nss 2:3.42.1-1+deb10u1
-CVE-2019-13173
- [buster] - node-fstream 1.0.10-1+deb10u1
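Review bot: the net effect on CVE-2019-13173 is a move, not a removal: the node-fstream pair is deleted at the bottom and re-added unchanged at the top of the file, which is harmless but adds diff noise. Every other entry removed here has a matching buster version change in the data/CVE/list hunks of this same commit (clamav, slirp4netns, xymon, libxslt, nss, mariadb-10.3, the SDL image packages and the rest), and the surviving pdfresurrect and golang-github-docker-docker-credential-helpers entries are untouched, so the two files are consistent after this change.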
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6f4e36b154f8729a9208931ab957be135320cfb9...3ec54e8feb952c2d439c7fd1d3bc19fdc8b84b0b