[Git][security-tracker-team/security-tracker][master] 5 commits: libperlspeak-perl removed from buster in 10.4

Salvatore Bonaccorso carnil at debian.org
Sat May 9 09:45:30 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
40c97747 by Salvatore Bonaccorso at 2020-05-08T14:18:24+02:00
libperlspeak-perl removed from buster in 10.4

- - - - -
806127fd by Salvatore Bonaccorso at 2020-05-08T14:18:24+02:00
libmicrodns removed from buster in 10.4

- - - - -
b01a6d60 by Salvatore Bonaccorso at 2020-05-08T14:22:08+02:00
Merge linux updates for buster 10.4

- - - - -
aa610955 by Salvatore Bonaccorso at 2020-05-08T14:40:21+02:00
Merge acked and included CVE fixes for buster 10.4

- - - - -
c7a2b99b by Salvatore Bonaccorso at 2020-05-09T08:45:23+00:00
Merge branch 'buster-10.4' into 'master'

Import changes pending for Debian buster 10.4

See merge request security-tracker-team/security-tracker!54
- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -213,11 +213,13 @@ CVE-2020-12660
 	RESERVED
 CVE-2020-12659 (An issue was discovered in the Linux kernel before 5.6.7. xdp_umem_reg ...)
 	- linux 5.6.7-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/99e3a236dd43d06c65af0a2ef9cb44306aef6e02 (5.7-rc2)
 CVE-2020-12658
 	RESERVED
 CVE-2020-12657 (An issue was discovered in the Linux kernel before 5.6.5. There is a u ...)
 	- linux 5.6.7-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/2f95fa5c955d0a9987ffdc3a095e2f4e62c5f2a9 (5.7-rc1)
 CVE-2020-12656 (gss_mech_free in net/sunrpc/auth_gss/gss_mech_switch.c in the rpcsec_g ...)
 	- linux <unfixed>
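
Review bot: the two added "[buster] - linux 4.19.118-1" lines (CVE-2020-12659 and CVE-2020-12657) mark buster fixed while the NOTE lines next to them point at commits that only landed upstream in 5.7-rc2 and 5.7-rc1, so the buster annotation is only right if 4.19.118-1 really carries backports of 99e3a236dd43 and 2f95fa5c955d; check the 4.19.118-1 changelog or the 4.19.y stable series before relying on it. The same check applies to every other "[buster] - linux 4.19.118-1" line in this merge, and a pointer to the stable release or changelog entry in the "Merge linux updates for buster 10.4" commit message would make that verifiable later.
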
@@ -228,9 +230,11 @@ CVE-2020-12655 (An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_a
 	NOTE: https://git.kernel.org/linus/d0c7feaf87678371c2c09b3709400be416b2dc62 (5.7-rc1)
 CVE-2020-12654 (An issue was found in Linux kernel before 5.5.4. mwifiex_ret_wmm_get_s ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/3a9b153c5591548612c3955c9600a98150c81875 (5.6-rc1)
 CVE-2020-12653 (An issue was found in Linux kernel before 5.5.4. The mwifiex_cmd_appen ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/b70261a288ea4d2f4ac7cd04be08a9f0f2de4f4d (5.6-rc1)
 CVE-2020-12652 (The __mptctl_ioctl function in drivers/message/fusion/mptctl.c in the  ...)
 	- linux 5.4.19-1
@@ -632,6 +636,7 @@ CVE-2020-12466
 	RESERVED
 CVE-2020-12465 (An array overflow was discovered in mt76_add_fragment in drivers/net/w ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/b102f0c522cf668c8382c56a4f771b37d011cda2 (5.6-rc6)
 CVE-2020-12464 (usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before ...)
 	- linux <unfixed>
@@ -1552,7 +1557,7 @@ CVE-2020-12080
 CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCurso ...)
 	{DLA-2146-1}
 	- libvncserver 0.9.12+dfsg-9 (bug #954163)
-	[buster] - libvncserver <no-dsa> (Minor issue)
+	[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
 	[stretch] - libvncserver <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed
 CVE-2020-12137 (GNU Mailman 2.x before 2.1.30 uses the .obj extension for scrubbed app ...)
@@ -3431,12 +3436,14 @@ CVE-2020-11670
 	RESERVED
 CVE-2020-11669 (An issue was discovered in the Linux kernel before 5.2 on the powerpc  ...)
 	- linux 5.2.6-1
+	[buster] - linux 4.19.118-1
 	[stretch] - linux <not-affected> (Vulnerability introduced later with support for KVM guests on POWER9)
 	[jessie] - linux <not-affected> (Vulnerability introduced later with support for KVM guests on POWER9)
 	NOTE: https://git.kernel.org/linus/53a712bae5dd919521a58d7bad773b949358add0
 	NOTE: https://www.openwall.com/lists/oss-security/2020/04/15/1
 CVE-2020-11668 (In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit. ...)
 	- linux 5.5.17-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/a246b4d547708f33ff4d4b9a7a5dbac741dc89d8
 CVE-2020-11667
 	RESERVED
@@ -3613,9 +3620,11 @@ CVE-2020-11610 (An issue was discovered in xdLocalStorage through 2.0.5. The pos
 	NOT-FOR-US: xdLocalStorage
 CVE-2020-11609 (An issue was discovered in the stv06xx subsystem in the Linux kernel b ...)
 	- linux 5.5.17-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/485b06aadb933190f4bc44e006076bc27a23f205
 CVE-2020-11608 (An issue was discovered in the Linux kernel before 5.6.1. drivers/medi ...)
 	- linux 5.5.17-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/998912346c0da53a6dbb71fab3a138586b596b30
 CVE-2020-11607 (An issue was discovered on Samsung mobile devices with P(9.0) and Q(10 ...)
 	NOT-FOR-US: Samsung mobile devices
@@ -4142,6 +4151,7 @@ CVE-2020-11495
 	REJECTED
 CVE-2020-11494 (An issue was discovered in slc_bump in drivers/net/can/slcan.c in the  ...)
 	- linux 5.5.17-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://lore.kernel.org/netdev/20200401100639.20199-1-rpalethorpe@suse.com/
 CVE-2020-11493
 	RESERVED
@@ -6392,7 +6402,6 @@ CVE-2020-10666
 	RESERVED
 CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...)
 	- libperlspeak-perl <removed> (bug #954238)
-	[buster] - libperlspeak-perl <ignored> (Will be removed in next point release)
 	[stretch] - libperlspeak-perl <ignored> (Will be removed in next point release)
 	[jessie] - libperlspeak-perl <end-of-life> (Not supported in jessie LTS)
 	NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173
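
Review bot: dropping the "[buster] - libperlspeak-perl <ignored>" line leaves buster without any annotation, so the tracker will derive buster's status for CVE-2020-10674 purely from whether libperlspeak-perl is still present in the buster package data; that is only correct once the 10.4 removal has propagated there, and until then the CVE shows up as open in buster again. Removing the line together with the "removed from buster in 10.4" commit is fine, but re-check the buster view once the point release is published. Keeping the "[stretch] - libperlspeak-perl <ignored>" line is consistent, since stretch is not part of this point release.
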
@@ -7533,7 +7542,7 @@ CVE-2020-10175
 	REJECTED
 CVE-2020-10174 (init_tmp in TeeJee.FileSystem.vala in Timeshift before 20.03 unsafely  ...)
 	- timeshift 20.03+ds-1 (bug #953385)
-	[buster] - timeshift <no-dsa> (Will be fixed via point release)
+	[buster] - timeshift 19.01+ds-2+deb10u1
 	NOTE: https://www.openwall.com/lists/oss-security/2020/03/06/3
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1165802
 	NOTE: https://github.com/teejee2008/timeshift/commit/335b3d5398079278b8f7094c77bfd148b315b462
@@ -8910,7 +8919,7 @@ CVE-2020-9544 (An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. T
 	NOT-FOR-US: D-Link
 CVE-2020-9543 (OpenStack Manila <7.4.1, >=8.0.0 <8.1.1, and >=9.0.0 <9 ...)
 	- manila 1:9.0.0-5 (bug #953581)
-	[buster] - manila <no-dsa> (Minor issue)
+	[buster] - manila 1:7.0.0-1+deb10u1
 	[stretch] - manila <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/manila/+bug/1861485
 	NOTE: https://security.openstack.org/ossa/OSSA-2020-002.html
@@ -9299,6 +9308,7 @@ CVE-2020-9384 (** DISPUTED ** An Insecure Direct Object Reference (IDOR) vulnera
 	NOT-FOR-US: Subex
 CVE-2020-9383 (An issue was discovered in the Linux kernel through 5.5.6. set_fdc in  ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/2e90ca68b0d2f5548804f22f0dd61145516171e3
 CVE-2020-9382 (An issue was discovered in the Widgets extension through 1.4.0 for Med ...)
 	NOT-FOR-US: Widgets extension for MediaWiki
@@ -10244,6 +10254,7 @@ CVE-2020-8993
 	RESERVED
 CVE-2020-8992 (ext4_protect_reserved_inode in fs/ext4/block_validity.c in the Linux k ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	[stretch] - linux <not-affected> (Vulnerable code not present)
 	[jessie] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://patchwork.ozlabs.org/patch/1236118/
@@ -10519,7 +10530,7 @@ CVE-2020-8867 (This vulnerability allows remote attackers to create a denial-of-
 CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary files o ...)
 	{DLA-2162-1}
 	- php-horde-form <removed> (bug #955020)
-	[buster] - php-horde-form <no-dsa> (Minor issue)
+	[buster] - php-horde-form 2.0.18-3.1+deb10u1
 	[stretch] - php-horde-form <no-dsa> (Minor issue)
 	NOTE: https://lists.horde.org/archives/announce/2020/001288.html
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-275/
@@ -10527,7 +10538,7 @@ CVE-2020-8866 (This vulnerability allows remote attackers to create arbitrary fi
 CVE-2020-8865 (This vulnerability allows remote attackers to execute local PHP files  ...)
 	{DLA-2175-1}
 	- php-horde-trean <removed> (bug #955019)
-	[buster] - php-horde-trean <no-dsa> (Minor issue)
+	[buster] - php-horde-trean 1.1.9-3+deb10u1
 	[stretch] - php-horde-trean <no-dsa> (Minor issue)
 	NOTE: https://lists.horde.org/archives/announce/2020/001286.html
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-276/
@@ -11052,12 +11063,15 @@ CVE-2019-20447 (Jobberbase 2.0 has SQL injection via the PATH_INFO to the jobs-i
 	NOT-FOR-US: Jobberbase CMS
 CVE-2020-8649 (There is a use-after-free vulnerability in the Linux kernel through 5. ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/513dc792d6060d5ef572e43852683097a8420f56
 CVE-2020-8648 (There is a use-after-free vulnerability in the Linux kernel through 5. ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/07e6124a1a46b4b5a9b3cacc0c306b50da87abf5
 CVE-2020-8647 (There is a use-after-free vulnerability in the Linux kernel through 5. ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	NOTE: https://git.kernel.org/linus/513dc792d6060d5ef572e43852683097a8420f56
 CVE-2020-8640
 	RESERVED
@@ -11170,7 +11184,7 @@ CVE-2020-8598 (Trend Micro Apex One (2019), OfficeScan XG and Worry-Free Busines
 CVE-2020-8597 (eap.c in pppd in ppp 2.4.2 through 2.4.8 has an rhostname buffer overf ...)
 	{DSA-4632-1 DLA-2097-1}
 	- lwip 2.1.2+dfsg1-5 (bug #951291)
-	[buster] - lwip <no-dsa> (Minor issue)
+	[buster] - lwip 2.0.3-3+deb10u1
 	[experimental] - ppp 2.4.8-1+1~exp1
 	- ppp <unfixed> (bug #950618)
 	NOTE: http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86
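
Review bot: the buster line for lwip moves from <no-dsa> to 2.0.3-3+deb10u1, matching the next-point-update.txt entry, but the same CVE-2020-8597 block still records "- ppp <unfixed> (bug #950618)" with a fix only in experimental (2.4.8-1+1~exp1) although {DSA-4632-1 DLA-2097-1} are already referenced on the entry. That is outside this change, yet since the entry is being touched it is worth confirming whether the unstable ppp line is merely stale and, if so, updating it in a follow-up instead of leaving sid shown as unfixed.
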
@@ -11336,7 +11350,7 @@ CVE-2020-8519
 CVE-2020-8518 (Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary P ...)
 	{DLA-2174-1}
 	- php-horde-data <removed> (bug #951537)
-	[buster] - php-horde-data <no-dsa> (Minor issue)
+	[buster] - php-horde-data 2.1.4-5+deb10u1
 	[stretch] - php-horde-data <no-dsa> (Minor issue)
 	NOTE: https://lists.horde.org/archives/announce/2020/001285.html
 	NOTE: https://github.com/horde/Data/commit/78ad0c2390176cdde7260a271bc6ddd86f4c9c0e
@@ -12161,7 +12175,7 @@ CVE-2020-8142 (A security restriction bypass vulnerability has been discovered i
 	NOT-FOR-US: Revive Adserver
 CVE-2020-8141 (The dot package v1.1.2 uses Function() to compile templates. This can  ...)
 	- node-dot 1.1.3+ds-1
-	[buster] - node-dot <no-dsa> (Will be fixed via point release)
+	[buster] - node-dot 1.1.1-1+deb10u1
 	NOTE: https://hackerone.com/reports/390929
 CVE-2020-8140 (A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed t ...)
 	- nextcloud-desktop <not-affected> (MacOS-specific)
@@ -12188,7 +12202,7 @@ CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 al
 CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < 12.3. ...)
 	{DLA-2120-1}
 	- rake 12.3.3-1
-	[buster] - rake <no-dsa> (Minor issue)
+	[buster] - rake 12.3.1-3+deb10u1
 	[stretch] - rake <no-dsa> (Minor issue)
 	NOTE: https://hackerone.com/reports/651518
 	NOTE: Fixed by: https://github.com/ruby/rake/commit/5b8f8fc41a5d7d7d6a5d767e48464c60884d3aee (v12.3.3)
@@ -12224,7 +12238,7 @@ CVE-2020-8117 (Improper preservation of permissions in Nextcloud Server 14.0.3 c
 	- nextcloud-server <itp> (bug #941708)
 CVE-2020-8116 (Prototype pollution vulnerability in dot-prop npm package version 5.1. ...)
 	- node-dot-prop 5.2.0-1
-	[buster] - node-dot-prop <no-dsa> (Minor issue)
+	[buster] - node-dot-prop 4.1.1-1+deb10u1
 	NOTE: https://hackerone.com/reports/719856
 	NOTE: https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2
 CVE-2020-8115 (A reflected XSS vulnerability has been discovered in the publicly acce ...)
@@ -13449,7 +13463,7 @@ CVE-2020-7611 (All versions of io.micronaut:micronaut-http-client before 1.2.11
 CVE-2020-7610 (All versions of bson before 1.1.4 are vulnerable to Deserialization of ...)
 	[experimental] - node-mongodb 3.5.5+~cs11.12.19-1
 	- node-mongodb 3.5.6+~cs11.12.19-1
-	[buster] - node-mongodb <no-dsa> (Minor issue)
+	[buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
 	NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19
 	NOTE: https://snyk.io/vuln/SNYK-JS-BSON-561052
 	NOTE: https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8
@@ -13457,7 +13471,7 @@ CVE-2020-7609 (node-rules including 3.0.0 and prior to 5.0.0 allows injection of
 	NOT-FOR-US: Node node-rules
 CVE-2020-7608 (yargs-parser could be tricked into adding or modifying properties of O ...)
 	- node-yargs-parser 18.1.1-1
-	[buster] - node-yargs-parser <no-dsa> (Minor issue; can be fixed via point release)
+	[buster] - node-yargs-parser 11.1.1-1+deb10u1
 	[stretch] - node-yargs-parser <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381
 	NOTE: https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2
@@ -17124,7 +17138,6 @@ CVE-2020-6081 (An exploitable code execution vulnerability exists in the PLC_Tas
 CVE-2020-6080 (An exploitable denial-of-service vulnerability exists in the resource  ...)
 	{DSA-4671-1}
 	- libmicrodns <removed>
-	[buster] - libmicrodns <ignored> (Will be removed in next point release)
 	[stretch] - libmicrodns <ignored> (Will be removed in next point release)
 	- vlc 3.0.8-4
 	[jessie] - vlc <end-of-life> (Not supported in jessie LTS)
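
Review bot: same situation as the libperlspeak-perl entry: the "[buster] - libmicrodns <ignored>" line is removed here and in the six following hunks for CVE-2020-6079 down to CVE-2020-6071, so buster's status for all seven CVEs now depends entirely on libmicrodns having disappeared from the buster package data after 10.4; verify that after the point release rather than assuming it. The vlc side of these entries is untouched, which is fine: {DSA-4671-1} is listed and vlc 3.0.8-4 is recorded as fixed in unstable, so nothing further is needed there.
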
@@ -17133,7 +17146,6 @@ CVE-2020-6080 (An exploitable denial-of-service vulnerability exists in the reso
 CVE-2020-6079 (An exploitable denial-of-service vulnerability exists in the resource  ...)
 	{DSA-4671-1}
 	- libmicrodns <removed>
-	[buster] - libmicrodns <ignored> (Will be removed in next point release)
 	[stretch] - libmicrodns <ignored> (Will be removed in next point release)
 	- vlc 3.0.8-4
 	[jessie] - vlc <end-of-life> (Not supported in jessie LTS)
@@ -17142,7 +17154,6 @@ CVE-2020-6079 (An exploitable denial-of-service vulnerability exists in the reso
 CVE-2020-6078 (An exploitable denial-of-service vulnerability exists in the message-p ...)
 	{DSA-4671-1}
 	- libmicrodns <removed>
-	[buster] - libmicrodns <ignored> (Will be removed in next point release)
 	[stretch] - libmicrodns <ignored> (Will be removed in next point release)
 	- vlc 3.0.8-4
 	[jessie] - vlc <end-of-life> (Not supported in jessie LTS)
@@ -17151,7 +17162,6 @@ CVE-2020-6078 (An exploitable denial-of-service vulnerability exists in the mess
 CVE-2020-6077 (An exploitable denial-of-service vulnerability exists in the message-p ...)
 	{DSA-4671-1}
 	- libmicrodns <removed>
-	[buster] - libmicrodns <ignored> (Will be removed in next point release)
 	[stretch] - libmicrodns <ignored> (Will be removed in next point release)
 	- vlc 3.0.8-4
 	[jessie] - vlc <end-of-life> (Not supported in jessie LTS)
@@ -17166,7 +17176,6 @@ CVE-2020-6074
 CVE-2020-6073 (An exploitable denial-of-service vulnerability exists in the TXT recor ...)
 	{DSA-4671-1}
 	- libmicrodns <removed>
-	[buster] - libmicrodns <ignored> (Will be removed in next point release)
 	[stretch] - libmicrodns <ignored> (Will be removed in next point release)
 	- vlc 3.0.8-4
 	[jessie] - vlc <end-of-life> (Not supported in jessie LTS)
@@ -17175,7 +17184,6 @@ CVE-2020-6073 (An exploitable denial-of-service vulnerability exists in the TXT
 CVE-2020-6072 (An exploitable code execution vulnerability exists in the label-parsin ...)
 	{DSA-4671-1}
 	- libmicrodns <removed>
-	[buster] - libmicrodns <ignored> (Will be removed in next point release)
 	[stretch] - libmicrodns <ignored> (Will be removed in next point release)
 	- vlc 3.0.8-4
 	[jessie] - vlc <end-of-life> (Not supported in jessie LTS)
@@ -17184,7 +17192,6 @@ CVE-2020-6072 (An exploitable code execution vulnerability exists in the label-p
 CVE-2020-6071 (An exploitable denial-of-service vulnerability exists in the resource  ...)
 	{DSA-4671-1}
 	- libmicrodns <removed>
-	[buster] - libmicrodns <ignored> (Will be removed in next point release)
 	[stretch] - libmicrodns <ignored> (Will be removed in next point release)
 	- vlc 3.0.8-4
 	[jessie] - vlc <end-of-life> (Not supported in jessie LTS)
@@ -18931,7 +18938,7 @@ CVE-2020-5268 (In Saml2 Authentication Services for ASP.NET versions before 1.0.
 CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...)
 	{DLA-2149-1}
 	- rails 2:5.2.4.1+dfsg-2 (bug #954304)
-	[buster] - rails <no-dsa> (Minor issue)
+	[buster] - rails 2:5.2.2.1+dfsg-1+deb10u1
 	[stretch] - rails <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/03/19/1
 	NOTE: https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a (master)
@@ -19154,7 +19161,7 @@ CVE-2020-5203 (In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code
 	NOT-FOR-US: Fat-Free Framework
 CVE-2020-5202 (apt-cacher-ng through 3.3 allows local users to obtain sensitive infor ...)
 	- apt-cacher-ng 3.3.1-1
-	[buster] - apt-cacher-ng <no-dsa> (Minor issue)
+	[buster] - apt-cacher-ng 3.2.1-1
 	[stretch] - apt-cacher-ng <no-dsa> (Minor issue)
 	[jessie] - apt-cacher-ng <no-dsa> (Minor issue)
 	NOTE: https://salsa.debian.org/blade/apt-cacher-ng/commit/3b91874b0c099b0ded1a94f1784fe1265082efbc
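
Review bot: the new buster version for apt-cacher-ng, 3.2.1-1, carries no +deb10uN suffix, unlike every other fixed version introduced in this merge; the matching next-point-update.txt entry has the same value, so the two files agree, but confirm that 3.2.1-1 is the version actually accepted into buster 10.4 through proposed-updates (a new upstream micro-release rather than a +deb10u1 rebuild) and not a version copied by mistake. If that is the case, a short NOTE line saying so would save the next person from asking the same question.
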
@@ -22963,7 +22970,7 @@ CVE-2020-3899 (A memory consumption issue was addressed with improved memory han
 CVE-2020-3898 [heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c]
 	RESERVED
 	- cups 2.3.1-12
-	[buster] - cups <no-dsa> (Minor issue)
+	[buster] - cups 2.2.10-6+deb10u3
 	[stretch] - cups <no-dsa> (Minor issue)
 	[jessie] - cups <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1823964
@@ -23892,7 +23899,7 @@ CVE-2019-19792 (A permissions issue in ESET Cyber Security before 6.8.300.0 for
 CVE-2019-19791 [Apache access rules and SOAP/REST endpoints issue]
 	RESERVED
 	- lemonldap-ng 2.0.7+ds-1
-	[buster] - lemonldap-ng <no-dsa> (Minor issue)
+	[buster] - lemonldap-ng 2.0.2+ds-7+deb10u3
 	[stretch] - lemonldap-ng <no-dsa> (Minor issue)
 	[jessie] - lemonldap-ng <no-dsa> (Minor issue)
 	NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1943
@@ -24926,7 +24933,7 @@ CVE-2020-3124
 	RESERVED
 CVE-2020-3123 (A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiV ...)
 	- clamav 0.102.2+dfsg-1 (bug #950944)
-	[buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+	[buster] - clamav 0.102.2+dfsg-0+deb10u1
 	[stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
 	[jessie] - clamav <not-affected> (Vulnerable code introduced in 0.102.x)
 	NOTE: https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
@@ -29193,7 +29200,7 @@ CVE-2020-1731 (A flaw was found in all versions of the Keycloak operator, before
 	NOT-FOR-US: Keycloak
 CVE-2020-1730 (A flaw was found in libssh versions before 0.8.9 and before 0.9.4 in t ...)
 	- libssh 0.9.4-1 (bug #956308)
-	[buster] - libssh <no-dsa> (Minor issue, can be fixed via point release)
+	[buster] - libssh 0.8.7-1+deb10u1
 	[stretch] - libssh <not-affected> (Vulnerable code introduced later)
 	[jessie] - libssh <not-affected> (Vulnerable code introduced later)
 	NOTE: https://www.libssh.org/security/advisories/CVE-2020-1730.txt
@@ -29251,7 +29258,7 @@ CVE-2020-1713
 	RESERVED
 CVE-2020-1712 (A heap use-after-free vulnerability was found in systemd before versio ...)
 	- systemd 244.2-1 (bug #950732)
-	[buster] - systemd <no-dsa> (Can be fixed via point release)
+	[buster] - systemd 241-7~deb10u4
 	[stretch] - systemd <no-dsa> (Can be fixed via point release)
 	[jessie] - systemd <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/systemd/systemd/commit/773b1a7916bfce3aa2a21ecf534d475032e8528e (preparation)
@@ -30262,6 +30269,7 @@ CVE-2019-19047 (A memory leak in the mlx5_fw_fatal_reporter_dump() function in d
 	NOTE: https://git.kernel.org/linus/c7ed6d0183d5ea9bc31bcaeeba4070bd62546471
 CVE-2019-19046 (** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in  ...)
 	- linux 5.4.19-1 (unimportant)
+	[buster] - linux 4.19.118-1
 	NOTE: Only a memory leak on the probe path
 CVE-2019-19045 (A memory leak in the mlx5_fpga_conn_create_cq() function in drivers/ne ...)
 	- linux 5.3.15-1
@@ -35822,6 +35830,7 @@ CVE-2020-0010 (In fpc_ta_get_build_info of fpc_ta_kpi.c, there is a possible out
 	NOT-FOR-US: FPC components for Android
 CVE-2020-0009 (In calc_vm_may_flags of ashmem.c, there is a possible arbitrary write  ...)
 	- linux 5.5.13-1
+	[buster] - linux 4.19.118-1
 	[jessie] - linux <ignored> (Driver is not enabled or supported)
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1949
 CVE-2020-0008 (In LowEnergyClient::MtuChangedCallback of low_energy_client.cc, there  ...)
@@ -39519,21 +39528,21 @@ CVE-2019-16778 (In TensorFlow before 1.15, a heap buffer overflow in UnsortedSeg
 CVE-2019-16777 (Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary ...)
 	[experimental] - npm 6.13.4+ds-1
 	- npm 6.13.4+ds-2 (bug #947127)
-	[buster] - npm <no-dsa> (Minor issue)
+	[buster] - npm 5.8.0+ds6-4+deb10u1
 	[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
 	NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
 CVE-2019-16776 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...)
 	[experimental] - npm 6.13.4+ds-1
 	- npm 6.13.4+ds-2 (bug #947127)
-	[buster] - npm <no-dsa> (Minor issue)
+	[buster] - npm 5.8.0+ds6-4+deb10u1
 	[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
 	NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
 CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...)
 	[experimental] - npm 6.13.4+ds-1
 	- npm 6.13.4+ds-2 (bug #947127)
-	[buster] - npm <no-dsa> (Minor issue)
+	[buster] - npm 5.8.0+ds6-4+deb10u1
 	[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
 	NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
@@ -39551,7 +39560,7 @@ CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vuln
 	NOT-FOR-US: Armeria
 CVE-2019-16770 (In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client coul ...)
 	- puma 3.12.0-4 (bug #946312)
-	[buster] - puma <no-dsa> (Minor issue)
+	[buster] - puma 3.12.0-2+deb10u1
 	[stretch] - puma <no-dsa> (Minor issue)
 	NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
 	NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
@@ -42646,7 +42655,7 @@ CVE-2019-15690
 	RESERVED
 	{DLA-2146-1}
 	- libvncserver 0.9.12+dfsg-9 (bug #954163)
-	[buster] - libvncserver <no-dsa> (Minor issue)
+	[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
 	[stretch] - libvncserver <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2
 	NOTE: https://github.com/LibVNC/libvncserver/issues/381
@@ -43201,7 +43210,7 @@ CVE-2019-15523
 	RESERVED
 CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...)
 	- csync2 2.0-25-gc0faaf9-1 (bug #955445)
-	[buster] - csync2 <no-dsa> (Minor issue)
+	[buster] - csync2 2.0-22-gce67c55-1+deb10u1
 	[stretch] - csync2 <no-dsa> (Minor issue)
 	[jessie] - csync2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/LINBIT/csync2/pull/13/commits/0ecfc333da51575f188dd7cf6ac4974d13a800b1
@@ -44679,7 +44688,7 @@ CVE-2017-18516 (The bws-linkedin plugin before 1.0.5 for WordPress has multiple
 CVE-2016-10894 (xtrlock through 2.10 does not block multitouch events. Consequently, a ...)
 	{DLA-1959-1}
 	- xtrlock 2.12 (bug #830726)
-	[buster] - xtrlock <no-dsa> (Minor issue; can be fixed via point release)
+	[buster] - xtrlock 2.8+deb10u1
 	[stretch] - xtrlock <no-dsa> (Minor issue; can be fixed via point release)
 CVE-2016-10893 (The crayon-syntax-highlighter plugin before 2.8.4 for WordPress has mu ...)
 	NOT-FOR-US: Wordpress plugin
@@ -45478,6 +45487,7 @@ CVE-2019-14863 (There is a vulnerability in all angular versions before 1.5.0-be
 	NOTE: https://github.com/angular/angular.js/pull/12524
 CVE-2019-14862 (There is a vulnerability in knockout before version 3.5.0-beta, where  ...)
 	- node-knockout 3.4.2-3 (unimportant; bug #943560)
+	[buster] - node-knockout 3.4.2-2+deb10u1
 	NOTE: https://github.com/knockout/knockout/issues/1244
 	NOTE: https://github.com/knockout/knockout/pull/2345
 	NOTE: https://github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb
@@ -46331,13 +46341,13 @@ CVE-2019-14588
 CVE-2019-14587
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1
-	[buster] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 0~20181115.85588389-3+deb10u1
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 CVE-2019-14586
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1
-	[buster] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 0~20181115.85588389-3+deb10u1
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 CVE-2019-14585
@@ -46363,7 +46373,7 @@ CVE-2019-14576
 CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check]
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1 (low; bug #952935)
-	[buster] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 0~20181115.85588389-3+deb10u1
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
@@ -46392,7 +46402,7 @@ CVE-2019-14564
 CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib]
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1 (low; bug #952934)
-	[buster] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 0~20181115.85588389-3+deb10u1
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891
@@ -46406,7 +46416,7 @@ CVE-2019-14560
 CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1 (bug #952926; low)
-	[buster] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 0~20181115.85588389-3+deb10u1
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550
@@ -46414,7 +46424,7 @@ CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
 CVE-2019-14558
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1
-	[buster] - edk2 <no-dsa> (Minor issue)
+	[buster] - edk2 0~20181115.85588389-3+deb10u1
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 CVE-2019-14557
@@ -46716,6 +46726,7 @@ CVE-2019-14467 (The Social Photo Gallery plugin 1.0 for WordPress allows Remote
 CVE-2019-14466 (The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable  ...)
 	{DLA-1905-1}
 	- gosa 2.7.4+reloaded3-10
+	[buster] - gosa 2.7.4+reloaded3-8+deb10u2
 	NOTE: https://github.com/gosa-project/gosa-core/commit/e1504e9765db2adde8b4685b5c93fbba57df868b (fix)
 	NOTE: https://github.com/gosa-project/gosa-core/commit/90b674960335d888c76ca5e99027df8e7fa66f3a (fixing the prev commit)
 	NOTE: https://github.com/gosa-project/gosa-core/pull/30#issuecomment-521975100
@@ -58602,7 +58613,7 @@ CVE-2019-10786 (network-manager through 1.0.2 allows remote attackers to execute
 CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions before ver ...)
 	{DLA-2127-1}
 	- dojo 1.15.2+dfsg1-1 (bug #952771)
-	[buster] - dojo <no-dsa> (Minor issue)
+	[buster] - dojo 1.15.0+dfsg1-1+deb10u1
 	NOTE: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
 	NOTE: https://snyk.io/vuln/SNYK-JS-DOJOX-548257
 	NOTE: https://github.com/dojo/dojox/pull/315
@@ -62725,7 +62736,7 @@ CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are
 CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...)
 	{DLA-1768-1}
 	- checkstyle 8.26-1 (low; bug #924598)
-	[buster] - checkstyle <no-dsa> (Minor issue)
+	[buster] - checkstyle 8.15-1+deb10u1
 	[stretch] - checkstyle <no-dsa> (Minor issue)
 	NOTE: https://github.com/checkstyle/checkstyle/issues/6474
 	NOTE: https://github.com/checkstyle/checkstyle/issues/6478
@@ -65113,7 +65124,7 @@ CVE-2019-8843
 CVE-2019-8842 [he `ippReadIO` function may under-read an extension field]
 	RESERVED
 	- cups 2.3.1-12
-	[buster] - cups <no-dsa> (Minor issue)
+	[buster] - cups 2.2.10-6+deb10u3
 	[stretch] - cups <no-dsa> (Minor issue)
 	[jessie] - cups <no-dsa> (Minor issue)
 	NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ipp.c: ippReadIO)
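
Review bot: the buster cups line is changed correctly to 2.2.10-6+deb10u3, the same version used for CVE-2020-3898 above, but the context line for CVE-2019-8842 has a truncated bracketed title, "[he `ippReadIO` function may under-read an extension field]", missing its leading "T"; that is not part of this change, so fix it in a follow-up commit.
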
@@ -73894,7 +73905,7 @@ CVE-2019-5430 (In UniFi Video 3.10.0 and prior, due to the lack of CSRF protecti
 	NOT-FOR-US: Ubiquiti Networks UniFi Video
 CVE-2019-5429 (Untrusted search path in FileZilla before 3.41.0-rc1 allows an attacke ...)
 	- filezilla 3.45.1-1 (low; bug #928282)
-	[buster] - filezilla <no-dsa> (Minor issue)
+	[buster] - filezilla 3.39.0-2+deb10u1
 	[stretch] - filezilla <no-dsa> (Minor issue)
 	[jessie] - filezilla <no-dsa> (Minor issue)
 	NOTE: https://svn.filezilla-project.org/filezilla?revision=9097&view=revision
@@ -77301,7 +77312,7 @@ CVE-2019-3867
 	NOT-FOR-US: OpenShift (web-cosnole issue specific to OpenShift only)
 CVE-2019-3866 (An information-exposure vulnerability was discovered where openstack-m ...)
 	- python-oslo.utils 3.41.3-1 (low; bug #946060)
-	[buster] - python-oslo.utils <no-dsa> (Minor issue; can be fixed via point release)
+	[buster] - python-oslo.utils 3.36.5-0+deb10u1
 	[stretch] - python-oslo.utils <no-dsa> (Minor issue; can be fixed via point release)
 	[jessie] - python-oslo.utils <not-affected> (regex pattern rewrite)
 	- python-mistral-lib 1.2.0-3
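
Review bot: the python-oslo.utils buster line now matches the next-point-update.txt entry (3.36.5-0+deb10u1), and the stretch and jessie lines are left untouched, which is consistent. One cosmetic point in the context: the CVE-2019-3867 line above reads "web-cosnole", a typo for "web-console" that is worth correcting in a follow-up.
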
@@ -82791,7 +82802,7 @@ CVE-2019-2392
 CVE-2019-2391 (Incorrect parsing of certain JSON input may result in js-bson not corr ...)
 	[experimental] - node-mongodb 3.5.5+~cs11.12.19-1
 	- node-mongodb 3.5.6+~cs11.12.19-1
-	[buster] - node-mongodb <no-dsa> (Minor issue)
+	[buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
 	NOTE: Fixed in js-bson v1.1.4 included in 3.5.5+~cs11.12.19
 CVE-2019-2390 (An unprivileged user or program on Microsoft Windows which can create  ...)
 	NOT-FOR-US: Microsoft


=====================================
data/next-point-update.txt
=====================================
@@ -1,117 +1,3 @@
-CVE-2019-3866
-	[buster] - python-oslo.utils 3.36.5-0+deb10u1
-CVE-2019-5429
-	[buster] - filezilla 3.39.0-2+deb10u1
-CVE-2019-16775
-	[buster] - npm 5.8.0+ds6-4+deb10u1
-CVE-2019-16776
-	[buster] - npm 5.8.0+ds6-4+deb10u1
-CVE-2019-16777
-	[buster] - npm 5.8.0+ds6-4+deb10u1
-CVE-2016-10894
-	[buster] - xtrlock 2.8+deb10u1
-CVE-2019-19791
-	[buster] - lemonldap-ng 2.0.2+ds-7+deb10u3
-CVE-2020-5202
-	[buster] - apt-cacher-ng 3.2.1-1
-CVE-2020-8116
-	[buster] - node-dot-prop 4.1.1-1+deb10u1
-CVE-2019-16770
-	[buster] - puma 3.12.0-2+deb10u1
-CVE-2020-3123
-	[buster] - clamav 0.102.2+dfsg-0+deb10u1
-CVE-2019-10785
-	[buster] - dojo 1.15.0+dfsg1-1+deb10u1
-CVE-2020-8130
-	[buster] - rake 12.3.1-3+deb10u1
-CVE-2020-10174
-	[buster] - timeshift 19.01+ds-2+deb10u1
-CVE-2020-9543
-	[buster] - manila 1:7.0.0-1+deb10u1
-CVE-2020-8141
-	[buster] - node-dot 1.1.1-1+deb10u1
-CVE-2020-5267
-	[buster] - rails 2:5.2.2.1+dfsg-1+deb10u1
-CVE-2020-8597
-	[buster] - lwip 2.0.3-3+deb10u1
-CVE-2020-7608
-	[buster] - node-yargs-parser 11.1.1-1+deb10u1
-CVE-2019-14862
-	[buster] - node-knockout 3.4.2-2+deb10u1
-CVE-2019-9658
-	[buster] - checkstyle 8.15-1+deb10u1
-CVE-2019-15522
-	[buster] - csync2 2.0-22-gce67c55-1+deb10u1
-CVE-2019-15690
-	[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
-CVE-2019-20788
-	[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u3
-CVE-2020-1712
-	[buster] - systemd 241-7~deb10u4
-CVE-2020-8518
-	[buster] - php-horde-data 2.1.4-5+deb10u1
-CVE-2020-8866
-	[buster] - php-horde-form 2.0.18-3.1+deb10u1
-CVE-2020-8865
-	[buster] - php-horde-trean 1.1.9-3+deb10u1
-CVE-2019-14587
-	[buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14586
-	[buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14558
-	[buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14563
-	[buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14559
-	[buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2019-14575
-	[buster] - edk2 0~20181115.85588389-3+deb10u1
-CVE-2020-3898
-	[buster] - cups 2.2.10-6+deb10u3
-CVE-2019-8842
-	[buster] - cups 2.2.10-6+deb10u3
-CVE-2020-1730
-	[buster] - libssh 0.8.7-1+deb10u1
-CVE-2020-0009
-	[buster] - linux 4.19.118-1
-CVE-2020-11494
-	[buster] - linux 4.19.118-1
-CVE-2020-11608
-	[buster] - linux 4.19.118-1
-CVE-2020-11609
-	[buster] - linux 4.19.118-1
-CVE-2020-11668
-	[buster] - linux 4.19.118-1
-CVE-2020-11669
-	[buster] - linux 4.19.118-1
-CVE-2020-12465
-	[buster] - linux 4.19.118-1
-CVE-2020-12653
-	[buster] - linux 4.19.118-1
-CVE-2020-12654
-	[buster] - linux 4.19.118-1
-CVE-2020-12657
-	[buster] - linux 4.19.118-1
-CVE-2020-12659
-	[buster] - linux 4.19.118-1
-CVE-2020-8647
-	[buster] - linux 4.19.118-1
-CVE-2020-8648
-	[buster] - linux 4.19.118-1
-CVE-2020-8649
-	[buster] - linux 4.19.118-1
-CVE-2020-8992
-	[buster] - linux 4.19.118-1
-CVE-2020-9383
-	[buster] - linux 4.19.118-1
-CVE-2019-19046
-	[buster] - linux 4.19.118-1
-CVE-2020-7610
-	[buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
-CVE-2019-2391
-	[buster] - node-mongodb 3.1.13+~3.1.11-2+deb10u1
-CVE-2019-14466
-	[buster] - gosa 2.7.4+reloaded3-8+deb10u2
 CVE-2019-19919
 	[buster] - node-handlebars 3:4.1.0-1+deb10u1
 CVE-2019-18277
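
Review bot: every entry removed from next-point-update.txt must reappear as a [buster] fixed-version line in data/CVE/list in the same merge, otherwise the pending fix silently disappears from the tracker. Cross-checking the 57 removed CVE ids against the data/CVE/list hunks above, each one has a matching buster line with the identical version (linux 4.19.118-1 for the seventeen kernel CVEs, edk2 0~20181115.85588389-3+deb10u1 for the six edk2 CVEs, node-mongodb 3.1.13+~3.1.11-2+deb10u1 for CVE-2020-7610 and CVE-2019-2391, and so on), so the two files stay consistent. CVE-2019-19919 and CVE-2019-18277 are correctly left in place as still pending.
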



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d8ba4b1ee4cc9abaf9e39aee58fea84f8c629b37...c7a2b99b4ad0c9347d615de7cab5f07f93655e90
