[Git][security-tracker-team/security-tracker][master] Merge already accepted packages for 10.10
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Jun 19 09:59:41 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
55d4a6bb by Salvatore Bonaccorso at 2021-06-19T10:59:00+02:00
Merge already accepted packages for 10.10
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2657,7 +2657,7 @@ CVE-2021-33834
RESERVED
CVE-2021-33833 (ConnMan (aka Connection Manager) 1.30 through 1.39 has a stack-based b ...)
- connman 1.36-2.2 (bug #989662)
- [buster] - connman <no-dsa> (Minor issue)
+ [buster] - connman 1.36-2.1~deb10u2
[stretch] - connman <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/06/09/1
NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=eceb2e8d2341c041df55a5e2f047d9a8c491463c
@@ -2729,7 +2729,7 @@ CVE-2021-3579
CVE-2021-3578 [possible remote code execution in isync/mbsync]
RESERVED
- isync 1.3.0-2.2 (bug #989564)
- [buster] - isync <no-dsa> (Minor issue)
+ [buster] - isync 1.3.0-2.2~deb10u1
[stretch] - isync <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/06/07/1
CVE-2021-33806 (The BDew BdLib library before 1.16.1.7 for Minecraft allows remote cod ...)
@@ -3341,7 +3341,7 @@ CVE-2021-33561 (A stored cross-site scripting (XSS) vulnerability in Shopizer be
NOT-FOR-US: Shopizer
CVE-2021-33560 (Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encry ...)
- libgcrypt20 1.8.7-6
- [buster] - libgcrypt20 <no-dsa> (Minor issue)
+ [buster] - libgcrypt20 1.8.4-5+deb10u1
[stretch] - libgcrypt20 <no-dsa> (Minor issue)
NOTE: https://dev.gnupg.org/T5328 (not yet public)
NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320
@@ -3535,7 +3535,7 @@ CVE-2021-33478
RESERVED
CVE-2021-3561 (An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bound ...)
- fig2dev 1:3.2.8-3
- [buster] - fig2dev <no-dsa> (Minor issue)
+ [buster] - fig2dev 1:3.2.7a-5+deb10u4
[stretch] - fig2dev <no-dsa> (Minor issue)
- transfig <removed>
NOTE: https://sourceforge.net/p/mcj/tickets/116/
@@ -4209,10 +4209,10 @@ CVE-2021-33477 (rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 all
{DLA-2683-1 DLA-2682-1 DLA-2681-1 DLA-2671-1}
- rxvt <removed>
- rxvt-unicode 9.22-11 (bug #988763)
- [buster] - rxvt-unicode <no-dsa> (Minor issue)
+ [buster] - rxvt-unicode 9.22-6+deb10u1
- mrxvt <removed>
- eterm 0.9.6-6.1 (bug #989041)
- [buster] - eterm <no-dsa> (Minor issue)
+ [buster] - eterm 0.9.6-5+deb10u1
NOTE: https://www.openwall.com/lists/oss-security/2021/05/17/1
NOTE: Mentioned first in: https://www.openwall.com/lists/oss-security/2017/05/01/20
NOTE: Fixed by: http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
@@ -5390,7 +5390,7 @@ CVE-2021-32641 (auth0-lock is Auth0's signin solution. Versions of nauth0-lock b
NOT-FOR-US: auth0-lock
CVE-2021-32640 (ws is an open source WebSocket client and server library for Node.js. ...)
- node-ws 7.4.2+~cs18.0.8-2
- [buster] - node-ws <no-dsa> (Minor issue)
+ [buster] - node-ws 1.1.0+ds1.e6ddaae4-5+deb10u1
[stretch] - node-ws <no-dsa> (Minor issue)
NOTE: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
NOTE: https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
@@ -5817,7 +5817,7 @@ CVE-2021-3541
RESERVED
{DLA-2669-1}
- libxml2 2.9.10+dfsg-6.7 (bug #988603)
- [buster] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950515
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/228 (currently private)
@@ -6691,7 +6691,7 @@ CVE-2019-25043 (ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing,
CVE-2021-3537 (A vulnerability found in libxml2 in versions before 2.9.11 shows that ...)
{DLA-2653-1}
- libxml2 2.9.10+dfsg-6.6 (bug #988123)
- [buster] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/244
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/245
@@ -7236,25 +7236,25 @@ CVE-2021-31874
RESERVED
CVE-2021-31873 (An issue was discovered in klibc before 2.0.9. Additions in the malloc ...)
- klibc 2.0.8-6 (bug #989505)
- [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
+ [buster] - klibc 2.0.6-1+deb10u1
[stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=a31ae8c508fc8d1bca4f57e9f9f88127572d5202
NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1
CVE-2021-31872 (An issue was discovered in klibc before 2.0.9. Multiple possible integ ...)
- klibc 2.0.8-6 (bug #989505)
- [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
+ [buster] - klibc 2.0.6-1+deb10u1
[stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff
NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1
CVE-2021-31871 (An issue was discovered in klibc before 2.0.9. An integer overflow in ...)
- klibc 2.0.8-6 (bug #989505)
- [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
+ [buster] - klibc 2.0.6-1+deb10u1
[stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5
NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1
CVE-2021-31870 (An issue was discovered in klibc before 2.0.9. Multiplication in the c ...)
- klibc 2.0.8-6 (bug #989505)
- [buster] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
+ [buster] - klibc 2.0.6-1+deb10u1
[stretch] - klibc <no-dsa> (Minor issue; only used in initramfs and not dealing with untrusted data)
NOTE: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2
NOTE: https://www.openwall.com/lists/oss-security/2021/04/30/1
@@ -7406,19 +7406,19 @@ CVE-2020-36326 (PHPMailer 6.1.8 through 6.4.0 allows object injection through Ph
CVE-2021-3518 (There's a flaw in libxml2 in versions before 2.9.11. An attacker who i ...)
{DLA-2653-1}
- libxml2 2.9.10+dfsg-6.6 (bug #987737)
- [buster] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7
CVE-2021-3517 (There is a flaw in the xml entity encoding functionality of libxml2 in ...)
{DLA-2653-1}
- libxml2 2.9.10+dfsg-6.6 (bug #987738)
- [buster] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
CVE-2021-3516 (There's a flaw in libxml2's xmllint in versions before 2.9.11. An atta ...)
{DLA-2653-1}
- libxml2 2.9.10+dfsg-6.6 (bug #987739)
- [buster] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
CVE-2021-3515 (A shell injection flaw was found in pglogical in versions before 2.3.4 ...)
@@ -13215,7 +13215,7 @@ CVE-2021-29470 (Exiv2 is a command-line utility and C++ library for reading, wri
NOTE: https://github.com/Exiv2/exiv2/commit/c372f2677d6f7cf88a8f26ef6bc175561e406ee2
CVE-2021-29469 (Node-redis is a Node.js Redis client. Before version 3.1.1, when a cli ...)
- node-redis 3.0.2+~cs5.18.1-3
- [buster] - node-redis <no-dsa> (Minor issue)
+ [buster] - node-redis 2.8.0-1+deb10u1
NOTE: https://github.com/NodeRedis/node-redis/issues/1569
NOTE: https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3
NOTE: https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e
@@ -13503,10 +13503,10 @@ CVE-2021-29377
CVE-2021-29376 (ircII before 20210314 allows remote attackers to cause a denial of ser ...)
- ircii-pana <removed>
- ircii 20210314-1 (bug #986214)
- [buster] - ircii <no-dsa> (Minor issue)
+ [buster] - ircii 20190117-1+deb10u1
[stretch] - ircii <postponed> (Minor issue; can be fixed in next update)
- scrollz 2.2.3-2 (bug #986215)
- [buster] - scrollz <no-dsa> (Minor issue)
+ [buster] - scrollz 2.2.3-1+deb10u1
[stretch] - scrollz <postponed> (Minor issue; can be fixed in next update)
NOTE: https://www.openwall.com/lists/oss-security/2021/03/24/2
NOTE: https://github.com/ScrollZ/ScrollZ/issues/25
@@ -15733,7 +15733,7 @@ CVE-2021-28422
RESERVED
CVE-2021-28421 (FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/f ...)
- fluidsynth 2.1.7-1.1 (bug #987168)
- [buster] - fluidsynth <no-dsa> (Minor issue)
+ [buster] - fluidsynth 1.1.11-1+deb10u1
[stretch] - fluidsynth <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/FluidSynth/fluidsynth/issues/808
NOTE: https://github.com/FluidSynth/fluidsynth/pull/810
@@ -16384,7 +16384,7 @@ CVE-2016-20009 (** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer
NOT-FOR-US: Wind River VxWorks
CVE-2021-28153 (An issue was discovered in GNOME GLib before 2.66.8. When g_file_repla ...)
- glib2.0 2.66.7-2 (bug #984969)
- [buster] - glib2.0 <no-dsa> (Minor issue)
+ [buster] - glib2.0 2.58.3-2+deb10u3
[stretch] - glib2.0 <postponed> (Minor issue, directory traversal exploitable in file-roller)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
CVE-2021-3435
@@ -18558,7 +18558,7 @@ CVE-2021-27230 (ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Co
CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim navigates ...)
{DLA-2562-1}
- mumble 1.3.4-1 (bug #982904)
- [buster] - mumble <no-dsa> (Minor issue)
+ [buster] - mumble 1.3.0~git20190125.440b173+dfsg-2+deb10u1
NOTE: https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
NOTE: https://github.com/mumble-voip/mumble/pull/4733
CVE-2021-27228 (An issue was discovered in Shinobi through ocean version 1. lib/auth.j ...)
@@ -18848,7 +18848,7 @@ CVE-2021-27105
CVE-2021-3407 (A flaw was found in mupdf 1.18.0. Double free of object during lineari ...)
{DLA-2589-1}
- mupdf 1.17.0+ds1-1.3 (bug #983684)
- [buster] - mupdf <no-dsa> (Minor issue)
+ [buster] - mupdf 1.14.0+ds1-4+deb10u3
NOTE: http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703366 (not public yet)
CVE-2021-3406 (A flaw was found in keylime 5.8.1 and older. The issue in the Keylime ...)
@@ -19267,7 +19267,7 @@ CVE-2021-26930 (An issue was discovered in the Linux kernel 3.11 through 5.10.16
CVE-2021-26929 (An XSS issue was discovered in Horde Groupware Webmail Edition through ...)
{DLA-2564-1}
- php-horde-text-filter 2.3.7-1 (bug #982769)
- [buster] - php-horde-text-filter <no-dsa> (Minor issue)
+ [buster] - php-horde-text-filter 2.3.5-3+deb10u2
NOTE: https://lists.horde.org/archives/announce/2021/001298.html
NOTE: https://github.com/horde/Text_Filter/commit/c26f938854c36b981558a3b1b9b2f81403cff60e (master)
NOTE: https://github.com/horde/Text_Filter/commit/a2f67da064d7a91440b7a2448e56a6387ab94c67 (v2.3.7)
@@ -19489,13 +19489,13 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before ...)
- glib2.0 2.66.7-1 (bug #982779)
- [buster] - glib2.0 <no-dsa> (Minor issue)
+ [buster] - glib2.0 2.58.3-2+deb10u3
[stretch] - glib2.0 <postponed> (fix along with CVE-2021-27219)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
NOTE: Test case depends on CVE-2021-27219 fix
CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before ...)
- glib2.0 2.66.6-1 (bug #982778)
- [buster] - glib2.0 <no-dsa> (Minor issue)
+ [buster] - glib2.0 2.58.3-2+deb10u3
[stretch] - glib2.0 <postponed> (requires fixing vulnerable rdeps, follow buster strategy)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
NOTE: Fix introduces new API 'g_memdup2'
@@ -23690,7 +23690,7 @@ CVE-2021-25218
CVE-2021-25217 (In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 ( ...)
{DLA-2674-1}
- isc-dhcp 4.4.1-2.3 (bug #989157)
- [buster] - isc-dhcp <no-dsa> (Can be fixed via point release)
+ [buster] - isc-dhcp 4.4.1-2+deb10u1
NOTE: https://kb.isc.org/docs/cve-2021-25217
NOTE: https://www.openwall.com/lists/oss-security/2021/05/26/6
NOTE: https://downloads.isc.org/isc/dhcp/4.4.2-P1/patches/4.4.2.CVE-2021-25217.patch
@@ -27755,7 +27755,7 @@ CVE-2021-23370 (This affects the package swiper before 6.5.1. ...)
NOT-FOR-US: swiper
CVE-2021-23369 (The package handlebars before 4.7.7 are vulnerable to Remote Code Exec ...)
- node-handlebars 3:4.7.6+~4.1.0-2
- [buster] - node-handlebars <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - node-handlebars 3:4.1.0-1+deb10u3
- libjs-handlebars <removed>
[stretch] - libjs-handlebars <ignored> (Minor issue and too intrusive to backport)
NOTE: https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8
@@ -27783,7 +27783,7 @@ CVE-2021-23363 (This affects the package kill-by-port before 0.0.2. If (attacker
NOT-FOR-US: Node kill-by-port
CVE-2021-23362 (The package hosted-git-info before 3.0.8 are vulnerable to Regular Exp ...)
- node-hosted-git-info 3.0.8-1
- [buster] - node-hosted-git-info <no-dsa> (Minor issue)
+ [buster] - node-hosted-git-info 2.7.1-1+deb10u1
[stretch] - node-hosted-git-info <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3
NOTE: https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
@@ -29194,7 +29194,7 @@ CVE-2021-22697 (A CWE-434: Unrestricted Upload of File with Dangerous Type vulne
CVE-2020-36189 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2996
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29202,7 +29202,7 @@ CVE-2020-36189 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36188 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2996
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29210,7 +29210,7 @@ CVE-2020-36188 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36187 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2997
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29218,7 +29218,7 @@ CVE-2020-36187 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36186 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2997
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29226,7 +29226,7 @@ CVE-2020-36186 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36185 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2998
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29234,7 +29234,7 @@ CVE-2020-36185 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36184 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2998
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29242,7 +29242,7 @@ CVE-2020-36184 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36183 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/3003
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29250,7 +29250,7 @@ CVE-2020-36183 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36182 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29258,7 +29258,7 @@ CVE-2020-36182 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36181 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29266,7 +29266,7 @@ CVE-2020-36181 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36180 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -29274,7 +29274,7 @@ CVE-2020-36180 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-36179 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -32979,7 +32979,7 @@ CVE-2020-35729 (KLog Server 2.4.1 allows OS command injection via shell metachar
CVE-2020-35728 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2999
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -36384,7 +36384,7 @@ CVE-2021-20248
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1927740
CVE-2021-20247 (A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of th ...)
- isync 1.3.0-2.1 (bug #983351)
- [buster] - isync <no-dsa> (Minor issue)
+ [buster] - isync 1.3.0-2.2~deb10u1
[stretch] - isync <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/02/22/1
CVE-2021-20246 (A flaw was found in ImageMagick in MagickCore/resample.c. An attacker ...)
@@ -36481,13 +36481,13 @@ CVE-2021-20233 (A flaw was found in grub2 in versions prior to 2.06. Setparam_pr
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
CVE-2021-20232 (A flaw was found in gnutls. A use after free issue in client_send_para ...)
- gnutls28 3.7.1-1
- [buster] - gnutls28 <no-dsa> (Minor issue)
+ [buster] - gnutls28 3.6.7-4+deb10u7
[stretch] - gnutls28 <not-affected> (Vulnerable code introduced later)
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1151
CVE-2021-20231 (A flaw was found in gnutls. A use after free issue in client sending k ...)
- gnutls28 3.7.1-1
- [buster] - gnutls28 <no-dsa> (Minor issue)
+ [buster] - gnutls28 3.6.7-4+deb10u7
[stretch] - gnutls28 <not-affected> (Vulnerable code introduced later)
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2021-03-10
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1151
@@ -36625,7 +36625,7 @@ CVE-2021-20205 (Libjpeg-turbo versions 2.0.91 and 2.0.90 is vulnerable to a deni
CVE-2021-20204 (A heap memory corruption problem (use after free) can be triggered in ...)
{DLA-2660-1}
- libgetdata 0.10.0-10 (bug #988239)
- [buster] - libgetdata <no-dsa> (Minor issue)
+ [buster] - libgetdata 0.10.0-5+deb10u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956348
NOTE: https://bugs.launchpad.net/ubuntu/+source/libgetdata/+bug/1912050
CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...)
@@ -36700,7 +36700,7 @@ CVE-2021-20191 (A flaw was found in ansible. Credentials, such as secrets, are b
CVE-2021-20190 (A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishan ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2854
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -37207,7 +37207,7 @@ CVE-2020-35492 (A flaw was found in cairo's image-compositor.c in all versions p
CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -37215,7 +37215,7 @@ CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -37434,7 +37434,7 @@ CVE-2020-35460 (common/InputStreamHelper.java in Packwood MPXJ before 8.3.5 allo
CVE-2020-35459 (An issue was discovered in ClusterLabs crmsh through 4.2.1. Local atta ...)
{DLA-2533-1}
- crmsh 4.2.1-2 (bug #985376)
- [buster] - crmsh <no-dsa> (Minor issue)
+ [buster] - crmsh 4.0.0~git20190108.3d56538-3+deb10u1
NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/3
CVE-2020-35458 (An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There ...)
- hawk <itp> (bug #634344)
@@ -38025,7 +38025,7 @@ CVE-2020-35177 (HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the
CVE-2020-35176 (In AWStats through 7.8, cgi-bin/awstats.pl?config= accepts a partial a ...)
{DLA-2506-1}
- awstats 7.8-2 (bug #977190)
- [buster] - awstats <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - awstats 7.6+dfsg-2+deb10u1
NOTE: https://github.com/eldy/awstats/issues/195
NOTE: https://github.com/eldy/AWStats/commit/96756d7f40e002cc1e6ba72c633fb66b92e54f49
CVE-2020-35175 (Frappe Framework 12 and 13 does not properly validate the HTTP method ...)
@@ -39975,7 +39975,7 @@ CVE-2020-29601 (The official notary docker images before signer-0.6.1-1 contain
CVE-2020-29600 (In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute ...)
{DLA-2506-1}
- awstats 7.8-1 (bug #891469)
- [buster] - awstats <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - awstats 7.6+dfsg-2+deb10u1
NOTE: https://github.com/eldy/awstats/issues/90
NOTE: https://github.com/eldy/awstats/commit/d4d815d0caae3dbae83ac70a1ae4581bd57cf376
CVE-2020-29599 (ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the - ...)
@@ -42885,7 +42885,7 @@ CVE-2021-1406 (A vulnerability in Cisco Unified Communications Manager (Unified
CVE-2021-1405 (A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) ...)
{DLA-2626-1}
- clamav 0.103.2+dfsg-1 (bug #986622; bug #986790)
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.2+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
CVE-2021-1404 (A vulnerability in the PDF parsing module in Clam AntiVirus (ClamAV) S ...)
- clamav 0.103.2+dfsg-1 (bug #986622; bug #986790)
@@ -43711,12 +43711,12 @@ CVE-2021-1077 (NVIDIA GPU Display Driver for Windows and Linux, R450 and R460 dr
- nvidia-graphics-drivers-tesla-460 460.73.01-1 (bug #987222)
CVE-2021-1076 (NVIDIA GPU Display Driver for Windows and Linux, all versions, contain ...)
- nvidia-graphics-drivers 460.73.01-1 (bug #987216)
- [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers 418.197.02-1
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #987217)
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.143-1 (bug #987218)
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.143-1~deb10u1
- nvidia-graphics-drivers-tesla-418 418.197.02-1 (bug #987219)
- nvidia-graphics-drivers-tesla-440 <unfixed> (bug #987220)
- nvidia-graphics-drivers-tesla-450 450.119.03-1 (bug #987221)
@@ -44037,7 +44037,7 @@ CVE-2020-28470 (This affects the package @scullyio/scully before 1.0.9. The tran
NOT-FOR-US: scully
CVE-2020-28469 (This affects the package glob-parent before 5.1.2. The enclosure regex ...)
- node-glob-parent 5.1.1+~5.1.0-2
- [buster] - node-glob-parent <no-dsa> (Minor issue)
+ [buster] - node-glob-parent 3.1.0-1+deb10u1
[stretch] - node-glob-parent <postponed> (Minor issue; can be fixed in next update)
NOTE: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
NOTE: https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366
@@ -51782,7 +51782,7 @@ CVE-2019-20921 (bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS)
NOT-FOR-US: bootstrap-select
CVE-2019-20920 (Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrar ...)
- node-handlebars 3:4.5.3-1
- [buster] - node-handlebars <no-dsa> (Minor issue)
+ [buster] - node-handlebars 3:4.1.0-1+deb10u3
- libjs-handlebars <removed>
[stretch] - libjs-handlebars <ignored> (Only reverse depends was diaspora which not in stretch and too intrusive to backport)
NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
@@ -53165,7 +53165,7 @@ CVE-2020-25650 (A flaw was found in the way the spice-vdagentd daemon handled fi
CVE-2020-25649 (A flaw was found in FasterXML Jackson Databind, where it did not have ...)
{DLA-2406-1}
- jackson-databind 2.11.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2589
NOTE: https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59 (jackson-databind-2.11.0.rc1)
CVE-2020-25648 (A flaw was found in the way NSS handled CCS (ChangeCipherSpec) message ...)
@@ -54766,6 +54766,7 @@ CVE-2020-24978 (In NASM 2.15.04rc3, there is a double-free vulnerability in pp_t
CVE-2020-24977 (GNOME project libxml2 v2.9.10 has a global buffer over-read vulnerabil ...)
{DLA-2369-1}
- libxml2 2.9.10+dfsg-6.2 (unimportant; bug #969529)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2
NOTE: The issue is specific and restricted to xmllint:
@@ -55252,7 +55253,7 @@ CVE-2020-24751
CVE-2020-24750 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2798
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -55451,7 +55452,7 @@ CVE-2020-24660 (An issue was discovered in LemonLDAP::NG through 2.0.8, when NGI
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2290
CVE-2020-24659 (An issue was discovered in GnuTLS before 3.6.15. A server can trigger ...)
- gnutls28 3.6.15-1 (bug #969547)
- [buster] - gnutls28 <no-dsa> (Minor issue)
+ [buster] - gnutls28 3.6.7-4+deb10u7
[stretch] - gnutls28 <not-affected> (Vulnerable code introduced later)
NOTE: https://www.gnutls.org/security-new.html#GNUTLS-SA-2020-09-04
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1071
@@ -55547,7 +55548,7 @@ CVE-2020-24617 (Mailtrain through 1.24.1 allows SQL Injection in statsClickedSub
CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...)
{DLA-2638-1}
- jackson-databind 2.12.1-1
- [buster] - jackson-databind <no-dsa> (Minor issue)
+ [buster] - jackson-databind 2.9.8-3+deb10u3
NOTE: https://github.com/FasterXML/jackson-databind/issues/2814
NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
NOTE: but still an issue when Default Typing is enabled.
@@ -72039,7 +72040,7 @@ CVE-2020-16601
RESERVED
CVE-2020-16600 (A Use After Free vulnerability exists in Artifex Software, Inc. MuPDF ...)
- mupdf 1.17.0+ds1-1 (bug #989526)
- [buster] - mupdf <no-dsa> (only reads formerly used memory)
+ [buster] - mupdf 1.14.0+ds1-4+deb10u3
[stretch] - mupdf <not-affected> (Vulnerable code not present)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702253
NOTE: http://git.ghostscript.com/?p=mupdf.git;h=96751b25462f83d6e16a9afaf8980b0c3f979c8b
@@ -76044,7 +76045,7 @@ CVE-2020-15079 (In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, t
NOT-FOR-US: PrestaShop
CVE-2020-15078 (OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass ...)
- openvpn 2.5.1-2 (bug #987380)
- [buster] - openvpn <no-dsa> (Minor issue)
+ [buster] - openvpn 2.4.7-1+deb10u1
[stretch] - openvpn <no-dsa> (Minor issue)
NOTE: https://github.com/OpenVPN/openvpn/commit/f7b3bf067ffce72e7de49a4174fd17a3a83f0573 (v2.5.2)
NOTE: https://github.com/OpenVPN/openvpn/commit/3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a (v2.5.2)
@@ -79343,7 +79344,7 @@ CVE-2020-13937 (Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.
CVE-2020-13936 (An attacker that is able to modify Velocity templates may execute arbi ...)
{DLA-2595-1}
- velocity 1.7-6 (bug #985220)
- [buster] - velocity <no-dsa> (Minor issue)
+ [buster] - velocity 1.7-5+deb10u1
NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/1
NOTE: Fixed by: https://github.com/apache/velocity-engine/commit/1ba60771d23dae7e6b3138ae6bee09cf6f9d2485
CVE-2020-13935 (The payload length in a WebSocket frame was not correctly validated in ...)
@@ -81517,7 +81518,7 @@ CVE-2020-13125 (An issue was discovered in the "Ultimate Addons for Elementor" p
NOT-FOR-US: "Ultimate Addons for Elementor" plugin for WordPress
CVE-2020-13124 (SABnzbd 2.3.9 and 3.0.0Alpha2 has a command injection vulnerability in ...)
- sabnzbdplus 3.1.1+dfsg-1
- [buster] - sabnzbdplus <no-dsa> (Minor issue, can be fixed via point release, contrib not supported)
+ [buster] - sabnzbdplus 2.3.6+dfsg-1+deb10u1
[stretch] - sabnzbdplus <ignored> (contrib not supported)
NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-9x87-96gg-33w2
NOTE: https://github.com/sabnzbd/sabnzbd/commit/dfcba6e2fb37f58fea06b453b1ba258c7f110429
@@ -83178,7 +83179,7 @@ CVE-2020-12461 (PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has
CVE-2020-12460 (OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper nul ...)
{DLA-2639-1}
- opendmarc 1.4.0~beta1+dfsg-3 (bug #966464)
- [buster] - opendmarc <no-dsa> (Minor issue)
+ [buster] - opendmarc 1.3.2-6+deb10u2
NOTE: https://github.com/trusteddomainproject/OpenDMARC/issues/64
NOTE: https://github.com/trusteddomainproject/OpenDMARC/commit/50d28af25d8735504b6103537228ce7f76ad765f
CVE-2020-12459 (In certain Red Hat packages for Grafana 6.x through 6.3.6, the configu ...)
@@ -85616,7 +85617,7 @@ CVE-2020-11811 (In qdPM 9.1, an attacker can upload a malicious .php file to the
NOT-FOR-US: qdPM
CVE-2020-11810 (An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can ...)
- openvpn 2.4.9-1 (low)
- [buster] - openvpn <no-dsa> (Minor issue)
+ [buster] - openvpn 2.4.7-1+deb10u1
[stretch] - openvpn <no-dsa> (Minor issue)
[jessie] - openvpn <no-dsa> (Minor issue)
NOTE: https://github.com/OpenVPN/openvpn/commit/37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab
@@ -97069,7 +97070,7 @@ CVE-2020-7664 (In all versions of the package github.com/unknwon/cae/zip, the Ex
CVE-2020-7663 (websocket-extensions ruby module prior to 0.1.5 allows Denial of Servi ...)
{DLA-2334-1}
- ruby-websocket-extensions 0.1.5-1 (bug #964274)
- [buster] - ruby-websocket-extensions <no-dsa> (Minor issue)
+ [buster] - ruby-websocket-extensions 0.1.2-1+deb10u1
NOTE: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
NOTE: https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b
CVE-2020-7662 (websocket-extensions npm module prior to 0.1.4 allows Denial of Servic ...)
@@ -101161,7 +101162,7 @@ CVE-2020-6099
RESERVED
CVE-2020-6098 (An exploitable denial of service vulnerability exists in the freeDiame ...)
- freediameter 1.2.1-8 (bug #985088)
- [buster] - freediameter <no-dsa> (Minor issue)
+ [buster] - freediameter 1.2.1-7+deb10u1
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1030
NOTE: Possible fix: http://www.freediameter.net/trac/changeset/19ab8ac08a361642e7f9ec9f2657202c6f8ef9ee/freeDiameter?old=edfb2b662b91af94b2fccc48b11eec904ccab370
CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atftpd da ...)
@@ -103278,7 +103279,7 @@ CVE-2020-5209 (In NetHack before 3.6.5, unknown options starting with -de and -i
CVE-2020-5208 (It's been found that multiple functions in ipmitool before 1.8.19 negl ...)
{DLA-2098-1}
- ipmitool 1.8.18-10.1 (bug #950761)
- [buster] - ipmitool <no-dsa> (Minor issue)
+ [buster] - ipmitool 1.8.18-6+deb10u1
[stretch] - ipmitool <no-dsa> (Minor issue)
NOTE: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
NOTE: https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2
@@ -115170,7 +115171,7 @@ CVE-2019-18850 (TrevorC2 v1.1/v1.2 fails to prevent fingerprinting primarily via
CVE-2019-18849 (In tnef before 1.4.18, an attacker may be able to write to the victim' ...)
{DLA-2005-1}
- tnef 1.4.18-1 (bug #944851)
- [buster] - tnef <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - tnef 1.4.12-1.2+deb10u1
[stretch] - tnef <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/verdammelt/tnef/pull/40
CVE-2019-18848 (The json-jwt gem before 1.11.0 for Ruby lacks an element count during ...)
@@ -132462,7 +132463,7 @@ CVE-2019-1020015 (graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3
NOT-FOR-US: graphql-engine (aka Hasura GraphQL Engine)
CVE-2019-1020014 (docker-credential-helpers before 0.6.3 has a double free in the List f ...)
- golang-github-docker-docker-credential-helpers 0.6.1-3 (bug #933801)
- [buster] - golang-github-docker-docker-credential-helpers <no-dsa> (Minor issue, can be fixed in point release)
+ [buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1
[stretch] - golang-github-docker-docker-credential-helpers <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/docker/docker-credential-helpers/commit/1c9f7ede70a5ab9851f4c9cb37d317fd89cd318a
CVE-2019-1020013 (parse-server before 3.6.0 allows account enumeration. ...)
@@ -174336,7 +174337,7 @@ CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT fra
- activemq 5.15.9-1 (bug #925964; unimportant)
[jessie] - activemq <not-affected> (MQTT support not enabled)
- mqtt-client 1.16-1 (bug #988109)
- [buster] - mqtt-client <no-dsa> (Minor issue)
+ [buster] - mqtt-client 1.14-1+deb10u1
NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff)
NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client.
=====================================
data/next-point-update.txt
=====================================
@@ -1,147 +1,3 @@
-CVE-2019-1020014
- [buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1
-CVE-2020-29600
- [buster] - awstats 7.6+dfsg-2+deb10u1
-CVE-2020-35176
- [buster] - awstats 7.6+dfsg-2+deb10u1
-CVE-2020-5208
- [buster] - ipmitool 1.8.18-6+deb10u1
-CVE-2020-13124
- [buster] - sabnzbdplus 2.3.6+dfsg-1+deb10u1
-CVE-2021-23362
- [buster] - node-hosted-git-info 2.7.1-1+deb10u1
-CVE-2021-28153
- [buster] - glib2.0 2.58.3-2+deb10u3
-CVE-2021-27219
- [buster] - glib2.0 2.58.3-2+deb10u3
-CVE-2021-27218
- [buster] - glib2.0 2.58.3-2+deb10u3
-CVE-2020-35459
- [buster] - crmsh 4.0.0~git20190108.3d56538-3+deb10u1
-CVE-2020-6098
- [buster] - freediameter 1.2.1-7+deb10u1
-CVE-2021-1405
- [buster] - clamav 0.103.2+dfsg-0+deb10u1
-CVE-2019-20920
- [buster] - node-handlebars 3:4.1.0-1+deb10u3
-CVE-2021-23369
- [buster] - node-handlebars 3:4.1.0-1+deb10u3
-CVE-2020-28469
- [buster] - node-glob-parent 3.1.0-1+deb10u1
-CVE-2019-18849
- [buster] - tnef 1.4.12-1.2+deb10u1
-CVE-2020-24616
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-24750
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-25649
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-35490
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-35491
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-35728
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36179
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36180
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36181
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36182
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36183
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36184
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36185
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36186
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36187
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36188
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2020-36189
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2021-20190
- [buster] - jackson-databind 2.9.8-3+deb10u3
-CVE-2021-28421
- [buster] - fluidsynth 1.1.11-1+deb10u1
-CVE-2020-12460
- [buster] - opendmarc 1.3.2-6+deb10u2
-CVE-2021-29469
- [buster] - node-redis 2.8.0-1+deb10u1
-CVE-2021-1076
- [buster] - nvidia-graphics-drivers 418.197.02-1
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.143-1~deb10u1
-CVE-2020-11810
- [buster] - openvpn 2.4.7-1+deb10u1
-CVE-2020-15078
- [buster] - openvpn 2.4.7-1+deb10u1
-CVE-2021-27229
- [buster] - mumble 1.3.0~git20190125.440b173+dfsg-2+deb10u1
-CVE-2020-13936
- [buster] - velocity 1.7-5+deb10u1
- CVE-2020-7663
- [buster] - ruby-websocket-extensions 0.1.2-1+deb10u1
-CVE-2021-20204
- [buster] - libgetdata 0.10.0-5+deb10u1
-CVE-2021-29376
- [buster] - ircii 20190117-1+deb10u1
- [buster] - scrollz 2.2.3-1+deb10u1
-CVE-2020-24659
- [buster] - gnutls28 3.6.7-4+deb10u7
-CVE-2021-20231
- [buster] - gnutls28 3.6.7-4+deb10u7
-CVE-2021-20232
- [buster] - gnutls28 3.6.7-4+deb10u7
-CVE-2019-0222
- [buster] - mqtt-client 1.14-1+deb10u1
-CVE-2021-33477
- [buster] - rxvt-unicode 9.22-6+deb10u1
-CVE-2021-3561
- [buster] - fig2dev 1:3.2.7a-5+deb10u4
-CVE-2021-26929
- [buster] - php-horde-text-filter 2.3.5-3+deb10u2
-CVE-2021-32640
- [buster] - node-ws 1.1.0+ds1.e6ddaae4-5+deb10u1
-CVE-2021-25217
- [buster] - isc-dhcp 4.4.1-2+deb10u1
-CVE-2021-33560
- [buster] - libgcrypt20 1.8.4-5+deb10u1
-CVE-2021-31871
- [buster] - klibc 2.0.6-1+deb10u1
-CVE-2021-31872
- [buster] - klibc 2.0.6-1+deb10u1
-CVE-2021-31873
- [buster] - klibc 2.0.6-1+deb10u1
-CVE-2021-31874
- [buster] - klibc 2.0.6-1+deb10u1
-CVE-2020-16600
- [buster] - mupdf 1.14.0+ds1-4+deb10u3
-CVE-2021-3407
- [buster] - mupdf 1.14.0+ds1-4+deb10u3
-CVE-2021-20247
- [buster] - isync 1.3.0-2.2~deb10u1
-CVE-2021-3578
- [buster] - isync 1.3.0-2.2~deb10u1
-CVE-2021-33477
- [buster] - eterm 0.9.6-5+deb10u1
-CVE-2020-24977
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
-CVE-2021-3516
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
-CVE-2021-3517
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
-CVE-2021-3518
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
-CVE-2021-3537
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
-CVE-2021-3541
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u2
-CVE-2021-33833
- [buster] - connman 1.36-2.1~deb10u2
CVE-2019-20446
[buster] - librsvg 2.44.10-2.1+deb10u1
CVE-2019-17134
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55d4a6bb113a0028d39c30bd635be25f6bcc3578
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55d4a6bb113a0028d39c30bd635be25f6bcc3578
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210619/66b7140d/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list