[Git][security-tracker-team/security-tracker][master] Merge in the accepted packages from bullseye 11.1
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Oct 9 09:41:38 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2201c6c9 by Salvatore Bonaccorso at 2021-10-09T10:39:17+02:00
Merge in the accepted packages from bullseye 11.1
Though the release has not been happened yet, this is the list of
packages which were copied over from bullseye-pu to bullseye.
The final 11.1 changes need to still be verifed for any missing
additional ones.
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1893,7 +1893,7 @@ CVE-2021-3808
RESERVED
CVE-2021-3807 (ansi-regex is vulnerable to Inefficient Regular Expression Complexity ...)
- node-ansi-regex 5.0.1-1 (bug #994568)
- [bullseye] - node-ansi-regex <no-dsa> (Minor issue)
+ [bullseye] - node-ansi-regex 5.0.1-1~deb11u1
[buster] - node-ansi-regex <no-dsa> (Minor issue)
[stretch] - node-ansi-regex <not-affected> (Vulnerable code introduced later)
NOTE: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
@@ -1902,7 +1902,7 @@ CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extra
NOT-FOR-US: Pardus Software Center
CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification of Obj ...)
- node-object-path 0.11.8-1
- [bullseye] - node-object-path <no-dsa> (Minor issue)
+ [bullseye] - node-object-path 0.11.5-3+deb11u1
[buster] - node-object-path <no-dsa> (Minor issue)
[stretch] - node-object-path <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
@@ -2391,6 +2391,7 @@ CVE-2021-41078
RESERVED
CVE-2021-3801 (prism is vulnerable to Inefficient Regular Expression Complexity ...)
- node-prismjs 1.25.0+dfsg-1
+ [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1
NOTE: https://github.com/prismjs/prism/commit/0ff371bb4775a131634f47d0fe85794c547232f9
CVE-2021-41077 (The activation process in Travis CI, for certain 2021-09-03 through 20 ...)
NOT-FOR-US: Travis CI
@@ -2846,7 +2847,7 @@ CVE-2021-3799 (grav-plugin-admin is vulnerable to Improper Restriction of Render
NOT-FOR-US: Grav CMS
CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buff ...)
- atftp 0.7.git20210915-1 (bug #994895)
- [bullseye] - atftp <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - atftp 0.7.git20120829-3.3+deb11u1
[buster] - atftp <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - atftp <postponed> (Minor issue)
NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
@@ -3297,7 +3298,7 @@ CVE-2021-XXXX [jws alg:none signature verification issue]
NOTE: https://github.com/babelouest/rhonabwy/commit/ff9ecad4c9a031c8369acde67ea52d558899e51e (v1.0.0)
CVE-2021-40818 (scheme/webauthn.c in Glewlwyd SSO server through 2.5.3 has a buffer ov ...)
- glewlwyd 2.5.2-3 (bug #993867)
- [bullseye] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - glewlwyd 2.5.2-2+deb11u1
[buster] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/babelouest/glewlwyd/commit/0efd112bb62f566877750ad62ee828bff579b4e2
CVE-2021-40683 (In Akamai EAA (Enterprise Application Access) Client before 2.3.1, 2.4 ...)
@@ -3600,7 +3601,7 @@ CVE-2021-40541
RESERVED
CVE-2021-40540 (ulfius_uri_logger in Ulfius HTTP Framework before 2.7.4 omits con_info ...)
- ulfius 2.7.1-2 (bug #993851)
- [bullseye] - ulfius <no-dsa> (Minor issue)
+ [bullseye] - ulfius 2.7.1-1+deb11u1
[buster] - ulfius <no-dsa> (Minor issue)
NOTE: https://github.com/babelouest/ulfius/commit/c83f564c184a27145e07c274b305cabe943bbfaa
CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnera ...)
@@ -4189,7 +4190,7 @@ CVE-2021-3750 [hcd-ehci: DMA reentrancy issue leads to use-after-free]
NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity ...)
- node-axios 0.21.3+dfsg-1
- [bullseye] - node-axios <no-dsa> (Minor issue)
+ [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1
[buster] - node-axios <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
NOTE: https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929
@@ -8275,7 +8276,7 @@ CVE-2021-38562
RESERVED
- request-tracker5 <unfixed> (bug #995167)
- request-tracker4 4.4.4+dfsg-3 (bug #995175)
- [bullseye] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release)
+ [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1
[buster] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release)
[stretch] - request-tracker4 <no-dsa> (Minor issue)
NOTE: https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c (rt-5.0.2)
@@ -9315,7 +9316,7 @@ CVE-2020-36432 (An issue was discovered in the alg_ds crate through 2020-08-25 f
CVE-2021-38173 (Btrbk before 0.31.2 allows command execution because of the mishandlin ...)
{DLA-2755-1}
- btrbk 0.27.1-2
- [bullseye] - btrbk <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - btrbk 0.27.1-1.1+deb11u1
[buster] - btrbk <no-dsa> (Minor issue; can be fixed via point release)
NOTE: Fixed by: https://github.com/digint/btrbk/commit/58212de771c381cd4fa05625927080bf264e9584 (v0.31.2)
NOTE: Introduced by: https://github.com/digint/btrbk/commit/ccb5ed5e7191a083da52998df4c880f693451144 (v0.23.0-rc1)
@@ -10094,7 +10095,7 @@ CVE-2021-37844
CVE-2021-3677 [Memory disclosure in certain queries]
RESERVED
- postgresql-13 13.4-1
- [bullseye] - postgresql-13 <no-dsa> (Minor issue; will be fixed via point release)
+ [bullseye] - postgresql-13 13.4-0+deb11u1
- postgresql-11 <removed>
[buster] - postgresql-11 <no-dsa> (Minor issue)
NOTE: https://www.postgresql.org/about/news/postgresql-134-128-1113-1018-9623-and-14-beta-3-released-2277/
@@ -10305,7 +10306,7 @@ CVE-2021-37751
CVE-2021-37750 (The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before ...)
{DLA-2771-1}
- krb5 1.18.3-7 (bug #992607)
- [bullseye] - krb5 <no-dsa> (Minor issue)
+ [bullseye] - krb5 1.18.3-6+deb11u1
[buster] - krb5 <no-dsa> (Minor issue)
NOTE: https://github.com/krb5/krb5/commit/d775c95af7606a51bf79547a94fa52ddd1cb7f49
CVE-2021-37749 (MapService.svc in Hexagon GeoMedia WebMap 2020 before Update 2 (aka 16 ...)
@@ -12528,7 +12529,7 @@ CVE-2021-36774
RESERVED
CVE-2021-36773 (uBlock Origin before 1.36.2 and nMatrix before 4.4.9 support an arbitr ...)
- ublock-origin 1.37.0+dfsg-1 (bug #991386)
- [bullseye] - ublock-origin <no-dsa> (Minor issue)
+ [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1
[buster] - ublock-origin <no-dsa> (Minor issue)
[stretch] - ublock-origin <no-dsa> (Minor issue)
- umatrix <unfixed> (bug #991344)
@@ -14558,7 +14559,7 @@ CVE-2021-3627
RESERVED
CVE-2021-35940 (An out-of-bounds array read in the apr_time_exp*() functions was fixed ...)
- apr 1.7.0-7 (bug #992789)
- [bullseye] - apr <no-dsa> (Minor issue)
+ [bullseye] - apr 1.7.0-6+deb11u1
[buster] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
[stretch] - apr <not-affected> (Vulnerable code re-introduced in 1.7.0)
NOTE: The issue exists because the CVE-2017-12613 fix was not carried forward
@@ -15845,7 +15846,7 @@ CVE-2021-35369
CVE-2021-35368 [CRS Request Body Bypass]
RESERVED
- modsecurity-crs 3.3.2-1 (bug #992000)
- [bullseye] - modsecurity-crs <no-dsa> (Minor issue)
+ [bullseye] - modsecurity-crs 3.3.0-1+deb11u1
[buster] - modsecurity-crs <no-dsa> (Minor issue)
[stretch] - modsecurity-crs <no-dsa> (Minor issue)
NOTE: https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
@@ -17653,7 +17654,7 @@ CVE-2021-3596
CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP network ...)
{DLA-2753-1}
- libslirp 4.6.1-1 (bug #989996)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
@@ -17663,7 +17664,7 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne
CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP network ...)
{DLA-2753-1}
- libslirp 4.6.1-1 (bug #989995)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
@@ -17671,7 +17672,7 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP network ...)
- libslirp 4.6.1-1 (bug #989994)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <no-dsa> (Minor issue)
@@ -17680,7 +17681,7 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP network ...)
- libslirp 4.6.1-1 (bug #989993)
- [bullseye] - libslirp <no-dsa> (Minor issue)
+ [bullseye] - libslirp 4.4.0-1+deb11u2
- qemu 1:4.1-2
[buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <ignored> (Introduces a regression. See Debian bug #994080)
@@ -19956,7 +19957,7 @@ CVE-2021-33583 (REINER timeCard 6.05.07 installs a Microsoft SQL Server with an
NOT-FOR-US: REINER
CVE-2021-33582 (Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of s ...)
- cyrus-imapd 3.4.2-1 (bug #993433)
- [bullseye] - cyrus-imapd <no-dsa> (Minor issue; pending fix via point release)
+ [bullseye] - cyrus-imapd 3.2.6-2+deb11u1
[buster] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
- cyrus-imapd-2.4 <removed>
@@ -21885,14 +21886,14 @@ CVE-2021-32805 (Flask-AppBuilder is an application development framework, built
NOT-FOR-US: Flask-AppBuilder
CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4 ...)
- node-tar 6.1.7+~cs11.3.10-1 (bug #992111)
- [bullseye] - node-tar <no-dsa> (Minor issue)
+ [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
[buster] - node-tar <no-dsa> (Minor issue)
[stretch] - node-tar <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
NOTE: https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
CVE-2021-32803 (The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4 ...)
- node-tar 6.1.7+~cs11.3.10-1 (bug #992110)
- [bullseye] - node-tar <no-dsa> (Minor issue)
+ [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
[buster] - node-tar <no-dsa> (Minor issue)
[stretch] - node-tar <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw
@@ -30603,7 +30604,7 @@ CVE-2021-29489 (Highcharts JS is a JavaScript charting library based on SVG. In
NOT-FOR-US: Highcharts JS
CVE-2021-29488 (SABnzbd is an open source binary newsreader. A vulnerability was disco ...)
- sabnzbdplus 3.2.1+dfsg-1
- [bullseye] - sabnzbdplus <no-dsa> (Minor issue; non-free/contrib not security supported)
+ [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1
[buster] - sabnzbdplus <no-dsa> (Minor issue; non-free/contrib not security supported)
[stretch] - sabnzbdplus <no-dsa> (Minor issue; contrib not supported)
NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-jwj3-wrvf-v3rp
@@ -45202,7 +45203,7 @@ CVE-2021-23441 (All versions of package com.jsoniter:jsoniter are vulnerable to
NOT-FOR-US: com.jsoniter:jsoniter
CVE-2021-23440 (This affects the package set-value before 4.0.1. A type confusion vuln ...)
- node-set-value 3.0.1-3 (bug #994448)
- [bullseye] - node-set-value <no-dsa> (Minor issue)
+ [bullseye] - node-set-value 3.0.1-2+deb11u1
[buster] - node-set-value <no-dsa> (Minor issue)
[stretch] - node-set-value <no-dsa> (Minor issue)
NOTE: https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 (v4.0.1)
@@ -45223,7 +45224,7 @@ CVE-2021-23435 (This affects the package clearance before 2.5.0. The vulnerabili
NOT-FOR-US: Rails clearance gem
CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confusion v ...)
- node-object-path 0.11.7-1
- [bullseye] - node-object-path <no-dsa> (Minor issue)
+ [bullseye] - node-object-path 0.11.5-3+deb11u1
[buster] - node-object-path <no-dsa> (Minor issue)
[stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
@@ -88811,7 +88812,7 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using
CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...)
{DLA-2726-1}
- shiro 1.3.2-5 (bug #988728)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
NOTE: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E
@@ -98055,7 +98056,7 @@ CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6
CVE-2020-13933 (Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafte ...)
{DLA-2726-1}
- shiro 1.3.2-5 (bug #968753)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E
CVE-2020-13932 (In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT p ...)
@@ -103229,7 +103230,7 @@ CVE-2020-11990 (We have resolved a security issue in the camera plugin that coul
CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...)
{DLA-2273-1}
- shiro 1.3.2-5 (bug #988728)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
NOTE: https://github.com/apache/shiro/pull/211
@@ -131299,7 +131300,7 @@ CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, calle
CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...)
{DLA-2273-1 DLA-2181-1}
- shiro 1.3.2-5 (bug #955018)
- [bullseye] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro 1.3.2-4+deb11u1
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2
NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139
=====================================
data/next-point-update.txt
=====================================
@@ -1,59 +1,3 @@
-CVE-2021-32803
- [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
-CVE-2021-32804
- [bullseye] - node-tar 6.0.5+ds1+~cs11.3.9-1+deb11u1
-CVE-2021-3677
- [bullseye] - postgresql-13 13.4-0+deb11u1
-CVE-2021-35940
- [bullseye] - apr 1.7.0-6+deb11u1
-CVE-2021-35368
- [bullseye] - modsecurity-crs 3.3.0-1+deb11u1
-CVE-2021-29488
- [bullseye] - sabnzbdplus 3.1.1+dfsg-2+deb11u1
-CVE-2020-1957
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2020-11989
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2020-13933
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2020-17510
- [bullseye] - shiro 1.3.2-4+deb11u1
-CVE-2021-36773
- [bullseye] - ublock-origin 1.37.0+dfsg-1~deb11u1
-CVE-2021-37750
- [bullseye] - krb5 1.18.3-6+deb11u1
-CVE-2021-33582
- [bullseye] - cyrus-imapd 3.2.6-2+deb11u1
-CVE-2021-3749
- [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1
-CVE-2021-38173
- [bullseye] - btrbk 0.27.1-1.1+deb11u1
-CVE-2021-23434
- [bullseye] - node-object-path 0.11.5-3+deb11u1
-CVE-2021-3805
- [bullseye] - node-object-path 0.11.5-3+deb11u1
-CVE-2021-23440
- [bullseye] - node-set-value 3.0.1-2+deb11u1
-CVE-2021-41054
- [bullseye] - atftp 0.7.git20120829-3.3+deb11u1
-CVE-2021-40818
- [bullseye] - glewlwyd 2.5.2-2+deb11u1
-CVE-2021-40540
- [bullseye] - ulfius 2.7.1-1+deb11u1
-CVE-2021-3807
- [bullseye] - node-ansi-regex 5.0.1-1~deb11u1
-CVE-2021-3801
- [bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u1
-CVE-2021-3592
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-3595
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-3594
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-3593
- [bullseye] - libslirp 4.4.0-1+deb11u2
-CVE-2021-38562
- [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u1
CVE-2019-11098
[bullseye] - edk2 2020.11-2+deb11u1
CVE-2021-38155
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2201c6c930125cac57f75573a79c5c87e1123e8a
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2201c6c930125cac57f75573a79c5c87e1123e8a
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211009/327ed4c0/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list