[Git][security-tracker-team/security-tracker][master] 3 commits: Merge changes accepted for bullseye 11.4 point release
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Jul 9 09:25:47 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0f389ebc by Salvatore Bonaccorso at 2022-07-09T09:09:25+02:00
Merge changes accepted for bullseye 11.4 point release
- - - - -
30fed671 by Salvatore Bonaccorso at 2022-07-09T10:07:15+02:00
Remove elog annotation for bullseye, removed in 11.4
- - - - -
f77a1789 by Salvatore Bonaccorso at 2022-07-09T10:24:55+02:00
Merge branch 'bullseye-11.4'
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3701,7 +3701,7 @@ CVE-2022-33988
RESERVED
CVE-2022-33987 (The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allow ...)
- node-got 11.8.3+~cs58.7.37-3 (bug #1013264)
- [bullseye] - node-got <no-dsa> (Minor issue)
+ [bullseye] - node-got 11.8.1+~cs53.13.17-3+deb11u1
[buster] - node-got <no-dsa> (Minor issue)
NOTE: https://github.com/sindresorhus/got/pull/2047
NOTE: Fixed by: https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc (v12.1.0)
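Review bot: the new bullseye line records 11.8.1+~cs53.13.17-3+deb11u1 as fixed, but the only "Fixed by:" NOTE in this stanza points at the v12.1.0 commit, so the backport onto the 11.8.x branch cannot be cross-checked from the file. Since the description itself says the issue was also fixed in 11.8.5, consider adding a second NOTE with the 11.8.5 fix reference next to the existing one.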
@@ -7912,6 +7912,7 @@ CVE-2019-25062 (A vulnerability was found in Sricam IP CCTV Camera and classifie
CVE-2022-32296 (The Linux kernel before 5.17.9 allows TCP servers to identify clients ...)
{DSA-5173-1 DLA-3065-1}
- linux 5.17.11-1
+ [bullseye] - linux 5.10.127-1
NOTE: https://git.kernel.org/linus/4c2c8f03a5ab7cb04ec64724d7d176d00bcc91e5 (5.18-rc6)
CVE-2022-32287
RESERVED
@@ -9075,7 +9076,7 @@ CVE-2022-1946 (The Gallery WordPress plugin before 2.0.0 does not sanitise and e
NOT-FOR-US: WordPress plugin
CVE-2022-31813 (Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* h ...)
- apache2 2.4.54-1 (bug #1012513)
- [bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - apache2 2.4.54-1~deb11u1
[buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-31813
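Review bot: the ~deb11u1 suffix on 2.4.54-1~deb11u1 is the correct form here, because it sorts below the sid version 2.4.54-1 on the line above and keeps the upgrade path from bullseye clean; the +deb11u1 entries elsewhere in this patch (node-got, dbus-broker) are the right form for patches applied on top of an existing bullseye revision. The same apache2 stanza recurs for CVE-2022-30556, CVE-2022-30522, CVE-2022-29404, CVE-2022-28615, CVE-2022-28614 and CVE-2022-26377 further down with the identical version, so a single sanity check that 2.4.54-1~deb11u1 actually exists in the bullseye point-release queue covers all seven.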
@@ -10967,7 +10968,7 @@ CVE-2022-31213 [null pointer reference when supplying a malformed XML config fil
CVE-2022-31212
RESERVED
- dbus-broker 30-1 (bug #1013343)
- [bullseye] - dbus-broker <no-dsa> (Minor issue)
+ [bullseye] - dbus-broker 26-1+deb11u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2094718
NOTE: Fixed by: https://github.com/c-util/c-shquote/commit/7fd15f8e272136955f7ffc37df29fbca9ddceca1 (v1.0.0)
CVE-2022-31211
@@ -12837,7 +12838,7 @@ CVE-2022-30594 (The Linux kernel before 5.17.2 mishandles seccomp permissions. T
NOTE: https://git.kernel.org/linus/ee1fee900537b5d9560e9f937402de5ddc8412f3 (5.18-rc1)
CVE-2022-30556 (Apache HTTP Server 2.4.53 and earlier may return lengths to applicatio ...)
- apache2 2.4.54-1 (bug #1012513)
- [bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - apache2 2.4.54-1~deb11u1
[buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/7
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30556
@@ -12995,7 +12996,7 @@ CVE-2022-1651
NOTE: https://git.kernel.org/linus/ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b (5.18-rc1)
CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
- node-eventsource 2.0.2+~1.1.8-1
- [bullseye] - node-eventsource <no-dsa> (Minor issue)
+ [bullseye] - node-eventsource 1.0.7-1+deb11u1
[buster] - node-eventsource <no-dsa> (Minor issue)
[stretch] - node-eventsource <end-of-life> (not covered by security support)
NOTE: https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/
@@ -13026,7 +13027,7 @@ CVE-2022-30523 (Trend Micro Password Manager (Consumer) version 5.0.0.1266 and b
NOT-FOR-US: Trend Micro
CVE-2022-30522 (If Apache HTTP Server 2.4.53 is configured to do transformations with ...)
- apache2 2.4.54-1 (bug #1012513)
- [bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - apache2 2.4.54-1~deb11u1
[buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/6
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30522
@@ -13526,7 +13527,7 @@ CVE-2022-30334 (Brave before 1.34, when a Private Window with Tor Connectivity i
- brave-browser <itp> (bug #864795)
CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal ...)
- unrar-nonfree 1:6.1.7-1 (bug #1010837)
- [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported)
+ [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u1
[buster] - unrar-nonfree <no-dsa> (Non-free not supported)
[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
- rar <unfixed> (bug #1012228)
@@ -16369,7 +16370,7 @@ CVE-2022-1382 (NULL Pointer Dereference in GitHub repository radareorg/radare2 p
NOTE: https://github.com/radareorg/radare2/commit/48f0ea79f99174fb0a62cb2354e13496ce5b7c44
CVE-2022-29404 (In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua ...)
- apache2 2.4.54-1 (bug #1012513)
- [bullseye] - apache2 <no-dsa> (Minor issue)
+ [bullseye] - apache2 2.4.54-1~deb11u1
[buster] - apache2 <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/5
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-29404
@@ -16765,7 +16766,7 @@ CVE-2022-1349 (The WPQA Builder Plugin WordPress plugin before 5.2, used as a co
NOT-FOR-US: WordPress plugin
CVE-2022-1348 (A vulnerability was found in logrotate in how the state file is create ...)
- logrotate 3.20.1-1 (bug #1011644)
- [bullseye] - logrotate <no-dsa> (Minor issue; pending via next point release)
+ [bullseye] - logrotate 3.18.0-2+deb11u1
[buster] - logrotate <not-affected> (Vulnerable code introduced later)
[stretch] - logrotate <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2022/05/25/3
@@ -17029,7 +17030,7 @@ CVE-2022-29163 (Nextcloud Server is the file server software for Nextcloud, a se
- nextcloud-server <itp> (bug #941708)
CVE-2022-29162 (runc is a CLI tool for spawning and running containers on Linux accord ...)
- runc 1.1.3+ds1-1
- [bullseye] - runc <no-dsa> (Minor issue)
+ [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u2
[buster] - runc <no-dsa> (Minor issue)
[stretch] - runc <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/05/12/1
@@ -17261,7 +17262,7 @@ CVE-2022-1329 (The Elementor Website Builder plugin for WordPress is vulnerable
CVE-2022-1328 (Buffer Overflow in uudecoder in Mutt affecting all versions starting f ...)
{DLA-2999-1}
- mutt 2.2.3-1 (bug #1009734)
- [bullseye] - mutt <no-dsa> (Minor issue)
+ [bullseye] - mutt 2.0.5-4.1+deb11u1
[buster] - mutt <no-dsa> (Minor issue)
- neomutt <unfixed> (bug #1009735)
[bullseye] - neomutt <no-dsa> (Minor issue)
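Review bot: neomutt stays <unfixed> in sid and <no-dsa> (Minor issue) in bullseye while mutt gains the 2.0.5-4.1+deb11u1 fix for the same uudecoder overflow, with bug #1009735 tracking the neomutt side. If leaving neomutt out of the 11.4 update is intentional, a short NOTE stating that would save the next reviewer from asking the same question.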
@@ -17293,7 +17294,7 @@ CVE-2022-29079
RESERVED
CVE-2022-29078 (The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js ...)
- node-ejs 3.1.7-1 (bug #1010359)
- [bullseye] - node-ejs <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - node-ejs 2.5.7-3+deb11u1
[buster] - node-ejs <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - node-ejs <end-of-life> (Node not covered by security support)
NOTE: https://eslam.io/posts/ejs-server-side-template-injection-rce/
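Review bot: the bullseye fix 2.5.7-3+deb11u1 is a 2.x backport of an issue reported against ejs 3.1.6, but the stanza carries only the write-up link and no "Fixed by:" NOTE with the upstream commit. Adding the upstream fix reference would let the backport be checked against the 2.5.x code that bullseye actually ships.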
@@ -18606,14 +18607,14 @@ CVE-2022-28616 (A remote server-side request forgery (ssrf) vulnerability was di
NOT-FOR-US: HPE OneView
CVE-2022-28615 (Apache HTTP Server 2.4.53 and earlier may crash or disclose informatio ...)
- apache2 2.4.54-1 (bug #1012513)
- [bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - apache2 2.4.54-1~deb11u1
[buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/9
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28615
NOTE: https://github.com/apache/httpd/commit/6503d09ab51047554c384a6d03646ce1a8848120
CVE-2022-28614 (The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may ...)
- apache2 2.4.54-1 (bug #1012513)
- [bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - apache2 2.4.54-1~deb11u1
[buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/4
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28614
@@ -19749,6 +19750,7 @@ CVE-2022-1184
RESERVED
{DSA-5173-1}
- linux 5.18.5-1
+ [bullseye] - linux 5.10.127-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070205
CVE-2022-1183 (On vulnerable configurations, the named daemon may, in some circumstan ...)
- bind9 1:9.18.3-1
@@ -19881,12 +19883,12 @@ CVE-2022-28193 (NVIDIA Jetson Linux Driver Package contains a vulnerability in t
NOT-FOR-US: NVIDIA Jetson Linux Driver Package
CVE-2022-28192 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418 <ignored> (Non-free not supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.191.01-1~deb11u1
- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146)
@@ -19896,7 +19898,7 @@ CVE-2022-28192 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353
CVE-2022-28191 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
@@ -19917,18 +19919,18 @@ CVE-2022-28186 (NVIDIA GPU Display Driver for Windows contains a vulnerability i
NOT-FOR-US: NVIDIA Windows drivers
CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1011141)
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142)
- [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
[buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418 <ignored> (Non-free not supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.191.01-1~deb11u1
- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146)
@@ -19938,7 +19940,7 @@ CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353
CVE-2022-28184 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
@@ -19949,7 +19951,7 @@ CVE-2022-28184 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5353
CVE-2022-28183 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
@@ -19962,18 +19964,18 @@ CVE-2022-28182 (NVIDIA GPU Display Driver for Windows contains a vulnerability i
NOT-FOR-US: NVIDIA Windows drivers
CVE-2022-28181 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers 470.129.06-1 (bug #1011140)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1011141)
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142)
- [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
[buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418 <ignored> (Non-free not supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.191.01-1~deb11u1
- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1011145)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-470 470.129.06-1 (bug #1011146)
@@ -20396,6 +20398,7 @@ CVE-2022-28086
RESERVED
CVE-2022-28085 (A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in ...)
- htmldoc 1.9.15-2 (unimportant)
+ [bullseye] - htmldoc 1.9.11-4+deb11u3
NOTE: https://github.com/michaelrsweet/htmldoc/issues/480
NOTE: https://github.com/michaelrsweet/htmldoc/commit/46c8ec2b9bccb8ccabff52d998c5eee77a228348
NOTE: Crash in CLI tool, no security impact
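Review bot: this stanza is marked (unimportant) with the NOTE "Crash in CLI tool, no security impact", yet now gains an explicit bullseye fixed version 1.9.11-4+deb11u3. Recording that the point-release upload happens to include the fix is fine, but it is worth confirming that the +deb11u3 changelog really lists this issue (and CVE-2022-24191 further down, which receives the same version) so the tracker does not advertise a fix the upload does not contain.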
@@ -22128,21 +22131,21 @@ CVE-2022-27407
RESERVED
CVE-2022-27406 (FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
- [bullseye] - freetype <no-dsa> (Minor issue)
+ [bullseye] - freetype 2.10.4+dfsg-1+deb11u1
[buster] - freetype <no-dsa> (Minor issue)
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2 (VER-2-12-0)
CVE-2022-27405 (FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
- [bullseye] - freetype <no-dsa> (Minor issue)
+ [bullseye] - freetype 2.10.4+dfsg-1+deb11u1
[buster] - freetype <no-dsa> (Minor issue)
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 (VER-2-12-0)
CVE-2022-27404 (FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
- [bullseye] - freetype <no-dsa> (Minor issue)
+ [bullseye] - freetype 2.10.4+dfsg-1+deb11u1
[buster] - freetype <no-dsa> (Minor issue)
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
@@ -22651,6 +22654,7 @@ CVE-2022-1012
RESERVED
{DSA-5173-1 DSA-5161-1 DLA-3065-1}
- linux 5.17.11-1
+ [bullseye] - linux 5.10.127-1
NOTE: https://git.kernel.org/linus/b2d057560b8107c633b39aabe517ff9d93f285e3 (5.18-rc6)
CVE-2022-1011 (A use-after-free flaw was found in the Linux kernel’s FUSE files ...)
{DSA-5173-1 DLA-3065-1}
@@ -23163,7 +23167,7 @@ CVE-2022-27115 (In Studio-42 elFinder 2.1.60, there is a vulnerability that caus
CVE-2022-27114 (There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg functio ...)
{DLA-3004-1}
- htmldoc 1.9.15-2
- [bullseye] - htmldoc <no-dsa> (Minor issue)
+ [bullseye] - htmldoc 1.9.11-4+deb11u3
[buster] - htmldoc <no-dsa> (Minor issue)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/471
NOTE: https://github.com/michaelrsweet/htmldoc/commit/31f780487e5ddc426888638786cdc47631687275
@@ -24683,7 +24687,7 @@ CVE-2022-26506
CVE-2022-26505 (A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 a ...)
{DLA-2973-1}
- minidlna 1.3.0+dfsg-2.2 (bug #1006798)
- [bullseye] - minidlna <no-dsa> (Minor issue)
+ [bullseye] - minidlna 1.3.0+dfsg-2+deb11u1
[buster] - minidlna <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
NOTE: https://www.openwall.com/lists/oss-security/2022/03/03/1
@@ -25110,7 +25114,7 @@ CVE-2022-26378
RESERVED
CVE-2022-26377 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...)
- apache2 2.4.54-1 (bug #1012513)
- [bullseye] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [bullseye] - apache2 2.4.54-1~deb11u1
[buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/2
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-26377
@@ -26542,7 +26546,7 @@ CVE-2022-21230 (This affects all versions of package org.nanohttpd:nanohttpd. Wh
NOT-FOR-US: NanoHTTPD Java
CVE-2022-21227 (The package sqlite3 before 5.0.3 are vulnerable to Denial of Service ( ...)
- node-sqlite3 5.0.6+ds1-1
- [bullseye] - node-sqlite3 <no-dsa> (Minor issue)
+ [bullseye] - node-sqlite3 5.0.0+ds1-1+deb11u1
[buster] - node-sqlite3 <no-dsa> (minor issue)
[stretch] - node-sqlite3 <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/advisories/GHSA-9qrh-qjmc-5w2p
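Review bot: style point on the buster line: it reads "(minor issue)" in lowercase while every other entry in this patch uses "(Minor issue)"; normalising it while the stanza is being touched keeps the file consistently greppable.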
@@ -27787,6 +27791,7 @@ CVE-2022-0692 (Open Redirect on Rudloff/alltube in Packagist rudloff/alltube pri
NOT-FOR-US: alltube
CVE-2022-0691 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
+ [bullseye] - node-url-parse 1.5.3-1+deb11u1
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
NOTE: https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63 (1.5.9)
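Review bot: neither this stanza nor the CVE-2022-0686 one below carries a [buster] line; only sid (1.5.9+~1.4.8-1), the new bullseye fix (1.5.3-1+deb11u1) and stretch (end-of-life) are listed. If node-url-parse is shipped in buster, an explicit <no-dsa> or <not-affected> line would make the buster triage state visible instead of leaving it to fall through to a comparison against the sid version.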
@@ -27805,6 +27810,7 @@ CVE-2022-0687 (The Amelia WordPress plugin before 1.0.47 stores image blobs into
NOT-FOR-US: WordPress plugin
CVE-2022-0686 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
+ [bullseye] - node-url-parse 1.5.3-1+deb11u1
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
NOTE: https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5 (1.5.8)
@@ -28006,7 +28012,7 @@ CVE-2022-25310
RESERVED
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
- [bullseye] - fribidi <no-dsa> (Minor issue)
+ [bullseye] - fribidi 1.0.8-2+deb11u1
[buster] - fribidi <no-dsa> (Minor issue)
NOTE: https://github.com/fribidi/fribidi/issues/183
NOTE: https://github.com/fribidi/fribidi/pull/186
@@ -28015,7 +28021,7 @@ CVE-2022-25309
RESERVED
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
- [bullseye] - fribidi <no-dsa> (Minor issue)
+ [bullseye] - fribidi 1.0.8-2+deb11u1
[buster] - fribidi <no-dsa> (Minor issue)
NOTE: https://github.com/fribidi/fribidi/issues/182
NOTE: https://github.com/fribidi/fribidi/pull/185
@@ -28024,7 +28030,7 @@ CVE-2022-25308
RESERVED
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
- [bullseye] - fribidi <no-dsa> (Minor issue)
+ [bullseye] - fribidi 1.0.8-2+deb11u1
[buster] - fribidi <no-dsa> (Minor issue)
NOTE: https://github.com/fribidi/fribidi/issues/181
NOTE: https://github.com/fribidi/fribidi/pull/184
@@ -29101,7 +29107,7 @@ CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with
CVE-2022-0577 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...)
{DLA-2950-1}
- python-scrapy 2.6.1-1 (bug #1008234)
- [bullseye] - python-scrapy <no-dsa> (Minor issue)
+ [bullseye] - python-scrapy 2.4.1-2+deb11u1
[buster] - python-scrapy <no-dsa> (Minor issue)
NOTE: https://github.com/advisories/GHSA-cjvr-mfj7-j4j8
NOTE: https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585
@@ -29517,7 +29523,7 @@ CVE-2022-24829 (Garden is an automation platform for Kubernetes development and
NOT-FOR-US: Garden
CVE-2022-24828 (Composer is a dependency manager for the PHP programming language. Int ...)
- composer 2.2.12-1 (bug #1009960)
- [bullseye] - composer <no-dsa> (Minor issue)
+ [bullseye] - composer 2.0.9-2+deb11u1
[buster] - composer <no-dsa> (Minor issue)
[stretch] - composer <no-dsa> (Minor issue)
NOTE: https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 (2.2.12)
@@ -29585,7 +29591,7 @@ CVE-2022-24802 (deepmerge-ts is a typescript library providing functionality to
CVE-2022-24801 (Twisted is an event-based framework for internet applications, support ...)
{DLA-2991-1}
- twisted 22.4.0-1 (bug #1009030)
- [bullseye] - twisted <no-dsa> (Minor issue)
+ [bullseye] - twisted 20.3.0-7+deb11u1
[buster] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq
NOTE: https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1
@@ -29654,7 +29660,7 @@ CVE-2022-24786 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508
CVE-2022-24785 (Moment.js is a JavaScript date library for parsing, validating, manipu ...)
- node-moment 2.29.2+ds-1 (bug #1009327)
- [bullseye] - node-moment <no-dsa> (Minor issue)
+ [bullseye] - node-moment 2.29.1+ds-2+deb11u1
[buster] - node-moment <no-dsa> (Minor issue)
[stretch] - node-moment <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
@@ -29679,26 +29685,26 @@ CVE-2022-24776 (Flask-AppBuilder is an application development framework, built
- flask-appbuilder <itp> (bug #998029)
CVE-2022-24775 (guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8 ...)
- php-guzzlehttp-psr7 1.8.5-1 (bug #1008236)
- [bullseye] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
+ [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u1
[buster] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
CVE-2022-24774 (CycloneDX BOM Repository Server is a bill of materials (BOM) repositor ...)
NOT-FOR-US: CycloneDX BOM Repository Server
CVE-2022-24773 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
- [bullseye] - node-node-forge <no-dsa> (Minor issue)
+ [bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
[buster] - node-node-forge <no-dsa> (Minor issue)
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24772 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
- [bullseye] - node-node-forge <no-dsa> (Minor issue)
+ [bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
[buster] - node-node-forge <no-dsa> (Minor issue)
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24771 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
- [bullseye] - node-node-forge <no-dsa> (Minor issue)
+ [bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
[buster] - node-node-forge <no-dsa> (Minor issue)
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
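Review bot: all three node-forge stanzas (CVE-2022-24773, CVE-2022-24772, CVE-2022-24771) cite the same upstream v1.3.0 commit as the fix while bullseye now records 0.10.0~dfsg-3+deb11u1, and nothing in the file shows that the single +deb11u1 upload addresses all three advisories rather than one of them. A NOTE in at least one stanza pointing at the backported patch, or at the bullseye changelog entry, would close that gap.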
@@ -31361,7 +31367,7 @@ CVE-2022-0437 (Cross-site Scripting (XSS) - DOM in NPM karma prior to 6.3.14. ..
CVE-2022-0436 (Path Traversal in GitHub repository gruntjs/grunt prior to 1.5.2. ...)
[experimental] - grunt 1.5.2-1
- grunt 1.5.2-2 (bug #1009676)
- [bullseye] - grunt <no-dsa> (Minor issue)
+ [bullseye] - grunt 1.3.0-1+deb11u1
[buster] - grunt <no-dsa> (Minor issue)
[stretch] - grunt <no-dsa> (Minor issue)
NOTE: https://github.com/gruntjs/grunt/commit/aad3d4521c3098fb255fb2db8f2e1d691a033665 (v1.5.0)
@@ -31675,6 +31681,7 @@ CVE-2022-24192
RESERVED
CVE-2022-24191 (In HTMLDOC 1.9.14, an infinite loop in the gif_read_lzw function can l ...)
- htmldoc 1.9.15-1 (unimportant)
+ [bullseye] - htmldoc 1.9.11-4+deb11u3
NOTE: https://github.com/michaelrsweet/htmldoc/commit/fb0334a51300988e9b83b9870d4063e86002b077 (v1.9.15)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/470
NOTE: Hang in CLI tool, no security impact
@@ -33303,7 +33310,7 @@ CVE-2022-0340
CVE-2021-4209
RESERVED
- gnutls28 3.7.3-2
- [bullseye] - gnutls28 <no-dsa> (Minor issue)
+ [bullseye] - gnutls28 3.7.1-5+deb11u1
[buster] - gnutls28 <no-dsa> (Minor issue)
[stretch] - gnutls28 <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044156
@@ -43157,7 +43164,7 @@ CVE-2021-44907
REJECTED
CVE-2021-44906 (Minimist <=1.2.5 is vulnerable to Prototype Pollution via file inde ...)
- node-minimist 1.2.6+~cs5.3.2-1
- [bullseye] - node-minimist <no-dsa> (Minor issue)
+ [bullseye] - node-minimist 1.2.5+~cs5.3.1-2+deb11u1
[buster] - node-minimist <no-dsa> (Minor issue)
[stretch] - node-minimist <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/substack/minimist/issues/164
@@ -43527,12 +43534,12 @@ CVE-2022-21815 (NVIDIA GPU Display Driver for Windows contains a vulnerability i
NOT-FOR-US: NVIDIA GPU Display Driver for Windows
CVE-2022-21814 (NVIDIA GPU Display Driver for Linux contains a vulnerability in the ke ...)
- nvidia-graphics-drivers 470.103.01-1 (bug #1004847)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-470 470.103.01-1 (bug #1004853)
CVE-2022-21813 (NVIDIA GPU Display Driver for Linux contains a vulnerability in the ke ...)
- nvidia-graphics-drivers 470.103.01-1 (bug #1004847)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-470 470.103.01-1 (bug #1004853)
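Review bot: the bullseye fix 470.129.06-5~deb11u1 for CVE-2022-21814 and CVE-2022-21813 is newer than the sid fixed version 470.103.01-1 on the same lines, which is expected when the point release ships the current 470 driver, but the nvidia-graphics-drivers-tesla-470 entries (470.103.01-1, bug #1004853) in both stanzas get no [bullseye] line at all. If tesla-470 in bullseye is covered by the same 470.129.06 upload it should be recorded here too; otherwise a <no-dsa> line would make the gap explicit.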
CVE-2021-44795 (Single Connect does not perform an authorization check when using the ...)
@@ -46313,7 +46320,7 @@ CVE-2022-21717
CVE-2022-21716 (Twisted is an event-based framework for internet applications, support ...)
{DLA-2938-1}
- twisted 22.2.0-1
- [bullseye] - twisted <no-dsa> (Minor issue)
+ [bullseye] - twisted 20.3.0-7+deb11u1
[buster] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
NOTE: https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
@@ -46327,7 +46334,7 @@ CVE-2022-21713 (Grafana is an open-source platform for monitoring and observabil
CVE-2022-21712 (twisted is an event-driven networking engine written in Python. In aff ...)
{DLA-2927-1}
- twisted 22.1.0-1
- [bullseye] - twisted <no-dsa> (Minor issue)
+ [bullseye] - twisted 20.3.0-7+deb11u1
[buster] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
NOTE: https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2 (twisted-22.1.0rc1)
@@ -46763,7 +46770,7 @@ CVE-2021-43862 (jQuery Terminal Emulator is a plugin for creating command line i
NOT-FOR-US: jQuery Terminal Emulator
CVE-2021-43861 (Mermaid is a Javascript based diagramming and charting tool that uses ...)
- node-mermaid 8.13.8+~cs10.4.16-1
- [bullseye] - node-mermaid <no-dsa> (Minor issue)
+ [bullseye] - node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u2
NOTE: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v
NOTE: https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83
CVE-2021-43860 (Flatpak is a Linux application sandboxing and distribution framework. ...)
@@ -48390,6 +48397,7 @@ CVE-2022-21166 (Incomplete cleanup in specific special register write operations
{DSA-5178-1 DSA-5173-1 DLA-3065-1}
- intel-microcode 3.20220510.1
- linux 5.18.5-1
+ [bullseye] - linux 5.10.127-1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html#DRPW
NOTE: Linux kernel documentation patch: https://git.kernel.org/linus/4419470191386456e0b8ed4eb06a70b0021798a6
@@ -48404,6 +48412,7 @@ CVE-2022-21125 (Incomplete cleanup of microarchitectural fill buffers on some In
{DSA-5178-1 DSA-5173-1 DLA-3065-1}
- intel-microcode 3.20220510.1
- linux 5.18.5-1
+ [bullseye] - linux 5.10.127-1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html#SBDS
NOTE: Linux kernel documentation patch: https://git.kernel.org/linus/4419470191386456e0b8ed4eb06a70b0021798a6
@@ -48412,6 +48421,7 @@ CVE-2022-21123 (Incomplete cleanup of multi-core shared buffers for some Intel(R
{DSA-5178-1 DSA-5173-1 DLA-3065-1}
- intel-microcode 3.20220510.1
- linux 5.18.5-1
+ [bullseye] - linux 5.10.127-1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html#SBDR
NOTE: Linux kernel documentation patch: https://git.kernel.org/linus/4419470191386456e0b8ed4eb06a70b0021798a6
@@ -48472,7 +48482,7 @@ CVE-2021-43567
CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a malicious c ...)
[experimental] - samba 2:4.16.0+dfsg-1
- samba 2:4.16.0+dfsg-2 (bug #1004691)
- [bullseye] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists)
+ [bullseye] - samba 2:4.13.13+dfsg-1~deb11u4
[buster] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists)
NOTE: https://www.samba.org/samba/security/CVE-2021-43566.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13979
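Review bot: the unchanged `[buster] - samba <ignored> (Minor issue; no backport to older versions, mitigations exists)` line keeps a rationale that this hunk contradicts for bullseye, where a stable update (2:4.13.13+dfsg-1~deb11u4) now replaces the previous <ignored> status with the same wording; the buster annotation deserves a re-evaluation rather than being carried unchanged, and if it is touched, "mitigations exists" should read "mitigations exist".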
@@ -50047,7 +50057,7 @@ CVE-2022-20797 (A vulnerability in the web-based management interface of Cisco S
CVE-2022-20796 (On May 4, 2022, the following vulnerability in the ClamAV scanning lib ...)
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
- [bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+ [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
[buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20795 (A vulnerability in the implementation of the Datagram TLS (DTLS) proto ...)
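Review bot: the `[buster] - clamav <no-dsa> (clamav is updated via -updates)` context line reads stale next to `{DLA-3042-1}` in the brace list; if that DLA covers buster, the <no-dsa> annotation could be dropped, and since the bullseye line is replaced here by `0.103.6+dfsg-0+deb11u1`, the "updated via -updates" rationale no longer describes how bullseye received the fix either. The same applies to the four following ClamAV hunks (CVE-2022-20792, CVE-2022-20785, CVE-2022-20771, CVE-2022-20770), which make the identical change.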
@@ -50060,7 +50070,7 @@ CVE-2022-20792
RESERVED
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
- [bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+ [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
[buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20791 (A vulnerability in the database user privileges of Cisco Unified Commu ...)
@@ -50078,7 +50088,7 @@ CVE-2022-20786 (A vulnerability in the web-based management interface of Cisco U
CVE-2022-20785 (On April 20, 2022, the following vulnerability in the ClamAV scanning ...)
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
- [bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+ [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
[buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20784 (A vulnerability in the Web-Based Reputation Score (WBRS) engine of Cis ...)
@@ -50110,13 +50120,13 @@ CVE-2022-20772
CVE-2022-20771 (On April 20, 2022, the following vulnerability in the ClamAV scanning ...)
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
- [bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+ [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
[buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20770 (On April 20, 2022, the following vulnerability in the ClamAV scanning ...)
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
- [bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+ [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
[buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20769
@@ -57095,7 +57105,7 @@ CVE-2021-41126 (October is a Content Management System (CMS) and web platform bu
CVE-2021-41125 (Scrapy is a high-level web crawling and scraping framework for Python. ...)
{DLA-2950-1}
- python-scrapy 2.5.1-1
- [bullseye] - python-scrapy <no-dsa> (Minor issue)
+ [bullseye] - python-scrapy 2.4.1-2+deb11u1
[buster] - python-scrapy <no-dsa> (Minor issue)
NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498
NOTE: Fixed by: https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6 (1.8)
@@ -59818,7 +59828,7 @@ CVE-2021-3735 [ahci: deadlock issue leads to denial of service]
CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...)
[experimental] - knot-resolver 5.4.1-1
- knot-resolver 5.4.1-2 (bug #991463)
- [bullseye] - knot-resolver <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - knot-resolver 5.3.1-1+deb11u1
[buster] - knot-resolver <not-affected> (Vulnerable code introduced later)
NOTE: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1169
NOTE: Introduced by https://gitlab.nic.cz/knot/knot-resolver/-/commit/7107faebc72c14c864622128a20a9b39fe94d733 (5.3.1)
@@ -62035,7 +62045,7 @@ CVE-2021-39192 (Ghost is a Node.js content management system. An error in the im
NOT-FOR-US: Ghost CMS
CVE-2021-39191 (mod_auth_openidc is an authentication/authorization module for the Apa ...)
- libapache2-mod-auth-openidc 2.4.9.4-1 (bug #993648)
- [bullseye] - libapache2-mod-auth-openidc <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u1
[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2
@@ -71332,7 +71342,7 @@ CVE-2021-35475 (SAS Environment Manager 2.5 allows XSS through the Name field wh
NOT-FOR-US: SAS Environment Manager
CVE-2021-3618 (ALPACA is an application layer protocol content confusion attack, expl ...)
- nginx 1.20.2-2 (bug #991328)
- [bullseye] - nginx <no-dsa> (Minor issue)
+ [bullseye] - nginx 1.18.0-6.1+deb11u2
[buster] - nginx <no-dsa> (Minor issue)
[stretch] - nginx <no-dsa> (Minor issue)
- vsftpd <unfixed> (bug #991329)
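Review bot: this hunk closes only the nginx side of CVE-2021-3618; the trailing context line `- vsftpd <unfixed> (bug #991329)` shows vsftpd still open for the same CVE, so the entry as a whole is not resolved by the 11.4 point release and the bullseye status for vsftpd remains to be tracked.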
@@ -75601,7 +75611,7 @@ CVE-2021-33657 (There is a heap overflow problem in video/SDL_pixels.c in SDL (S
[buster] - libsdl1.2 <no-dsa> (Minor issue)
[stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.20+dfsg-2
- [bullseye] - libsdl2 <no-dsa> (Minor issue)
+ [bullseye] - libsdl2 2.0.14+dfsg2-3+deb11u1
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://github.com/libsdl-org/SDL/commit/8c91cf7dba5193f5ce12d06db1336515851c9ee9 (release-2.0.20)
@@ -101126,7 +101136,7 @@ CVE-2021-23649
RESERVED
CVE-2021-23648 (The package @braintree/sanitize-url before 6.0.0 are vulnerable to Cro ...)
- node-mermaid 8.14.0+~cs11.4.14-1
- [bullseye] - node-mermaid <no-dsa> (Minor issue)
+ [bullseye] - node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1
NOTE: https://github.com/braintree/sanitize-url/pull/40
NOTE: src:node-mermaid provides embedded @braintree/sanitize-url
CVE-2021-23647
@@ -169637,7 +169647,6 @@ CVE-2020-8860 (This vulnerability allows remote attackers to execute arbitrary c
CVE-2020-8859 (This vulnerability allows remote attackers to create a denial-of-servi ...)
{DLA-3014-1}
- elog <removed>
- [bullseye] - elog <ignored> (Minor issue)
[buster] - elog <ignored> (Minor issue)
NOTE: https://elog.psi.ch/elogs/Forum/69114
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-252/
@@ -172665,7 +172674,7 @@ CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to in
NOT-FOR-US: Node json
CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...)
- golang-github-russellhaering-goxmldsig 1.1.1-1 (bug #968928)
- [bullseye] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
+ [bullseye] - golang-github-russellhaering-goxmldsig 1.1.0-1+deb11u1
[buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
NOTE: https://github.com/russellhaering/goxmldsig/issues/48
NOTE: https://github.com/russellhaering/goxmldsig/commit/fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
=====================================
data/next-point-update.txt
=====================================
@@ -1,155 +1,3 @@
-CVE-2021-23648
- [bullseye] - node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1
-CVE-2021-43861
- [bullseye] - node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u2
-CVE-2021-44906
- [bullseye] - node-minimist 1.2.5+~cs5.3.1-2+deb11u1
-CVE-2022-24773
- [bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
-CVE-2022-24772
- [bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
-CVE-2022-24771
- [bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
-CVE-2022-0686
- [bullseye] - node-url-parse 1.5.3-1+deb11u1
-CVE-2022-0691
- [bullseye] - node-url-parse 1.5.3-1+deb11u1
-CVE-2021-40083
- [bullseye] - knot-resolver 5.3.1-1+deb11u1
-CVE-2022-21814
- [bullseye] - nvidia-graphics-drivers 470.103.01-1~deb11u1
-CVE-2022-21813
- [bullseye] - nvidia-graphics-drivers 470.103.01-1~deb11u1
-CVE-2021-39191
- [bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u1
-CVE-2020-7711
- [bullseye] - golang-github-russellhaering-goxmldsig 1.1.0-1+deb11u1
-CVE-2022-25308
- [bullseye] - fribidi 1.0.8-2+deb11u1
-CVE-2022-25309
- [bullseye] - fribidi 1.0.8-2+deb11u1
-CVE-2022-25310
- [bullseye] - fribidi 1.0.8-2+deb11u1
-CVE-2022-26505
- [bullseye] - minidlna 1.3.0+dfsg-2+deb11u1
-CVE-2022-24785
- [bullseye] - node-moment 2.29.1+ds-2+deb11u1
-CVE-2021-43566
- [bullseye] - samba 2:4.13.13+dfsg-1~deb11u4
-CVE-2022-1328
- [bullseye] - mutt 2.0.5-4.1+deb11u1
-CVE-2022-0436
- [bullseye] - grunt 1.3.0-1+deb11u1
-CVE-2022-27406
- [bullseye] - freetype 2.10.4+dfsg-1+deb11u1
-CVE-2022-27405
- [bullseye] - freetype 2.10.4+dfsg-1+deb11u1
-CVE-2022-27404
- [bullseye] - freetype 2.10.4+dfsg-1+deb11u1
-CVE-2022-29078
- [bullseye] - node-ejs 2.5.7-3+deb11u1
-CVE-2022-21227
- [bullseye] - node-sqlite3 5.0.0+ds1-1+deb11u1
-CVE-2022-24801
- [bullseye] - twisted 20.3.0-7+deb11u1
-CVE-2022-21716
- [bullseye] - twisted 20.3.0-7+deb11u1
-CVE-2022-21712
- [bullseye] - twisted 20.3.0-7+deb11u1
-CVE-2022-30333
- [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u1
-CVE-2022-1650
- [bullseye] - node-eventsource 1.0.7-1+deb11u1
-CVE-2021-3618
- [bullseye] - nginx 1.18.0-6.1+deb11u2
-CVE-2021-41125
- [bullseye] - python-scrapy 2.4.1-2+deb11u1
-CVE-2022-0577
- [bullseye] - python-scrapy 2.4.1-2+deb11u1
-CVE-2022-24191
- [bullseye] - htmldoc 1.9.11-4+deb11u3
-CVE-2022-27114
- [bullseye] - htmldoc 1.9.11-4+deb11u3
-CVE-2022-28085
- [bullseye] - htmldoc 1.9.11-4+deb11u3
-CVE-2022-20770
- [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
-CVE-2022-20796
- [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
-CVE-2022-20771
- [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
-CVE-2022-20785
- [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
-CVE-2022-20792
- [bullseye] - clamav 0.103.6+dfsg-0+deb11u1
-CVE-2022-24828
- [bullseye] - composer 2.0.9-2+deb11u1
-CVE-2022-28181
- [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
-CVE-2022-28185
- [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
-CVE-2022-24775
- [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u1
-CVE-2022-28181
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.191.01-1~deb11u1
-CVE-2022-28185
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.191.01-1~deb11u1
-CVE-2022-28192
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.191.01-1~deb11u1
-CVE-2022-26377
- [bullseye] - apache2 2.4.54-1~deb11u1
-CVE-2022-28614
- [bullseye] - apache2 2.4.54-1~deb11u1
-CVE-2022-28615
- [bullseye] - apache2 2.4.54-1~deb11u1
-CVE-2022-29404
- [bullseye] - apache2 2.4.54-1~deb11u1
-CVE-2022-30522
- [bullseye] - apache2 2.4.54-1~deb11u1
-CVE-2022-30556
- [bullseye] - apache2 2.4.54-1~deb11u1
-CVE-2022-31813
- [bullseye] - apache2 2.4.54-1~deb11u1
-CVE-2022-29162
- [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u2
-CVE-2021-4209
- [bullseye] - gnutls28 3.7.1-5+deb11u1
-CVE-2021-33657
- [bullseye] - libsdl2 2.0.14+dfsg2-3+deb11u1
-CVE-2022-31212
- [bullseye] - dbus-broker 26-1+deb11u1
-CVE-2022-28192
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-28191
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-28185
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-28184
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-28183
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-28181
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-21814
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-21813
- [bullseye] - nvidia-graphics-drivers 470.129.06-5~deb11u1
-CVE-2022-33987
- [bullseye] - node-got 11.8.1+~cs53.13.17-3+deb11u1
-CVE-2022-1012
- [bullseye] - linux 5.10.127-1
-CVE-2022-1184
- [bullseye] - linux 5.10.127-1
-CVE-2022-21123
- [bullseye] - linux 5.10.127-1
-CVE-2022-21125
- [bullseye] - linux 5.10.127-1
-CVE-2022-21166
- [bullseye] - linux 5.10.127-1
-CVE-2022-32296
- [bullseye] - linux 5.10.127-1
-CVE-2022-1348
- [bullseye] - logrotate 3.18.0-2+deb11u1
CVE-2021-32718
[bullseye] - rabbitmq-server 3.8.9-3+deb11u1
CVE-2021-32719
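Review bot: the hunk header `-1,155 +1,3` leaves exactly the three rabbitmq-server context lines (CVE-2021-32718 and CVE-2021-32719 with 3.8.9-3+deb11u1) as the only entries still pending, so it is worth confirming that rabbitmq-server was intentionally not part of 11.4 rather than overlooked. Several CVE ids appear more than once in the removed block (CVE-2022-28181, CVE-2022-28185 and CVE-2022-28192 under nvidia-graphics-drivers, nvidia-graphics-drivers-tesla-450 and nvidia-graphics-drivers-legacy-390xx; CVE-2022-21813 and CVE-2022-21814 under two nvidia-graphics-drivers versions), which is expected for one CVE spanning several source packages but means each removal here must correspond to a separate [bullseye] line in data/CVE/list. elog is absent from this list, consistent with commit 30fed671 dropping its annotation because the package was removed in 11.4 rather than fixed.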
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7b0ac0c26f471d7d1471414be49509b0115fb806...f77a1789b71abeb15c3858ea65b8b50a7c1f4148