[Git][security-tracker-team/security-tracker][master] Merge bullseye point release updates as previously reviewed and acked

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Mar 26 09:56:35 GMT 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aa3a4517 by Salvatore Bonaccorso at 2022-03-26T10:55:49+01:00
Merge bullseye point release updates as previously reviewed and acked

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1581,7 +1581,7 @@ CVE-2022-1020
 	RESERVED
 CVE-2022-27240 (scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer ...)
 	- glewlwyd 2.6.1-2
-	[bullseye] - glewlwyd <no-dsa> (Minor issue)
+	[bullseye] - glewlwyd 2.5.2-2+deb11u3
 	[buster] - glewlwyd <no-dsa> (Minor issue)
 	NOTE: https://github.com/babelouest/glewlwyd/commit/4c5597c155bfbaf6491cf6b83479d241ae66940a (v2.6.2)
 CVE-2022-27239
@@ -2413,7 +2413,7 @@ CVE-2022-0938 (Stored XSS via file upload in GitHub repository star7th/showdoc p
 	NOT-FOR-US: ShowDoc
 CVE-2021-46709 (phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows para ...)
 	- phpliteadmin 1.9.8.2-2
-	[bullseye] - phpliteadmin <no-dsa> (Minor issue)
+	[bullseye] - phpliteadmin 1.9.8.2-1+deb11u1
 	[buster] - phpliteadmin <no-dsa> (Minor issue)
 	NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
 	NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows
@@ -5882,7 +5882,7 @@ CVE-2022-25641
 	RESERVED
 CVE-2022-25640 (In wolfSSL before 5.2.0, a TLS 1.3 server cannot properly enforce a re ...)
 	- wolfssl 5.2.0-1
-	[bullseye] - wolfssl <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/4831
 	NOTE: https://github.com/wolfSSL/wolfssl/commit/3cdb1c639da94a9dc8c75590d0ec475e7f27c226 (v5.2.0-stable)
 	NOTE: https://github.com/wolfSSL/wolfssl/commit/b60d2dccce9110fd2b985d99063e524e39bdf6f7 (v5.2.0-stable)
@@ -5890,7 +5890,7 @@ CVE-2022-25639
 	RESERVED
 CVE-2022-25638 (In wolfSSL before 5.2.0, certificate validation may be bypassed during ...)
 	- wolfssl 5.2.0-1
-	[bullseye] - wolfssl <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/4813
 	NOTE: https://github.com/wolfSSL/wolfssl/commit/e13861bcde8015bb99ddb034224afb66e2fb89b8 (v5.2.0-stable)
 	NOTE: https://github.com/wolfSSL/wolfssl/commit/08047b2d959ee5e21a4a2c672308f45fec61f059 (v5.2.0-stable)
@@ -7929,7 +7929,7 @@ CVE-2022-24954 (Foxit PDF Reader before 11.2.1 and Foxit PDF Editor before 11.2.
 	NOT-FOR-US: Foxit
 CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 for PHP does not prevent addition ...)
 	- php-crypt-gpg 1.6.7-1 (bug #1005921)
-	[bullseye] - php-crypt-gpg <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - php-crypt-gpg 1.6.4-2+deb11u1
 	NOTE: https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 (v1.6.7)
 CVE-2022-24952
 	RESERVED
@@ -7997,7 +7997,7 @@ CVE-2022-24921 (regexp.Compile in Go before 1.16.15 and 1.17.x before 1.17.8 all
 	- golang-1.18 1.18~rc1-1
 	- golang-1.17 1.17.8-1
 	- golang-1.15 <removed>
-	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
+	[bullseye] - golang-1.15 1.15.15-1~deb11u4
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
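Review bot: the golang-1.15 line for CVE-2022-24921 records 1.15.15-1~deb11u4, while the golang-1.15 entries for CVE-2022-23806, CVE-2022-23773 and CVE-2022-23772 later in this patch record 1.15.15-1~deb11u3. If the regexp.Compile fix shipped in a separate, later upload, this is correct. Otherwise one of the two revisions is a typo and the tracker will report the wrong first-fixed version, so please confirm against the changelog of each upload.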
@@ -8691,7 +8691,7 @@ CVE-2022-0537
 	RESERVED
 CVE-2022-0536 (Exposure of Sensitive Information to an Unauthorized Actor in NPM foll ...)
 	- node-follow-redirects 1.14.8+~1.14.0-1
-	[bullseye] - node-follow-redirects <no-dsa> (Minor issue)
+	[bullseye] - node-follow-redirects 1.13.1-1+deb11u1
 	[buster] - node-follow-redirects <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db/
 	NOTE: https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445 (v1.14.8)
@@ -8700,6 +8700,7 @@ CVE-2022-0535 (The E2Pdf WordPress plugin before 1.16.45 does not sanitise and e
 CVE-2022-0534 (A vulnerability was found in htmldoc version 1.9.15 where the stack ou ...)
 	{DLA-2928-1}
 	- htmldoc 1.9.15-1 (unimportant)
+	[bullseye] - htmldoc 1.9.11-4+deb11u2
 	NOTE: https://github.com/michaelrsweet/htmldoc/issues/463
 	NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50 (v1.9.15)
 	NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/312f0f9c12f26fbe015cd0e6cefa40e4b99017d9 (v1.9.15)
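Review bot: the [bullseye] line for CVE-2022-0534 is a pure addition (the hunk grows from 6 to 7 lines) under an unstable entry tagged (unimportant), so there was no bullseye-specific line to replace. Its placement before the NOTE lines matches the rest of the file, but please confirm that 1.9.11-4+deb11u2 is the upload that carries the backported fix and not simply the current bullseye version of htmldoc.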
@@ -9380,7 +9381,7 @@ CVE-2022-0493
 	RESERVED
 CVE-2021-46671 (options.c in atftp before 0.7.5 reads past the end of an array, and co ...)
 	- atftp 0.7.git20210915-1 (bug #1004974)
-	[bullseye] - atftp <no-dsa> (Minor issue)
+	[bullseye] - atftp 0.7.git20120829-3.3+deb11u2
 	[buster] - atftp <no-dsa> (Minor issue)
 	[stretch] - atftp <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5)
@@ -9908,14 +9909,14 @@ CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a convert_con
 CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain long SE ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-25787
 	NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...)
 	- mariadb-10.6 1:10.6.5-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-26350
 	NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5
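Review bot: on CVE-2021-46667 the recorded bullseye version is 1:10.5.15-0+deb11u1, but the NOTE in the same entry lists 10.5.13 as the first fixed upstream 10.5 release. Recording 10.5.15 is right only if no 10.5.13 or 10.5.14 based upload reached bullseye earlier; if one did, the entry should carry that earlier version so hosts running it are not flagged as vulnerable. The same check applies to the mariadb-10.5 entries in this patch whose NOTE says 10.5.14.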
@@ -9930,28 +9931,28 @@ CVE-2021-46666 (MariaDB before 10.6.2 allows an application crash because of mis
 CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash because ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-25636
 	NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-25761
 	NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-26351
 	NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...)
 	- mariadb-10.6 1:10.6.5-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-25637
 	NOTE: https://jira.mariadb.org/browse/MDEV-22464
@@ -9959,7 +9960,7 @@ CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via
 CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field_in_ta ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-25766
 	NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
@@ -10339,7 +10340,7 @@ CVE-2022-0415 (Remote Command Execution in uploading repository file in GitHub r
 CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows attacke ...)
 	{DLA-2913-1}
 	- xterm 370-2 (bug #1004689)
-	[bullseye] - xterm <no-dsa> (Minor issue)
+	[bullseye] - xterm 366-1+deb11u1
 	[buster] - xterm <no-dsa> (Minor issue)
 	NOTE: https://twitter.com/nickblack/status/1487731459398025216
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
@@ -10366,7 +10367,7 @@ CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity (
 CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it does not  ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: https://jira.mariadb.org/browse/MDEV-25631
 	NOTE: Fixed in MariaDB: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2
@@ -10624,14 +10625,14 @@ CVE-2022-24053
 CVE-2022-24052 (MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Es ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-366/
 CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalation Vuln ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-318/
@@ -10639,7 +10640,7 @@ CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalatio
 CVE-2022-24050 (MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vul ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-364/
@@ -10648,7 +10649,7 @@ CVE-2022-24049 (This vulnerability allows remote attackers to execute arbitrary
 CVE-2022-24048 (MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege E ...)
 	- mariadb-10.6 1:10.6.7-1
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed in next point release)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-363/
@@ -11175,7 +11176,7 @@ CVE-2022-23944 (User can access /plugin api without authentication. This issue a
 CVE-2022-23943 (Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server all ...)
 	{DLA-2960-1}
 	- apache2 2.4.53-1
-	[bullseye] - apache2 <no-dsa> (Minor issue)
+	[bullseye] - apache2 2.4.53-1~deb11u1
 	[buster] - apache2 <no-dsa> (Minor issue)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-23943
 	NOTE: Fixed by: https://svn.apache.org/r1898695
@@ -11979,7 +11980,7 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17
 	- golang-1.18 1.18~rc1-1
 	- golang-1.17 1.17.7-1
 	- golang-1.15 <removed>
-	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
+	[bullseye] - golang-1.15 1.15.15-1~deb11u3
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
@@ -12107,7 +12108,7 @@ CVE-2022-23773 (cmd/go in Go before 1.16.14 and 1.17.x before 1.17.7 can misinte
 	- golang-1.18 1.18~rc1-1
 	- golang-1.17 1.17.7-1
 	- golang-1.15 <removed>
-	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
+	[bullseye] - golang-1.15 1.15.15-1~deb11u3
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
@@ -12119,7 +12120,7 @@ CVE-2022-23772 (Rat.SetString in math/big in Go before 1.16.14 and 1.17.x before
 	- golang-1.18 1.18~beta2-1
 	- golang-1.17 1.17.7-1
 	- golang-1.15 <removed>
-	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
+	[bullseye] - golang-1.15 1.15.15-1~deb11u3
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
@@ -12380,7 +12381,7 @@ CVE-2022-23648 (containerd is a container runtime available as a daemon for Linu
 	NOTE: https://www.openwall.com/lists/oss-security/2022/03/02/1
 CVE-2022-23647 (Prism is a syntax highlighting library. Starting with version 1.14.0 a ...)
 	- node-prismjs 1.27.0+dfsg+~1.26.0-1
-	[bullseye] - node-prismjs <no-dsa> (Minor issue)
+	[bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u2
 	NOTE: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
 	NOTE: https://github.com/PrismJS/prism/issues/3340
 	NOTE: https://github.com/PrismJS/prism/pull/3341
@@ -13545,7 +13546,7 @@ CVE-2022-23309
 	RESERVED
 CVE-2022-23308 (valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF  ...)
 	- libxml2 2.9.13+dfsg-1 (bug #1006489)
-	[bullseye] - libxml2 <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u1
 	[buster] - libxml2 <no-dsa> (Minor issue; can be fixed via point release)
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/327
 	NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e (v2.9.13)
@@ -13558,7 +13559,7 @@ CVE-2022-0265 (Improper Restriction of XML External Entity Reference in GitHub r
 CVE-2022-23307 (CVE-2020-9493 identified a deserialization issue that was present in A ...)
 	{DLA-2905-1}
 	- apache-log4j1.2 1.2.17-11 (bug #1004482)
-	[bullseye] - apache-log4j1.2 <no-dsa> (Minor issue)
+	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
 	[buster] - apache-log4j1.2 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/5
 CVE-2022-23306
@@ -13566,7 +13567,7 @@ CVE-2022-23306
 CVE-2022-23305 (By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as ...)
 	{DLA-2905-1}
 	- apache-log4j1.2 1.2.17-11 (bug #1004482)
-	[bullseye] - apache-log4j1.2 <no-dsa> (Minor issue)
+	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
 	[buster] - apache-log4j1.2 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/4
 CVE-2022-0263 (Unrestricted Upload of File with Dangerous Type in Packagist pimcore/p ...)
@@ -13639,7 +13640,7 @@ CVE-2022-0243 (Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Applicat
 CVE-2022-23302 (JMSSink in all versions of Log4j 1.x is vulnerable to deserialization  ...)
 	{DLA-2905-1}
 	- apache-log4j1.2 1.2.17-11 (bug #1004482)
-	[bullseye] - apache-log4j1.2 <no-dsa> (Minor issue)
+	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
 	[buster] - apache-log4j1.2 <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/3
 CVE-2022-22142 (Reflected cross-site scripting vulnerability in the checkbox of php_ma ...)
@@ -13839,7 +13840,7 @@ CVE-2022-0236 (The WP Import Export WordPress plugin (both free and premium vers
 	NOT-FOR-US: WordPress plugin
 CVE-2022-0235 (node-fetch is vulnerable to Exposure of Sensitive Information to an Un ...)
 	- node-fetch 2.6.1-7
-	[bullseye] - node-fetch <no-dsa> (Minor issue)
+	[bullseye] - node-fetch 2.6.1-5+deb11u1
 	[buster] - node-fetch <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
 	NOTE: Fixed by: https://github.com/node-fetch/node-fetch/commit/f5d3cf5e2579cb8f4c76c291871e69696aef8f80 (v3.1.1)
@@ -13867,13 +13868,13 @@ CVE-2022-23222 (kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/13/1
 CVE-2022-23219 (The deprecated compatibility function clnt_create in the sunrpc module ...)
 	- glibc 2.33-3
-	[bullseye] - glibc <no-dsa> (Minor issue)
+	[bullseye] - glibc 2.31-13+deb11u3
 	[buster] - glibc <no-dsa> (Minor issue)
 	[stretch] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542
 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the sunrpc mod ...)
 	- glibc 2.33-3
-	[bullseye] - glibc <no-dsa> (Minor issue)
+	[bullseye] - glibc 2.31-13+deb11u3
 	[buster] - glibc <no-dsa> (Minor issue)
 	[stretch] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768
@@ -15402,7 +15403,7 @@ CVE-2022-22814 (The System Diagnosis service of MyASUS before 3.1.2.0 allows pri
 	NOT-FOR-US: ASUS
 CVE-2022-0155 (follow-redirects is vulnerable to Exposure of Private Personal Informa ...)
 	- node-follow-redirects 1.14.7+~1.13.1-1
-	[bullseye] - node-follow-redirects <no-dsa> (Minor issue)
+	[bullseye] - node-follow-redirects 1.13.1-1+deb11u1
 	[buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406
 	NOTE: https://github.com/follow-redirects/follow-redirects/issues/183
@@ -15823,21 +15824,21 @@ CVE-2022-22722 (A CWE-798: Use of Hard-coded Credentials vulnerability exists th
 CVE-2022-22721 (If LimitXMLRequestBody is set to allow request bodies larger than 350M ...)
 	{DLA-2960-1}
 	- apache2 2.4.53-1
-	[bullseye] - apache2 <no-dsa> (Minor issue)
+	[bullseye] - apache2 2.4.53-1~deb11u1
 	[buster] - apache2 <no-dsa> (Minor issue)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22721
 	NOTE: Fixed by: https://svn.apache.org/r1898693
 CVE-2022-22720 (Apache HTTP Server 2.4.52 and earlier fails to close inbound connectio ...)
 	{DLA-2960-1}
 	- apache2 2.4.53-1
-	[bullseye] - apache2 <no-dsa> (Minor issue)
+	[bullseye] - apache2 2.4.53-1~deb11u1
 	[buster] - apache2 <no-dsa> (Minor issue)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22720
 	NOTE: Fixed by: https://svn.apache.org/r1898692
 CVE-2022-22719 (A carefully crafted request body can cause a read to a random memory a ...)
 	{DLA-2960-1}
 	- apache2 2.4.53-1
-	[bullseye] - apache2 <no-dsa> (Minor issue)
+	[bullseye] - apache2 2.4.53-1~deb11u1
 	[buster] - apache2 <no-dsa> (Minor issue)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22719
 	NOTE: Fixed by: https://svn.apache.org/r1898694
@@ -19448,7 +19449,7 @@ CVE-2021-45453
 	RESERVED
 CVE-2021-45452 (Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 b ...)
 	- python-django 2:3.2.11-1 (bug #1003113)
-	[bullseye] - python-django <postponed> (Minor issue; fix in next update)
+	[bullseye] - python-django 2:2.2.26-1~deb11u1
 	[buster] - python-django <postponed> (Minor issue; fix in next update)
 	[stretch] - python-django <postponed> (Minor issue; fix in next update)
 	NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
@@ -20487,7 +20488,7 @@ CVE-2021-45117 (The OPC autogenerated ANSI C stack stubs (in the NodeSets) do no
 	NOT-FOR-US: OPCFoundation/UA-Nodeset
 CVE-2021-45116 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11 ...)
 	- python-django 2:3.2.11-1 (bug #1003113)
-	[bullseye] - python-django <postponed> (Minor issue; fix in next update)
+	[bullseye] - python-django 2:2.2.26-1~deb11u1
 	[buster] - python-django <postponed> (Minor issue; fix in next update)
 	[stretch] - python-django <postponed> (Minor issue; fix in next update)
 	NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
@@ -20495,7 +20496,7 @@ CVE-2021-45116 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before
 	NOTE: https://github.com/django/django/commit/c9f648ccfac5ab90fb2829a66da4f77e68c7f93a (2.2.26)
 CVE-2021-45115 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11 ...)
 	- python-django 2:3.2.11-1 (bug #1003113)
-	[bullseye] - python-django <postponed> (Minor issue; fix in next update)
+	[bullseye] - python-django 2:2.2.26-1~deb11u1
 	[buster] - python-django <postponed> (Minor issue; fix in next update)
 	[stretch] - python-django <postponed> (Minor issue; fix in next update)
 	NOTE: https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
@@ -20556,7 +20557,7 @@ CVE-2021-23138 (WECON LeviStudioU Versions 2019-09-21 and prior are vulnerable t
 	NOT-FOR-US: WECON LeviStudioU
 CVE-2021-45379 (Glewlwyd 2.0.0, fixed in 2.6.1 is affected by an incorrect access cont ...)
 	- glewlwyd 2.6.1-1
-	[bullseye] - glewlwyd <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - glewlwyd 2.5.2-2+deb11u2
 	[buster] - glewlwyd <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/babelouest/glewlwyd/commit/125281f1c0d4b6a8b49f7e55a757205a2ef01fbe (v2.6.1)
 CVE-2022-21953
@@ -20587,7 +20588,7 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12
 CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive]
 	RESERVED
 	- libarchive 3.5.2-1 (bug #1001990)
-	[bullseye] - libarchive <no-dsa> (Minor issue)
+	[bullseye] - libarchive 3.4.3-2+deb11u1
 	[buster] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/1566
 	NOTE: https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 (v3.5.2)
@@ -20595,7 +20596,7 @@ CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times,
 CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target]
 	RESERVED
 	- libarchive 3.5.2-1 (bug #1001986)
-	[bullseye] - libarchive <no-dsa> (Minor issue)
+	[bullseye] - libarchive 3.4.3-2+deb11u1
 	[buster] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/1565
 	NOTE: https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2)
@@ -21159,7 +21160,7 @@ CVE-2021-45006
 	RESERVED
 CVE-2021-45005 (Artifex MuJS v1.1.3 was discovered to contain a heap buffer overflow w ...)
 	- mujs 1.1.3-4
-	[bullseye] - mujs <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - mujs 1.1.0-1+deb11u1
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=704749 (not public)
 	NOTE: http://git.ghostscript.com/?p=mujs.git;h=df8559e7bdbc6065276e786217eeee70f28fce66 (1.2.0)
 CVE-2021-45004
@@ -21382,6 +21383,7 @@ CVE-2021-44918 (A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in
 	NOTE: https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a (v2.0.0)
 CVE-2021-44917 (A Divide by Zero vulnerability exists in gnuplot 5.4 in the boundary3d ...)
 	- gnuplot 5.4.2+dfsg2-2 (unimportant; bug #1002539)
+	[bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1
 	NOTE: https://sourceforge.net/p/gnuplot/bugs/2474/
 	NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/8938dfc937348f1d4e7b3d6ef6d44209b1d89473/ (master)
 	NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/acab14de21e323254507fca85f964e471258ac82/ (master)
@@ -21618,7 +21620,7 @@ CVE-2021-44833 (The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for
 CVE-2021-4104 (JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted ...)
 	{DLA-2905-1}
 	- apache-log4j1.2 1.2.17-11
-	[bullseye] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default)
+	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
 	[buster] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/1
 	NOTE: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
@@ -21629,7 +21631,7 @@ CVE-2021-4103 (Cross-site Scripting (XSS) - Stored in GitHub repository vanessa2
 CVE-2021-44832 (Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fi ...)
 	{DLA-2870-1}
 	- apache-log4j2 2.17.1-1 (bug #1002813)
-	[bullseye] - apache-log4j2 <no-dsa> (Minor issue; requires attacker with permissions to modify the logging configuration file)
+	[bullseye] - apache-log4j2 2.17.1-1~deb11u1
 	[buster] - apache-log4j2 <no-dsa> (Minor issue; requires attacker with permissions to modify the logging configuration file)
 	NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
 	NOTE: https://issues.apache.org/jira/browse/LOG4J2-3293
@@ -21785,7 +21787,7 @@ CVE-2022-21814 (NVIDIA GPU Display Driver for Linux contains a vulnerability in
 	- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1004852)
 	[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851)
-	[bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+	[bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1
 	- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1004850)
 	[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
 CVE-2022-21813 (NVIDIA GPU Display Driver for Linux contains a vulnerability in the ke ...)
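Review bot: only the nvidia-graphics-drivers-tesla-450 line of this entry gets a fixed version; the tesla-460 and tesla-418 lines in the same context stay at <unfixed> for unstable and <no-dsa> (Non-free not supported) for bullseye. The removed annotation was a support-policy statement rather than a triage of this issue, so it would help to say in the commit message that the 450 series was updated through the point release while the other series remain open.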
@@ -21802,7 +21804,7 @@ CVE-2022-21813 (NVIDIA GPU Display Driver for Linux contains a vulnerability in
 	- nvidia-graphics-drivers-tesla-460 <unfixed> (bug #1004852)
 	[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851)
-	[bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+	[bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1
 	- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1004850)
 	[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
 CVE-2021-44795 (Single Connect does not perform an authorization check when using the  ...)
@@ -22078,7 +22080,7 @@ CVE-2021-44719
 CVE-2021-44718
 	RESERVED
 	- wolfssl 5.1.1-1
-	[bullseye] - wolfssl <no-dsa> (Minor issue; will be fixed via point release)
+	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/4629
 CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write operat ...)
 	{DLA-2892-1 DLA-2891-1}
@@ -23322,7 +23324,7 @@ CVE-2021-44274
 	RESERVED
 CVE-2021-44273 (e2guardian v5.4.x <= v5.4.3r is affected by missing SSL certificate ...)
 	- e2guardian 5.3.5-3 (bug #1003125)
-	[bullseye] - e2guardian <no-dsa> (Minor issue)
+	[bullseye] - e2guardian 5.3.4-1+deb11u1
 	[buster] - e2guardian <no-dsa> (Minor issue)
 	[stretch] - e2guardian <ignored> (SSL MITM engine not enabled in stretch)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/12/23/2
@@ -24030,7 +24032,7 @@ CVE-2021-3998 [Unexpected return value from realpath() for too long results]
 CVE-2021-3997 [Uncontrolled recursion in systemd's systemd-tmpfiles]
 	RESERVED
 	- systemd 250.2-1 (bug #1003467)
-	[bullseye] - systemd <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - systemd 247.3-7
 	[buster] - systemd <ignored> (Minor issue; not exploitable before upstream commit e535840)
 	[stretch] - systemd <ignored> (Minor issue; utility segfault; not exploitable before upstream commit e535840, PoC doesn't segfault on stretch)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2024639
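Review bot: the new systemd version for CVE-2021-3997, 247.3-7, is the only bullseye version visible in this patch without a +deb11uN or ~deb11uN suffix. If 247.3-7 is the actual version string of the point-release upload, this is fine; if the upload was versioned with a deb11u suffix, the line will not match the archive and the tracker will misreport the fixed state. Please check it against the accepted upload.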
@@ -24638,7 +24640,7 @@ CVE-2022-21671 (@replit/crosis is a JavaScript client that speaks Replit's conta
 	NOT-FOR-US: crosis
 CVE-2022-21670 (markdown-it is a Markdown parser. Prior to version 1.3.2, special patt ...)
 	- node-markdown-it 10.0.0+dfsg-6
-	[bullseye] - node-markdown-it <no-dsa> (Minor issue)
+	[bullseye] - node-markdown-it 10.0.0+dfsg-2+deb11u1
 	NOTE: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c
 	NOTE: https://github.com/markdown-it/markdown-it/commit/ffc49ab46b5b751cd2be0aabb146f2ef84986101 (12.3.2)
 CVE-2022-21669 (PuddingBot is a group management bot. In version 0.0.6-b933652 and pri ...)
@@ -25081,7 +25083,7 @@ CVE-2021-43809 (`Bundler` is a package for managing application dependencies in
 	NOTE: https://github.com/rubygems/rubygems/pull/5142
 CVE-2021-43808 (Laravel is a web application framework. Laravel prior to versions 8.75 ...)
 	- php-laravel-framework 6.20.14+dfsg-3 (bug #1001333)
-	[bullseye] - php-laravel-framework <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1
 	NOTE: https://github.com/laravel/framework/security/advisories/GHSA-66hf-2p6w-jqfw
 	NOTE: https://github.com/laravel/framework/commit/b8174169b1807f36de1837751599e2828ceddb9b (v6.20.42)
 CVE-2021-43807 (Opencast is an Open Source Lecture Capture & Video Management for  ...)
@@ -26382,7 +26384,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 ha
 	NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
 CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...)
 	- php-laravel-framework 6.20.14+dfsg-3 (bug #1002728)
-	[bullseye] - php-laravel-framework <no-dsa> (Can be fixed via point release)
+	[bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1
 	NOTE: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
 CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...)
 	NOT-FOR-US: kimai2
@@ -27102,6 +27104,7 @@ CVE-2021-43392 (STMicroelectronics STSAFE-J 1.1.4, J-SAFE3 1.2.5, and J-SIGN som
 	NOT-FOR-US: STMicroelectronics
 CVE-2021-43396 (** DISPUTED ** In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka  ...)
 	- glibc 2.32-5 (unimportant; bug #998622)
+	[bullseye] - glibc 2.31-13+deb11u3
 	[buster] - glibc <not-affected> (Vulnerable code not present)
 	[stretch] - glibc <not-affected> (Vulnerable code not present)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28524
@@ -28308,7 +28311,7 @@ CVE-2022-20699 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, R
 	NOT-FOR-US: Cisco Small Business RV Series Routers
 CVE-2022-20698 (A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) ...)
 	- clamav 0.103.5+dfsg-1
-	[bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+	[bullseye] - clamav 0.103.5+dfsg-0+deb11u1
 	[buster] - clamav <no-dsa> (clamav is updated via -updates)
 	[stretch] - clamav <postponed> (Minor issue; clean crash; follow stable updates)
 	NOTE: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
@@ -31662,7 +31665,7 @@ CVE-2021-42344
 	RESERVED
 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 2021.10 ...)
 	- dask.distributed 2021.09.1+ds.1-2
-	[bullseye] - dask.distributed <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1
 	[buster] - dask.distributed <no-dsa> (Minor issue; can be fixed via point release)
 	NOTE: https://github.com/dask/distributed/pull/5427
 	NOTE: https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
@@ -34503,7 +34506,7 @@ CVE-2021-41271 (Discourse is a platform for community discussion. In affected ve
 	NOT-FOR-US: Discourse
 CVE-2021-41270 (Symfony/Serializer handles serializing and deserializing data structur ...)
 	- symfony 4.4.19+dfsg-3
-	[bullseye] - symfony <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - symfony 4.4.19+dfsg-2+deb11u1
 	[buster] - symfony <not-affected> (Vulnerable code and support for csv_escape_formulas introduced in 4.1)
 	[stretch] - symfony <not-affected> (Vulnerable code and support for csv_escape_formulas introduced in 4.1)
 	NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
@@ -35025,7 +35028,7 @@ CVE-2021-41079 (Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1
 	NOTE: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822 (8.5.64)
 CVE-2021-3803 (nth-check is vulnerable to Inefficient Regular Expression Complexity ...)
 	- node-nth-check 2.0.1-1
-	[bullseye] - node-nth-check <no-dsa> (Minor issue)
+	[bullseye] - node-nth-check 2.0.0-1+deb11u1
 	[buster] - node-nth-check <no-dsa> (Minor issue)
 	[stretch] - node-nth-check <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1)
@@ -35505,7 +35508,7 @@ CVE-2021-40874 [RESTServer pwdConfirm always returns true with Combination + Ker
 	RESERVED
 	[experimental] - lemonldap-ng 2.0.14~exp+ds-1
 	- lemonldap-ng 2.0.14+ds-1 (bug #1005302)
-	[bullseye] - lemonldap-ng <no-dsa> (Minor issue)
+	[bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u1
 	[buster] - lemonldap-ng <no-dsa> (Minor issue)
 	[stretch] - lemonldap-ng <no-dsa> (Minor issue)
 	NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
@@ -36427,7 +36430,7 @@ CVE-2021-40517 (Airangel HSMX Gateway devices through 5.2.04 is vulnerable to st
 CVE-2021-40516 (WeeChat before 3.2.1 allows remote attackers to cause a denial of serv ...)
 	{DLA-2770-1}
 	- weechat 3.2.1-1 (bug #993803)
-	[bullseye] - weechat <no-dsa> (Minor issue; can be fixed via point release)
+	[bullseye] - weechat 3.0-1+deb11u1
 	[buster] - weechat <no-dsa> (Minor issue; can be fixed via point release)
 	NOTE: https://github.com/weechat/weechat/commit/8b1331f98de1714bae15a9ca2e2b393ba49d735b
 CVE-2021-40515
@@ -41075,7 +41078,7 @@ CVE-2021-38598 (OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0
 	NOTE: https://review.opendev.org/c/openstack/neutron/+/785917/
 CVE-2021-38597 (wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain si ...)
 	- wolfssl 5.0.0-1 (bug #992174)
-	[bullseye] - wolfssl <no-dsa> (Minor issue)
+	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
 	NOTE: https://github.com/wolfSSL/wolfssl/commit/f93083be72a3b3d956b52a7ec13f307a27b6e093
 CVE-2021-38596
 	RESERVED
@@ -44857,7 +44860,7 @@ CVE-2021-37156 (Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue
 	NOTE: https://github.com/redmine/redmine/commit/ee0d822517154878a2ad33be66b820c6b68d077b
 CVE-2021-37155 (wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure ou ...)
 	- wolfssl 5.0.0-1 (bug #991443)
-	[bullseye] - wolfssl <no-dsa> (Minor issue)
+	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/3990
 	NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v4.8.0-stable
 CVE-2021-37154 (In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementa ...)
@@ -45277,7 +45280,7 @@ CVE-2021-23184
 	RESERVED
 CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-f ...)
 	- openvswitch 2.15.0+ds1-10 (bug #991308)
-	[bullseye] - openvswitch <no-dsa> (Minor issue)
+	[bullseye] - openvswitch 2.15.0+ds1-2+deb11u1
 	[buster] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11)
 	[stretch] - openvswitch <not-affected> (Vulnerable code not present, introduced in 2.11)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27851
@@ -48552,7 +48555,7 @@ CVE-2021-35605
 	RESERVED
 CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (component:  ...)
 	- mariadb-10.5 <removed>
-	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue)
+	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
 	- mariadb-10.3 <removed>
 	[buster] - mariadb-10.3 <no-dsa> (Minor issue)
 	- mysql-8.0 <unfixed>
@@ -53228,7 +53231,7 @@ CVE-2021-33624 (In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a b
 	NOTE: https://www.openwall.com/lists/oss-security/2021/06/21/1
 CVE-2021-33623 (The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.j ...)
 	- node-trim-newlines 3.0.0+~3.0.0-1
-	[bullseye] - node-trim-newlines <no-dsa> (Minor issue)
+	[bullseye] - node-trim-newlines 3.0.0-1+deb11u1
 	[buster] - node-trim-newlines <no-dsa> (Minor issue)
 	[stretch] - node-trim-newlines <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/advisories/GHSA-7p7h-4mm5-852v
@@ -53359,7 +53362,7 @@ CVE-2021-33575 (The Pixar ruby-jss gem before 1.6.0 allows remote attackers to e
 CVE-2021-33574 (The mq_notify function in the GNU C Library (aka glibc) versions 2.32  ...)
 	[experimental] - glibc 2.32-0experimental0
 	- glibc 2.32-1 (bug #989147)
-	[bullseye] - glibc <no-dsa> (Minor issue)
+	[bullseye] - glibc 2.31-13+deb11u3
 	[buster] - glibc <no-dsa> (Minor issue)
 	[stretch] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
@@ -54520,7 +54523,7 @@ CVE-2021-33121
 	RESERVED
 CVE-2021-33120 (Out of bounds read under complex microarchitectural condition in memor ...)
 	- intel-microcode 3.20220207.1
-	[bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release)
+	[bullseye] - intel-microcode 3.20220207.1~deb11u1
 	[buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html
 CVE-2021-33119 (Improper access control in the Intel(R) RealSense(TM) DCM before versi ...)
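Review bot: the [buster] context line under CVE-2021-33120 still gives "Wait until exposed in unstable" as the reason for <postponed>, although the entry records 3.20220207.1 as fixed in unstable and bullseye is now resolved by this hunk. That reason looks stale and could be reworded in the same change (it also reads "tendency point release" where the removed bullseye line read "tendency to point release"). The new 3.20220207.1~deb11u1 sorts below the unstable version because of the tilde, which is what a stable backport should do.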
@@ -78890,7 +78893,7 @@ CVE-2021-23519
 	RESERVED
 CVE-2021-23518 (The package cached-path-relative before 1.1.0 are vulnerable to Protot ...)
 	- node-cached-path-relative 1.1.0+~1.0.0-1 (bug #1004338)
-	[bullseye] - node-cached-path-relative <no-dsa> (Minor issue)
+	[bullseye] - node-cached-path-relative 1.0.2-1+deb11u1
 	[buster] - node-cached-path-relative <no-dsa> (Minor issue)
 	NOTE: https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
 	NOTE: results from incomplete fix for https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
@@ -97511,7 +97514,7 @@ CVE-2021-0562 (In RasterIntraUpdate of motion_est.cpp, there is a possible out o
 CVE-2021-0561 (In append_to_verify_fifo_interleaved_ of stream_encoder.c, there is a  ...)
 	{DLA-2951-1}
 	- flac 1.3.4-1 (bug #1006339)
-	[bullseye] - flac <no-dsa> (Minor issue)
+	[bullseye] - flac 1.3.3-2+deb11u1
 	[buster] - flac <no-dsa> (Minor issue)
 	NOTE: https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be (1.3.4)
 	NOTE: https://xiph.org/flac/changelog.html#flac_1.3.4
@@ -100245,7 +100248,7 @@ CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207
 CVE-2021-0145 (Improper initialization of shared resources in some Intel(R) Processor ...)
 	- intel-microcode 3.20220207.1
-	[bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release)
+	[bullseye] - intel-microcode 3.20220207.1~deb11u1
 	[buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html
 	NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/fast-store-forwarding-predictor.html
@@ -100291,7 +100294,7 @@ CVE-2021-0128
 	RESERVED
 CVE-2021-0127 (Insufficient control flow management in some Intel(R) Processors may a ...)
 	- intel-microcode 3.20220207.1
-	[bullseye] - intel-microcode <postponed> (Wait until exposed in unstable; tendency to point release)
+	[bullseye] - intel-microcode 3.20220207.1~deb11u1
 	[buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html
 	NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207
@@ -121221,7 +121224,7 @@ CVE-2020-18443
 CVE-2020-18442 (Infinite Loop in zziplib v0.13.69 allows remote attackers to cause a d ...)
 	{DLA-2859-1}
 	- zziplib 0.13.72+dfsg.1-1
-	[bullseye] - zziplib <no-dsa> (Minor issue)
+	[bullseye] - zziplib 0.13.62-3.3+deb11u1
 	[buster] - zziplib <no-dsa> (Minor issue)
 	NOTE: https://github.com/gdraheim/zziplib/issues/68
 	NOTE: https://github.com/gdraheim/zziplib/commit/ac9ae39ef419e9f0f83da1e583314d8c7cda34a6
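Review bot: the fixed version recorded for bullseye, 0.13.62-3.3+deb11u1, has an older upstream base than the v0.13.69 named in the CVE-2020-18442 description, so a reader could assume 0.13.62 predates the bug. A NOTE stating that the affected loop is already present in 0.13.62 would make the entry self-explanatory next to the existing commit reference.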


=====================================
data/next-point-update.txt
=====================================
@@ -1,153 +1,3 @@
-CVE-2021-42343
-	[bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1
-CVE-2021-41270
-	[bullseye] - symfony 4.4.19+dfsg-2+deb11u1
-CVE-2021-35604
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46667
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46662
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46659
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2022-24048
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2022-24050
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2022-24051
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2022-24052
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46661
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46663
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46664
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46665
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-46668
-	[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
-CVE-2021-44917
-	[bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1
-CVE-2021-45379
-	[bullseye] - glewlwyd 2.5.2-2+deb11u2
-CVE-2021-23177
-	[bullseye] - libarchive 3.4.3-2+deb11u1
-CVE-2021-31566
-	[bullseye] - libarchive 3.4.3-2+deb11u1
-CVE-2021-43808
-	[bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1
-CVE-2021-43617
-	[bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1
-CVE-2021-36980
-	[bullseye] - openvswitch 2.15.0+ds1-2+deb11u1
-CVE-2022-0155
-	[bullseye] - node-follow-redirects 1.13.1-1+deb11u1
-CVE-2022-0536
-	[bullseye] - node-follow-redirects 1.13.1-1+deb11u1
-CVE-2021-45115
-	[bullseye] - python-django 2:2.2.26-1~deb11u1
-CVE-2021-45116
-	[bullseye] - python-django 2:2.2.26-1~deb11u1
-CVE-2021-45452
-	[bullseye] - python-django 2:2.2.26-1~deb11u1
-CVE-2022-21670
-	[bullseye] - node-markdown-it 10.0.0+dfsg-2+deb11u1
-CVE-2022-20698
-	[bullseye] - clamav 0.103.5+dfsg-0+deb11u1
-CVE-2021-3997
-	[bullseye] - systemd 247.3-7
-CVE-2020-18442
-	[bullseye] - zziplib 0.13.62-3.3+deb11u1
-CVE-2022-0235
-	[bullseye] - node-fetch 2.6.1-5+deb11u1
-CVE-2021-40516
-	[bullseye] - weechat 3.0-1+deb11u1
-CVE-2021-23518
-	[bullseye] - node-cached-path-relative 1.0.2-1+deb11u1
-CVE-2021-44273
-	[bullseye] - e2guardian 5.3.4-1+deb11u1
-CVE-2021-46671
-	[bullseye] - atftp 0.7.git20120829-3.3+deb11u2
-CVE-2022-24130
-	[bullseye] - xterm 366-1+deb11u1
-CVE-2022-21814
-	[bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1
-CVE-2022-21813
-	[bullseye] - nvidia-graphics-drivers-tesla-450 450.172.01-1~deb11u1
-CVE-2021-3803
-	[bullseye] - node-nth-check 2.0.0-1+deb11u1
-CVE-2021-33623
-	[bullseye] - node-trim-newlines 3.0.0-1+deb11u1
-CVE-2022-23806
-	[bullseye] - golang-1.15 1.15.15-1~deb11u3
-CVE-2022-23772
-	[bullseye] - golang-1.15 1.15.15-1~deb11u3
-CVE-2022-23773
-	[bullseye] - golang-1.15 1.15.15-1~deb11u3
-CVE-2022-24921
-	[bullseye] - golang-1.15 1.15.15-1~deb11u4
-CVE-2021-4104
-	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
-CVE-2022-23302
-	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
-CVE-2022-23305
-	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
-CVE-2022-23307
-	[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
-CVE-2021-44832
-	[bullseye] - apache-log4j2 2.17.1-1~deb11u1
-CVE-2021-43396
-	[bullseye] - glibc 2.31-13+deb11u3
-CVE-2022-23218
-	[bullseye] - glibc 2.31-13+deb11u3
-CVE-2022-23219
-	[bullseye] - glibc 2.31-13+deb11u3
-CVE-2021-33574
-	[bullseye] - glibc 2.31-13+deb11u3
-CVE-2022-24953
-	[bullseye] - php-crypt-gpg 1.6.4-2+deb11u1
-CVE-2022-23647
-	[bullseye] - node-prismjs 1.23.0+dfsg-1+deb11u2
-CVE-2021-40874
-	[bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u1
-CVE-2022-0534
-	[bullseye] - htmldoc 1.9.11-4+deb11u2
-CVE-2022-22719
-	[bullseye] - apache2 2.4.53-1~deb11u1
-CVE-2022-22720
-	[bullseye] - apache2 2.4.53-1~deb11u1
-CVE-2022-22721
-	[bullseye] - apache2 2.4.53-1~deb11u1
-CVE-2022-23943
-	[bullseye] - apache2 2.4.53-1~deb11u1
-CVE-2021-37155
-	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
-CVE-2021-38597
-	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
-CVE-2021-44718
-	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
-CVE-2022-25638
-	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
-CVE-2022-25640
-	[bullseye] - wolfssl 4.6.0+p1-0+deb11u1
-CVE-2022-23308
-	[bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u1
-CVE-2021-0561
-	[bullseye] - flac 1.3.3-2+deb11u1
-CVE-2021-45005
-	[bullseye] - mujs 1.1.0-1+deb11u1
-CVE-2022-27240
-	[bullseye] - glewlwyd 2.5.2-2+deb11u3
-CVE-2021-46709
-	[bullseye] - phpliteadmin 1.9.8.2-1+deb11u1
-CVE-2021-33120
-	[bullseye] - intel-microcode 3.20220207.1~deb11u1
-CVE-2021-0145
-	[bullseye] - intel-microcode 3.20220207.1~deb11u1
-CVE-2021-0127
-	[bullseye] - intel-microcode 3.20220207.1~deb11u1
 CVE-2021-43861
 	[bullseye] - node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1
 CVE-2021-44906
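Review bot: this hunk removes 150 lines at once, and two packages appear in it with more than one fixed version: golang-1.15 has deb11u3 for CVE-2022-23806, CVE-2022-23772 and CVE-2022-23773 but deb11u4 for CVE-2022-24921, and glewlwyd has deb11u2 for CVE-2021-45379 but deb11u3 for CVE-2022-27240. Check that each CVE in data/CVE/list received the version listed here and not simply the package's latest one. CVE-2021-3997 (systemd 247.3-7) is the only removed entry without a deb11u suffix, so it deserves a second look that the version was carried over as written.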



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa3a45174391efb10f0e4b66248856ca9d971b32
