[Git][security-tracker-team/security-tracker][master] Track updates included for buster point release
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 26 10:21:46 GMT 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7f560f6e by Salvatore Bonaccorso at 2022-03-26T11:21:25+01:00
Track updates included for buster point release
- - - - -
2 changed files:
- data/CVE/list
- data/next-oldstable-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2414,7 +2414,7 @@ CVE-2022-0938 (Stored XSS via file upload in GitHub repository star7th/showdoc p
CVE-2021-46709 (phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows para ...)
- phpliteadmin 1.9.8.2-2
[bullseye] - phpliteadmin 1.9.8.2-1+deb11u1
- [buster] - phpliteadmin <no-dsa> (Minor issue)
+ [buster] - phpliteadmin 1.9.7.1-2+deb10u1
NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows
CVE-2022-26979
@@ -8701,6 +8701,7 @@ CVE-2022-0534 (A vulnerability was found in htmldoc version 1.9.15 where the sta
{DLA-2928-1}
- htmldoc 1.9.15-1 (unimportant)
[bullseye] - htmldoc 1.9.11-4+deb11u2
+ [buster] - htmldoc 1.9.3-1+deb10u3
NOTE: https://github.com/michaelrsweet/htmldoc/issues/463
NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/776cf0fc4c760f1fb7b966ce28dc92dd7d44ed50 (v1.9.15)
NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/312f0f9c12f26fbe015cd0e6cefa40e4b99017d9 (v1.9.15)
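Review bot: the unstable line keeps the (unimportant) severity while a buster fixed version is now recorded; that matches the other two htmldoc entries in this patch (CVE-2021-43579 and CVE-2021-40985), which are also (unimportant) with a "Crash in CLI tool, no security impact" NOTE and get the same 1.9.3-1+deb10u3 version. Worth checking that the deb10u3 changelog actually names CVE-2022-0534, since its upstream fixes are the two v1.9.15 commits in the NOTEs, newer than the v1.9.13 fixes cited for the other two.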
@@ -9382,7 +9383,7 @@ CVE-2022-0493
CVE-2021-46671 (options.c in atftp before 0.7.5 reads past the end of an array, and co ...)
- atftp 0.7.git20210915-1 (bug #1004974)
[bullseye] - atftp 0.7.git20120829-3.3+deb11u2
- [buster] - atftp <no-dsa> (Minor issue)
+ [buster] - atftp 0.7.git20120829-3.2~deb10u3
[stretch] - atftp <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5)
CVE-2022-24407 (In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does ...)
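Review bot: the buster version 0.7.git20120829-3.2~deb10u3 uses a tilde suffix while nearly every other buster entry in this patch uses +deb10uN. A ~deb10uN suffix denotes a rebuild of the 0.7.git20120829-3.2 Debian revision for buster (it sorts below 3.2 but above 3.1), whereas the bullseye line sits on the 3.3+deb11u2 revision line, so the two releases are tracked on different bases. Confirm the accepted buster upload really carries the 3.2~deb10u3 version string; a mistyped version here makes the tracker report buster as fixed at a version that does not exist.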
@@ -9911,6 +9912,7 @@ CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain l
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-25787
NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...)
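Review bot: the added buster line 1:10.3.34-0+deb10u1 has to cover every "Fixed in MariaDB" NOTE it is applied to in this patch: 10.3.34 for CVE-2021-46668, 46665, 46664, 46663 and 46661; 10.3.32 for CVE-2021-46667, 46662 and 35604; 10.3.33 for CVE-2021-46659 and the four CONNECT engine issues CVE-2022-24052, 24051, 24050 and 24048. All of these are at or below 10.3.34, so a single upstream-rebase upload resolves all of them. Each hunk places the new [buster] line directly after "mariadb-10.3 <removed>", which is the right spot, since the tracker associates a release line with the nearest preceding source package line.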
@@ -9918,6 +9920,7 @@ CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-26350
NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5
CVE-2021-46666 (MariaDB before 10.6.2 allows an application crash because of mishandli ...)
@@ -9933,6 +9936,7 @@ CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash b
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-25636
NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...)
@@ -9940,6 +9944,7 @@ CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-25761
NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...)
@@ -9947,6 +9952,7 @@ CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application cra
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-26351
NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...)
@@ -9954,6 +9960,7 @@ CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-25637
NOTE: https://jira.mariadb.org/browse/MDEV-22464
NOTE: Fixed in MariaDB: 10.3.32, 10.4.22, 10.5.13, 10.6.5
@@ -9962,6 +9969,7 @@ CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-25766
NOTE: Fixed in MariaDB: 10.7.3, 10.6.7, 10.5.15, 10.4.24, 10.3.34, 10.2.43
CVE-2021-4218
@@ -10341,7 +10349,7 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows a
{DLA-2913-1}
- xterm 370-2 (bug #1004689)
[bullseye] - xterm 366-1+deb11u1
- [buster] - xterm <no-dsa> (Minor issue)
+ [buster] - xterm 344-1+deb10u2
NOTE: https://twitter.com/nickblack/status/1487731459398025216
NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
@@ -10369,6 +10377,7 @@ CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it doe
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: https://jira.mariadb.org/browse/MDEV-25631
NOTE: Fixed in MariaDB: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2
CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an applica ...)
@@ -10627,6 +10636,7 @@ CVE-2022-24052 (MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privil
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-366/
CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalation Vuln ...)
@@ -10634,6 +10644,7 @@ CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalatio
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-318/
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-365/
@@ -10642,6 +10653,7 @@ CVE-2022-24050 (MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalati
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-364/
CVE-2022-24049 (This vulnerability allows remote attackers to execute arbitrary code o ...)
@@ -10651,6 +10663,7 @@ CVE-2022-24048 (MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privi
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-363/
CVE-2022-24047 (This vulnerability allows remote attackers to bypass authentication on ...)
@@ -13547,7 +13560,7 @@ CVE-2022-23309
CVE-2022-23308 (valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF ...)
- libxml2 2.9.13+dfsg-1 (bug #1006489)
[bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u1
- [buster] - libxml2 <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u3
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/issues/327
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12a858989b14eed4e84e453059cd3ba340e (v2.9.13)
CVE-2022-0266 (Authorization Bypass Through User-Controlled Key in Packagist remdex/l ...)
@@ -13560,7 +13573,7 @@ CVE-2022-23307 (CVE-2020-9493 identified a deserialization issue that was presen
{DLA-2905-1}
- apache-log4j1.2 1.2.17-11 (bug #1004482)
[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 <no-dsa> (Minor issue)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/5
CVE-2022-23306
RESERVED
@@ -13568,7 +13581,7 @@ CVE-2022-23305 (By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statem
{DLA-2905-1}
- apache-log4j1.2 1.2.17-11 (bug #1004482)
[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 <no-dsa> (Minor issue)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/4
CVE-2022-0263 (Unrestricted Upload of File with Dangerous Type in Packagist pimcore/p ...)
NOT-FOR-US: pimcore
@@ -13641,7 +13654,7 @@ CVE-2022-23302 (JMSSink in all versions of Log4j 1.x is vulnerable to deserializ
{DLA-2905-1}
- apache-log4j1.2 1.2.17-11 (bug #1004482)
[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 <no-dsa> (Minor issue)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2022/01/18/3
CVE-2022-22142 (Reflected cross-site scripting vulnerability in the checkbox of php_ma ...)
NOT-FOR-US: php_mailform
@@ -21621,7 +21634,7 @@ CVE-2021-4104 (JMSAppender in Log4j 1.2 is vulnerable to deserialization of untr
{DLA-2905-1}
- apache-log4j1.2 1.2.17-11
[bullseye] - apache-log4j1.2 1.2.17-10+deb11u1
- [buster] - apache-log4j1.2 <no-dsa> (Minor issue; JMSAppender not configured to be used by default)
+ [buster] - apache-log4j1.2 1.2.17-8+deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2021/12/13/1
NOTE: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126
NOTE: Issue for Log4j 1.2 when specifically configured to use JMSAppender (not the default)
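Review bot: the removed no-dsa line carried the rationale "JMSAppender not configured to be used by default"; that context survives in the last NOTE of the entry, so replacing it with the fixed version loses nothing. The same 1.2.17-8+deb10u2 version is used for the other three apache-log4j1.2 entries above (CVE-2022-23307, 23305 and 23302), consistent with one upload fixing all four.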
@@ -21632,7 +21645,7 @@ CVE-2021-44832 (Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding secur
{DLA-2870-1}
- apache-log4j2 2.17.1-1 (bug #1002813)
[bullseye] - apache-log4j2 2.17.1-1~deb11u1
- [buster] - apache-log4j2 <no-dsa> (Minor issue; requires attacker with permissions to modify the logging configuration file)
+ [buster] - apache-log4j2 2.17.1-1~deb10u1
NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-44832
NOTE: https://issues.apache.org/jira/browse/LOG4J2-3293
NOTE: https://lists.apache.org/thread/s1o5vlo78ypqxnzn6p8zf6t9shtq5143
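Review bot: the removed buster line was the only place recording why this issue was not DSA-worthy ("requires attacker with permissions to modify the logging configuration file"); unlike the CVE-2021-4104 entry just above, no NOTE preserves it. Consider re-adding that rationale as a NOTE line, since it remains useful when triaging derivative reports. Version-wise, 2.17.1-1~deb10u1 follows the same rebuild pattern as the bullseye 2.17.1-1~deb11u1 line.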
@@ -22620,7 +22633,7 @@ CVE-2021-44543 (An XSS vulnerability was found in Privoxy which was fixed in cgi
{DLA-2844-1}
- privoxy 3.0.33-1
[bullseye] - privoxy 3.0.32-2+deb11u1
- [buster] - privoxy <no-dsa> (Minor issue)
+ [buster] - privoxy 3.0.28-2+deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1
NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=0e668e9409cbf4ab8bf2d79be204bd4e81a00d85 (v_3_0_33)
CVE-2021-44542 (A memory leak vulnerability was found in Privoxy when handling errors. ...)
@@ -22641,7 +22654,7 @@ CVE-2021-44540 (A vulnerability was found in Privoxy which was fixed in get_url_
{DLA-2844-1}
- privoxy 3.0.33-1
[bullseye] - privoxy 3.0.32-2+deb11u1
- [buster] - privoxy <no-dsa> (Minor issue)
+ [buster] - privoxy 3.0.28-2+deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2021/12/09/1
NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=652b4b7cb07592c0912cf938a50fcd009fa29a0a (v_3_0_33)
CVE-2021-43353 (The Crisp Live Chat WordPress plugin is vulnerable to Cross-Site Reque ...)
@@ -23566,7 +23579,7 @@ CVE-2021-4024 (A flaw was found in podman. The `podman machine` function (used t
NOTE: Fixed by: https://github.com/containers/podman/commit/57c5e2246efeaf2fef820a482241f1cc43960c7a (v3.4.3)
CVE-2021-44227 (In GNU Mailman before 2.1.38, a list member or moderator can get a CSR ...)
- mailman <removed>
- [buster] - mailman <no-dsa> (Minor issue)
+ [buster] - mailman 1:2.1.29-1+deb10u4
[stretch] - mailman <no-dsa> (Minor issue; can be fixed with the next DLA)
NOTE: https://bugs.launchpad.net/mailman/+bug/1952384
NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt
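Review bot: this CVE gets 1:2.1.29-1+deb10u4 while CVE-2021-43332 and CVE-2021-43331 further down get 1:2.1.29-1+deb10u3. That is consistent if deb10u3 fixed the two older CSRF issues and deb10u4 the later one, but since both uploads land in the same point release, verify that the changelogs assign the CVE ids that way rather than all three to deb10u4. The stretch line ("can be fixed with the next DLA") is unaffected by this change.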
@@ -26379,7 +26392,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 ha
{DLA-2837-1}
- gmp 2:6.2.1+dfsg-3 (bug #994405)
[bullseye] - gmp 2:6.2.1+dfsg-1+deb11u1
- [buster] - gmp <no-dsa> (Minor issue)
+ [buster] - gmp 2:6.1.2+dfsg-4+deb10u1
NOTE: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...)
@@ -26490,6 +26503,7 @@ CVE-2021-43579 (A stack-based buffer overflow in image_load_bmp() in HTMLDOC <
{DLA-2928-1}
- htmldoc 1.9.13-1 (unimportant)
[bullseye] - htmldoc 1.9.11-4+deb11u1
+ [buster] - htmldoc 1.9.3-1+deb10u3
NOTE: https://github.com/michaelrsweet/htmldoc/commit/27d08989a5a567155d506ac870ae7d8cc88fa58b (v1.9.13)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/453
NOTE: Crash in CLI tool, no security impact
@@ -27251,13 +27265,13 @@ CVE-2021-43333 (The Datalogic DXU service on (for example) DL-Axist devices does
NOT-FOR-US: Datalogic
CVE-2021-43332 (In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py ad ...)
- mailman <removed> (bug #1000367)
- [buster] - mailman <no-dsa> (Minor issue)
+ [buster] - mailman 1:2.1.29-1+deb10u3
[stretch] - mailman <no-dsa> (Minor issue)
NOTE: https://mail.python.org/archives/list/mailman-announce@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
NOTE: https://bugs.launchpad.net/mailman/+bug/1949403
CVE-2021-43331 (In GNU Mailman before 2.1.36, a crafted URL to the Cgi/options.py user ...)
- mailman <removed> (bug #1000367)
- [buster] - mailman <no-dsa> (Minor issue)
+ [buster] - mailman 1:2.1.29-1+deb10u3
[stretch] - mailman <no-dsa> (Minor issue)
NOTE: https://mail.python.org/archives/list/mailman-announce@python.org/message/I2X7PSFXIEPLM3UMKZMGOEO3UFYETGRL/
NOTE: https://bugs.launchpad.net/mailman/+bug/1949401
@@ -28312,7 +28326,7 @@ CVE-2022-20699 (Multiple vulnerabilities in Cisco Small Business RV160, RV260, R
CVE-2022-20698 (A vulnerability in the OOXML parsing module in Clam AntiVirus (ClamAV) ...)
- clamav 0.103.5+dfsg-1
[bullseye] - clamav 0.103.5+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.5+dfsg-0+deb10u1
[stretch] - clamav <postponed> (Minor issue; clean crash; follow stable updates)
NOTE: https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
NOTE: https://github.com/Cisco-Talos/clamav/commit/9a6bb57f89721db637f4ddb5b233c1c4e23d223a (0.103.5)
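Review bot: the removed line said buster clamav is updated via -updates, so the fixed package may have been available in buster-updates before the point release; recording 0.103.5+dfsg-0+deb10u1 here (the same upstream as the bullseye deb11u1 line) ties the fix to a concrete version, which is fine as long as that is the version string that actually shipped. The stretch <postponed> line ("follow stable updates") is left as is.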
@@ -35265,6 +35279,7 @@ CVE-2021-40985 (A stack-based buffer under-read in htmldoc before 1.9.12, allows
{DLA-2928-1}
- htmldoc 1.9.13-1 (unimportant)
[bullseye] - htmldoc 1.9.11-4+deb11u1
+ [buster] - htmldoc 1.9.3-1+deb10u3
NOTE: https://github.com/michaelrsweet/htmldoc/issues/444
NOTE: https://github.com/michaelrsweet/htmldoc/commit/f12b9666e582a8e7b70f11b28e5ffc49ad625d43 (v1.9.13)
NOTE: Crash in CLI tool, no security impact
@@ -35509,7 +35524,7 @@ CVE-2021-40874 [RESTServer pwdConfirm always returns true with Combination + Ker
[experimental] - lemonldap-ng 2.0.14~exp+ds-1
- lemonldap-ng 2.0.14+ds-1 (bug #1005302)
[bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u1
- [buster] - lemonldap-ng <no-dsa> (Minor issue)
+ [buster] - lemonldap-ng 2.0.2+ds-7+deb10u7
[stretch] - lemonldap-ng <no-dsa> (Minor issue)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8f754812b375768c2124937137c856fe0c
@@ -35551,7 +35566,7 @@ CVE-2021-3796 (vim is vulnerable to Use After Free ...)
{DLA-2876-1}
- vim 2:8.2.3455-1 (bug #994497)
[bullseye] - vim 2:8.2.2434-3+deb11u1
- [buster] - vim <no-dsa> (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
NOTE: https://huntr.dev/bounties/ab60b7f3-6fb1-4ac2-a4fa-4d592e08008d/
NOTE: https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3 (v8.2.3428)
NOTE: https://www.openwall.com/lists/oss-security/2021/10/01/1
@@ -36005,7 +36020,7 @@ CVE-2021-3778 (vim is vulnerable to Heap-based Buffer Overflow ...)
{DLA-2876-1}
- vim 2:8.2.3455-1 (bug #994498)
[bullseye] - vim 2:8.2.2434-3+deb11u1
- [buster] - vim <no-dsa> (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
NOTE: https://huntr.dev/bounties/d9c17308-2c99-4f9f-a706-f7f72c24c273
NOTE: https://github.com/vim/vim/commit/65b605665997fad54ef39a93199e305af2fe4d7f (v8.2.3409)
NOTE: https://www.openwall.com/lists/oss-security/2021/10/01/1
@@ -36431,14 +36446,14 @@ CVE-2021-40516 (WeeChat before 3.2.1 allows remote attackers to cause a denial o
{DLA-2770-1}
- weechat 3.2.1-1 (bug #993803)
[bullseye] - weechat 3.0-1+deb11u1
- [buster] - weechat <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - weechat 2.3-1+deb10u1
NOTE: https://github.com/weechat/weechat/commit/8b1331f98de1714bae15a9ca2e2b393ba49d735b
CVE-2021-40515
RESERVED
CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...)
- vim 2:8.2.3455-1 (bug #994076)
[bullseye] - vim 2:8.2.2434-3+deb11u1
- [buster] - vim <no-dsa> (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
[stretch] - vim <not-affected> (Vulnerable code not present)
NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/
NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402)
@@ -36760,7 +36775,7 @@ CVE-2021-40391 (An out-of-bounds write vulnerability exists in the drill format
{DLA-2839-1}
- gerbv 2.7.1-1
[bullseye] - gerbv 2.7.0-2+deb11u1
- [buster] - gerbv <no-dsa> (Minor issue)
+ [buster] - gerbv 2.7.0-1+deb10u1
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1402
NOTE: https://github.com/gerbv/gerbv/commit/9f83950b772b37b49ee188300e444546e6aab17e
NOTE: https://github.com/gerbv/gerbv/issues/30
@@ -37872,13 +37887,13 @@ CVE-2021-39930 (Missing authorization in GitLab EE versions between 12.4 and 14.
CVE-2021-39929 (Uncontrolled Recursion in the Bluetooth DHT dissector in Wireshark 3.4 ...)
{DSA-5019-1 DLA-2849-1}
- wireshark 3.6.0-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17651
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-07.html
CVE-2021-39928 (NULL pointer exception in the IEEE 802.11 dissector in Wireshark 3.4.0 ...)
{DSA-5019-1 DLA-2849-1}
- wireshark 3.6.0-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17704
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-13.html
CVE-2021-39927 (Server side request forgery protections in GitLab CE/EE versions betwe ...)
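Review bot: these entries carry {DSA-5019-1 DLA-2849-1} yet had a <no-dsa> buster line, meaning the DSA covered bullseye only and buster is fixed here through the point-release version 2.6.20-0+deb10u3; the same pattern applies to all ten wireshark CVEs in this patch. Since 2.6.20 is a much older branch than the 3.4.x/3.6.x fixes cited in the NOTEs, each upstream issue should be traceable in the deb10u3 changelog as an explicitly backported fix rather than assumed fixed by a version bump.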
@@ -37899,25 +37914,25 @@ CVE-2021-39925 (Buffer overflow in the Bluetooth SDP dissector in Wireshark 3.4.
CVE-2021-39924 (Large loop in the Bluetooth DHT dissector in Wireshark 3.4.0 to 3.4.9 ...)
{DSA-5019-1 DLA-2849-1}
- wireshark 3.6.0-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17677
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-10.html
CVE-2021-39923 (Large loop in the PNRP dissector in Wireshark 3.4.0 to 3.4.9 and 3.2.0 ...)
{DSA-5019-1 DLA-2849-1}
- wireshark 3.6.0-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17684
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-11.html
CVE-2021-39922 (Buffer overflow in the C12.22 dissector in Wireshark 3.4.0 to 3.4.9 an ...)
{DSA-5019-1 DLA-2849-1}
- wireshark 3.6.0-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17636
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-12.html
CVE-2021-39921 (NULL pointer exception in the Modbus dissector in Wireshark 3.4.0 to 3 ...)
{DSA-5019-1 DLA-2849-1}
- wireshark 3.6.0-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17703
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-14.html
CVE-2021-39920 (NULL pointer exception in the IPPUSB dissector in Wireshark 3.4.0 to 3 ...)
@@ -40802,7 +40817,7 @@ CVE-2021-38714 (In Plib through 1.85, there is an integer overflow vulnerability
{DLA-2775-1}
- plib 1.8.5-10 (bug #992973)
[bullseye] - plib 1.8.5-8+deb11u1
- [buster] - plib <no-dsa> (Minor issue)
+ [buster] - plib 1.8.5-8+deb10u1
NOTE: https://sourceforge.net/p/plib/bugs/55/
CVE-2021-38713 (imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header. ...)
NOT-FOR-US: imgURL
@@ -44907,7 +44922,7 @@ CVE-2021-37146 (An infinite loop in Open Robotics ros_comm XMLRPC server in ROS
[experimental] - ros-ros-comm 1.15.13+ds1-1
- ros-ros-comm 1.15.13+ds1-2
[bullseye] - ros-ros-comm 1.15.9+ds1-7+deb11u1
- [buster] - ros-ros-comm <no-dsa> (Minor issue)
+ [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u3
[stretch] - ros-ros-comm <no-dsa> (Minor issue)
NOTE: https://discourse.ros.org/t/new-packages-for-melodic-2021-09-27/22446
NOTE: https://discourse.ros.org/t/new-packages-for-noetic-2021-09-27/22447
@@ -48557,7 +48572,7 @@ CVE-2021-35604 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 1:10.5.15-0+deb11u1
- mariadb-10.3 <removed>
- [buster] - mariadb-10.3 <no-dsa> (Minor issue)
+ [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
- mysql-8.0 <unfixed>
- mysql-5.7 <removed>
NOTE: Fixed in MariaDB: 10.5.13, 10.3.32
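Review bot: this is the only mariadb entry in the patch that previously had an explicit <no-dsa> buster line; replacing it with 1:10.3.34-0+deb10u1 agrees with the NOTE "Fixed in MariaDB: 10.5.13, 10.3.32". The mysql-8.0 <unfixed> and mysql-5.7 <removed> lines are untouched, which is expected since the change only concerns the mariadb-10.3 package in buster.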
@@ -51060,7 +51075,7 @@ CVE-2021-34553 (Sonatype Nexus Repository Manager 3.x before 3.31.0 allows a rem
CVE-2021-34552 (Pillow through 8.2.0 and PIL (aka Python Imaging Library) through 1.1. ...)
{DLA-2716-1}
- pillow 8.1.2+dfsg-0.3 (bug #991293)
- [buster] - pillow <no-dsa> (Minor issue, mitigated by FORTIFY_SOURCE)
+ [buster] - pillow 5.4.1-2+deb10u3
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.3.0.html#buffer-overflow
NOTE: https://github.com/python-pillow/Pillow/pull/5567
NOTE: https://github.com/python-pillow/Pillow/commit/31c473898c29d1b7cb6555ce67d9503a4906b83f (8.3.0)
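Review bot: 5.4.1-2+deb10u3 is applied to ten pillow CVEs in this patch (CVE-2021-34552, 28678, 28677, 27923, 27922, 27921, 25292, 25290, CVE-2020-35655 and 35653) whose upstream fixes range from 8.1.0 to 8.3.0, all backported onto 5.4.1. The removed rationale for this one, "mitigated by FORTIFY_SOURCE", is dropped rather than kept as a NOTE; a fixed-version line is the stronger statement, so that is acceptable provided the deb10u3 changelog lists CVE-2021-34552 explicitly.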
@@ -54524,7 +54539,7 @@ CVE-2021-33121
CVE-2021-33120 (Out of bounds read under complex microarchitectural condition in memor ...)
- intel-microcode 3.20220207.1
[bullseye] - intel-microcode 3.20220207.1~deb11u1
- [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release)
+ [buster] - intel-microcode 3.20220207.1~deb10u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html
CVE-2021-33119 (Improper access control in the Intel(R) RealSense(TM) DCM before versi ...)
NOT-FOR-US: Intel
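Review bot: the removed <postponed> line conditioned the buster fix on the microcode being "exposed in unstable"; the unstable line above records 3.20220207.1, so that condition is met, and the new 3.20220207.1~deb10u1 mirrors the bullseye ~deb11u1 rebuild. Nothing else to flag.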
@@ -66325,7 +66340,7 @@ CVE-2021-28679
CVE-2021-28678 (An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImage ...)
[experimental] - pillow 8.2.0-1
- pillow 8.1.2+dfsg-0.2 (bug #989062)
- [buster] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
[stretch] - pillow <not-affected> (Vulnerable code introduced later)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
NOTE: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
@@ -66333,7 +66348,7 @@ CVE-2021-28677 (An issue was discovered in Pillow before 8.2.0. For EPS data, th
{DLA-2716-1}
[experimental] - pillow 8.2.0-1
- pillow 8.1.2+dfsg-0.2 (bug #989062)
- [buster] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
NOTE: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
CVE-2021-28676 (An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecod ...)
@@ -67589,31 +67604,31 @@ CVE-2020-36282 (JMS Client for RabbitMQ 1.x before 1.15.2 and 2.x before 2.2.0 i
CVE-2020-36281 (Leptonica before 1.80.0 allows a heap-based buffer over-read in pixFew ...)
{DLA-2612-1}
- leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib <no-dsa> (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22140
NOTE: https://github.com/DanBloomberg/leptonica/commit/5ee24b398bb67666f6d173763eaaedd9c36fb1e5
CVE-2020-36280 (Leptonica before 1.80.0 allows a heap-based buffer over-read in pixRea ...)
- leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib <no-dsa> (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
[stretch] - leptonlib <not-affected> (Vulnerable code introduced later)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23654
NOTE: https://github.com/DanBloomberg/leptonica/commit/5ba34b1fe741d69d43a6c8cf767756997eadd87c
CVE-2020-36279 (Leptonica before 1.80.0 allows a heap-based buffer over-read in raster ...)
{DLA-2612-1}
- leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib <no-dsa> (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22512
NOTE: https://github.com/DanBloomberg/leptonica/commit/3c18c43b6a3f753f0dfff99610d46ad46b8bfac4
CVE-2020-36278 (Leptonica before 1.80.0 allows a heap-based buffer over-read in findNe ...)
{DLA-2612-1}
- leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib <no-dsa> (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23433
NOTE: https://github.com/DanBloomberg/leptonica/commit/8d6e1755518cfb98536d6c3daf0601f226d16842
CVE-2020-36277 (Leptonica before 1.80.0 allows a denial of service (application crash) ...)
{DLA-2612-1}
- leptonlib 1.79.0-1.1 (bug #985089)
- [buster] - leptonlib <no-dsa> (Minor issue)
+ [buster] - leptonlib 1.76.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21997
NOTE: https://github.com/DanBloomberg/leptonica/pull/499
CVE-2016-20009 (** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer overfl ...)
@@ -68240,19 +68255,19 @@ CVE-2021-27924 (An issue was discovered in Couchbase Server 6.x through 6.6.1. T
NOT-FOR-US: Couchbase Server
CVE-2021-27923 (Pillow before 8.1.1 allows attackers to cause a denial of service (mem ...)
- pillow 8.1.2-1
- [buster] - pillow <ignored> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
[stretch] - pillow <ignored> (Minor issue, risk of regression, _decompression_bomb_check only warned, see CVE-2019-16865)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
NOTE: https://github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973
CVE-2021-27922 (Pillow before 8.1.1 allows attackers to cause a denial of service (mem ...)
- pillow 8.1.2-1
- [buster] - pillow <ignored> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
[stretch] - pillow <ignored> (Minor issue, risk of regression, _decompression_bomb_check only warned, see CVE-2019-16865)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
NOTE: https://github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973
CVE-2021-27921 (Pillow before 8.1.1 allows attackers to cause a denial of service (mem ...)
- pillow 8.1.2-1
- [buster] - pillow <ignored> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
[stretch] - pillow <not-affected> (Vulnerable code introduced later)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.2.html
NOTE: https://github.com/python-pillow/Pillow/commit/756fff33128a0b643d10518a26ad04b726dd8973
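Review bot: CVE-2021-27923, CVE-2021-27922 and CVE-2021-27921 were previously <ignored> for buster, and the stretch lines keep <ignored> with the rationale that _decompression_bomb_check only warned and that the fix (commit 756fff33) carries a regression risk. Flipping buster from <ignored> to fixed in 5.4.1-2+deb10u3 is only right if that commit was really included in the upload; if deb10u3 fixes only the other pillow CVEs, these three should stay <ignored>, or a NOTE should explain the changed assessment.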
@@ -74852,7 +74867,7 @@ CVE-2021-25293 (An issue was discovered in Pillow before 8.1.1. There is an out-
NOTE: Introduced in https://github.com/python-pillow/Pillow/commit/a90dc4910045f5c6c119b582d4fd2e4841cd51f8 (v4.3.0)
CVE-2021-25292 (An issue was discovered in Pillow before 8.1.1. The PDF parser allows ...)
- pillow 8.1.1-1
- [buster] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
[stretch] - pillow <not-affected> (Vulnerable code introduced later)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
NOTE: https://github.com/python-pillow/Pillow/commit/521dab94c7ab72b037bd9a83e9663401e0fd2cee
@@ -74867,7 +74882,7 @@ CVE-2021-25291 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c,
CVE-2021-25290 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there ...)
{DLA-2716-1}
- pillow 8.1.1-1
- [buster] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
NOTE: https://github.com/python-pillow/Pillow/commit/e25be1e33dc526bfd1094bc778a54d8e29bf66c9
CVE-2021-25289 (An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap- ...)
@@ -74946,7 +74961,7 @@ CVE-2021-XXXX [Unexpected database bindings via requests (follow-up)]
CVE-2021-21263 (Laravel is a web application framework. Versions of Laravel before 6.2 ...)
- php-laravel-framework 6.20.11+dfsg-1 (bug #980095)
- php-illuminate-database <removed> (bug #980899)
- [buster] - php-illuminate-database <no-dsa> (Minor issue)
+ [buster] - php-illuminate-database 5.7.27-1+deb10u1
NOTE: https://blog.laravel.com/security-laravel-62011-7302-8221-released
NOTE: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
NOTE: https://github.com/laravel/framework/pull/35865
@@ -81877,7 +81892,7 @@ CVE-2021-22235 (Crash in DNP dissector in Wireshark 3.4.0 to 3.4.6 and 3.2.0 to
{DSA-5019-1 DLA-2849-1}
[experimental] - wireshark 3.4.7-1~exp1
- wireshark 3.4.7-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-06.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17462
NOTE: Regression fix: https://gitlab.com/wireshark/wireshark/-/merge_requests/3616
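Review bot: the NOTE "Regression fix: .../merge_requests/3616" belongs to the upstream fix for this CVE; once buster is recorded as fixed in 2.6.20-0+deb10u3, the regression fix should be part of the same upload, otherwise buster trades the dissector crash for the regression. Worth confirming in the deb10u3 changelog.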
@@ -81949,7 +81964,7 @@ CVE-2021-22207 (Excessive memory consumption in MS-WSP dissector in Wireshark 3.
{DSA-5019-1 DLA-2849-1}
[experimental] - wireshark 3.4.6-1~exp1
- wireshark 3.4.7-1 (bug #987853)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u3
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17331
NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-04.html
@@ -85091,7 +85106,7 @@ CVE-2020-35656 (Jaws through 1.8.0 allows remote authenticated administrators to
NOT-FOR-US: Jaws
CVE-2020-35655 (In Pillow before 8.1.0, SGIRleDecode has a 4-byte buffer over-read whe ...)
- pillow 8.1.0-1
- [buster] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
[stretch] - pillow <not-affected> (Vulnerable code introduced later)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
NOTE: https://github.com/python-pillow/Pillow/pull/5173
@@ -85108,7 +85123,7 @@ CVE-2020-35654 (In Pillow before 8.1.0, TiffDecode has a heap-based buffer overf
CVE-2020-35653 (In Pillow before 8.1.0, PcxDecode has a buffer over-read when decoding ...)
{DLA-2716-1}
- pillow 8.1.0-1
- [buster] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow 5.4.1-2+deb10u3
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.0.html#security
NOTE: https://github.com/python-pillow/Pillow/pull/5174
NOTE: https://github.com/python-pillow/Pillow/commit/2f409261eb1228e166868f8f0b5da5cda52e55bf
@@ -95640,14 +95655,14 @@ CVE-2020-28601 (A code execution vulnerability exists in the Nef polygon-parsing
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
CVE-2020-28600 (An out-of-bounds write vulnerability exists in the import_stl.cc:impor ...)
- openscad 2021.01-1 (bug #996020)
- [buster] - openscad <no-dsa> (Minor issue)
+ [buster] - openscad 2019.01~RC2-2+deb10u1
[stretch] - openscad <not-affected> (Vulnerable code introduced later)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1224
NOTE: introduced at https://github.com/openscad/openscad/commit/25ec72ce0770115ad62c17fe10ee7464ac256391
NOTE: vulnerable code removed at https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874
CVE-2020-28599 (A stack-based buffer overflow vulnerability exists in the import_stl.c ...)
- openscad 2021.01-1 (bug #996020)
- [buster] - openscad <no-dsa> (Minor issue)
+ [buster] - openscad 2019.01~RC2-2+deb10u1
[stretch] - openscad <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1223
NOTE: https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874
@@ -98173,7 +98188,7 @@ CVE-2020-28283 (Prototype pollution vulnerability in 'libnested' versions 0.0.0
CVE-2020-28282 (Prototype pollution vulnerability in 'getobject' version 0.1.0 allows ...)
- node-getobject 1.0.2-1
[bullseye] - node-getobject 0.1.0-2+deb11u1
- [buster] - node-getobject <no-dsa> (Minor issue)
+ [buster] - node-getobject 0.1.0-2+deb10u1
[stretch] - node-getobject <no-dsa> (Minor issue)
NOTE: https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0)
CVE-2020-28281 (Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 ...)
@@ -100249,7 +100264,7 @@ CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for
CVE-2021-0145 (Improper initialization of shared resources in some Intel(R) Processor ...)
- intel-microcode 3.20220207.1
[bullseye] - intel-microcode 3.20220207.1~deb11u1
- [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release)
+ [buster] - intel-microcode 3.20220207.1~deb10u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html
NOTE: https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/fast-store-forwarding-predictor.html
CVE-2021-0144 (Insecure default variable initialization for the Intel BSSA DFT featur ...)
@@ -100295,7 +100310,7 @@ CVE-2021-0128
CVE-2021-0127 (Insufficient control flow management in some Intel(R) Processors may a ...)
- intel-microcode 3.20220207.1
[bullseye] - intel-microcode 3.20220207.1~deb11u1
- [buster] - intel-microcode <postponed> (Wait until exposed in unstable; tendency point release)
+ [buster] - intel-microcode 3.20220207.1~deb10u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207
CVE-2021-0126
@@ -103103,19 +103118,19 @@ CVE-1999-0199 (manual/search.texi in the GNU C Library (aka glibc) before 2.2 la
CVE-2020-26572 (The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a ...)
{DLA-2832-1}
- opensc 0.21.0-1 (bug #972035)
- [buster] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967
NOTE: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817 (0.21.0-rc1)
CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 ...)
{DLA-2832-1}
- opensc 0.21.0-1 (bug #972036)
- [buster] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612
NOTE: https://github.com/OpenSC/OpenSC/commit/ed55fcd2996930bf58b9bb57e9ba7b1f3a753c43 (0.21.0-rc1)
CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...)
{DLA-2832-1}
- opensc 0.21.0-1 (bug #972037)
- [buster] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316
NOTE: https://github.com/OpenSC/OpenSC/commit/6903aebfddc466d966c7b865fae34572bf3ed23e (0.21.0-rc1)
CVE-2020-26569 (In EVPN VxLAN setups in Arista EOS, specific malformed packets can lea ...)
@@ -105213,7 +105228,7 @@ CVE-2020-25713 (A malformed input file can lead to a segfault due to an out of b
{DLA-2846-1}
- raptor <removed>
- raptor2 2.0.14-1.2 (bug #974664)
- [buster] - raptor2 <no-dsa> (Minor issue)
+ [buster] - raptor2 2.0.14-1.1~deb10u2
NOTE: https://bugs.librdf.org/mantis/view.php?id=650
CVE-2020-25712 (A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer over ...)
{DSA-4803-1 DLA-2486-1}
@@ -105295,7 +105310,7 @@ CVE-2020-25694 (A flaw was found in PostgreSQL versions before 13.1, before 12.5
CVE-2020-25693 (A flaw was found in CImg in versions prior to 2.9.3. Integer overflows ...)
{DLA-2462-1}
- cimg 2.9.4+dfsg-2 (bug #973770)
- [buster] - cimg <no-dsa> (Minor issue)
+ [buster] - cimg 2.4.5+dfsg-1+deb10u1
NOTE: https://github.com/dtschump/CImg/pull/295
NOTE: https://bugs.launchpad.net/ubuntu/+source/cimg/+bug/1900983
NOTE: Fixed by: https://github.com/dtschump/CImg/commit/4f184f89f9ab6785a6c90fd238dbaa6d901d3505
@@ -121225,7 +121240,7 @@ CVE-2020-18442 (Infinite Loop in zziplib v0.13.69 allows remote attackers to cau
{DLA-2859-1}
- zziplib 0.13.72+dfsg.1-1
[bullseye] - zziplib 0.13.62-3.3+deb11u1
- [buster] - zziplib <no-dsa> (Minor issue)
+ [buster] - zziplib 0.13.62-3.2+deb10u1
NOTE: https://github.com/gdraheim/zziplib/issues/68
NOTE: https://github.com/gdraheim/zziplib/commit/ac9ae39ef419e9f0f83da1e583314d8c7cda34a6
NOTE: https://github.com/gdraheim/zziplib/commit/7e786544084548da7fcfcd9090d3c4e7f5777f7e
@@ -126189,7 +126204,7 @@ CVE-2020-16118 (In GNOME Balsa before 2.6.0, a malicious server operator or man
CVE-2020-16117 (In GNOME evolution-data-server before 3.35.91, a malicious server can ...)
{DLA-2309-1}
- evolution-data-server 3.36.0-1
- [buster] - evolution-data-server <no-dsa> (Minor issue)
+ [buster] - evolution-data-server 3.30.5-1+deb10u2
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/2cc39592b532cf0dc994fd3694b8e6bf924c9ab5
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/commit/627c3cdbfd077e59aa288c85ff8272950577f1d7
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/-/issues/189
@@ -126731,7 +126746,7 @@ CVE-2020-15954 (KDE KMail 19.12.3 (aka 5.13.3) engages in unencrypted POP3 commu
CVE-2020-15953 (LibEtPan through 1.9.4, as used in MailCore 2 through 0.6.3 and other ...)
{DLA-2329-1}
- libetpan 1.9.4-3 (bug #966647)
- [buster] - libetpan <no-dsa> (Minor issue)
+ [buster] - libetpan 1.9.3-2+deb10u1
NOTE: https://github.com/dinhvh/libetpan/issues/386
NOTE: https://github.com/dinhvh/libetpan/pull/387
NOTE: https://github.com/dinhvh/libetpan/pull/388
@@ -133261,7 +133276,7 @@ CVE-2019-20808 (In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI V
CVE-2019-20807 (In Vim before 8.1.0881, users can circumvent the rvim restricted mode ...)
{DLA-2876-1}
- vim 2:8.1.2136-1
- [buster] - vim <no-dsa> (Minor issue)
+ [buster] - vim 2:8.1.0875-5+deb10u1
[jessie] - vim <no-dsa> (Minor issue)
NOTE: https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075
CVE-2020-13644 (An issue was discovered in the Accordion plugin before 2.2.9 for WordP ...)
@@ -135722,7 +135737,7 @@ CVE-2020-12689 (An issue was discovered in OpenStack Keystone before 15.0.1, and
CVE-2020-12672 (GraphicsMagick through 1.3.35 has a heap-based buffer overflow in Read ...)
{DLA-2902-1 DLA-2236-1}
- graphicsmagick 1.4+really1.3.35-2 (bug #960000)
- [buster] - graphicsmagick <postponed> (Minor issue; can be fixed along in future DSA)
+ [buster] - graphicsmagick 1.4+really1.3.35-1~deb10u2
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19025
NOTE: Fixed by: https://sourceforge.net/p/graphicsmagick/code/ci/50395430a37188d0d197e71bd85ed6dd0f649ee3/
CVE-2020-12671
@@ -136309,7 +136324,7 @@ CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in qemu/qe
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828190
CVE-2019-20792 (OpenSC before 0.20.0 has a double free in coolkey_free_private_data be ...)
- opensc 0.20.0-1 (low)
- [buster] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
[stretch] - opensc <not-affected> (Coolkey driver added in 0.17.0)
[jessie] - opensc <postponed> (Minor issue but can be worth fixing later)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208
@@ -136912,7 +136927,7 @@ CVE-2020-12269
CVE-2020-12268 (jbig2_image_compose in jbig2_image.c in Artifex jbig2dec before 0.18 h ...)
{DLA-2796-1}
- jbig2dec 0.18-1
- [buster] - jbig2dec <no-dsa> (Minor issue)
+ [buster] - jbig2dec 0.16-1+deb10u1
[jessie] - jbig2dec <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20332
NOTE: https://github.com/ArtifexSoftware/jbig2dec/commit/0726320a4b55078e9d8deb590e477d598b3da66e
@@ -144849,7 +144864,7 @@ CVE-2020-10002 (A logic issue was addressed with improved state management. This
CVE-2020-10001 (An input validation issue was addressed with improved memory handling. ...)
{DLA-2800-1}
- cups 2.3.3op2-1
- [buster] - cups <no-dsa> (Minor issue)
+ [buster] - cups 2.2.10-6+deb10u5
NOTE: https://github.com/OpenPrinting/cups/commit/efbea1742bd30f842fbbfb87a473e5c84f4162f9 (v2.3.3op2)
CVE-2020-10000
RESERVED
@@ -144868,12 +144883,12 @@ CVE-2020-9761 (An issue was discovered in UNCTAD ASYCUDA World 2001 through 2020
CVE-2020-9760 (An issue was discovered in WeeChat before 2.7.1 (0.3.4 to 2.7 are affe ...)
{DLA-2770-1 DLA-2157-1}
- weechat 2.7.1-1
- [buster] - weechat <no-dsa> (Minor issue)
+ [buster] - weechat 2.3-1+deb10u1
NOTE: https://github.com/weechat/weechat/commit/694b5c9f874d7337cd2e03761e0de435275dd64d
CVE-2020-9759 (A Vulnerability of LG Electronic web OS TV Emulator could allow an att ...)
{DLA-2770-1 DLA-2157-1}
- weechat 2.7.1-1
- [buster] - weechat <no-dsa> (Minor issue)
+ [buster] - weechat 2.3-1+deb10u1
NOTE: https://github.com/weechat/weechat/commit/c827d6fa864e2c0b79cea640c45272e83703081e
CVE-2020-9758 (An issue was discovered in chat.php in LiveZilla Live Chat 8.0.1.3 (He ...)
NOT-FOR-US: LiveZilla Live Chat
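Review bot: the description on the CVE-2020-9759 line is about the LG webOS TV Emulator, yet the entry tracks weechat with the same DLA references and a weechat commit as its fix. The buster change itself is consistent with CVE-2020-9760 above and CVE-2020-8955 below, but a NOTE line explaining the ID mismatch (for instance that the weechat upstream advisory uses this ID) would stop the next reader from assuming the entry is misfiled.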
@@ -146790,7 +146805,7 @@ CVE-2020-8956 (Pulse Secure Desktop Client 9.0Rx before 9.0R5 and 9.1Rx before 9
CVE-2020-8955 (irc_mode_channel_update in plugins/irc/irc-mode.c in WeeChat through 2 ...)
{DLA-2770-1 DLA-2157-1}
- weechat 2.7.1-1 (bug #951289)
- [buster] - weechat <no-dsa> (Minor issue)
+ [buster] - weechat 2.3-1+deb10u1
NOTE: https://github.com/weechat/weechat/commit/6f4f147d8e86adf9ad34a8ffd7e7f1f23a7e74da
CVE-2020-8954 (OpenSearch Web browser 1.0.4.9 allows Intent Scheme Hijacking.[a link ...)
NOT-FOR-US: OpenSearch Web browser
@@ -165994,7 +166009,7 @@ CVE-2019-19480 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x thro
CVE-2019-19479 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...)
{DLA-2832-1 DLA-2046-1}
- opensc 0.20.0-1 (bug #947383)
- [buster] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693
NOTE: https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2
CVE-2019-19478
@@ -172396,7 +172411,7 @@ CVE-2020-0500 (In startInputUncheckedLocked of InputMethodManager.java, there is
CVE-2020-0499 (In FLAC__bitreader_read_rice_signed_block of bitreader.c, there is a p ...)
{DLA-2514-1}
- flac 1.3.3-2 (bug #977764)
- [buster] - flac <no-dsa> (Minor issue)
+ [buster] - flac 1.3.2-3+deb10u1
NOTE: https://github.com/xiph/flac/commit/2e7931c27eb15e387da440a37f12437e35b22dd4
NOTE: https://android.googlesource.com/platform/external/flac/+/029048f823ced50f63a92e25073427ec3a9bd909%5E%21/#F0
NOTE: https://source.android.com/security/bulletin/pixel/2020-12-01
@@ -176347,12 +176362,12 @@ CVE-2019-17043 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execut
CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmc ...)
{DLA-2835-1 DLA-1952-1}
- rsyslog 8.1910.0-1 (bug #942065)
- [buster] - rsyslog <no-dsa> (Minor issue, pmcisconames module not loaded by default)
+ [buster] - rsyslog 8.1901.0-1+deb10u1
NOTE: https://github.com/rsyslog/rsyslog/pull/3883
CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...)
{DLA-2835-1 DLA-1952-1}
- rsyslog 8.1910.0-1 (bug #942067)
- [buster] - rsyslog <no-dsa> (Minor issue, pmaixforwardedfrom module not loaded by default)
+ [buster] - rsyslog 8.1901.0-1+deb10u1
NOTE: https://github.com/rsyslog/rsyslog/pull/3884
CVE-2019-17040 (contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bound ...)
- rsyslog 8.1910.0-1 (unimportant)
@@ -179518,12 +179533,12 @@ CVE-2019-15947 (In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencr
CVE-2019-15946 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet ...)
{DLA-2832-1 DLA-1916-1}
- opensc 0.20.0-1 (bug #939669)
- [buster] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
NOTE: https://github.com/OpenSC/OpenSC/commit/a3fc7693f3a035a8a7921cffb98432944bb42740
CVE-2019-15945 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitst ...)
{DLA-2832-1 DLA-1916-1}
- opensc 0.20.0-1 (bug #939668)
- [buster] - opensc <no-dsa> (Minor issue)
+ [buster] - opensc 0.19.0-1+deb10u1
NOTE: https://github.com/OpenSC/OpenSC/commit/412a6142c27a5973c61ba540e33cdc22d5608e68
CVE-2019-15944 (In Counter-Strike: Global Offensive before 8/29/2019, community game s ...)
NOT-FOR-US: Counter-Strike: Global Offensive
@@ -180888,7 +180903,7 @@ CVE-2019-15532 (CyberChef before 8.31.2 allows XSS in core/operations/TextEncodi
CVE-2019-15531 (GNU Libextractor through 1.9 has a heap-based buffer over-read in the ...)
{DLA-2851-1 DLA-1904-1}
- libextractor 1:1.9-2 (bug #935553)
- [buster] - libextractor <no-dsa> (Minor issue)
+ [buster] - libextractor 1:1.8-2+deb10u1
NOTE: https://bugs.gnunet.org/view.php?id=5846
NOTE: https://git.gnunet.org/libextractor.git/commit/?id=d2b032452241708bee68d02aa02092cfbfba951a
CVE-2019-15530 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...)
@@ -181941,7 +181956,7 @@ CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4
CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB ...)
{DLA-2850-1 DLA-1967-1}
- libpcap 1.9.1-1 (low; bug #941697)
- [buster] - libpcap <ignored> (Minor issue)
+ [buster] - libpcap 1.8.1-6+deb10u1
NOTE: https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab
NOTE: https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6
CVE-2019-15164 (rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may ...)
@@ -184471,7 +184486,7 @@ CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00
CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...)
{DLA-2825-1}
- libmodbus 3.1.6-1 (bug #933805)
- [buster] - libmodbus <no-dsa> (Minor issue)
+ [buster] - libmodbus 3.1.4-2+deb10u1
[jessie] - libmodbus <no-dsa> (Minor issue)
NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5)
NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5)
@@ -184480,7 +184495,7 @@ CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x befo
CVE-2019-14462 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...)
{DLA-2825-1}
- libmodbus 3.1.6-1 (bug #933805)
- [buster] - libmodbus <no-dsa> (Minor issue)
+ [buster] - libmodbus 3.1.4-2+deb10u1
[jessie] - libmodbus <no-dsa> (Minor issue)
NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5)
NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5)
@@ -187381,7 +187396,7 @@ CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.
[buster] - libsdl2 <no-dsa> (Minor issue)
[jessie] - libsdl2 <postponed> (can be fixed along with more important patches)
- libsdl1.2 1.2.15+dfsg2-5
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
[jessie] - libsdl1.2 <postponed> (can be fixed along with more important patches)
- libsdl2-image 2.0.5+dfsg1-2 (bug #940934)
[buster] - libsdl2-image <no-dsa> (Minor issue)
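Review bot: libsdl1.2 moves to 1.2.15+dfsg2-4+deb10u1 here, but the libsdl2 line two above stays `<no-dsa> (Minor issue)` for buster, and the same split repeats in every libsdl1.2 hunk further down (CVE-2019-7572 through CVE-2019-7638). If the 1.2 fixes were worth a point-release update, the identical issues in libsdl2 (bug #924610) deserve an explicit decision: either queue libsdl2 for a later point release or record why it stays no-dsa.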
@@ -198027,7 +198042,7 @@ CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 intro
CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...)
{DLA-2342-1 DLA-2091-1}
- libjackson-json-java 1.9.13-2
- [buster] - libjackson-json-java <no-dsa> (Minor issue)
+ [buster] - libjackson-json-java 1.9.13-2~deb10u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
NOTE: https://github.com/FasterXML/jackson-1/pull/1
@@ -198963,7 +198978,7 @@ CVE-2019-9888
CVE-2019-1010319 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
{DLA-2525-1}
- wavpack 5.1.0-7 (low; bug #932061)
- [buster] - wavpack <no-dsa> (Minor issue)
+ [buster] - wavpack 5.1.0-6+deb10u1
NOTE: https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe
NOTE: https://github.com/dbry/WavPack/issues/68
CVE-2019-1010318
@@ -198971,7 +198986,7 @@ CVE-2019-1010318
CVE-2019-1010317 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
{DLA-2525-1}
- wavpack 5.1.0-7 (low; bug #932060)
- [buster] - wavpack <no-dsa> (Minor issue)
+ [buster] - wavpack 5.1.0-6+deb10u1
NOTE: https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
NOTE: https://github.com/dbry/WavPack/issues/66
CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. Th ...)
@@ -205910,7 +205925,7 @@ CVE-2019-7639 (An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29.
CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
@@ -205919,7 +205934,7 @@ CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-2803-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.6+dfsg1-4 (bug #924610)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
NOTE: https://hg.libsdl.org/SDL/rev/9b0e5c555c0f (SDL-1.2)
@@ -205931,7 +205946,7 @@ CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
@@ -205940,7 +205955,7 @@ CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-2536-1 DLA-1865-1 DLA-1861-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
@@ -206082,7 +206097,7 @@ CVE-2019-7579 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 device
CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
@@ -206091,7 +206106,7 @@ CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
@@ -206102,7 +206117,7 @@ CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -206112,7 +206127,7 @@ CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
@@ -206122,7 +206137,7 @@ CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -206133,7 +206148,7 @@ CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -206145,7 +206160,7 @@ CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
{DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
- [buster] - libsdl1.2 <no-dsa> (Minor issue)
+ [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -287980,7 +287995,7 @@ CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in
{DSA-4037-1 DLA-2342-1 DLA-2091-1}
- jackson-databind 2.9.1-1
- libjackson-json-java 1.9.13-2
- [buster] - libjackson-json-java <no-dsa> (Minor issue)
+ [buster] - libjackson-json-java 1.9.13-2~deb10u1
NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
NOTE: misses the further sets of blacklists, in particular as well
NOTE: https://github.com/FasterXML/jackson-databind/commit/3bfbb835
@@ -311189,7 +311204,7 @@ CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, ve
{DSA-4004-1 DLA-2342-1 DLA-2091-1}
- jackson-databind 2.9.1-1 (bug #870848)
- libjackson-json-java 1.9.13-2
- [buster] - libjackson-json-java <no-dsa> (Minor issue)
+ [buster] - libjackson-json-java 1.9.13-2~deb10u1
NOTE: https://github.com/FasterXML/jackson-databind/issues/1599
NOTE: For libjackson-json-java:
NOTE: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31
=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -1,229 +1,3 @@
-CVE-2019-20807
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2021-3770
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2021-3778
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2021-3796
- [buster] - vim 2:8.1.0875-5+deb10u1
-CVE-2020-36277
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36278
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36279
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36280
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-36281
- [buster] - leptonlib 1.76.0-1+deb10u1
-CVE-2020-35653
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2020-35655
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-27921
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-27922
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-27923
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-25290
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-25292
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-28677
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-28678
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2021-34552
- [buster] - pillow 5.4.1-2+deb10u3
-CVE-2020-28600
- [buster] - openscad 2019.01~RC2-2+deb10u1
-CVE-2020-28599
- [buster] - openscad 2019.01~RC2-2+deb10u1
-CVE-2020-28282
- [buster] - node-getobject 0.1.0-2+deb10u1
-CVE-2021-38714
- [buster] - plib 1.8.5-8+deb10u1
-CVE-2020-12268
- [buster] - jbig2dec 0.16-1+deb10u1
-CVE-2019-1010317
- [buster] - wavpack 5.1.0-6+deb10u1
-CVE-2019-1010319
- [buster] - wavpack 5.1.0-6+deb10u1
-CVE-2021-35604
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46662
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46667
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46659
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24048
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24050
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24051
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2022-24052
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46661
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46663
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46664
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46665
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-46668
- [buster] - mariadb-10.3 1:10.3.34-0+deb10u1
-CVE-2021-43331
- [buster] - mailman 1:2.1.29-1+deb10u3
-CVE-2021-43332
- [buster] - mailman 1:2.1.29-1+deb10u3
-CVE-2021-44227
- [buster] - mailman 1:2.1.29-1+deb10u4
-CVE-2019-14462
- [buster] - libmodbus 3.1.4-2+deb10u1
-CVE-2019-14463
- [buster] - libmodbus 3.1.4-2+deb10u1
-CVE-2021-43618
- [buster] - gmp 2:6.1.2+dfsg-4+deb10u1
-CVE-2021-37146
- [buster] - ros-ros-comm 1.14.3+ds1-5+deb10u3
-CVE-2021-40391
- [buster] - gerbv 2.7.0-1+deb10u1
-CVE-2021-44540
- [buster] - privoxy 3.0.28-2+deb10u2
-CVE-2021-44543
- [buster] - privoxy 3.0.28-2+deb10u2
-CVE-2020-12672
- [buster] - graphicsmagick 1.4+really1.3.35-1~deb10u2
-CVE-2020-16117
- [buster] - evolution-data-server 3.30.5-1+deb10u2
-CVE-2020-15953
- [buster] - libetpan 1.9.3-2+deb10u1
-CVE-2019-10172
- [buster] - libjackson-json-java 1.9.13-2~deb10u1
-CVE-2017-15095
- [buster] - libjackson-json-java 1.9.13-2~deb10u1
-CVE-2017-7525
- [buster] - libjackson-json-java 1.9.13-2~deb10u1
-CVE-2021-22207
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-22235
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39921
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39922
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39923
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39924
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39928
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2021-39929
- [buster] - wireshark 2.6.20-0+deb10u3
-CVE-2020-25693
- [buster] - cimg 2.4.5+dfsg-1+deb10u1
-CVE-2020-0499
- [buster] - flac 1.3.2-3+deb10u1
-CVE-2022-20698
- [buster] - clamav 0.103.5+dfsg-0+deb10u1
-CVE-2020-25713
- [buster] - raptor2 2.0.14-1.1~deb10u2
-CVE-2019-7572
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7573
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7574
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7575
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7576
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7577
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7578
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7635
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7636
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7637
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-7638
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2019-13616
- [buster] - libsdl1.2 1.2.15+dfsg2-4+deb10u1
-CVE-2020-18442
- [buster] - zziplib 0.13.62-3.2+deb10u1
-CVE-2020-8955
- [buster] - weechat 2.3-1+deb10u1
-CVE-2020-9759
- [buster] - weechat 2.3-1+deb10u1
-CVE-2020-9760
- [buster] - weechat 2.3-1+deb10u1
-CVE-2021-40516
- [buster] - weechat 2.3-1+deb10u1
-CVE-2019-15945
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-15946
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-19479
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-20792
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2020-26570
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2020-26571
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2020-26572
- [buster] - opensc 0.19.0-1+deb10u1
-CVE-2019-17041
- [buster] - rsyslog 8.1901.0-1+deb10u1
-CVE-2019-17042
- [buster] - rsyslog 8.1901.0-1+deb10u1
-CVE-2019-15165
- [buster] - libpcap 1.8.1-6+deb10u1
-CVE-2019-15531
- [buster] - libextractor 1:1.8-2+deb10u1
-CVE-2021-46671
- [buster] - atftp 0.7.git20120829-3.2~deb10u3
-CVE-2022-24130
- [buster] - xterm 344-1+deb10u2
-CVE-2021-4104
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2022-23302
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2022-23305
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2022-23307
- [buster] - apache-log4j1.2 1.2.17-8+deb10u2
-CVE-2021-44832
- [buster] - apache-log4j2 2.17.1-1~deb10u1
-CVE-2021-40874
- [buster] - lemonldap-ng 2.0.2+ds-7+deb10u7
-CVE-2021-21263
- [buster] - php-illuminate-database 5.7.27-1+deb10u1
-CVE-2022-0534
- [buster] - htmldoc 1.9.3-1+deb10u3
-CVE-2021-43579
- [buster] - htmldoc 1.9.3-1+deb10u3
-CVE-2021-40985
- [buster] - htmldoc 1.9.3-1+deb10u3
-CVE-2022-23308
- [buster] - libxml2 2.9.4+dfsg1-7+deb10u3
-CVE-2020-10001
- [buster] - cups 2.2.10-6+deb10u5
-CVE-2021-46709
- [buster] - phpliteadmin 1.9.7.1-2+deb10u1
-CVE-2021-33120
- [buster] - intel-microcode 3.20220207.1~deb10u1
-CVE-2021-0145
- [buster] - intel-microcode 3.20220207.1~deb10u1
-CVE-2021-0127
- [buster] - intel-microcode 3.20220207.1~deb10u1
CVE-2021-44906
[buster] - node-minimist 1.2.0-1+deb10u2
CVE-2022-24773
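Review bot: the removals here agree with the CVE/list hunks above wherever both sides are visible (vim, pillow, openscad, opensc, SDL, weechat, wireshark, rsyslog, libjackson-json-java, intel-microcode). One detail to double-check before treating the file as drained: mailman is removed with two different target versions (+deb10u3 for CVE-2021-43331 and CVE-2021-43332, +deb10u4 for CVE-2021-44227), so the matching CVE/list entries must carry those distinct versions rather than a single one.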
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f560f6e741245c9ac7a39cfc91d63a81b13029c