[Git][security-tracker-team/security-tracker][master] 2 commits: Merge changes accepted for bullseye 11.5 release
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Sep 10 09:34:33 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f9933e50 by Salvatore Bonaccorso at 2022-09-10T10:29:58+02:00
Merge changes accepted for bullseye 11.5 release
- - - - -
fc119db4 by Salvatore Bonaccorso at 2022-09-10T08:34:23+00:00
Merge branch 'bullseye-11.5' into 'master'
Merge changes accepted for bullseye 11.5 release
See merge request security-tracker-team/security-tracker!116
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2450,6 +2450,7 @@ CVE-2022-39191
RESERVED
CVE-2022-39190 (An issue was discovered in net/netfilter/nf_tables_api.c in the Linux ...)
- linux 5.19.6-1
+ [bullseye] - linux 5.10.140-1
[buster] - linux <not-affected> (Vulnerable code introduced later)
NOTE: https://git.kernel.org/linus/e02f0d3970404bfea385b6edb86f2d936db0ea2b (6.0-rc3)
CVE-2022-39187
@@ -2548,6 +2549,7 @@ CVE-2022-39189 (An issue was discovered the x86 KVM subsystem in the Linux kerne
NOTE: https://git.kernel.org/linus/6cd88243c7e03845a450795e134b488fc2afb736 (5.19-rc2)
CVE-2022-39188 (An issue was discovered in include/asm-generic/tlb.h in the Linux kern ...)
- linux 5.19.6-1
+ [bullseye] - linux 5.10.140-1
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2329
NOTE: https://lore.kernel.org/stable/CAG48ez3SEqOPcPCYGHVZv4iqEApujD5VtM3Re-tCKLDEFdEdbg@mail.gmail.com/
NOTE: https://git.kernel.org/linus/b67fbebd4cf980aecbcc750e1462128bffe8ae15
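Review bot: the new `[bullseye] - linux 5.10.140-1` line for CVE-2022-39188 has no accompanying `[buster]` line, unlike CVE-2022-39190 and CVE-2022-2905 in this same patch, which carry an explicit `[buster] - linux <not-affected>`. Without one the tracker falls back to comparing buster's kernel against the unstable fixed version 5.19.6-1, so buster is displayed as affected by implication rather than by decision. If that is the intended state, fine; otherwise add a `[buster]` line so the status is explicit. The same applies to the CVE-2022-3028, CVE-2022-1679 and CVE-2022-1184 hunks further down.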
@@ -3491,6 +3493,7 @@ CVE-2022-3029
RESERVED
CVE-2022-3028 (A race condition was found in the Linux kernel's IP framework for tran ...)
- linux 5.19.6-1
+ [bullseye] - linux 5.10.140-1
NOTE: https://lore.kernel.org/all/YtoWqEkKzvimzWS5@gondor.apana.org.au/T/
NOTE: https://git.kernel.org/linus/ba953a9d89a00c078b85f4b190bc1dde66fe16b5 (6.0-rc3)
CVE-2022-3027
@@ -3515,7 +3518,7 @@ CVE-2022-3019 (The forgot password token basically just makes us capable of taki
NOT-FOR-US: ToolJet
CVE-2022-39028 (telnetd in GNU Inetutils through 2.3, MIT krb5-appl through 1.0.3, and ...)
- inetutils 2:2.3-5
- [bullseye] - inetutils <no-dsa> (Minor issue)
+ [bullseye] - inetutils 2:2.0-1+deb11u1
[buster] - inetutils <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
NOTE: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
@@ -4564,6 +4567,7 @@ CVE-2022-2906
RESERVED
CVE-2022-2905 (An out-of-bounds memory read flaw was found in the Linux kernel's BPF ...)
- linux 5.19.6-1
+ [bullseye] - linux 5.10.140-1
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/08/26/1
CVE-2022-2904
@@ -12954,7 +12958,7 @@ CVE-2022-35253
CVE-2022-35252
RESERVED
- curl 7.85.0-1 (bug #1018831)
- [bullseye] - curl <postponed> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u3
NOTE: https://curl.se/docs/CVE-2022-35252.html
NOTE: Fixed by: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb0ed786592c65c3 (curl-7_85_0)
NOTE: https://www.openwall.com/lists/oss-security/2022/08/31/2
@@ -15957,7 +15961,7 @@ CVE-2022-2154
CVE-2022-2153 (A flaw was found in the Linux kernel’s KVM when attempting to se ...)
{DSA-5173-1 DLA-3065-1}
- linux 5.17.3-1
- [bullseye] - linux 5.10.113-1
+ [bullseye] - linux 5.10.140-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2069736
NOTE: https://git.kernel.org/linus/7ec37d1cbe17d8189d9562178d8b29167fe1c31a (5.18-rc1)
NOTE: https://git.kernel.org/linus/00b5f37189d24ac3ed46cb7f11742094778c46ce (5.18-rc1)
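Review bot: this hunk moves the bullseye fixed version for CVE-2022-2153 from 5.10.113-1 to 5.10.140-1 even though the entry already carries `{DSA-5173-1 DLA-3065-1}`, i.e. bullseye was marked fixed by the DSA. Raising the fixed version makes every bullseye kernel from 5.10.113-1 up to but excluding 5.10.140-1 show as vulnerable again. If the DSA fix was incomplete or regressed, that is correct, but then a NOTE line saying so belongs in this block; if the line was merely synchronised with the other 5.10.140-1 entries, the old version should stay.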
@@ -22733,22 +22737,22 @@ CVE-2022-31616
CVE-2022-31615
RESERVED
- nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1016615)
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
- [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
[buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1016619)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 470.141.03-1 (bug #1016620)
- [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
- nvidia-graphics-drivers-tesla-510 510.85.02-1 (bug #1016621)
CVE-2022-31614 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...)
NOT-FOR-US: NVIDIA
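Review bot: within the CVE-2022-31615 block the bullseye lines for nvidia-graphics-drivers-tesla-418 and nvidia-graphics-drivers-tesla-460 keep `<no-dsa> (Non-free not supported)` while the sibling drivers get `~deb11u1` point-release versions. That is coherent for tesla-418, which is still `<unfixed>` in unstable, but for tesla-460 the only context is the NOTE that 460.106.00-3 turned the package into a metapackage pointing at tesla-470. If the bullseye tesla-460 predates that change it still ships a driver and stays vulnerable with no planned fix, which the rationale text should state; "Non-free not supported" sits oddly next to non-free packages that just received point-release fixes in this same hunk.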
@@ -22765,42 +22769,42 @@ CVE-2022-31609 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU
CVE-2022-31608
RESERVED
- nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1016615)
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
- [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
[buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1016619)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 470.141.03-1 (bug #1016620)
- [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
- nvidia-graphics-drivers-tesla-510 510.85.02-1 (bug #1016621)
CVE-2022-31607
RESERVED
- nvidia-graphics-drivers 470.141.03-1 (bug #1016614)
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1016615)
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
- [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
[buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1016619)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 470.141.03-1 (bug #1016620)
- [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
- nvidia-graphics-drivers-tesla-510 510.85.02-1 (bug #1016621)
CVE-2022-31606
RESERVED
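Review bot: the seven-package block, including the `NOTE: 460.106.00-3 turned the package into a metapackage` line, is repeated verbatim for CVE-2022-31607 and CVE-2022-31608 here and for CVE-2022-31615 in the previous hunk, and the same four `~deb11u1` versions are substituted in each copy. Any later correction to one copy, such as the tesla-460 or tesla-418 rationale, has to be applied to all three; worth a quick diff of the three blocks against each other after any edit so one copy does not drift.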
@@ -23597,7 +23601,7 @@ CVE-2022-31292
RESERVED
CVE-2022-31291 (An issue in dlt_config_file_parser.c of dlt-daemon v2.18.8 allows atta ...)
- dlt-daemon 2.18.6-2.1 (bug #1014534)
- [bullseye] - dlt-daemon <no-dsa> (Minor issue)
+ [bullseye] - dlt-daemon 2.18.6-1+deb11u1
[buster] - dlt-daemon <no-dsa> (Minor issue)
NOTE: https://github.com/COVESA/dlt-daemon/pull/376
NOTE: https://github.com/COVESA/dlt-daemon/commit/6a3bd901d825c7206797e36ea98e10a218f5aad2
@@ -23872,7 +23876,7 @@ CVE-2022-31214 (A Privilege Context Switching issue was discovered in join.c in
NOTE: https://github.com/netblue30/firejail/files/8913178/CVE-2022-31214.zip (0.9.58.2 - 0.9.68 backports)
CVE-2022-31213 (An issue was discovered in dbus-broker before 31. Multiple NULL pointe ...)
- dbus-broker 30-1
- [bullseye] - dbus-broker <no-dsa> (Minor issue)
+ [bullseye] - dbus-broker 26-1+deb11u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2094722
NOTE: "CHANGES WITH 30:" mention: Fix NULL-derefs in the XML configuration parser. Empty XML tags could
NOTE: have caused NULL-derefs before.
@@ -24072,7 +24076,7 @@ CVE-2022-31130
RESERVED
CVE-2022-31129 (moment is a JavaScript date library for parsing, validating, manipulat ...)
- node-moment 2.29.4+ds-1 (bug #1014845)
- [bullseye] - node-moment <no-dsa> (Minor issue)
+ [bullseye] - node-moment 2.29.1+ds-2+deb11u2
[buster] - node-moment <no-dsa> (Minor issue)
NOTE: https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3 (2.29.4)
NOTE: https://github.com/moment/moment/pull/6015#issuecomment-1152961973
@@ -24210,7 +24214,7 @@ CVE-2022-31082 (GLPI is a Free Asset and IT Management Software package, Data ce
NOTE: Only supported behind an authenticated HTTP zone
CVE-2022-31081 (HTTP::Daemon is a simple http server class written in perl. Versions p ...)
- libhttp-daemon-perl 6.14-1.1 (bug #1014808)
- [bullseye] - libhttp-daemon-perl <no-dsa> (Minor issue)
+ [bullseye] - libhttp-daemon-perl 6.12-1+deb11u1
[buster] - libhttp-daemon-perl <no-dsa> (Minor issue)
NOTE: https://github.com/libwww-perl/HTTP-Daemon/security/advisories/GHSA-cg8c-pxmv-w7cf
NOTE: Refactoring/renaming prerequisite: https://github.com/libwww-perl/HTTP-Daemon/commit/331d5c1d1f0e48e6b57ef738c2a8509b1eb53376
@@ -25825,6 +25829,7 @@ CVE-2022-1680 (An account takeover issue has been discovered in GitLab EE affect
NOTE: https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
CVE-2022-1679 (A use-after-free flaw was found in the Linux kernel’s Atheros wi ...)
- linux 5.19.6-1
+ [bullseye] - linux 5.10.140-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2084125
NOTE: https://lore.kernel.org/lkml/87ilqc7jv9.fsf@kernel.org/t/
CVE-2022-1678 (An issue was discovered in the Linux Kernel from 4.18 to 4.19, an impr ...)
@@ -25865,7 +25870,7 @@ CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to
NOT-FOR-US: OPC UA Legacy Java Stack
CVE-2022-30550 (An issue was discovered in the auth component in Dovecot 2.2 and 2.3 b ...)
- dovecot 1:2.3.19.1+dfsg1-2 (bug #1016351)
- [bullseye] - dovecot <no-dsa> (Minor issue)
+ [bullseye] - dovecot 1:2.3.13+dfsg1-2+deb11u1
[buster] - dovecot <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/9
NOTE: https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904
@@ -26781,13 +26786,13 @@ CVE-2022-1588
REJECTED
CVE-2022-1587 (An out-of-bounds read vulnerability was discovered in the PCRE2 librar ...)
- pcre2 10.40-1 (bug #1011954)
- [bullseye] - pcre2 <no-dsa> (Minor issue)
+ [bullseye] - pcre2 10.36-2+deb11u1
[buster] - pcre2 <no-dsa> (Minor issue)
[stretch] - pcre2 <no-dsa> (Minor issue)
NOTE: https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 (pcre2-10.40)
CVE-2022-1586 (An out-of-bounds read vulnerability was discovered in the PCRE2 librar ...)
- pcre2 10.40-1 (bug #1011954)
- [bullseye] - pcre2 <no-dsa> (Minor issue)
+ [bullseye] - pcre2 10.36-2+deb11u1
[buster] - pcre2 <no-dsa> (Minor issue)
[stretch] - pcre2 <no-dsa> (Minor issue)
NOTE: https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a (pcre2-10.40)
@@ -31184,7 +31189,7 @@ CVE-2022-28737
CVE-2022-28736
RESERVED
- grub2 2.06-3
- [bullseye] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [bullseye] - grub2 2.06-3~deb11u1
[buster] - grub2 <no-dsa> (Minor issue, fix via point release)
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
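Review bot: the buster line `[buster] - grub2 <no-dsa> (Minor issue, fix via point release)` is left untouched while bullseye moves to 2.06-3~deb11u1, and the same holds for the three grub2 hunks that follow and for the CVE-2021-3695, CVE-2021-3696 and CVE-2021-3697 hunks. Because the annotation promises a buster point-release fix, either a buster grub2 upload should be queued in next-point-update.txt or the rationale should be reworded so the tracker does not advertise a fix that is not scheduled.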
@@ -31192,7 +31197,7 @@ CVE-2022-28736
CVE-2022-28735
RESERVED
- grub2 2.06-3 (bug #1001057)
- [bullseye] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [bullseye] - grub2 2.06-3~deb11u1
[buster] - grub2 <no-dsa> (Minor issue, fix via point release)
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
@@ -31200,7 +31205,7 @@ CVE-2022-28735
CVE-2022-28734
RESERVED
- grub2 2.06-3
- [bullseye] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [bullseye] - grub2 2.06-3~deb11u1
[buster] - grub2 <no-dsa> (Minor issue, fix via point release)
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
@@ -31208,7 +31213,7 @@ CVE-2022-28734
CVE-2022-28733
RESERVED
- grub2 2.06-3
- [bullseye] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [bullseye] - grub2 2.06-3~deb11u1
[buster] - grub2 <no-dsa> (Minor issue, fix via point release)
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
@@ -32745,6 +32750,7 @@ CVE-2022-1185 (A denial of service vulnerability when rendering RDoc files in Gi
- gitlab <unfixed>
CVE-2022-1184 (A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() i ...)
- linux 5.19.6-1
+ [bullseye] - linux 5.10.140-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070205
NOTE: https://git.kernel.org/linus/65f8ea4cd57dbd46ea13b41dc8bac03176b04233
CVE-2022-1183 (On vulnerable configurations, the named daemon may, in some circumstan ...)
@@ -38389,17 +38395,17 @@ CVE-2022-26308 (Pandora FMS v7.0NG.760 and below allows an improper access contr
NOT-FOR-US: Pandora FMS
CVE-2022-26307 (LibreOffice supports the storage of passwords for web connections in t ...)
- libreoffice 1:7.3.3~rc1-2
- [bullseye] - libreoffice <no-dsa> (Minor issue)
+ [bullseye] - libreoffice 1:7.0.4-4+deb11u2
[buster] - libreoffice <no-dsa> (Minor issue)
NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307
CVE-2022-26306 (LibreOffice supports the storage of passwords for web connections in t ...)
- libreoffice 1:7.3.3~rc1-2
- [bullseye] - libreoffice <no-dsa> (Minor issue)
+ [bullseye] - libreoffice 1:7.0.4-4+deb11u2
[buster] - libreoffice <no-dsa> (Minor issue)
NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306
CVE-2022-26305 (An Improper Certificate Validation vulnerability in LibreOffice existe ...)
- libreoffice 1:7.3.2~rc2-1
- [bullseye] - libreoffice <no-dsa> (Minor issue)
+ [bullseye] - libreoffice 1:7.0.4-4+deb11u2
[buster] - libreoffice <no-dsa> (Minor issue)
NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305
CVE-2022-26301 (TuziCMS v2.0.6 was discovered to contain a SQL injection vulnerability ...)
@@ -52653,17 +52659,17 @@ CVE-2021-4187 (vim is vulnerable to Use After Free ...)
CVE-2021-45911 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
{DLA-2937-1}
- gif2apng <removed> (bug #1002687)
- [bullseye] - gif2apng <no-dsa> (Minor issue)
+ [bullseye] - gif2apng 1.9+srconly-3+deb11u1
[buster] - gif2apng <no-dsa> (Minor issue)
CVE-2021-45910 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
{DLA-2937-1}
- gif2apng <removed> (bug #1002667)
- [bullseye] - gif2apng <no-dsa> (Minor issue)
+ [bullseye] - gif2apng 1.9+srconly-3+deb11u1
[buster] - gif2apng <no-dsa> (Minor issue)
CVE-2021-45909 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
{DLA-2937-1}
- gif2apng <removed> (bug #1002668)
- [bullseye] - gif2apng <no-dsa> (Minor issue)
+ [bullseye] - gif2apng 1.9+srconly-3+deb11u1
[buster] - gif2apng <no-dsa> (Minor issue)
CVE-2021-45908 (An issue was discovered in gif2apng 1.9. There is a stack-based buffer ...)
- gif2apng <removed> (bug #1002669; unimportant)
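Review bot: the CVE-2021-45909, CVE-2021-45910 and CVE-2021-45911 entries now point bullseye at 1.9+srconly-3+deb11u1 although the unstable line is `gif2apng <removed>`, so the bullseye point-release upload is the only maintained place this fix exists. The adjacent CVE-2021-45908 keeps `<removed> (bug #1002669; unimportant)` with no bullseye line; if the deb11u1 upload also addressed that stack-based overflow it should get a matching `[bullseye]` line, and if it was deliberately left out because of the unimportant rating, a NOTE saying so saves the next reviewer the question.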
@@ -59007,7 +59013,7 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection to Untrusted Site ...)
NOT-FOR-US: ShowDoc
CVE-2021-3999 (A flaw was found in glibc. An off-by-one buffer overflow and underflow ...)
- glibc 2.33-4
- [bullseye] - glibc <no-dsa> (Minor issue)
+ [bullseye] - glibc 2.31-13+deb11u4
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769
@@ -59529,7 +59535,7 @@ CVE-2022-21705 (Octobercms is a self-hosted CMS platform based on the Laravel PH
NOT-FOR-US: October CMS
CVE-2022-21704 (log4js-node is a port of log4js to node.js. In affected versions defau ...)
- node-log4js 6.4.1+~cs8.3.5-1
- [bullseye] - node-log4js <no-dsa> (Minor issue)
+ [bullseye] - node-log4js 6.3.0+~cs8.3.10-1+deb11u1
[buster] - node-log4js <no-dsa> (Minor issue)
[stretch] - node-log4js <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/log4js-node/log4js-node/pull/1141 (v6.4.1)
@@ -72130,7 +72136,7 @@ CVE-2021-40438 (A crafted request uri-path can cause mod_proxy to forward the re
NOTE: Regression fix #2: https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c (2.4.x)
CVE-2021-40491 (The ftp client in GNU Inetutils before 2.2 does not validate addresses ...)
- inetutils 2:2.2-1 (bug #993476)
- [bullseye] - inetutils <no-dsa> (Minor issue)
+ [bullseye] - inetutils 2:2.0-1+deb11u1
[buster] - inetutils <no-dsa> (Minor issue)
[stretch] - inetutils <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html
@@ -77268,21 +77274,21 @@ CVE-2021-3698 (A flaw was found in Cockpit in versions prior to 260 in the way i
NOTE: https://cockpit-project.org/blog/cockpit-260.html
CVE-2021-3697 (A crafted JPEG image may lead the JPEG reader to underflow its data po ...)
- grub2 2.06-3
- [bullseye] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [bullseye] - grub2 2.06-3~deb11u1
[buster] - grub2 <no-dsa> (Minor issue, fix via point release)
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
CVE-2021-3696 (A heap out-of-bounds write may heppen during the handling of Huffman t ...)
- grub2 2.06-3
- [bullseye] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [bullseye] - grub2 2.06-3~deb11u1
[buster] - grub2 <no-dsa> (Minor issue, fix via point release)
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
CVE-2021-3695 (A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write ...)
- grub2 2.06-3
- [bullseye] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [bullseye] - grub2 2.06-3~deb11u1
[buster] - grub2 <no-dsa> (Minor issue, fix via point release)
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
@@ -79602,7 +79608,7 @@ CVE-2021-37531 (SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.
NOT-FOR-US: SAP
CVE-2021-37530 (A denial of service vulnerabiity exists in fig2dev through 3.28a due t ...)
- fig2dev 1:3.2.8b-1
- [bullseye] - fig2dev <no-dsa> (Minor issue)
+ [bullseye] - fig2dev 1:3.2.8-3+deb11u1
[buster] - fig2dev <no-dsa> (Minor issue)
[stretch] - fig2dev <no-dsa> (Minor issue)
- transfig <removed>
@@ -79610,7 +79616,7 @@ CVE-2021-37530 (A denial of service vulnerabiity exists in fig2dev through 3.28a
NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/ff103511e49c44c83fc58e2092aa37e9019a3a9f/
CVE-2021-37529 (A double-free vulnerability exists in fig2dev through 3.28a is affecte ...)
- fig2dev 1:3.2.8b-1
- [bullseye] - fig2dev <no-dsa> (Minor issue)
+ [bullseye] - fig2dev 1:3.2.8-3+deb11u1
[buster] - fig2dev <no-dsa> (Minor issue)
[stretch] - fig2dev <no-dsa> (Minor issue)
- transfig <removed>
@@ -94892,7 +94898,7 @@ CVE-2021-31403 (Non-constant-time comparison of CSRF tokens in UIDL request hand
NOT-FOR-US: Vaadin
CVE-2021-3502 (A flaw was found in avahi 0.8-5. A reachable assertion is present in a ...)
- avahi 0.8-6 (bug #986018)
- [bullseye] - avahi <no-dsa> (Minor issue)
+ [bullseye] - avahi 0.8-5+deb11u1
[buster] - avahi <not-affected> (Vulnerable code introduced later)
[stretch] - avahi <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/lathiat/avahi/issues/338
@@ -109838,7 +109844,7 @@ CVE-2021-25637
RESERVED
CVE-2021-25636 (LibreOffice supports digital signatures of ODF documents and macros wi ...)
- libreoffice 1:7.3.0-1
- [bullseye] - libreoffice <no-dsa> (Minor issue)
+ [bullseye] - libreoffice 1:7.0.4-4+deb11u2
[buster] - libreoffice <no-dsa> (Minor issue)
[stretch] - libreoffice <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2056955
@@ -148965,14 +148971,14 @@ CVE-2020-22285
RESERVED
CVE-2020-22284 (A buffer overflow vulnerability in the zepif_linkoutput() function of ...)
- lwip 2.1.3+dfsg1-1 (bug #991646)
- [bullseye] - lwip <no-dsa> (Minor issue)
+ [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1
[buster] - lwip <no-dsa> (Minor issue)
NOTE: https://savannah.nongnu.org/bugs/index.php?58554
NOTE: https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=8363c24e45a32728e385cfc2c3c36d88a8a9e70b (master)
NOTE: https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=379d55044e9181533f1fd4d0e0cf89bc01cb9b8b (STABLE-2_1_3_RC1)
CVE-2020-22283 (A buffer overflow vulnerability in the icmp6_send_response_with_addrs_ ...)
- lwip 2.1.3+dfsg1-1 (bug #991645)
- [bullseye] - lwip <no-dsa> (Minor issue)
+ [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1
[buster] - lwip <no-dsa> (Minor issue)
NOTE: https://savannah.nongnu.org/bugs/index.php?58553
NOTE: Pre-requisite: http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=d843e47a1d65451bd7f7aaa5017b408bd108be88 (master)
@@ -184446,7 +184452,7 @@ CVE-2020-8288 (The `specializedRendering` function in Rocket.Chat server before
CVE-2020-8287 (Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two co ...)
{DSA-4826-1}
- http-parser 2.9.4-5 (bug #1016690)
- [bullseye] - http-parser <no-dsa> (Minor issue)
+ [bullseye] - http-parser 2.9.4-4+deb11u1
[buster] - http-parser <no-dsa> (Minor issue)
- nodejs 12.20.1~dfsg-1 (bug #979364)
[stretch] - nodejs <ignored> (Nodejs in stretch not covered by security support)
=====================================
data/next-point-update.txt
=====================================
@@ -1,96 +1,3 @@
-CVE-2020-22284
- [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1
-CVE-2020-22283
- [bullseye] - lwip 2.1.2+dfsg1-8+deb11u1
-CVE-2022-21704
- [bullseye] - node-log4js 6.3.0+~cs8.3.10-1+deb11u1
-CVE-2022-31129
- [bullseye] - node-moment 2.29.1+ds-2+deb11u2
-CVE-2022-26307
- [bullseye] - libreoffice 1:7.0.4-4+deb11u2
-CVE-2022-26306
- [bullseye] - libreoffice 1:7.0.4-4+deb11u2
-CVE-2022-26305
- [bullseye] - libreoffice 1:7.0.4-4+deb11u2
-CVE-2021-25636
- [bullseye] - libreoffice 1:7.0.4-4+deb11u2
-CVE-2021-45911
- [bullseye] - gif2apng 1.9+srconly-3+deb11u1
-CVE-2021-45910
- [bullseye] - gif2apng 1.9+srconly-3+deb11u1
-CVE-2021-45909
- [bullseye] - gif2apng 1.9+srconly-3+deb11u1
-CVE-2022-31081
- [bullseye] - libhttp-daemon-perl 6.12-1+deb11u1
-CVE-2022-31213
- [bullseye] - dbus-broker 26-1+deb11u2
-CVE-2022-28736
- [bullseye] - grub2 2.06-3~deb11u1
-CVE-2022-28735
- [bullseye] - grub2 2.06-3~deb11u1
-CVE-2022-28734
- [bullseye] - grub2 2.06-3~deb11u1
-CVE-2022-28733
- [bullseye] - grub2 2.06-3~deb11u1
-CVE-2021-3697
- [bullseye] - grub2 2.06-3~deb11u1
-CVE-2021-3696
- [bullseye] - grub2 2.06-3~deb11u1
-CVE-2021-3695
- [bullseye] - grub2 2.06-3~deb11u1
-CVE-2022-31607
- [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
- [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
- [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
-CVE-2022-31608
- [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
- [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
- [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
-CVE-2022-31615
- [bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.203.03-1~deb11u1
- [bullseye] - nvidia-graphics-drivers-tesla-470 470.141.03-1~deb11u1
- [bullseye] - nvidia-graphics-drivers 470.141.03-1~deb11u1
-CVE-2021-3502
- [bullseye] - avahi 0.8-5+deb11u1
-CVE-2020-8287
- [bullseye] - http-parser 2.9.4-4+deb11u1
-CVE-2021-3999
- [bullseye] - glibc 2.31-13+deb11u4
-CVE-2021-37530
- [bullseye] - fig2dev 1:3.2.8-3+deb11u1
-CVE-2021-37529
- [bullseye] - fig2dev 1:3.2.8-3+deb11u1
-CVE-2022-1587
- [bullseye] - pcre2 10.36-2+deb11u1
-CVE-2022-1586
- [bullseye] - pcre2 10.36-2+deb11u1
-CVE-2022-31291
- [bullseye] - dlt-daemon 2.18.6-1+deb11u1
-CVE-2022-30550
- [bullseye] - dovecot 1:2.3.13+dfsg1-2+deb11u1
-CVE-2021-40491
- [bullseye] - inetutils 2:2.0-1+deb11u1
-CVE-2022-39028
- [bullseye] - inetutils 2:2.0-1+deb11u1
-CVE-2022-35252
- [bullseye] - curl 7.74.0-1.3+deb11u3
-CVE-2022-1184
- [bullseye] - linux 5.10.140-1
-CVE-2022-1679
- [bullseye] - linux 5.10.140-1
-CVE-2022-2153
- [bullseye] - linux 5.10.140-1
-CVE-2022-2905
- [bullseye] - linux 5.10.140-1
-CVE-2022-3028
- [bullseye] - linux 5.10.140-1
-CVE-2022-39188
- [bullseye] - linux 5.10.140-1
-CVE-2022-39190
- [bullseye] - linux 5.10.140-1
CVE-2021-32718
[bullseye] - rabbitmq-server 3.8.9-3+deb11u1
CVE-2021-32719
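Review bot: the 42 CVE entries removed from the queue here each correspond to a `[bullseye]` version set in the data/CVE/list hunks of this commit, including the three NVIDIA blocks that map to the same four `~deb11u1` driver versions, so list and queue are consistent. One sanity check worth adding to the merge step: the queued `CVE-2022-2153` / `[bullseye] - linux 5.10.140-1` pair overwrote a bullseye version that `{DSA-5173-1}` had already fixed, so accepting the queue did not guard against replacing a DSA-fixed version; checking for an existing DSA marker before merging would catch that. CVE-2021-32718 and CVE-2021-32719 (rabbitmq-server 3.8.9-3+deb11u1) are the only items left queued.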
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a1c1edccfe2a0a4963ff936bdce603476d171814...fc119db4ca32a02ebbc24e42966fb6051714c4f1