[Git][security-tracker-team/security-tracker][master] 3 commits: Remove ignored elog entry as not removed as well from buster
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Sep 10 13:54:09 BST 2022
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
77d7165a by Salvatore Bonaccorso at 2022-09-10T10:33:06+02:00
Remove ignored elog entry as not removed as well from buster
- - - - -
33265aca by Salvatore Bonaccorso at 2022-09-10T12:42:03+02:00
Merge changes accepted for buster 10.13 release
- - - - -
21b19a8b by Salvatore Bonaccorso at 2022-09-10T12:53:55+00:00
Merge branch 'buster-10.13' into 'master'
Merge changes accepted for buster 10.13 release
See merge request security-tracker-team/security-tracker!117
- - - - -
2 changed files:
- data/CVE/list
- data/next-oldstable-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -20502,7 +20502,7 @@ CVE-2022-32308 (Cross Site Scripting (XSS) vulnerability in uBlock Origin extens
{DLA-3062-1}
- ublock-origin 1.42.0+dfsg-1
[bullseye] - ublock-origin 1.42.0+dfsg-1~deb11u1
- [buster] - ublock-origin <no-dsa> (Minor issue; pending via buster-pu)
+ [buster] - ublock-origin 1.42.0+dfsg-1~deb10u1
NOTE: https://github.com/uBlockOrigin/uBlock-issues/issues/1992
NOTE: https://github.com/gorhill/uBlock/commit/e1e2ba3d5d00112f74464ddcc9f561f065dd3623 (1.41.5b2)
NOTE: https://github.com/gorhill/uBlock/commit/60072e7996e58cd7cca5186fde742d83cc6a612c (1.41.7b0)
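Review bot: {DLA-3062-1} is already attached to this entry; if that DLA covered buster, make sure it records the same version as the line added here (1.42.0+dfsg-1~deb10u1), otherwise the entry ends up carrying two different fixed versions for one release. The buster version is a straight rebuild of the same source as bullseye's 1.42.0+dfsg-1~deb11u1, so the two lines are at least mutually consistent.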
@@ -21915,7 +21915,7 @@ CVE-2022-1946 (The Gallery WordPress plugin before 2.0.0 does not sanitise and e
CVE-2022-31813 (Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* h ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-31813
NOTE: https://github.com/apache/httpd/commit/956f708b094698ac9ad570d640d4f30eb0df7305
@@ -22745,7 +22745,7 @@ CVE-2022-31615
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
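Review bot: the unchanged context line "[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)" keeps a rationale that this very hunk contradicts: the buster line for legacy-390xx, another non-free driver, now records a point-release fix (390.154-1~deb10u1), so "Non-free not supported" no longer explains why 340xx stays unfixed. The CVE-2022-28185 entry later in this diff already uses the more precise wording "(Non-free not supported, no updates provided by Nvidia anymore)" for the 340xx driver in stretch; reuse it here. That entry also marks bullseye tesla-418 as "<ignored> (Non-free not supported, driver is EOLed and updates impossible)" whereas this hunk has "<no-dsa> (Non-free not supported)" for the same package; pick one status and rationale for tesla-418. The same points apply to the CVE-2022-31608 and CVE-2022-31607 hunks that follow.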
@@ -22777,7 +22777,7 @@ CVE-2022-31608
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
@@ -22797,7 +22797,7 @@ CVE-2022-31607
[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx 390.154-1 (bug #1016616)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1016617)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 450.203.03-1 (bug #1016618)
@@ -25850,7 +25850,7 @@ CVE-2022-30594 (The Linux kernel before 5.17.2 mishandles seccomp permissions. T
CVE-2022-30556 (Apache HTTP Server 2.4.53 and earlier may return lengths to applicatio ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/7
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30556
NOTE: https://github.com/apache/httpd/commit/3a561759fcb37af179585adb8478922dc9bc6a85
@@ -26040,7 +26040,7 @@ CVE-2022-30523 (Trend Micro Password Manager (Consumer) version 5.0.0.1266 and b
CVE-2022-30522 (If Apache HTTP Server 2.4.53 is configured to do transformations with ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/6
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-30522
NOTE: https://github.com/apache/httpd/commit/db47781128e42bd49f55076665b3f6ca4e2bc5e2
@@ -26530,7 +26530,7 @@ CVE-2022-30334 (Brave before 1.34, when a Private Window with Tor Connectivity i
CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal ...)
- unrar-nonfree 1:6.1.7-1 (bug #1010837)
[bullseye] - unrar-nonfree 1:6.0.3-1+deb11u1
- [buster] - unrar-nonfree <no-dsa> (Non-free not supported)
+ [buster] - unrar-nonfree 1:5.6.6-1+deb10u1
[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
- rar <unfixed> (bug #1012228)
[bullseye] - rar <no-dsa> (Non-free not supported)
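Review bot: same pattern as the nvidia hunks: the buster line now records a fix for a non-free package (1:5.6.6-1+deb10u1), while "[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)" and "[bullseye] - rar <no-dsa> (Non-free not supported)" keep a rationale that this hunk shows is not a blanket rule. For rar, which is still <unfixed> in unstable (bug #1012228), the line would be more useful if it stated the actual reason no update is planned rather than the generic one.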
@@ -29374,7 +29374,7 @@ CVE-2022-1382 (NULL Pointer Dereference in GitHub repository radareorg/radare2 p
CVE-2022-29404 (In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/5
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-29404
NOTE: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc
@@ -30280,7 +30280,7 @@ CVE-2022-1328 (Buffer Overflow in uudecoder in Mutt affecting all versions start
{DLA-2999-1}
- mutt 2.2.3-1 (bug #1009734)
[bullseye] - mutt 2.0.5-4.1+deb11u1
- [buster] - mutt <no-dsa> (Minor issue)
+ [buster] - mutt 1.10.1-2.1+deb10u6
- neomutt <unfixed> (bug #1009735)
[bullseye] - neomutt <no-dsa> (Minor issue)
[buster] - neomutt <no-dsa> (Minor issue)
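Review bot: the neomutt lines directly below the changed line still read "[bullseye] - neomutt <no-dsa> (Minor issue)" and "[buster] - neomutt <no-dsa> (Minor issue)", while mutt is now fixed in both releases for the same uudecoder buffer overflow (2.0.5-4.1+deb11u1 and 1.10.1-2.1+deb10u6). If the bug was worth a point-release fix for mutt, the "Minor issue" rationale for neomutt looks stale; either queue a neomutt update for the next point releases or add a NOTE explaining why neomutt is treated differently. neomutt is also still <unfixed> in unstable (bug #1009735).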
@@ -30317,7 +30317,7 @@ CVE-2022-29079
CVE-2022-29078 (The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js ...)
- node-ejs 3.1.7-1 (bug #1010359)
[bullseye] - node-ejs 2.5.7-3+deb11u1
- [buster] - node-ejs <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - node-ejs 2.5.7-1+deb10u1
[stretch] - node-ejs <end-of-life> (Node not covered by security support)
NOTE: https://eslam.io/posts/ejs-server-side-template-injection-rce/
NOTE: https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf (v3.1.7)
@@ -31192,7 +31192,7 @@ CVE-2022-28736
RESERVED
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
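Review bot: CVE-2022-28736 (and the three hunks that follow for CVE-2022-28735, CVE-2022-28734 and CVE-2022-28733) still carry a bare RESERVED placeholder instead of a description, yet each entry now has fixed versions in unstable, bullseye and buster plus an oss-security reference, so the issue is evidently public. Replace the RESERVED line with the description, or at least a short NOTE on what the bug is, so the buster fix is not recorded against an entry that reads as unpublished. Only the CVE-2022-28735 entry references a Debian bug (#1001057); if the other three were handled under the same bug, adding it keeps the four entries consistent.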
@@ -31200,7 +31200,7 @@ CVE-2022-28735
RESERVED
- grub2 2.06-3 (bug #1001057)
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -31208,7 +31208,7 @@ CVE-2022-28734
RESERVED
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -31216,7 +31216,7 @@ CVE-2022-28733
RESERVED
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
@@ -31614,14 +31614,14 @@ CVE-2022-28616 (A remote server-side request forgery (ssrf) vulnerability was di
CVE-2022-28615 (Apache HTTP Server 2.4.53 and earlier may crash or disclose informatio ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/9
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28615
NOTE: https://github.com/apache/httpd/commit/6503d09ab51047554c384a6d03646ce1a8848120
CVE-2022-28614 (The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/4
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-28614
NOTE: https://github.com/apache/httpd/commit/8c14927162cf3b4f810683e1c5505e9ef9e1f123
@@ -32936,7 +32936,7 @@ CVE-2022-28185 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418 <ignored> (Non-free not supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
@@ -32981,7 +32981,7 @@ CVE-2022-28181 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[stretch] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers-legacy-390xx 390.151-1 (bug #1011142)
[bullseye] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb11u1
- [buster] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1011143)
[bullseye] - nvidia-graphics-drivers-tesla-418 <ignored> (Non-free not supported, driver is EOLed and updates impossible)
- nvidia-graphics-drivers-tesla-450 450.191.01-1 (bug #1011144)
@@ -33391,6 +33391,7 @@ CVE-2022-28086
CVE-2022-28085 (A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in ...)
- htmldoc 1.9.15-2 (unimportant)
[bullseye] - htmldoc 1.9.11-4+deb11u3
+ [buster] - htmldoc 1.9.3-1+deb10u4
NOTE: https://github.com/michaelrsweet/htmldoc/issues/480
NOTE: https://github.com/michaelrsweet/htmldoc/commit/46c8ec2b9bccb8ccabff52d998c5eee77a228348
NOTE: Crash in CLI tool, no security impact
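Review bot: this entry is tagged (unimportant) and its NOTE says "Crash in CLI tool, no security impact", so per-release fixed versions here are informational only. Adding "[buster] - htmldoc 1.9.3-1+deb10u4" is consistent with the existing bullseye line, but only if the 10.13 upload really contains commit 46c8ec2b; otherwise the line asserts a fix the package does not have. The same check applies to the CVE-2022-24191 hunk further down, which adds the same version to another unimportant htmldoc entry (commit fb0334a5).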
@@ -35143,21 +35144,21 @@ CVE-2022-27407
CVE-2022-27406 (FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
[bullseye] - freetype 2.10.4+dfsg-1+deb11u1
- [buster] - freetype <no-dsa> (Minor issue)
+ [buster] - freetype 2.9.1-3+deb10u3
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1140
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2 (VER-2-12-0)
CVE-2022-27405 (FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
[bullseye] - freetype 2.10.4+dfsg-1+deb11u1
- [buster] - freetype <no-dsa> (Minor issue)
+ [buster] - freetype 2.9.1-3+deb10u3
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1139
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 (VER-2-12-0)
CVE-2022-27404 (FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovere ...)
- freetype 2.11.1+dfsg-2 (bug #1010183)
[bullseye] - freetype 2.10.4+dfsg-1+deb11u1
- [buster] - freetype <no-dsa> (Minor issue)
+ [buster] - freetype 2.9.1-3+deb10u3
[stretch] - freetype <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1138
NOTE: Fixed by: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db (VER-2-12-0)
@@ -36176,7 +36177,7 @@ CVE-2022-27114 (There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg f
{DLA-3004-1}
- htmldoc 1.9.15-2
[bullseye] - htmldoc 1.9.11-4+deb11u3
- [buster] - htmldoc <no-dsa> (Minor issue)
+ [buster] - htmldoc 1.9.3-1+deb10u4
NOTE: https://github.com/michaelrsweet/htmldoc/issues/471
NOTE: https://github.com/michaelrsweet/htmldoc/commit/31f780487e5ddc426888638786cdc47631687275
CVE-2022-27113
@@ -37700,7 +37701,7 @@ CVE-2022-26505 (A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1
{DLA-2973-1}
- minidlna 1.3.0+dfsg-2.2 (bug #1006798)
[bullseye] - minidlna 1.3.0+dfsg-2+deb11u1
- [buster] - minidlna <no-dsa> (Minor issue)
+ [buster] - minidlna 1.2.1+dfsg-2+deb10u3
NOTE: https://sourceforge.net/p/minidlna/git/ci/c21208508dbc131712281ec5340687e5ae89e940/
NOTE: https://www.openwall.com/lists/oss-security/2022/03/03/1
CVE-2022-26504 (Improper authentication in Veeam Backup & Replication 9.5U3, 9.5U4 ...)
@@ -38124,7 +38125,7 @@ CVE-2022-26378
CVE-2022-26377 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...)
- apache2 2.4.54-1 (bug #1012513)
[bullseye] - apache2 2.4.54-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue; can be fixed in point release)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://www.openwall.com/lists/oss-security/2022/06/08/2
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-26377
NOTE: https://github.com/apache/httpd/commit/f7f15f3d8bfe3032926c8c39eb8434529f680bd4
@@ -41057,7 +41058,7 @@ CVE-2022-25310 (A segmentation fault (SEGV) flaw was found in the Fribidi packag
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
[bullseye] - fribidi 1.0.8-2+deb11u1
- [buster] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi 1.0.5-3.1+deb10u2
NOTE: https://github.com/fribidi/fribidi/issues/183
NOTE: https://github.com/fribidi/fribidi/pull/186
NOTE: https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f
@@ -41065,7 +41066,7 @@ CVE-2022-25309 (A heap-based buffer overflow flaw was found in the Fribidi packa
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
[bullseye] - fribidi 1.0.8-2+deb11u1
- [buster] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi 1.0.5-3.1+deb10u2
NOTE: https://github.com/fribidi/fribidi/issues/182
NOTE: https://github.com/fribidi/fribidi/pull/185
NOTE: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3
@@ -41073,7 +41074,7 @@ CVE-2022-25308 (A stack-based buffer overflow flaw was found in the Fribidi pack
{DLA-2974-1}
- fribidi 1.0.8-2.1 (bug #1008793)
[bullseye] - fribidi 1.0.8-2+deb11u1
- [buster] - fribidi <no-dsa> (Minor issue)
+ [buster] - fribidi 1.0.5-3.1+deb10u2
NOTE: https://github.com/fribidi/fribidi/issues/181
NOTE: https://github.com/fribidi/fribidi/pull/184
NOTE: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1
@@ -42081,14 +42082,14 @@ CVE-2022-0586 (Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17813
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-01.html
CVE-2022-0585 (Large loops in multiple protocol dissectors in Wireshark 3.6.0 to 3.6. ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2054049
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-02.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17829
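Review bot: in both entries the context line "[bullseye] - wireshark <no-dsa> (Minor issue)" keeps exactly the rationale the buster line just dropped. Once buster gets 2.6.20-0+deb10u4 for these dissector loops, the same issues in bullseye are either worth a point-release update too or need a NOTE on why bullseye is handled differently. The same asymmetry recurs in every other wireshark hunk in this diff (CVE-2022-0583, CVE-2022-0582, CVE-2022-0581, CVE-2021-4185, CVE-2021-4184, CVE-2021-4181); CVE-2021-22191 is the only one without a bullseye line.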
@@ -42107,21 +42108,21 @@ CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17840
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-03.html
CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17882
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-04.html
CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935
NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html
CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...)
@@ -42149,7 +42150,7 @@ CVE-2022-0577 (Exposure of Sensitive Information to an Unauthorized Actor in Git
{DLA-2950-1}
- python-scrapy 2.6.1-1 (bug #1008234)
[bullseye] - python-scrapy 2.4.1-2+deb11u1
- [buster] - python-scrapy <no-dsa> (Minor issue)
+ [buster] - python-scrapy 1.5.1-1+deb10u1
NOTE: https://github.com/advisories/GHSA-cjvr-mfj7-j4j8
NOTE: https://huntr.dev/bounties/3da527b1-2348-4f69-9e88-2e11a96ac585
NOTE: https://github.com/scrapy/scrapy/commit/8ce01b3b76d4634f55067d6cfdf632ec70ba304a
@@ -42565,7 +42566,7 @@ CVE-2022-24829 (Garden is an automation platform for Kubernetes development and
CVE-2022-24828 (Composer is a dependency manager for the PHP programming language. Int ...)
- composer 2.2.12-1 (bug #1009960)
[bullseye] - composer 2.0.9-2+deb11u1
- [buster] - composer <no-dsa> (Minor issue)
+ [buster] - composer 1.8.4-1+deb10u2
[stretch] - composer <no-dsa> (Minor issue)
NOTE: https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 (2.2.12)
NOTE: https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
@@ -42663,7 +42664,7 @@ CVE-2022-24801 (Twisted is an event-based framework for internet applications, s
{DLA-2991-1}
- twisted 22.4.0-1 (bug #1009030)
[bullseye] - twisted 20.3.0-7+deb11u1
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-c2jg-hw38-jrqq
NOTE: https://github.com/twisted/twisted/releases/tag/twisted-22.4.0rc1
NOTE: https://github.com/twisted/twisted/commit/592217e951363d60e9cd99c5bbfd23d4615043ac (twisted-22.04.0rc1)
@@ -42759,26 +42760,26 @@ CVE-2022-24776 (Flask-AppBuilder is an application development framework, built
CVE-2022-24775 (guzzlehttp/psr7 is a PSR-7 HTTP message library. Versions prior to 1.8 ...)
- php-guzzlehttp-psr7 1.8.5-1 (bug #1008236)
[bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u1
- [buster] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
+ [buster] - php-guzzlehttp-psr7 1.4.2-0.1+deb10u1
NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-q7rv-6hp3-vh96
CVE-2022-24774 (CycloneDX BOM Repository Server is a bill of materials (BOM) repositor ...)
NOT-FOR-US: CycloneDX BOM Repository Server
CVE-2022-24773 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
[bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
- [buster] - node-node-forge <no-dsa> (Minor issue)
+ [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24772 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
[bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
- [buster] - node-node-forge <no-dsa> (Minor issue)
+ [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24771 (Forge (also called `node-forge`) is a native implementation of Transpo ...)
- node-node-forge 1.3.0~dfsg-1
[bullseye] - node-node-forge 0.10.0~dfsg-3+deb11u1
- [buster] - node-node-forge <no-dsa> (Minor issue)
+ [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
NOTE: https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765
NOTE: https://github.com/digitalbazaar/forge/commit/3f0b49a0573ef1bb7af7f5673c0cfebf00424df1 (v1.3.0)
CVE-2022-24770 (`gradio` is an open source framework for building interactive machine ...)
@@ -44765,6 +44766,7 @@ CVE-2022-24192
CVE-2022-24191 (In HTMLDOC 1.9.14, an infinite loop in the gif_read_lzw function can l ...)
- htmldoc 1.9.15-1 (unimportant)
[bullseye] - htmldoc 1.9.11-4+deb11u3
+ [buster] - htmldoc 1.9.3-1+deb10u4
NOTE: https://github.com/michaelrsweet/htmldoc/commit/fb0334a51300988e9b83b9870d4063e86002b077 (v1.9.15)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/470
NOTE: Hang in CLI tool, no security impact
@@ -45762,7 +45764,7 @@ CVE-2022-23943 (Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Serv
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-23943
NOTE: Fixed by: https://svn.apache.org/r1898695
NOTE: Fixed by: https://svn.apache.org/r1898772
@@ -50546,21 +50548,21 @@ CVE-2022-22721 (If LimitXMLRequestBody is set to allow request bodies larger tha
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22721
NOTE: Fixed by: https://svn.apache.org/r1898693
CVE-2022-22720 (Apache HTTP Server 2.4.52 and earlier fails to close inbound connectio ...)
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22720
NOTE: Fixed by: https://svn.apache.org/r1898692
CVE-2022-22719 (A carefully crafted request body can cause a read to a random memory a ...)
{DLA-2960-1}
- apache2 2.4.53-1
[bullseye] - apache2 2.4.53-1~deb11u1
- [buster] - apache2 <no-dsa> (Minor issue)
+ [buster] - apache2 2.4.38-3+deb10u8
NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-22719
NOTE: Fixed by: https://svn.apache.org/r1898694
CVE-2022-22718 (Windows Print Spooler Elevation of Privilege Vulnerability. This CVE I ...)
@@ -52662,17 +52664,17 @@ CVE-2021-45911 (An issue was discovered in gif2apng 1.9. There is a heap-based b
{DLA-2937-1}
- gif2apng <removed> (bug #1002687)
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
- [buster] - gif2apng <no-dsa> (Minor issue)
+ [buster] - gif2apng 1.9+srconly-2+deb10u1
CVE-2021-45910 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
{DLA-2937-1}
- gif2apng <removed> (bug #1002667)
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
- [buster] - gif2apng <no-dsa> (Minor issue)
+ [buster] - gif2apng 1.9+srconly-2+deb10u1
CVE-2021-45909 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
{DLA-2937-1}
- gif2apng <removed> (bug #1002668)
[bullseye] - gif2apng 1.9+srconly-3+deb11u1
- [buster] - gif2apng <no-dsa> (Minor issue)
+ [buster] - gif2apng 1.9+srconly-2+deb10u1
CVE-2021-45908 (An issue was discovered in gif2apng 1.9. There is a stack-based buffer ...)
- gif2apng <removed> (bug #1002669; unimportant)
NOTE: Negligible security impact
@@ -52734,14 +52736,14 @@ CVE-2021-4185 (Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-17.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17745
CVE-2021-4184 (Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3 ...)
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-18.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17754
CVE-2021-4183 (Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of se ...)
@@ -52762,7 +52764,7 @@ CVE-2021-4181 (Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0
{DLA-2967-1}
- wireshark 3.6.2-1
[bullseye] - wireshark <no-dsa> (Minor issue)
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-21.html
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/5429
CVE-2021-45884 (In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based a ...)
@@ -56285,7 +56287,7 @@ CVE-2021-44907
CVE-2021-44906 (Minimist <=1.2.5 is vulnerable to Prototype Pollution via file inde ...)
- node-minimist 1.2.6+~cs5.3.2-1
[bullseye] - node-minimist 1.2.5+~cs5.3.1-2+deb11u1
- [buster] - node-minimist <no-dsa> (Minor issue)
+ [buster] - node-minimist 1.2.0-1+deb10u2
[stretch] - node-minimist <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/substack/minimist/issues/164
NOTE: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
@@ -59499,7 +59501,7 @@ CVE-2022-21716 (Twisted is an event-based framework for internet applications, s
{DLA-2938-1}
- twisted 22.2.0-1
[bullseye] - twisted 20.3.0-7+deb11u1
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx
NOTE: https://github.com/twisted/twisted/commit/98387b39e9f0b21462f6abc7a1325dc370fcdeb1
NOTE: https://twistedmatrix.com/trac/ticket/10284
@@ -59513,7 +59515,7 @@ CVE-2022-21712 (twisted is an event-driven networking engine written in Python.
{DLA-2927-1}
- twisted 22.1.0-1
[bullseye] - twisted 20.3.0-7+deb11u1
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-92x2-jw7w-xvvx
NOTE: https://github.com/twisted/twisted/commit/af8fe78542a6f2bf2235ccee8158d9c88d31e8e2 (twisted-22.1.0rc1)
CVE-2022-21711 (elfspirit is an ELF static analysis and injection framework that parse ...)
@@ -63269,7 +63271,7 @@ CVE-2022-20796 (On May 4, 2022, the following vulnerability in the ClamAV scanni
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20795 (A vulnerability in the implementation of the Datagram TLS (DTLS) proto ...)
NOT-FOR-US: Cisco
@@ -63281,7 +63283,7 @@ CVE-2022-20792 (A vulnerability in the regex module used by the signature databa
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20791 (A vulnerability in the database user privileges of Cisco Unified Commu ...)
NOT-FOR-US: Cisco
@@ -63299,7 +63301,7 @@ CVE-2022-20785 (On April 20, 2022, the following vulnerability in the ClamAV sca
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20784 (A vulnerability in the Web-Based Reputation Score (WBRS) engine of Cis ...)
NOT-FOR-US: Cisco
@@ -63331,13 +63333,13 @@ CVE-2022-20771 (On April 20, 2022, the following vulnerability in the ClamAV sca
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20770 (On April 20, 2022, the following vulnerability in the ClamAV scanning ...)
{DLA-3042-1}
- clamav 0.103.6+dfsg-1
[bullseye] - clamav 0.103.6+dfsg-0+deb11u1
- [buster] - clamav <no-dsa> (clamav is updated via -updates)
+ [buster] - clamav 0.103.6+dfsg-0+deb10u1
NOTE: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
CVE-2022-20769
RESERVED
@@ -70325,7 +70327,7 @@ CVE-2021-41125 (Scrapy is a high-level web crawling and scraping framework for P
{DLA-2950-1}
- python-scrapy 2.5.1-1
[bullseye] - python-scrapy 2.4.1-2+deb11u1
- [buster] - python-scrapy <no-dsa> (Minor issue)
+ [buster] - python-scrapy 1.5.1-1+deb10u1
NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-jwqp-28gf-p498
NOTE: Fixed by: https://github.com/scrapy/scrapy/commit/b01d69a1bf48060daec8f751368622352d8b85a6 (1.8)
CVE-2021-41124 (Scrapy-splash is a library which provides Scrapy and JavaScript integr ...)
@@ -77277,21 +77279,21 @@ CVE-2021-3698 (A flaw was found in Cockpit in versions prior to 260 in the way i
CVE-2021-3697 (A crafted JPEG image may lead the JPEG reader to underflow its data po ...)
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
CVE-2021-3696 (A heap out-of-bounds write may heppen during the handling of Huffman t ...)
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
CVE-2021-3695 (A crafted 16-bit grayscale PNG image may lead to a out-of-bounds write ...)
- grub2 2.06-3
[bullseye] - grub2 2.06-3~deb11u1
- [buster] - grub2 <no-dsa> (Minor issue, fix via point release)
+ [buster] - grub2 2.06-3~deb10u1
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
[jessie] - grub2 <ignored> (No SecureBoot support in jessie)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
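Review bot: `2.06-3~deb10u1` is a `~`-suffixed rebuild of the same 2.06-3 source that fixes unstable, so buster moves to the upstream 2.06 codebase instead of receiving three backported patches; for the boot loader that is more than the replaced `(Minor issue, fix via point release)` rationale implies, and a NOTE recording that the buster fix is a 2.06 rebase would help anyone later bisecting a regression. The unchanged stretch/jessie `<ignored>` lines keep the `No SecureBoot support` reasoning, which remains the right justification: these are image-parser memory-safety bugs in grub that only cross a trust boundary when grub is part of a Secure Boot chain. data/next-oldstable-point-update.txt pairs this same version with CVE-2022-28733 through CVE-2022-28736, so those four entries need the identical line.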
@@ -80453,7 +80455,7 @@ CVE-2021-3657 (A flaw was found in mbsync versions prior to 1.4.4. Due to inadeq
{DLA-3066-1}
- isync 1.4.4-1
[bullseye] - isync 1.3.0-2.2+deb11u1
- [buster] - isync <no-dsa> (Minor issue)
+ [buster] - isync 1.3.0-2.2~deb10u2
NOTE: https://www.openwall.com/lists/oss-security/2021/12/03/1
CVE-2021-37159 (hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel throu ...)
{DLA-2843-1 DLA-2785-1}
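Review bot: the `~deb10u2` suffix on `isync 1.3.0-2.2~deb10u2` implies an earlier `~deb10u1` upload already existed in buster, so please confirm the CVE-2021-3657 fix entered with u2 rather than u1 before recording u2 as the first fixed version (data/next-oldstable-point-update.txt agrees on u2). Version ordering is fine: `~deb10u2` sorts below the bare `1.3.0-2.2` and therefore below bullseye's `1.3.0-2.2+deb11u1`, so a buster to bullseye upgrade picks up the bullseye package.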
@@ -84408,7 +84410,7 @@ CVE-2021-3623 (A flaw was found in libtpms. The flaw can be triggered by special
NOTE: https://github.com/stefanberger/libtpms/commit/2e6173c273ca14adb11386db4e47622552b1c00e
CVE-2021-35525 (PostSRSd before 1.11 allows a denial of service (subprocess hang) if P ...)
- postsrsd 1.10-2 (bug #990439)
- [buster] - postsrsd <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - postsrsd 1.5-2+deb10u2
[stretch] - postsrsd <no-dsa> (Minor issue)
NOTE: https://bugs.gentoo.org/793674
NOTE: https://github.com/roehling/postsrsd/commit/077be98d8c8a9847e4ae0c7dc09e7474cbe27db2
@@ -99720,7 +99722,7 @@ CVE-2021-29626 (In FreeBSD 13.0-STABLE before n245117, 12.2-STABLE before r36955
- kfreebsd-10 <unfixed> (unimportant)
CVE-2021-29625 (Adminer is open-source database management software. A cross-site scri ...)
- adminer 4.7.9-2 (bug #988886)
- [buster] - adminer <no-dsa> (Minor issue)
+ [buster] - adminer 4.7.1-1+deb10u1
[stretch] - adminer <no-dsa> (Minor issue)
NOTE: https://github.com/vrana/adminer/security/advisories/GHSA-2v82-5746-vwqc
NOTE: https://github.com/vrana/adminer/commit/4043092ec2c0de2258d60a99d0c5958637d051a7
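Review bot: CVE-2021-29625, CVE-2021-21311 and CVE-2020-35572 all resolve to `adminer 4.7.1-1+deb10u1`, matching the three adminer entries dropped from data/next-oldstable-point-update.txt, so this single upload backports the 4.7.9 fixes (commit 4043092e here, ccd2374b for CVE-2021-21311) onto 4.7.1; a NOTE naming the deb10u1 patch set would make that traceable. The stretch line stays `<no-dsa> (Minor issue)` here, which is consistent with the other two entries where stretch is either no-dsa or not-affected.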
@@ -117834,7 +117836,7 @@ CVE-2021-22192 (An issue has been discovered in GitLab CE/EE affecting all versi
CVE-2021-22191 (Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 ...)
{DLA-2967-1}
- wireshark 3.4.4-1
- [buster] - wireshark <no-dsa> (Minor issue)
+ [buster] - wireshark 2.6.20-0+deb10u4
NOTE: https://www.wireshark.org/security/wnpa-sec-2021-03.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17232
CVE-2021-22190 (A path traversal vulnerability via the GitLab Workhorse in all version ...)
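Review bot: `2.6.20-0+deb10u4` is an upstream-tracking base (`-0`) with Debian patches stacked on top, and data/next-oldstable-point-update.txt removes nine wireshark CVEs with this same string (CVE-2021-4181, CVE-2021-4184, CVE-2021-4185, CVE-2021-22191, CVE-2022-0581, CVE-2022-0582, CVE-2022-0583, CVE-2022-0585, CVE-2022-0586), so the other eight CVE/list entries need the identical `[buster]` line. The description quoted here only names 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11; since buster's 2.6.x branch is outside that range, a NOTE stating why 2.6.20 was judged affected (and which upstream change was backported) would save the next triager from re-deriving it.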
@@ -121400,7 +121402,7 @@ CVE-2021-21312 (GLPI is open source software which stands for Gestionnaire Libre
CVE-2021-21311 (Adminer is an open-source database management in a single PHP file. In ...)
{DLA-2580-1}
- adminer 4.7.9-1
- [buster] - adminer <no-dsa> (Minor issue)
+ [buster] - adminer 4.7.1-1+deb10u1
NOTE: https://github.com/vrana/adminer/security/advisories/GHSA-x5r2-hj5c-8jx6
NOTE: https://github.com/vrana/adminer/commit/ccd2374b0b12bd547417bf0dacdf153826c83351 (v4.7.9)
CVE-2021-21310 (NextAuth.js (next-auth) is am open source authentication solution for ...)
@@ -122255,7 +122257,7 @@ CVE-2020-35574
RESERVED
CVE-2020-35572 (Adminer through 4.7.8 allows XSS via the history parameter to the defa ...)
- adminer 4.7.9-1
- [buster] - adminer <no-dsa> (Minor issue)
+ [buster] - adminer 4.7.1-1+deb10u1
[stretch] - adminer <not-affected> (Vulnerable code introduced in v4.7.0)
NOTE: https://sourceforge.net/p/adminer/bugs-and-features/775/
NOTE: https://github.com/vrana/adminer/security/advisories/GHSA-9pgx-gcph-mpqr
@@ -133495,6 +133497,7 @@ CVE-2021-0561 (In append_to_verify_fifo_interleaved_ of stream_encoder.c, there
{DLA-3094-1 DLA-2951-1}
- flac 1.3.4-1 (bug #1006339)
[bullseye] - flac 1.3.3-2+deb11u1
+ [buster] - flac 1.3.2-3+deb10u2
NOTE: https://github.com/xiph/flac/commit/e1575e4a7c5157cbf4e4a16dbd39b74f7174c7be (1.3.4)
NOTE: https://xiph.org/flac/changelog.html#flac_1.3.4
NOTE: https://android.googlesource.com/platform/external/flac/+/368eb3f5bec249a197c95a95583ff8153aa6a87f
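Review bot: no `<no-dsa>` line is replaced here; the header `-133495,6 +133497,7` confirms a pure insertion, meaning buster had no override for CVE-2021-0561 and the tracker listed it as open (status derived from the archive version) rather than deferred. The new `[buster] - flac 1.3.2-3+deb10u2` line closes that, sits in the conventional place after the bullseye line and before the NOTEs, and matches the flac entry removed from data/next-oldstable-point-update.txt.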
@@ -180013,13 +180016,13 @@ CVE-2020-10110 (** DISPUTED ** Citrix Gateway 11.1, 12.0, and 12.1 allows Inform
CVE-2020-10109 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...)
{DLA-2927-1 DLA-2145-1}
- twisted 18.9.0-7 (bug #953950)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR
NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
CVE-2020-10108 (In Twisted Web through 19.10.0, there was an HTTP request splitting vu ...)
{DLA-2927-1 DLA-2145-1}
- twisted 18.9.0-7 (bug #953950)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
NOTE: https://know.bishopfox.com/advisories/twisted-version-19.10.0#INOR
NOTE: https://github.com/twisted/twisted/commit/4a7d22e490bb8ff836892cc99a1f54b85ccb0281
CVE-2020-10107 (PHPGurukul Daily Expense Tracker System 1.0 is vulnerable to stored XS ...)
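Review bot: `18.9.0-3+deb10u1` is the first buster revision of twisted on top of the release version 18.9.0-3, so this one upload carries every deferred twisted CVE at once: the two here plus CVE-2019-12387, CVE-2019-12855, CVE-2022-21712, CVE-2022-21716 and CVE-2022-24801 from data/next-oldstable-point-update.txt. All seven entries should point at the same version; the hunks further down for CVE-2019-12855 and CVE-2019-12387 do, so please verify the three 2022 entries as well. Both entries here reference the same upstream commit 4a7d22e4, which is expected since CVE-2020-10108 and CVE-2020-10109 were fixed together.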
@@ -183026,7 +183029,6 @@ CVE-2020-8860 (This vulnerability allows remote attackers to execute arbitrary c
CVE-2020-8859 (This vulnerability allows remote attackers to create a denial-of-servi ...)
{DLA-3014-1}
- elog <removed>
- [buster] - elog <ignored> (Minor issue)
NOTE: https://elog.psi.ch/elogs/Forum/69114
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-20-252/
NOTE: https://bitbucket.org/ritt/elog/commits/033e292301fa569738b20768b8d1f1d7d0bc1ca7
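Review bot: dropping `[buster] - elog <ignored> (Minor issue)` leaves only `- elog <removed>`, so the tracker will now derive buster's status for CVE-2020-8859 from the archive contents: correct if elog is gone from buster too, but if the package is still present there this CVE flips from ignored to open. Please confirm the buster removal actually landed before merging; the sibling entries for other elog CVEs presumably carry the same `<ignored>` line and should be handled identically.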
@@ -183943,7 +183945,7 @@ CVE-2020-8516 (** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x thro
CVE-2019-20446 (In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file with nest ...)
{DLA-2285-1}
- librsvg 2.46.4-1
- [buster] - librsvg <no-dsa> (Will be fixed via spu)
+ [buster] - librsvg 2.44.10-2.1+deb10u1
[jessie] - librsvg <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/librsvg/issues/515
NOTE: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135
@@ -185370,7 +185372,7 @@ CVE-2019-20420
RESERVED
CVE-2015-9541 (Qt through 5.14 allows an exponential XML entity expansion attack via ...)
- qtbase-opensource-src 5.12.5+dfsg-9 (low; bug #951066)
- [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u5
[stretch] - qtbase-opensource-src <no-dsa> (Minor issue)
[jessie] - qtbase-opensource-src <ignored> (Minor issue; upstream patches use not-yet-available QStringView API)
NOTE: https://bugreports.qt.io/browse/QTBUG-47417
@@ -186059,7 +186061,7 @@ CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to in
CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...)
- golang-github-russellhaering-goxmldsig 1.1.1-1 (bug #968928)
[bullseye] - golang-github-russellhaering-goxmldsig 1.1.0-1+deb11u1
- [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
+ [buster] - golang-github-russellhaering-goxmldsig 0.0~git20170911.b7efc62-1+deb10u1
NOTE: https://github.com/russellhaering/goxmldsig/issues/48
NOTE: https://github.com/russellhaering/goxmldsig/commit/fb23e0af61c023e3a6dae8ad30dbd0f04d8a4d8f
CVE-2020-7710 (This affects all versions of package safe-eval. It is possible for an ...)
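Review bot: `golang-github-russellhaering-goxmldsig` is a Go library, so the `0.0~git20170911.b7efc62-1+deb10u1` source update only reaches users once each buster binary that statically links goxmldsig is rebuilt against it; the entry is correct for the source package, but a NOTE listing the reverse dependencies rebuilt (or still pending) in buster would make the fixed status meaningful for anyone checking an installed system.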
@@ -211989,7 +211991,7 @@ CVE-2019-17186 (/var/WEB-GUI/cgi-bin/telnet.cgi on FiberHome HG2201T 1.00.M5007_
NOT-FOR-US: FiberHome HG2201T devices
CVE-2019-17185 (In FreeRADIUS 3.0.x before 3.0.20, the EAP-pwd module used a global Op ...)
- freeradius 3.0.20+dfsg-1
- [buster] - freeradius <no-dsa> (Minor issue)
+ [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
[stretch] - freeradius <no-dsa> (Minor issue)
[jessie] - freeradius <not-affected> (Vulnerable code not present; EAP-pwd module introduced in later version)
NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6b522f8780813726799e6b8cf0f1f8e0ce2c8ebf
@@ -212109,7 +212111,7 @@ CVE-2019-17135 (This vulnerability allows remote attackers to execute arbitrary
NOT-FOR-US: Foxit PhantomPDF
CVE-2019-17134 (Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 ...)
- octavia 4.0.0-6 (bug #941897)
- [buster] - octavia <no-dsa> (Minor issue in regular setups, can be fixed via point release)
+ [buster] - octavia 3.0.0-3+deb10u1
CVE-2019-17132 (vBulletin through 5.5.4 mishandles custom avatars. ...)
NOT-FOR-US: vBulletin
CVE-2019-17131 (vBulletin before 5.5.4 allows clickjacking. ...)
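Review bot: unlike the other entries touched here, CVE-2019-17134 has no NOTE line at all, so nothing beyond `(bug #941897)` documents which upstream change `octavia 3.0.0-3+deb10u1` backports from the 4.0.0-6 fix. Suggest adding a NOTE with the upstream advisory or commit reference before closing the buster status, especially since the replaced rationale (`Minor issue in regular setups`) hints that impact depends on deployment.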
@@ -219244,7 +219246,7 @@ CVE-2019-14858 (A vulnerability was found in Ansible engine 2.x up to 2.8 and An
CVE-2019-14857 (A flaw was found in mod_auth_openidc before version 2.4.0.1. An open r ...)
{DLA-2298-1 DLA-1996-1}
- libapache2-mod-auth-openidc 2.4.0.3-1 (bug #942165)
- [buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
+ [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/5c15dfb08106c2451c2c44ce7ace6813c216ba75
NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/ce37080c6aea30aabae8b4a9b4eea7808445cc8e
NOTE: https://github.com/zmartzone/mod_auth_openidc/pull/451
@@ -224809,7 +224811,7 @@ CVE-2019-13457 (An issue was discovered in Open Ticket Request System (OTRS) 7.0
NOTE: https://otrs.com/release-notes/otrs-security-advisory-2019-11/
CVE-2019-13456 (In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd h ...)
- freeradius 3.0.20+dfsg-1
- [buster] - freeradius <no-dsa> (Minor issue)
+ [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
[stretch] - freeradius <no-dsa> (Minor issue)
[jessie] - freeradius <not-affected> (Vulnerable code introduced later in version 3.0.0)
NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/3ea2a5a026e73d81cd9a3e9bbd4300c433004bfa (release_3_0_20)
@@ -226284,7 +226286,7 @@ CVE-2019-12954 (SolarWinds Network Performance Monitor (Orion Platform 2018, NPM
NOT-FOR-US: SolarWinds
CVE-2019-12953 (Dropbear 2011.54 through 2018.76 has an inconsistent failure delay tha ...)
- dropbear 2019.78-1 (bug #1009062)
- [buster] - dropbear <no-dsa> (Minor issue)
+ [buster] - dropbear 2018.76-5+deb10u1
[stretch] - dropbear <postponed> (Minor issue but fixed along next DLA)
NOTE: https://hg.ucc.asn.au/dropbear/rev/228b086794b7
CVE-2019-12952
@@ -226533,7 +226535,7 @@ CVE-2019-12856
RESERVED
CVE-2019-12855 (In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP su ...)
- twisted 18.9.0-7 (bug #930626)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
[stretch] - twisted <no-dsa> (Minor issue)
[jessie] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/pull/1147
@@ -227819,7 +227821,7 @@ CVE-2019-12388 (Anviz access control devices perform cleartext transmission of s
NOT-FOR-US: Anviz
CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did not validate or sanitize URI ...)
- twisted 18.9.0-7 (bug #930389)
- [buster] - twisted <no-dsa> (Minor issue)
+ [buster] - twisted 18.9.0-3+deb10u1
[stretch] - twisted <no-dsa> (Minor issue)
[jessie] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -1,169 +1,3 @@
-CVE-2021-44906
- [buster] - node-minimist 1.2.0-1+deb10u2
-CVE-2022-24773
- [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
-CVE-2022-24772
- [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
-CVE-2022-24771
- [buster] - node-node-forge 0.8.1~dfsg-1+deb10u1
-CVE-2019-17134
- [buster] - octavia 3.0.0-3+deb10u1
-CVE-2019-14857
- [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u1
-CVE-2020-35572
- [buster] - adminer 4.7.1-1+deb10u1
-CVE-2021-21311
- [buster] - adminer 4.7.1-1+deb10u1
-CVE-2021-29625
- [buster] - adminer 4.7.1-1+deb10u1
-CVE-2021-35525
- [buster] - postsrsd 1.5-2+deb10u2
-CVE-2015-9541
- [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u5
-CVE-2020-7711
- [buster] - golang-github-russellhaering-goxmldsig 0.0~git20170911.b7efc62-1+deb10u1
-CVE-2022-25308
- [buster] - fribidi 1.0.5-3.1+deb10u2
-CVE-2022-25309
- [buster] - fribidi 1.0.5-3.1+deb10u2
-CVE-2022-25310
- [buster] - fribidi 1.0.5-3.1+deb10u2
-CVE-2022-26505
- [buster] - minidlna 1.2.1+dfsg-2+deb10u3
-CVE-2019-12953
- [buster] - dropbear 2018.76-5+deb10u1
-CVE-2022-1328
- [buster] - mutt 1.10.1-2.1+deb10u6
-CVE-2022-27406
- [buster] - freetype 2.9.1-3+deb10u3
-CVE-2022-27405
- [buster] - freetype 2.9.1-3+deb10u3
-CVE-2022-27404
- [buster] - freetype 2.9.1-3+deb10u3
-CVE-2021-0561
- [buster] - flac 1.3.2-3+deb10u2
-CVE-2022-29078
- [buster] - node-ejs 2.5.7-1+deb10u1
-CVE-2019-12387
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2019-12855
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2020-10108
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2020-10109
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-21712
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-21716
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-24801
- [buster] - twisted 18.9.0-3+deb10u1
-CVE-2022-30333
- [buster] - unrar-nonfree 1:5.6.6-1+deb10u1
-CVE-2021-41125
- [buster] - python-scrapy 1.5.1-1+deb10u1
-CVE-2022-0577
- [buster] - python-scrapy 1.5.1-1+deb10u1
-CVE-2022-24191
- [buster] - htmldoc 1.9.3-1+deb10u4
-CVE-2022-27114
- [buster] - htmldoc 1.9.3-1+deb10u4
-CVE-2022-28085
- [buster] - htmldoc 1.9.3-1+deb10u4
-CVE-2022-20770
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20796
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20771
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20785
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-20792
- [buster] - clamav 0.103.6+dfsg-0+deb10u1
-CVE-2022-24828
- [buster] - composer 1.8.4-1+deb10u2
-CVE-2022-24775
- [buster] - php-guzzlehttp-psr7 1.4.2-0.1+deb10u1
-CVE-2021-4181
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2021-4184
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2021-4185
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2021-22191
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0581
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0582
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0583
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0585
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-0586
- [buster] - wireshark 2.6.20-0+deb10u4
-CVE-2022-28181
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
-CVE-2022-28185
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.151-1~deb10u1
-CVE-2022-22719
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-22720
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-22721
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-23943
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-26377
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-28615
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-28614
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-29404
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-30522
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-30556
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2022-31813
- [buster] - apache2 2.4.38-3+deb10u8
-CVE-2021-3657
- [buster] - isync 1.3.0-2.2~deb10u2
-CVE-2022-32308
- [buster] - ublock-origin 1.42.0+dfsg-1~deb10u1
-CVE-2021-45911
- [buster] - gif2apng 1.9+srconly-2+deb10u1
-CVE-2021-45910
- [buster] - gif2apng 1.9+srconly-2+deb10u1
-CVE-2021-45909
- [buster] - gif2apng 1.9+srconly-2+deb10u1
-CVE-2022-28736
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-28735
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-28734
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-28733
- [buster] - grub2 2.06-3~deb10u1
-CVE-2021-3697
- [buster] - grub2 2.06-3~deb10u1
-CVE-2021-3696
- [buster] - grub2 2.06-3~deb10u1
-CVE-2021-3695
- [buster] - grub2 2.06-3~deb10u1
-CVE-2022-31607
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
-CVE-2022-31608
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
-CVE-2022-31615
- [buster] - nvidia-graphics-drivers-legacy-390xx 390.154-1~deb10u1
-CVE-2019-13456
- [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
-CVE-2019-17185
- [buster] - freeradius 3.0.17+dfsg-1.1+deb10u1
-CVE-2019-20446
- [buster] - librsvg 2.44.10-2.1+deb10u1
CVE-2019-14433
[buster] - nova 2:18.1.0-6+deb10u1
CVE-2022-28737
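Review bot: the file keeps `CVE-2019-14433` / `[buster] - nova 2:18.1.0-6+deb10u1` and `CVE-2022-28737` even though CVE-2022-28737's grub2 siblings (CVE-2022-28733 through CVE-2022-28736 and CVE-2021-3695 through CVE-2021-3697, all `grub2 2.06-3~deb10u1`) are moved into data/CVE/list by this change; if CVE-2022-28737 is fixed by the same upload it should move with them, otherwise a comment explaining why it and the nova entry stay deferred would help. The hunk removes 166 lines, i.e. 83 CVE/version pairs, and each one should reappear in data/CVE/list with the identical version string: octavia, adminer, postsrsd, qtbase, goxmldsig, dropbear, flac, twisted, python-scrapy, wireshark, isync, freeradius, librsvg and grub2 do so in the hunks above, and the node-minimist, node-node-forge, fribidi, minidlna, mutt, freetype, node-ejs, unrar-nonfree, htmldoc, composer, php-guzzlehttp-psr7, nvidia-graphics-drivers-legacy-390xx, apache2, ublock-origin and gif2apng entries deserve the same one-to-one check. For nvidia-graphics-drivers-legacy-390xx note the two distinct versions (390.151-1~deb10u1 for CVE-2022-28181/CVE-2022-28185, 390.154-1~deb10u1 for CVE-2022-31607/CVE-2022-31608/CVE-2022-31615); each CVE/list entry should keep its own first-fixed version rather than collapsing both onto 390.154.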
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c530f7b206be57b81b57590f8bfe4e179756469b...21b19a8b7b667ddb05cfa6a49f794aad280e0409