[Git][security-tracker-team/security-tracker][master] 5 commits: Merge linux changes for bullseye 11.8
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Oct 7 11:15:02 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3376376c by Salvatore Bonaccorso at 2023-10-06T22:55:34+02:00
Merge linux changes for bullseye 11.8
- - - - -
027c1e33 by Salvatore Bonaccorso at 2023-10-06T22:58:33+02:00
Merge changes for updates with CVEs via bullseye 11.8
- - - - -
c2892966 by Salvatore Bonaccorso at 2023-10-06T22:59:37+02:00
Merge changes for updates without CVEs via bullseye 11.8
- - - - -
224944f2 by Salvatore Bonaccorso at 2023-10-07T12:12:12+02:00
Drop nomad for bullseye specific and unresolved entries as nomad is removed
- - - - -
d7328b6b by Salvatore Bonaccorso at 2023-10-07T10:14:43+00:00
Merge branch 'bullseye-11.8' into 'master'
Merge changes accepted for bullseye 11.8 release
See merge request security-tracker-team/security-tracker!149
- - - - -
2 changed files:
- data/CVE/list
- data/next-oldstable-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -378,16 +378,19 @@ CVE-2023-3037 (Improper authorization vulnerability in HelpDezk Community affect
CVE-2023-39194 [net: xfrm: Fix xfrm_address_filter OOB read]
- linux 6.4.13-1
[bookworm] - linux 6.1.52-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1492/
NOTE: https://git.kernel.org/linus/dfa73c17d55b921e1d4e154976de35317e43a93a (6.5-rc7)
CVE-2023-39193 [netfilter: xt_sctp: validate the flag_info count]
- linux 6.5.3-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1491/
NOTE: https://git.kernel.org/linus/e99476497687ef9e850748fe6d232264f30bc8f9 (6.6-rc1)
CVE-2023-39192 [netfilter: xt_u32: validate user space input]
- linux 6.5.3-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1490/
NOTE: https://git.kernel.org/linus/69c5d284f67089b4750d28ff6ac6f52ec224b330 (6.6-rc1)
CVE-2023-39191 (An improper input validation flaw was found in the eBPF subsystem in t ...)
@@ -1149,7 +1152,7 @@ CVE-2023-4316 (Zod in version 3.22.2 allows an attacker to perform a denial of s
CVE-2023-44469 (A Server-Side Request Forgery issue in the OpenID Connect Issuer in Le ...)
- lemonldap-ng 2.17.1+ds-1
[bookworm] - lemonldap-ng 2.16.1+ds-deb12u2
- [bullseye] - lemonldap-ng <no-dsa> (Minor issue)
+ [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u5
[buster] - lemonldap-ng <no-dsa> (Minor issue)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998
NOTE: https://security.lauritz-holtmann.de/post/sso-security-ssrf/
@@ -2213,12 +2216,14 @@ CVE-2022-48605 (Input verification vulnerability in the fingerprint module. Succ
CVE-2023-42756 (A flaw was found in the Netfilter subsystem of the Linux kernel. A rac ...)
- linux 6.5.6-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2023/09/27/2
NOTE: https://git.kernel.org/linus/7433b6d2afd512d04398c73aa984d1e285be125b (6.6-rc3)
CVE-2023-42755 (A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) clas ...)
- linux 6.3.7-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://lore.kernel.org/all/CADW8OBtkAf+nGokhD9zCFcmiebL1SM8bJp_oo=pE02BknG9qnQ@mail.gmail.com/
NOTE: https://git.kernel.org/linus/265b4da82dbf5df04bee5a5d46b7474b1aaf326a (6.3-rc1)
CVE-2023-40581 (yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp ...)
@@ -2621,7 +2626,7 @@ CVE-2023-4504 (Due to failure in validating the length provided by an attacker-c
{DLA-3594-1}
- cups 2.4.2-6
[bookworm] - cups 2.4.2-3+deb12u2
- [bullseye] - cups <no-dsa> (Minor issue)
+ [bullseye] - cups 2.3.3op2-3+deb11u4
- libppd <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2023/09/20/3
NOTE: https://takeonme.org/cves/CVE-2023-4504.html
@@ -2790,11 +2795,13 @@ CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creatin
CVE-2023-42754 (A NULL pointer dereference flaw was found in the Linux kernel ipv4 sta ...)
- linux 6.5.6-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://www.openwall.com/lists/oss-security/2023/10/02/8
NOTE: https://git.kernel.org/linus/0113d9c9d1ccc07f5a3710dac4aa24b6d711278c (6.6-rc3)
CVE-2023-42753 (An array indexing vulnerability was found in the netfilter subsystem o ...)
- linux 6.5.3-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://www.openwall.com/lists/oss-security/2023/09/22/10
NOTE: https://git.kernel.org/linus/050d91c03b28ca479df13dfb02bcd2c60dd6a878 (6.6-rc1)
CVE-2023-42752 [integer overflows in kmalloc_reserve()]
@@ -2849,7 +2856,7 @@ CVE-2023-43770 (Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.
{DLA-3577-1}
- roundcube 1.6.3+dfsg-1 (bug #1052059)
[bookworm] - roundcube 1.6.3+dfsg-1~deb12u1
- [bullseye] - roundcube <no-dsa> (Minor issue)
+ [bullseye] - roundcube 1.4.14+dfsg.1-1~deb11u1
NOTE: https://roundcube.net/news/2023/09/15/security-update-1.6.3-released
NOTE: Fixed by: https://github.com/roundcube/roundcubemail/commit/e92ec206a886461245e1672d8530cc93c618a49b (1.6.3)
CVE-2023-5036 (Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos ...)
@@ -2869,7 +2876,7 @@ CVE-2023-5029 (A vulnerability, which was classified as critical, was found in m
CVE-2023-43115 (In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead ...)
- ghostscript 10.02.0~dfsg-1
[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
- [bullseye] - ghostscript <no-dsa> (Minor issue; documented risks, can be fixed in later update)
+ [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
[buster] - ghostscript <ignored> (Minor issue; documented risks, have done refactoring in later versions)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707051
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5
@@ -3302,7 +3309,7 @@ CVE-2023-41081 (Important: Authentication Bypass CVE-2023-41081 The mod_jk comp
{DLA-3580-1}
- libapache-mod-jk 1:1.2.49-1 (bug #1051956)
[bookworm] - libapache-mod-jk 1:1.2.48-2+deb12u1
- [bullseye] - libapache-mod-jk <no-dsa> (Minor issue)
+ [bullseye] - libapache-mod-jk 1:1.2.48-1+deb11u1
NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2
NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
@@ -3431,6 +3438,7 @@ CVE-2023-4527 (A flaw was found in glibc. When the getaddrinfo function is calle
CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: sch_qf ...)
- linux 6.5.6-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://kernel.dance/#8fc134fee27f2263988ae38920bc03da416b03d8
NOTE: https://git.kernel.org/linus/8fc134fee27f2263988ae38920bc03da416b03d8 (6.6-rc1)
CVE-2023-4918 (A flaw was found in the Keycloak package, more specifically org.keyclo ...)
@@ -4168,10 +4176,12 @@ CVE-2023-4634 (The Media Library Assistant plugin for WordPress is vulnerable to
CVE-2023-4623 (A use-after-free vulnerability in the Linux kernel's net/sched: sch_hf ...)
- linux 6.5.3-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://git.kernel.org/linus/b3d26c5702c7d6c45456326e56d2ccf3f103e60f
CVE-2023-4622 (A use-after-free vulnerability in the Linux kernel's af_unix component ...)
{DSA-5492-1}
- linux 6.4.13-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://kernel.dance/790c2f9d15b594350ae9bca7b236f2b1859de02c
CVE-2023-4621
REJECTED
@@ -4184,6 +4194,7 @@ CVE-2023-4498 (Tenda N300 Wireless N VDSL2 Modem Router allows unauthenticated a
CVE-2023-4244 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...)
- linux 6.4.13-1
[bookworm] - linux 6.1.55-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://lore.kernel.org/netdev/20230810070830.24064-1-pablo@netfilter.org/
NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1-fw@strlen.de/
NOTE: https://kernel.dance/3e91b0ebd994635df2346353322ac51ce84ce6d8
@@ -6236,7 +6247,7 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3.
- python3.9 <removed>
- python3.7 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
- pypy3 7.3.13+dfsg-1
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
NOTE: https://github.com/python/cpython/issues/108310
@@ -6414,10 +6425,10 @@ CVE-2023-40477
{DLA-3543-1 DLA-3542-1}
- rar 2:6.23-1
[bookworm] - rar 2:6.23-1~deb12u1
- [bullseye] - rar <no-dsa> (Non-free not supported)
+ [bullseye] - rar 2:6.23-1~deb11u1
- unrar-nonfree 1:6.2.10-1
[bookworm] - unrar-nonfree 1:6.2.6-1+deb12u1
- [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported)
+ [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u3
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
NOTE: https://www.win-rar.com/singlenewsview.html?&L=0&tx_ttnews%5Btt_news%5D=232&cHash=c5bf79590657e32554c6683296a8e8aa
CVE-2023-38831 (RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code ...)
@@ -6608,7 +6619,7 @@ CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Pyth
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue40791
NOTE: https://github.com/python/cpython/commit/8183e11d87388e4e44e3242c42085b87a878f781 (v3.9.0b2)
NOTE: https://github.com/python/cpython/commit/c1bbca5b004b3f74d240ef8a76ff445cc1a27efb (v3.9.1rc1)
@@ -6620,7 +6631,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python thro
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue42051
NOTE: https://github.com/python/cpython/issues/86217
NOTE: https://github.com/python/cpython/commit/05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2 (v3.10.0a2)
@@ -6644,7 +6655,7 @@ CVE-2022-48560 (A use-after-free exists in Python through 3.9 via heappushpop in
- python3.9 <not-affected> (Fixed before initial upload to the archive)
- python3.7 3.7.7-1
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue39421
NOTE: https://github.com/python/cpython/issues/83602
NOTE: https://github.com/python/cpython/commit/79f89e6e5a659846d1068e8b1bd8e491ccdef861 (v3.9.0a3)
@@ -7554,7 +7565,7 @@ CVE-2023-40305 (GNU indent 2.2.13 has a heap-based buffer overflow in search_bra
CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because of un ...)
- inetutils 2:2.4-3 (bug #1049365)
[bookworm] - inetutils 2:2.4-2+deb12u1
- [bullseye] - inetutils <no-dsa> (Minor issue)
+ [bullseye] - inetutils 2:2.0-1+deb11u2
[buster] - inetutils <no-dsa> (Minor issue)
NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html
@@ -8773,7 +8784,7 @@ CVE-2023-36220 (Directory Traversal vulnerability in Textpattern CMS v4.8.8 allo
CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 an ...)
- krb5 1.20.1-3 (bug #1043431)
[bookworm] - krb5 1.20.1-2+deb12u1
- [bullseye] - krb5 <no-dsa> (Minor issue)
+ [bullseye] - krb5 1.18.3-6+deb11u4
[buster] - krb5 <postponed> (Minor issue, DoS)
NOTE: https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
CVE-2023-34477 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
@@ -8813,7 +8824,7 @@ CVE-2023-33906 (In Contacts Service, there is a possible missing permission chec
CVE-2022-48579 (UnRAR before 6.2.3 allows extraction of files outside of the destinati ...)
{DLA-3535-1}
- unrar-nonfree 1:6.2.3-1 (bug #1050080)
- [bullseye] - unrar-nonfree <no-dsa> (Non-free not supported)
+ [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u2
NOTE: https://github.com/pmachapman/unrar/commit/2ecab6bb5ac4f3b88f270218445496662020205f#diff-ca3086f578522062d7e390ed2cd7e10f646378a8b8cbf287a6e4db5966df68ee
CVE-2023-4196 (Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/co ...)
NOT-FOR-US: Cockpit CMS
@@ -9158,7 +9169,7 @@ CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling
{DLA-3604-1}
- qemu 1:8.0.4+dfsg-1
[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0)
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980 (master)
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f (v8.0.4)
@@ -9452,7 +9463,7 @@ CVE-2023-3364 (An issue has been discovered in GitLab CE/EE affecting all versio
CVE-2023-3301 (A flaw was found in QEMU. The async nature of hot-unplug enables a rac ...)
- qemu 1:8.0.3+dfsg-1
[bookworm] - qemu <no-dsa> (Minor issue)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[buster] - qemu <not-affected> (vhost-vdpa introduced in v5.1)
NOTE: https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 (v8.1.0-rc0)
NOTE: https://github.com/qemu/qemu/commit/aab37b2002811f112d5c26337473486d7d585881 (v8.0.3)
@@ -9475,7 +9486,7 @@ CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn
{DLA-3519-1}
- ghostscript 10.02.0~dfsg-1 (bug #1043033)
[bookworm] - ghostscript 10.0.0~dfsg-11+deb12u2
- [bullseye] - ghostscript <postponed> (Minor issue; can be batched together in a later update)
+ [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f (ghostpdl-10.02.0rc1)
CVE-2023-38357 (Session tokens in RWS WorldServer 11.7.3 and earlier have a low entrop ...)
@@ -9674,7 +9685,7 @@ CVE-2023-3817 (Issue summary: Checking excessively long DH keys or parameters ma
{DLA-3530-1}
- openssl 3.0.10-1
[bookworm] - openssl 3.0.10-1~deb12u1
- [bullseye] - openssl <postponed> (Minor issue, fix along with future DSA)
+ [bullseye] - openssl 1.1.1v-0~deb11u1
NOTE: https://www.openssl.org/news/secadv/20230731.txt
NOTE: https://www.openwall.com/lists/oss-security/2023/07/31/1
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1c16253f3c3a8d1e25918c3f404aae6a5b0893de (master)
@@ -10328,11 +10339,13 @@ CVE-2023-2626 (There exists an authentication bypass vulnerability in OpenThread
CVE-2023-3773 (A flaw was found in the Linux kernel\u2019s IP framework for transform ...)
{DSA-5492-1}
- linux 6.4.13-1
+ [bullseye] - linux 5.10.197-1
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://lore.kernel.org/all/20230723074110.3705047-1-linma@zju.edu.cn/T/#u
CVE-2023-3772 (A flaw was found in the Linux kernel\u2019s IP framework for transform ...)
{DSA-5492-1}
- linux 6.4.13-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://lore.kernel.org/netdev/20230721145103.2714073-1-linma@zju.edu.cn/
NOTE: https://www.openwall.com/lists/oss-security/2023/08/10/1
CVE-2023-37895 (Java object deserialization issue in Jackrabbit webapp/standalone on a ...)
@@ -10755,13 +10768,11 @@ CVE-2023-3779 (The Essential Addons For Elementor plugin for WordPress is vulner
NOT-FOR-US: WordPress plugin
CVE-2023-3300 (HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP ...)
- nomad <removed>
- [bullseye] - nomad <ignored> (Will be removed in Bullseye 11.8)
NOTE: https://discuss.hashicorp.com/t/hcsec-2023-22-nomad-search-api-leaks-information-about-csi-plugins/56272
CVE-2023-3299 (HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies ...)
- nomad <not-affected> (Specific to Nomad Enterprise)
CVE-2023-3072 (HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL ...)
- nomad <removed>
- [bullseye] - nomad <ignored> (Will be removed in Bullseye 11.8)
NOTE: https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270
CVE-2023-37362 (Weintek Weincloud v0.13.6 could allow an attacker to abuse the reg ...)
NOT-FOR-US: Weincloud
@@ -10787,7 +10798,7 @@ CVE-2023-38408 (The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an
{DLA-3532-1}
- openssh 1:9.3p2-1 (bug #1042460)
[bookworm] - openssh 1:9.2p1-2+deb12u1
- [bullseye] - openssh <no-dsa> (Minor issue; needs specific conditions and forwarding was always subject to caution warning)
+ [bullseye] - openssh 1:8.4p1-5+deb11u2
NOTE: https://www.openwall.com/lists/oss-security/2023/07/19/9
NOTE: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc
NOTE: https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a
@@ -10924,7 +10935,7 @@ CVE-2023-3446 (Issue summary: Checking excessively long DH keys or parameters ma
{DLA-3530-1}
- openssl 3.0.10-1 (bug #1041817)
[bookworm] - openssl 3.0.10-1~deb12u1
- [bullseye] - openssl <postponed> (Minor issue, fix along with future DSA)
+ [bullseye] - openssl 1.1.1v-0~deb11u1
NOTE: https://www.openssl.org/news/secadv/20230719.txt
NOTE: https://github.com/openssl/openssl/commit/9e0094e2aa1b3428a12d5095132f133c078d3c3d (master)
NOTE: https://github.com/openssl/openssl/commit/1fa20cf2f506113c761777127a38bce5068740eb (openssl-3.0.10)
@@ -12750,7 +12761,7 @@ CVE-2015-10119 (A vulnerability, which was classified as problematic, has been f
CVE-2023-XXXX [spip: Use a dedicated function to clean author data when preparing a session]
- spip 4.1.11+dfsg-1
[bookworm] - spip 4.1.9+dfsg-1+deb12u2
- [bullseye] - spip <no-dsa> (Minor issue)
+ [bullseye] - spip 3.2.11-3+deb11u9
[buster] - spip <no-dsa> (Minor issue)
NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-4-SPIP-4-1-11.html
CVE-2023-3568 (Open Redirect in GitHub repository alextselegidis/easyappointments pri ...)
@@ -13135,7 +13146,7 @@ CVE-2023-35936 (Pandoc is a Haskell library for converting from one markup forma
{DLA-3507-1}
- pandoc 2.17.1.1-2 (bug #1041976)
[bookworm] - pandoc 2.17.1.1-2~deb12u1
- [bullseye] - pandoc <no-dsa> (Minor issue)
+ [bullseye] - pandoc 2.9.2.1-1+deb11u1
NOTE: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g
NOTE: Fixed by: https://github.com/jgm/pandoc/commit/5e381e3878b5da87ee7542f7e51c3c1a7fd84b89 (3.1.4)
NOTE: Regression: https://github.com/jgm/pandoc/commit/54561e9a6667b36a8452b01d2def9e3642013dd6 (3.1.4)
@@ -13570,7 +13581,7 @@ CVE-2023-3478 (A vulnerability classified as critical was found in IBOS OA 4.5.5
CVE-2023-37365 (Hnswlib 0.7.0 has a double free in init_index when the M argument is a ...)
- hnswlib 0.7.0-1 (bug #1041426)
[bookworm] - hnswlib 0.6.2-2+deb12u1
- [bullseye] - hnswlib <no-dsa> (Minor issue)
+ [bullseye] - hnswlib 0.4.0-3+deb11u1
NOTE: https://github.com/nmslib/hnswlib/issues/467
CVE-2023-37360 (pacparser_find_proxy in Pacparser before 1.4.2 allows JavaScript injec ...)
- pacparser <unfixed> (bug #1041425)
@@ -13936,7 +13947,7 @@ CVE-2023-3355 (A NULL pointer dereference flaw was found in the Linux kernel's d
CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client connec ...)
- qemu 1:8.0.4+dfsg-1
[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html
@@ -14464,7 +14475,7 @@ CVE-2023-32360 (An authentication issue was addressed with improved state manage
{DLA-3594-1}
- cups 2.4.2-6 (bug #1051953)
[bookworm] - cups 2.4.2-3+deb12u2
- [bullseye] - cups <no-dsa> (Workaround exist; patch changes only default cupsd.conf; can be fixed via point release)
+ [bullseye] - cups 2.3.3op2-3+deb11u4
NOTE: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 (v2.4.3)
CVE-2023-32357 (An authorization issue was addressed with improved state management. T ...)
NOT-FOR-US: Apple
@@ -15200,7 +15211,7 @@ CVE-2023-34241 (OpenPrinting CUPS is a standards-based, open source printing sys
{DLA-3476-1}
- cups 2.4.2-5 (bug #1038885)
[bookworm] - cups 2.4.2-3+deb12u1
- [bullseye] - cups <no-dsa> (Minor issue; exploitable under specific conditions; can be fixed via point release)
+ [bullseye] - cups 2.3.3op2-3+deb11u3
NOTE: https://www.openwall.com/lists/oss-security/2023/06/22/4
NOTE: https://github.com/OpenPrinting/cups/commit/9809947a959e18409dcf562a3466ef246cb90cb2
NOTE: Introduced by: https://github.com/OpenPrinting/cups/commit/996acce8760c538b9fee69c99f274ffc27744386#diff-ea18088a3c3df78fec37244a94c58754b6e5cb7fbfd7066f6124de51a73c284d (v2.2b1)
@@ -15965,7 +15976,7 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash
[experimental] - dbus 1.15.6-1
- dbus 1.14.8-1 (bug #1037151)
[bookworm] - dbus 1.14.8-1~deb12u1
- [bullseye] - dbus <no-dsa> (Minor issue)
+ [bullseye] - dbus 1.12.28-0+deb11u1
[buster] - dbus <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457
CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...)
@@ -16371,7 +16382,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse
{DLA-3492-1 DLA-3478-1}
- yajl 2.1.0-5 (bug #1039984)
[bookworm] - yajl 2.1.0-3+deb12u2
- [bullseye] - yajl <no-dsa> (Minor issue)
+ [bullseye] - yajl 2.1.0-3+deb11u2
NOTE: https://github.com/lloyd/yajl/issues/250
NOTE: Introduced with: https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb (2.0.0)
NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete.
@@ -16835,7 +16846,7 @@ CVE-2023-32324 (OpenPrinting CUPS is an open source printing system. In versions
{DLA-3440-1}
- cups 2.4.2-4
[bookworm] - cups 2.4.2-3+deb12u1
- [bullseye] - cups <no-dsa> (Can be fixed via point release; exploitable when setting loglevel to DEBUG)
+ [bullseye] - cups 2.3.3op2-3+deb11u3
NOTE: https://github.com/OpenPrinting/cups/security/advisories/GHSA-cxc6-w2g7-69p7
NOTE: Fixed by: https://github.com/OpenPrinting/cups/commit/fd8bc2d32589d1fd91fe1c0521be2a7c0462109e
CVE-2023-3029 (A vulnerability has been found in Guangdong Pythagorean OA Office Syst ...)
@@ -21930,7 +21941,7 @@ CVE-2022-48438 (In cp_dump driver, there is a possible out of bounds write due t
CVE-2023-30570 (pluto in Libreswan before 4.11 allows a denial of service (responder S ...)
- libreswan 4.11-1 (bug #1035542)
[bookworm] - libreswan 4.10-2+deb12u1
- [bullseye] - libreswan <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - libreswan 4.3-1+deb11u4
[buster] - libreswan <not-affected> (The vulnerable code was introduced in version 3.28)
NOTE: https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
NOTE: https://github.com/libreswan/libreswan/issues/1039
@@ -22251,7 +22262,7 @@ CVE-2023-1990 (A use-after-free flaw was found in ndlc_remove in drivers/nfc/st-
CVE-2023-1989 (A use-after-free flaw was found in btsdio_remove in drivers\bluetooth\ ...)
{DSA-5492-1 DLA-3404-1 DLA-3403-1}
- linux 6.3.7-1
- [bullseye] - linux 5.10.178-1
+ [bullseye] - linux 5.10.197-1
NOTE: https://git.kernel.org/linus/1e9ac114c4428fdb7ff4635b45d4f46017e8916f (6.3-rc4)
CVE-2023-1988 (A vulnerability was found in SourceCodester Online Computer and Laptop ...)
NOT-FOR-US: SourceCodester Online Computer and Laptop Store
@@ -24558,7 +24569,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to execute
NOT-FOR-US: Novi Survey
CVE-2023-29491 (ncurses before 6.4 20230408, when used by a setuid application, allows ...)
- ncurses 6.4-3 (bug #1034372)
- [bullseye] - ncurses <no-dsa> (Minor issue)
+ [bullseye] - ncurses 6.2+20201114-2+deb11u2
[buster] - ncurses <no-dsa> (Minor issue)
NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408
NOTE: http://ncurses.scripts.mit.edu/?p=ncurses.git;a=commitdiff;h=eb51b1ea1f75a0ec17c9c5937cb28df1e8eeec56
@@ -25749,10 +25760,10 @@ CVE-2023-29198 (Electron is a framework which lets you write cross-platform desk
- electron <itp> (bug #842420)
CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...)
- php-guzzlehttp-psr7 2.4.5-1 (bug #1034581)
- [bullseye] - php-guzzlehttp-psr7 <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u2
[buster] - php-guzzlehttp-psr7 <no-dsa> (Minor issue)
- php-nyholm-psr7 1.5.1-2 (bug #1034597)
- [bullseye] - php-nyholm-psr7 <no-dsa> (Minor issue; can be fixed via point release)
+ [bullseye] - php-nyholm-psr7 1.3.2-2+deb11u1
NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw
NOTE: https://github.com/guzzle/psr7/commit/0454e12ef0cd597ccd2adb036f7bda4e7fface66 (2.4.5)
NOTE: https://github.com/Nyholm/psr7/security/advisories/GHSA-wjfc-pgfp-pv9c
@@ -26629,7 +26640,7 @@ CVE-2023-28744 (A use-after-free vulnerability exists in the JavaScript engine o
CVE-2023-1672 (A race condition exists in the Tang server functionality for key gener ...)
- tang 14-1 (bug #1038119)
[bookworm] - tang 11-2+deb12u1
- [bullseye] - tang <no-dsa> (Minor issue)
+ [bullseye] - tang 8-3+deb11u2
[buster] - tang <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
NOTE: https://census-labs.com/news/2023/06/15/race-tang/
@@ -27567,7 +27578,7 @@ CVE-2023-1545 (SQL Injection in GitHub repository nilsteampassnet/teampass prior
CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...)
- qemu 1:8.0.2+dfsg-1 (bug #1034179)
[bookworm] - qemu <no-dsa> (Minor issue)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (v8.0.0-rc0)
@@ -27859,7 +27870,7 @@ CVE-2023-28617 (org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1
{DLA-3416-1}
[experimental] - org-mode 9.6.6+dfsg-1~exp1
- org-mode 9.5.2+dfsh-5 (bug #1033341)
- [bullseye] - org-mode <no-dsa> (Minor issue)
+ [bullseye] - org-mode 9.4.0+dfsg-1+deb11u1
[buster] - org-mode <no-dsa> (Minor issue)
- emacs 1:28.2+1-14 (bug #1033342)
[bullseye] - emacs <no-dsa> (Minor issue)
@@ -28965,14 +28976,14 @@ CVE-2023-28323 (A deserialization of untrusted data exists in EPM 2022 Su3 and a
NOT-FOR-US: Ivanti
CVE-2023-28322 (An information disclosure vulnerability exists in curl <v8.1.0 when do ...)
- curl 7.88.1-10 (bug #1036239)
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u9
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-28322.html
NOTE: Introduced by: https://github.com/curl/curl/commit/546572da0457f37c698c02d0a08d90fdfcbeedec (curl-7_7)
NOTE: Fixed by: https://github.com/curl/curl/commit/7815647d6582c0a4900be2e1de6c5e61272c496b (curl-8_1_0)
CVE-2023-28321 (An improper certificate validation vulnerability exists in curl <v8.1. ...)
- curl 7.88.1-10 (bug #1036239)
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u9
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-28321.html
NOTE: Introduced by: https://github.com/curl/curl/commit/9631fa740708b1890197fad01e25b34b7e8eb80e (curl-7_12_0)
@@ -31522,7 +31533,7 @@ CVE-2023-27539
CVE-2023-27538 (An authentication bypass vulnerability exists in libcurl prior to v8.0 ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27538.html
NOTE: Fixed by: https://github.com/curl/curl/commit/af369db4d3833272b8ed443f7fcc2e757a0872eb (curl-8_0_0)
CVE-2023-27537 (A double free vulnerability exists in libcurl <8.0.0 when sharing HSTS ...)
@@ -31535,20 +31546,20 @@ CVE-2023-27537 (A double free vulnerability exists in libcurl <8.0.0 when sharin
CVE-2023-27536 (An authentication bypass vulnerability exists libcurl <8.0.0 in the co ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27536.html
NOTE: Introduced by: https://github.com/curl/curl/commit/ebf42c4be76df40ec6d3bf32f229bbb274e2c32f (curl-7_22_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/cb49e67303dbafbab1cebf4086e3ec15b7d56ee5 (curl-8_0_0)
CVE-2023-27535 (An authentication bypass vulnerability exists in libcurl <8.0.0 in the ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27535.html
NOTE: Introduced by: https://github.com/curl/curl/commit/177dbc7be07125582ddb7416dba7140b88ab9f62 (curl-7_13_0)
NOTE: Fixed by: https://github.com/curl/curl/commit/8f4608468b890dce2dad9f91d5607ee7e9c1aba1 (curl-8_0_0)
CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implementati ...)
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
[buster] - curl <no-dsa> (Minor issue)
NOTE: https://curl.se/docs/CVE-2023-27534.html
NOTE: Introduced by: https://github.com/curl/curl/commit/ba6f20a2442ab1ebfe947cff19a552f92114a29a (curl-7_18_0)
@@ -31556,7 +31567,7 @@ CVE-2023-27534 (A path traversal vulnerability exists in curl <8.0.0 SFTP implem
CVE-2023-27533 (A vulnerability in input validation exists in curl <8.0 during communi ...)
{DLA-3398-1}
- curl 7.88.1-7
- [bullseye] - curl <no-dsa> (Minor issue)
+ [bullseye] - curl 7.74.0-1.3+deb11u8
NOTE: https://curl.se/docs/CVE-2023-27533.html
NOTE: Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (curl-7_7_alpha2)
NOTE: Fixed by: https://github.com/curl/curl/commit/538b1e79a6e7b0bb829ab4cecc828d32105d0684 (curl-8_0_0)
@@ -36358,7 +36369,6 @@ CVE-2023-0822 (The affected product DIAEnergie (versions prior to v1.9.03.001) c
NOT-FOR-US: DIAEnergie
CVE-2023-0821 (HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4.3 job ...)
- nomad <removed> (bug #1034181)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2023-05-nomad-client-vulnerable-to-decompression-bombs-in-artifact-block/50292
CVE-2023-0820 (The User Role by BestWebSoft WordPress plugin before 1.6.7 does not pr ...)
NOT-FOR-US: WordPress plugin
@@ -37480,12 +37490,12 @@ CVE-2023-25516 (NVIDIA GPU Display Driver for Linux contains a vulnerability in
[bookworm] - nvidia-graphics-drivers-tesla 525.125.06-1~deb12u1
- nvidia-graphics-drivers-tesla-470 470.199.02-1 (bug #1039684)
[bookworm] - nvidia-graphics-drivers-tesla-470 470.199.02-1~deb12u1
- [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1039683)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-450 450.248.02-1 (bug #1039682)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1039681)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1039680)
@@ -37495,7 +37505,7 @@ CVE-2023-25516 (NVIDIA GPU Display Driver for Linux contains a vulnerability in
[buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers 525.125.06-1 (bug #1039678)
[bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.199.02-1
[buster] - nvidia-graphics-drivers <postponed> (Minor issue, revisit when/if fixed upstream)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468
CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
@@ -37505,12 +37515,12 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[bookworm] - nvidia-graphics-drivers-tesla 525.125.06-1~deb12u1
- nvidia-graphics-drivers-tesla-470 470.199.02-1 (bug #1039684)
[bookworm] - nvidia-graphics-drivers-tesla-470 470.199.02-1~deb12u1
- [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1039683)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-450 450.248.02-1 (bug #1039682)
- [bullseye] - nvidia-graphics-drivers-tesla-450 <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1039681)
[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1039680)
@@ -37520,7 +37530,7 @@ CVE-2023-25515 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne
[buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia anymore)
- nvidia-graphics-drivers 525.125.06-1 (bug #1039678)
[bookworm] - nvidia-graphics-drivers 525.125.06-1~deb12u1
- [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-graphics-drivers 470.199.02-1
[buster] - nvidia-graphics-drivers <postponed> (Minor issue, revisit when/if fixed upstream)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5468
CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...)
@@ -41040,7 +41050,7 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a
- python3.7 <removed>
[buster] - python3.7 <ignored> (Cf. related CVE-2022-0391)
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://pointernull.com/security/python-url-parse-problem.html
NOTE: https://github.com/python/cpython/pull/99421
NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch)
@@ -41132,7 +41142,7 @@ CVE-2023-24292
CVE-2023-24291 [A crafted save file can cause a buffer overrun in Simon Tatham's Portable Puzzle Collection]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24290
RESERVED
@@ -41141,12 +41151,12 @@ CVE-2023-24289
CVE-2023-24288 [A crafted save file can cause a buffer overrun in Simon Tatham's Portable Puzzle Collection]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24287 [A crafted save file can cause a buffer overrun in the Undead puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24286 [A crafted save file can cause a buffer overrun in the Mosaic puzzle]
RESERVED
@@ -41156,17 +41166,17 @@ CVE-2023-24286 [A crafted save file can cause a buffer overrun in the Mosaic puz
CVE-2023-24285 [A crafted save file can cause a buffer overrun in the Netslide puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24284 [A crafted save file can cause a buffer overrun in the Guess puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24283 [A crafted save file can cause a buffer overrun in the Guess puzzle]
RESERVED
- sgt-puzzles 20230122.806ae71-1 (bug #1028986)
- [bullseye] - sgt-puzzles <no-dsa> (Minor issue)
+ [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
[buster] - sgt-puzzles <no-dsa> (Minor issue)
CVE-2023-24282 (An arbitrary file upload vulnerability in Poly Trio 8800 7.2.2.1094 al ...)
NOT-FOR-US: Poly Trio 8800
@@ -42910,7 +42920,7 @@ CVE-2023-0330 (A vulnerability in the lsi53c895a device affects the latest versi
{DLA-3604-1}
- qemu 1:8.0.2+dfsg-1 (bug #1029155)
[bookworm] - qemu 1:7.2+dfsg-7+deb12u1
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151
NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/e49884a90987744ddb54b2fadc770633eb6a4d62 (v8.0.1)
@@ -52472,7 +52482,7 @@ CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denia
- mariadb 1:10.11.3-1 (bug #1034889)
- mariadb-10.6 <removed>
- mariadb-10.5 <removed>
- [bullseye] - mariadb-10.5 <no-dsa> (Minor issue)
+ [bullseye] - mariadb-10.5 1:10.5.20-0+deb11u1
- mariadb-10.3 <removed>
NOTE: https://jira.mariadb.org/browse/MDEV-29644
CVE-2022-47014
@@ -55356,7 +55366,7 @@ CVE-2022-46176 (Cargo is a Rust package manager. The Rust Security Response WG w
NOTE: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176
CVE-2022-46175 (JSON5 is an extension to the popular JSON file format that aims to be ...)
- node-json5 2.2.3+dfsg-1 (bug #1027145)
- [bullseye] - node-json5 <no-dsa> (Minor issue)
+ [bullseye] - node-json5 2.1.3-2+deb11u1
[buster] - node-json5 <no-dsa> (Minor issue)
NOTE: https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h
NOTE: https://github.com/json5/json5/issues/199
@@ -56830,7 +56840,7 @@ CVE-2022-45583
CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru 20.1. ...)
- horizon 3:23.1.0-3
[bookworm] - horizon 3:23.0.0-5+deb12u1
- [bullseye] - horizon <no-dsa> (Minor issue)
+ [bullseye] - horizon 3:18.6.2-5+deb11u2
[buster] - horizon <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/horizon/+bug/1982676
NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0)
@@ -59547,14 +59557,14 @@ CVE-2022-44731 (A vulnerability has been identified in SIMATIC WinCC OA V3.15 (A
CVE-2022-44730 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...)
- batik 1.17+dfsg-1
[bookworm] - batik 1.16+dfsg-1+deb12u1
- [bullseye] - batik <no-dsa> (Minor issue)
+ [bullseye] - batik 1.12-4+deb11u2
[buster] - batik <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/3
NOTE: https://issues.apache.org/jira/browse/BATIK-1347
CVE-2022-44729 (Server-Side Request Forgery (SSRF) vulnerability in Apache Software Fo ...)
- batik 1.17+dfsg-1
[bookworm] - batik 1.16+dfsg-1+deb12u1
- [bullseye] - batik <no-dsa> (Minor issue)
+ [bullseye] - batik 1.12-4+deb11u2
[buster] - batik <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/22/2
NOTE: https://issues.apache.org/jira/browse/BATIK-1349
@@ -63152,6 +63162,7 @@ CVE-2023-20589 (An attacker with specialized hardware and physical access to an
CVE-2023-20588 (A division-by-zero error on some AMD processors can potentially return ...)
{DSA-5492-1 DSA-5480-1}
- linux 6.4.13-1
+ [bullseye] - linux 5.10.197-1
- xen <unfixed>
[bookworm] - xen <postponed> (Minor issue, fix along in future DSA or point release)
[bullseye] - xen <postponed> (Minor issue, fix along in future DSA or point release)
@@ -63971,7 +63982,7 @@ CVE-2023-20197 (A vulnerability in the filesystem image parser for Hierarchical
{DLA-3544-1}
- clamav 1.0.2+dfsg-1 (bug #1050057)
[bookworm] - clamav 1.0.2+dfsg-1~deb12u1
- [bullseye] - clamav <no-dsa> (clamav is updated via -updates)
+ [bullseye] - clamav 0.103.9+dfsg-0+deb11u1
NOTE: https://blog.clamav.net/2023/07/2023-08-16-releases.html
CVE-2023-20196
RESERVED
@@ -71047,7 +71058,6 @@ CVE-2022-41608 (Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser
NOT-FOR-US: WordPress plugin
CVE-2022-41606 (HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 job ...)
- nomad <removed> (bug #1021670)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420
CVE-2022-41605
RESERVED
@@ -97707,7 +97717,7 @@ CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the ProtocolBu
{DLA-3393-1}
[experimental] - protobuf 3.20.2-1
- protobuf 3.21.9-3
- [bullseye] - protobuf <no-dsa> (Minor issue)
+ [bullseye] - protobuf 3.12.4-1+deb11u1
NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1
NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
NOTE: https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2)
@@ -102317,7 +102327,7 @@ CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory trav
[buster] - unrar-nonfree 1:5.6.6-1+deb10u1
[stretch] - unrar-nonfree <no-dsa> (Non-free not supported)
- rar 2:6.20~b1-0.1 (bug #1012228)
- [bullseye] - rar <no-dsa> (Non-free not supported)
+ [bullseye] - rar 2:6.20-0.1~deb11u1
[stretch] - rar <no-dsa> (Non-free not supported)
NOTE: 6.12 application version corresponds to 6.1.7 source version:
NOTE: https://github.com/debian-calibre/unrar-nonfree/compare/upstream/6.1.6...upstream/6.1.7
@@ -103546,7 +103556,7 @@ CVE-2022-1538
CVE-2022-1537 (file.copy operations in GruntJS are vulnerable to a TOCTOU race condit ...)
{DLA-3383-1}
- grunt 1.5.3-1
- [bullseye] - grunt <no-dsa> (Minor issue)
+ [bullseye] - grunt 1.3.0-1+deb11u2
NOTE: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/
NOTE: https://github.com/gruntjs/grunt/commit/58016ffac5ed9338b63ecc2a63710f5027362bae (v1.5.3)
CVE-2022-1536 (A vulnerability has been found in automad up to 1.10.9 and classified ...)
@@ -115547,7 +115557,7 @@ CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to
CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...)
{DLA-3350-1}
- node-css-what 5.0.1-1 (bug #1032188)
- [bullseye] - node-css-what <no-dsa> (Minor issue)
+ [bullseye] - node-css-what 4.0.0-3+deb11u1
NOTE: https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
NOTE: ReDoS issue fixed with rewrite of module to TypeScript
NOTE: Not fixed in 4.0.0 see https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84
@@ -118677,7 +118687,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation
[stretch] - ruby-yajl <no-dsa> (Minor issue)
- yajl 2.1.0-4 (bug #1040036)
[bookworm] - yajl 2.1.0-3+deb12u2
- [bullseye] - yajl <no-dsa> (Minor issue)
+ [bullseye] - yajl 2.1.0-3+deb11u2
- burp <unfixed> (bug #1040146)
[bookworm] - burp <no-dsa> (Minor issue)
[bullseye] - burp <no-dsa> (Minor issue)
@@ -119168,22 +119178,18 @@ CVE-2022-24687 (HashiCorp Consul and Consul Enterprise 1.9.0 through 1.9.14, 1.1
NOTE: https://github.com/hashicorp/consul/commit/d35c6a97cbdff252f5238d6b52f49786f896566a (v1.9.15)
CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and ...)
- nomad <removed> (bug #1021273)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559
CVE-2022-24685 (HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow i ...)
- nomad <removed> (bug #1021273)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561
NOTE: https://github.com/hashicorp/nomad/issues/12038
CVE-2022-24684 (HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and ...)
- nomad <removed> (bug #1021273)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562
NOTE: https://github.com/hashicorp/nomad/issues/12039
NOTE: https://github.com/hashicorp/nomad/commit/c49359ad58f0af18a5697a0b7b9b6cca9656d267 (v1.2.6)
CVE-2022-24683 (HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and ...)
- nomad <removed> (bug #1021273)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560
CVE-2022-24682 (An issue was discovered in the Calendar feature in Zimbra Collaboratio ...)
NOT-FOR-US: Zimbra
@@ -121322,7 +121328,7 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse
- python3.5 <removed>
- python3.4 <removed>
- python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
NOTE: https://bugs.python.org/issue43882
NOTE: Regressions reported for django, boto-core and cloud-init
NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1)
@@ -124758,7 +124764,7 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized a
CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI Host B ...)
{DLA-3362-1}
- qemu 1:7.1+dfsg-1 (bug #1014590)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953
NOTE: https://starlabs.sg/advisories/22/22-0216/
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -130581,7 +130587,7 @@ CVE-2021-45424
RESERVED
CVE-2021-45423 (A Buffer Overflow vulnerabilityexists in Pev 0.81 via the pe_exports f ...)
- pev 0.81-9 (bug #1034725)
- [bullseye] - pev <no-dsa> (Minor issue, will be fixed in next point release)
+ [bullseye] - pev 0.81-3+deb11u1
[buster] - pev <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/merces/libpe/issues/35
NOTE: https://github.com/merces/libpe/commit/9b5fedc37ccbcd23695a0e97c0fe46c999e26100
@@ -138434,7 +138440,6 @@ CVE-2021-43416
RESERVED
CVE-2021-43415 (HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0, w ...)
- nomad <removed> (bug #1021273)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
NOTE: https://github.com/hashicorp/nomad/issues/11542
NOTE: https://github.com/hashicorp/nomad/pull/11554
@@ -138474,7 +138479,7 @@ CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF))
CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEMU. It ...)
{DLA-3099-1 DLA-2970-1}
- qemu 1:6.2+dfsg-1
- [bullseye] - qemu <postponed> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 (v6.2.0-rc0)
@@ -154155,7 +154160,7 @@ CVE-2021-38186 (An issue was discovered in the comrak crate before 0.10.1 for Ru
CVE-2021-38185 (GNU cpio through 2.13 allows attackers to execute arbitrary code via a ...)
{DLA-3445-1}
- cpio 2.13+dfsg-5 (bug #992045)
- [bullseye] - cpio <no-dsa> (Minor issue)
+ [bullseye] - cpio 2.13+dfsg-7.1~deb11u1
[stretch] - cpio <no-dsa> (Minor issue)
NOTE: https://git.savannah.gnu.org/cgit/cpio.git/commit/?id=dd96882877721703e19272fe25034560b794061b
NOTE: https://github.com/fangqyi/cpiopwn
@@ -156760,7 +156765,6 @@ CVE-2021-37219 (HashiCorp Consul and Consul Enterprise 1.10.1 Raft RPC layer all
NOTE: https://github.com/hashicorp/consul/commit/ccf8eb1947357434eb6e66303ddab79f4c9d4103
CVE-2021-37218 (HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server ...)
- nomad <removed> (bug #1021273)
- [bullseye] - nomad <no-dsa> (Minor issue)
NOTE: https://discuss.hashicorp.com/t/hcsec-2021-21-nomad-raft-rpc-privilege-escalation/29023
NOTE: https://github.com/hashicorp/nomad/pull/11089 (main)
NOTE: https://github.com/hashicorp/nomad/commit/768d7c72a77e9c0415d92900753fc83e8822145a (release-1.1.4)
@@ -165059,7 +165063,7 @@ CVE-2021-33798 (A null pointer dereference was found in libpano13, version libpa
NOTE: duplicate of CVE-2021-33293, pinged Fedora for reject
CVE-2021-33797 (Buffer-overflow in jsdtoa.c in Artifex MuJS in versions 1.0.1 to 1.1.1 ...)
- mujs 1.1.3-2
- [bullseye] - mujs <no-dsa> (Minor issue)
+ [bullseye] - mujs 1.1.0-1+deb11u3
NOTE: https://github.com/ccxvii/mujs/issues/148
NOTE: https://github.com/ccxvii/mujs/commit/833b6f1672b4f2991a63c4d05318f0b84ef4d550 (1.1.2)
CVE-2021-33796 (In MuJS before version 1.1.2, a use-after-free flaw in the regexp sour ...)
@@ -165603,7 +165607,7 @@ CVE-2021-33588
CVE-2021-33587 (The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure t ...)
{DLA-3350-1}
- node-css-what 5.0.1-1 (bug #989264)
- [bullseye] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series)
+ [bullseye] - node-css-what 4.0.0-3+deb11u1
[buster] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series)
[stretch] - node-css-what <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/fb55/css-what/commit/4cdaacfd0d4b6fd00614be030da0dea6c2994655
@@ -171315,7 +171319,7 @@ CVE-2021-3508 (A flaw was found in PDFResurrect in version 0.22b. There is an in
CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of QEMU u ...)
{DLA-3099-1}
- qemu 1:7.1+dfsg-1 (bug #987410)
- [bullseye] - qemu <no-dsa> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
[stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/defac5e2fbddf8423a354ff0454283a2115e1367 (v7.1.0-rc0)
@@ -191961,7 +191965,7 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0
- python3.5 <removed>
[experimental] - python2.7 2.7.18-13.1~exp1
- python2.7 2.7.18-13.1
- [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
+ [bullseye] - python2.7 2.7.18-8+deb11u1
- pypy3 7.3.3+dfsg-3
[buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/pull/24297
@@ -193794,7 +193798,7 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo
{DLA-3393-1}
[experimental] - protobuf 3.17.1-1
- protobuf 3.21.9-3
- [bullseye] - protobuf <no-dsa> (Minor issue)
+ [bullseye] - protobuf 3.12.4-1+deb11u1
[stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch needs to be isolated)
NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
NOTE: Fixed in merge commit https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2
@@ -193803,7 +193807,7 @@ CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google
{DLA-3393-1}
[experimental] - protobuf 3.19.3-1
- protobuf 3.21.9-3
- [bullseye] - protobuf <no-dsa> (Minor issue)
+ [bullseye] - protobuf 3.12.4-1+deb11u1
[stretch] - protobuf <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4
NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001
@@ -201298,7 +201302,7 @@ CVE-2021-20204 (A heap memory corruption problem (use after free) can be trigger
CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...)
{DLA-3099-1 DLA-2623-1}
- qemu 1:6.2+dfsg-1 (bug #984452)
- [bullseye] - qemu <postponed> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugs.launchpad.net/qemu/+bug/1913873
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/308
NOTE: https://bugs.launchpad.net/qemu/+bug/1890152
@@ -201338,7 +201342,7 @@ CVE-2021-20197 (There is an open race window when writing output in the followin
CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emulator ...)
{DLA-3099-1 DLA-2970-1}
- qemu 1:6.2+dfsg-1 (bug #984453)
- [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919210
NOTE: https://bugs.launchpad.net/qemu/+bug/1912780
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/338
@@ -221436,7 +221440,7 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentatio
{DLA-3469-1 DLA-2381-1}
- lua5.4 5.4.1-1 (bug #971613)
- lua5.3 5.3.6-1 (bug #988734)
- [bullseye] - lua5.3 <no-dsa> (Minor issue)
+ [bullseye] - lua5.3 5.3.3-1.1+deb11u1
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
NOTE: (lua5.3) https://github.com/lua/lua/commit/b5bc89846721375fe30772eb8c5ab2786f362bf9
@@ -244039,7 +244043,7 @@ CVE-2020-14395
CVE-2020-14394 (An infinite loop flaw was found in the USB xHCI controller emulation o ...)
{DLA-3362-1}
- qemu 1:7.1+dfsg-1 (bug #979677)
- [bullseye] - qemu <postponed> (Minor issue)
+ [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc (v7.1.0-rc3)
@@ -321481,7 +321485,7 @@ CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&act=st
CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For examp ...)
{DLA-3469-1}
- lua5.3 5.3.6-1 (bug #920321)
- [bullseye] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
+ [bullseye] - lua5.3 5.3.3-1.1+deb11u1
- lua5.2 <not-affected> (Vulnerable code introduced later)
- lua5.1 <not-affected> (Vulnerable code introduced later)
- lua50 <not-affected> (Vulnerable code introduced later)
@@ -396837,7 +396841,7 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
[jessie] - ruby-yajl <no-dsa> (Minor issue)
- yajl 2.1.0-4 (bug #1040036)
[bookworm] - yajl 2.1.0-3+deb12u2
- [bullseye] - yajl <no-dsa> (Minor issue)
+ [bullseye] - yajl 2.1.0-3+deb11u2
- burp <unfixed> (bug #1040146)
[bookworm] - burp <no-dsa> (Minor issue)
[bullseye] - burp <no-dsa> (Minor issue)
=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -1,197 +1,3 @@
-CVE-2022-46175
- [bullseye] - node-json5 2.1.3-2+deb11u1
-CVE-2022-21222
- [bullseye] - node-css-what 4.0.0-3+deb11u1
-CVE-2021-33587
- [bullseye] - node-css-what 4.0.0-3+deb11u1
-CVE-2021-22569
- [bullseye] - protobuf 3.12.4-1+deb11u1
-CVE-2021-22570
- [bullseye] - protobuf 3.12.4-1+deb11u1
-CVE-2022-1941
- [bullseye] - protobuf 3.12.4-1+deb11u1
-CVE-2023-29197
- [bullseye] - php-guzzlehttp-psr7 1.7.0-1+deb11u2
- [bullseye] - php-nyholm-psr7 1.3.2-2+deb11u1
-CVE-2021-45423
- [bullseye] - pev 0.81-3+deb11u1
-CVE-2023-24291
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24288
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24287
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24285
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24284
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-24283
- [bullseye] - sgt-puzzles 20191231.79a5378-3+deb11u1
-CVE-2023-27533
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27534
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27535
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27536
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2023-27538
- [bullseye] - curl 7.74.0-1.3+deb11u8
-CVE-2021-33797
- [bullseye] - mujs 1.1.0-1+deb11u3
-CVE-2023-29491
- [bullseye] - ncurses 6.2+20201114-2+deb11u2
-CVE-2022-1537
- [bullseye] - grunt 1.3.0-1+deb11u2
-CVE-2023-30570
- [bullseye] - libreswan 4.3-1+deb11u4
-CVE-2022-47015
- [bullseye] - mariadb-10.5 1:10.5.20-0+deb11u1
-CVE-2023-28617
- [bullseye] - org-mode 9.4.0+dfsg-1+deb11u1
-CVE-2023-34969
- [bullseye] - dbus 1.12.28-0+deb11u1
-CVE-2023-34241
- [bullseye] - cups 2.3.3op2-3+deb11u3
-CVE-2023-32324
- [bullseye] - cups 2.3.3op2-3+deb11u3
-CVE-2023-4504
- [bullseye] - cups 2.3.3op2-3+deb11u4
-CVE-2023-32360
- [bullseye] - cups 2.3.3op2-3+deb11u4
-CVE-2023-33460
- [bullseye] - yajl 2.1.0-3+deb11u2
-CVE-2017-16516
- [bullseye] - yajl 2.1.0-3+deb11u2
-CVE-2022-24795
- [bullseye] - yajl 2.1.0-3+deb11u2
-CVE-2019-6706
- [bullseye] - lua5.3 5.3.3-1.1+deb11u1
-CVE-2020-24370
- [bullseye] - lua5.3 5.3.3-1.1+deb11u1
-CVE-2023-25516
- [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- [bullseye] - nvidia-graphics-drivers 470.199.02-1
-CVE-2023-25515
- [bullseye] - nvidia-graphics-drivers-tesla-470 470.199.02-1
- [bullseye] - nvidia-graphics-drivers-tesla-450 450.248.02-1~deb11u1
- [bullseye] - nvidia-graphics-drivers 470.199.02-1
-CVE-2023-1672
- [bullseye] - tang 8-3+deb11u2
-CVE-2023-XXXX [spip: Use a dedicated function to clean author data when preparing a session]
- [bullseye] - spip 3.2.11-3+deb11u9
-CVE-2023-37365
- [bullseye] - hnswlib 0.4.0-3+deb11u1
-CVE-2023-35936
- [bullseye] - pandoc 2.9.2.1-1+deb11u1
-CVE-2023-36054
- [bullseye] - krb5 1.18.3-6+deb11u4
-CVE-2022-30333
- [bullseye] - rar 2:6.20-0.1~deb11u1
-CVE-2023-40477
- [bullseye] - rar 2:6.23-1~deb11u1
- [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u3
-CVE-2022-48579
- [bullseye] - unrar-nonfree 1:6.0.3-1+deb11u2
-CVE-2023-40303
- [bullseye] - inetutils 2:2.0-1+deb11u2
-CVE-2022-44729
- [bullseye] - batik 1.12-4+deb11u2
-CVE-2022-44730
- [bullseye] - batik 1.12-4+deb11u2
-CVE-2023-3446
- [bullseye] - openssl 1.1.1v-0~deb11u1
-CVE-2023-3817
- [bullseye] - openssl 1.1.1v-0~deb11u1
-CVE-2023-20197
- [bullseye] - clamav 0.103.9+dfsg-0+deb11u1
-CVE-2023-38408
- [bullseye] - openssh 1:8.4p1-5+deb11u2
-CVE-2022-45582
- [bullseye] - horizon 3:18.6.2-5+deb11u2
-CVE-2021-23336
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-0391
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-48560
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-48565
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2022-48566
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2023-24329
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2023-40217
- [bullseye] - python2.7 2.7.18-8+deb11u1
-CVE-2021-20196
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-0330
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-1544
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-3354
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2021-3930
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-3180
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2021-20203
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2021-3507
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2020-14394
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-3301
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2022-0216
- [bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-CVE-2023-41081
- [bullseye] - libapache-mod-jk 1:1.2.48-1+deb11u1
-CVE-2023-43770
- [bullseye] - roundcube 1.4.14+dfsg.1-1~deb11u1
-CVE-2023-38559
- [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
-CVE-2023-43115
- [bullseye] - ghostscript 9.53.3~dfsg-7+deb11u6
-CVE-2023-44469
- [bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u5
-CVE-2021-38185
- [bullseye] - cpio 2.13+dfsg-7.1~deb11u1
-CVE-2023-39194
- [bullseye] - linux 5.10.197-1
-CVE-2023-39193
- [bullseye] - linux 5.10.197-1
-CVE-2023-39192
- [bullseye] - linux 5.10.197-1
-CVE-2023-1989
- [bullseye] - linux 5.10.197-1
-CVE-2023-20588
- [bullseye] - linux 5.10.197-1
-CVE-2023-3772
- [bullseye] - linux 5.10.197-1
-CVE-2023-3773
- [bullseye] - linux 5.10.197-1
-CVE-2023-4244
- [bullseye] - linux 5.10.197-1
-CVE-2023-42753
- [bullseye] - linux 5.10.197-1
-CVE-2023-42754
- [bullseye] - linux 5.10.197-1
-CVE-2023-42755
- [bullseye] - linux 5.10.197-1
-CVE-2023-42756
- [bullseye] - linux 5.10.197-1
-CVE-2023-4622
- [bullseye] - linux 5.10.197-1
-CVE-2023-4623
- [bullseye] - linux 5.10.197-1
-CVE-2023-4921
- [bullseye] - linux 5.10.197-1
-CVE-2023-28322
- [bullseye] - curl 7.74.0-1.3+deb11u9
-CVE-2023-28321
- [bullseye] - curl 7.74.0-1.3+deb11u9
CVE-2023-32665
[bullseye] - glib2.0 2.66.8-1+deb11u1
CVE-2023-32611
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54c945966670557a4e3d7310a23e52e417dd6fde...d7328b6b3f999f67bd7ae160827eb278a54c44ae
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/54c945966670557a4e3d7310a23e52e417dd6fde...d7328b6b3f999f67bd7ae160827eb278a54c44ae
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231007/6d7dc6a9/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list