[Git][security-tracker-team/security-tracker][master] 4 commits: Remove entries from kanboard (removed from bookworm)
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Mar 15 08:38:10 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
559fc433 by Salvatore Bonaccorso at 2025-03-14T18:24:41+01:00
Remove entries from kanboard (removed from bookworm)
- - - - -
cf820fe2 by Salvatore Bonaccorso at 2025-03-14T18:25:33+01:00
Remove entries from libnet-easytcp-perl (removed in bookworm)
- - - - -
49b26099 by Salvatore Bonaccorso at 2025-03-14T18:28:11+01:00
Merge changes for updates with CVEs via bookworm 12.10
- - - - -
b7d02704 by Salvatore Bonaccorso at 2025-03-15T08:38:04+00:00
Merge branch 'bookworm-12.10' into 'master'
Merge changes accepted for bookworm 12.10 release
See merge request security-tracker-team/security-tracker!208
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -9421,11 +9421,11 @@ CVE-2025-25891 (A buffer overflow vulnerability was discovered in D-Link DSL-378
NOT-FOR-US: D-Link
CVE-2025-25475 (A NULL pointer dereference in the component /libsrc/dcrleccd.cc of DCM ...)
- dcmtk 3.6.9-4 (bug #1098373)
- [bookworm] - dcmtk <no-dsa> (Minor issue)
+ [bookworm] - dcmtk 3.6.7-9~deb12u3
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=bffa3e9116abb7038b432443f16b1bd390e80245
CVE-2025-25474 (DCMTK v3.6.9+ DEV was discovered to contain a buffer overflow via the ...)
- dcmtk 3.6.9-4 (bug #1098374)
- [bookworm] - dcmtk <no-dsa> (Will be fixed via spu)
+ [bookworm] - dcmtk 3.6.7-9~deb12u3
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d205bcd307164c99e0d4bbf412110372658d847
CVE-2025-25473 (FFmpeg git master before commit c08d30 was discovered to contain a NUL ...)
- ffmpeg <unfixed>
@@ -9435,7 +9435,7 @@ CVE-2025-25473 (FFmpeg git master before commit c08d30 was discovered to contain
NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c08d300481b8ebb846cd43a473988fdbc6793d1b
CVE-2025-25472 (A buffer overflow in DCMTK git master v3.6.9+ DEV allows attackers to ...)
- dcmtk 3.6.9-4
- [bookworm] - dcmtk <no-dsa> (Will be fixed via spu)
+ [bookworm] - dcmtk 3.6.7-9~deb12u3
NOTE: Introduced by fix for CVE-2024-47796: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=410ffe2019b9db6a8f4036daac742a6f5e4d36c2
CVE-2025-25471 (FFmpeg git master before commit fd1772 was discovered to contain a NUL ...)
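Review bot: the regression chain here deserves a cross-reference: the NOTE says CVE-2025-25472 was introduced by the fix for CVE-2024-47796, and this same merge records that fix as 3.6.7-9~deb12u2, so bookworm's ~deb12u2 shipped the regression and ~deb12u3 fixes it. The version ordering is consistent, but consider adding a `NOTE: Fix introduced CVE-2025-25472` pointer on the CVE-2024-47796 entry so the follow-up is discoverable from the original record.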
@@ -10218,7 +10218,7 @@ CVE-2024-10581 (The DirectoryPress Frontend plugin for WordPress is vulnerable t
NOT-FOR-US: WordPress plugin
CVE-2025-26819 (Monero through 0.18.3.4 before ec74ff4 does not have response limits o ...)
- monero 0.18.3.4+~0+20200826-2 (bug #1098240)
- [bookworm] - monero <no-dsa> (Minor issue)
+ [bookworm] - monero 0.18.0.0+~0+20200826-1+deb12u1
[bullseye] - monero <postponed> (Minor issue, DoS)
NOTE: Fixed by: https://github.com/monero-project/monero/commit/ec74ff4a3d3ca38b7912af680209a45fd1701c3d
CVE-2025-21401 (Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability)
@@ -10706,7 +10706,7 @@ CVE-2025-1094 (Improper neutralization of quoting syntax in PostgreSQL libpq fun
{DLA-4052-2 DLA-4052-1}
- postgresql-17 17.3-1
- postgresql-15 <removed>
- [bookworm] - postgresql-15 <no-dsa> (Minor issue)
+ [bookworm] - postgresql-15 15.11-0+deb12u1
- postgresql-13 <removed>
NOTE: https://www.postgresql.org/support/security/CVE-2025-1094/
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7d43ca6fe068015b403ffa1762f4df4efdf68b69 (REL_17_3)
@@ -11270,62 +11270,62 @@ CVE-2025-26467
- cassandra <itp> (bug #585905)
CVE-2024-31068 (Improper Finite State Machines (FSMs) in Hardware Logic for some Intel ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01166.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-36293 (Improper access control in the EDECCSSA user leaf function for some In ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01213.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-28047 (Improper input validation in UEFI firmware for some Intel(R) Processor ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-31157 (Improper initialization in UEFI firmware OutOfBandXML module in some I ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-39279 (Insufficient granularity of access control in UEFI firmware in some In ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-28127 (Improper input validation in UEFI firmware for some Intel(R) Processor ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-29214 (Improper input validation in UEFI firmware CseVariableStorageSmm for s ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-24582 (Improper input validation in XmlCli feature for UEFI firmware for some ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2023-34440 (Improper input validation in UEFI firmware for some Intel(R) Processor ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2023-43758 (Improper input validation in UEFI firmware for some Intel(R) processor ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-39355 (Improper handling of physical or environmental conditions in some Inte ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01228.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2024-37020 (Sequence of processor instructions leads to unexpected behavior in the ...)
- intel-microcode 3.20250211.1 (bug #1095805)
- [bookworm] - intel-microcode <postponed> (Minor issue; wait for unstable exposure, can be fixed via point release)
+ [bookworm] - intel-microcode 3.20250211.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01194.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250211
CVE-2025-25203 (CtrlPanel is open-source billing software for hosting providers. Prior ...)
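Review bot: all twelve intel-microcode entries drop the same `<postponed> (... wait for unstable exposure ...)` annotation in favour of 3.20250211.1~deb12u1, which satisfies the stated postponement condition now that 3.20250211.1 has been in unstable since bug #1095805. One thing to verify is that no other CVE entry referencing bug #1095805 or microcode-20250211 sits outside this hunk and still carries the `<postponed>` line, otherwise bookworm's status for that CVE would be left inconsistent with the rest of the batch.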
@@ -13010,7 +13010,7 @@ CVE-2025-24312 (When BIG-IP AFM is provisioned with IPS module enabled and proto
NOT-FOR-US: F5
CVE-2025-23419 (When multiple server blocks are configured to share the same IP addres ...)
- nginx 1.26.3-2 (bug #1095403)
- [bookworm] - nginx <no-dsa> (Minor issue; can be mitigated with by configuration)
+ [bookworm] - nginx 1.22.1-9+deb12u1
NOTE: https://www.openwall.com/lists/oss-security/2025/02/05/8
NOTE: https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e (release-1.26.3)
CVE-2025-23415 (An insufficient verification of data authenticity vulnerability exists ...)
@@ -13121,7 +13121,7 @@ CVE-2023-52924 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/24138933b97b055d486e8064b4a1721702442a9b (6.5-rc6)
CVE-2025-0167 (When asked to use a `.netrc` file for credentials **and** to follow HT ...)
- curl 8.12.0+git20250209.89ed161+ds-1
- [bookworm] - curl <no-dsa> (Minor issue; can be fixed via point release)
+ [bookworm] - curl 7.88.1-10+deb12u11
[bullseye] - curl <not-affected> (Vulnerable code introduced later)
NOTE: https://curl.se/docs/CVE-2025-0167.html
NOTE: Introduced with: https://github.com/curl/curl/commit/46620b97431e19c53ce82e55055c85830f088cf4 (curl-7_76_0)
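Review bot: this merge attributes three curl CVEs to three different bookworm revisions (deb12u9 for CVE-2024-9681, deb12u10 for CVE-2024-11053, deb12u11 for CVE-2025-0167), and the last two both concern `.netrc` handling when following redirects. Please confirm against the 7.88.1-10+deb12u10 and +deb12u11 changelog entries that the split is right, since attributing CVE-2025-0167 to the wrong revision would make the tracker report deb12u10 as fixed when it is not.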
@@ -14741,7 +14741,7 @@ CVE-2025-0353 (The Divi Torque Lite \u2013 Best Divi Addon, Extensions, Modules
NOT-FOR-US: WordPress plugin
CVE-2024-57965 (In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a U ...)
- node-axios 1.7.9+dfsg-1 (bug #1094731)
- [bookworm] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios 1.2.1+dfsg-1+deb12u1
[bullseye] - node-axios <postponed> (Minor issue)
NOTE: https://github.com/axios/axios/issues/6351
NOTE: https://github.com/axios/axios/commit/0a8d6e19da5b9899a2abafaaa06a75ee548597db (v1.7.8)
@@ -15565,9 +15565,9 @@ CVE-2023-46187 (IBM InfoSphere Master Data Management 11.6, 12.0, and 14.0 is vu
CVE-2025-0781 (An attacker can bypass the sandboxing of Nasal scripts and arbitrarily ...)
{DLA-4035-1 DLA-4034-1}
- flightgear 1:2020.3.19+dfsg-1
- [bookworm] - flightgear <no-dsa> (Minor issue)
+ [bookworm] - flightgear 1:2020.3.16+dfsg-1+deb12u1
- simgear 1:2020.3.19+dfsg-1
- [bookworm] - simgear <no-dsa> (Minor issue)
+ [bookworm] - simgear 1:2020.3.16+dfsg-1+deb12u1
NOTE: Fixed by: https://gitlab.com/flightgear/flightgear/-/commit/ad37afce28083fad7f79467b3ffdead753584358
NOTE: Fixed by: https://gitlab.com/flightgear/simgear/-/commit/5bb023647114267141a7610e8f1ca7d6f4f5a5a8
NOTE: Backported patch for 2020.3.6: https://gitlab.com/frougon/flightgear-flightgear/-/commit/cf99dc921aadab502ff90a1dd943d8bbb897de91
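Review bot: the unchanged NOTE `Backported patch for 2020.3.6` looks like a typo for 2020.3.16, which is the upstream version behind the new bookworm entry `1:2020.3.16+dfsg-1+deb12u1`; worth correcting in a follow-up commit. The flightgear and simgear lines themselves are consistent with each other, both pointing at the same deb12u1 point update.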
@@ -16712,7 +16712,7 @@ CVE-2025-0604 (A flaw was found in Keycloak. When an Active Directory user reset
- keycloak <itp> (bug #1088287)
CVE-2025-0395 (When the assert() function in the GNU C Library versions 2.13 to 2.40 ...)
- glibc 2.40-6
- [bookworm] - glibc <no-dsa> (Minor issue)
+ [bookworm] - glibc 2.36-9+deb12u10
[bullseye] - glibc <postponed> (Minor issue; can be fixed in next update)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=32582
NOTE: https://www.openwall.com/lists/oss-security/2025/01/22/4
@@ -16806,7 +16806,7 @@ CVE-2023-36998 (The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb
NOT-FOR-US: NextEPC MME
CVE-2024-52948 [CSRF on 2FA registration]
- lemonldap-ng 2.20.2+ds-1
- [bookworm] - lemonldap-ng <no-dsa> (Will be fixed via point update)
+ [bookworm] - lemonldap-ng 2.16.1+ds-deb12u5
[bullseye] - lemonldap-ng <postponed> (Minor issue; can be fixed in next update)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3258
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/0e69ee17ee7e78569a6f7a3c859105e958d374d4
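Review bot: the new fixed version `2.16.1+ds-deb12u5` uses a bare `deb12u5` Debian revision rather than the `-N+deb12uN` form used by every other entry in this merge. That is a valid version string, but because the tracker compares it with dpkg semantics, a typo here would silently change which bookworm versions are considered fixed, so it is worth checking character for character against the accepted upload.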
@@ -16998,7 +16998,7 @@ CVE-2025-21490 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
{DLA-4074-1}
- mysql-8.0 8.0.41-1 (bug #1093877)
- mariadb 1:11.4.5-1
- [bookworm] - mariadb <no-dsa> (Minor issue)
+ [bookworm] - mariadb 1:10.11.11-0+deb12u1
- mariadb-10.5 <removed>
NOTE: Fixed in MariaDB 11.7.2, 11.4.5, 10.11.11, 10.6.21, 10.5.28
CVE-2025-21489 (Vulnerability in the Oracle Advanced Outbound Telephony product of Ora ...)
@@ -20633,7 +20633,7 @@ CVE-2024-52935 (Kernel software installed and running inside a Guest VM may expl
CVE-2024-52333 (An improper array index validation vulnerability exists in the determi ...)
{DLA-4038-1}
- dcmtk 3.6.8-7 (bug #1093047)
- [bookworm] - dcmtk <no-dsa> (Minor issue; can be fixed via point release)
+ [bookworm] - dcmtk 3.6.7-9~deb12u2
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2121
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=03e851b0586d05057c3268988e180ffb426b2e03
CVE-2024-51728
@@ -20649,7 +20649,7 @@ CVE-2024-47894 (Kernel software installed and running inside a Guest VM may post
CVE-2024-47796 (An improper array index validation vulnerability exists in the nowindo ...)
{DLA-4038-1}
- dcmtk 3.6.8-7 (bug #1093043)
- [bookworm] - dcmtk <no-dsa> (Minor issue; can be fixed via point release)
+ [bookworm] - dcmtk 3.6.7-9~deb12u2
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-2122
NOTE: Fixed by: https://git.dcmtk.org/?p=dcmtk.git;a=commit;h=89a6e399f1e17d08a8bc8cdaa05b2ac9a50cd4f6
CVE-2024-46921 (An issue was discovered in Samsung Mobile Processor and Modem Exynos 9 ...)
@@ -21669,7 +21669,7 @@ CVE-2025-22445 (Mattermost versions 10.x <= 10.2 fail to accurately reflect miss
CVE-2025-22145 (Carbon is an international PHP extension for DateTime. Application pas ...)
{DLA-4068-1}
- php-nesbot-carbon 2.72.6-1 (bug #1092680)
- [bookworm] - php-nesbot-carbon <no-dsa> (Minor issue)
+ [bookworm] - php-nesbot-carbon 2.65.0-1+deb12u1
NOTE: https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q
NOTE: https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58 (3.8.4)
NOTE: https://github.com/briannesbitt/Carbon/commit/1e9d50601e7035a4c61441a208cb5bed73e108c5 (2.72.6)
@@ -23941,7 +23941,6 @@ CVE-2025-22214 (Landray EIS 2001 through 2006 allows Message/fi_message_receiver
NOT-FOR-US: WordPress pluginEIS
CVE-2024-56830 (The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl's builti ...)
- libnet-easytcp-perl <removed>
- [bookworm] - libnet-easytcp-perl <ignored> (Scheduled for removal)
NOTE: https://github.com/briandfoy/cpan-security-advisory/issues/184
NOTE: Related to CVE-2002-20002 (direct use of rand for version before < 0.15)
CVE-2024-56829 (Huang Yaoshi Pharmaceutical Management Software through 16.0 allows ar ...)
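Review bot: the unchanged context line `NOT-FOR-US: WordPress pluginEIS` for CVE-2025-22214 looks like two annotations fused together (the hunk header describes Landray EIS, not a WordPress plugin) and should be corrected in a follow-up commit. The removal of the `<ignored> (Scheduled for removal)` line itself is fine now that the package is gone from bookworm, with `libnet-easytcp-perl <removed>` remaining as the only entry.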
@@ -26455,12 +26454,12 @@ CVE-2024-56362 (Navidrome is an open source web-based music collection server an
NOT-FOR-US: Navidrome
CVE-2024-56326 (Jinja is an extensible templating engine. Prior to 3.1.5, An oversight ...)
- jinja2 3.1.5-1 (bug #1091331)
- [bookworm] - jinja2 <no-dsa> (Minor issue)
+ [bookworm] - jinja2 3.1.2-1+deb12u2
NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
NOTE: Fixed by: https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4 (3.1.5)
CVE-2024-56201 (Jinja is an extensible templating engine. In versions on the 3.x branc ...)
- jinja2 3.1.5-1 (bug #1091329)
- [bookworm] - jinja2 <no-dsa> (Minor issue)
+ [bookworm] - jinja2 3.1.2-1+deb12u2
NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
NOTE: https://github.com/pallets/jinja/issues/1792
NOTE: Fixed by: https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f (3.1.5)
@@ -28538,7 +28537,7 @@ CVE-2024-21544 (Versions of the package spatie/browsershot before 5.0.1 are vuln
CVE-2024-21543 (Versions of the package djoser before 2.3.0 are vulnerable to Authenti ...)
{DLA-4060-1}
- djoser 2.3.1-1 (bug #1089915)
- [bookworm] - djoser <no-dsa> (Minor issue; can be fixed via point release)
+ [bookworm] - djoser 2.1.0-1+deb12u1
NOTE: https://github.com/sunscrapers/djoser/issues/795
NOTE: https://github.com/sunscrapers/djoser/pull/819
NOTE: https://github.com/sunscrapers/djoser/commit/d33c3993c0c735f23cbedc60fa59fce69354f19d (2.3.0)
@@ -29766,7 +29765,7 @@ CVE-2023-37395 (IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user t
NOT-FOR-US: IBM
CVE-2024-11053 (When asked to both use a `.netrc` file for credentials and to follow H ...)
- curl 8.11.1-1 (bug #1089682)
- [bookworm] - curl <no-dsa> (Minor issue)
+ [bookworm] - curl 7.88.1-10+deb12u10
[bullseye] - curl <postponed> (Minor issue; can be fixed in next update)
NOTE: https://curl.se/docs/CVE-2024-11053.html
NOTE: Introduced by: https://github.com/curl/curl/commit/ae1912cb0d494b48d514d937826c9fe83ec96c4d (curl-6_5)
@@ -30305,7 +30304,7 @@ CVE-2024-48956 (Serviceware Processes 6.0 through 7.3 before 7.4 allows attacker
NOT-FOR-US: Serviceware Processes
CVE-2024-46901 (Insufficient validation of filenames against control characters in Apa ...)
- subversion 1.14.5-1
- [bookworm] - subversion <no-dsa> (Minor issue)
+ [bookworm] - subversion 1.14.2-4+deb12u1
[bullseye] - subversion <postponed> (Minor issue; can be fixed in next update)
NOTE: https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
CVE-2024-46547 (A vulnerability was found in Romain Bourdon Wampserver all versions (d ...)
@@ -30539,7 +30538,7 @@ CVE-2024-55566 (ColPack 1.0.10 through 9a7293a has a predictable temporary file
CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 ...)
{DLA-4013-1 DLA-4003-1}
- node-postcss 8.4.49+~cs9.2.32-1
- [bookworm] - node-postcss <no-dsa> (Minor issue)
+ [bookworm] - node-postcss 8.4.20+~cs8.0.23-1+deb12u1
- node-mocha 9.1.4+ds1+~cs28.2.8-1
NOTE: node-postcss bundles nanoid
NOTE: https://github.com/ai/nanoid/pull/510
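Review bot: the bookworm fixed version `8.4.20+~cs8.0.23-1+deb12u1` keeps the same `~cs8.0.23` component bundle as before, so the nanoid fix from PR 510 must have been applied as a patch to the bundled copy rather than by updating the component. Please confirm the upload's changelog mentions CVE-2024-55565 for the embedded nanoid, since the same version is also used for CVE-2023-44270 later in this merge and the tracker will treat both as fixed at once.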
@@ -40025,7 +40024,7 @@ CVE-2024-9934 (The Wp-ImageZoom WordPress plugin through 1.1.0 does not sanitise
NOT-FOR-US: WordPress plugin
CVE-2024-9681 (When curl is asked to use HSTS, the expiry time for a subdomain might ...)
- curl 8.11.0-1 (bug #1086804)
- [bookworm] - curl <no-dsa> (Minor issue)
+ [bookworm] - curl 7.88.1-10+deb12u9
[bullseye] - curl <ignored> (curl is not built with HSTS support)
NOTE: https://curl.se/docs/CVE-2024-9681.html
NOTE: Introduced by: https://github.com/curl/curl/commit/7385610d0c74c6a254fea5e4cd6e1d559d848c8c (curl-7_74_0)
@@ -49079,7 +49078,7 @@ CVE-2024-47817 (Lara-zeus Dynamic Dashboard simple way to manage widgets for you
NOT-FOR-US: Lara-zeus Dynamic Dashboard
CVE-2024-47814 (Vim is an open source, command line text editor. A use-after-free was ...)
- vim 2:9.1.0777-1 (bug #1084806)
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <postponed> (Minor issue)
NOTE: https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
NOTE: https://github.com/vim/vim/commit/51b62387be93c65fa56bbabe1c3 (v9.1.0764)
@@ -50753,7 +50752,7 @@ CVE-2024-46453 (A cross-site scripting (XSS) vulnerability in the component /tes
NOT-FOR-US: iq3xcite
CVE-2024-38796 (EDK2 contains a vulnerability in the PeCoffLoaderRelocateImage(). An A ...)
- edk2 2024.08-3 (bug #1084055)
- [bookworm] - edk2 <no-dsa> (Minor issue)
+ [bookworm] - edk2 2022.11-6+deb12u2
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-xpcr-7hjq-m6qm
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
NOTE: https://github.com/tianocore/edk2/pull/6249
@@ -51943,7 +51942,7 @@ CVE-2024-46639 (A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 a
CVE-2024-46544 (Incorrect Default Permissions vulnerability in Apache Tomcat Connector ...)
{DLA-3919-1}
- libapache-mod-jk 1:1.2.50-1 (bug #1082713)
- [bookworm] - libapache-mod-jk <no-dsa> (Minor issue)
+ [bookworm] - libapache-mod-jk 1:1.2.48-2+deb12u2
NOTE: https://www.openwall.com/lists/oss-security/2024/09/23/1
NOTE: Fixed by: https://github.com/apache/tomcat-connectors/commit/d55706e92b65018c2e4c7ab14014a996b0174966 (JK_1_2_50)
CVE-2024-46241 (PHPGurukul Dairy Farm Shop Management System v1.1 is vulnerable to Cro ...)
@@ -52258,7 +52257,7 @@ CVE-2024-45752 (logiops through 0.3.4, in its default configuration, allows any
CVE-2024-45614 (Puma is a Ruby/Rack web server built for parallelism. In affected vers ...)
{DLA-3947-1}
- puma 6.4.3-1 (bug #1082379)
- [bookworm] - puma <no-dsa> (Minor issue)
+ [bookworm] - puma 5.6.5-3+deb12u1
NOTE: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
NOTE: Fixed by: https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043 (v6.4.3)
CVE-2024-43496 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability)
@@ -57697,7 +57696,7 @@ CVE-2024-43806 (Rustix is a set of safe Rust bindings to POSIX-ish APIs. When us
NOTE: https://github.com/bytecodealliance/rustix/security/advisories/GHSA-c827-hfw6-qwvm
CVE-2024-43802 (Vim is an improved version of the unix vi text editor. When flushing t ...)
- vim 2:9.1.0698-1
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <postponed> (Minor issue)
NOTE: https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
NOTE: https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b (v9.1.0697)
@@ -72293,7 +72292,7 @@ CVE-2024-27629 (An issue in dc2niix before v.1.0.20240202 allows a local attacke
NOTE: https://github.com/rordenlab/dcm2niix/pull/789
CVE-2024-27628 (Buffer Overflow vulnerability in DCMTK v.3.6.8 allows an attacker to e ...)
- dcmtk 3.6.8-6 (bug #1074483)
- [bookworm] - dcmtk <no-dsa> (Minor issue)
+ [bookworm] - dcmtk 3.6.7-9~deb12u2
[bullseye] - dcmtk <not-affected> (Vulnerable code introduced later)
[buster] - dcmtk <not-affected> (Vulnerable code introduced later)
NOTE: https://support.dcmtk.org/redmine/issues/1108
@@ -75355,6 +75354,7 @@ CVE-2024-5967 (A vulnerability was found in Keycloak. The LDAP testing endpoint
CVE-2024-5953 (A denial of service vulnerability was found in the 389-ds-base LDAP se ...)
{DLA-4021-1}
- 389-ds-base 3.1.1+dfsg1-1
+ [bookworm] - 389-ds-base 2.3.1+dfsg1-1+deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2292104
NOTE: https://github.com/389ds/389-ds-base/commit/9e6cefb1f37740f3ce180f272ee0653d65b878d9 (389-ds-base-3.1.1)
NOTE: https://github.com/389ds/389-ds-base/commit/e269182d7a5d6d23abba86dbfe0cbadce2ea3147 (389-ds-base-2.4.6)
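Review bot: the hunk header (`-75355,6 +75354,7`) shows this entry had no bookworm line at all before, unlike CVE-2024-2199 which carried a `<no-dsa>` annotation, so bookworm was being shown as affected without any triage note. Since 2.3.1+dfsg1-1+deb12u1 is also recorded for CVE-2024-3657 and CVE-2024-2199 in this merge, check whether any further 389-ds-base CVE fixed by that upload is likewise unannotated and was missed.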
@@ -75772,7 +75772,7 @@ CVE-2024-36397 (Vantiva - MediaAccess DGA2232v19.4 -CWE-79: Improper Neutralizat
NOT-FOR-US: Vantiva
CVE-2024-38428 (url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo ...)
- wget 1.24.5-2 (bug #1073523)
- [bookworm] - wget <no-dsa> (Minor issue)
+ [bookworm] - wget 1.21.3-1+deb12u1
[bullseye] - wget <no-dsa> (Minor issue)
[buster] - wget <postponed> (Minor issue, infoleak in limited conditions)
NOTE: https://lists.gnu.org/archive/html/bug-wget/2024-06/msg00005.html
@@ -78871,7 +78871,6 @@ CVE-2024-36730 (Improper input validation in OneFlow-Inc. Oneflow v0.9.1 allows
NOT-FOR-US: OneFlow
CVE-2024-36399 (Kanboard is project management software that focuses on the Kanban met ...)
- kanboard <removed> (bug #1072791)
- [bookworm] - kanboard <no-dsa> (Minor issue, can be fixed via point release)
NOTE: https://github.com/kanboard/kanboard/security/advisories/GHSA-x8v7-3ghx-65cv
NOTE: https://github.com/kanboard/kanboard/commit/b6703688aac8187f5ea4d4d704fc7afeeffeafa7 (v1.2.37)
CVE-2024-36394 (SysAid - CWE-78: Improper Neutralization of Special Elements used in a ...)
@@ -80035,7 +80034,7 @@ CVE-2024-23847 (Incorrect default permissions issue exists in Unifier and Unifie
NOT-FOR-US: Unifier and Unifier Cast
CVE-2024-1298 (EDK2 contains a vulnerability when S3 sleep is activated where an Atta ...)
- edk2 2024.05-1
- [bookworm] - edk2 <no-dsa> (Minor issue)
+ [bookworm] - edk2 2022.11-6+deb12u2
[bullseye] - edk2 <no-dsa> (Minor issue)
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-chfw-xj8f-6m53
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4677
@@ -80914,6 +80913,7 @@ CVE-2024-3969 (XML External Entity injection vulnerability foundin OpenText\u212
CVE-2024-3657 (A flaw was found in 389-ds-base. A specially-crafted LDAP query can po ...)
{DLA-4021-1}
- 389-ds-base 3.1.1+dfsg1-1
+ [bookworm] - 389-ds-base 2.3.1+dfsg1-1+deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274401
NOTE: https://github.com/389ds/389-ds-base/commit/b1e9acf39d1e1b752e8b4b469f32e17c743ad6f9 (389-ds-base-3.1.1)
NOTE: https://github.com/389ds/389-ds-base/commit/d8068fd7ef3c0c256b06ca47cfa0e1921d143778 (389-ds-base-2.4.6)
@@ -81012,7 +81012,7 @@ CVE-2024-2451 (Improper fingerprint validation in the TeamViewer Client (Full &
CVE-2024-2199 (A denial of service vulnerability was found in 389-ds-base ldap server ...)
{DLA-4021-1}
- 389-ds-base 3.1.1+dfsg1-1 (bug #1072531)
- [bookworm] - 389-ds-base <no-dsa> (Minor issue)
+ [bookworm] - 389-ds-base 2.3.1+dfsg1-1+deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2267976
NOTE: https://github.com/389ds/389-ds-base/commit/36a2f1d5e4e2265140320087104c6799a97c28d9 (389-ds-base-3.1.1)
NOTE: https://github.com/389ds/389-ds-base/commit/63946b8e63328efc9b36a01f99d5ba71e243fcfa (389-ds-base-2.4.6)
@@ -90604,13 +90604,13 @@ CVE-2024-34510 (Gradio before 4.20 allows credential leakage on Windows.)
CVE-2024-34509 (dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid ...)
{DLA-4038-1 DLA-3847-1}
- dcmtk 3.6.7-14
- [bookworm] - dcmtk <no-dsa> (Minor issue)
+ [bookworm] - dcmtk 3.6.7-9~deb12u2
NOTE: https://support.dcmtk.org/redmine/issues/1114
NOTE: https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5
CVE-2024-34508 (dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid D ...)
{DLA-4038-1 DLA-3847-1}
- dcmtk 3.6.7-14
- [bookworm] - dcmtk <no-dsa> (Minor issue)
+ [bookworm] - dcmtk 3.6.7-9~deb12u2
NOTE: https://support.dcmtk.org/redmine/issues/1114
NOTE: https://github.com/DCMTK/dcmtk/commit/c78e434c0c5f9d932874f0b17a8b4ce305ca01f5
CVE-2024-34507 (An issue was discovered in includes/CommentFormatter/CommentParser.php ...)
@@ -95604,7 +95604,7 @@ CVE-2024-28627 (An issue in Flipsnack v.18/03/2024 allows a local attacker to ob
CVE-2024-28130 (An incorrect type conversion vulnerability exists in the DVPSSoftcopyV ...)
{DLA-4038-1 DLA-3847-1}
- dcmtk 3.6.7-14 (bug #1070207)
- [bookworm] - dcmtk <no-dsa> (Minor issue)
+ [bookworm] - dcmtk 3.6.7-9~deb12u3
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1957
NOTE: https://support.dcmtk.org/redmine/issues/1120
NOTE: https://github.com/DCMTK/dcmtk/commit/dc6a2446dc03c9db90f82ce17a597f2cd53776c5
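Review bot: CVE-2024-28130 is recorded as fixed in 3.6.7-9~deb12u3, while the other 2024 DCMTK CVEs in this merge (CVE-2024-34509, CVE-2024-34508, CVE-2024-52333, CVE-2024-47796, CVE-2024-27628) are attributed to ~deb12u2. If the TALOS-2024-1957 fix actually went into the earlier upload, the tracker would wrongly list ~deb12u2 as affected here, so please confirm the ~deb12u3 attribution against the changelog.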
@@ -96441,7 +96441,7 @@ CVE-2023-41864 (Cross-Site Request Forgery (CSRF) vulnerability in Pepro Dev. Gr
CVE-2023-3758 (A race condition flaw was found in sssd where the GPO policy is not co ...)
{DLA-4047-1}
- sssd 2.9.5-1 (bug #1070369)
- [bookworm] - sssd <no-dsa> (Minor issue)
+ [bookworm] - sssd 2.8.2-4+deb12u1
[buster] - sssd <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2223762
NOTE: https://github.com/SSSD/sssd/pull/7302
@@ -97606,7 +97606,7 @@ CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (compo
{DLA-3891-1}
- mysql-8.0 8.0.37-1 (bug #1069189)
- mariadb 1:10.11.8-1
- [bookworm] - mariadb <no-dsa> (Minor issue)
+ [bookworm] - mariadb 1:10.11.11-0+deb12u1
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 <no-dsa> (Minor issue)
- mariadb-10.3 <removed>
@@ -118160,7 +118160,7 @@ CVE-2024-23196 (A race condition was found in the Linux kernel's sound/hda devi
NOTE: https://git.kernel.org/linus/1f4a08fed450db87fbb5ff5105354158bdbe1a22 (6.5-rc1)
CVE-2024-22667 (Vim before 9.0.2142 has a stack-based buffer overflow because did_set_ ...)
- vim 2:9.0.2189-1
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47 (v9.0.2142)
@@ -120050,7 +120050,6 @@ CVE-2024-22725 (Orthanc versions before 1.12.2 are affected by a reflected cross
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/505416b269a0
CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group managemen ...)
- kanboard <removed> (bug #1062710)
- [bookworm] - kanboard <no-dsa> (Minor issue)
NOTE: https://cupc4k3.medium.com/html-injection-vulnerability-in-kanboard-group-management-d9fe5154bb1b
NOTE: https://github.com/kanboard/kanboard/issues/5411
NOTE: Fixed by: https://github.com/kanboard/kanboard/commit/70df1210259a2e5ec258a753318bddfda6f7d024 (v1.2.35)
@@ -123654,7 +123653,7 @@ CVE-2024-21650 (XWiki Platform is a generic wiki platform offering runtime servi
CVE-2024-21647 (Puma is a web server for Ruby/Rack applications built for parallelism. ...)
{DLA-3947-1}
- puma 6.4.2-1 (bug #1060345)
- [bookworm] - puma <no-dsa> (Minor issue)
+ [bookworm] - puma 5.6.5-3+deb12u1
[buster] - puma <no-dsa> (Minor issue)
NOTE: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
NOTE: https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d (v5.6.8)
@@ -134386,7 +134385,7 @@ CVE-2023-45875 (An issue was discovered in Couchbase Server 7.2.0. There is a pr
NOT-FOR-US: Couchbase Server
CVE-2023-45857 (An issue discovered in Axios 1.5.1 inadvertently reveals the confident ...)
- node-axios 1.6.2+dfsg-1 (bug #1056099)
- [bookworm] - node-axios <no-dsa> (Minor issue)
+ [bookworm] - node-axios 1.2.1+dfsg-1+deb12u1
[bullseye] - node-axios <no-dsa> (Minor issue)
[buster] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/issues/6006
@@ -141112,7 +141111,7 @@ CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/clien
NOTE: https://kernel.dance/#e6e43b8aa7cd3c3af686caf0c2e11819a886d705
CVE-2023-5344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...)
- vim 2:9.0.2018-1 (bug #1053694)
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <postponed> (Minor issue, 1-byte overflow)
NOTE: https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04
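Review bot: the fix-commit NOTE lacks the upstream release tag that the neighbouring vim entries carry (e.g. `(v9.0.1873)`, `(v9.0.1858)`), so it is harder to see which 9.0.x patch level the 2:9.0.1378-2+deb12u1 backport corresponds to; add the tag. The buster rationale `<postponed> (Minor issue, 1-byte overflow)` still stands, but bullseye's `<no-dsa>` now sits between a bookworm fix and a buster postponement and may deserve the same backport.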
@@ -141440,7 +141439,7 @@ CVE-2023-5201 (The OpenHook plugin for WordPress is vulnerable to Remote Code Ex
CVE-2023-44270 (An issue was discovered in PostCSS before 8.4.31. The vulnerability af ...)
{DLA-4003-1}
- node-postcss 8.4.31+~cs8.0.26-1 (bug #1053282)
- [bookworm] - node-postcss <no-dsa> (Minor issue)
+ [bookworm] - node-postcss 8.4.20+~cs8.0.23-1+deb12u1
[buster] - node-postcss <postponed> (Minor issue)
NOTE: https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5 (8.4.31)
CVE-2023-43711 (Os Commerce is currently susceptible to a Cross-Site Scripting (XSS) v ...)
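Review bot: the bookworm fix 8.4.20+~cs8.0.23-1+deb12u1 backports the 8.4.31 commit into a `+~cs` component-source package, so it is worth confirming in a NOTE that only the postcss change from 58cc860b was taken and the bundled components were left untouched; that is the first question a reviewer of the point update will ask. Buster stays `<postponed>` and bullseye has DLA-4003-1, both consistent with the change.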
@@ -144953,7 +144952,7 @@ CVE-2023-36851 (A Missing Authentication for Critical Function vulnerability in
CVE-2023-4781 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...)
{DLA-3588-1}
- vim 2:9.0.1894-1
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/c867eb0a-aa8b-4946-a621-510350673883/
NOTE: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93 (v9.0.1873)
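Review bot: with DLA-3588-1 covering buster and bookworm now fixed in 2:9.0.1378-2+deb12u1, bullseye is the only release left at `<no-dsa> (Minor issue)` for this heap overflow; the f6d28fe2 commit (v9.0.1873) has now been backported twice, so it is a ready candidate for a bullseye LTS update. Also, unlike CVE-2023-5344, the unstable line `- vim 2:9.0.1894-1` carries no Debian bug reference.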
@@ -145199,7 +145198,7 @@ CVE-2023-4754 (Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-D
CVE-2023-4752 (Use After Free in GitHub repository vim/vim prior to 9.0.1858.)
{DLA-3588-1}
- vim 2:9.0.1894-1
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/85f62dd7-ed84-4fa2-b265-8a369a318757/
NOTE: https://github.com/vim/vim/commit/ee9166eb3b41846661a39b662dc7ebe8b5e15139 (v9.0.1858)
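Review bot: this use-after-free follows the same pattern as CVE-2023-4781 (DLA-3588-1 for buster, bookworm now at 2:9.0.1378-2+deb12u1, bullseye still `<no-dsa>`), and the ee9166eb commit (v9.0.1858) lands in the same deb12u1 upload; if bullseye is revisited, the two should go together. `Minor issue` is a thin label for a use-after-free; a short reason on the bullseye line would make that decision easier to revisit later.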
@@ -145558,7 +145557,7 @@ CVE-2023-41180 (Incorrect certificate validation in InvokeHTTP on Apache NiFi Mi
NOT-FOR-US: Apache NiFi
CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...)
- vim 2:9.0.1894-1
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue; intrusive and hard to backport and will need a rewrite)
NOTE: https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612/
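Review bot: this is the one vim entry in the set with no upstream fix commit in its NOTEs (only the huntr report), yet bookworm now records 2:9.0.1378-2+deb12u1 as fixed; add the commit the backport was taken from. The buster rationale (`intrusive and hard to backport and will need a rewrite`) and the new bookworm fix are in tension: either the backport turned out feasible on 9.0.1378, in which case the buster note is stale, or the bookworm upload took a different approach, which should be recorded.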
@@ -147557,7 +147556,7 @@ CVE-2023-4427 (Out of bounds memory access in V8 in Google Chrome prior to 116.0
[buster] - chromium <end-of-life> (see DSA 5046)
CVE-2023-40175 (Puma is a Ruby/Rack web server built for parallelism. Prior to version ...)
- puma 5.6.7-1 (bug #1050079)
- [bookworm] - puma <no-dsa> (Minor issue)
+ [bookworm] - puma 5.6.5-3+deb12u1
[bullseye] - puma <ignored> (Minor issue, invasive to backport)
[buster] - puma <ignored> (invasive to backport)
NOTE: https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8
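Review bot: bullseye and buster are both `<ignored>` with `invasive to backport` as the reason, while bookworm now carries a backport in 5.6.5-3+deb12u1; that upload is concrete evidence of what the backport costs on a 5.x base, so the bullseye rationale is worth re-checking against the actual diff. The entry cites only the GHSA advisory; adding the upstream fix commit (the unstable fix is 5.6.7-1) would let LTS judge that quickly.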
@@ -155796,7 +155795,7 @@ CVE-2023-35790 (An issue was discovered in dec_patch_dictionary.cc in libjxl bef
NOTE: https://github.com/libjxl/libjxl/commit/d4e67a644d8babe7cb68de122d8b5ccb2ad8f226
CVE-2023-35789 (An issue was discovered in the C AMQP client library (aka rabbitmq-c) ...)
- librabbitmq 0.14.0-1 (bug #1037322)
- [bookworm] - librabbitmq <no-dsa> (Minor issue)
+ [bookworm] - librabbitmq 0.11.0-1+deb12u1
[bullseye] - librabbitmq <no-dsa> (Minor issue)
[buster] - librabbitmq <no-dsa> (Minor issue)
NOTE: https://github.com/alanxz/rabbitmq-c/issues/575
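Review bot: the only reference is the upstream issue (rabbitmq-c #575); no fixing commit is recorded even though unstable's fix is 0.14.0-1 and bookworm now gets 0.11.0-1+deb12u1. A backport spanning 0.11.0 to 0.14.0 should point at the specific commit it carries. Bullseye and buster remain `<no-dsa> (Minor issue)`, which is consistent, but the same patch would likely apply there too.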
@@ -157577,7 +157576,7 @@ CVE-2023-32310 (DataEase is an open source data visualization and analysis tool.
NOT-FOR-US: DataEase
CVE-2023-32181 (A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow ...)
- libeconf 0.5.2+dfsg1-1 (bug #1037333)
- [bookworm] - libeconf <ignored> (Minor issue, no reverse deps)
+ [bookworm] - libeconf 0.5.1+dfsg1-1+deb12u1
[bullseye] - libeconf <no-dsa> (Minor issue)
NOTE: https://github.com/openSUSE/libeconf/issues/178
NOTE: https://github.com/openSUSE/libeconf/commit/8d086dfc69d4299e55e4844e3573b3a4cf420f19 (v0.5.2)
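Review bot: the bookworm status moves from `<ignored> (Minor issue, no reverse deps)` to the fixed version 0.5.1+dfsg1-1+deb12u1, which supersedes the earlier rationale; if the 8d086dfc commit applied cleanly to 0.5.1, the bullseye `<no-dsa>` line could take the same fix, or at least cite the `no reverse deps` reasoning explicitly. The commit and bug (#1037333) are shared with CVE-2023-22652, so the two entries should always move together, as they do here.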
@@ -159740,7 +159739,7 @@ CVE-2023-2614 (Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pim
CVE-2023-2610 (Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9 ...)
{DLA-3453-1}
- vim 2:9.0.1658-1 (bug #1035955)
- [bookworm] - vim <no-dsa> (Minor issue)
+ [bookworm] - vim 2:9.0.1378-2+deb12u1
[bullseye] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/31e67340-935b-4f6c-a923-f7246bc29c7d
NOTE: https://github.com/vim/vim/commit/ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a (v9.0.1532)
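Review bot: DLA-3453-1 covers buster and bookworm now has 2:9.0.1378-2+deb12u1, so as with the other vim entries in this merge bullseye is the remaining `<no-dsa>`; the ab9a2d88 commit (v9.0.1532) is only about 150 patch levels past the 9.0.1378 base, so the bookworm backport should be close to a clean apply and reusable for bullseye.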
@@ -187236,7 +187235,7 @@ CVE-2023-22665 (There is insufficient checking of user queries in Apache Jena ve
NOTE: https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
CVE-2023-22652 (A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow ...)
- libeconf 0.5.2+dfsg1-1 (bug #1037333)
- [bookworm] - libeconf <ignored> (Minor issue, no reverse deps)
+ [bookworm] - libeconf 0.5.1+dfsg1-1+deb12u1
[bullseye] - libeconf <no-dsa> (Minor issue)
NOTE: https://github.com/openSUSE/libeconf/issues/177
NOTE: https://github.com/openSUSE/libeconf/commit/8d086dfc69d4299e55e4844e3573b3a4cf420f19 (v0.5.2)
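Review bot: this hunk mirrors CVE-2023-32181 (same bug #1037333, same fix commit 8d086dfc, same deb12u1 version); the two CVEs resolve to one upstream change, so keeping the NOTE lines identical is right, but the issue links differ (#177 vs #178) and a cross-reference between the two entries would save a reader from checking whether they are duplicates.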
@@ -306660,25 +306659,25 @@ CVE-2021-33647 (When performing the inference shape operation of the Tile operat
CVE-2021-33646 (The th_read() function doesn\u2019t free a variable t->th_buf.gnu_long ...)
{DLA-4033-1}
- libtar <removed>
- [bookworm] - libtar <no-dsa> (Minor issue)
+ [bookworm] - libtar 1.2.20-8+deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
CVE-2021-33645 (The th_read() function doesn\u2019t free a variable t->th_buf.gnu_long ...)
{DLA-4033-1}
- libtar <removed>
- [bookworm] - libtar <no-dsa> (Minor issue)
+ [bookworm] - libtar 1.2.20-8+deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
CVE-2021-33644 (An attacker who submits a crafted tar file with size in header struct ...)
{DLA-4033-1}
- libtar <removed>
- [bookworm] - libtar <no-dsa> (Minor issue)
+ [bookworm] - libtar 1.2.20-8+deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121292
NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33643-CVE-2021-33644.patch
CVE-2021-33643 (An attacker who submits a crafted tar file with size in header struct ...)
{DLA-4033-1}
- libtar <removed>
- [bookworm] - libtar <no-dsa> (Minor issue)
+ [bookworm] - libtar 1.2.20-8+deb12u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121289
NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33643-CVE-2021-33644.patch
CVE-2021-33642 (When a file is processed, an infinite loop occurs in next_inline() of ...)
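Review bot: all four libtar entries now record 1.2.20-8+deb12u1 for bookworm while the only patch reference is a not-upstream openEuler patch and libtar is `<removed>` from unstable; record in a NOTE whether the deb12u1 upload carries the openEuler patches or the ones used for DLA-4033-1, since with no upstream fix there is nothing else to diff against. The two openEuler patch files each cover a pair of CVEs (33645/33646 and 33643/33644), matching the pairing of the Red Hat bugs, which is consistent.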
=====================================
data/next-point-update.txt
=====================================
@@ -1,139 +1,3 @@
-CVE-2024-9681
- [bookworm] - curl 7.88.1-10+deb12u9
-CVE-2024-46901
- [bookworm] - subversion 1.14.2-4+deb12u1
-CVE-2024-38796
- [bookworm] - edk2 2022.11-6+deb12u2
-CVE-2024-1298
- [bookworm] - edk2 2022.11-6+deb12u2
-CVE-2023-35789
- [bookworm] - librabbitmq 0.11.0-1+deb12u1
-CVE-2023-44270
- [bookworm] - node-postcss 8.4.20+~cs8.0.23-1+deb12u1
-CVE-2024-55565
- [bookworm] - node-postcss 8.4.20+~cs8.0.23-1+deb12u1
-CVE-2023-40175
- [bookworm] - puma 5.6.5-3+deb12u1
-CVE-2024-21647
- [bookworm] - puma 5.6.5-3+deb12u1
-CVE-2024-45614
- [bookworm] - puma 5.6.5-3+deb12u1
-CVE-2021-33643
- [bookworm] - libtar 1.2.20-8+deb12u1
-CVE-2021-33644
- [bookworm] - libtar 1.2.20-8+deb12u1
-CVE-2021-33645
- [bookworm] - libtar 1.2.20-8+deb12u1
-CVE-2021-33646
- [bookworm] - libtar 1.2.20-8+deb12u1
-CVE-2024-52948
- [bookworm] - lemonldap-ng 2.16.1+ds-deb12u5
-CVE-2024-2199
- [bookworm] - 389-ds-base 2.3.1+dfsg1-1+deb12u1
-CVE-2024-5953
- [bookworm] - 389-ds-base 2.3.1+dfsg1-1+deb12u1
-CVE-2024-3657
- [bookworm] - 389-ds-base 2.3.1+dfsg1-1+deb12u1
-CVE-2024-57965
- [bookworm] - node-axios 1.2.1+dfsg-1+deb12u1
-CVE-2023-45857
- [bookworm] - node-axios 1.2.1+dfsg-1+deb12u1
-CVE-2023-2610
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2023-4738
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2023-4752
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2023-4781
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2023-5344
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2024-22667
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2024-43802
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2024-47814
- [bookworm] - vim 2:9.0.1378-2+deb12u1
-CVE-2025-0781
- [bookworm] - flightgear 1:2020.3.16+dfsg-1+deb12u1
-CVE-2025-0781
- [bookworm] - simgear 1:2020.3.16+dfsg-1+deb12u1
-CVE-2024-27628
- [bookworm] - dcmtk 3.6.7-9~deb12u2
-CVE-2024-34508
- [bookworm] - dcmtk 3.6.7-9~deb12u2
-CVE-2024-34509
- [bookworm] - dcmtk 3.6.7-9~deb12u2
-CVE-2024-47796
- [bookworm] - dcmtk 3.6.7-9~deb12u2
-CVE-2024-52333
- [bookworm] - dcmtk 3.6.7-9~deb12u2
-CVE-2024-46544
- [bookworm] - libapache-mod-jk 1:1.2.48-2+deb12u2
-CVE-2023-32181
- [bookworm] - libeconf 0.5.1+dfsg1-1+deb12u1
-CVE-2023-22652
- [bookworm] - libeconf 0.5.1+dfsg1-1+deb12u1
-CVE-2025-1094
- [bookworm] - postgresql-15 15.11-0+deb12u1
-CVE-2023-3758
- [bookworm] - sssd 2.8.2-4+deb12u1
-CVE-2024-21543
- [bookworm] - djoser 2.1.0-1+deb12u1
-CVE-2025-23419
- [bookworm] - nginx 1.22.1-9+deb12u1
-CVE-2025-26819
- [bookworm] - monero 0.18.0.0+~0+20200826-1+deb12u1
-CVE-2024-11053
- [bookworm] - curl 7.88.1-10+deb12u10
-CVE-2025-22145
- [bookworm] - php-nesbot-carbon 2.65.0-1+deb12u1
-CVE-2024-21096
- [bookworm] - mariadb 1:10.11.11-0+deb12u1
-CVE-2025-21490
- [bookworm] - mariadb 1:10.11.11-0+deb12u1
-CVE-2025-0167
- [bookworm] - curl 7.88.1-10+deb12u11
-CVE-2024-28130
- [bookworm] - dcmtk 3.6.7-9~deb12u3
-CVE-2025-25475
- [bookworm] - dcmtk 3.6.7-9~deb12u3
-CVE-2025-25474
- [bookworm] - dcmtk 3.6.7-9~deb12u3
-CVE-2025-25472
- [bookworm] - dcmtk 3.6.7-9~deb12u3
-CVE-2024-56201
- [bookworm] - jinja2 3.1.2-1+deb12u2
-CVE-2024-56326
- [bookworm] - jinja2 3.1.2-1+deb12u2
-CVE-2024-38428
- [bookworm] - wget 1.21.3-1+deb12u1
-CVE-2025-0395
- [bookworm] - glibc 2.36-9+deb12u10
-CVE-2024-31068
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-36293
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2023-43758
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2023-34440
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-24582
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-29214
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-28127
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-39279
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-31157
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-28047
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-39355
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
-CVE-2024-37020
- [bookworm] - intel-microcode 3.20250211.1~deb12u1
CVE-2024-26462
[bookworm] - krb5 1.20.1-2+deb12u3
CVE-2025-24528
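Review bot: the hunk empties everything queued for 12.10 but leaves the krb5 entries (CVE-2024-26462 at 1.20.1-2+deb12u3 and CVE-2025-24528) in place; confirm that krb5 was not part of the 12.10 point release, otherwise those lines need the same treatment as the rest. Two details in the removed block deserve a second look: CVE-2025-0781 appears twice, once for flightgear and once for simgear with identical version strings, which is expected for a CVE spanning two source packages but is easy to misread as a duplicate, and the curl entries carry three different versions (deb12u9, deb12u10, deb12u11), so each corresponding data/CVE/list entry should name the version in which that CVE was actually fixed rather than the latest.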
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7ce8a399e5f0585ca19fc2d32fd2783ed463e068...b7d0270448065b3d3759d59650124cddcbee4896