diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2024-02-06 22:16:21 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2024-02-06 22:16:21 +0100 |
commit | 5c7629449cb0849731be15c1e89b8b710dd2a662 (patch) | |
tree | f9e13011e0df02d0ea0c5e38ccbaafc5cd250727 /data | |
parent | 9b6d68ce309a85007f3bc2d23deea79eaab4f03f (diff) |
Merge changes for updates with CVEs via bullseye 11.9
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/list | 113 | ||||
-rw-r--r-- | data/next-oldstable-point-update.txt | 114 |
2 files changed, 57 insertions, 170 deletions
diff --git a/data/CVE/list b/data/CVE/list index b107684ada..7827b516da 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -3411,7 +3411,7 @@ CVE-2024-23525 (The Spreadsheet::ParseXLSX package before 0.30 for Perl allows X {DLA-3723-1} - libspreadsheet-parsexlsx-perl 0.31-1 (bug #1061098) [bookworm] - libspreadsheet-parsexlsx-perl 0.27-3+deb12u2 - [bullseye] - libspreadsheet-parsexlsx-perl <no-dsa> (Slight minor issue; will be fixed in point release) + [bullseye] - libspreadsheet-parsexlsx-perl 0.27-2.1+deb11u2 NOTE: https://gist.github.com/phvietan/d1c95a88ab6e17047b0248d6bf9eac4a NOTE: https://github.com/MichaelDaum/spreadsheet-parsexlsx/issues/10 NOTE: Isolated changes: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/1d55f90caf433c7442e5be21a1849af2b5522ffe#diff-0702489aae2d242fa44a345ab28b021c884c51a87ba376b835f44e3474dc2385L1175-L1180 (0.30) @@ -3876,7 +3876,7 @@ CVE-2024-0569 (A vulnerability classified as problematic has been found in Totol CVE-2024-0567 (A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL ...) - gnutls28 3.8.3-1 (bug #1061045) [bookworm] - gnutls28 3.7.9-2+deb12u2 - [bullseye] - gnutls28 <no-dsa> (Minor issue) + [bullseye] - gnutls28 3.7.1-5+deb11u5 [buster] - gnutls28 <no-dsa> (Minor issue) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1521 NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09 @@ -5467,7 +5467,7 @@ CVE-2024-22368 (The Spreadsheet::ParseXLSX package before 0.28 for Perl can enco {DLA-3723-1} - libspreadsheet-parsexlsx-perl 0.29-1 [bookworm] - libspreadsheet-parsexlsx-perl 0.27-3+deb12u1 - [bullseye] - libspreadsheet-parsexlsx-perl <no-dsa> (Minor issue; DoS, can be fixed in point release) + [bullseye] - libspreadsheet-parsexlsx-perl 0.27-2.1+deb11u1 NOTE: https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_xlsx_bomb.md NOTE: Fixed by: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/39b25b91fcb939a9c8ea807fdc80386c1ae5be0c (0.28) NOTE: Minor rewrite followup: https://github.com/MichaelDaum/spreadsheet-parsexlsx/commit/47ff82d74fbd014b8ec3cab80fa4fd25db9e8242 @@ -7934,7 +7934,7 @@ CVE-2023-51764 (Postfix through 3.8.5 allows SMTP smuggling unless configured wi {DLA-3725-1} - postfix 3.8.4-1 (bug #1059230) [bookworm] - postfix 3.7.9-0+deb12u1 - [bullseye] - postfix <no-dsa> (Minor issue; mitigations exist) + [bullseye] - postfix 3.5.23-0+deb11u1 NOTE: https://sec-consult.com/blog/detail/smtp-smuggling-spoofing-e-mails-worldwide/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/21/6 NOTE: https://www.postfix.org/smtp-smuggling.html @@ -8155,7 +8155,7 @@ CVE-2023-39251 (Dell BIOS contains an Improper Input Validation vulnerability. A CVE-2023-52322 (ecrire/public/assembler.php in SPIP before 4.1.13 and 4.2.x before 4.2 ...) - spip 4.1.13+dfsg-1 (bug #1059331) [bookworm] - spip 4.1.9+dfsg-1+deb12u4 - [bullseye] - spip <no-dsa> (Minor issue) + [bullseye] - spip 3.2.11-3+deb11u10 [buster] - spip <no-dsa> (Minor issue) NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html?lang=fr NOTE: https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb @@ -9243,7 +9243,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun {DSA-5601-1 DSA-5600-1 DSA-5599-1 DSA-5591-1 DSA-5588-1 DSA-5586-1 DLA-3730-1 DLA-3719-1 DLA-3718-1 DLA-3694-1} - dropbear 2022.83-4 (bug #1059001) [bookworm] - dropbear 2022.83-1+deb12u1 - [bullseye] - dropbear <no-dsa> (Minor issue) + [bullseye] - dropbear 2020.81-3+deb11u1 [buster] - dropbear <not-affected> (ChaCha20-Poly1305 support introduced in 2020.79; *-EtM not supported as of 2022.83) - erlang 1:25.3.2.8+dfsg-1 (bug #1059002) [bookworm] - erlang <no-dsa> (Minor issue) @@ -9251,7 +9251,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun [buster] - erlang <no-dsa> (Minor issue) - filezilla 3.66.4-1 [bookworm] - filezilla 3.63.0-1+deb12u3 - [bullseye] - filezilla <no-dsa> (Minor issue) + [bullseye] - filezilla 3.52.2-3+deb11u1 [buster] - filezilla <no-dsa> (Minor issue) - golang-go.crypto 1:0.17.0-1 (bug #1059003) [bookworm] - golang-go.crypto <no-dsa> (Minor issue) @@ -10654,7 +10654,7 @@ CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in T {DLA-3701-1} - tinyxml 2.6.2-6.1 (bug #1059315) [bookworm] - tinyxml 2.6.2-6+deb12u1 - [bullseye] - tinyxml <no-dsa> (Minor issue) + [bullseye] - tinyxml 2.6.2-4+deb11u2 NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities NOTE: Debian (non upstream) patch: https://salsa.debian.org/debian/tinyxml/-/raw/2366e1f23d059d4c20c43c54176b6bd78d6a83fc/debian/patches/CVE-2023-34194.patch CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed ...) @@ -11161,7 +11161,7 @@ CVE-2023-6356 [NULL pointer dereference in nvmet_tcp_build_iovec] CVE-2023-39804 [Incorrectly handled extension attributes in PAX archives can lead to a crash] - tar 1.34+dfsg-1.3 (bug #1058079) [bookworm] - tar 1.34+dfsg-1.2+deb12u1 - [bullseye] - tar <no-dsa> (Minor issue) + [bullseye] - tar 1.34+dfsg-1+deb11u1 [buster] - tar <no-dsa> (Minor issue) NOTE: Fixed by: https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4 (v1.35) CVE-2023-6679 (A null pointer dereference vulnerability was found in dpll_pin_parent_ ...) @@ -11556,21 +11556,21 @@ CVE-2023-49468 (Libde265 v1.0.14 was discovered to contain a global buffer overf {DLA-3699-1} - libde265 1.0.15-1 (bug #1059275) [bookworm] - libde265 1.0.11-1+deb12u2 - [bullseye] - libde265 <no-dsa> (Minor issue) + [bullseye] - libde265 1.0.11-0+deb11u3 NOTE: https://github.com/strukturag/libde265/issues/432 NOTE: Fixed by: https://github.com/strukturag/libde265/commit/3e822a3ccf88df1380b165d6ce5a00494a27ceeb (v1.0.15) CVE-2023-49467 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...) {DLA-3699-1} - libde265 1.0.15-1 (bug #1059275) [bookworm] - libde265 1.0.11-1+deb12u2 - [bullseye] - libde265 <no-dsa> (Minor issue) + [bullseye] - libde265 1.0.11-0+deb11u3 NOTE: https://github.com/strukturag/libde265/issues/434 NOTE: Fixed by: https://github.com/strukturag/libde265/commit/7e4faf254bbd2e52b0f216cb987573a2cce97b54 (v1.0.15) CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...) {DLA-3699-1} - libde265 1.0.15-1 (bug #1059275) [bookworm] - libde265 1.0.11-1+deb12u2 - [bullseye] - libde265 <no-dsa> (Minor issue) + [bullseye] - libde265 1.0.11-0+deb11u3 NOTE: https://github.com/strukturag/libde265/issues/435 NOTE: Fixed by: https://github.com/strukturag/libde265/commit/1475c7d2f0a6dc35c27e18abc4db9679bfd32568 (v1.0.15) CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) @@ -13748,7 +13748,7 @@ CVE-2023-47039 (A vulnerability was found in Perl. This security issue occurs wh CVE-2023-47038 (A vulnerability was found in perl. This issue occurs when a crafted re ...) - perl 5.36.0-10 (bug #1056746) [bookworm] - perl 5.36.0-7+deb12u1 - [bullseye] - perl <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - perl 5.32.1-4+deb11u3 [buster] - perl <not-affected> (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 (v5.34.2) NOTE: Fixed by: https://github.com/Perl/perl5/commit/7047915eef37fccd93e7cd985c29fe6be54650b6 (v5.36.2) @@ -15062,14 +15062,14 @@ CVE-2023-43887 (Libde265 v1.0.12 was discovered to contain multiple buffer overf {DLA-3676-1} - libde265 1.0.13-1 [bookworm] - libde265 1.0.11-1+deb12u1 - [bullseye] - libde265 <no-dsa> (Minor issue) + [bullseye] - libde265 1.0.11-0+deb11u2 NOTE: https://github.com/strukturag/libde265/issues/418 NOTE: https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133 (v1.0.13) CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a ...) {DLA-3676-1} - libde265 1.0.13-1 (bug #1056187) [bookworm] - libde265 1.0.11-1+deb12u1 - [bullseye] - libde265 <no-dsa> (Minor issue) + [bullseye] - libde265 1.0.11-0+deb11u2 NOTE: https://github.com/strukturag/libde265/issues/426 NOTE: https://github.com/strukturag/libde265/commit/e36b4a1b0bafa53df47514c419d5be3e8916ebc7 (v1.0.13) CVE-2023-47470 (Buffer Overflow vulnerability in Ffmpeg before github commit 456574705 ...) @@ -15165,7 +15165,7 @@ CVE-2023-5981 (A vulnerability was found that the response times to malformed ci {DLA-3660-1} - gnutls28 3.8.2-1 (bug #1056188) [bookworm] - gnutls28 3.7.9-2+deb12u1 - [bullseye] - gnutls28 <no-dsa> (Minor issue; can be fixed via point release) + [bullseye] - gnutls28 3.7.1-5+deb11u5 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1511 NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2023-November/004837.html @@ -16047,7 +16047,7 @@ CVE-2023-46734 (Symfony is a PHP framework for web and console applications and {DLA-3664-1} - symfony 5.4.31+dfsg-1 (bug #1055774) [bookworm] - symfony 5.4.23+dfsg-1+deb12u1 - [bullseye] - symfony <no-dsa> (Minor issue) + [bullseye] - symfony 4.4.19+dfsg-2+deb11u4 NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3 NOTE: https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c (v4.4.51, v5.4.31, v6.3.8) CVE-2023-46733 (Symfony is a PHP framework for web and console applications and a set ...) @@ -19264,7 +19264,7 @@ CVE-2023-46316 (In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper CVE-2023-46586 - weborf 1.0-1 (bug #1054417) [bookworm] - weborf 0.19-2.1+deb12u1 - [bullseye] - weborf <no-dsa> (Minor issue) + [bullseye] - weborf 0.17-3+deb11u1 [buster] - weborf <no-dsa> (Minor issue) NOTE: https://github.com/ltworf/weborf/pull/88 NOTE: Fixed by: https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d (1.0) @@ -20754,7 +20754,7 @@ CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultan [buster] - zlib <ignored> (contrib/minizip not built and producing binary packages) - minizip <removed> (bug #1056718) [bookworm] - minizip 1.1-8+deb12u1 - [bullseye] - minizip <no-dsa> (Minor issue; can be fixed in point release) + [bullseye] - minizip 1.1-8+deb11u1 NOTE: https://github.com/madler/zlib/pull/843 NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c NOTE: src:zlib only starts building minizip starting in 1:1.2.13.dfsg-2 @@ -21289,7 +21289,7 @@ CVE-2023-44689 (e-Gov Client Application (Windows version) versions prior to 2.1 CVE-2023-37536 (An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remo ...) {DLA-3704-1} - xerces-c 3.2.4+debian-1 - [bullseye] - xerces-c <no-dsa> (Minor issue) + [bullseye] - xerces-c 3.2.3+debian-3+deb11u1 NOTE: https://github.com/apache/xerces-c/pull/51 NOTE: https://issues.apache.org/jira/browse/XERCESC-2241 NOTE: Fixed by: https://github.com/apache/xerces-c/commit/1296a40db07308dbaac32494469f609b00cdfaf3 (v3.2.4) @@ -26988,7 +26988,7 @@ CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x {DLA-3622-1} - axis 1.4-29 (bug #1051288) [bookworm] - axis 1.4-28+deb12u1 - [bullseye] - axis <no-dsa> (Minor issue) + [bullseye] - axis 1.4-28+deb11u1 NOTE: https://www.openwall.com/lists/oss-security/2023/09/05/1 NOTE: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 CVE-2023-34322 (For migration as well as to work around kernels unaware of L1TF (see X ...) @@ -35086,7 +35086,7 @@ CVE-2022-48521 (An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x t {DLA-3680-1} - opendkim 2.11.0~beta2-9 (bug #1041107) [bookworm] - opendkim 2.11.0~beta2-8+deb12u1 - [bullseye] - opendkim <no-dsa> (Minor issue) + [bullseye] - opendkim 2.11.0~beta2-4+deb11u1 NOTE: https://github.com/trusteddomainproject/OpenDKIM/issues/148 CVE-2023-36543 (Apache Airflow, versions before 2.6.3, has a vulnerability where an au ...) - airflow <itp> (bug #819700) @@ -42905,7 +42905,7 @@ CVE-2023-31023 (NVIDIA Display Driver for Windows contains a vulnerability where CVE-2023-31022 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...) - nvidia-graphics-drivers 525.147.05-1 (bug #1055136) [bookworm] - nvidia-graphics-drivers 525.147.05-1~deb12u1 - [bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers 470.223.02-1 [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) - nvidia-open-gpu-kernel-modules 525.147.05-1 (bug #1055144) [bookworm] - nvidia-open-gpu-kernel-modules 525.147.05-1~deb12u1 @@ -42913,7 +42913,7 @@ CVE-2023-31022 (NVIDIA GPU Display Driver for Windows and Linux contains a vulne [bookworm] - nvidia-graphics-drivers-tesla 525.147.05-3~deb12u1 - nvidia-graphics-drivers-tesla-470 470.223.02-1 (bug #1055142) [bookworm] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb12u1 - [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported) + [bullseye] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb11u1 - nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1055141) [bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported) NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470 @@ -47163,7 +47163,7 @@ CVE-2023-32643 (A flaw was found in GLib. The GVariant deserialization code is v CVE-2023-32665 (A flaw was found in GLib. GVariant deserialization is vulnerable to an ...) {DLA-3583-1} - glib2.0 2.74.4-1 - [bullseye] - glib2.0 <no-dsa> (Minor issue) + [bullseye] - glib2.0 2.66.8-1+deb11u1 NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2121 NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125 NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 3125 backport) @@ -47174,7 +47174,7 @@ CVE-2023-32665 (A flaw was found in GLib. GVariant deserialization is vulnerable CVE-2023-32611 (A flaw was found in GLib. GVariant deserialization is vulnerable to a ...) {DLA-3583-1} - glib2.0 2.74.4-1 - [bullseye] - glib2.0 <no-dsa> (Minor issue) + [bullseye] - glib2.0 2.66.8-1+deb11u1 NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2797 NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125 NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 3125 backport) @@ -47185,7 +47185,7 @@ CVE-2023-32611 (A flaw was found in GLib. GVariant deserialization is vulnerable CVE-2023-29499 (A flaw was found in GLib. GVariant deserialization fails to validate t ...) {DLA-3583-1} - glib2.0 2.74.4-1 - [bullseye] - glib2.0 <no-dsa> (Minor issue) + [bullseye] - glib2.0 2.66.8-1+deb11u1 NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2794 NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3125 NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/3126 (2.74, 3125 backport) @@ -55405,14 +55405,14 @@ CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflo {DLA-3676-1} - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 1.0.11-1+deb12u1 - [bullseye] - libde265 <no-dsa> (Minor issue) + [bullseye] - libde265 1.0.11-0+deb11u2 NOTE: https://github.com/strukturag/libde265/issues/394 NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995 (v1.0.12) CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...) {DLA-3676-1} - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 1.0.11-1+deb12u1 - [bullseye] - libde265 <no-dsa> (Minor issue) + [bullseye] - libde265 1.0.11-0+deb11u2 NOTE: https://github.com/strukturag/libde265/issues/393 NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1 (v1.0.12) CVE-2023-27101 @@ -57901,7 +57901,7 @@ CVE-2023-26133 (All versions of the package progressbar.js are vulnerable to Pro CVE-2023-26132 (Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...) - node-dottie 2.0.6+~2.0.5-1 (bug #1040592) [bookworm] - node-dottie 2.0.2-4+deb12u1 - [bullseye] - node-dottie <no-dsa> (Minor issue) + [bullseye] - node-dottie 2.0.2-4+deb11u1 NOTE: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 NOTE: https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68 (v2.0.4) CVE-2023-26131 (All versions of the package github.com/xyproto/algernon/engine; all ve ...) @@ -58930,7 +58930,7 @@ CVE-2023-0843 RESERVED CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or add new p ...) - node-xml2js 0.4.23+~cs15.4.0+dfsg-7 (bug #1034148) - [bullseye] - node-xml2js <no-dsa> (Minor issue) + [bullseye] - node-xml2js 0.2.8-1+deb11u1 [buster] - node-xml2js <no-dsa> (Minor issue) NOTE: https://fluidattacks.com/advisories/myers/ NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663 @@ -62601,6 +62601,7 @@ CVE-2022-48304 CVE-2022-48303 (GNU Tar through 1.34 has a one-byte out-of-bounds read that results in ...) - tar 1.34+dfsg-1.4 (unimportant) [bookworm] - tar 1.34+dfsg-1.2+deb12u1 + [bullseye] - tar 1.34+dfsg-1+deb11u1 NOTE: Crash in CLI tool, no security impact NOTE: https://savannah.gnu.org/bugs/?62387 NOTE: https://savannah.gnu.org/patch/?10307 @@ -64460,7 +64461,7 @@ CVE-2020-36655 (Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arb CVE-2023-24021 (Incorrect handling of '\0' bytes in file uploads in ModSecurity before ...) {DLA-3283-1} - modsecurity-apache 2.9.7-1 (bug #1029329) - [bullseye] - modsecurity-apache <no-dsa> (Minor issue) + [bullseye] - modsecurity-apache 2.9.3-3+deb11u2 NOTE: https://github.com/SpiderLabs/ModSecurity/pull/2857 NOTE: https://github.com/SpiderLabs/ModSecurity/commit/4324f0ac59f8225aa44bc5034df60dbeccd1d334 (v2.9.7) CVE-2023-24012 @@ -64601,7 +64602,7 @@ CVE-2022-4893 CVE-2022-48279 (In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart reque ...) {DLA-3283-1} - modsecurity-apache 2.9.6-1 - [bullseye] - modsecurity-apache <no-dsa> (Minor issue) + [bullseye] - modsecurity-apache 2.9.3-3+deb11u2 - modsecurity 3.0.8-1 [bullseye] - modsecurity <no-dsa> (Minor issue) [buster] - modsecurity <no-dsa> (Minor issue) @@ -72754,7 +72755,7 @@ CVE-2023-22084 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mariadb 1:10.11.6-1 [bookworm] - mariadb 1:10.11.6-0+deb12u1 - mariadb-10.5 <removed> - [bullseye] - mariadb-10.5 <no-dsa> (Minor issue, will be fixed via point update) + [bullseye] - mariadb-10.5 1:10.5.23-0+deb11u1 - mariadb-10.3 <removed> - mysql-8.0 8.0.35-1 (bug #1055034) NOTE: Fixed in MariaDB: 11.2.2, 11.1.3, 11.0.4, 10.11.6, 10.10.7, 10.6.16, 10.5.23, 10.4.32 @@ -73820,7 +73821,7 @@ CVE-2022-4516 CVE-2022-4515 (A flaw was found in Exuberant Ctags in the way it handles the "-o" opt ...) {DLA-3254-1} - exuberant-ctags 1:5.9~svn20110310-18 (bug #1026995) - [bullseye] - exuberant-ctags <no-dsa> (Minor issue) + [bullseye] - exuberant-ctags 1:5.9~svn20110310-14+deb11u1 - universal-ctags <not-affected> (Fixed before initial upload to Debian) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2153519 NOTE: Fixed by: https://github.com/universal-ctags/ctags/commit/e00c55d7a0204dc1d0ae316141323959e1e16162 @@ -90040,7 +90041,7 @@ CVE-2022-42962 RESERVED CVE-2022-42961 (An issue was discovered in wolfSSL before 5.5.0. A fault injection att ...) - wolfssl 5.5.3-1 (bug #1023574) - [bullseye] - wolfssl <no-dsa> (Minor issue) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u2 NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable CVE-2022-42960 (EqualWeb Accessibility Widget 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.1 ...) NOT-FOR-US: EqualWeb Accessibility Widget @@ -90324,7 +90325,7 @@ CVE-2022-42907 RESERVED CVE-2022-42905 (In wolfSSL before 5.5.2, if callback functions are enabled (via the WO ...) - wolfssl 5.5.3-1 - [bullseye] - wolfssl <no-dsa> (Minor issue) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u2 NOTE: Fixed in 5.5.2 (https://www.wolfssl.com/docs/security-vulnerabilities/) CVE-2022-42904 (Zoho ManageEngine ADManager Plus through 7151 allows authenticated adm ...) NOT-FOR-US: Zoho ManageEngine @@ -100087,7 +100088,7 @@ CVE-2022-39174 RESERVED CVE-2022-39173 (In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow ...) - wolfssl 5.5.3-1 (bug #1021021) - [bullseye] - wolfssl <no-dsa> (Minor issue) + [bullseye] - wolfssl 4.6.0+p1-0+deb11u2 CVE-2022-39172 (A stored XSS in the process overview (bersicht zugewiesener Vorgaenge) ...) NOT-FOR-US: mbsupport openVIVA c2 CVE-2022-39171 @@ -101401,7 +101402,7 @@ CVE-2022-2990 (An incorrect handling of the supplementary groups in the Buildah CVE-2022-2989 (An incorrect handling of the supplementary groups in the Podman contai ...) [experimental] - libpod 4.3.1+ds1-1 - libpod 4.3.1+ds1-4 (bug #1019591) - [bullseye] - libpod <no-dsa> (Minor issue) + [bullseye] - libpod 3.0.1+dfsg1-3+deb11u5 NOTE: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121445 NOTE: https://github.com/containers/podman/pull/15696 @@ -118382,7 +118383,7 @@ CVE-2023-34151 (A vulnerability was found in ImageMagick. This security flaw ouc CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the range ...) {DLA-3429-1} - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1016442) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 [stretch] - imagemagick <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091812 NOTE: https://github.com/ImageMagick/ImageMagick/issues/4985 @@ -118392,7 +118393,7 @@ CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the CVE-2022-32545 (A vulnerability was found in ImageMagick, causing an outside the range ...) {DLA-3429-1} - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1016442) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 [stretch] - imagemagick <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091811 NOTE: https://github.com/ImageMagick/ImageMagick/issues/4962 @@ -130598,7 +130599,7 @@ CVE-2022-28464 (Apifox through 2.1.6 is vulnerable to Cross Site Scripting (XSS) CVE-2022-28463 (ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.) {DLA-3429-1 DLA-3007-1} - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <no-dsa> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ca3654ebf7a439dc736f56f083c9aa98e4464b7f NOTE: https://github.com/ImageMagick/ImageMagick/issues/4988 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e6ea5876e0228165ee3abc6e959aa174cee06680 @@ -131908,7 +131909,7 @@ CVE-2022-1115 (A heap-buffer-overflow flaw was found in ImageMagick\u2019s PushS NOTE: Introduced by (Support 32-bit tiles TIFF images): https://github.com/ImageMagick/ImageMagick6/commit/b874d50070557eb98bdc6a3095ef476 (6.9.10-88) CVE-2022-1114 (A heap-use-after-free flaw was found in ImageMagick's RelinquishDCMInf ...) - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <no-dsa> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 [buster] - imagemagick <no-dsa> (Minor issue) [stretch] - imagemagick <not-affected> (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/4947 @@ -140264,7 +140265,7 @@ CVE-2021-4220 REJECTED CVE-2021-4219 (A flaw was found in ImageMagick. The vulnerability occurs due to impro ...) - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <no-dsa> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 [buster] - imagemagick <not-affected> (Vulnerable code introduced later) [stretch] - imagemagick <not-affected> (Vulnerable code introduced later) NOTE: introduced by https://github.com/ImageMagick/ImageMagick6/commit/b51ead044753d771646fe1dfd6fb1db0b562a5f0 @@ -142715,7 +142716,7 @@ CVE-2022-0513 (The WP Statistics WordPress plugin is vulnerable to SQL Injection CVE-2022-0512 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...) {DLA-3336-1} - node-url-parse 1.5.7-1 - [bullseye] - node-url-parse <no-dsa> (Minor issue) + [bullseye] - node-url-parse 1.5.3-1+deb11u2 [stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b NOTE: https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40 (1.5.6) @@ -174456,7 +174457,7 @@ CVE-2021-39213 (GLPI is a free Asset and IT management software package. Startin CVE-2021-39212 (ImageMagick is free software delivered as a ready-to-run binary distri ...) {DLA-3429-1} - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #996588) - [bullseye] - imagemagick <no-dsa> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 [stretch] - imagemagick <no-dsa> (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr NOTE: https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68 @@ -187622,7 +187623,7 @@ CVE-2021-33881 (On NXP MIFARE Ultralight and NTAG cards, an attacker can interru NOT-FOR-US: NXP CVE-2021-33880 (The aaugustin websockets library before 9.1 for Python has an Observab ...) - python-websockets 9.1-1 (bug #989561) - [bullseye] - python-websockets <no-dsa> (Minor issue) + [bullseye] - python-websockets 8.1-1+deb11u1 [buster] - python-websockets <not-affected> (Vulnerable code introduced in 8.0) [stretch] - python-websockets <not-affected> (Vulnerable code introduced in 8.0) NOTE: https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0 @@ -187848,7 +187849,7 @@ CVE-2021-3574 (A vulnerability was found in ImageMagick-7.0.11-5, where executin {DLA-3357-1} [experimental] - imagemagick 8:6.9.12.20+dfsg1-1 - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1027164) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: https://github.com/ImageMagick/ImageMagick/issues/3540 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c6ad94fbb7b280f39c2fbbdc1c140e51b1b466e9 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/cd7f9fb7751b0d59d5a74b12d971155caad5a792 @@ -223569,7 +223570,7 @@ CVE-2021-20309 (A flaw was found in ImageMagick in versions before 7.0.11 and be {DLA-3429-1 DLA-2672-1} [experimental] - imagemagick 8:6.9.12.20+dfsg1-1 - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/94174beff065cb5683d09d79e992c3ebbdead311 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/f1e68d22d1b35459421710587a0dcbab6900b51f CVE-2021-20308 (Integer overflow in the htmldoc 1.9.11 and before may allow attackers ...) @@ -223862,7 +223863,7 @@ CVE-2021-20246 (A flaw was found in ImageMagick in MagickCore/resample.c. An att {DLA-3429-1 DLA-2602-1} [experimental] - imagemagick 8:6.9.12.20+dfsg1-1 - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: https://github.com/ImageMagick/ImageMagick/issues/3195 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/8d25d94a363b104acd6ff23df7470aeedb806c51 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74 @@ -223870,7 +223871,7 @@ CVE-2021-20245 (A flaw was found in ImageMagick in coders/webp.c. An attacker wh {DLA-3429-1 DLA-2672-1} [experimental] - imagemagick 8:6.9.12.20+dfsg1-1 - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: https://github.com/ImageMagick/ImageMagick/issues/3176 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/ffb683e62ddedc6436a1b88388eb690d7ca57bf2 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca @@ -223878,7 +223879,7 @@ CVE-2021-20244 (A flaw was found in ImageMagick in MagickCore/visual-effects.c. {DLA-3429-1 DLA-2602-1} [experimental] - imagemagick 8:6.9.12.20+dfsg1-1 - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: https://github.com/ImageMagick/ImageMagick/pull/3194 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/c8d674946a687f40a126166edf470733fc8ede02 @@ -223886,7 +223887,7 @@ CVE-2021-20243 (A flaw was found in ImageMagick in MagickCore/resize.c. An attac {DLA-3429-1 DLA-2672-1} [experimental] - imagemagick 8:6.9.12.20+dfsg1-1 - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: https://github.com/ImageMagick/ImageMagick/pull/3193 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9751bd619872c8e58609fbed56c4827afa083b40 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745 (resize.c hunk) @@ -223896,7 +223897,7 @@ CVE-2021-20241 (A flaw was found in ImageMagick in coders/jp2.c. An attacker who {DLA-3429-1 DLA-2602-1} [experimental] - imagemagick 8:6.9.12.20+dfsg1-1 - imagemagick 8:6.9.11.60+dfsg-1.5 (bug #1013282) - [bullseye] - imagemagick <ignored> (Minor issue) + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 NOTE: https://github.com/ImageMagick/ImageMagick/pull/3177 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/dd33b451c3e01098efad34bbaca2df78d5391dc8 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745 @@ -496088,7 +496089,7 @@ CVE-2016-1244 (The extractTree function in unADF allows remote attackers to exec {DSA-3676-1 DLA-631-1} - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 - [bullseye] - unadf <no-dsa> (Minor issue) + [bullseye] - unadf 0.7.11a-4+deb11u1 [buster] - unadf <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. @@ -496096,7 +496097,7 @@ CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF {DSA-3676-1 DLA-631-1} - unadf 0.7.11a-6 (bug #838248) [bookworm] - unadf 0.7.11a-5+deb12u1 - [bullseye] - unadf <no-dsa> (Minor issue) + [bullseye] - unadf 0.7.11a-4+deb11u1 [buster] - unadf <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix. diff --git a/data/next-oldstable-point-update.txt b/data/next-oldstable-point-update.txt index a521670b71..596c8b3e2e 100644 --- a/data/next-oldstable-point-update.txt +++ b/data/next-oldstable-point-update.txt @@ -1,117 +1,3 @@ -CVE-2023-32665 - [bullseye] - glib2.0 2.66.8-1+deb11u1 -CVE-2023-32611 - [bullseye] - glib2.0 2.66.8-1+deb11u1 -CVE-2023-29499 - [bullseye] - glib2.0 2.66.8-1+deb11u1 -CVE-2022-42961 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u2 -CVE-2022-39173 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u2 -CVE-2022-42905 - [bullseye] - wolfssl 4.6.0+p1-0+deb11u2 -CVE-2022-48279 - [bullseye] - modsecurity-apache 2.9.3-3+deb11u2 -CVE-2023-24021 - [bullseye] - modsecurity-apache 2.9.3-3+deb11u2 -CVE-2023-0842 - [bullseye] - node-xml2js 0.2.8-1+deb11u1 -CVE-2022-0512 - [bullseye] - node-url-parse 1.5.3-1+deb11u2 -CVE-2021-3574 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-4219 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-20241 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-20243 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-20244 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-20245 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-20246 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-20309 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2021-39212 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2022-1114 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2022-28463 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2022-32545 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2022-32546 - [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 -CVE-2023-26132 - [bullseye] - node-dottie 2.0.2-4+deb11u1 -CVE-2023-40743 - [bullseye] - axis 1.4-28+deb11u1 -CVE-2023-46586 - [bullseye] - weborf 0.17-3+deb11u1 -CVE-2021-33880 - [bullseye] - python-websockets 8.1-1+deb11u1 -CVE-2023-46734 - [bullseye] - symfony 4.4.19+dfsg-2+deb11u4 -CVE-2023-31022 - [bullseye] - nvidia-graphics-drivers 470.223.02-1 -CVE-2023-45853 - [bullseye] - minizip 1.1-8+deb11u1 -CVE-2023-31022 - [bullseye] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb11u1 -CVE-2023-47038 - [bullseye] - perl 5.32.1-4+deb11u3 -CVE-2023-27102 - [bullseye] - libde265 1.0.11-0+deb11u2 -CVE-2023-27103 - [bullseye] - libde265 1.0.11-0+deb11u2 -CVE-2023-43887 - [bullseye] - libde265 1.0.11-0+deb11u2 -CVE-2023-47471 - [bullseye] - libde265 1.0.11-0+deb11u2 -CVE-2023-5981 - [bullseye] - gnutls28 3.7.1-5+deb11u5 -CVE-2024-0567 - [bullseye] - gnutls28 3.7.1-5+deb11u5 -CVE-2023-22084 - [bullseye] - mariadb-10.5 1:10.5.23-0+deb11u1 -CVE-2022-48521 - [bullseye] - opendkim 2.11.0~beta2-4+deb11u1 -CVE-2023-52322 - [bullseye] - spip 3.2.11-3+deb11u10 -CVE-2023-51764 - [bullseye] - postfix 3.5.23-0+deb11u1 -CVE-2023-48795 - [bullseye] - filezilla 3.52.2-3+deb11u1 -CVE-2023-48795 - [bullseye] - dropbear 2020.81-3+deb11u1 -CVE-2022-4515 - [bullseye] - exuberant-ctags 1:5.9~svn20110310-14+deb11u1 -CVE-2022-2989 - [bullseye] - libpod 3.0.1+dfsg1-3+deb11u5 -CVE-2023-49465 - [bullseye] - libde265 1.0.11-0+deb11u3 -CVE-2023-49467 - [bullseye] - libde265 1.0.11-0+deb11u3 -CVE-2023-49468 - [bullseye] - libde265 1.0.11-0+deb11u3 -CVE-2024-22368 - [bullseye] - libspreadsheet-parsexlsx-perl 0.27-2.1+deb11u1 -CVE-2024-23525 - [bullseye] - libspreadsheet-parsexlsx-perl 0.27-2.1+deb11u2 -CVE-2022-48303 - [bullseye] - tar 1.34+dfsg-1+deb11u1 -CVE-2023-39804 - [bullseye] - tar 1.34+dfsg-1+deb11u1 -CVE-2023-37536 - [bullseye] - xerces-c 3.2.3+debian-3+deb11u1 -CVE-2023-34194 - [bullseye] - tinyxml 2.6.2-4+deb11u2 -CVE-2016-1244 - [bullseye] - unadf 0.7.11a-4+deb11u1 -CVE-2016-1243 - [bullseye] - unadf 0.7.11a-4+deb11u1 CVE-2023-5157 [bullseye] - galera-4 26.4.14-0+deb11u1 CVE-2021-32718 |