Commits on Source (2)
......@@ -3701,7 +3701,7 @@ CVE-2019-14775
CVE-2019-12625 [clamav zip DoS]
RESERVED
- clamav 0.101.4+dfsg-1 (bug #934359)
[buster] - clamav <no-dsa> (ClamAV is updated via -updates)
[buster] - clamav 0.101.4+dfsg-0+deb10u1
[stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3
NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=12356
......@@ -5292,7 +5292,7 @@ CVE-2019-14378 (ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer
- qemu 1:4.1-1 (bug #933741)
- qemu-kvm <removed>
- slirp4netns 0.3.2-1 (bug #933742)
[buster] - slirp4netns <no-dsa> (Will be fixed via 10.1 point release)
[buster] - slirp4netns 0.2.3-1
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210
CVE-2018-20870 (The WebDAV transport feature in cPanel before 76.0.8 enables debug log ...)
NOT-FOR-US: cPanel
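Review bot: Unlike every other buster fixed version in this change, `[buster] - slirp4netns 0.2.3-1` carries no +deb10uN suffix (the CVE-2019-9824 hunk further down has the same line). Since it replaces a `<no-dsa> (Will be fixed via 10.1 point release)` marker, confirm that 0.2.3-1 is the upload actually accepted for the 10.1 point release and not the version buster already shipped, otherwise the tracker will report buster as fixed while the fix is still pending.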
......@@ -5635,6 +5635,7 @@ CVE-2019-14276
RESERVED
CVE-2019-14275 (Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the calc_arro ...)
- fig2dev 1:3.2.7a-7 (unimportant; bug #933075)
[buster] - fig2dev 1:3.2.7a-5+deb10u1
- transfig <removed> (unimportant)
NOTE: https://sourceforge.net/p/mcj/tickets/52/
NOTE: Crash in CLI tool, no security impact, hardening build
......@@ -8272,7 +8273,7 @@ CVE-2019-13566
CVE-2019-13565 (An issue was discovered in OpenLDAP 2.x before 2.4.48. When using SASL ...)
{DLA-1891-1}
- openldap 2.4.48+dfsg-1 (low; bug #932998)
[buster] - openldap <no-dsa> (Minor issue)
[buster] - openldap 2.4.47+dfsg-3+deb10u1
[stretch] - openldap <no-dsa> (Minor issue)
NOTE: https://openldap.org/its/?findid=9052
CVE-2019-13564 (XSS exists in Ping Identity Agentless Integration Kit before 1.5. ...)
......@@ -8441,19 +8442,19 @@ CVE-2019-13487
CVE-2019-13486 (In Xymon through 4.3.28, a stack-based buffer overflow exists in the s ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13485 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13484 (In Xymon through 4.3.28, a buffer overflow exists in the status-log vi ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13483 (Auth0 Passport-SharePoint before 0.4.0 does not validate the JWT signa ...)
......@@ -8532,7 +8533,7 @@ CVE-2019-13456
CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13454 (ImageMagick 7.0.8-54 Q16 allows Division by Zero in RemoveDuplicateLay ...)
......@@ -8550,13 +8551,13 @@ CVE-2019-13453 (Zipios before 0.1.7 does not properly handle certain malformed z
CVE-2019-13452 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in rep ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13451 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in his ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-XXXX [No grant table and foreign mapping limits]
......@@ -9005,13 +9006,13 @@ CVE-2019-13275 (An issue was discovered in the VeronaLabs wp-statistics plugin b
CVE-2019-13274 (In Xymon through 4.3.28, an XSS vulnerability exists in the csvinfo CG ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13273 (In Xymon through 4.3.28, a buffer overflow vulnerability exists in the ...)
{DLA-1898-1}
- xymon 4.3.29-1
[buster] - xymon <no-dsa> (Minor issue)
[buster] - xymon 4.3.28-5+deb10u1
[stretch] - xymon <no-dsa> (Minor issue)
NOTE: https://lists.xymon.com/archive/2019-July/046570.html
CVE-2019-13272 (In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mish ...)
......@@ -9105,6 +9106,7 @@ CVE-2019-13234 (In the Alkacon OpenCms Apollo Template 10.5.4 and 10.5.5, there
CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP co ...)
{DLA-1846-1}
- unzip 6.0-24 (unimportant; bug #931433)
[buster] - unzip 6.0-23+deb10u1
NOTE: https://www.bamsoftware.com/hacks/zipbomb/
NOTE: Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
NOTE: Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
......@@ -9257,7 +9259,7 @@ CVE-2019-13179 (Calamares versions 3.1 through 3.2.10 copies a LUKS encryption k
- calamares 3.2.11-1 (bug #931392)
[buster] - calamares <ignored> (Mitigated via calamares-settings-debian in Debian)
- calamares-settings-debian 10.0.23-1 (bug #931373)
[buster] - calamares-settings-debian <no-dsa> (Will be fixed via Buster point release)
[buster] - calamares-settings-debian 10.0.20-1+deb10u1
NOTE: https://github.com/calamares/calamares/issues/1191
NOTE: https://github.com/calamares/calamares/commit/003096698627a527b589c0c929dda4d58f23fd93
NOTE: The issue itself can be adressed as well via calamares-settings-debian and
......@@ -9312,7 +9314,7 @@ CVE-2019-13162
RESERVED
CVE-2019-13161 (An issue was discovered in Asterisk Open Source through 13.27.0, 14.x ...)
- asterisk 1:16.2.1~dfsg-2 (low; bug #931981)
[buster] - asterisk <no-dsa> (Minor issue)
[buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
[stretch] - asterisk <no-dsa> (Minor issue)
[jessie] - asterisk <no-dsa> (Minor issue)
NOTE: http://downloads.digium.com/pub/security/AST-2019-003.html
......@@ -9428,7 +9430,7 @@ CVE-2019-13119
CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characters of ...)
{DLA-1860-1}
- libxslt 1.1.32-2.1 (low; bug #931320; bug #933743)
[buster] - libxslt <no-dsa> (Minor issue)
[buster] - libxslt 1.1.32-2.1~deb10u1
[stretch] - libxslt <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
......@@ -9436,7 +9438,7 @@ CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characte
CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain format stri ...)
{DLA-1860-1}
- libxslt 1.1.32-2.1 (low; bug #931321; bug #933743)
[buster] - libxslt <no-dsa> (Minor issue)
[buster] - libxslt 1.1.32-2.1~deb10u1
[stretch] - libxslt <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
......@@ -9629,7 +9631,7 @@ CVE-2019-13058
CVE-2019-13057 (An issue was discovered in the server in OpenLDAP before 2.4.48. When ...)
{DLA-1891-1}
- openldap 2.4.48+dfsg-1 (low; bug #932997)
[buster] - openldap <no-dsa> (Minor issue)
[buster] - openldap 2.4.47+dfsg-3+deb10u1
[stretch] - openldap <no-dsa> (Minor issue)
NOTE: https://openldap.org/its/?findid=9038
CVE-2019-13056 (An issue was discovered in CyberPanel through 1.8.4. On the user edit ...)
......@@ -10071,7 +10073,7 @@ CVE-2019-12900 (BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out
- bzip2 1.0.6-9.1 (bug #930886)
[stretch] - bzip2 <no-dsa> (Not exploitable; potential dangerous parts already guarded)
- clamav 0.101.4+dfsg-1 (bug #934359)
[buster] - clamav <no-dsa> (ClamAV is updated via -updates)
[buster] - clamav 0.101.4+dfsg-0+deb10u1
[stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
NOTE: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
NOTE: The original fix introduces regressions when extracting certain lbzip2 files
......@@ -10258,7 +10260,7 @@ CVE-2019-12828 (An issue was discovered in Electronic Arts Origin before 10.5.39
NOT-FOR-US: Electronic Arts Origin
CVE-2019-12827 (Buffer overflow in res_pjsip_messaging in Digium Asterisk versions 13. ...)
- asterisk 1:16.2.1~dfsg-2 (bug #931980)
[buster] - asterisk <no-dsa> (Minor issue)
[buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
[stretch] - asterisk <no-dsa> (Minor issue)
[jessie] - asterisk <no-dsa> (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-002.html
......@@ -11216,7 +11218,7 @@ CVE-2019-13012 (The keyfile settings backend in GNOME GLib (aka glib2.0) before
{DLA-1866-2 DLA-1866-1}
[experimental] - glib2.0 2.60.0-1
- glib2.0 2.60.5-1 (bug #931234)
[buster] - glib2.0 <no-dsa> (Minor issue)
[buster] - glib2.0 2.58.3-2+deb10u1
[stretch] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1658
NOTE: https://gitlab.gnome.org/GNOME/glib/merge_requests/450
......@@ -11710,7 +11712,7 @@ CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 co
NOT-FOR-US: OpenText Brava!
CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...)
- enigmail 2:2.0.11+ds1-1 (bug #929363)
[buster] - enigmail <no-dsa> (Issue can be fixed via point release)
[buster] - enigmail 2:2.0.12+ds1-1~deb10u1
[stretch] - enigmail <no-dsa> (Issue can be fixed via point release)
[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
NOTE: https://sourceforge.net/p/enigmail/bugs/983/
......@@ -11821,70 +11823,70 @@ CVE-2019-12223 (An issue was discovered in NVR WebViewer on Hanwah Techwin SRN-4
CVE-2019-12222 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4621
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4628
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4627
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4625
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4620
NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4626
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4619
NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
......@@ -11912,13 +11914,13 @@ CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to th
NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
CVE-2019-12210 (In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug ...)
- pam-u2f 1.0.8-1 (low; bug #930023)
[buster] - pam-u2f <no-dsa> (Minor issue)
[buster] - pam-u2f 1.0.7-1+deb10u1
[stretch] - pam-u2f <no-dsa> (Minor issue)
NOTE: https://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62
NOTE: https://www.openwall.com/lists/oss-security/2019/06/05/1
CVE-2019-12209 (Yubico pam-u2f 1.0.7 attempts parsing of the configured authfile (defa ...)
- pam-u2f 1.0.8-1 (low; bug #930021)
[buster] - pam-u2f <no-dsa> (Minor issue)
[buster] - pam-u2f 1.0.7-1+deb10u1
[stretch] - pam-u2f <no-dsa> (Minor issue)
NOTE: https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
NOTE: https://www.openwall.com/lists/oss-security/2019/06/05/1
......@@ -13104,7 +13106,7 @@ CVE-2019-11729 (Empty or malformed p256-ECDH public keys may trigger a segmentat
[buster] - thunderbird 1:60.8.0-1~deb10u1
[stretch] - thunderbird 1:60.8.0-1~deb9u1
- nss 2:3.45-1
[buster] - nss <no-dsa> (Minor issue)
[buster] - nss 2:3.42.1-1+deb10u1
[stretch] - nss <no-dsa> (Minor issue)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11729
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729
......@@ -13120,7 +13122,7 @@ CVE-2019-11728 (The HTTP Alternative Services header, Alt-Svc, can be used by a
CVE-2019-11727 (A vulnerability exists where it possible to force Network Security Ser ...)
- firefox 68.0-1 (unimportant)
- nss 2:3.45-1
[buster] - nss <no-dsa> (Minor issue)
[buster] - nss 2:3.42.1-1+deb10u1
[stretch] - nss <no-dsa> (Minor issue)
[jessie] - nss <ignored> (Issue is specific to TLS 1.3 and support was not really complete in 3.26; code has diverged significantly since and applying the fix would be very disruptive)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11727
......@@ -13157,7 +13159,7 @@ CVE-2019-11719 (When importing a curve25519 private key in PKCS#8format with lea
[buster] - thunderbird 1:60.8.0-1~deb10u1
[stretch] - thunderbird 1:60.8.0-1~deb9u1
- nss 2:3.45-1
[buster] - nss <no-dsa> (Minor issue)
[buster] - nss 2:3.42.1-1+deb10u1
[stretch] - nss <no-dsa> (Minor issue)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11719
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719
......@@ -14677,10 +14679,10 @@ CVE-2019-11188
CVE-2019-11187 (Incorrect Access Control in the LDAP class of GONICUS GOsa through 201 ...)
{DLA-1876-1 DLA-1875-1}
- fusiondirectory 1.2.3-5
[buster] - fusiondirectory <no-dsa> (Minor issue)
[buster] - fusiondirectory 1.2.3-4+deb10u1
[stretch] - fusiondirectory <no-dsa> (Minor issue)
- gosa 2.7.4+reloaded3-9
[buster] - gosa <no-dsa> (Minor issue)
[buster] - gosa 2.7.4+reloaded3-8+deb10u1
[stretch] - gosa <no-dsa> (Minor issue)
CVE-2019-11186
RESERVED
......@@ -14940,7 +14942,7 @@ CVE-2019-11069 (Sequelize version 5 before 5.3.0 does not properly ensure that s
CVE-2019-11068 (libxslt through 1.1.33 allows bypass of a protection mechanism because ...)
{DLA-1756-1}
- libxslt 1.1.32-2.1 (bug #926895; bug #933743)
[buster] - libxslt <no-dsa> (Minor issue)
[buster] - libxslt 1.1.32-2.1~deb10u1
[stretch] - libxslt <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libxslt/issues/12
NOTE: https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
......@@ -15813,7 +15815,7 @@ CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower
TODO: check
CVE-2019-10746 (mixin-deep is vulnerable to Prototype Pollution in versions before 1.3 ...)
- node-mixin-deep 2.0.1-1 (bug #932500)
[buster] - node-mixin-deep <no-dsa> (Minor issue; will be fixed via point release)
[buster] - node-mixin-deep 1.1.3-3+deb10u1
[stretch] - node-mixin-deep <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212
NOTE: https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9
......@@ -15822,7 +15824,7 @@ CVE-2019-10745 (assign-deep is vulnerable to Prototype Pollution in versions bef
TODO: check
CVE-2019-10744 (Versions of lodash lower than 4.17.12 are vulnerable to Prototype Poll ...)
- node-lodash 4.17.15+dfsg-1 (bug #933079)
[buster] - node-lodash <no-dsa> (Minor issue; can be fixed in point release)
[buster] - node-lodash 4.17.11+dfsg-2+deb10u1
[stretch] - node-lodash <ignored> (Nodejs in stretch not covered by security support)
[jessie] - node-lodash <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-450202
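Review bot: The context line `[jessie] - node-lodash <ignored> (Nodejs in stretch not covered by security support)` gives a stretch rationale on the jessie entry; while this block is being touched, the reason text should name jessie. The new buster line `[buster] - node-lodash 4.17.11+dfsg-2+deb10u1` itself is consistent with the other +deb10u1 entries in this change.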
......@@ -19152,7 +19154,7 @@ CVE-2019-9824 (tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.
- qemu 1:3.1+dfsg-6
- qemu-kvm <removed>
- slirp4netns 0.3.1-1
[buster] - slirp4netns <no-dsa> (Will be fixed via 10.1 point release)
[buster] - slirp4netns 0.2.3-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg01871.html
NOTE: https://www.openwall.com/lists/oss-security/2019/03/18/1
NOTE: https://github.com/qemu/qemu/commit/d3222975c7d6cda9e25809dea05241188457b113
......@@ -22298,7 +22300,7 @@ CVE-2019-8696 [stack-buffer-overflow in libcups's asn1_get_packed function]
RESERVED
{DLA-1893-1}
- cups 2.2.12-1 (bug #934957)
[buster] - cups <no-dsa> (Minor issue, can be fixed via point release)
[buster] - cups 2.2.10-6+deb10u1
[stretch] - cups <no-dsa> (Minor issue, can be fixed via point release)
NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109
CVE-2019-8695
......@@ -22358,7 +22360,7 @@ CVE-2019-8675 [stack-buffer-overflow in libcups's asn1_get_type function]
RESERVED
{DLA-1893-1}
- cups 2.2.12-1 (bug #934957)
[buster] - cups <no-dsa> (Minor issue, can be fixed via point release)
[buster] - cups 2.2.10-6+deb10u1
[stretch] - cups <no-dsa> (Minor issue, can be fixed via point release)
NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109
CVE-2019-8674
......@@ -24822,10 +24824,10 @@ CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
NOTE: https://hg.libsdl.org/SDL/rev/7c643f1c1887 (SDL-2)
......@@ -31390,11 +31392,11 @@ CVE-2019-5059 (An exploitable code execution vulnerability exists in the XPM ima
NOTE: https://hg.libsdl.org/SDL_image/rev/95fc7da55247
CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF image re ...)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
[jessie] - libsdl2-image 2.0.0+dfsg-3+deb8u2
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
[jessie] - sdl-image1.2 1.2.12-5+deb8u2
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0842
......@@ -31402,11 +31404,11 @@ CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF ima
NOTE: CVE-2019-5058 can be considered a CVE for an incomplete fix for CVE-2018-3977.
CVE-2019-5057 (An exploitable code execution vulnerability exists in the PCX image-re ...)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
[jessie] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed> (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
[jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0841
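Review bot: In the CVE-2019-5057 block, `- sdl-image1.2 <unfixed> (bug #932755)` still marks unstable as unfixed while the new line `[buster] - sdl-image1.2 1.2.12-10+deb10u1` marks buster as fixed. Every other sdl-image1.2 entry in this change lists `1.2.12-11` for unstable with the same bug number, so check whether 1.2.12-11 also fixes CVE-2019-5057 and update the unstable line; otherwise the tracker will show the stable point update ahead of sid for this CVE.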
......@@ -31422,20 +31424,20 @@ CVE-2019-5053
CVE-2019-5052 (An exploitable integer overflow vulnerability exists when loading a PC ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0821
NOTE: https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
CVE-2019-5051 (An exploitable heap-based buffer overflow vulnerability exists when lo ...)
{DLA-1865-1 DLA-1861-1}
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0820
NOTE: https://hg.libsdl.org/SDL_image/rev/e7e9786a1a34
......@@ -38007,7 +38009,7 @@ CVE-2019-2806
RESERVED
CVE-2019-2805 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
......@@ -38124,7 +38126,7 @@ CVE-2019-2759 (Vulnerability in the Oracle Outside In Technology component of Or
NOT-FOR-US: Oracle
CVE-2019-2758 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
......@@ -38169,14 +38171,14 @@ CVE-2019-2741 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2740 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2739 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
......@@ -38186,7 +38188,7 @@ CVE-2019-2738 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2737 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 <no-dsa> (Minor issue; can be fixed in point release)
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
- mysql-5.7 <unfixed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
CVE-2019-13179
[buster] - calamares-settings-debian 10.0.20-1+deb10u1
CVE-2019-13232
[buster] - unzip 6.0-23+deb10u1
CVE-2019-12209
[buster] - pam-u2f 1.0.7-1+deb10u1
CVE-2019-12210
[buster] - pam-u2f 1.0.7-1+deb10u1
CVE-2019-10746
[buster] - node-mixin-deep 1.1.3-3+deb10u1
CVE-2019-5052
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-5051
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-7635
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-12216
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-12217
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-12218
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-12219
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-12220
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-12221
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-12222
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-5057
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-5058
[buster] - libsdl2-image 2.0.4+dfsg1-1+deb10u1
[buster] - sdl-image1.2 1.2.12-10+deb10u1
CVE-2019-14275
[buster] - fig2dev 1:3.2.7a-5+deb10u1
CVE-2019-13012
[buster] - glib2.0 2.58.3-2+deb10u1
CVE-2019-13173
[buster] - node-fstream 1.0.10-1+deb10u1
CVE-2019-14267
[buster] - pdfresurrect 0.15-2+deb10u1
CVE-2019-12625
[buster] - clamav 0.101.4+dfsg-0+deb10u1
CVE-2019-12900
[buster] - clamav 0.101.4+dfsg-0+deb10u1
CVE-2019-1020014
[buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1
CVE-2019-2737
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
CVE-2019-2739
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
CVE-2019-2740
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
CVE-2019-2758
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
CVE-2019-2805
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
CVE-2019-11068
[buster] - libxslt 1.1.32-2.1~deb10u1
CVE-2019-13117
[buster] - libxslt 1.1.32-2.1~deb10u1
CVE-2019-13118
[buster] - libxslt 1.1.32-2.1~deb10u1
CVE-2019-11187
[buster] - fusiondirectory 1.2.3-4+deb10u1
[buster] - gosa 2.7.4+reloaded3-8+deb10u1
CVE-2019-13057
[buster] - openldap 2.4.47+dfsg-3+deb10u1
CVE-2019-13565
[buster] - openldap 2.4.47+dfsg-3+deb10u1
CVE-2019-10744
[buster] - node-lodash 4.17.11+dfsg-2+deb10u1
CVE-2019-12827
[buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
CVE-2019-13161
[buster] - asterisk 1:16.2.1~dfsg-1+deb10u1
CVE-2019-8696
[buster] - cups 2.2.10-6+deb10u1
CVE-2019-8675
[buster] - cups 2.2.10-6+deb10u1
CVE-2019-12269
[buster] - enigmail 2:2.0.12+ds1-1~deb10u1
CVE-2019-13486
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-13485
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-13484
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-13455
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-13273
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-13274
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-13451
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-13452
[buster] - xymon 4.3.28-5+deb10u1
CVE-2019-9824
[buster] - slirp4netns 0.2.3-1
CVE-2019-14378
[buster] - slirp4netns 0.2.3-1
CVE-2019-11719
[buster] - nss 2:3.42.1-1+deb10u1
CVE-2019-11727
[buster] - nss 2:3.42.1-1+deb10u1
CVE-2019-11729
[buster] - nss 2:3.42.1-1+deb10u1
CVE-2019-13173
[buster] - node-fstream 1.0.10-1+deb10u1
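Review bot: The trailing block of CVE and buster-version pairs lists `CVE-2019-13173` / `[buster] - node-fstream 1.0.10-1+deb10u1` twice (once after CVE-2019-13012 and again as the last two lines); the duplicate should be collapsed to a single entry. Three entries in that block, CVE-2019-13173 (node-fstream), CVE-2019-14267 (pdfresurrect) and CVE-2019-1020014 (golang-github-docker-docker-credential-helpers), have no corresponding hunk in the CVE list above, so confirm those CVE entries already record the +deb10u1 buster version (or add the missing hunks) so the two files stay in sync.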