Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
55001d9c by Ola Lundqvist at 2022-07-11T23:23:41+02:00
Wrote a script to bulk add EOL entries for LTS buster.
- - - - -
b4c0adda by Ola Lundqvist at 2022-07-11T23:23:43+02:00
Bulk added EOL entries for ckeditor3 for LTS buster.
- - - - -
141f38d2 by Ola Lundqvist at 2022-07-11T23:23:44+02:00
Bulk added almost 70 EOL entries for gpac in LTS buster.
- - - - -
a577308d by Ola Lundqvist at 2022-07-11T23:23:45+02:00
Bulk added EOL for 3 CVEs for libspring-java in buster LTS.
- - - - -
d3c2727d by Ola Lundqvist at 2022-07-11T23:23:46+02:00
Bulk added EOL for 2 CVEs for node-tar in buster LTS.
- - - - -
58366339 by Ola Lundqvist at 2022-07-11T23:23:48+02:00
Bulk added EOL for 2 CVEs for node-url-parse in buster LTS.
- - - - -
021ec750 by Ola Lundqvist at 2022-07-11T23:23:48+02:00
One correction to the eol bulk add script. Also simplified the output to make
it less verbose.
- - - - -
22d9f630 by Ola Lundqvist at 2022-07-11T23:23:49+02:00
Bulk added EOL for 12 CVEs for nodejs in buster LTS.
- - - - -
2 changed files:
- + bin/lts-auto-eol
- data/CVE/list
Changes:
=====================================
bin/lts-auto-eol
=====================================
@@ -0,0 +1,68 @@
+#!/usr/bin/perl
+use File::Copy;
+my $pkg = $ARGV[0];
+shift @ARGV;
+while (my $cve = shift @ARGV) {
+ &addEol($pkg, $cve);
+}
+exit;
+
+sub addEol {
+ my ($pkg, $cve) = @_;
+# print "Searching for $cve\n";
+ # Mode
+ # d - default
+ # c - cve found
+ # p - pkg found
+ # e - eol printed, just continue to end of file as we are done
+ my $mode = "d";
+ open IF, "data/CVE/list";
+ open OF, ">data/CVE/list.x";
+ while (my $line = <IF>) {
+ if ($mode eq "e") {
+ print OF $line;
+ next;
+ }
+ if ($mode eq "d") {
+ if ($line =~ /$cve\s/) {
+# print " CVE $cve found\n";
+ $mode = "c";
+ print OF $line;
+ next;
+ }
+ }
+ if ($mode eq "c") {
+ if ($line =~ /^\s+- $pkg\s/) {
+ $mode = "p";
+# print " Package $pkg found\n";
+ print OF $line;
+ next;
+ }
+ }
+ if ($mode eq "p") {
+ if ($line =~ /^\s+\[buster\] - $pkg\s/) {
+ $mode = "e";
+ print "Existing LTS line found, skipping: $line";
+ print OF $line;
+ next;
+ }
+ if ($line =~ /^\s+\[bullseye\] - $pkg\s/ ||
+ $line =~ /^\s+\[bookworm\] - $pkg\s/ ||
+ $line =~ /^\s+\[trixie\] - $pkg\s/) {
+ # skipping through other distribution info
+ print OF $line;
+ next;
+ }
+ # End of package entry add EOL
+ print "EOL $cve for $pkg added.\n";
+ print OF "\t[buster] - $pkg <end-of-life> (No longer supported in
LTS buster)\n";
+ print OF $line;
+ $mode = "e";
+ next;
+ }
+ print OF $line;
+ }
+ close IF;
+ close OF;
+ move ("data/CVE/list.x", "data/CVE/list");
+}
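Review bot: the two-argument `open IF, "data/CVE/list";` and `open OF, ">data/CVE/list.x";` are unchecked, and every call to addEol ends with `move ("data/CVE/list.x", "data/CVE/list");` regardless of what happened before, so running the script from any directory other than the tracker root, or with the list unreadable for any other reason, leaves IF unopened, writes an empty list.x and then replaces the real CVE list with that empty file. Use lexical three-argument opens that abort on failure, e.g. `open(my $in, '<', 'data/CVE/list') or die "cannot open data/CVE/list: $!";`, and add `use strict; use warnings;` after the shebang. In the same sub, the match `if ($line =~ /$cve\s/)` is neither anchored nor quoted, so any line (a NOTE, for instance) that mentions the same CVE id followed by whitespace switches the state machine to "c" at the wrong entry, and `$pkg` is interpolated unescaped into the `- $pkg\s` patterns, which misbehaves for package names containing regex metacharacters such as `+`; `/^\Q$cve\E\s/` and `\Q$pkg\E` fix both. Finally, the state machine never resets: if the CVE is found but no `- $pkg` line follows before the next `CVE-` header, mode stays "c" and the EOL line is attached to the next later entry that lists the package, and if the CVE is never found the file is rewritten unchanged without any message. Treating a line matching `/^CVE-/` in mode "c" as an error (mode "p" already handles it as the end of the entry) and warning when the loop finishes with `$mode ne "e"` would make both failures visible.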
=====================================
data/CVE/list
=====================================
@@ -8600,6 +8600,7 @@ CVE-2022-32216
CVE-2022-32215 [HTTP Request Smuggling - Incorrect Parsing of Multi-line
Transfer-Encoding]
RESERVED
- nodejs <unfixed>
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
- llhttp <itp> (bug #977716)
NOTE:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215
NOTE:
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
(v14.x)
@@ -8607,6 +8608,7 @@ CVE-2022-32215 [HTTP Request Smuggling - Incorrect
Parsing of Multi-line Transfe
CVE-2022-32214 [HTTP Request Smuggling - Improper Delimiting of Header Fields]
RESERVED
- nodejs <unfixed>
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
- llhttp <itp> (bug #977716)
NOTE:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-improper-delimiting-of-header-fields-medium-cve-2022-32214
NOTE:
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
(v14.x)
@@ -8614,6 +8616,7 @@ CVE-2022-32214 [HTTP Request Smuggling - Improper
Delimiting of Header Fields]
CVE-2022-32213 [HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding]
RESERVED
- nodejs <unfixed>
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
- llhttp <itp> (bug #977716)
NOTE:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213
NOTE:
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
(v14.x)
@@ -8621,6 +8624,7 @@ CVE-2022-32213 [HTTP Request Smuggling - Flawed Parsing
of Transfer-Encoding]
CVE-2022-32212
RESERVED
- nodejs <unfixed>
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
NOTE:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-ip-addresses-high-cve-2022-32212
NOTE:
https://github.com/nodejs/node/commit/48c5aa5cab718d04473fa2761d532657c84b8131
(v14.x)
NOTE:
https://github.com/nodejs/node/commit/1aa5036c31ac2a9b2a2528af454675ad412f1464
(main)
@@ -12052,6 +12056,7 @@ CVE-2022-1796 (Use After Free in GitHub repository
vim/vim prior to 8.2.4979. ..
NOTE: Crash in CLI tool, no security impact
CVE-2022-1795 (Use After Free in GitHub repository gpac/gpac prior to
v2.1.0-DEV. ...)
- gpac <unfixed>
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/9c312763-41a6-4fc7-827b-269eb86efcbc
NOTE:
https://github.com/gpac/gpac/commit/c535bad50d5812d27ee5b22b54371bddec411514
@@ -12110,6 +12115,7 @@ CVE-2022-1776 (The Popups, Welcome Bar, Optins and Lead
Generation Plugin WordPr
NOT-FOR-US: WordPress plugin
CVE-2022-30976 (GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed
gf_utf8_wcsl ...)
- gpac <unfixed>
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2179
NOTE:
https://github.com/gpac/gpac/commit/915e2cba715f36b7cc29e28888117831ca143d78
@@ -16301,6 +16307,7 @@ CVE-2022-29593
RESERVED
CVE-2022-1441 (MP4Box is a component of GPAC-2.0.0, which is a widely-used
third-part ...)
- gpac <unfixed>
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2175
NOTE:
https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb
@@ -19169,6 +19176,7 @@ CVE-2022-1223 (Improper Access Control in GitHub
repository phpipam/phpipam prio
- phpipam <itp> (bug #731713)
CVE-2022-1222 (Inf loop in GitHub repository gpac/gpac prior to 2.1.0-DEV. ...)
- gpac <unfixed>
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/f8cb85b8-7ff3-47f1-a9a6-7080eb371a3d
NOTE:
https://github.com/gpac/gpac/commit/7f060bbb72966cae80d6fee338d0b07fa3fc06e1
@@ -23035,6 +23043,7 @@ CVE-2022-1036 (Able to create an account with long
password leads to memory corr
NOT-FOR-US: microweber
CVE-2022-1035 (Segmentation Fault caused by MP4Box -lsr in GitHub repository
gpac/gpa ...)
- gpac <unfixed>
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/851942a4-1d64-4553-8fdc-9fccd167864b
NOTE:
https://github.com/gpac/gpac/commit/3718d583c6ade191dc7979c64f48c001ca6f0243
@@ -23605,21 +23614,25 @@ CVE-2022-27149
REJECTED
CVE-2022-27148 (GPAC mp4box 1.1.0-DEV-rev1663-g881c6a94a-master is vulnerable
to Integ ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2067
NOTE:
https://github.com/gpac/gpac/commit/0cd19f4db70615d707e0e6202933c2ea0c1d36df
(v2.0.0)
CVE-2022-27147 (GPAC mp4box 1.1.0-DEV-rev1727-g8be34973d-master has a
use-after-free v ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2109
NOTE:
https://github.com/gpac/gpac/commit/9723dd0955894f2cb7be13b94cf7a47f2754b893
(v2.0.0)
CVE-2022-27146 (GPAC mp4box 1.1.0-DEV-rev1759-geb2d1e6dd-has a
heap-buffer-overflow vu ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2120
NOTE:
https://github.com/gpac/gpac/commit/f0a41d178a2dc5ac185506d9fa0b0a58356b16f7
(v2.0.0)
CVE-2022-27145 (GPAC mp4box 1.1.0-DEV-rev1727-g8be34973d-master has a
stack-overflow v ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE:
https://github.com/gpac/gpac/commit/d7daa8aeb6df4b6c3ec102622e1599279310a19e
(v2.0.0)
NOTE: https://github.com/gpac/gpac/issues/2108
@@ -28311,6 +28324,7 @@ CVE-2022-0692 (Open Redirect on Rudloff/alltube in
Packagist rudloff/alltube pri
CVE-2022-0691 (Authorization Bypass Through User-Controlled Key in NPM
url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
[bullseye] - node-url-parse 1.5.3-1+deb11u1
+ [buster] - node-url-parse <end-of-life> (No longer supported in LTS
buster)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered
by security support)
NOTE: https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
NOTE:
https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63
(1.5.9)
@@ -28330,6 +28344,7 @@ CVE-2022-0687 (The Amelia WordPress plugin before
1.0.47 stores image blobs into
CVE-2022-0686 (Authorization Bypass Through User-Controlled Key in NPM
url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
[bullseye] - node-url-parse 1.5.3-1+deb11u1
+ [buster] - node-url-parse <end-of-life> (No longer supported in LTS
buster)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered
by security support)
NOTE: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
NOTE:
https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5
(1.5.8)
@@ -30390,11 +30405,13 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps
continuous delivery tool for Ku
CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML
editor. ...)
- ckeditor <unfixed>
- ckeditor3 <unfixed>
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE:
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML
editor. ...)
- ckeditor <unfixed>
- ckeditor3 <unfixed>
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE:
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89
NOTE:
https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949
(4.18.0)
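Review bot: in both CVE-2022-24729 and CVE-2022-24728 the preceding `- ckeditor <unfixed>` line carries no buster annotation, so buster still shows as affected for these two CVEs through the ckeditor source package after this change; CVE-2021-41165 further down in this diff has `[buster] - ckeditor <no-dsa> (Minor issue)`, so if the same assessment applies here the ckeditor lines would want a matching annotation. Out of scope for a ckeditor3 bulk run, but worth a follow-up.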
@@ -30966,28 +30983,33 @@ CVE-2022-24579
RESERVED
CVE-2022-24578 (GPAC 1.0.1 is affected by a heap-based buffer overflow in
SFS_AddStrin ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/1691cca3-ab54-4259-856b-751be2395b11/
NOTE:
https://github.com/gpac/gpac/commit/b5741da08e88e8dcc8da0a7669b92405b9862850
(v2.0.0)
CVE-2022-24577 (GPAC 1.0.1 is affected by a NULL pointer dereference in
gf_utf8_wcslen ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/0758b3a2-8ff2-45fc-8543-7633d605d24e/
NOTE:
https://github.com/gpac/gpac/commit/586e817dcd531bb3e75438390f1f753cfe6e940a
(v2.0.0)
CVE-2022-24576 (GPAC 1.0.1 is affected by Use After Free through MP4Box. ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2061
NOTE: https://huntr.dev/bounties/011ac07c-6139-4f43-b745-424143e60ac7/
NOTE:
https://github.com/gpac/gpac/commit/96699aabae042f8f55cf8a85fa5758e3db752bae
(v2.0.0)
CVE-2022-24575 (GPAC 1.0.1 is affected by a stack-based buffer overflow
through MP4Box ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/2058
NOTE: https://huntr.dev/bounties/1d9bf402-f756-4583-9a1d-436722609c1e/
NOTE:
https://github.com/gpac/gpac/commit/b13e9986aa1134c764b0d84f0f66328429b9c2eb
(v2.0.0)
CVE-2022-24574 (GPAC 1.0.1 is affected by a NULL pointer dereference in
gf_dump_vrml_f ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://huntr.dev/bounties/a08437cc-25aa-4116-8069-816f78a2247c/
NOTE: https://github.com/gpac/gpac/issues/2055
@@ -36777,10 +36799,12 @@ CVE-2022-22972 (VMware Workspace ONE Access, Identity
Manager and vRealize Autom
NOT-FOR-US: VMware
CVE-2022-22971 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and
old unsupp ...)
- libspring-java <unfixed>
+ [buster] - libspring-java <end-of-life> (No longer supported in LTS
buster)
[stretch] - libspring-java <end-of-life> (No longer supported in LTS)
NOTE: https://tanzu.vmware.com/security/cve-2022-22971
CVE-2022-22970 (In spring framework versions prior to 5.3.20+ , 5.2.22+ and
old unsupp ...)
- libspring-java <unfixed>
+ [buster] - libspring-java <end-of-life> (No longer supported in LTS
buster)
[stretch] - libspring-java <end-of-life> (No longer supported in LTS)
NOTE: https://tanzu.vmware.com/security/cve-2022-22970
CVE-2022-22969 (<Issue Description> Spring Security OAuth versions 2.5.x
prior t ...)
@@ -40316,6 +40340,7 @@ CVE-2021-45832 (A Stack-based Buffer Overflow
Vulnerability exists in HDF5 1.13.
NOTE: Negligible security impact, malicous scientific data has more
issues than a crash...
CVE-2021-45831 (A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1
in MP4Bo ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1990
NOTE:
https://github.com/gpac/gpac/commit/4613a35362e15a6df90453bd632d083645e5a765
(v2.0.0)
@@ -42123,11 +42148,13 @@ CVE-2021-45293 (A Denial of Service vulnerability
exists in Binaryen 103 due to
NOTE: Crash in CLI tool, no security impact
CVE-2021-45292 (The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows
attackers to c ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1958
NOTE:
https://github.com/gpac/gpac/commit/3dafcb5e71e9ffebb50238784dcad8b105da81f6
(v2.0.0)
CVE-2021-45291 (The gf_dump_setup function in GPAC 1.0.1 allows malicoius
users to cau ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1955
NOTE:
https://github.com/gpac/gpac/commit/a07c64979af592aad56bc175157b7397e43fa9cc
(v2.0.0)
@@ -42139,11 +42166,13 @@ CVE-2021-45290 (A Denial of Service vulnerability
exits in Binaryen 103 due to a
NOTE: Crash in CLI tool, no security impact
CVE-2021-45289 (A vulnerability exists in GPAC 1.0.1 due to an omission of
security-re ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1972
NOTE:
https://github.com/gpac/gpac/commit/5e1f084e0c6ad2736c9913715c4abb57c554209d
(v2.0.0)
CVE-2021-45288 (A Double Free vulnerability exists in filedump.c in GPAC
1.0.1, which ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1956
NOTE:
https://github.com/gpac/gpac/commit/9bbce9634cba1128aa4b96d590be578ae3ce80b3
(v2.0.0)
@@ -42189,11 +42218,13 @@ CVE-2021-45268 (** DISPUTED ** A Cross Site Request
Forgery (CSRF) vulnerability
NOT-FOR-US: Backdrop CMS
CVE-2021-45267 (An invalid memory address dereference vulnerability exists in
gpac 1.1 ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1965
NOTE:
https://github.com/gpac/gpac/commit/29f31f431b18278b94c659452562e8a027436487
(v2.0.0)
CVE-2021-45266 (A null pointer dereference vulnerability exists in gpac 1.1.0
via the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1985
NOTE:
https://github.com/gpac/gpac/commit/76b9e3f578a056fee07a4b317f5b36a83d01810e
(v2.0.0)
@@ -42203,11 +42234,13 @@ CVE-2021-45264
RESERVED
CVE-2021-45263 (An invalid free vulnerability exists in gpac 1.1.0 via the
gf_svg_dele ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1975
NOTE:
https://github.com/gpac/gpac/commit/b232648da3b111a0efe500501ee8ca8f32b616e9
(v2.0.0)
CVE-2021-45262 (An invalid free vulnerability exists in gpac 1.1.0 via the
gf_sg_comma ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1980
NOTE:
https://github.com/gpac/gpac/commit/ef86a8eba3b166b885dec219066dd3a47501e03a
(v2.0.0)
@@ -43612,53 +43645,63 @@ CVE-2021-44928
RESERVED
CVE-2021-44927 (A null pointer dereference vulnerability exists in gpac 1.1.0
in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1960
NOTE:
https://github.com/gpac/gpac/commit/eaea647cc7dec7b452c17e72f4ce46be35348c92
(v2.0.0)
CVE-2021-44926 (A null pointer dereference vulnerability exists in gpac
1.1.0-DEV in t ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1961
NOTE:
https://github.com/gpac/gpac/commit/f73da86bf32992f62b9ff2b9c9e853e3c97edf8e
(v2.0.0)
CVE-2021-44925 (A null pointer dereference vulnerability exists in gpac 1.1.0
in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1967
NOTE:
https://github.com/gpac/gpac/commit/a5a8dbcdd95666f763fe59ab65154ae9271a18f2
(v2.0.0)
CVE-2021-44924 (An infinite loop vulnerability exists in gpac 1.1.0 in the
gf_log func ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1959
NOTE:
https://github.com/gpac/gpac/commit/e2acb1511d1e69115141ea3080afd1cce6a15497
(v2.0.0)
CVE-2021-44923 (A null pointer dereference vulnerability exists in gpac 1.1.0
in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1962
NOTE:
https://github.com/gpac/gpac/commit/8a3c021109d26894c3cb85c9d7cda5780a3a2229
(v2.0.0)
CVE-2021-44922 (A null pointer dereference vulnerability exists in gpac 1.1.0
in the B ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1969
NOTE: https://github.com/gpac/gpac/issues/1968
NOTE:
https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a
(v2.0.0)
CVE-2021-44921 (A null pointer dereference vulnerability exists in gpac 1.1.0
in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1964
NOTE:
https://github.com/gpac/gpac/commit/5b4a6417a90223f1ef6c0b41b055716f7bfbbca2
(v2.0.0)
CVE-2021-44920 (An invalid memory address dereference vulnerability exists in
gpac 1.1 ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1957
NOTE:
https://github.com/gpac/gpac/commit/339fe399e7c8eab748bab76e9e6a9da7e117eeb4
(v2.0.0)
CVE-2021-44919 (A Null Pointer Dereference vulnerability exists in the
gf_sg_vrml_mf_a ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1963
NOTE: https://github.com/gpac/gpac/issues/1962
NOTE:
https://github.com/gpac/gpac/commit/8a3c021109d26894c3cb85c9d7cda5780a3a2229
(v2.0.0)
CVE-2021-44918 (A Null Pointer Dereference vulnerability exists in gpac 1.1.0
in the g ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1968
NOTE:
https://github.com/gpac/gpac/commit/75474199cf7187868fa4be4e76377db3c659ee9a
(v2.0.0)
@@ -44925,6 +44968,7 @@ CVE-2021-44535
CVE-2022-21824 (Due to the formatting logic of the "console.table()" function
it was n ...)
{DSA-5170-1}
- nodejs 12.22.9~dfsg-1 (bug #1004177)
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#prototype-pollution-via-console-table-properties-low-cve-2022-21824
NOTE:
https://github.com/nodejs/node/commit/be69403528da99bf3df9e1dc47186f18ba59cb5e
(v12.x)
@@ -44933,18 +44977,21 @@ CVE-2021-44534
CVE-2021-44533 (Node.js < 12.22.9, < 14.18.3, < 16.13.2, and <
17.3.1 did ...)
{DSA-5170-1}
- nodejs 12.22.9~dfsg-1 (bug #1004177)
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#incorrect-handling-of-certificate-subject-and-issuer-fields-medium-cve-2021-44533
NOTE:
https://github.com/nodejs/node/commit/8c2db2c86baff110a1d905ed1e0dd4e1c4fd2dd1
(v12.x)
CVE-2021-44532 (Node.js < 12.22.9, < 14.18.3, < 16.13.2, and <
17.3.1 conv ...)
{DSA-5170-1}
- nodejs 12.22.9~dfsg-1 (bug #1004177)
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#certificate-verification-bypass-via-string-injection-medium-cve-2021-44532
NOTE:
https://github.com/nodejs/node/commit/19873abfb24dce75ffff042efe76dc5633052677
(v12.x)
CVE-2021-44531 (Accepting arbitrary Subject Alternative Name (SAN) types,
unless a PKI ...)
{DSA-5170-1}
- nodejs 12.22.9~dfsg-1 (bug #1004177)
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#improper-handling-of-uri-subject-alternative-names-medium-cve-2021-44531
NOTE:
https://github.com/nodejs/node/commit/e0fe6a635e5929a364986a6c39dc3585b9ddcd85
(v12.x)
@@ -56797,6 +56844,7 @@ CVE-2021-41459 (There is a stack buffer overflow in
MP4Box v1.0.1 at src/filters
NOTE: Fixed by:
https://github.com/gpac/gpac/commit/7d4538e104f2b3ff6a65a41394795654e6972339
(v2.0.0)
CVE-2021-41458 (In GPAC MP4Box v1.1.0, there is a stack buffer overflow at
src/utils/e ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1910
NOTE:
https://github.com/gpac/gpac/commit/74695dea7278e78af3db467e586233fe8773c07e
(v2.0.0)
@@ -57518,6 +57566,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG
HTML editor. In affected ver
[buster] - ckeditor <no-dsa> (Minor issue)
[stretch] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed>
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE:
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7h26-63m7-qhf2
(v4.17.0)
CVE-2021-41164 (CKEditor4 is an open source WYSIWYG HTML editor. In affected
versions ...)
@@ -58105,12 +58154,14 @@ CVE-2021-40945
RESERVED
CVE-2021-40944 (In GPAC MP4Box 1.1.0, there is a Null pointer reference in the
functio ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
NOTE: https://github.com/gpac/gpac/issues/1906
NOTE:
https://github.com/gpac/gpac/commit/44fdc3d972c31c56efe73e1a3b63438d46087652
(v2.0.0)
CVE-2021-40943 (In Bento4 1.6.0-638, there is a null pointer reference in the
function ...)
NOT-FOR-US: Bento4
CVE-2021-40942 (In GPAC MP4Box v1.1.0, there is a heap-buffer-overflow in the
function ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
NOTE: https://github.com/gpac/gpac/issues/1908
NOTE:
https://github.com/gpac/gpac/commit/da37ec8582266983d0ec4b7550ec907401ec441e
(v2.0.0)
CVE-2021-40941 (In Bento4 1.6.0-638, there is an allocator is out of memory in
the fun ...)
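Review bot: the two gpac entries in this hunk, CVE-2021-40944 and CVE-2021-40942, have no `[stretch] - gpac <end-of-life>` line, unlike every other gpac entry touched by this commit, and the same holds for CVE-2021-40609 through CVE-2021-40606 in the following hunk. The script only adds the buster line, so this is pre-existing rather than introduced here, but it is worth checking whether the stretch annotation was omitted deliberately for these six entries.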
@@ -58921,18 +58972,22 @@ CVE-2021-40610 (Emlog Pro v 1.0.4 cross-site
scripting (XSS) in Emlog Pro backgr
NOT-FOR-US: emlog
CVE-2021-40609 (The GetHintFormat function in GPAC 1.0.1 allows attackers to
cause a d ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
NOTE: https://github.com/gpac/gpac/issues/1894
NOTE:
https://github.com/gpac/gpac/commit/86c1566f040b2b84c72afcb6cbd444c5aff56cfe
(v2.0.0)
CVE-2021-40608 (The gf_hinter_track_finalize function in GPAC 1.0.1 allows
attackers t ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
NOTE: https://github.com/gpac/gpac/issues/1883
NOTE:
https://github.com/gpac/gpac/commit/b09c75dc2d4bf68ac447daa71e72365aa30231a9
(v2.0.0)
CVE-2021-40607 (The schm_box_size function in GPAC 1.0.1 allows attackers to
cause a d ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
NOTE: https://github.com/gpac/gpac/issues/1879
NOTE:
https://github.com/gpac/gpac/commit/f19668964bf422cf5a63e4dbe1d3c6c75edadcbb
(v2.0.0)
CVE-2021-40606 (The gf_bs_write_data function in GPAC 1.0.1 allows attackers
to cause ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
NOTE: https://github.com/gpac/gpac/issues/1885
NOTE:
https://github.com/gpac/gpac/commit/f5a038e6893019ee471b6a57490cf7a495673816
(v2.0.0)
CVE-2021-40605
@@ -58963,6 +59018,7 @@ CVE-2021-40593
RESERVED
CVE-2021-40592 (GPAC version before commit
71460d72ec07df766dab0a4d52687529f3efcf0a (v ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE:
https://github.com/gpac/gpac/commit/71460d72ec07df766dab0a4d52687529f3efcf0a
(v2.0.0)
NOTE: https://github.com/gpac/gpac/issues/1876
@@ -59000,76 +59056,91 @@ CVE-2021-40577 (A Stored Cross Site Scripting (XSS)
vulnerability exists in Sour
NOT-FOR-US: Sourcecodester
CVE-2021-40576 (The binary MP4Box in Gpac 1.0.1 has a null pointer dereference
vulnera ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1904
NOTE:
https://github.com/gpac/gpac/commit/ad18ece95fa064efc0995c4ab2c985f77fb166ec
(v2.0.0)
CVE-2021-40575 (The binary MP4Box in Gpac 1.0.1 has a null pointer dereference
vulnera ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1905
NOTE:
https://github.com/gpac/gpac/commit/5f2c2a16d30229b6241f02fa28e3d6b810d64858
(v2.0.0)
CVE-2021-40574 (The binary MP4Box in Gpac 1.0.1 has a double-free
vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1897
NOTE:
https://github.com/gpac/gpac/commit/30ac5e5236b790accd1f25347eebf2dc8c6c1bcb
(v2.0.0)
CVE-2021-40573 (The binary MP4Box in Gpac 1.0.1 has a double-free
vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1891
NOTE:
https://github.com/gpac/gpac/commit/b03c9f252526bb42fbd1b87b9f5e339c3cf2390a
(v2.0.0)
CVE-2021-40572 (The binary MP4Box in Gpac 1.0.1 has a double-free bug in the
av1dmx_fi ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1893
NOTE:
https://github.com/gpac/gpac/commit/7bb1b4a4dd23c885f9db9f577dfe79ecc5433109
(v2.0.0)
CVE-2021-40571 (The binary MP4Box in Gpac 1.0.1 has a double-free
vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1895
NOTE:
https://github.com/gpac/gpac/commit/a69b567b8c95c72f9560c873c5ab348be058f340
(v2.0.0)
CVE-2021-40570 (The binary MP4Box in Gpac 1.0.1 has a double-free
vulnerability in the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1899
NOTE:
https://github.com/gpac/gpac/commit/04dbf08bff4d61948bab80c3f9096ecc60c7f302
(v2.0.0)
CVE-2021-40569 (The binary MP4Box in Gpac through 1.0.1 has a double-free
vulnerabilit ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1890
NOTE:
https://github.com/gpac/gpac/commit/b03c9f252526bb42fbd1b87b9f5e339c3cf2390a
(v2.0.0)
CVE-2021-40568 (A buffer overflow vulnerability exists in Gpac through 1.0.1
via a mal ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1900
NOTE:
https://github.com/gpac/gpac/commit/f1ae01d745200a258cdf62622f71754c37cb6c30
(v2.0.0)
CVE-2021-40567 (Segmentation fault vulnerability exists in Gpac through 1.0.1
via the ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1889
NOTE:
https://github.com/gpac/gpac/commit/f5a038e6893019ee471b6a57490cf7a495673816
(v2.0.0)
CVE-2021-40566 (A Segmentation fault casued by heap use after free
vulnerability exist ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1887
NOTE:
https://github.com/gpac/gpac/commit/96047e0e6166407c40cc19f4e94fb35cd7624391
(v2.0.0)
CVE-2021-40565 (A Segmentation fault caused by a null pointer dereference
vulnerabilit ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1902
NOTE:
https://github.com/gpac/gpac/commit/893fb99b606eebfae46cde151846a980e689039b
(v2.0.0)
CVE-2021-40564 (A Segmentation fault caused by null pointer dereference
vulnerability ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1898
NOTE:
https://github.com/gpac/gpac/commit/cf6771c857eb9a290e2c19ddacfdd3ed98b27618
(v2.0.0)
CVE-2021-40563 (A Segmentation fault exists casued by null pointer dereference
exists ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1892
NOTE:
https://github.com/gpac/gpac/commit/5ce0c906ed8599d218036b18b78e8126a496f137
(v2.0.0)
CVE-2021-40562 (A Segmentation fault caused by a floating point exception
exists in Gp ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1901
NOTE:
https://github.com/gpac/gpac/commit/5dd71c7201a3e5cf40732d585bfb21c906c171d3
(v2.0.0)
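Review bot: the new `[buster]` line is consistently inserted between the fixed-version line (`- gpac 2.0.0+dfsg1-2`) and the existing `[stretch]` annotation throughout this run, which keeps the tracker's newest-release-first ordering, so the placement is right; what the hunk does not carry is any signal to users, and every entry in this series is a memory-safety bug in MP4Box (double-free, heap use-after-free, heap buffer overflow, NULL dereference) that buster will now never receive a fix for. Consider pairing this tracker change with the corresponding end-of-support record that debian-security-support reads for buster and with an LTS announcement, so that systems with gpac installed are actually warned; the annotation text itself ("No longer supported in LTS buster") needs no change.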
@@ -59079,6 +59150,7 @@ CVE-2021-40560
RESERVED
CVE-2021-40559 (A null pointer deference vulnerability exists in gpac through
1.0.1 vi ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1886
NOTE:
https://github.com/gpac/gpac/commit/70607fc71a671cf48a05e013a4e411429373dce7
(v2.0.0)
@@ -66442,6 +66514,7 @@ CVE-2021-37713 (The npm package "tar" (aka node-tar)
before versions 4.4.18, 5.0
CVE-2021-37712 (The npm package "tar" (aka node-tar) before versions 4.4.18,
5.0.10, a ...)
{DSA-5008-1}
- node-tar 6.1.11+~cs11.3.10-1 (bug #993981)
+ [buster] - node-tar <end-of-life> (No longer supported in LTS buster)
[stretch] - node-tar <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
CVE-2021-37711 (Versions prior to 6.4.3.1 contain an authenticated server-side
request ...)
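Review bot: the rationale on the new buster line ("No longer supported in LTS buster") does not match the one on the stretch line directly below it ("Nodejs in stretch not covered by security support"), so a reader cannot tell whether node-tar is end-of-life in buster for the same reason (the Node.js ecosystem being excluded from security support) or for a package-specific one. If it is the ecosystem exclusion, say so, e.g. `[buster] - node-tar <end-of-life> (Nodejs in buster not covered by security support)`, so the two annotations read consistently; the same applies to the second node-tar entry and to the nodejs entries further down, which the bulk script emitted with the same generic text.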
@@ -66475,6 +66548,7 @@ CVE-2021-37702 (Pimcore is an open source data &
experience management platf
CVE-2021-37701 (The npm package "tar" (aka node-tar) before versions 4.4.16,
5.0.8, an ...)
{DSA-5008-1}
- node-tar 6.1.7+~cs11.3.10-1
+ [buster] - node-tar <end-of-life> (No longer supported in LTS buster)
[stretch] - node-tar <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
CVE-2021-37700 (@github/paste-markdown is an npm package for pasting markdown
objects. ...)
@@ -66503,6 +66577,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML
editor with rich content
[bullseye] - ckeditor <no-dsa> (Minor issue)
[buster] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed>
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE:
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
NOTE:
https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
@@ -69470,6 +69545,7 @@ CVE-2021-36418
RESERVED
CVE-2021-36417 (A heap-based buffer overflow vulnerability exists in GPAC
v1.0.1 in th ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1846
NOTE:
https://github.com/gpac/gpac/commit/737e1f39da80e02912953269966d89afd196ad30
(v2.0.0)
@@ -69479,6 +69555,7 @@ CVE-2021-36415
RESERVED
CVE-2021-36414 (A heab-based buffer overflow vulnerability exists in MP4Box in
GPAC 1. ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1840
NOTE:
https://github.com/gpac/gpac/commit/6007c7145eb0fcd29fe05b6e5983a065b42c6b21
(v2.0.0)
@@ -69486,6 +69563,7 @@ CVE-2021-36413
RESERVED
CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in
GPAC 1. ...)
- gpac 2.0.0+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1838
NOTE:
https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e
(v2.0.0)
@@ -75678,6 +75756,7 @@ CVE-2021-33829 (A cross-site scripting (XSS)
vulnerability in the HTML Data Proc
- ckeditor 4.16.0+dfsg-2
[buster] - ckeditor <no-dsa> (Minor issue)
- ckeditor3 <unfixed>
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE:
https://ckeditor.com/blog/ckeditor-4.16.1-with-accessibility-enhancements/#improvements-for-comments-in-html-parser
NOTE:
https://github.com/ckeditor/ckeditor4/commit/3e426ce34f7fc7bf784624358831ef9e189bb6ed
@@ -79706,6 +79785,7 @@ CVE-2021-32272 (An issue was discovered in faad2 before
2.10.0. A heap-buffer-ov
NOTE:
https://github.com/knik0/faad2/commit/1b71a6ba963d131375f5e489b3b25e36f19f3f24
(2_10_0)
CVE-2021-32271 (An issue was discovered in gpac through 20200801. A
stack-buffer-overf ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE:
https://github.com/gpac/gpac/commit/71f1d75eaf71f47944ddbd9356fb498ca252b19a
(v1.0.1)
NOTE: https://github.com/gpac/gpac/issues/1575
@@ -79723,6 +79803,7 @@ CVE-2021-32269 (An issue was discovered in gpac through
20200801. A NULL pointer
NOTE:
https://github.com/gpac/gpac/commit/fc4d8f594acfd97fc750403cca734671bb623afc
(v1.0.1)
CVE-2021-32268 (Buffer overflow vulnerability in function gf_fprintf in
os_file.c in g ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1587
NOTE:
https://github.com/gpac/gpac/commit/388ecce75d05e11fc8496aa4857b91245007d26e
(v1.0.1)
@@ -95317,6 +95398,7 @@ CVE-2021-26271 (It was possible to execute a ReDoS-type
attack inside CKEditor 4
[buster] - ckeditor <no-dsa> (Minor issue)
[stretch] - ckeditor <postponed> (Fix along next DLA)
- ckeditor3 <unfixed>
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE:
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
CVE-2021-26270
@@ -103160,11 +103242,13 @@ CVE-2021-22961 (A code injection vulnerability
exists within the firewall softwa
CVE-2021-22960 (The parse function in llhttp < 2.1.4 and < 6.0.6.
ignores chunk ...)
{DSA-5170-1}
- nodejs 12.22.7~dfsg-1
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-when-parsing-the-body-medium-cve-2021-22960
CVE-2021-22959 (The parser in accepts requests with a space (SP) right after
the heade ...)
{DSA-5170-1}
- nodejs 12.22.7~dfsg-1
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/#http-request-smuggling-due-to-spaced-in-headers-medium-cve-2021-22959
CVE-2021-22958 (A Server-Side Request Forgery vulnerability was found in
concrete5 < ...)
@@ -103232,6 +103316,7 @@ CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and
12.22.5 is vulnerable to a u
CVE-2021-22939 (If the Node.js https API was used incorrectly and "undefined"
was in p ...)
- nodejs 12.22.5~dfsg-1
[bullseye] - nodejs 12.22.5~dfsg-2~11u1
+ [buster] - nodejs <end-of-life> (No longer supported in LTS buster)
[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by
security support)
NOTE:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#incomplete-validation-of-rejectunauthorized-parameter-low-cve-2021-22939
CVE-2021-22938 (A vulnerability in Pulse Connect Secure before 9.1R12 could
allow an a ...)
@@ -105367,6 +105452,7 @@ CVE-2021-22061
RESERVED
CVE-2021-22060 (In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18,
and older ...)
- libspring-java <unfixed>
+ [buster] - libspring-java <end-of-life> (No longer supported in LTS
buster)
[stretch] - libspring-java <end-of-life> (EOL'd for stretch)
NOTE: follow-up to CVE-2021-22096
NOTE: https://tanzu.vmware.com/security/cve-2021-22060
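Review bot: the added line appears split in the mail (`+ [buster] - libspring-java <end-of-life> (No longer supported in LTS` followed by a bare `buster)` with no `+` marker), which is almost certainly line wrapping of one long line by the mailer rather than two lines in the file; it is still worth confirming that the committed data/CVE/list has it as a single line, since an indented `buster)` on its own would not parse as a valid annotation. Separately, the existing `NOTE: follow-up to CVE-2021-22096` means the two entries should be kept in step; check that CVE-2021-22096 carries the matching buster end-of-life annotation.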
@@ -129211,6 +129297,7 @@ CVE-2020-25428
RESERVED
CVE-2020-25427 (A Null pointer dereference vulnerability exits in MP4Box -
GPAC versio ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1406
NOTE:
https://github.com/gpac/gpac/commit/8e585e623b1d666b4ef736ed609264639cb27701
(v0.8.1)
@@ -130605,6 +130692,7 @@ CVE-2020-24830
RESERVED
CVE-2020-24829 (An issue was discovered in GPAC v0.8.0, as demonstrated by
MP4Box. It ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1422
NOTE:
https://github.com/gpac/gpac/commit/8c5e847185d74462d674ee7d28fb46c29dae6dd2
@@ -134097,6 +134185,7 @@ CVE-2020-23270
RESERVED
CVE-2020-23269 (An issue was discovered in gpac 0.8.0. The stbl_GetSampleSize
function ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1482
NOTE: fixed by fixes for related bugs, no specific commit identified
upstream
@@ -134106,6 +134195,7 @@ CVE-2020-23268
RESERVED
CVE-2020-23267 (An issue was discovered in gpac 0.8.0. The
gf_hinter_track_process fun ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE: https://github.com/gpac/gpac/issues/1479
NOTE: fixed by fixes for related bugs, no specific commit identified
upstream
@@ -134113,6 +134203,7 @@ CVE-2020-23267 (An issue was discovered in gpac
0.8.0. The gf_hinter_track_proce
NOTE:
https://github.com/gpac/gpac/commit/b286aa0cdc0cb781e96430c8777d38f066a2c9f9
(v0.9.0, v0.8.1)
CVE-2020-23266 (An issue was discovered in gpac 0.8.0. The OD_ReadUTF8String
function ...)
- gpac 1.0.1+dfsg1-2
+ [buster] - gpac <end-of-life> (No longer supported in LTS buster)
[stretch] - gpac <end-of-life> (No longer supported in LTS)
NOTE:
https://github.com/gpac/gpac/commit/47d8bc5b3ddeed6d775197ebefae7c94a45d9bf2
(v0.9.0, v0.8.1)
NOTE: https://github.com/gpac/gpac/issues/1481
@@ -254603,6 +254694,7 @@ CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows
user-assisted XSS involving a
[stretch] - ckeditor <ignored> (Minor issue, XSS through direct
copy/paste by victim, no identified patch)
[jessie] - ckeditor <ignored> (Minor issue)
- ckeditor3 <unfixed> (low)
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
- fckeditor <removed>
CVE-2018-17959
@@ -423346,6 +423438,7 @@ CVE-2014-5191 (Cross-site scripting (XSS)
vulnerability in the Preview plugin be
[wheezy] - ckeditor <not-affected> (Preview plugin not yet present)
[squeeze] - ckeditor <not-affected> (Preview plugin not yet present)
- ckeditor3 <unfixed>
+ [buster] - ckeditor3 <end-of-life> (No longer supported in LTS buster)
[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
NOTE:
https://dev.ckeditor.com/browser/CKEditor/trunk/_source/plugins/preview/preview.html?rev=7706
(v3.6.x)
NOTE:
https://github.com/ckeditor/ckeditor4/commit/b685874c6bc873a76e6e95916c43840a2b7ab08a
(v4.4.3)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/391fef271d0897389daf517a4c516f2536db6077...22d9f630a6c2f2a80db5b748c40aea24d931cac3
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits