URL: https://security-tracker.debian.org/tracker/data/json


{"389-ds-base":{"CVE-2012-0833":{"description":"The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2012-2678":{"description":"389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), after the password for a LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhashed#user#password attribute.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2012-2746":{"description":"389 Directory Server before 1.2.11.6 (aka Red Hat Directory Server before 8.2.10-3), when the password of a LDAP user has been changed and 
audit logging is enabled, saves the new password to the log in plain text, which allows remote authenticated users to read the password.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2012-4450":{"description":"389 Directory Server 1.2.10 does not properly update the ACL when a DN entry is moved by a modrdn operation, which allows remote authenticated users with certain permissions to bypass ACL restrictions and access the DN entry.","debianbug":688942,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.2.11.15-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.2.11.15-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.2.11.15-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.2.11.15-1","urgency":"not yet assigned"}}},"CVE-2013-0312":{"description":"389 Directory Server before 1.3.0.4 allows remote attackers to cause a denial of service (crash) via a zero length LDAP control sequence.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.0.3-1","urgency":"not yet 
assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.0.3-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.0.3-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.0.3-1","urgency":"not yet assigned"}}},"CVE-2013-0336":{"description":"The ipapwd_chpwop function in daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c in the directory server (dirsrv) in FreeIPA before 3.2.0 allows remote attackers to cause a denial of service (crash) via a connection request without a username/dn, related to the 389 directory server.","debianbug":704077,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"}}},"CVE-2013-1897":{"description":"The do_search function in ldap/servers/slapd/search.c in 389 Directory Server 1.2.x before 1.2.11.20 and 1.3.x before 1.3.0.5 does not properly restrict access to entries when the nsslapd-allow-anonymous-access configuration is set to rootdse and the BASE search scope is used, which allows remote attackers to obtain sensitive information outside of the rootDSE via a crafted LDAP search.","debianbug":704421,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet 
assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"}}},"CVE-2013-2219":{"description":"The Red Hat Directory Server before 8.2.11-13 and 389 Directory Server do not properly restrict access to entity attributes, which allows remote authenticated users to obtain sensitive information via a search query for the attribute.","debianbug":718325,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"}}},"CVE-2013-4283":{"description":"ns-slapd in 389 Directory Server before 1.3.0.8 allows remote attackers to cause a denial of service (server crash) via a crafted Distinguished Name (DN) in a MOD operation request.","debianbug":721222,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet 
assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"}}},"CVE-2013-4485":{"description":"389 Directory Server 1.2.11.15 (aka Red Hat Directory Server before 8.2.11-14) allows remote authenticated users to cause a denial of service (crash) via multiple @ characters in a GER attribute list in a search request.","debianbug":730115,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.2.9-1","urgency":"not yet assigned"}}},"CVE-2014-0132":{"description":"The SASL authentication functionality in 389 Directory Server before 1.2.11.26 allows remote authenticated users to connect as an arbitrary user and gain privileges via the authzid parameter in a SASL/GSSAPI bind.","debianbug":741600,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.2.9-1.1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.2.9-1.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.2.9-1.1","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.2.9-1.1","urgency":"not yet assigned"}}},"CVE-2014-3562":{"description":"Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.","debianbug":757437,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.2.21-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.2.21-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.2.21-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.2.21-1","urgency":"not yet assigned"}}},"CVE-2014-8105":{"description":"389 Directory Server before 1.3.2.27 and 1.3.3.x before 1.3.3.9 does not properly restrict access to the \"cn=changelog\" LDAP sub-tree, which allows remote attackers to obtain sensitive information from the changelog via unspecified vectors.","debianbug":779909,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"}}},"CVE-2014-8112":{"description":"389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x before 
1.3.3.9 stores \"unhashed\" passwords even when the nsslapd-unhashed-pw-switch option is set to off, which allows remote authenticated users to obtain sensitive information by reading the Changelog.","debianbug":779909,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.3.5-4","urgency":"not yet assigned"}}},"CVE-2015-1854":{"description":"389 Directory Server before 1.3.3.10 allows attackers to bypass intended access restrictions and modify directory entries via a crafted ldapmodrdn call.","debianbug":783923,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.3.10-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.3.10-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.3.10-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.3.10-1","urgency":"not yet assigned"}}},"CVE-2015-3230":{"description":"389 Directory Server (formerly Fedora Directory Server) before 1.3.3.12 does not enforce the nsSSL3Ciphers preference when creating an sslSocket, which allows remote attackers to have unspecified impact by requesting to use a disabled 
cipher.","debianbug":789202,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.3.12-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.3.12-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.3.12-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.3.12-1","urgency":"not yet assigned"}}},"CVE-2016-0741":{"description":"slapd/connection.c in 389 Directory Server (formerly Fedora Directory Server) 1.3.4.x before 1.3.4.7 allows remote attackers to cause a denial of service (infinite loop and connection blocking) by leveraging an abnormally closed connection.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.4.8-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.4.8-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.4.8-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.4.8-1","urgency":"not yet assigned"}}},"CVE-2016-4992":{"description":"389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to infer the existence of RDN component objects.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.5.13-1","urgency":"not 
yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.5.13-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.5.13-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.5.13-1","urgency":"not yet assigned"}}},"CVE-2016-5405":{"description":"389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to obtain user passwords.","debianbug":842121,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.5.15-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.5.15-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.5.15-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.5.15-1","urgency":"not yet assigned"}}},"CVE-2016-5416":{"description":"389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, Red Hat Enterprise Linux HPC Node 6 through 7, Red Hat Enterprise Linux Server 6 through 7, and Red Hat Enterprise Linux Workstation 6 through 7 allows remote attackers to read the default Access Control 
Instructions.","debianbug":834233,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"unimportant"}}},"CVE-2017-15134":{"description":"A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x before 1.3.6.13, 1.3.7.x before 1.3.7.9, 1.4.x before 1.4.0.5 handled certain LDAP search filters. A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.","debianbug":888452,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"}}},"CVE-2017-15135":{"description":"It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0.3 did not always handle internal hash comparison operations correctly during the authentication process. 
A remote, unauthenticated attacker could potentially use this flaw to bypass the authentication process under very rare and specific circumstances.","debianbug":888451,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.7.9-1","urgency":"not yet assigned"}}},"CVE-2017-2591":{"description":"389-ds-base before version 1.3.6 is vulnerable to an improperly NULL terminated array in the uniqueness_entry_to_config() function in the \"attribute uniqueness\" plugin of 389 Directory Server. An authenticated, or possibly unauthenticated, attacker could use this flaw to force an out-of-bound heap memory read, possibly triggering a crash of the LDAP service.","debianbug":851769,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.5.15-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.5.15-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.5.15-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.5.15-2","urgency":"not yet assigned"}}},"CVE-2017-2668":{"description":"389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an invalid pointer dereference in the way LDAP bind requests are handled. 
A remote unauthenticated attacker could use this flaw to make ns-slapd crash via a specially crafted LDAP bind request, resulting in denial of service.","debianbug":860125,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.5.17-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.5.17-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.5.17-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.5.17-1","urgency":"not yet assigned"}}},"CVE-2017-7551":{"description":"389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to password brute-force attacks during account lockout due to different return codes returned on password attempts.","debianbug":870752,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.6.7-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.6.7-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.6.7-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.6.7-1","urgency":"not yet assigned"}}},"CVE-2018-1054":{"description":"An out-of-bounds memory read flaw was found in the way 389-ds-base handled certain LDAP search filters, affecting all versions including 1.4.x. 
A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.","debianbug":892124,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.7.10-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.7.10-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.7.10-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.7.10-1","urgency":"not yet assigned"}}},"CVE-2018-10850":{"description":"389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a race condition in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of service.","debianbug":903501,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"}}},"CVE-2018-10871":{"description":"389-ds-base before versions 1.3.8.5, 1.4.0.12 is vulnerable to a Cleartext Storage of Sensitive Information. 
By default, when the Replica and/or retroChangeLog plugins are enabled, 389-ds-base stores passwords in plaintext format in their respective changelog files. An attacker with sufficiently high privileges, such as root or Directory Manager, can query these files in order to retrieve plaintext passwords.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"}}},"CVE-2018-1089":{"description":"389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. 
A remote, unauthenticated attacker could potentially use this flaw to make ns-slapd crash via a specially crafted LDAP request, thus resulting in denial of service.","debianbug":898138,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.3.8.2-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.3.8.2-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.3.8.2-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.3.8.2-1","urgency":"not yet assigned"}}},"CVE-2018-10935":{"description":"A flaw was found in the 389 Directory Server that allows users to cause a crash in the LDAP server using ldapsearch with server side sort.","debianbug":906985,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.0.15-1","urgency":"not yet assigned"}}},"CVE-2018-14624":{"description":"A vulnerability was discovered in 389-ds-base through versions 1.3.7.10, 1.3.8.8 and 1.4.0.16. The lock controlling the error log was not correctly used when re-opening the log file in log__error_emergency(). 
An attacker could send a flood of modifications to a very large DN, which would cause slapd to crash.","debianbug":907778,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"}}},"CVE-2018-14638":{"description":"A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ns-slapd crashes in delete_passwdPolicy function when persistent search connections are terminated unexpectedly leading to remote denial of service.","debianbug":908859,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"}}},"CVE-2018-14648":{"description":"A flaw was found in 389 Directory Server. A specially crafted search query could lead to excessive CPU consumption in the do_search() function. 
An unauthenticated attacker could use this flaw to provoke a denial of service.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.0.18-1","urgency":"not yet assigned"}}},"CVE-2019-10171":{"description":"It was found that the fix for CVE-2018-14648 in 389-ds-base, versions 1.4.0.x before 1.4.0.17, was incorrectly applied in RHEL 7.5. An attacker would still be able to provoke excessive CPU consumption leading to a denial of service.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2019-10224":{"description":"A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. When executed in verbose mode, the dscreate and dsconf commands may display sensitive information, such as the Directory Manager password. 
An attacker, able to see the screen or record the terminal standard error output, could use this flaw to gain sensitive information.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"}}},"CVE-2019-14824":{"description":"A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.","debianbug":944150,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.2.4-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.2.4-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.2.4-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.2.4-1","urgency":"not yet assigned"}}},"CVE-2019-3883":{"description":"In 389-ds-base up to version 1.4.1.2, requests are handled by workers threads. Each sockets will be waited by the worker for at most 'ioblocktimeout' seconds. However this timeout applies only for un-encrypted requests. 
Connections using SSL/TLS are not taking this timeout into account during reads, and may hang longer.An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.","debianbug":927939,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.1.5-1","urgency":"not yet assigned"}}},"CVE-2020-35518":{"description":"When binding against a DN during authentication, the reply from 389-ds-base will be different whether the DN exists or not. 
This can be used by an unauthenticated attacker to check the existence of an entry in the LDAP database.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.4.10-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.10-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.4.10-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.4.10-1","urgency":"not yet assigned"}}},"CVE-2021-3514":{"description":"When using a sync_repl client in 389-ds-base, an authenticated attacker can cause a NULL pointer dereference using a specially crafted query, causing a crash.","debianbug":988727,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.4.11-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.4.11-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.4.11-2","urgency":"not yet assigned"}}},"CVE-2021-3652":{"description":"A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. 
This flaw allows an attacker to successfully authenticate as a user whose password was disabled.","debianbug":991405,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"1.4.4.17-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"1.4.4.17-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"1.4.4.17-1","urgency":"not yet assigned"}}},"CVE-2021-4091":{"description":"A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.0.15-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.0.15-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.0.15-1","urgency":"not yet assigned"}}},"CVE-2022-0918":{"description":"A vulnerability was discovered in the 389 Directory Server that allows an unauthenticated attacker with network access to the LDAP port to cause a denial of service. The denial of service is triggered by a single message sent over a TCP connection, no bind or other authentication is required. 
The message triggers a segmentation fault that results in slapd crashing.","debianbug":1016445,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.0.15-1.1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.0.15-1.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.0.15-1.1","urgency":"not yet assigned"}}},"CVE-2022-0996":{"description":"A vulnerability was found in the 389 Directory Server that allows expired passwords to access the database to cause improper authentication.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.0.15-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.0.15-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.0.15-1","urgency":"not yet assigned"}}},"CVE-2022-1949":{"description":"An access control bypass vulnerability found in 389-ds-base. That mishandling of the filter that would yield incorrect results, but as that has progressed, can be determined that it actually is an access control bypass. 
This may allow any remote unauthenticated user to issue a filter that allows searching for database items they do not have access to, including but not limited to potentially userPassword hashes and other sensitive data.","debianbug":1016446,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.3.1-1","urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned","nodsa":"Minor issue, too intrusive to backport","nodsa_reason":"ignored"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.3.1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.3.1-1","urgency":"not yet assigned"}}},"CVE-2022-2850":{"description":"A flaw was found In 389-ds-base. When the Content Synchronization plugin is enabled, an authenticated user can reach a NULL pointer dereference using a specially crafted query. This flaw allows an authenticated attacker to cause a denial of service. This CVE is assigned against an incomplete fix of CVE-2021-3514.","debianbug":1018054,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.3.1-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.3.1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.3.1-1","urgency":"not yet assigned"}}},"CVE-2023-1055":{"description":"A flaw was found in RHDS 11 and RHDS 12. 
While browsing entries LDAP tries to decode the userPassword attribute instead of the userCertificate attribute which could lead into sensitive information leaked. An attacker with a local account where the cockpit-389-ds is running can list the processes and display the hashed passwords. The highest threat from this vulnerability is to data confidentiality.","debianbug":1034891,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.3.4+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.3.4+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2024-1062":{"description":"A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.","debianbug":1066120,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.3.4+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.3.4+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2024-2199":{"description":"A denial of service vulnerability was found in 389-ds-base ldap server. 
This issue may allow an authenticated user to cause a server crash while modifying `userPassword` using malformed input.","debianbug":1072531,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.3.1+dfsg1-1+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"3.1.1+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"3.1.1+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2024-3657":{"description":"A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.3.1+dfsg1-1+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"3.1.1+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"3.1.1+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2024-5953":{"description":"A denial of service vulnerability was found in the 389-ds-base LDAP server. 
This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.3.1+dfsg1-1+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"3.1.1+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"3.1.1+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2024-6237":{"description":"A flaw was found in the 389 Directory Server. This flaw allows an unauthenticated user to cause a systematic server crash while sending a specific extended search request, leading to a denial of service.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned","nodsa":"Minor issue, DoS","nodsa_reason":"postponed"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.4.5+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.4.5+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2024-8445":{"description":"The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. 
In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input.","debianbug":1082852,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"fixed_version":"2.0.11-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"fixed_version":"1.4.4.11-2+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"2.0.11-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"2.0.11-1","urgency":"not yet assigned"}}},"CVE-2025-14905":{"description":"A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. 
When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).","debianbug":1130910,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned","nodsa":"Minor issue; can be fixed via point release","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"3.1.2+vendor1-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"3.1.2+dfsg1-1+deb13u1","urgency":"not yet assigned"}}},"CVE-2025-2487":{"description":"A flaw was found in the 389-ds-base LDAP Server. This issue occurs when issuing a Modify DN LDAP operation through the ldap protocol, when the function return value is not tested and a NULL pointer is dereferenced. If a privileged user performs a ldap MODDN operation after a failed operation, it could lead to a Denial of Service (DoS) or system crash.","debianbug":1100994,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned","nodsa":"need priviligied user; DoS","nodsa_reason":"postponed"},"sid":{"status":"resolved","repositories":{"sid":"3.1.2+vendor1-2"},"fixed_version":"3.1.2+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"fixed_version":"3.1.2+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2026-11611":{"description":"A flaw was found in 389 Directory Server. 
The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.","debianbug":1139820,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11774":{"description":"An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. 
This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.","debianbug":1139809,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11785":{"description":"A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.","debianbug":1139810,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11786":{"description":"A flaw was found in 389 Directory Server. 
The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.","debianbug":1139811,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11787":{"description":"A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without bounds checking, causing a heap buffer over-read in string filter parsing that may influence internal filter processing behavior.","debianbug":1139812,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11788":{"description":"A flaw was found in 389 Directory Server. 
The dereference control plugin does not check for allocation failure before using a BER structure, allowing an unauthenticated remote attacker to crash the LDAP server when the system is under memory pressure.","debianbug":1139813,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11789":{"description":"A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.","debianbug":1139814,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11790":{"description":"A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. 
A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.","debianbug":1139815,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11791":{"description":"A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).","debianbug":1139816,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11792":{"description":"A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. 
If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.","debianbug":1139817,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11793":{"description":"A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only.","debianbug":1139818,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-11884":{"description":"A heap buffer overflow flaw was found in 389 Directory Server. When serializing objectclass definitions, the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat(). 
An attacker with Directory Manager privileges, or a compromised replication supplier, can trigger a server crash by creating objectclasses with long SUP values. This is an incomplete fix variant of CVE-2025-14905.","debianbug":1139819,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}},"CVE-2026-12528":{"description":"A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.","debianbug":1140484,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""}}},"CVE-2026-9064":{"description":"A flaw was found in 389-ds-base. 
The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.","debianbug":1137436,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2.3.1+dfsg1-1+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"1.4.4.11-2","bullseye-security":"1.4.4.11-2+deb11u1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.1.2+vendor1-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.1.2+dfsg1-1+deb13u1"},"urgency":"not yet assigned"}}}},"7zip":{"CVE-2022-47111":{"description":"7-Zip 22.01 does not report an error for certain invalid xz files, involving block flags and reserved bits. Some later versions are unaffected.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"26.01+dfsg-3"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"26.02+dfsg-1"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2022-47112":{"description":"7-Zip 22.01 does not report an error for certain invalid xz files, involving stream flags and reserved bits. 
Some later versions are unaffected.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"26.01+dfsg-3"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"26.02+dfsg-1"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2023-31102":{"description":"Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+really25.01+dfsg-0+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"23.01+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"23.01+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"23.01+dfsg-1","urgency":"not yet assigned"}}},"CVE-2023-40481":{"description":"7-Zip SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SQFS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. 
Was ZDI-CAN-18589.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+really25.01+dfsg-0+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"23.01+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"23.01+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"23.01+dfsg-1","urgency":"not yet assigned"}}},"CVE-2023-52168":{"description":"The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+dfsg-8+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"24.05+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"24.05+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"24.05+dfsg-1","urgency":"not yet assigned"}}},"CVE-2023-52169":{"description":"The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. 
This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+dfsg-8+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"24.05+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"24.05+dfsg-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"24.05+dfsg-1","urgency":"unimportant"}}},"CVE-2024-11477":{"description":"7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. 
Was ZDI-CAN-24346.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"24.07+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"24.07+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"24.07+dfsg-1","urgency":"not yet assigned"}}},"CVE-2024-11612":{"description":"7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+really25.01+dfsg-0+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"24.08+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"24.08+dfsg-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"24.08+dfsg-1","urgency":"unimportant"}}},"CVE-2025-0411":{"description":"7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2025-11001":{"description":"7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. 
Was ZDI-CAN-26753.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+really25.01+dfsg-0+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"25.00+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"25.00+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"25.01+dfsg-1~deb13u1","urgency":"not yet assigned"}}},"CVE-2025-11002":{"description":"7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+really25.01+dfsg-0+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"25.00+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"25.00+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"25.01+dfsg-1~deb13u1","urgency":"not yet assigned"}}},"CVE-2025-53817":{"description":"7-Zip is a file archiver with a high compression ratio. 
7-Zip supports extracting from Compound Documents. Prior to version 25.0.0, a null pointer dereference in the Compound handler may lead to denial of service. Version 25.0.0 contains a fix for the issue.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+really25.01+dfsg-0+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"25.00+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"25.00+dfsg-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"25.00+dfsg-1","urgency":"unimportant"}}},"CVE-2025-55188":{"description":"7-Zip before 25.01 does not always properly handle symbolic links during extraction.","debianbug":1111068,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"fixed_version":"22.01+really25.01+dfsg-0+deb12u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"25.01+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"25.01+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"fixed_version":"25.01+dfsg-1~deb13u1","urgency":"not yet assigned"}}},"CVE-2026-48092":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. 
The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2\u00b3\u00b2. On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2026-48095":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. 
The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching \"NTFS \" at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"not yet assigned","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""}}},"CVE-2026-48101":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it with ReadStream_FALSE whose return value is silently discarded. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. 
Version 26.0.1 fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2026-48102":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size < 38 + idLen + impLen and advancing processed to 38 + impLen + idLen, the alignment-padding loop reads p[processed] while incrementing up to 3 times to reach a 4-byte boundary, and the processed <= size bounds check only runs after the loop. When (38 + impLen + idLen) % 4 != 0 and 38 + impLen + idLen == size, the loop reads 1 to 3 bytes past the end of the exact-size heap buffer allocated via buf.Alloc((size_t)item.Size). The UDF handler is registered for .iso and .udf files and auto-detected by signature, and the OOB read triggers during Open() when listing or extracting a crafted UDF image. Impact is limited to information disclosure (a 1-bit oracle per OOB byte via open/fail behavior) and denial of service (crash under hardened allocators); there is no write primitive. 
Version 26.01 fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2026-48103":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. 
Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2026-48104":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. 
The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2026-48111":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser(CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. 
The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule \u2192 ParseVolume \u2192 ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"unimportant","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"unimportant"}}},"CVE-2026-48112":{"description":"7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. 
Version 26.01 patches the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"22.01+really25.01+dfsg-0+deb12u1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":"","next_point_update":true},"forky":{"status":"resolved","repositories":{"forky":"26.01+dfsg-3"},"fixed_version":"26.01+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02+dfsg-1"},"fixed_version":"26.01+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"25.01+dfsg-1~deb13u2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""}}}},"7zip-rar":{"CVE-2025-53816":{"description":"7-Zip is a file archiver with a high compression ratio. Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service in versions of 7-Zip prior to 25.0.0. Version 25.0.0 contains a fix for the issue.","debianbug":1109494,"scope":"local","releases":{"forky":{"status":"resolved","repositories":{"forky":"26.01-2"},"fixed_version":"25.00+ds-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"26.02-1"},"fixed_version":"25.00+ds-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"25.00+ds-1+deb13u1"},"fixed_version":"25.00+ds-1","urgency":"not yet assigned"}}}},"9base":{"CVE-2014-1935":{"description":"9base 1:6-6 and 1:6-7 insecurely creates temporary files which results in predictable 
filenames.","debianbug":737206,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1:6-13"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1:6-11"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"1:6-15"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"1:6-15"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"1:6-14"},"urgency":"unimportant"}}}},"a2ps":{"CVE-2001-1593":{"description":"The tempname_ensure function in lib/routines.h in a2ps 4.14 and earlier, as used by the spy_user function and possibly other functions, allows local users to modify arbitrary files via a symlink attack on a temporary file.","debianbug":737385,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:4.14-8"},"fixed_version":"1:4.14-1.2","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:4.14-7"},"fixed_version":"1:4.14-1.2","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"1:4.15.8-1"},"fixed_version":"1:4.14-1.2","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"1:4.15.8-1"},"fixed_version":"1:4.14-1.2","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"1:4.15.6-1"},"fixed_version":"1:4.14-1.2","urgency":"low"}}},"CVE-2004-1170":{"description":"a2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename.","debianbug":283134,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:4.14-8"},"fixed_version":"1:4.13b-4.2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:4.14-7"},"fixed_version":"1:4.13b-4.2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:4.15.8-1"},"fixed_version":"1:4.13b-4.2","urgency":"not yet 
assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:4.15.8-1"},"fixed_version":"1:4.13b-4.2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:4.15.6-1"},"fixed_version":"1:4.13b-4.2","urgency":"not yet assigned"}}},"CVE-2004-1377":{"description":"The (1) fixps (aka fixps.in) and (2) psmandup (aka psmandup.in) scripts in a2ps before 4.13 allow local users to overwrite arbitrary files via a symlink attack on temporary files.","debianbug":286387,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:4.14-8"},"fixed_version":"1:4.13b-4.3","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:4.14-7"},"fixed_version":"1:4.13b-4.3","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:4.15.8-1"},"fixed_version":"1:4.13b-4.3","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:4.15.8-1"},"fixed_version":"1:4.13b-4.3","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:4.15.6-1"},"fixed_version":"1:4.13b-4.3","urgency":"not yet assigned"}}},"CVE-2014-0466":{"description":"The fixps script in a2ps 4.14 does not use the -dSAFER option when executing gs, which allows context-dependent attackers to delete arbitrary files or execute arbitrary commands via a crafted PostScript file.","debianbug":742902,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:4.14-8"},"fixed_version":"1:4.14-1.3","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:4.14-7"},"fixed_version":"1:4.14-1.3","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:4.15.8-1"},"fixed_version":"1:4.14-1.3","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:4.15.8-1"},"fixed_version":"1:4.14-1.3","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:4.15.6-1"},"fixed_version":"1:4.14-1.3","urgency":"not yet assigned"}}},"CVE-2015-8107":{"description":"Format string vulnerability in GNU a2ps 4.14 allows remote attackers to execute arbitrary code.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:4.14-8"},"fixed_version":"1:4.14-1.2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:4.14-7"},"fixed_version":"1:4.14-1.2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:4.15.8-1"},"fixed_version":"1:4.14-1.2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:4.15.8-1"},"fixed_version":"1:4.14-1.2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:4.15.6-1"},"fixed_version":"1:4.14-1.2","urgency":"not yet assigned"}}}},"aardvark-dns":{"CVE-2024-8418":{"description":"A flaw was found in Aardvark-dns, which is vulnerable to a Denial of Service attack due to the serial processing of TCP DNS queries. An attacker can exploit this flaw by keeping a TCP connection open indefinitely, causing the server to become unresponsive and resulting in other DNS queries timing out. 
This issue prevents legitimate users from accessing DNS services, thereby disrupting normal operations and causing service downtime.","debianbug":1080964,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.4.0-3"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.17.1-2"},"fixed_version":"1.12.2-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1.17.1-2"},"fixed_version":"1.12.2-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1.14.0-3"},"fixed_version":"1.12.2-1","urgency":"not yet assigned"}}},"CVE-2026-35406":{"description":"Aardvark-dns is an authoritative dns server for A/AAAA container records. From 1.16.0 to 1.17.0, a truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU. This vulnerability is fixed in 1.17.1.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1.4.0-3"},"urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1.17.1-2"},"fixed_version":"1.16.0-3","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1.17.1-2"},"fixed_version":"1.16.0-3","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"1.14.0-3"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""}}}},"abcm2ps":{"CVE-2004-1258":{"description":"Buffer overflow in the put_words function in subs.c for abcm2ps 3.7.20 allows remote attackers to execute arbitrary code via crafted ABC files.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"4.8.5-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"8.14.11-0.1"},"fixed_version":"4.8.5-1","urgency":"not yet 
assigned"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"4.8.5-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"4.8.5-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"4.8.5-1","urgency":"not yet assigned"}}},"CVE-2010-3441":{"description":"Multiple buffer overflows in abcm2ps before 5.9.12 might allow remote attackers to execute arbitrary code via (1) a crafted input file, related to the PUT0 and PUT1 output macros; (2) a crafted input file, related to the trim_title function; and possibly (3) a long -O option on a command line.","debianbug":577014,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"5.9.13-0.1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"8.14.11-0.1"},"fixed_version":"5.9.13-0.1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"5.9.13-0.1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"5.9.13-0.1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"5.9.13-0.1","urgency":"low"}}},"CVE-2010-4743":{"description":"Heap-based buffer overflow in the getarena function in abc2ps.c in abcm2ps before 5.9.13 might allow remote attackers to execute arbitrary code via a crafted ABC file, a different vulnerability than CVE-2010-3441. 
NOTE: some of these details are obtained from third party information.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"5.9.22-1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"8.14.11-0.1"},"fixed_version":"5.9.22-1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"5.9.22-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"5.9.22-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"5.9.22-1","urgency":"low"}}},"CVE-2010-4744":{"description":"Multiple unspecified vulnerabilities in abcm2ps before 5.9.13 have unknown impact and attack vectors, a different issue than CVE-2010-3441.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"5.9.22-1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"8.14.11-0.1"},"fixed_version":"5.9.22-1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"5.9.22-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"5.9.22-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"5.9.22-1","urgency":"low"}}},"CVE-2018-10753":{"description":"Stack-based buffer overflow in the delayed_output function in music.c in abcm2ps through 8.13.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other 
impact.","debianbug":897966,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"8.14.11-0.1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"}}},"CVE-2018-10771":{"description":"Stack-based buffer overflow in the get_key function in parse.c in abcm2ps through 8.13.20 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact.","debianbug":898130,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"8.14.11-0.1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"}}},"CVE-2019-1010069":{"description":"moinejf abcm2ps 8.13.20 is affected by: Incorrect Access Control. The impact is: Allows attackers to cause a denial of service attack via a crafted file. The component is: front.c, function txt_add. 
The fixed version is: after commit commit 08aef597656d065e86075f3d53fda89765845eae.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"8.14.11-0.1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"8.14.2-0.1","urgency":"unimportant"}}},"CVE-2021-32434":{"description":"abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"8.14.13-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"8.14.11-0.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"8.14.13-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"8.14.13-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"8.14.13-1","urgency":"unimportant"}}},"CVE-2021-32435":{"description":"Stack-based buffer overflow in the function get_key in parse.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"8.14.13-1","urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"8.14.11-0.1"},"urgency":"not yet assigned","nodsa":"Minor 
issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"8.14.13-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"8.14.13-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"8.14.13-1","urgency":"not yet assigned"}}},"CVE-2021-32436":{"description":"An out-of-bounds read in the function write_title() in subs.c of abcm2ps v8.14.11 allows remote attackers to cause a Denial of Service (DoS) via unspecified vectors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"8.14.14-1"},"fixed_version":"8.14.13-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"8.14.11-0.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"8.14.18-1"},"fixed_version":"8.14.13-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"8.14.18-1"},"fixed_version":"8.14.13-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"8.14.17-2"},"fixed_version":"8.14.13-1","urgency":"unimportant"}}}},"abcmidi":{"CVE-2004-1256":{"description":"Multiple buffer overflows in the (1) event_text and (2) event_specific functions in abc2midi 2004.12.04 allow remote attackers to execute arbitrary code via crafted ABC files.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"20230208+ds1-1"},"fixed_version":"20050101-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"20210221-1"},"fixed_version":"20050101-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"20260609+ds-2"},"fixed_version":"20050101-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"20260609+ds-2"},"fixed_version":"20050101-1","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"20250216+ds-1"},"fixed_version":"20050101-1","urgency":"not yet assigned"}}},"CVE-2006-1514":{"description":"Multiple buffer overflows in the abcmidi-yaps translator in abcmidi 20050101, and other versions, allow remote attackers to execute arbitrary code via crafted ABC music files that trigger the overflows during translation into PostScript.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"20230208+ds1-1"},"fixed_version":"20060422-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"20210221-1"},"fixed_version":"20060422-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"20260609+ds-2"},"fixed_version":"20060422-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"20260609+ds-2"},"fixed_version":"20060422-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"20250216+ds-1"},"fixed_version":"20060422-1","urgency":"not yet assigned"}}}},"abiword":{"CVE-2004-0645":{"description":"Buffer overflow in the wvHandleDateTimePicture function in wv library (wvWare) 0.7.4 through 0.7.6 and 1.0.0 allows remote attackers to execute arbitrary code via a document with a long DateTime field.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.0.5~dfsg-3.2"},"fixed_version":"2.0.8","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.0.4~dfsg-3"},"fixed_version":"2.0.8","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.0.8+ds-2"},"fixed_version":"2.0.8","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.0.8+ds-2"},"fixed_version":"2.0.8","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.0.6~dfsg-1"},"fixed_version":"2.0.8","urgency":"not yet 
assigned"}}},"CVE-2005-2964":{"description":"Stack-based buffer overflow in AbiWord before 2.2.10 allows attackers to execute arbitrary code via the RTF import mechanism.","debianbug":329839,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.0.5~dfsg-3.2"},"fixed_version":"2.2.10-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.0.4~dfsg-3"},"fixed_version":"2.2.10-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"3.0.8+ds-2"},"fixed_version":"2.2.10-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"3.0.8+ds-2"},"fixed_version":"2.2.10-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"3.0.6~dfsg-1"},"fixed_version":"2.2.10-1","urgency":"medium"}}},"CVE-2005-2972":{"description":"Multiple stack-based buffer overflows in the RTF import feature in AbiWord before 2.2.11 allow user-assisted attackers to execute arbitrary code via an RTF file with long identifiers, which are not properly handled in the (1) ParseLevelText, (2) getCharsInsideBrace, (3) HandleLists, (4) or (5) HandleAbiLists functions in ie_imp_RTF.cpp, a different vulnerability than CVE-2005-2964.","debianbug":333740,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.0.5~dfsg-3.2"},"fixed_version":"2.4.1-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.0.4~dfsg-3"},"fixed_version":"2.4.1-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"3.0.8+ds-2"},"fixed_version":"2.4.1-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"3.0.8+ds-2"},"fixed_version":"2.4.1-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"3.0.6~dfsg-1"},"fixed_version":"2.4.1-1","urgency":"medium"}}},"CVE-2006-4513":{"description":"Multiple integer overflows in the WV library in wvWare (formerly mswordview) before 1.2.3, as used by 
AbiWord, KWord, and possibly other products, allow user-assisted remote attackers to execute arbitrary code via a crafted Microsoft Word (DOC) file that produces (1) large LFO clfolvl values in the wvGetLFO_records function or (2) a large LFO nolfo value in the wvGetFLO_PLF function.","debianbug":396360,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.0.5~dfsg-3.2"},"fixed_version":"2.4.6-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.0.4~dfsg-3"},"fixed_version":"2.4.6-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.0.8+ds-2"},"fixed_version":"2.4.6-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.0.8+ds-2"},"fixed_version":"2.4.6-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.0.6~dfsg-1"},"fixed_version":"2.4.6-1","urgency":"not yet assigned"}}},"CVE-2017-17529":{"description":"af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.","debianbug":884923,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.0.5~dfsg-3.2"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"3.0.4~dfsg-3"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"3.0.8+ds-2"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"3.0.8+ds-2"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"3.0.6~dfsg-1"},"urgency":"unimportant"}}}},"abseil":{"CVE-2025-0838":{"description":"There exists a heap buffer overflow vulnerable in Abseil-cpp. The sized constructors, reserve(), and rehash() methods of absl::{flat,node}hash{set,map} did not impose an upper bound on their size argument. 
As a result, it was possible for a caller to pass a very large size that would cause an integer overflow when computing the size of the container's backing store, and a subsequent out-of-bounds memory write. Subsequent accesses to the container might also access out-of-bounds memory. We recommend upgrading past commit 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1","debianbug":1098903,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"20220623.1-1+deb12u2"},"fixed_version":"20220623.1-1+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0~20200923.3-2","bullseye-security":"0~20200923.3-2+deb11u1"},"fixed_version":"0~20200923.3-2+deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"20260107.0-5"},"fixed_version":"20240722.0-3","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"20260107.0-5"},"fixed_version":"20240722.0-3","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"20240722.0-4"},"fixed_version":"20240722.0-3","urgency":"not yet assigned"}}}},"accountsservice":{"CVE-2011-4406":{"description":"The Ubuntu AccountsService package before 0.6.14-1git1ubuntu1.1 does not properly drop privileges when changing language settings, which allows local users to modify arbitrary files via unspecified vectors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0.6.15-3","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0.6.15-3","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0.6.15-3","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0.6.15-3","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0.6.15-3","urgency":"not yet assigned"}}},"CVE-2012-2737":{"description":"The user_change_icon_file_authorized_cb function in /usr/libexec/accounts-daemon in AccountsService before 0.6.22 does not properly check the UID when copying an icon file to the system cache directory, which allows local users to read arbitrary files via a race condition.","debianbug":679429,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0.6.21-6","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0.6.21-6","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0.6.21-6","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0.6.21-6","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0.6.21-6","urgency":"not yet assigned"}}},"CVE-2012-6655":{"description":"An issue exists AccountService 0.6.37 in the user_change_password_authorized_cb() function in user.c which could let a local users obtain encrypted passwords.","debianbug":757912,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"22.08.8-4","urgency":"low"},"bullseye":{"status":"open","repositories":{"bullseye":"0.6.55-3"},"urgency":"low","nodsa":"Minor issue","nodsa_reason":"ignored"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"22.08.8-4","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"22.08.8-4","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"22.08.8-4","urgency":"low"}}},"CVE-2018-14036":{"description":"Directory Traversal with ../ 
sequences occurs in AccountsService before 0.6.50 because of an insufficient path check in user_change_icon_file_authorized_cb() in user.c.","debianbug":903828,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0.6.45-2","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0.6.45-2","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0.6.45-2","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0.6.45-2","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0.6.45-2","urgency":"low"}}},"CVE-2020-16126":{"description":"An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, improperly dropped the ruid, allowing untrusted users to send signals to AccountService, thus stopping it from handling D-Bus messages in a timely fashion.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2020-16127":{"description":"An Ubuntu-specific modification to AccountsService in versions before 0.6.55-0ubuntu13.2, among other earlier versions, would perform unbounded read operations on user-controlled ~/.pam_environment files, allowing an infinite loop if /dev/zero is symlinked to this 
location.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2021-3939":{"description":"Ubuntu-specific modifications to accountsservice (in patch file debian/patches/0010-set-language.patch) caused the fallback_locale variable, pointing to static storage, to be freed, in the user_change_language_authorized_cb function. This is reachable via the SetLanguage dbus function. This is fixed in versions 0.6.55-0ubuntu12~20.04.5, 0.6.55-0ubuntu13.3, 0.6.55-0ubuntu14.1.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2022-1804":{"description":"accountsservice no longer drops permissions when writting 
.pam_environment","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2023-3297":{"description":"In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"22.08.8-6"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.6.55-3"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"23.13.9-8"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"23.13.9-7"},"fixed_version":"0","urgency":"unimportant"}}}},"ace":{"CVE-2014-6311":{"description":"generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated 
privileges.","debianbug":760709,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"7.0.8+dfsg-2"},"fixed_version":"6.2.7+dfsg-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"6.5.12+dfsg-3"},"fixed_version":"6.2.7+dfsg-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"8.0.5+dfsg-2"},"fixed_version":"6.2.7+dfsg-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"8.0.5+dfsg-2"},"fixed_version":"6.2.7+dfsg-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"8.0.2+dfsg-2"},"fixed_version":"6.2.7+dfsg-2","urgency":"unimportant"}}}},"acl":{"CVE-2009-4411":{"description":"The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running in recursive (-R) mode, follow symbolic links even when the --physical (aka -P) or -L option is specified, which might allow local users to modify the ACL for arbitrary files or directories via a symlink attack.","debianbug":499076,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.1-3"},"fixed_version":"2.2.49-2","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.2.53-10"},"fixed_version":"2.2.49-2","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"2.3.2-3"},"fixed_version":"2.2.49-2","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"2.3.2-3"},"fixed_version":"2.2.49-2","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.2-2"},"fixed_version":"2.2.49-2","urgency":"low"}}}},"acm":{"CVE-2002-0391":{"description":"Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and 
dmispd.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"6.0+20200416-1.1"},"fixed_version":"5.0-10","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"6.0+20200416-1"},"fixed_version":"5.0-10","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"6.0+20200416-1.2"},"fixed_version":"5.0-10","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"6.0+20200416-1.2"},"fixed_version":"5.0-10","urgency":"not yet assigned"}}}},"acme.sh":{"CVE-2023-38198":{"description":"acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023.","scope":"local","releases":{"forky":{"status":"resolved","repositories":{"forky":"3.1.3+~cs0.0.20260427-2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.1.3+~cs0.0.20260427-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.1.1-1"},"fixed_version":"0","urgency":"unimportant"}}}},"acpi-support":{"CVE-2014-0484":{"description":"The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the \"user's environment.\"","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.143-5.1"},"fixed_version":"0.142-4","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.143-5"},"fixed_version":"0.142-4","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"0.143-5.2"},"fixed_version":"0.142-4","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.143-5.2"},"fixed_version":"0.142-4","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.143-5.2"},"fixed_version":"0.142-4","urgency":"not yet assigned"}}},"CVE-2014-1419":{"description":"Race condition in 
the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.143-5.1"},"fixed_version":"0.142-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.143-5"},"fixed_version":"0.142-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"0.143-5.2"},"fixed_version":"0.142-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.143-5.2"},"fixed_version":"0.142-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.143-5.2"},"fixed_version":"0.142-2","urgency":"not yet assigned"}}}},"acpica-unix":{"CVE-2017-13693":{"description":"The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"20200925-8"},"fixed_version":"20180209-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"20200925-1.2"},"fixed_version":"20180209-1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"20260408-1"},"fixed_version":"20180209-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"20260408-1"},"fixed_version":"20180209-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"20250404-1"},"fixed_version":"20180209-1","urgency":"unimportant"}}},"CVE-2017-13694":{"description":"The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobject.c in the Linux kernel through 4.12.9 does not flush the node and 
node_ext caches and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"20200925-8"},"fixed_version":"20180209-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"20200925-1.2"},"fixed_version":"20180209-1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"20260408-1"},"fixed_version":"20180209-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"20260408-1"},"fixed_version":"20180209-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"20250404-1"},"fixed_version":"20180209-1","urgency":"unimportant"}}},"CVE-2017-13695":{"description":"The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the Linux kernel through 4.12.9 does not flush the operand cache and causes a kernel stack dump, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism (in the kernel through 4.9) via a crafted ACPI table.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"20200925-8"},"fixed_version":"20180209-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"20200925-1.2"},"fixed_version":"20180209-1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"20260408-1"},"fixed_version":"20180209-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"20260408-1"},"fixed_version":"20180209-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"20250404-1"},"fixed_version":"20180209-1","urgency":"unimportant"}}},"CVE-2024-24856":{"description":"The memory allocation function ACPI_ALLOCATE_ZEROED does not guarantee a 
successful allocation, but the subsequent code directly dereferences the pointer that receives it, which may lead to null pointer dereference. To fix this issue, a null pointer check should be added. If it is null, return exception code AE_NO_MEMORY.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"20200925-8"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"20200925-1.2"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"20260408-1"},"fixed_version":"20240827-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"20260408-1"},"fixed_version":"20240827-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"20250404-1"},"fixed_version":"20240827-2","urgency":"unimportant"}}}},"acpid":{"CVE-2009-0798":{"description":"ACPI Event Daemon (acpid) before 1.0.10 allows remote attackers to cause a denial of service (CPU consumption and connectivity loss) by opening a large number of UNIX sockets without closing them, which triggers an infinite loop.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.0.33-2"},"fixed_version":"1.0.10-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.0.32-1"},"fixed_version":"1.0.10-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"1:2.0.34-1"},"fixed_version":"1.0.10-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"1:2.0.34-1"},"fixed_version":"1.0.10-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.0.34-1"},"fixed_version":"1.0.10-1","urgency":"medium"}}},"CVE-2009-4033":{"description":"A certain Red Hat patch for acpid 1.0.4 effectively triggers a call to the open function with insufficient arguments, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file, 
cause a denial of service by overwriting this file, or gain privileges by executing this file.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.0.33-2"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.0.32-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1:2.0.34-1"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1:2.0.34-1"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.0.34-1"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2009-4235":{"description":"acpid 1.0.4 sets an unrestrictive umask, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file or cause a denial of service by overwriting this file, a different vulnerability than CVE-2009-4033.","debianbug":560771,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.0.33-2"},"fixed_version":"1.0.6","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.0.32-1"},"fixed_version":"1.0.6","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"1:2.0.34-1"},"fixed_version":"1.0.6","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"1:2.0.34-1"},"fixed_version":"1.0.6","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.0.34-1"},"fixed_version":"1.0.6","urgency":"low"}}},"CVE-2011-1159":{"description":"acpid.c in acpid before 2.0.9 does not properly handle a situation in which a process has connected to acpid.socket but is not reading any data, which allows local users to cause a denial of service (daemon hang) via a crafted application that performs a connect system call but no read system 
calls.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.0.33-2"},"fixed_version":"1:2.0.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.0.32-1"},"fixed_version":"1:2.0.9-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:2.0.34-1"},"fixed_version":"1:2.0.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:2.0.34-1"},"fixed_version":"1:2.0.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.0.34-1"},"fixed_version":"1:2.0.9-1","urgency":"not yet assigned"}}},"CVE-2011-2777":{"description":"samples/powerbtn/powerbtn.sh in acpid (aka acpid2) 2.0.16 and earlier uses the pidof program incorrectly, which allows local users to gain privileges by running a program with the name kded4 and a DBUS_SESSION_BUS_ADDRESS environment variable containing commands.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.0.33-2"},"fixed_version":"1:2.0.14-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.0.32-1"},"fixed_version":"1:2.0.14-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:2.0.34-1"},"fixed_version":"1:2.0.14-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:2.0.34-1"},"fixed_version":"1:2.0.14-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.0.34-1"},"fixed_version":"1:2.0.14-1","urgency":"not yet assigned"}}},"CVE-2011-4578":{"description":"event.c in acpid (aka acpid2) before 2.0.11 does not have an appropriate umask setting during execution of event-handler scripts, which might allow local users to (1) perform write operations within directories created by a script, or (2) read files created by a script, via standard filesystem system 
calls.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.0.33-2"},"fixed_version":"1:2.0.11-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.0.32-1"},"fixed_version":"1:2.0.11-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:2.0.34-1"},"fixed_version":"1:2.0.11-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:2.0.34-1"},"fixed_version":"1:2.0.11-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.0.34-1"},"fixed_version":"1:2.0.11-1","urgency":"not yet assigned"}}}},"activemq":{"CVE-2011-4905":{"description":"Apache ActiveMQ before 5.6.0 allows remote attackers to cause a denial of service (file-descriptor exhaustion and broker crash or hang) by sending many openwire failover:tcp:// connection requests.","debianbug":655495,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.5.0+dfsg-5","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.5.0+dfsg-5","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.5.0+dfsg-5","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.5.0+dfsg-5","urgency":"not yet assigned"}}},"CVE-2012-6092":{"description":"Multiple cross-site scripting (XSS) vulnerabilities in the web demos in Apache ActiveMQ before 5.8.0 allow remote attackers to inject arbitrary web script or HTML via (1) the refresh parameter to PortfolioPublishServlet.java (aka demo/portfolioPublish or Market Data Publisher), or vectors involving (2) debug logs or (3) subscribe messages in webapp/websocket/chat.js. 
NOTE: AMQ-4124 is covered by CVE-2012-6551.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2012-6551":{"description":"The default configuration of Apache ActiveMQ before 5.8.0 enables a sample web application, which allows remote attackers to cause a denial of service (broker resource consumption) via HTTP requests.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2013-1879":{"description":"Cross-site scripting (XSS) vulnerability in scheduled.jsp in Apache ActiveMQ 5.8.0 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors involving the \"cron of a 
message.\"","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2013-1880":{"description":"Cross-site scripting (XSS) vulnerability in the Portfolio publisher servlet in the demo web application in Apache ActiveMQ before 5.9.0 allows remote attackers to inject arbitrary web script or HTML via the refresh parameter to demo/portfolioPublish, a different vulnerability than CVE-2012-6092.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2013-3060":{"description":"The web console in Apache ActiveMQ before 5.8.0 does not require authentication, which allows remote attackers to obtain sensitive information or cause a denial of service via HTTP 
requests.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2014-3576":{"description":"The processControlCommand function in broker/TransportConnection.java in Apache ActiveMQ before 5.11.0 allows remote attackers to cause a denial of service (shutdown) via a shutdown command.","debianbug":792857,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.6.0+dfsg1-4+deb8u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.6.0+dfsg1-4+deb8u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4+deb8u1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4+deb8u1","urgency":"not yet assigned"}}},"CVE-2014-3600":{"description":"XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML 
messages.","debianbug":777196,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"}}},"CVE-2014-3612":{"description":"The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. 
See CVE-2015-6524 for the use of wildcard operators in usernames.","debianbug":777196,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"}}},"CVE-2014-8110":{"description":"Multiple cross-site scripting (XSS) vulnerabilities in the web based administration console in Apache ActiveMQ 5.x before 5.10.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2015-1830":{"description":"Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified 
vectors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2015-5254":{"description":"Apache ActiveMQ 5.x before 5.13.0 does not restrict the classes that can be serialized in the broker, which allows remote attackers to execute arbitrary code via a crafted serialized Java Message Service (JMS) ObjectMessage object.","debianbug":809733,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.13.2+dfsg-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.13.2+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.13.2+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.13.2+dfsg-1","urgency":"not yet assigned"}}},"CVE-2015-6524":{"description":"The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. 
NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.6.0+dfsg1-4","urgency":"low"}}},"CVE-2015-7559":{"description":"It was found that the Apache ActiveMQ client before 5.14.5 exposed a remote shutdown command in the ActiveMQConnection class. An attacker logged into a compromised broker could use this flaw to achieve denial of service on a connected client.","debianbug":860866,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.14.3-3","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.14.3-3","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.14.3-3","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.14.3-3","urgency":"not yet assigned"}}},"CVE-2016-0734":{"description":"The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME 
element.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2016-0782":{"description":"The administration web console in Apache ActiveMQ 5.x before 5.11.4, 5.12.x before 5.12.3, and 5.13.x before 5.13.2 allows remote authenticated users to conduct cross-site scripting (XSS) attacks and consequently obtain sensitive information from a Java memory dump via vectors related to creating a queue.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.13.2+dfsg-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.13.2+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.13.2+dfsg-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.13.2+dfsg-1","urgency":"unimportant"}}},"CVE-2016-3088":{"description":"The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.14.0+dfsg-1","urgency":"not yet 
assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.14.0+dfsg-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.14.0+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.14.0+dfsg-1","urgency":"not yet assigned"}}},"CVE-2016-6810":{"description":"In Apache ActiveMQ 5.x before 5.14.2, an instance of a cross-site scripting vulnerability was identified to be present in the web based administration console. The root cause of this issue is improper user data output validation.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.14.2+dfsg-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.14.2+dfsg-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.14.2+dfsg-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.14.2+dfsg-1","urgency":"unimportant"}}},"CVE-2017-15709":{"description":"When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 it was found that certain system details (such as the OS and kernel version) are exposed as plain text.","debianbug":890352,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.15.3-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.15.3-1","urgency":"not yet 
assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.15.3-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.15.3-1","urgency":"not yet assigned"}}},"CVE-2018-11775":{"description":"TLS hostname verification when using the Apache ActiveMQ Client before 5.15.6 was missing which could make the client vulnerable to a MITM attack between a Java application using the ActiveMQ client and the ActiveMQ server. This is now enabled by default.","debianbug":908950,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.15.6-1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.15.6-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.15.6-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.15.6-1","urgency":"low"}}},"CVE-2018-8006":{"description":"An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the queue.jsp page of Apache ActiveMQ versions 5.0.0 to 5.15.5. 
The root cause of this issue is improper data filtering of the QueueFilter parameter.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.15.6-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.15.6-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.15.6-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.15.6-1","urgency":"unimportant"}}},"CVE-2019-0222":{"description":"In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame can lead to broker Out of Memory exception making it unresponsive.","debianbug":925964,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.15.9-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.15.9-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.15.9-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.15.9-1","urgency":"unimportant"}}},"CVE-2020-11998":{"description":"A regression has been introduced in the commit preventing JMX re-bind. 
By passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials, it leaves ActiveMQ open to the following attack: https://docs.oracle.com/javase/8/docs/technotes/guides/management/agent.html \"A remote client could create a javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs, at least if there is no security manager. In other words, a rogue remote client could make your Java application execute arbitrary code.\" Mitigation: Upgrade to Apache ActiveMQ 5.15.13","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2020-13920":{"description":"Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX RMI registry and binds the server to the \"jmxrmi\" entry. It is possible to connect to the registry without authentication and call the rebind method to rebind jmxrmi to something else. If an attacker creates another server to proxy the original, and bound that, he effectively becomes a man in the middle and is able to intercept the credentials when an user connects. 
Upgrade to Apache ActiveMQ 5.15.12.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.16.0-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.16.0-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.16.0-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.16.0-1","urgency":"not yet assigned"}}},"CVE-2020-13947":{"description":"An instance of a cross-site scripting vulnerability was identified to be present in the web based administration console on the message.jsp page of Apache ActiveMQ versions 5.15.12 through 5.16.0.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.16.1-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.16.1-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.16.1-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.16.1-1","urgency":"unimportant"}}},"CVE-2020-1941":{"description":"In Apache ActiveMQ 5.0.0 to 5.15.11, the webconsole admin GUI is open to XSS, in the view that lists the contents of a 
queue.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.16.0-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.16.0-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.16.0-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.16.0-1","urgency":"unimportant"}}},"CVE-2021-26117":{"description":"The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error, resulting in no check on the password.","debianbug":982590,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.16.1-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.16.1-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.16.1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.16.1-1","urgency":"not yet assigned"}}},"CVE-2022-41678":{"description":"Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution.\u00a0 In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create JmxRequest through 
JSONObject. And calls to org.jolokia.http.HttpRequestHandler#executeRequest. Into deeper calling stacks, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through refection. This could lead to RCE through via various mbeans. One example is unrestricted deserialization in jdk.management.jfr.FlightRecorderMXBeanImpl which exists on Java version above 11. 1 Call newRecording. 2 Call setConfiguration. And a webshell data hides in it. 3 Call startRecording. 4 Call copyTo method. The webshell will be written to a .jsp file. The mitigation is to restrict (by default) the actions authorized on Jolokia, or disable Jolokia. A more restrictive Jolokia configuration has been defined in default ActiveMQ distribution. We encourage users to upgrade to ActiveMQ distributions version including updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.17.2+dfsg-2+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.16.1-1+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.17.6+dfsg-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.17.6+dfsg-1","urgency":"unimportant"}}},"CVE-2023-46604":{"description":"The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. 
Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.","debianbug":1054909,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"5.17.2+dfsg-2+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.16.1-1+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.17.6+dfsg-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.17.6+dfsg-1","urgency":"not yet assigned"}}},"CVE-2024-32114":{"description":"In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the broker (using Jolokia JMX REST API) and/or produce/consume messages or purge/delete destinations (using the Message REST API). 
To mitigate, users can update the default conf/jetty.xml configuration file to add authentication requirement: Or we encourage users to upgrade to Apache ActiveMQ 6.1.2 where the default configuration has been updated with authentication by default.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2025-27533":{"description":"Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ. During unmarshalling of OpenWire commands the size value of buffers was not properly validated which could lead to excessive memory allocation and be exploited to cause a denial of service (DoS) by depleting process memory, thereby affecting applications and services that rely on the availability of the ActiveMQ broker when not using mutual TLS connections. This issue affects Apache ActiveMQ: from 6.0.0 before 6.1.6, from 5.18.0 before 5.18.7, from 5.17.0 before 5.17.7, before 5.16.8. ActiveMQ 5.19.0 is not affected. Users are recommended to upgrade to version 6.1.6+, 5.19.0+, 5.18.7+, 5.17.7, or 5.16.8 or which fixes the issue. 
Existing users may implement mutual TLS to mitigate the risk on affected brokers.","debianbug":1104933,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"5.16.1-1+deb11u2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"5.17.6+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"5.17.6+dfsg-2","urgency":"not yet assigned"}}},"CVE-2025-66168":{"description":"WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the\u00a0 following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046 Original Report: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets.\u00a0When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes\u00a0the broker susceptible to unexpected behavior when interacting with non-compliant clients.\u00a0This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes.\u00a0The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. 
This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-33227":{"description":"Improper validation and restriction of a classpath path name vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ. In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated user provided \"key\" value could be constructed to traverse the classpath due to path concatenation. As a result, the application is exposed to a classpath path resource loading vulnerability that could potentially be chained together with another attack to lead to exploit. This issue affects Apache ActiveMQ Client: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Broker: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ All: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ Web: before 5.19.3, from 6.0.0 before 6.2.2; Apache ActiveMQ: before 5.19.3, from 6.0.0 before 6.2.2. Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue. 
Note: 5.19.3 and 6.2.2 also fix this issue, but that is limited to non-Windows environments due to a path separator resolution bug fixed in 5.19.4 and 6.2.3.","debianbug":1136024,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-34197":{"description":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ All: before 5.19.4, from 6.0.0 before 6.2.3; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.3. 
Users are recommended to upgrade to version 5.19.4 or 6.2.3, which fixes the issue","debianbug":1136024,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-39304":{"description":"Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. 
Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.","debianbug":1136024,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-40046":{"description":"Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. 
Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.17.6+dfsg-2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2026-40466":{"description":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. An authenticated attacker may bypass the fix in CVE-2026-34197 by adding a connector using an HTTP Discovery transport via\u00a0BrokerView.addNetworkConnector or\u00a0BrokerView.addConnector through\u00a0Jolokia if the activemq-http module is on the classpath. A malicious HTTP endpoint can return a VM transport through the HTTP URI which will bypass the validation added in CVE-2026-34197. The attacker can then use the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5. 
Users are recommended to upgrade to version 5.19.6 or 6.2.5, which fixes the issue.","debianbug":1136024,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-41043":{"description":"Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing queues in the web console by overriding the content type to be HTML (instead of XML) and by injecting HTML into a JMS selector field. This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Web: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.","debianbug":1136024,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-41044":{"description":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ All. 
An authenticated attacker can use the admin web console page to construct a malicious broker name that bypasses name validation to include an xbean binding that can be later used by a VM transport to load a remote Spring XML application. The attacker can then use the DestinationView mbean to send a message to trigger a VM transport creation that will reference this malicious broker name which can lead to loading the malicious Spring XML context file. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ Broker: before 5.19.6, from 6.0.0 before 6.2.5; Apache ActiveMQ All: before 5.19.6, from 6.0.0 before 6.2.5. Users are recommended to upgrade to version 6.2.5 or 5.19.6, which fixes the issue.","debianbug":1136024,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-42253":{"description":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. The MessageServlet in the ActiveMQ web console API copies every JMS message property into an HTTP response header without any validation. This can allow overwriting and injecting security headers by setting them on JMS messages that are returned by the servlet. 
This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ Web: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.\u00a0The MessageServlet has now been deprecated and disabled by default.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-42588":{"description":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String). An authenticated attacker can invoke these operations with a crafted discovery URI that triggers the VM transport's brokerConfig parameter using the \"masterslave:// \" URL which can allow loading a\u00a0Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. 
Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-45505":{"description":"Improper Input Validation, Improper Control of Generation of Code ('Code Injection') vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Non-parenthesized discovery wrappers such as `masterslave:vm://...,...` and `static:vm://...` incorrectly pass validation allowing bypass of fix in\u00a0CVE-2026-34197.\u00a0 Original description from\u00a0CVE-2026-34197. Apache ActiveMQ exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations on all ActiveMQ MBeans (org.apache.activemq:*), including BrokerService.addNetworkConnector(String) and BrokerService.addConnector(String).\u00a0An authenticated attacker can invoke these operations with a crafted discovery UR that triggers the VM transport's brokerConfig parameter to load a remote Spring XML application context using ResourceXmlApplicationContext. Because Spring's ResourceXmlApplicationContext instantiates all singleton beans before the BrokerService validates the configuration, arbitrary code execution occurs on the broker's JVM through bean factory methods such as Runtime.exec(). This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. 
Users are recommended to upgrade to version 5.19.7 or 6.2.6, which fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-46605":{"description":"Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-49157":{"description":"Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. 
The default Jolokia authorization settings granted\u00a0non-admin (low-privilege) web-login accounts\u00a0access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}},"CVE-2026-49270":{"description":"Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker,\u00a0including client identifiers, subscription names, topic destinations, and\u00a0JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. 
Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"5.17.2+dfsg-2+deb12u1","bookworm-security":"5.17.2+dfsg-2+deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"5.16.1-1","bullseye-security":"5.16.1-1+deb11u2"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"5.17.6+dfsg-2"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"5.17.6+dfsg-2"},"urgency":"not yet assigned"}}}},"adduser":{"TEMP-0331720-9168FE":{"debianbug":331720,"releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.134"},"fixed_version":"3.77","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.118+deb11u1"},"fixed_version":"3.77","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"3.157"},"fixed_version":"3.77","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"3.157"},"fixed_version":"3.77","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"3.152"},"fixed_version":"3.77","urgency":"low"}}}},"adequate":{"CVE-2013-6409":{"description":"Debian adequate before 0.8.1, when run by root with the --user option, allows local users to hijack the tty and possibly gain privileges via the TIOCSTI ioctl.","debianbug":730691,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.15.9~deb12u1"},"fixed_version":"0.8.1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.15.6"},"fixed_version":"0.8.1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"0.17.6"},"fixed_version":"0.8.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.17.6"},"fixed_version":"0.8.1","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.17.5"},"fixed_version":"0.8.1","urgency":"not yet assigned"}}}},"admesh":{"CVE-2018-25033":{"description":"ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_connects_remove_1 (called from stl_remove_degenerate) in connect.c in libadmesh.a.","debianbug":1010770,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.98.4-2"},"fixed_version":"0.98.4-2","urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"0.98.4-1"},"urgency":"not yet assigned","nodsa":"Minor issue; can be fixed via point release","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"0.98.5-1"},"fixed_version":"0.98.4-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.98.5-1"},"fixed_version":"0.98.4-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.98.5-1"},"fixed_version":"0.98.4-2","urgency":"not yet assigned"}}},"CVE-2022-38072":{"description":"An improper array index validation vulnerability exists in the stl_fix_normal_directions functionality of ADMesh Master Commit 767a105 and v0.98.4. A specially-crafted stl file can lead to a heap buffer overflow. 
An attacker can provide a malicious file to trigger this vulnerability.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"0.98.4-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"0.98.4-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":"postponed"},"forky":{"status":"resolved","repositories":{"forky":"0.98.5-1"},"fixed_version":"0.98.5-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.98.5-1"},"fixed_version":"0.98.5-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.98.5-1"},"fixed_version":"0.98.5-1","urgency":"not yet assigned"}}},"CVE-2026-2653":{"description":"A security flaw has been discovered in admesh up to 0.98.5. This issue affects the function stl_check_normal_vector of the file src/normals.c. Performing a manipulation results in heap-based buffer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. 
It looks like this product is not really maintained anymore.","debianbug":1128613,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"0.98.4-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"0.98.4-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":"postponed"},"forky":{"status":"open","repositories":{"forky":"0.98.5-1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"0.98.5-1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"0.98.5-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""}}}},"adminer":{"CVE-2018-7667":{"description":"Adminer through 4.3.1 has SSRF via the server parameter.","debianbug":893668,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"4.8.1-1"},"fixed_version":"4.5.0-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"4.7.9-2"},"fixed_version":"4.5.0-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"4.5.0-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"4.5.0-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"4.5.0-1","urgency":"not yet assigned"}}},"CVE-2020-35572":{"description":"Adminer through 4.7.8 allows XSS via the history parameter to the default URI.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"4.8.1-1"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"4.7.9-2"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"4.7.9-1","urgency":"not yet 
assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"}}},"CVE-2021-21311":{"description":"Adminer is an open-source database management in a single PHP file. In adminer from version 4.0.0 and before 4.7.9 there is a server-side request forgery vulnerability. Users of Adminer versions bundling all drivers (e.g. `adminer.php`) are affected. This is fixed in version 4.7.9.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"4.8.1-1"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"4.7.9-2"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"4.7.9-1","urgency":"not yet assigned"}}},"CVE-2021-29625":{"description":"Adminer is open-source database management software. A cross-site scripting vulnerability in Adminer versions 4.6.1 to 4.8.0 affects users of MySQL, MariaDB, PgSQL and SQLite. XSS is in most cases prevented by strict CSP in all modern browsers. The only exception is when Adminer is using a `pdo_` extension to communicate with the database (it is used if the native extensions are not enabled). In browsers without CSP, Adminer versions 4.6.1 to 4.8.0 are affected. The vulnerability is patched in version 4.8.1. As workarounds, one can use a browser supporting strict CSP or enable the native PHP extensions (e.g. 
`mysqli`) or disable displaying PHP errors (`display_errors`).","debianbug":988886,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"4.8.1-1"},"fixed_version":"4.7.9-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"4.7.9-2"},"fixed_version":"4.7.9-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"4.7.9-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"4.7.9-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"4.7.9-2","urgency":"not yet assigned"}}},"CVE-2021-43008":{"description":"Improper Access Control in Adminer versions 1.12.0 to 4.6.2 (fixed in version 4.6.3) allows an attacker to achieve Arbitrary File Read on the remote server by requesting the Adminer to connect to a remote MySQL database.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"4.8.1-1"},"fixed_version":"4.6.3-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"4.7.9-2"},"fixed_version":"4.6.3-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"4.6.3-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"4.6.3-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"4.6.3-1","urgency":"not yet assigned"}}},"CVE-2023-45195":{"description":"Adminer and AdminerEvo are vulnerable to SSRF via database connection fields. 
This could allow an unauthenticated remote attacker to enumerate or access systems the attacker would not otherwise have access to.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.","debianbug":1074430,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"4.8.1-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"4.7.9-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"4.8.1-4","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"4.8.1-4","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"4.8.1-4","urgency":"not yet assigned"}}},"CVE-2023-45196":{"description":"Adminer and AdminerEvo allow an unauthenticated remote attacker to cause a denial of service by connecting to an attacker-controlled service that responds with HTTP redirects. 
The denial of service is subject to PHP configuration limits.\u00a0Adminer is no longer supported, but this issue was fixed in AdminerEvo version 4.8.4.","debianbug":1074430,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"4.8.1-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"4.7.9-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"4.8.1-4","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"4.8.1-4","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"4.8.1-4","urgency":"not yet assigned"}}},"CVE-2025-43960":{"description":"Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer\u2019s interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"4.8.1-1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"4.7.9-2"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"5.4.2+dfsg-1"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"5.4.2+dfsg-1"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"5.2.1+dfsg-1"},"urgency":"unimportant"}}},"CVE-2026-25892":{"description":"Adminer is open-source database management software. 
Adminer v5.4.1 and earlier has a version check mechanism where adminer.org sends signed version info via JavaScript postMessage, which the browser then POSTs to ?script=version. This endpoint lacks origin validation and accepts POST data from any source. An attacker can POST version[] parameter which PHP converts to an array. On next page load, openssl_verify() receives this array instead of string and throws TypeError, returning HTTP 500 to all users. Upgrade to Adminer 5.4.2.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"4.8.1-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"4.7.9-2"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"5.4.2+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"5.4.2+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"5.2.1+dfsg-1"},"fixed_version":"0","urgency":"unimportant"}}}},"adns":{"CVE-2008-1447":{"description":"The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka \"DNS Insufficient Socket Entropy Vulnerability\" or \"the Kaminsky 
bug.\"","debianbug":492698,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.4-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.4-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.4-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.4-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.4-2","urgency":"unimportant"}}},"CVE-2008-4100":{"description":"GNU adns 1.4 and earlier uses a fixed source port and sequential transaction IDs for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447. NOTE: the vendor reports that this is intended behavior and is compatible with the product's intended role in a trusted environment.","debianbug":492698,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.4-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.4-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.4-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.4-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.4-2","urgency":"unimportant"}}},"CVE-2017-9103":{"description":"An issue was discovered in adns before 1.5.2. pap_mailbox822 does not properly check st from adns__findlabel_next. Without this, an uninitialised stack value can be used as the first label length. 
Depending on the circumstances, an attacker might be able to trick adns into crashing the calling program, leaking aspects of the contents of some of its memory, causing it to allocate lots of memory, or perhaps overrunning a buffer. This is only possible with applications which make non-raw queries for SOA or RP records.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.6.0-2","urgency":"unimportant"}}},"CVE-2017-9104":{"description":"An issue was discovered in adns before 1.5.2. It hangs, eating CPU, if a compression pointer loop is encountered.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.6.0-2","urgency":"unimportant"}}},"CVE-2017-9105":{"description":"An issue was discovered in adns before 1.5.2. It corrupts a pointer when a nameserver speaks first because of a wrong number of pointer dereferences. 
This bug may well be exploitable as a remote code execution.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.6.0-2","urgency":"unimportant"}}},"CVE-2017-9106":{"description":"An issue was discovered in adns before 1.5.2. adns_rr_info mishandles a bogus *datap. The general pattern for formatting integers is to sprintf into a fixed-size buffer. This is correct if the input is in the right range; if it isn't, the buffer may be overrun (depending on the sizes of the types on the current platform). Of course the inputs ought to be right. And there are pointers in there too, so perhaps one could say that the caller ought to check these things. It may be better to require the caller to make the pointer structure right, but to have the code here be defensive about (and tolerate with an error but without crashing) out-of-range integer values. So: it should defend each of these integer conversion sites with a check for the actual permitted range, and return adns_s_invaliddata if not. The lack of this check causes the SOA sign extension bug to be a serious security problem: the sign extended SOA value is out of range, and overruns the buffer when reconverted. 
This is related to sign extending SOA 32-bit integer fields, and use of a signed data type.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.6.0-2","urgency":"unimportant"}}},"CVE-2017-9107":{"description":"An issue was discovered in adns before 1.5.2. It overruns reading a buffer if a domain ends with backslash. If the query domain ended with \\, and adns_qf_quoteok_query was specified, qdparselabel would read additional bytes from the buffer and try to treat them as the escape sequence. It would depart the input buffer and start processing many bytes of arbitrary heap data as if it were the query domain. Eventually it would run out of input or find some other kind of error, and declare the query domain invalid. But before then it might outrun available memory and crash. 
In principle this could be a denial of service attack.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.6.0-2","urgency":"unimportant"}}},"CVE-2017-9108":{"description":"An issue was discovered in adns before 1.5.2. adnshost mishandles a missing final newline on a stdin read. It is wrong to increment used as well as setting r, since used is incremented according to r, later. Rather one should be doing what read() would have done. Without this fix, adnshost may read and process one byte beyond the buffer, perhaps crashing or perhaps somehow leaking the value of that byte.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.6.0-2","urgency":"unimportant"}}},"CVE-2017-9109":{"description":"An issue was discovered in adns before 1.5.2. It fails to ignore apparent answers before the first RR that was found the first time. when this is fixed, the second answer scan finds the same RRs at the first. 
Otherwise, adns can be confused by interleaving answers for the CNAME target, with the CNAME itself. In that case the answer data structure (on the heap) can be overrun. With this fixed, it prefers to look only at the answer RRs which come after the CNAME, which is at least arguably correct.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.6.0-2"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.6.2-3"},"fixed_version":"1.6.0-2","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.6.1-1"},"fixed_version":"1.6.0-2","urgency":"unimportant"}}}},"adplug":{"CVE-2006-3581":{"description":"Multiple stack-based buffer overflows in Audacious AdPlug 2.0 and earlier allow remote user-assisted attackers to execute arbitrary code via large (1) DTM and (2) S3M files.","debianbug":378279,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"}}},"CVE-2006-3582":{"description":"Multiple heap-based buffer overflows in Audacious AdPlug 2.0 and earlier allow remote user-assisted attackers to execute arbitrary code via the size specified in the package header of (1) CFF, (2) MTK, (3) DMO, 
and (4) U6M files.","debianbug":378279,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.0.1-1","urgency":"medium"}}},"CVE-2018-17825":{"description":"An issue was discovered in AdPlug 2.3.1. There are several double-free vulnerabilities in the CEmuopl class in emuopl.cpp because of a destructor's two OPLDestroy calls, each of which frees TL_TABLE, SIN_TABLE, AMS_TABLE, and VIB_TABLE.","debianbug":910534,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.2.1+dfsg3-1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.2.1+dfsg3-1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.2.1+dfsg3-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.2.1+dfsg3-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.2.1+dfsg3-1","urgency":"low"}}},"CVE-2019-14690":{"description":"AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() in bmf.cpp.","debianbug":943929,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet 
assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"}}},"CVE-2019-14691":{"description":"AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in dtm.cpp.","debianbug":943928,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"}}},"CVE-2019-14692":{"description":"AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in mkj.cpp.","debianbug":943927,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet 
assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"}}},"CVE-2019-14732":{"description":"AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::load() in a2m.cpp.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"}}},"CVE-2019-14733":{"description":"AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::load() in rad.cpp.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"}}},"CVE-2019-14734":{"description":"AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::load() in 
mtk.cpp.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"}}},"CVE-2019-15151":{"description":"AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h.","debianbug":946340,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.4+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.3.3+dfsg-2"},"fixed_version":"2.3.3+dfsg-2","urgency":"not yet assigned"}}}},"advancecomp":{"CVE-2018-1056":{"description":"An out-of-bounds heap buffer read flaw was found in the way advancecomp before 2.1-2018/02 handled processing of ZIP files. 
An attacker could potentially use this flaw to crash the advzip utility by tricking it into processing crafted ZIP files.","debianbug":889270,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.1-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.1-2.1"},"fixed_version":"2.1-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.1-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.1-1","urgency":"not yet assigned"}}},"CVE-2019-8379":{"description":"An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer dereference exists in the function be_uint32_read() located in endianrw.h. It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.","debianbug":928729,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.1-2.1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"}}},"CVE-2019-8383":{"description":"An issue was discovered in AdvanceCOMP through 2.1. An invalid memory address occurs in the function adv_png_unfilter_8 in lib/png.c. 
It can be triggered by sending a crafted file to a binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact when a victim opens a specially crafted file.","debianbug":928730,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.1-2.1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.1-2.1","urgency":"not yet assigned"}}},"CVE-2019-9210":{"description":"In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer overflow upon encountering an invalid PNG size, which results in an attempted memcpy to write into a buffer that is too small. 
(There is also a heap-based buffer over-read.)","debianbug":923416,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.1-2","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.1-2.1"},"fixed_version":"2.1-2","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.1-2","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.1-2","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.1-2","urgency":"low"}}},"CVE-2022-35014":{"description":"Advancecomp v2.3 contains a segmentation fault.","debianbug":1019592,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"}}},"CVE-2022-35015":{"description":"Advancecomp v2.3 was discovered to contain a heap buffer overflow via le_uint32_read at 
/lib/endianrw.h.","debianbug":1019592,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"}}},"CVE-2022-35016":{"description":"Advancecomp v2.3 was discovered to contain a heap buffer overflow.","debianbug":1019592,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"}}},"CVE-2022-35017":{"description":"Advancecomp v2.3 was discovered to contain a heap buffer 
overflow.","debianbug":1019592,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"}}},"CVE-2022-35018":{"description":"Advancecomp v2.3 was discovered to contain a segmentation fault.","debianbug":1019592,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"}}},"CVE-2022-35019":{"description":"Advancecomp v2.3 was discovered to contain a segmentation fault.","debianbug":1019592,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.4-1","urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.4-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.4-1","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.4-1","urgency":"not yet assigned"}}},"CVE-2022-35020":{"description":"Advancecomp v2.3 was discovered to contain a heap buffer overflow via the component __interceptor_memcpy at /sanitizer_common/sanitizer_common_interceptors.inc.","debianbug":1019592,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.4-1","urgency":"unimportant"}}},"CVE-2023-2961":{"description":"A segmentation fault flaw was found in the Advancecomp package. 
This may lead to decreased availability.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.5-1"},"fixed_version":"2.5-1","urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"2.1-2.1"},"urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.5-1"},"fixed_version":"2.5-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.5-1"},"fixed_version":"2.5-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.5-1"},"fixed_version":"2.5-1","urgency":"unimportant"}}}},"advi":{"CVE-2009-2295":{"description":"Multiple integer overflows in CamlImages 2.2 and earlier might allow context-dependent attackers to execute arbitrary code via a crafted PNG image with large width and height values that trigger a heap-based buffer overflow in the (1) read_png_file or (2) read_png_file_as_rgb24 function.","debianbug":550440,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.10.2-9"},"fixed_version":"1.6.0-15","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.10.2-9"},"fixed_version":"1.6.0-15","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"2.0.0-5"},"fixed_version":"1.6.0-15","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"2.0.0-5"},"fixed_version":"1.6.0-15","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"2.0.0-4"},"fixed_version":"1.6.0-15","urgency":"low"}}},"CVE-2009-2660":{"description":"Multiple integer overflows in CamlImages 2.2 might allow context-dependent attackers to execute arbitrary code via images containing large width and height values that trigger a heap-based buffer overflow, related to (1) crafted GIF files (gifread.c) and (2) crafted JPEG files (jpegread.c), a different vulnerability than 
CVE-2009-2295.","debianbug":551282,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.10.2-9"},"fixed_version":"1.6.0-15","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.10.2-9"},"fixed_version":"1.6.0-15","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"2.0.0-5"},"fixed_version":"1.6.0-15","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"2.0.0-5"},"fixed_version":"1.6.0-15","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"2.0.0-4"},"fixed_version":"1.6.0-15","urgency":"low"}}},"CVE-2009-3296":{"description":"Multiple integer overflows in tiffread.c in CamlImages 2.2 might allow remote attackers to execute arbitrary code via TIFF images containing large width and height values that trigger heap-based buffer overflows.","debianbug":551282,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.10.2-9"},"fixed_version":"1.6.0-15","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.10.2-9"},"fixed_version":"1.6.0-15","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"2.0.0-5"},"fixed_version":"1.6.0-15","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"2.0.0-5"},"fixed_version":"1.6.0-15","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"2.0.0-4"},"fixed_version":"1.6.0-15","urgency":"low"}}}},"aerc":{"CVE-2025-49466":{"description":"aerc before 93bec0d allows directory traversal in commands/msgview/open.go because of direct path concatenation of the name of an attachment part,","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.14.0-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"0.21.0-2"},"fixed_version":"0.20.0-2","urgency":"not yet 
assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.21.0-2"},"fixed_version":"0.20.0-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.20.0-2"},"fixed_version":"0.20.0-2","urgency":"not yet assigned"}}}},"afflib":{"CVE-2018-8050":{"description":"The af_get_page() function in lib/afflib_pages.cpp in AFFLIB (aka AFFLIBv3) through 3.7.16 allows remote attackers to cause a denial of service (segmentation fault) via a corrupt AFF image that triggers an unexpected pagesize value.","debianbug":892599,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.7.20-1"},"fixed_version":"3.7.16-3","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.7.19-1"},"fixed_version":"3.7.16-3","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"3.7.22-2"},"fixed_version":"3.7.16-3","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.7.22-2"},"fixed_version":"3.7.16-3","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.7.21-1"},"fixed_version":"3.7.16-3","urgency":"unimportant"}}}},"aflplusplus":{"CVE-2023-26266":{"description":"In AFL++ 4.05c, the CmpLog component uses the current working directory to resolve and execute unprefixed fuzzing targets, allowing code execution.","debianbug":1033255,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"4.04c-4"},"fixed_version":"4.04c-4","urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"2.68c-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"4.33c-1.1"},"fixed_version":"4.04c-4","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"4.33c-1.1"},"fixed_version":"4.04c-4","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"4.21c-5"},"fixed_version":"4.04c-4","urgency":"not yet assigned"}}}},"afuse":{"CVE-2008-2232":{"description":"The expand_template function in afuse.c in afuse 0.2 allows local users to gain privileges via shell metacharacters in a pathname.","debianbug":490921,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.4.1-1.1"},"fixed_version":"0.2-3","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.4.1-1"},"fixed_version":"0.2-3","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"0.5.0-2"},"fixed_version":"0.2-3","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"0.5.0-2"},"fixed_version":"0.2-3","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"0.5.0-0.1"},"fixed_version":"0.2-3","urgency":"medium"}}}},"agg":{"CVE-2019-6245":{"description":"An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SVG++ (aka svgpp) 1.2.3. In the function agg::cell_aa::not_equal, dx is assigned to (x2 - x1). If dx >= dx_limit, which is (16384 << poly_subpixel_shift), this function will call itself recursively. 
There can be a situation where (x2 - x1) is always bigger than dx_limit during the recursion, leading to continual stack consumption.","debianbug":919322,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.6.1-r134+dfsg1-2"},"fixed_version":"1:2.4-r127+dfsg1-1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.6.1-r134+dfsg1-2"},"fixed_version":"1:2.4-r127+dfsg1-1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"1:2.7.0.r145+dfsg-2.1"},"fixed_version":"1:2.4-r127+dfsg1-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"1:2.7.0.r145+dfsg-2.1"},"fixed_version":"1:2.4-r127+dfsg1-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.7.0.r145+dfsg-2"},"fixed_version":"1:2.4-r127+dfsg1-1","urgency":"low"}}}},"aide":{"CVE-2005-2096":{"description":"zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.","debianbug":317523,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.18.3-1+deb12u4","bookworm-security":"0.18.3-1+deb12u4"},"fixed_version":"0.10-6.1.1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.17.3-4+deb11u2","bullseye-security":"0.17.3-4+deb11u3"},"fixed_version":"0.10-6.1.1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"0.19.3-1"},"fixed_version":"0.10-6.1.1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"0.19.3-1"},"fixed_version":"0.10-6.1.1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"0.19.1-2+deb13u2","trixie-security":"0.19.1-2+deb13u1"},"fixed_version":"0.10-6.1.1","urgency":"unimportant"}}},"CVE-2021-45417":{"description":"AIDE before 0.17.4 
allows local users to obtain root privileges via crafted file metadata (such as XFS extended attributes or tmpfs ACLs), because of a heap-based buffer overflow.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.18.3-1+deb12u4","bookworm-security":"0.18.3-1+deb12u4"},"fixed_version":"0.17.4-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.17.3-4+deb11u2","bullseye-security":"0.17.3-4+deb11u3"},"fixed_version":"0.17.3-4+deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"0.19.3-1"},"fixed_version":"0.17.4-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.19.3-1"},"fixed_version":"0.17.4-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.19.1-2+deb13u2","trixie-security":"0.19.1-2+deb13u1"},"fixed_version":"0.17.4-1","urgency":"not yet assigned"}}},"CVE-2025-54389":{"description":"AIDE is an advanced intrusion detection environment. Prior to version 0.19.2, there is an improper output neutralization vulnerability in AIDE. An attacker can craft a malicious filename by including terminal escape sequences to hide the addition or removal of the file from the report and/or tamper with the log output. A local user might exploit this to bypass the AIDE detection of malicious files. Additionally the output of extended attribute key names and symbolic links targets are also not properly neutralized. This issue has been patched in version 0.19.2. 
A workaround involves configuring AIDE to write the report output to a regular file, redirecting stdout to a regular file, or redirecting the log output written to stderr to a regular file.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.18.3-1+deb12u4","bookworm-security":"0.18.3-1+deb12u4"},"fixed_version":"0.18.3-1+deb12u4","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.17.3-4+deb11u2","bullseye-security":"0.17.3-4+deb11u3"},"fixed_version":"0.17.3-4+deb11u3","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"0.19.3-1"},"fixed_version":"0.19.2-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.19.3-1"},"fixed_version":"0.19.2-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.19.1-2+deb13u2","trixie-security":"0.19.1-2+deb13u1"},"fixed_version":"0.19.1-2+deb13u1","urgency":"not yet assigned"}}},"CVE-2025-54409":{"description":"AIDE is an advanced intrusion detection environment. From versions 0.13 to 0.19.1, there is a null pointer dereference vulnerability in AIDE. An attacker can crash the program during report printing or database listing after setting extended file attributes with an empty attribute value or with a key containing a comma. A local user might exploit this to cause a local denial of service. This issue has been patched in version 0.19.2. 
A workaround involves removing xattrs group from rules matching files on affected file systems.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.18.3-1+deb12u4","bookworm-security":"0.18.3-1+deb12u4"},"fixed_version":"0.18.3-1+deb12u4","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.17.3-4+deb11u2","bullseye-security":"0.17.3-4+deb11u3"},"fixed_version":"0.17.3-4+deb11u3","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"0.19.3-1"},"fixed_version":"0.19.2-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.19.3-1"},"fixed_version":"0.19.2-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.19.1-2+deb13u2","trixie-security":"0.19.1-2+deb13u1"},"fixed_version":"0.19.1-2+deb13u1","urgency":"not yet assigned"}}}},"aiomysql":{"CVE-2025-62611":{"description":"aiomysql is a library for accessing a MySQL database from the asyncio. Prior to version 0.3.0, the client-side settings are not checked before sending local files to MySQL server, which allows obtaining arbitrary files from the client using a rogue server. It is possible to create a rogue MySQL server that emulates authorization, ignores client flags and requests arbitrary files from the client by sending a LOAD_LOCAL instruction packet. 
This issue has been patched in version 0.3.0.","debianbug":1118754,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"0.1.1-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"open","repositories":{"bullseye":"0.0.20-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":"postponed"},"forky":{"status":"resolved","repositories":{"forky":"0.3.2-2"},"fixed_version":"0.3.2-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.3.2-2"},"fixed_version":"0.3.2-1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"0.1.1-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""}}}},"aircrack-ng":{"CVE-2007-2057":{"description":"Stack-based buffer overflow in aircrack-ng airodump-ng 0.7 allows remote attackers to execute arbitrary code via crafted 802.11 authentication packets.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:1.7-5"},"fixed_version":"1:0.7-3","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:1.6+git20210130.91820bc-1"},"fixed_version":"1:0.7-3","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:0.7-3","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:0.7-3","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"1:1.7+git20230807.4bf83f1a-2"},"fixed_version":"1:0.7-3","urgency":"medium"}}},"CVE-2010-1159":{"description":"Multiple heap-based buffer overflows in Aircrack-ng before 1.1 allow remote attackers to cause a denial of service (crash) and execute arbitrary code via a (1) large length value in an EAPOL packet or (2) long EAPOL 
packet.","debianbug":577758,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:1.7-5"},"fixed_version":"1:1.1-1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:1.6+git20210130.91820bc-1"},"fixed_version":"1:1.1-1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.1-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.1-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"1:1.7+git20230807.4bf83f1a-2"},"fixed_version":"1:1.1-1","urgency":"low"}}},"CVE-2014-8321":{"description":"Stack-based buffer overflow in the gps_tracker function in airodump-ng.c in Aircrack-ng before 1.2 RC 1 allows local users to execute arbitrary code or gain privileges via unspecified vectors.","debianbug":767979,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:1.7-5"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:1.6+git20210130.91820bc-1"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:1.7+git20230807.4bf83f1a-2"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"}}},"CVE-2014-8322":{"description":"Stack-based buffer overflow in the tcp_test function in aireplay-ng.c in Aircrack-ng before 1.2 RC 1 allows remote attackers to execute arbitrary code via a crafted length parameter 
value.","debianbug":767979,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:1.7-5"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:1.6+git20210130.91820bc-1"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:1.7+git20230807.4bf83f1a-2"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"}}},"CVE-2014-8323":{"description":"buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter.","debianbug":767979,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:1.7-5"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:1.6+git20210130.91820bc-1"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:1.7+git20230807.4bf83f1a-2"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"}}},"CVE-2014-8324":{"description":"network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length 
parameter.","debianbug":767979,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:1.7-5"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:1.6+git20210130.91820bc-1"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:1.7+git20230807.4bf83f1a-3"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:1.7+git20230807.4bf83f1a-2"},"fixed_version":"1:1.2-0~beta3-2","urgency":"not yet assigned"}}}},"alien-arena":{"CVE-2007-4754":{"description":"Format string vulnerability in the safe_bprintf function in acesrc/acebot_cmds.c in Alien Arena 2007 6.10 and earlier allows remote attackers to cause a denial of service (daemon crash) via format string specifiers in a nickname.","debianbug":442075,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"7.71.3+dfsg-3"},"fixed_version":"6.05-4.1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"7.66+dfsg-6"},"fixed_version":"6.05-4.1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"7.71.7+dfsg-1"},"fixed_version":"6.05-4.1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"7.71.7+dfsg-1"},"fixed_version":"6.05-4.1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"7.71.7+dfsg-1"},"fixed_version":"6.05-4.1","urgency":"medium"}}},"CVE-2007-4755":{"description":"Alien Arena 2007 6.10 and earlier allows remote attackers to cause a denial of service (client disconnect) by sending a client_connect command in a forged packet from the server to a client. 
NOTE: client IP addresses are available via product-specific queries.","debianbug":442075,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"7.71.3+dfsg-3"},"fixed_version":"6.05-4.1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"7.66+dfsg-6"},"fixed_version":"6.05-4.1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"7.71.7+dfsg-1"},"fixed_version":"6.05-4.1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"7.71.7+dfsg-1"},"fixed_version":"6.05-4.1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"7.71.7+dfsg-1"},"fixed_version":"6.05-4.1","urgency":"low"}}},"CVE-2009-3637":{"description":"Stack-based buffer overflow in the M_AddToServerList function in client/menu.c in Red Planet Arena Alien Arena 7.30 allows remote attackers to execute arbitrary code via a packet with a crafted server description to UDP port 27901 followed by a packet with a long print command.","debianbug":552038,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"7.71.3+dfsg-3"},"fixed_version":"7.33-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"7.66+dfsg-6"},"fixed_version":"7.33-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"7.71.7+dfsg-1"},"fixed_version":"7.33-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"7.71.7+dfsg-1"},"fixed_version":"7.33-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"7.71.7+dfsg-1"},"fixed_version":"7.33-1","urgency":"medium"}}},"CVE-2010-3439":{"description":"It is possible to cause a DoS condition by causing the server to crash in alien-arena 7.33 by supplying various invalid parameters to the download 
command.","debianbug":575621,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"7.71.3+dfsg-3"},"fixed_version":"7.33-5","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"7.66+dfsg-6"},"fixed_version":"7.33-5","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"7.71.7+dfsg-1"},"fixed_version":"7.33-5","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"7.71.7+dfsg-1"},"fixed_version":"7.33-5","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"7.71.7+dfsg-1"},"fixed_version":"7.33-5","urgency":"low"}}}},"allegro4.4":{"CVE-2021-36489":{"description":"Buffer Overflow vulnerability in Allegro through 5.2.6 allows attackers to cause a denial of service via crafted PCX/TGA/BMP files to allegro_image addon.","debianbug":1032670,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"2:4.4.3.1-3"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":"ignored"},"bullseye":{"status":"open","repositories":{"bullseye":"2:4.4.3.1-2"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"2:4.4.3.1-8"},"fixed_version":"2:4.4.3.1-8","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2:4.4.3.1-8"},"fixed_version":"2:4.4.3.1-8","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"2:4.4.3.1-5"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":"ignored"}}}},"allegro5":{"CVE-2021-36489":{"description":"Buffer Overflow vulnerability in Allegro through 5.2.6 allows attackers to cause a denial of service via crafted PCX/TGA/BMP files to allegro_image addon.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2:5.2.8.0+dfsg-1"},"fixed_version":"2:5.2.8.0-1","urgency":"not yet 
assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2:5.2.6.0-3+deb11u1"},"fixed_version":"2:5.2.6.0-3+deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2:5.2.11.3+dfsg-1"},"fixed_version":"2:5.2.8.0-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2:5.2.11.3+dfsg-1"},"fixed_version":"2:5.2.8.0-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2:5.2.10.1+dfsg-1"},"fixed_version":"2:5.2.8.0-1","urgency":"not yet assigned"}}}},"almanah":{"CVE-2013-1853":{"description":"Almanah Diary 0.9.0 and 0.10.0 does not encrypt the database when closed, which allows local users to obtain sensitive information by reading the database.","debianbug":702905,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.12.3-2"},"fixed_version":"0.9.1-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.12.3-1"},"fixed_version":"0.9.1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.12.4-1"},"fixed_version":"0.9.1-1","urgency":"not yet assigned"}}}},"alpine":{"CVE-2002-1903":{"description":"Pine 4.2.1 through 4.4.4 puts Unix usernames and/or uid into Sender: and X-Sender: headers, which could allow remote attackers to obtain sensitive 
information.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2003-0297":{"description":"c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows remote malicious IMAP servers to cause a denial of service (crash) and possibly execute arbitrary code via certain large (1) literal and (2) mailbox size values that cause either integer signedness errors or integer overflow errors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2003-0720":{"description":"Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME 
type.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2003-0721":{"description":"Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2005-1066":{"description":"Race condition in rpdump in Pine 4.62 and earlier allows local users to overwrite arbitrary files via a symlink 
attack.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2005-2933":{"description":"Buffer overflow in the mail_valid_net_parse_work function in mail.c for Washington's IMAP Server (UW-IMAP) before imap-2004g allows remote attackers to execute arbitrary code via a mailbox name containing a single double-quote (\") character without a closing quote, which causes bytes after the double-quote to be copied into a buffer indefinitely.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2008-5005":{"description":"Multiple stack-based buffer overflows in (1) University of Washington IMAP Toolkit 2002 through 2007c, (2) University of Washington Alpine 2.00 and earlier, and (3) Panda IMAP allow (a) local users to gain privileges by specifying a long folder extension argument on the command line to the tmail or dmail program; and (b) remote attackers to execute arbitrary 
code by sending e-mail to a destination mailbox name composed of a username and '+' character followed by a long string, processed by the tmail or possibly dmail program.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2008-5514":{"description":"Off-by-one error in the rfc822_output_char function in the RFC822BUFFER routines in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit before imap-2007e and other applications, allows context-dependent attackers to cause a denial of service (crash) via an e-mail message that triggers a buffer overflow.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"2.02-3.1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"2.02-3.1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"2.02-3.1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"2.02-3.1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"2.02-3.1","urgency":"low"}}},"CVE-2015-2305":{"description":"Integer overflow in the regcomp implementation in the Henry Spencer BSD regex library (aka rxspencer) alpha3.8.g5 on 32-bit platforms, as used in NetBSD through 6.1.5 and other products, might allow context-dependent 
attackers to execute arbitrary code via a large regular expression that leads to a heap-based buffer overflow.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2020-14929":{"description":"Alpine before 2.23 silently proceeds to use an insecure connection after a /tls is sent in certain circumstances involving PREAUTH, which is a less secure behavior than the alternative of closing the connection and letting the user decide what they would like to do.","debianbug":963179,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"2.23+dfsg1-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2.24+dfsg1-1"},"fixed_version":"2.23+dfsg1-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"2.23+dfsg1-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"2.23+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"2.23+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2021-38370":{"description":"In Alpine before 2.25, untagged responses from an IMAP server are accepted before 
STARTTLS.","debianbug":992171,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"2.24+dfsg1-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"}}},"CVE-2021-46853":{"description":"Alpine before 2.25 allows remote attackers to cause a denial of service (application crash) when LIST or LSUB is sent before STARTTLS.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2.26+dfsg-1"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"2.24+dfsg1-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"forky":{"status":"resolved","repositories":{"forky":"2.26+dfsg-6"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2.26+dfsg-6"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2.26+dfsg-3"},"fixed_version":"2.25+dfsg1-1","urgency":"not yet assigned"}}}},"alsa-lib":{"CVE-2005-0087":{"description":"The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the 
library.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.2.8-1"},"fixed_version":"1.0.9-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.2.4-1.1","bullseye-security":"1.2.4-1.1+deb11u1"},"fixed_version":"1.0.9-1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1.2.16-1"},"fixed_version":"1.0.9-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1.2.16-1"},"fixed_version":"1.0.9-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1.2.14-1"},"fixed_version":"1.0.9-1","urgency":"unimportant"}}},"CVE-2026-25068":{"description":"alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). 
A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash.","debianbug":1126629,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1.2.8-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":""},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.2.4-1.1","bullseye-security":"1.2.4-1.1+deb11u1"},"fixed_version":"1.2.4-1.1+deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1.2.16-1"},"fixed_version":"1.2.16-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1.2.16-1"},"fixed_version":"1.2.16-1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"1.2.14-1"},"urgency":"not yet assigned","nodsa":"Minor issue","nodsa_reason":"","next_point_update":true}}},"CVE-2026-56109":{"description":"The Advanced Linux Sound Architecture (ALSA) library before 1.2.16.1 contains a double-free vulnerability in parse_def() in src/conf.c that allows attackers to corrupt memory by supplying maliciously crafted ALSA configuration text. 
When parsing nested compound or array configuration blocks, parse_def() fails to check return values before continuing, causing snd_config_delete() to be called twice on the same already-freed node, resulting in a NULL-pointer write or invalid memory read.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1.2.8-1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1.2.4-1.1","bullseye-security":"1.2.4-1.1+deb11u1"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"1.2.16-1"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"1.2.16-1"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"1.2.14-1"},"urgency":"unimportant"}}}},"alsaplayer":{"CVE-2002-1896":{"description":"Buffer overflow in Alsaplayer 0.99.71, when installed setuid root, allows local users to execute arbitrary code via a long (1) -f or (2) -o command line argument.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.99.81-2"},"fixed_version":"0.99.72-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.99.81-2"},"fixed_version":"0.99.72-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"0.99.82-5"},"fixed_version":"0.99.72-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"0.99.82-5"},"fixed_version":"0.99.72-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"0.99.82-2"},"fixed_version":"0.99.72-1","urgency":"not yet assigned"}}},"CVE-2006-4089":{"description":"Multiple buffer overflows in Andy Lo-A-Foe AlsaPlayer 0.99.76 and earlier allow remote attackers to cause a denial of service (application crash), or have other unknown impact, via (1) a long Location field sent by a web server, which triggers an overflow in the reconnect function in reader/http/http.c; (2) a long URL sent by 
a web server when AlsaPlayer is seeking a media file for the playlist, which triggers overflows in new_list_item and CbUpdated in interface/gtk/PlaylistWindow.cpp; and (3) a long response sent by a CDDB server, which triggers an overflow in cddb_lookup in input/ccda/cdda_engine.c.","debianbug":382842,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.99.81-2"},"fixed_version":"0.99.76-9","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.99.81-2"},"fixed_version":"0.99.76-9","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"0.99.82-5"},"fixed_version":"0.99.76-9","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"0.99.82-5"},"fixed_version":"0.99.76-9","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"0.99.82-2"},"fixed_version":"0.99.76-9","urgency":"medium"}}},"CVE-2007-5301":{"description":"Buffer overflow in the vorbis_stream_info function in input/vorbis/vorbis_engine.c (aka the vorbis input plugin) in AlsaPlayer before 0.99.80-rc3 allows remote attackers to execute arbitrary code via a .OGG file with long comments.","debianbug":446034,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.99.81-2"},"fixed_version":"0.99.80~rc4-1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.99.81-2"},"fixed_version":"0.99.80~rc4-1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"0.99.82-5"},"fixed_version":"0.99.80~rc4-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"0.99.82-5"},"fixed_version":"0.99.80~rc4-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"0.99.82-2"},"fixed_version":"0.99.80~rc4-1","urgency":"low"}}}},"altermime":{"CVE-2002-1721":{"description":"Off-by-one error in alterMIME 0.1.10 and 0.1.11 allows remote attackers to cause a denial of service (crash) via an x-header that causes 
snprintf overwrite the FFGET_FILE variable with a (null) byte.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"0.3.10-12"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"0.3.10-12"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"0.3.10-14"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"0.3.10-14"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"0.3.10-13"},"fixed_version":"0","urgency":"unimportant"}}}},"amanda":{"CVE-2002-0901":{"description":"Multiple buffer overflows in Advanced Maryland Automatic Network Disk Archiver (AMANDA) 2.3.0.4 allow (1) remote attackers to execute arbitrary code via long commands to the amindexd daemon, or certain local users to execute arbitrary code via long command line arguments to the programs (2) amcheck, (3) amgetidx, (4) amtrmidx, (5) createindex-dump, or (6) createindex-gnutar.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:3.5.1-11+deb12u2"},"fixed_version":"2.4.0b6-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:3.5.1-7","bullseye-security":"1:3.5.1-7+deb11u1"},"fixed_version":"2.4.0b6-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:3.5.4-2.1"},"fixed_version":"2.4.0b6-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:3.5.4-2"},"fixed_version":"2.4.0b6-1","urgency":"not yet assigned"}}},"CVE-2016-10729":{"description":"An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. 
The \"runtar\" setuid root binary does not check for additional arguments supplied after --create, allowing users to manipulate commands and perform command injection as root.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:3.5.1-11+deb12u2"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:3.5.1-7","bullseye-security":"1:3.5.1-7+deb11u1"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1:3.5.4-2.1"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1:3.5.4-2"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"}}},"CVE-2016-10730":{"description":"An issue was discovered in Amanda 3.3.1. A user with backup privileges can trivially compromise a client installation. Amstar is an Amanda Application API script. It should not be run by users directly. It uses star to backup and restore data. It runs binaries with root permissions when parsing the command line argument --star-path.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:3.5.1-11+deb12u2"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:3.5.1-7","bullseye-security":"1:3.5.1-7+deb11u1"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1:3.5.4-2.1"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1:3.5.4-2"},"fixed_version":"1:3.3.9-1","urgency":"unimportant"}}},"CVE-2022-37703":{"description":"In Amanda 3.5.1, an information leak vulnerability was found in the calcsize SUID binary. An attacker can abuse this vulnerability to know if a directory exists or not anywhere in the fs. 
The binary will use `opendir()` as root directly without checking the path, letting the attacker provide an arbitrary path.","debianbug":1021017,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:3.5.1-11+deb12u2"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:3.5.1-7","bullseye-security":"1:3.5.1-7+deb11u1"},"fixed_version":"1:3.5.1-7+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:3.5.4-2.1"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:3.5.4-2"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"}}},"CVE-2022-37704":{"description":"Amanda 3.5.1 allows privilege escalation from the regular user backup to root. The SUID binary located at /lib/amanda/rundump will execute /usr/sbin/dump as root with controlled arguments from the attacker which may lead to escalation of privileges, denial of service, and information disclosure.","debianbug":1029829,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:3.5.1-11+deb12u2"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:3.5.1-7","bullseye-security":"1:3.5.1-7+deb11u1"},"fixed_version":"1:3.5.1-7+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:3.5.4-2.1"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:3.5.4-2"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"}}},"CVE-2022-37705":{"description":"A privilege escalation flaw was found in Amanda 3.5.1 in which the backup user can acquire root privileges. The vulnerable component is the runtar SUID program, which is a wrapper to run /usr/bin/tar with specific arguments that are controllable by the attacker. 
This program mishandles the arguments passed to tar binary (it expects that the argument name and value are separated with a space; however, separating them with an equals sign is also supported),","debianbug":1029829,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:3.5.1-11+deb12u2"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:3.5.1-7","bullseye-security":"1:3.5.1-7+deb11u1"},"fixed_version":"1:3.5.1-7+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:3.5.4-2.1"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:3.5.4-2"},"fixed_version":"1:3.5.1-10","urgency":"not yet assigned"}}},"CVE-2023-30577":{"description":"AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag-community-3.5.4 mishandles argument checking for runtar.c, a different vulnerability than CVE-2022-37705.","debianbug":1055253,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:3.5.1-11+deb12u2"},"fixed_version":"1:3.5.1-11+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:3.5.1-7","bullseye-security":"1:3.5.1-7+deb11u1"},"fixed_version":"1:3.5.1-7+deb11u1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:3.5.4-2.1"},"fixed_version":"1:3.5.1-11.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:3.5.4-2"},"fixed_version":"1:3.5.1-11.1","urgency":"not yet assigned"}}}},"amarok":{"CVE-2006-6979":{"description":"The ruby handlers in the Magnatune component in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell 
metacharacters.","debianbug":410850,"scope":"local","releases":{"forky":{"status":"resolved","repositories":{"forky":"3.3.2-1"},"fixed_version":"1.4.4-1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"3.3.3-1"},"fixed_version":"1.4.4-1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"3.2.2-1"},"fixed_version":"1.4.4-1","urgency":"low"}}},"CVE-2006-6980":{"description":"The magnatune.com album browser in Amarok allows attackers to cause a denial of service (application crash) via unspecified vectors.","debianbug":410850,"scope":"local","releases":{"forky":{"status":"resolved","repositories":{"forky":"3.3.2-1"},"fixed_version":"1.4.4-4","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.3.3-1"},"fixed_version":"1.4.4-4","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.2.2-1"},"fixed_version":"1.4.4-4","urgency":"unimportant"}}},"CVE-2008-3699":{"description":"The MagnatuneBrowser::listDownloadComplete function in magnatunebrowser/magnatunebrowser.cpp in Amarok before 1.4.10 allows local users to overwrite arbitrary files via a symlink attack on the album_info.xml temporary file.","debianbug":494765,"scope":"local","releases":{"forky":{"status":"resolved","repositories":{"forky":"3.3.2-1"},"fixed_version":"1.4.10-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"3.3.3-1"},"fixed_version":"1.4.10-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"3.2.2-1"},"fixed_version":"1.4.10-1","urgency":"unimportant"}}},"CVE-2009-0135":{"description":"Multiple integer overflows in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to execute arbitrary code via an Audible Audio (.aa) file with a large (1) nlen or (2) vlen Tag value, each of which triggers a heap-based buffer 
overflow.","scope":"local","releases":{"forky":{"status":"resolved","repositories":{"forky":"3.3.2-1"},"fixed_version":"1.4.10-2","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"3.3.3-1"},"fixed_version":"1.4.10-2","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"3.2.2-1"},"fixed_version":"1.4.10-2","urgency":"medium"}}},"CVE-2009-0136":{"description":"Multiple array index errors in the Audible::Tag::readTag function in metadata/audible/audibletag.cpp in Amarok 1.4.10 through 2.0.1 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via an Audible Audio (.aa) file with a crafted (1) nlen or (2) vlen Tag value, each of which can lead to an invalid pointer dereference, or the writing of a 0x00 byte to an arbitrary memory location, after an allocation failure.","scope":"local","releases":{"forky":{"status":"resolved","repositories":{"forky":"3.3.2-1"},"fixed_version":"1.4.10-2","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"3.3.3-1"},"fixed_version":"1.4.10-2","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"3.2.2-1"},"fixed_version":"1.4.10-2","urgency":"medium"}}},"CVE-2020-13152":{"description":"A remote user can create a specially crafted M3U file, media playlist file that when loaded by the target user, will trigger a memory leak, whereby Amarok 2.8.0 continue to waste resources over time, eventually allows attackers to cause a denial of service.","scope":"local","releases":{"forky":{"status":"open","repositories":{"forky":"3.3.2-1"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"3.3.3-1"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"3.2.2-1"},"urgency":"unimportant"}}}},"amavisd-new":{"CVE-2024-28054":{"description":"Amavis before 2.12.3 and 2.13.x before 2.13.1, in part because of its use of MIME-tools, has an Interpretation Conflict (relative to some mail user 
agents) when there are multiple boundary parameters in a MIME email message. Consequently, there can be an incorrect check for banned files or malware.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.13.0-3+deb12u1"},"fixed_version":"1:2.13.0-3+deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.11.1-5+deb11u1"},"fixed_version":"1:2.11.1-5+deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1:2.13.0-7"},"fixed_version":"1:2.13.0-5","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1:2.13.0-7"},"fixed_version":"1:2.13.0-5","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.13.0-7"},"fixed_version":"1:2.13.0-5","urgency":"not yet assigned"}}},"TEMP-0410588-2CACBB":{"debianbug":410588,"releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.13.0-3+deb12u1"},"fixed_version":"1:2.5.2-1","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.11.1-5+deb11u1"},"fixed_version":"1:2.5.2-1","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1:2.13.0-7"},"fixed_version":"1:2.5.2-1","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1:2.13.0-7"},"fixed_version":"1:2.5.2-1","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.13.0-7"},"fixed_version":"1:2.5.2-1","urgency":"unimportant"}}}},"amd64-microcode":{"CVE-2017-5715":{"description":"Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20180515.1","urgency":"not 
yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20180515.1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20180515.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20180515.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20180515.1","urgency":"not yet assigned"}}},"CVE-2019-9836":{"description":"Secure Encrypted Virtualization (SEV) on Advanced Micro Devices (AMD) Platform Security Processor (PSP; aka AMD Secure Processor or AMD-SP) 0.17 build 11 and earlier has an insecure cryptographic implementation.","debianbug":970395,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20220411.1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20230719.1~deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20220411.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20220411.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20220411.1","urgency":"not yet assigned"}}},"CVE-2023-20569":{"description":"A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address prediction. 
This may result in speculative execution at an attacker-controlled\u202faddress, potentially leading to information disclosure.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20230719.1~deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20230719.1~deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"}}},"CVE-2023-20584":{"description":"IOMMU improperly handles certain special address ranges with invalid device table entries (DTEs), which may allow an attacker with privileges and a compromised Hypervisor to induce DTE faults to bypass RMP checks in SEV-SNP, potentially leading to a loss of guest integrity.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20240820.1~deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20240820.1~deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20240820.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20240820.1","urgency":"not yet 
assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20240820.1","urgency":"not yet assigned"}}},"CVE-2023-20592":{"description":"Improper or unexpected behavior of the INVD instruction in some AMD CPUs may allow an attacker with a malicious hypervisor to affect cache line write-back behavior of the CPU leading to a potential loss of guest virtual machine (VM) memory integrity.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20230719.1~deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20230719.1~deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"}}},"CVE-2023-20593":{"description":"An issue in \u201cZen 2\u201d CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.","debianbug":1041863,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20230719.1~deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20230719.1~deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20230719.1","urgency":"not yet 
assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20230719.1","urgency":"not yet assigned"}}},"CVE-2023-31315":{"description":"Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20240710.2~deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20240710.2~deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20240710.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20240710.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20240710.1","urgency":"not yet assigned"}}},"CVE-2023-31356":{"description":"Incomplete system memory cleanup in SEV firmware could allow a privileged attacker to corrupt guest private memory, potentially resulting in a loss of data integrity.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20240820.1~deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20240820.1~deb11u1","urgency":"not yet 
assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20240820.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20240820.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20240820.1","urgency":"not yet assigned"}}},"CVE-2024-36348":{"description":"A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP feature is enabled, potentially resulting in information leakage.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"unimportant"}}},"CVE-2024-36349":{"description":"A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information 
leakage.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"unimportant"}}},"CVE-2024-36350":{"description":"A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information.","debianbug":1109035,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2024-36357":{"description":"A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries.","debianbug":1109035,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet 
assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2024-56161":{"description":"Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious CPU microcode resulting in loss of confidentiality and integrity of a confidential guest running under AMD SEV-SNP.","debianbug":1095470,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"fixed_version":"3.20250311.1~deb12u1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"fixed_version":"3.20250311.1~deb11u1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20250311.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20250311.1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"3.20250311.1"},"fixed_version":"3.20250311.1","urgency":"not yet assigned"}}},"CVE-2025-0033":{"description":"Improper access control within AMD SEV-SNP could allow an admin privileged attacker to write to the RMP during SNP initialization, potentially resulting in a loss of SEV-SNP guest memory 
integrity.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-29934":{"description":"A bug within some AMD CPUs could allow a local admin-privileged attacker to run a SEV-SNP guest using stale TLB entries, potentially resulting in loss of data integrity.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-29943":{"description":"Write what were condition within AMD CPUs may allow an admin-privileged attacker to modify the configuration of the CPU pipeline potentially resulting in the corruption of the stack pointer inside an SEV-SNP guest.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet 
assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-48514":{"description":"Insufficient Granularity of Access Control in SEV firmware can allow a privileged attacker to create a SEV-ES Guest to attack SNP guest, potentially resulting in a loss of confidentiality.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-48517":{"description":"Insufficient Granularity of Access Control in SEV firmware could allow a privileged user with a malicious hypervisor to create a SEV-ES guest with an ASID in the range meant for SEV-SNP guests potentially resulting in a partial loss of confidentiality.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet 
assigned"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-52534":{"description":"Improper bound check within AMD CPU microcode can allow a malicious guest to write to host memory, potentially resulting in loss of integrity.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-52536":{"description":"Improper Prevention of Lock Bit Modification in SEV firmware could allow a privileged attacker to downgrade firmware potentially resulting in a loss of integrity.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-54514":{"description":"Improper isolation of shared resources on a system on a chip 
by a malicious local attacker with high privileges could potentially lead to a partial loss of integrity.","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"open","repositories":{"forky":"3.20251202.1"},"urgency":"not yet assigned"},"sid":{"status":"open","repositories":{"sid":"3.20251202.1"},"urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned"}}},"CVE-2025-62626":{"description":"Improper handling of insufficient entropy in the AMD CPUs could allow a local attacker to influence the values returned by the RDSEED instruction, potentially resulting in the consumption of insufficiently random values.","debianbug":1120005,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"3.20250311.1~deb12u1","bookworm-security":"3.20230719.1~deb12u1"},"urgency":"not yet assigned","nodsa":"Only affects AMD Zen 5 processors, limited support; problematic microcode update","nodsa_reason":"ignored"},"bullseye":{"status":"open","repositories":{"bullseye":"3.20240820.1~deb11u1","bullseye-security":"3.20250311.1~deb11u1"},"urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"3.20251202.1"},"fixed_version":"3.20251202.1","urgency":"not yet assigned"},"trixie":{"status":"open","repositories":{"trixie":"3.20250311.1"},"urgency":"not yet assigned","nodsa":"Only affects AMD Zen 5 processors, limited support; problematic microcode update","nodsa_reason":"ignored"}}}},"amule":{"CVE-2006-2691":{"description":"Unspecified \"information leakage\" 
vulnerabilities in aMuleWeb for AMule before 2.1.2 allow remote attackers to access arbitrary images, including dynamically generated images, via unknown vectors.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.3.3-3"},"fixed_version":"2.1.2-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.3.3-1"},"fixed_version":"2.1.2-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"1:2.3.3-4.1"},"fixed_version":"2.1.2-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"1:2.3.3-4.1"},"fixed_version":"2.1.2-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.3.3-3.2"},"fixed_version":"2.1.2-1","urgency":"medium"}}},"CVE-2006-2692":{"description":"Multiple unspecified vulnerabilities in aMuleWeb for AMule before 2.1.2 allow remote attackers to read arbitrary image, HTML, or PHP files via unknown vectors, probably related to directory traversal.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.3.3-3"},"fixed_version":"2.1.2-1","urgency":"medium"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.3.3-1"},"fixed_version":"2.1.2-1","urgency":"medium"},"forky":{"status":"resolved","repositories":{"forky":"1:2.3.3-4.1"},"fixed_version":"2.1.2-1","urgency":"medium"},"sid":{"status":"resolved","repositories":{"sid":"1:2.3.3-4.1"},"fixed_version":"2.1.2-1","urgency":"medium"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.3.3-3.2"},"fixed_version":"2.1.2-1","urgency":"medium"}}},"CVE-2008-2486":{"description":"Unspecified vulnerability in eMule Plus before 1.2d has unknown impact and attack vectors related to \"staticservers.dat 
processing.\"","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.3.3-3"},"fixed_version":"0","urgency":"unimportant"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.3.3-1"},"fixed_version":"0","urgency":"unimportant"},"forky":{"status":"resolved","repositories":{"forky":"1:2.3.3-4.1"},"fixed_version":"0","urgency":"unimportant"},"sid":{"status":"resolved","repositories":{"sid":"1:2.3.3-4.1"},"fixed_version":"0","urgency":"unimportant"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.3.3-3.2"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2009-1440":{"description":"Incomplete blacklist vulnerability in DownloadListCtrl.cpp in amule 2.2.4 allows remote attackers to conduct argument injection attacks into a command for mplayer via a crafted filename.","debianbug":525078,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1:2.3.3-3"},"fixed_version":"2.2.5-1.1","urgency":"low"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1:2.3.3-1"},"fixed_version":"2.2.5-1.1","urgency":"low"},"forky":{"status":"resolved","repositories":{"forky":"1:2.3.3-4.1"},"fixed_version":"2.2.5-1.1","urgency":"low"},"sid":{"status":"resolved","repositories":{"sid":"1:2.3.3-4.1"},"fixed_version":"2.2.5-1.1","urgency":"low"},"trixie":{"status":"resolved","repositories":{"trixie":"1:2.3.3-3.2"},"fixed_version":"2.2.5-1.1","urgency":"low"}}}},"analog":{"CVE-2002-1154":{"description":"anlgform.pl in Analog before 5.23 does not restrict access to the PROGRESSFREQ progress update command, which allows remote attackers to cause a denial of service (disk consumption) by using the command to report updates more frequently and fill the web server error log.","scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"2:6.0.17-3"},"fixed_version":"2:5.23","urgency":"not yet 
assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"2:6.0-22"},"fixed_version":"2:5.23","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"2:6.0.17-3"},"fixed_version":"2:5.23","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"2:6.0.17-3"},"fixed_version":"2:5.23","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"2:6.0.17-3"},"fixed_version":"2:5.23","urgency":"not yet assigned"}}}},"android-framework-23":{"CVE-2017-0752":{"description":"A elevation of privilege vulnerability in the Android framework (windowmanager). Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-62196835.","scope":"local","releases":{"bullseye":{"status":"open","repositories":{"bullseye":"6.0.1+r72-6"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"6.0.1+r72-6"},"urgency":"unimportant"}}},"CVE-2017-0822":{"description":"An elevation of privilege vulnerability in the Android system (camera). Product: Android. Versions: 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. 
Android ID: A-63787722.","scope":"local","releases":{"bullseye":{"status":"open","repositories":{"bullseye":"6.0.1+r72-6"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"6.0.1+r72-6"},"urgency":"unimportant"}}}},"android-platform-dalvik":{"CVE-2016-3758":{"description":"Multiple buffer overflows in libdex/OptInvocation.cpp in DexClassLoader in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 allow attackers to gain privileges via a crafted application that provides a long filename, aka internal bug 27840771.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"10.0.0+r36-1"},"fixed_version":"6.0.1+r55-1","urgency":"not yet assigned"}}}},"android-platform-external-libunwind":{"CVE-2015-3239":{"description":"Off-by-one error in the dwarf_to_unw_regnum function in include/dwarf_i.h in libunwind 1.1 allows local users to have unspecified impact via invalid dwarf opcodes.","debianbug":849346,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"10.0.0+r36-4"},"fixed_version":"7.0.0+r1-4","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"10.0.0+r36-4"},"fixed_version":"7.0.0+r1-4","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"10.0.0+r36-4.1"},"fixed_version":"7.0.0+r1-4","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"10.0.0+r36-4.1"},"fixed_version":"7.0.0+r1-4","urgency":"not yet assigned"}}}},"android-platform-frameworks-base":{"CVE-2021-39796":{"description":"In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there is a possible way to trick victim to install harmful app due to a tapjacking/overlay attack. This could lead to local escalation of privilege with User execution privileges needed. 
User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-205595291","debianbug":1009626,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1:10.0.0+r36-10"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1:10.0.0+r36-3"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"1:14~beta1-5"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"1:14~beta1-5"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"1:14~beta1-3"},"urgency":"unimportant"}}},"CVE-2022-20011":{"description":"In getArray of NotificationManagerService.java , there is a possible leak of one user notifications to another due to missing check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-12 Android-12LAndroid ID: A-214999128","scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1:10.0.0+r36-10"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1:10.0.0+r36-3"},"urgency":"unimportant"},"forky":{"status":"open","repositories":{"forky":"1:14~beta1-5"},"urgency":"unimportant"},"sid":{"status":"open","repositories":{"sid":"1:14~beta1-5"},"urgency":"unimportant"},"trixie":{"status":"open","repositories":{"trixie":"1:14~beta1-3"},"urgency":"unimportant"}}}},"android-platform-frameworks-native":{"CVE-2015-3875":{"description":"libutils in Android before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted audio file, aka internal bug 
22952485.","debianbug":806375,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1:10.0.0+r36-1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1:10.0.0+r36-1"},"urgency":"unimportant"}}},"CVE-2015-6602":{"description":"libutils in Android through 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted metadata in a (1) MP3 or (2) MP4 file, as demonstrated by an attack against use of libutils by libstagefright in Android 5.x.","debianbug":806375,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1:10.0.0+r36-1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1:10.0.0+r36-1"},"urgency":"unimportant"}}},"CVE-2015-6609":{"description":"libutils in Android before 5.1.1 LMY48X and 6.0 before 2015-11-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted audio file, aka internal bug 22953624.","debianbug":806375,"scope":"local","releases":{"bookworm":{"status":"open","repositories":{"bookworm":"1:10.0.0+r36-1"},"urgency":"unimportant"},"bullseye":{"status":"open","repositories":{"bullseye":"1:10.0.0+r36-1"},"urgency":"unimportant"}}}},"android-platform-system-core":{"CVE-2012-5564":{"description":"android-tools 4.1.1 in Android Debug Bridge (ADB) allows local users to overwrite arbitrary files via a symlink attack on /tmp/adb.log.","debianbug":823792,"scope":"local","releases":{"bullseye":{"status":"open","repositories":{"bullseye":"1:10.0.0+r36-7"},"urgency":"unimportant"}}},"CVE-2014-1909":{"description":"Integer signedness error in system/core/adb/adb_client.c in Android Debug Bridge (ADB) for Android 4.4 in the Android SDK Platform Tools 18.0.1 allows ADB servers to execute arbitrary code via a negative length value, which bypasses a signed comparison and triggers a stack-based buffer 
overflow.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"1:6.0.0+r26-1~stage1","urgency":"not yet assigned"}}},"CVE-2016-0807":{"description":"The get_build_id function in elf_utils.cpp in Debuggerd in Android 6.x before 2016-02-01 allows attackers to gain privileges via a crafted application that mishandles a Desc Size element in an ELF Note, aka internal bug 25187394.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"1:7.0.0+r1-1","urgency":"unimportant"}}},"CVE-2016-3861":{"description":"LibUtils in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles conversions between Unicode character encodings with different encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted file, aka internal bug 29250543.","debianbug":858177,"scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"1:7.0.0+r1-4","urgency":"unimportant"}}},"CVE-2016-3885":{"description":"debuggerd/debuggerd.cpp in Debuggerd in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 mishandles the interaction between PTRACE_ATTACH operations and thread exits, which allows attackers to gain privileges via a crafted application, aka internal bug 29555636.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2016-3890":{"description":"The Java Debug Wire Protocol (JDWP) implementation in adb/sockets.cpp in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-09-01 mishandles socket close operations, which allows attackers to gain privileges via a crafted 
application, aka internal bug 28347842.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"1:6.0.1+r43-1","urgency":"not yet assigned"}}},"CVE-2016-3921":{"description":"libsysutils/src/FrameworkListener.cpp in Framework Listener in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-10-01, and 7.0 before 2016-10-01 allows attackers to gain privileges via a crafted application, aka internal bug 29831647.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"0","urgency":"unimportant"}}},"CVE-2016-6762":{"description":"An elevation of privilege vulnerability in the libziparchive library could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as High because it could be used to gain local access to elevated capabilities, which are not normally accessible to a third-party application. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0. Android ID: A-31251826.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"1:7.0.0+r1-1","urgency":"not yet assigned"}}},"CVE-2017-0647":{"description":"An information disclosure vulnerability in libziparchive could enable a local malicious application to access data outside of its permission levels. This issue is rated as Moderate because it could be used to access sensitive data without permission. Product: Android. Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-36392138.","debianbug":867229,"scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"1:7.0.0+r33-2","urgency":"unimportant"}}},"CVE-2017-0841":{"description":"A remote code execution vulnerability in the Android system (libutils). Product: Android. 
Versions: 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID: A-37723026.","scope":"local","releases":{"bullseye":{"status":"open","repositories":{"bullseye":"1:10.0.0+r36-7"},"urgency":"unimportant"}}},"CVE-2017-13156":{"description":"An elevation of privilege vulnerability in the Android system (art). Product: Android. Versions: 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0. Android ID A-64211847.","scope":"local","releases":{"bullseye":{"status":"resolved","repositories":{"bullseye":"1:10.0.0+r36-7"},"fixed_version":"0","urgency":"unimportant"}}}},"angular.js":{"CVE-2019-10768":{"description":"In AngularJS before 1.7.9 the function `merge()` could be tricked into adding or modifying properties of `Object.prototype` using a `__proto__` payload.","debianbug":945249,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.8.3-1+deb12u1"},"fixed_version":"1.7.9-1","urgency":"not yet assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.8.2-2","bullseye-security":"1.8.3-1+deb12u1~deb11u1"},"fixed_version":"1.7.9-1","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1.8.3-3"},"fixed_version":"1.7.9-1","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1.8.3-3"},"fixed_version":"1.7.9-1","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1.8.3-3"},"fixed_version":"1.7.9-1","urgency":"not yet assigned"}}},"CVE-2019-14863":{"description":"There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.","debianbug":942833,"scope":"local","releases":{"bookworm":{"status":"resolved","repositories":{"bookworm":"1.8.3-1+deb12u1"},"fixed_version":"1.5.3-2","urgency":"not yet 
assigned"},"bullseye":{"status":"resolved","repositories":{"bullseye":"1.8.2-2","bullseye-security":"1.8.3-1+deb12u1~deb11u1"},"fixed_version":"1.5.3-2","urgency":"not yet assigned"},"forky":{"status":"resolved","repositories":{"forky":"1.8.3-3"},"fixed_version":"1.5.3-2","urgency":"not yet assigned"},"sid":{"status":"resolved","repositories":{"sid":"1.8.3-3"},"fixed_version":"1.5.3-2","urgency":"not yet assigned"},"trixie":{"status":"resolved","repositories":{"trixie":"1.8.3-3"},"fixed_version":"1.5.3-2","urgency":"not yet assigned"}}},"CVE-2020-7676":{"description":"angular.js prior to 1.8.0 allows cross site scripting. The regex-based input HTML replacement may turn sanitized code into unsanitized one. Wrapping \"