sunrat Posted December 20, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4590-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 19, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : cyrus-imapd
CVE ID         : CVE-2019-19783

It was discovered that the lmtpd component of the Cyrus IMAP server
created mailboxes with administrator privileges if the "fileinto" was
used, bypassing ACL checks.

For the oldstable distribution (stretch), this problem has been fixed in
version 2.5.10-3+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 3.0.8-6+deb10u3.
sunrat Posted December 20, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4591-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 20, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : cyrus-sasl2
CVE ID         : CVE-2019-19906
Debian Bug     : 947043

Stephan Zeisberg reported an out-of-bounds write vulnerability in the
_sasl_add_string() function in cyrus-sasl2, a library implementing the
Simple Authentication and Security Layer. A remote attacker can take
advantage of this issue to cause denial-of-service conditions for
applications using the library.

For the oldstable distribution (stretch), this problem has been fixed in
version 2.1.27~101-g0780600+dfsg-3+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 2.1.27+dfsg-1+deb10u1.
sunrat Posted December 28, 2019

-------------------------------------------------------------------------
Debian Security Advisory DSA-4592-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 26, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2019-19709

It was discovered that the Title blacklist functionality in MediaWiki, a
website engine for collaborative work, could be bypassed.

For the oldstable distribution (stretch), this problem has been fixed in
version 1:1.27.7-1~deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 1:1.31.6-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4593-1                   security@debian.org
https://www.debian.org/security/                           Hugo Lefeuvre
December 27, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : freeimage
CVE ID         : CVE-2019-12211 CVE-2019-12213
Debian Bug     : 929597

It was found that freeimage, a graphics library, was affected by the
following two security issues:

CVE-2019-12211

    Heap buffer overflow caused by invalid memcpy in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service or any other unspecified impact via crafted TIFF data.

CVE-2019-12213

    Stack exhaustion caused by unwanted recursion in PluginTIFF. This
    flaw might be leveraged by remote attackers to trigger denial of
    service via crafted TIFF data.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.17.0+ds1-5+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 3.18.0+ds2-1+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4594-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl1.0
CVE ID         : CVE-2019-1551

Guido Vranken discovered an overflow bug in the x86_64 Montgomery
squaring procedure used in exponentiation with 512-bit moduli.

For the oldstable distribution (stretch), this problem has been fixed in
version 1.0.2u-1~deb9u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4595-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : debian-lan-config
CVE ID         : CVE-2019-3467
Debian Bug     : 947459

It was discovered that debian-lan-config, a FAI config space for the
Debian-LAN system, configured too permissive ACLs for the Kerberos admin
server, which allowed password changes for other user principals.

This update provides a fixed configuration for new deployments; for
existing setups, the NEWS file shipped in this update provides advice to
fix the configuration.

For the oldstable distribution (stretch), this problem has been fixed in
version 0.23+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 0.25+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4596-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tomcat8
CVE ID         : CVE-2018-8014 CVE-2018-11784 CVE-2019-0199 CVE-2019-0221
                 CVE-2019-12418 CVE-2019-17563

Several issues were discovered in the Tomcat servlet and JSP engine,
which could result in session fixation attacks, information disclosure,
cross-site scripting, denial of service via resource exhaustion and
insecure redirects.

For the oldstable distribution (stretch), these problems have been fixed
in version 8.5.50-0+deb9u1. This update also requires an updated version
of tomcat-native which has been updated to 1.2.21-1~deb9u1.
sunrat Posted January 4, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4597-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 03, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : netty
CVE ID         : CVE-2019-16869
Debian Bug     : 941266

It was reported that Netty, a Java NIO client/server framework, is prone
to a HTTP request smuggling vulnerability due to mishandling whitespace
before the colon in HTTP headers.

For the oldstable distribution (stretch), this problem has been fixed in
version 1:4.1.7-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1:4.1.33-1+deb10u1.
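To make the header-parsing point in DSA-4597-1 concrete, here is an added example (not Netty code and not part of the forum post) of a strict HTTP/1.1 field-line parser. RFC 7230 section 3.2.4 requires a server to reject a field line that has whitespace between the field-name and the colon; a parser that silently tolerates such a line can disagree with another parser in the chain about where the message body ends, which is the desynchronisation the advisory refers to as request smuggling. The sample header blocks and the function names are constructed for this example.

```python
"""
Strict parsing of HTTP/1.1 header field lines (RFC 7230 section 3.2.4).

Added example, not Netty's code: it shows the check a defensive parser
applies so that "Content-Length : 5" is rejected instead of being read as
a framing header. All sample input below is constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Characters permitted in a field-name token (RFC 7230 section 3.2.6).
_TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderError(ValueError):
    """Raised for any field line a strict RFC 7230 parser must reject."""


def parse_header_line(line: str) -> Tuple[str, str]:
    """Return (lowercased field-name, field-value) for one well-formed line.

    Rejects: a leading SP/HTAB (obsolete line folding), a line with no
    colon, whitespace between the field-name and the colon, and a
    field-name that is not a token.
    """
    if line[:1] in (" ", "\t"):
        raise HeaderError("obsolete line folding is not accepted")
    name, sep, value = line.partition(":")
    if not sep:
        raise HeaderError("field line without a colon")
    if name != name.rstrip(" \t"):
        # This is the exact condition RFC 7230 says must yield HTTP 400.
        raise HeaderError(f"whitespace between field-name and colon: {line!r}")
    if not _TCHAR.match(name):
        raise HeaderError(f"field-name is not a token: {name!r}")
    # Optional whitespace around the field-value is permitted and stripped.
    return name.lower(), value.strip(" \t")


def parse_headers(lines: List[str]) -> Dict[str, str]:
    """Parse a block of field lines; one malformed line rejects the whole block."""
    headers: Dict[str, str] = {}
    for line in lines:
        name, value = parse_header_line(line)
        if name in headers:
            # Duplicate framing headers are ambiguous; a strict parser refuses
            # them rather than choosing one of the two values.
            if name in ("content-length", "transfer-encoding"):
                raise HeaderError(f"duplicate framing header {name!r}")
            headers[name] = headers[name] + ", " + value
        else:
            headers[name] = value
    return headers


# Constructed samples: a well-formed block and one with a space before the colon.
GOOD_BLOCK = ["Host: example.test", "Content-Length: 5"]
BAD_BLOCK = ["Host: example.test", "Content-Length : 5"]


def check_block(lines: List[str]) -> bool:
    """True if the block passes strict parsing, False if it must be rejected."""
    try:
        parse_headers(lines)
        return True
    except HeaderError:
        return False


if __name__ == "__main__":
    print("well-formed block accepted:", check_block(GOOD_BLOCK))
    print("malformed block accepted:  ", check_block(BAD_BLOCK))
```

The parser is deliberately all-or-nothing: a single malformed line fails the whole block, because the safe response to an ambiguous request is a 400 and a closed connection, not a best-effort interpretation that a neighbouring proxy may read differently.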
sunrat Posted January 7, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4598-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 07, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2019-19844
Debian Bug     : 946937

Simon Charette reported that the password reset functionality in Django,
a high-level Python web development framework, uses a Unicode
case-insensitive query to retrieve accounts matching the email address
requesting the password reset. An attacker can take advantage of this
flaw to potentially retrieve password reset tokens and hijack accounts.

For details please refer to
https://www.djangoproject.com/weblog/2019/dec/18/security-releases/

For the oldstable distribution (stretch), this problem has been fixed in
version 1:1.10.7-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in
version 1:1.11.27-1~deb10u1.
sunrat Posted January 8, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4599-1                   security@debian.org
https://www.debian.org/security/                      Sebastien Delafond
January 08, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220
                 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 CVE-2019-16780
                 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671 CVE-2019-17672
                 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675 CVE-2019-20041
                 CVE-2019-20042 CVE-2019-20043
Debian Bug     : 939543 942459 946905

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. They allowed remote attackers to perform various Cross-Site
Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create
open redirects, poison cache, and bypass authorization access and input
sanitation.

For the stable distribution (buster), these problems have been fixed in
version 5.0.4+dfsg1-1+deb10u1.
sunrat Posted January 10, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4600-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 09, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-17026 CVE-2019-17024 CVE-2019-17022 CVE-2019-17017
                 CVE-2019-17016

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, data exfiltration or cross-site scripting.

For the oldstable distribution (stretch), this problem has been fixed in
version 68.4.1esr-1~deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 68.4.1esr-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4601-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 09, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ldm
CVE ID         : not yet available

It was discovered that a hook script of ldm, the display manager for the
Linux Terminal Server Project, incorrectly parsed responses from an SSH
server which could result in local root privilege escalation.

For the oldstable distribution (stretch), this problem has been fixed in
version 2:2.2.18-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 2:2.18.06-1+deb10u1.
sunrat Posted January 14, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4602-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 13, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2019-17349 CVE-2019-17350 CVE-2019-18420 CVE-2019-18421
                 CVE-2019-18422 CVE-2019-18423 CVE-2019-18424 CVE-2019-18425
                 CVE-2019-19577 CVE-2019-19578 CVE-2019-19579 CVE-2019-19580
                 CVE-2019-19581 CVE-2019-19582 CVE-2019-19583 CVE-2018-12207
                 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
                 CVE-2019-11135 CVE-2019-17348 CVE-2019-17347 CVE-2019-17346
                 CVE-2019-17345 CVE-2019-17344 CVE-2019-17343 CVE-2019-17342
                 CVE-2019-17341 CVE-2019-17340

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, guest-to-host privilege
escalation or information leaks.

In addition this update provides mitigations for the "TSX Asynchronous
Abort" speculative side channel attack. For additional information please
refer to https://xenbits.xen.org/xsa/advisory-305.html

For the oldstable distribution (stretch), these problems have been fixed
in version 4.8.5.final+shim4.10.4-1+deb9u12. Note that this will be the
last security update for Xen in the oldstable distribution; upstream
support for the 4.8.x branch ended by the end of December 2019. If you
rely on security support for your Xen installation an update to the
stable distribution (buster) is recommended.

For the stable distribution (buster), these problems have been fixed in
version 4.11.3+24-g14b62ab3e5-1~deb10u1.
sunrat Posted January 17, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4603-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 17, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024
                 CVE-2019-17026

Multiple security issues have been found in Thunderbird which could
potentially result in the execution of arbitrary code or information
disclosure.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.4.1-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.4.1-1~deb10u1.
sunrat Posted January 20, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4604-1                   security@debian.org
https://www.debian.org/security/                           Hugo Lefeuvre
January 19, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : cacti
CVE ID         : CVE-2019-16723 CVE-2019-17357 CVE-2019-17358
Debian Bug     : 947374 947375 941036

Multiple issues have been found in cacti, a server monitoring system,
potentially resulting in SQL code execution or information disclosure by
authenticated users.

CVE-2019-16723

    Authenticated users may bypass authorization checks for viewing a
    graph by submitting requests with modified local_graph_id parameters.

CVE-2019-17357

    The graph administration interface insufficiently sanitizes the
    template_id parameter, potentially resulting in SQL injection. This
    vulnerability might be leveraged by authenticated attackers to
    perform unauthorized SQL code execution on the database.

CVE-2019-17358

    The sanitize_unserialize_selected_items function (lib/functions.php)
    insufficiently sanitizes user input before deserializing it,
    potentially resulting in unsafe deserialization of user-controlled
    data. This vulnerability might be leveraged by authenticated
    attackers to influence the program control flow or cause memory
    corruption.

For the oldstable distribution (stretch), these problems have been fixed
in version 0.8.8h+ds1-10+deb9u1. Note that stretch was only affected by
CVE-2018-17358.

For the stable distribution (buster), these problems have been fixed in
version 1.2.2+ds1-2+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4605-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 19, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601
                 CVE-2020-2604 CVE-2020-2654 CVE-2020-2655

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in denial of service, incorrect implementation of Kerberos
GSSAPI and TGS requests or incorrect TLS handshakes.

For the stable distribution (buster), these problems have been fixed in
version 11.0.6+10-1~deb10u1.
sunrat Posted January 21, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4606-1                   security@debian.org
https://www.debian.org/security/                         Michael Gilbert
January 20, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728
                 CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734
                 CVE-2019-13735 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738
                 CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742
                 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746
                 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750
                 CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754
                 CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758
                 CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763
                 CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 CVE-2020-6378
                 CVE-2020-6379 CVE-2020-6380

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-13725

    Gengming Liu and Jianyu Chen discovered a use-after-free issue in the
    bluetooth implementation.

CVE-2019-13726

    Sergei Lazunov discovered a buffer overflow issue.

CVE-2019-13727

    @piochu discovered a policy enforcement error.

CVE-2019-13728

    Rong Jian and Guang Gong discovered an out-of-bounds write error in
    the v8 javascript library.

CVE-2019-13729

    Zhe Jin discovered a use-after-free issue.

CVE-2019-13730

    Soyeon Park and Wen Xu discovered the use of a wrong type in the v8
    javascript library.

CVE-2019-13732

    Sergei Glazunov discovered a use-after-free issue in the WebAudio
    implementation.

CVE-2019-13734

    Wenxiang Qian discovered an out-of-bounds write issue in the sqlite
    library.

CVE-2019-13735

    Gengming Liu and Zhen Feng discovered an out-of-bounds write issue in
    the v8 javascript library.

CVE-2019-13736

    An integer overflow issue was discovered in the pdfium library.

CVE-2019-13737

    Mark Amery discovered a policy enforcement error.

CVE-2019-13738

    Johnathan Norman and Daniel Clark discovered a policy enforcement
    error.

CVE-2019-13739

    xisigr discovered a user interface error.

CVE-2019-13740

    Khalil Zhani discovered a user interface error.

CVE-2019-13741

    Michał Bentkowski discovered that user input could be incompletely
    validated.

CVE-2019-13742

    Khalil Zhani discovered a user interface error.

CVE-2019-13743

    Zhiyang Zeng discovered a user interface error.

CVE-2019-13744

    Prakash discovered a policy enforcement error.

CVE-2019-13745

    Luan Herrera discovered a policy enforcement error.

CVE-2019-13746

    David Erceg discovered a policy enforcement error.

CVE-2019-13747

    Ivan Popelyshev and André Bonatti discovered an uninitialized value.

CVE-2019-13748

    David Erceg discovered a policy enforcement error.

CVE-2019-13749

    Khalil Zhani discovered a user interface error.

CVE-2019-13750

    Wenxiang Qian discovered insufficient validation of data in the
    sqlite library.

CVE-2019-13751

    Wenxiang Qian discovered an uninitialized value in the sqlite
    library.

CVE-2019-13752

    Wenxiang Qian discovered an out-of-bounds read issue in the sqlite
    library.

CVE-2019-13753

    Wenxiang Qian discovered an out-of-bounds read issue in the sqlite
    library.

CVE-2019-13754

    Cody Crews discovered a policy enforcement error.

CVE-2019-13755

    Masato Kinugawa discovered a policy enforcement error.

CVE-2019-13756

    Khalil Zhani discovered a user interface error.

CVE-2019-13757

    Khalil Zhani discovered a user interface error.

CVE-2019-13758

    Khalil Zhani discovered a policy enforcement error.

CVE-2019-13759

    Wenxu Wu discovered a user interface error.

CVE-2019-13761

    Khalil Zhani discovered a user interface error.

CVE-2019-13762

    csanuragjain discovered a policy enforcement error.

CVE-2019-13763

    weiwangpp93 discovered a policy enforcement error.

CVE-2019-13764

    Soyeon Park and Wen Xu discovered the use of a wrong type in the v8
    javascript library.

CVE-2019-13767

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6377

    Zhe Jin discovered a use-after-free issue.

CVE-2020-6378

    Antti Levomäki and Christian Jalio discovered a use-after-free
    issue.

CVE-2020-6379

    Guang Gong discovered a use-after-free issue.

CVE-2020-6380

    Sergei Glazunov discovered an error verifying extension messages.

For the oldstable distribution (stretch), security support for chromium
has been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 79.0.3945.130-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4607-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 20, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openconnect
CVE ID         : CVE-2019-16239
Debian Bug     : 940871

Lukas Kupczyk reported a vulnerability in the handling of chunked HTTP in
openconnect, an open client for Cisco AnyConnect, Pulse and GlobalProtect
VPN. A malicious HTTP server (after having accepted its identity
certificate), can provide bogus chunk lengths for chunked HTTP encoding
and cause a heap-based buffer overflow.

For the oldstable distribution (stretch), this problem has been fixed in
version 7.08-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 8.02-1+deb10u1.
sunrat Posted January 21, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4608-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 21, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2019-14973 CVE-2019-17546

Multiple integer overflows have been discovered in the libtiff library
and the included tools.

For the stable distribution (buster), these problems have been fixed in
version 4.1.0+git191117-2~deb10u1.
sunrat Posted January 25, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4609-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 23, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-apt
CVE ID         : CVE-2019-15795 CVE-2019-15796
Debian Bug     : 944696

Two security issues were found in the Python interface to the apt package
manager; package downloads from unsigned repositories were incorrectly
rejected and the hash validation relied on MD5.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.4.1.

For the stable distribution (buster), these problems have been fixed in
version 1.8.4.1.
sunrat Posted January 30, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4610-1                   security@debian.org
https://www.debian.org/security/                          Alberto Garcia
January 29, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2019-8835 CVE-2019-8844 CVE-2019-8846

The following vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2019-8835

    An anonymous researcher discovered that maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2019-8844

    William Bowling discovered that maliciously crafted web content may
    lead to arbitrary code execution.

CVE-2019-8846

    Marcin Towalski of Cisco Talos discovered that maliciously crafted
    web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.26.3-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4611-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 29, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : opensmtpd
CVE ID         : CVE-2020-7247
Debian Bug     : 950121

Qualys discovered that the OpenSMTPD SMTP server performed insufficient
validation of email addresses which could result in the execution of
arbitrary commands as root. In addition this update fixes a denial of
service by triggering an opportunistic TLS downgrade.

For the oldstable distribution (stretch), these problems have been fixed
in version 6.0.2p1-2+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 6.0.3p1-5+deb10u3. This update also includes non-security
bugfixes which were already lined up for the Buster 10.3 point release.
sunrat Posted February 1, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4612-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 31, 2020                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : prosody-modules
CVE ID         : CVE-2020-8086

It was discovered that the LDAP authentication modules for the Prosody
Jabber/XMPP server incorrectly validated the XMPP address when checking
whether a user has admin access.

For the oldstable distribution (stretch), this problem has been fixed in
version 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1.
sunrat Posted February 1, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4613-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 01, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libidn2
CVE ID         : CVE-2019-18224
Debian Bug     : 942895

A heap-based buffer overflow vulnerability was discovered in the
idn2_to_ascii_4i() function in libidn2, the GNU library for
Internationalized Domain Names (IDNs), which could result in denial of
service, or the execution of arbitrary code when processing a long domain
string.

For the stable distribution (buster), this problem has been fixed in
version 2.0.5-1+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4614-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 01, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : sudo
CVE ID         : CVE-2019-18634
Debian Bug     : 950371

Joe Vennix discovered a stack-based buffer overflow vulnerability in
sudo, a program designed to provide limited super user privileges to
specific users, triggerable when configured with the "pwfeedback" option
enabled. An unprivileged user can take advantage of this flaw to obtain
full root privileges.

Details can be found in the upstream advisory at
https://www.sudo.ws/alerts/pwfeedback.html

For the oldstable distribution (stretch), this problem has been fixed in
version 1.8.19p1-2.1+deb9u2.

For the stable distribution (buster), exploitation of the bug is
prevented due to a change in EOF handling introduced in 1.8.26.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4615-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 01, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : spamassassin
CVE ID         : CVE-2020-1930 CVE-2020-1931
Debian Bug     : 950258

Two vulnerabilities were discovered in spamassassin, a Perl-based spam
filter using text analysis. Malicious rule or configuration files,
possibly downloaded from an updates server, could execute arbitrary
commands under multiple scenarios.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.4.2-1~deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 3.4.2-1+deb10u2.
sunrat Posted February 2, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4616-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 02, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2019-15890 CVE-2020-7039 CVE-2020-1711

Two security issues have been found in the SLiRP networking
implementation of QEMU, a fast processor emulator, which could result in
the execution of arbitrary code or denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:2.8+dfsg-6+deb9u9.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u4.
sunrat Posted February 3, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4617-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 03, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : qtbase-opensource-src
CVE ID         : CVE-2020-0569 CVE-2020-0570

Two security issues were found in the Qt library, which could result in
plugins and libraries being loaded from the current working directory,
resulting in potential code execution.

For the oldstable distribution (stretch), these problems have been fixed
in version 5.7.1+dfsg-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 5.11.3+dfsg1-1+deb10u3.
sunrat Posted February 6, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4618-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 06, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libexif
CVE ID         : CVE-2019-9278
Debian Bug     : 945948

An out-of-bounds write vulnerability due to an integer overflow was
reported in libexif, a library to parse EXIF files, which could result in
denial of service, or potentially the execution of arbitrary code if
specially crafted image files are processed.

For the oldstable distribution (stretch), this problem has been fixed in
version 0.6.21-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 0.6.21-5.1+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4619-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 06, 2020                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libxmlrpc3-java
CVE ID         : CVE-2019-17570
Debian Bug     : 949089

Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an
XML-RPC implementation in Java, does perform deserialization of the
server-side exception serialized in the faultCause attribute of XMLRPC
error response messages. A malicious XMLRPC server can take advantage of
this flaw to execute arbitrary code with the privileges of an application
using the Apache XMLRPC client library.

Note that a client that expects to get server-side exceptions needs to
set the enabledForExceptions property explicitly.

For the oldstable distribution (stretch), this problem has been fixed in
version 3.1.3-8+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 3.1.3-9+deb10u1.
sunrat Posted February 8, 2020

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.3 released                       press@debian.org
February 8th, 2020               https://www.debian.org/News/2020/20200208
------------------------------------------------------------------------

The Debian project is pleased to announce the third update of its stable
distribution Debian 10 (codename "buster"). This point release mainly adds
corrections for security issues, along with a few adjustments for serious
problems. Security advisories have already been published separately and
are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no need
to throw away old "buster" media. After installation, packages can be
upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 9: 9.12 released                        press@debian.org
February 8th, 2020             https://www.debian.org/News/2020/2020020802
------------------------------------------------------------------------

The Debian project is pleased to announce the twelfth update of its
oldstable distribution Debian 9 (codename "stretch"). This point release
mainly adds corrections for security issues, along with a few adjustments
for serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no need
to throw away old "stretch" media. After installation, packages can be
upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.
sunrat Posted February 13, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4620-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 12, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6796 CVE-2020-6798 CVE-2020-6800

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.5.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.5.0esr-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4621-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 12, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601
                 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in denial of service, incorrect implementation of Kerberos
GSSAPI and TGS requests or incorrect TLS handshakes.

For the oldstable distribution (stretch), these problems have been fixed
in version 8u242-b08-1~deb9u1.
sunrat Posted February 14, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4622-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 13, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-9.6
CVE ID         : CVE-2020-1720

Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" subcommands in
the PostgreSQL database did not perform authorisation checks.

For the oldstable distribution (stretch), this problem has been fixed
in version 9.6.17-0+deb9u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4623-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 13, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-11
CVE ID         : CVE-2020-1720

Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" subcommands in
the PostgreSQL database did not perform authorisation checks.

For the stable distribution (buster), this problem has been fixed in
version 11.7-0+deb10u1.
sunrat Posted February 15, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4624-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 14, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : evince
CVE ID         : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006
Debian Bug     : 927820

Several vulnerabilities were discovered in evince, a simple multi-page
document viewer.

CVE-2017-1000159

    Tobias Mueller reported that the DVI exporter in evince is susceptible
    to a command injection vulnerability via specially crafted filenames.

CVE-2019-11459

    Andy Nguyen reported that the tiff_document_render() and
    tiff_document_get_thumbnail() functions in the TIFF document backend
    did not handle errors from TIFFReadRGBAImageOriented(), leading to
    disclosure of uninitialized memory when processing TIFF image files.

CVE-2019-1010006

    A buffer overflow vulnerability in the tiff backend could lead to
    denial of service, or potentially the execution of arbitrary code if
    a specially crafted PDF file is opened.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.22.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 3.30.2-3+deb10u1. The stable distribution is only affected by
CVE-2019-11459.
sunrat Posted February 16, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4625-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 15, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795
                 CVE-2020-6798 CVE-2020-6800

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.5.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.5.0-1~deb10u1.
sunrat Posted February 18, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4626-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 17, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049
                 CVE-2019-11050 CVE-2020-7059 CVE-2020-7060

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in information
disclosure, denial of service or incorrect validation of path names.

For the stable distribution (buster), these problems have been fixed in
version 7.3.14-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4627-1                   security@debian.org
https://www.debian.org/security/                            Alberto Garcia
February 17, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867
                 CVE-2020-3868

The following vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2020-3862

    Srikanth Gatta discovered that a malicious website may be able to
    cause a denial of service.

CVE-2020-3864

    Ryan Pickren discovered that a DOM object context may not have had a
    unique security origin.

CVE-2020-3865

    Ryan Pickren discovered that a top-level DOM object context may have
    incorrectly been considered secure.

CVE-2020-3867

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

CVE-2020-3868

    Marcin Towalski discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.26.4-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4628-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 18, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11050
                 CVE-2020-7059 CVE-2020-7060

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language, which could result in information
disclosure, denial of service or incorrect validation of path names.

For the oldstable distribution (stretch), these problems have been fixed
in version 7.0.33-0+deb9u7.
sunrat Posted February 19, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4629-1                   security@debian.org
https://www.debian.org/security/                        Sebastien Delafond
February 19, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2020-7471
Debian Bug     : 950581

Simon Charette discovered that Django, a high-level Python web development
framework, did not properly handle input in its PostgreSQL module. A
remote attacker could leverage this to perform SQL injection attacks.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:1.10.7-2+deb9u8.

For the stable distribution (buster), this problem has been fixed in
version 1:1.11.28-1~deb10u1.
sunrat Posted February 21, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4630-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 21, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-pysaml2
CVE ID         : CVE-2020-5390

It was discovered that pysaml2, a Python implementation of SAML to be used
in a WSGI environment, was susceptible to XML signature wrapping attacks,
which could result in a bypass of signature verification.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.0.0-5+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 5.4.1-2+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4631-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 21, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pillow
CVE ID         : CVE-2019-16865 CVE-2019-19911 CVE-2020-5311 CVE-2020-5312
                 CVE-2020-5313

Multiple security issues were discovered in Pillow, a Python imaging
library, which could result in denial of service and potentially the
execution of arbitrary code if malformed PCX, FLI, SGI or TIFF images are
processed.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.0.0-4+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 5.4.1-2+deb10u1.
sunrat Posted February 22, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4632-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 22, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ppp
CVE ID         : CVE-2020-8597
Debian Bug     : 950618

Ilja Van Sprundel reported a logic flaw in the Extensible Authentication
Protocol (EAP) packet parser in the Point-to-Point Protocol Daemon (pppd).
An unauthenticated attacker can take advantage of this flaw to trigger a
stack-based buffer overflow, leading to denial of service (pppd daemon
crash).

For the oldstable distribution (stretch), this problem has been fixed
in version 2.4.7-1+4+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 2.4.7-2+4.1+deb10u1.
sunrat Posted February 24, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4633-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
February 22, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2019-5436 CVE-2019-5481 CVE-2019-5482
Debian Bug     : 929351 940009 940010

Multiple vulnerabilities were discovered in cURL, a URL transfer library.

CVE-2019-5436

    A heap buffer overflow in the TFTP receiving code was discovered,
    which could allow DoS or arbitrary code execution. This only affects
    the oldstable distribution (stretch).

CVE-2019-5481

    Thomas Vegas discovered a double-free in the FTP-KRB code, triggered
    by a malicious server sending a very large data block.

CVE-2019-5482

    Thomas Vegas discovered a heap buffer overflow that could be
    triggered when a small non-default TFTP blocksize is used.

For the oldstable distribution (stretch), these problems have been fixed
in version 7.52.1-5+deb9u10.

For the stable distribution (buster), these problems have been fixed in
version 7.64.0-4+deb10u1.
sunrat Posted February 27, 2020

-------------------------------------------------------------------------
Debian Security Advisory DSA-4634-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 26, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : opensmtpd
CVE ID         : CVE-2020-8794
Debian Bug     : 952453

Qualys discovered that the OpenSMTPD SMTP server performed insufficient
validation of SMTP commands, which could result in local privilege
escalation or the execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 6.0.2p1-2+deb9u3.

For the stable distribution (buster), this problem has been fixed in
version 6.0.3p1-5+deb10u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4635-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 26, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : proftpd-dfsg
CVE ID         : CVE-2020-9273
Debian Bug     : 951800

Antonio Morales discovered a use-after-free flaw in the memory pool
allocator in ProFTPD, a powerful modular FTP/SFTP/FTPS server.
Interrupting current data transfers can corrupt the ProFTPD memory pool,
leading to denial of service, or potentially the execution of arbitrary
code.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.3.5b-4+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 1.3.6-4+deb10u4.
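An added check, not part of the thread or of any advisory above: every DSA in this thread ends with "fixed in version ...", and deciding whether a host is covered means ordering Debian version strings correctly (epoch, '~' sorting below everything, "+deb10u1" sorting above the base revision). This Python block re-implements dpkg's version ordering and tests a constructed set of installed versions against the buster fixed versions the advisories quote; the installed versions are made up for the example.

```python
import re
from itertools import zip_longest

# Fixed buster versions quoted from the advisories in this thread.
FIXED_BUSTER = {
    "libexif": "0.6.21-5.1+deb10u1",         # DSA-4618-1
    "python-django": "1:1.11.28-1~deb10u1",  # DSA-4629-1
    "ppp": "2.4.7-2+4.1+deb10u1",            # DSA-4632-1
    "curl": "7.64.0-4+deb10u1",              # DSA-4633-1
    "opensmtpd": "6.0.3p1-5+deb10u4",        # DSA-4634-1
}
# Constructed sample of what `dpkg-query -W` might report on one host.
INSTALLED_SAMPLE = {
    "libexif": "0.6.21-5.1", "python-django": "1:1.11.28-1~deb10u1",
    "ppp": "2.4.7-2+4.1", "curl": "7.64.0-4+deb10u1",
    "opensmtpd": "6.0.3p1-5+deb10u3",
}

# A version part is read as a sequence of (non-digit run, digit run) pairs.
_SEG = re.compile(r"(\D*)(\d*)")


def _order(c):
    # dpkg character weight: '~' < end-of-string (0) < letters < other symbols.
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    # Mirror dpkg's verrevcmp(): compare non-digit runs by _order() with a 0
    # sentinel standing in for end-of-string, then digit runs numerically.
    pairs = zip_longest(_SEG.findall(a), _SEG.findall(b), fillvalue=("", ""))
    for (na, da), (nb, db) in pairs:
        ka = tuple(_order(c) for c in na) + (0,)
        kb = tuple(_order(c) for c in nb) + (0,)
        if ka != kb:
            return -1 if ka < kb else 1
        va, vb = int(da or 0), int(db or 0)
        if va != vb:
            return -1 if va < vb else 1
    return 0


def parse_version(v):
    # Split "epoch:upstream-revision"; epoch and revision are optional.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    # Return -1, 0 or 1 in the order `dpkg --compare-versions` uses.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    return (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def unpatched(installed, fixed=FIXED_BUSTER):
    # Packages whose installed version sorts below the advisory's fixed version.
    return sorted(p for p, v in installed.items()
                  if p in fixed and compare_versions(v, fixed[p]) < 0)
```

On a real host, `dpkg --compare-versions` gives the authoritative answer; this block exists to make the ordering rules visible, for instance that "1~deb10u1" is older than "1" while "5.1+deb10u1" is newer than "5.1".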