Jump to content

Bruno

Recommended Posts

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4636-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 28, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-bleach
CVE ID         : CVE-2020-6802
Debian Bug     : 951907

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when
'noscript' and one or more raw text tags were whitelisted.

For the stable distribution (buster), this problem has been fixed in
version 3.1.1-0+deb10u1.
Link to comment
Share on other sites

  • 2 weeks later...
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4637-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 09, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : network-manager-ssh
CVE ID         : CVE-2020-9355

Kobus van Schoor discovered that network-manager-ssh, a plugin to
provide VPN integration for SSH in NetworkManager, is prone to a
privilege escalation vulnerability. A local user with privileges to
modify a connection can take advantage of this flaw to execute arbitrary
commands as root.

This update drops support to pass extra SSH options to the ssh
invocation.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.2.1-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.2.10-1+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4638-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 10, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-19880 CVE-2019-19923 CVE-2019-19925 CVE-2019-19926
                 CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384
                 CVE-2020-6385 CVE-2020-6386 CVE-2020-6387 CVE-2020-6388
                 CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392
                 CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396
                 CVE-2020-6397 CVE-2020-6398 CVE-2020-6399 CVE-2020-6400
                 CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404
                 CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408
                 CVE-2020-6409 CVE-2020-6410 CVE-2020-6411 CVE-2020-6412
                 CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416
                 CVE-2020-6418 CVE-2020-6420

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-19880

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19923

    Richard Lorenz discovered an out-of-bounds read issue in the sqlite
    library.

CVE-2019-19925

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19926

    Richard Lorenz discovered an implementation error in the sqlite library.

CVE-2020-6381

    UK's National Cyber Security Centre discovered an integer overflow issue
    in the v8 javascript library.

CVE-2020-6382

    Soyeon Park and Wen Xu discovered a type error in the v8 javascript
    library.

CVE-2020-6383

    Sergei Glazunov discovered a type error in the v8 javascript library.

CVE-2020-6384

    David Manoucheri discovered a use-after-free issue in WebAudio.

CVE-2020-6385

    Sergei Glazunov discovered a policy enforcement error.

CVE-2020-6386

    Zhe Jin discovered a use-after-free issue in speech processing.

CVE-2020-6387

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6388

    Sergei Glazunov discovered an out-of-bounds read error in the WebRTC
    implementation.

CVE-2020-6389

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6390

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6391

    Michał Bentkowski discoverd that untrusted input was insufficiently
    validated.

CVE-2020-6392

    The Microsoft Edge Team discovered a policy enforcement error.

CVE-2020-6393

    Mark Amery discovered a policy enforcement error.

CVE-2020-6394

    Phil Freo discovered a policy enforcement error.

CVE-2020-6395

    Pierre Langlois discovered an out-of-bounds read error in the v8
    javascript library.

CVE-2020-6396

    William Luc Ritchie discovered an error in the skia library.

CVE-2020-6397

    Khalil Zhani discovered a user interface error.

CVE-2020-6398

    pdknsk discovered an uninitialized variable in the pdfium library.

CVE-2020-6399

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6400

    Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing.

CVE-2020-6401

    Tzachy Horesh discovered that user input was insufficiently validated.

CVE-2020-6402

    Vladimir Metnew discovered a policy enforcement error.

CVE-2020-6403

    Khalil Zhani discovered a user interface error.

CVE-2020-6404

    kanchi discovered an error in Blink/Webkit.

CVE-2020-6405

    Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the
    sqlite library.

CVE-2020-6406

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6407

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6408

    Zhong Zhaochen discovered a policy enforcement error in Cross-Origin
    Resource Sharing.

CVE-2020-6409

    Divagar S and Bharathi V discovered an error in the omnibox
    implementation.

CVE-2020-6410

    evil1m0 discovered a policy enforcement error.

CVE-2020-6411

    Khalil Zhani discovered that user input was insufficiently validated.

CVE-2020-6412

    Zihan Zheng discovered that user input was insufficiently validated.

CVE-2020-6413

    Michał Bentkowski discovered an error in Blink/Webkit.

CVE-2020-6414

    Lijo A.T discovered a policy safe browsing policy enforcement error.

CVE-2020-6415

    Avihay Cohen discovered an implementation error in the v8 javascript
    library.

CVE-2020-6416

    Woojin Oh discovered that untrusted input was insufficiently validated.

CVE-2020-6418

    Clement Lecigne discovered a type error in the v8 javascript library.

CVE-2020-6420

    Taras Uzdenov discovered a policy enforcement error.

For the oldstable distribution (stretch), security support for chromium has
been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.132-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4639-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 11, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 
                 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.6.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.6.0esr-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4640-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 15, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : graphicsmagick
CVE ID         : CVE-2019-19950 CVE-2019-19951 CVE-2019-19953 CVE-2019-11474
                 CVE-2019-11473 CVE-2019-11506 CVE-2019-11505 CVE-2019-11010
                 CVE-2019-11009 CVE-2019-11008 CVE-2019-11007 CVE-2019-11006
                 CVE-2019-11005 CVE-2018-20189 CVE-2018-20185 CVE-2018-20184

This update fixes several vulnerabilities in Graphicsmagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure or the execution
of arbitrary code if malformed media files are processed.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.3.30+hg15796-1~deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 1.4~hg15978-1+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4641-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
March 16, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-10018

The following vulnerability has been discovered in the webkit2gtk web
engine:

CVE-2020-10018

   Sudhakar Verma, Ashfaq Ansari and Siddhant Badhe discovered that
   processing maliciously crafted web content may lead to arbitrary
   code execution.

For the stable distribution (buster), this problem has been fixed in
version 2.26.4-1~deb10u2.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4642-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 19, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 
                 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814

Multiple security issues have been found in Thunderbird which could
potentially result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.6.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.6.0-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4643-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 20, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-bleach
CVE ID         : CVE-2020-6816
Debian Bug     : 954236

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when
strip=False and 'math' or 'svg' tags and one or more of the RCDATA tags
were whitelisted.

For the stable distribution (buster), this problem has been fixed in
version 3.1.2-0+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4644-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 20, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2020-10592

A denial of service vulnerability (by triggering high CPU consumption)
was found in Tor, a connection-based low-latency anonymous communication
system.

For the stable distribution (buster), this problem has been fixed in
version 0.3.5.10-1.

For the oldstable distribution (stretch), support for tor is now
discontinued. Please upgrade to the stable release (buster) to continue
receiving tor updates.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4645-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 22, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-20503 CVE-2020-6422 CVE-2020-6424 CVE-2020-6425
                 CVE-2020-6426 CVE-2020-6427 CVE-2020-6428 CVE-2020-6429
                 CVE-2020-6449

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-20503

   Natalie Silvanovich discovered an out-of-bounds read issue in the usrsctp
   library.

CVE-2020-6422

    David Manouchehri discovered a use-after-free issue in the WebGL
    implementation.

CVE-2020-6424

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6425

    Sergei Glazunov discovered a policy enforcement error related to
    extensions.

CVE-2020-6426

    Avihay Cohen discovered an implementation error in the v8 javascript
    library.

CVE-2020-6427

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6428

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6429

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6449

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

For the oldstable distribution (stretch), security support for chromium has
been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.149-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4646-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 25, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icu
CVE ID         : CVE-2020-10531
Debian Bug     : 953747

Andre Bargull discovered an integer overflow in the International
Components for Unicode (ICU) library which could result in denial of
service and potentially the execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 57.1-6+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 63.1-6+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4647-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 26, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bluez
CVE ID         : CVE-2020-0556
Debian Bug     : 953770

It was reported that the BlueZ's HID and HOGP profile implementations
don't specifically require bonding between the device and the host.
Malicious devices can take advantage of this flaw to connect to a target
host and impersonate an existing HID device without security or to cause
an SDP or GATT service discovery to take place which would allow HID
reports to be injected to the input subsystem from a non-bonded source.

For the HID profile an new configuration option (ClassicBondedOnly) is
introduced to make sure that input connections only come from bonded
device connections. The options defaults to 'false' to maximize device
compatibility.

For the oldstable distribution (stretch), this problem has been fixed
in version 5.43-2+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 5.50-1.2~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4648-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 31, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libpam-krb5
CVE ID         : CVE-2020-10595

Russ Allbery discovered a buffer overflow in the PAM module for MIT
Kerberos, which could result in denial of service or potentially the
execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.7-4+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 4.8-2+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4649-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 02, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : CVE-2020-11100

Felix Wilhelm of Google Project Zero discovered that HAProxy, a TCP/HTTP
reverse proxy, did not properly handle HTTP/2 headers. This would allow
an attacker to write arbitrary bytes around a certain location on the
heap, resulting in denial-of-service or potential arbitrary code
execution.

For the stable distribution (buster), this problem has been fixed in
version 1.8.19-1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4651-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 02, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2020-10960

It was discovered that some user-generated CSS selectors in MediaWiki, a
website engine for collaborative work, were not escaped.

The oldstable distribution (stretch) is not affected.

For the stable distribution (buster), this problem has been fixed in
version 1:1.31.7-1~deb10u1

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4650-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 02, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qbittorrent
CVE ID         : CVE-2019-13640
Debian Bug     : 932539

Miguel Onoro reported that qbittorrent, a bittorrent client with a Qt5
GUI user interface, allows command injection via shell metacharacters in
the torrent name parameter or current tracker parameter, which could
result in remote command execution via a crafted name within an RSS feed
if qbittorrent is configured to run an external program on torrent
completion.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.3.7-3+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 4.1.5-1+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4652-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 04, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnutls28
CVE ID         : CVE-2020-11501
Debian Bug     : 955556

A flaw was reported in the DTLS protocol implementation in GnuTLS, a
library implementing the TLS and SSL protocols. The DTLS client would
not contribute any randomness to the DTLS negotiation, breaking the
security guarantees of the DTLS protocol.

For the stable distribution (buster), this problem has been fixed in
version 3.6.7-4+deb10u3.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4653-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 04, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6819 CVE-2020-6820

Two security issues have been found in the Mozilla Firefox web browser,
which could result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.6.1esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.6.1esr-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4654-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
April 07, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2020-6450 CVE-2020-6451 CVE-2020-6452

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2020-6450

    Man Yue Mo discovered a use-after-free issue in the WebAudio
    implementation.

CVE-2020-6451

    Man Yue Mo discovered a use-after-free issue in the WebAudio
    implementation.

CVE-2020-6452

    asnine discovered a buffer overflow issue.

For the oldstable distribution (stretch), security support for chromium
has been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.162-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4655-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 08, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6821 CVE-2020-6822 CVE-2020-6825

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.7.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.7.0esr-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4656-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 13, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 
                 CVE-2020-6825

Multiple security issues have been found in Thunderbird which could result
in denial of service or potentially the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.7.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.7.0-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4657-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 14, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2020-5260

Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast,
scalable, distributed revision control system. With a crafted URL that
contains a newline, the credential helper machinery can be fooled to
return credential information for a wrong host.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:2.11.0-3+deb9u6.

For the stable distribution (buster), this problem has been fixed in
version 1:2.20.1-2+deb10u2.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4658-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
April 16, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-11793

The following vulnerability has been discovered in the webkit2gtk web
engine:

CVE-2020-11793

   Cim Stordal discovered that maliciously crafted web content may
   lead to arbitrary code execution or a denial of service.

For the stable distribution (buster), this problem has been fixed in
version 2.26.4-1~deb10u3.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4659-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 20, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : git
CVE ID         : CVE-2020-11008

Carlo Arenas discovered a flaw in git, a fast, scalable, distributed
revision control system. With a crafted URL that contains a newline or
empty host, or lacks a scheme, the credential helper machinery can be
fooled into providing credential information that is not appropriate for
the protocol in use and host being contacted.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:2.11.0-3+deb9u7.

For the stable distribution (buster), this problem has been fixed in
version 1:2.20.1-2+deb10u3.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4660-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 21, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : awl
CVE ID         : CVE-2020-11728 CVE-2020-11729
Debian Bug     : 956650

Andrew Bartlett discovered that awl, DAViCal Andrew's Web Libraries,
did not properly handle session management: this would allow a
malicious user to impersonate other sessions or users.

For the oldstable distribution (stretch), these problems have been fixed
in version 0.57-1+deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 0.60-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4661-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 21, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2020-1967

Bernd Edlinger discovered that malformed data passed to the
SSL_check_chain() function during or after a TLS 1.3 handshake could
cause a NULL dereference, resulting in denial of service.

The oldstable distribution (stretch) is not affected.

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u3.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4662-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 
                 CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 
                 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 
                 CVE-2020-2830

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, resulting in denial of service, insecure TLS handshakes, bypass
of sandbox restrictions or HTTP response splitting attacks.

For the stable distribution (buster), these problems have been fixed in
version 11.0.7+10-3~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4663-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 25, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-reportlab
CVE ID         : CVE-2019-17626
Debian Bug     : 942763

It was discovered that python-reportlab, a Python library to create PDF
documents, is prone to a code injection vulnerability while parsing a
color attribute. An attacker can take advantage of this flaw to execute
arbitrary code if a specially crafted document is processed.

For the oldstable distribution (stretch), this problem has been fixed
in version 3.3.0-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 3.5.13-1+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4664-1                   security@debian.org
https://www.debian.org/security/                          Thijs Kinkhorst 
April 26, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mailman
CVE ID         : CVE-2020-12137

Hanno Boeck discovered that it was possible to create a cross site
scripting attack on the webarchives of the Mailman mailing list manager,
by sending a special type of attachement.

For the oldstable distribution (stretch), this problem has been fixed
in version 1:2.1.23-1+deb9u5.

For the stable distribution (buster), this problem has been fixed in
version 1:2.1.29-1+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4665-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 27, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2019-12068 CVE-2019-15034 CVE-2019-20382 CVE-2020-1983

Multiple security issues were discovered in QEMU, a fast processor emulator,
which could result in denial of service or the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u5.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4666-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 28, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openldap
CVE ID         : CVE-2020-12243

A vulnerability was discovered in OpenLDAP, a free implementation of the
Lightweight Directory Access Protocol. LDAP search filters with nested
boolean expressions can result in denial of service (slapd daemon
crash).

For the oldstable distribution (stretch), this problem has been fixed
in version 2.4.44+dfsg-5+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 2.4.47+dfsg-3+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4668-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 28, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-8
CVE ID         : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 
                 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 
                 CVE-2020-2805

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in denial of service, insecure TLS handshakes, bypass of
sandbox restrictions or HTTP response splitting attacks.

For the oldstable distribution (stretch), these problems have been fixed
in version 8u252-b09-1~deb9u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4667-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 28, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2020-2732 CVE-2020-8428 CVE-2020-10942 CVE-2020-11565
                 CVE-2020-11884

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service, or information
leak.

CVE-2020-2732

    Paulo Bonzini discovered that the KVM implementation for Intel
    processors did not properly handle instruction emulation for L2
    guests when nested virtualization is enabled.  This could allow
    an L2 guest to cause privilege escalation, denial of service,
    or information leaks in the L1 guest.

CVE-2020-8428

    Al Viro discovered a use-after-free vulnerability in the VFS
    layer.  This allowed local users to cause a denial-of-service
    (crash) or obtain sensitive information from kernel memory.

CVE-2020-10942

    It was discovered that the vhost_net driver did not properly
    validate the type of sockets set as back-ends.  A local user
    permitted to access /dev/vhost-net could use this to cause a stack
    corruption via crafted system calls, resulting in denial of
    service (crash) or possibly privilege escalation.

CVE-2020-11565

    Entropy Moe reported that the shared memory filesystem (tmpfs) did
    not correctly handle an "mpol" mount option specifying an empty
    node list, leading to a stack-based out-of-bounds write.  If user
    namespaces are enabled, a local user could use this to cause a
    denial of service (crash) or possibly for privilege escalation.

CVE-2020-11884

    Al Viro reported a race condition in memory management code for
    IBM Z (s390x architecture), that can result in the kernel
    executing code from the user address space.  A local user could
    use this for privilege escalation.

For the stable distribution (buster), these problems have been fixed in
version 4.19.98-1+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4669-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 29, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nodejs
CVE ID         : CVE-2019-9511 CVE-2019-9513 CVE-2019-9514 CVE-2019-15604 
                 CVE-2019-15605 CVE-2019-15606

Multiple vulnerabilities were discovered in Node.js, which could result in
denial of service or HTTP request smuggling.

For the stable distribution (buster), these problems have been fixed in
version 10.19.0~dfsg1-1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4670-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 29, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2018-12900 CVE-2018-17000 CVE-2018-17100 CVE-2018-19210
                 CVE-2019-7663 CVE-2019-14973 CVE-2019-17546
Debian Bug     : 902718 908778 909038 913675 934780

Several vulnerabilities have been found in the TIFF library, which may
result in denial of service or the execution of arbitrary code if
malformed image files are processed.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.0.8-2+deb9u5.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4671-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 30, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077 
                 CVE-2020-6078 CVE-2020-6079 CVE-2020-6080

Multiple security issues were discovered in the microdns plugin of the
VLC media player, which could result in denial of service or potentially
the execution of arbitrary code via malicious mDNS packets.

For the oldstable distribution (stretch), these problems have been fixed
in version 3.0.10-0+deb9u1. This update disables the microdns plugin.

For the stable distribution (buster), these problems have been fixed in
version 3.0.10-0+deb10u1. This update disables the microdns plugin.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4672-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 01, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package        : trafficserver
CVE ID         : CVE-2019-17559 CVE-2019-17565 CVE-2020-1944 CVE-2020-9481

Several vulnerabilities were discovered in Apache Traffic Server, a
reverse and forward proxy server, which could result in denial of service
or request smuggling attacks.

For the stable distribution (buster), these problems have been fixed in
version 8.0.2+ds-1+deb10u2.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4673-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 03, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat8
CVE ID         : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938

Several vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in HTTP request smuggling and code execution
in the AJP connector (disabled by default in Debian).

For the oldstable distribution (stretch), these problems have been fixed
in version 8.5.54-0+deb9u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4674-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
May 05, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-12625 CVE-2020-12626
Debian Bug     : 959140 959142

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not correctly process and sanitize
requests. This would allow a remote attacker to perform either a
Cross-Site Request Forgery (CSRF) forcing an authenticated user to be
logged out, or a Cross-Side Scripting (XSS) leading to execution of
arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.2.3+dfsg.1-4+deb9u4.

For the stable distribution (buster), these problems have been fixed in
version 1.3.11+dfsg.1-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4675-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 05, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : graphicsmagick
CVE ID         : CVE-2019-12921 CVE-2020-10938

Several vulnerabilities have been discovered in GraphicsMagick, a set of
command-line applications to manipulate image files, which could result
in information disclosure, denial of service or the execution of
arbitrary code if malformed image files are processed.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.3.30+hg15796-1~deb9u4.

For the stable distribution (buster), these problems have been fixed in
version 1.4+really1.3.35-1~deb10u1.
Link to comment
Share on other sites

×
×
  • Create New...