sunrat Posted January 22, 2021 Share Posted January 22, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4834-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff January 22, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : vlc CVE ID : CVE-2020-26664 Debian Bug : 979676 Multiple vulnerabilities were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed media file is opened. For the stable distribution (buster), this problem has been fixed in version 3.0.12-0+deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4835-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff January 22, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tomcat9 CVE ID : CVE-2020-13943 CVE-2020-17527 Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in information disclosure. For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u3. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4836-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff January 22, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openvswitch CVE ID : CVE-2015-8011 CVE-2020-27827 Debian Bug : 980132 Two vulnerabilities were discovered in the LLPD implementation of Open vSwitch, a software-based Ethernet virtual switch, which could result in denial of service. For the stable distribution (buster), these problems have been fixed in version 2.10.6+ds1-0+deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted January 23, 2021 Share Posted January 23, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4830-2 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 22, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : flatpak Debian Bug : 980323 The update for flatpak released as DSA 4830-1 introduced regressions with flatpak build and in the extra-data mechanism. Updated flatpak packages are now available to correct this issue. For the stable distribution (buster), this problem has been fixed in version 1.2.5-0+deb10u3. Link to comment Share on other sites More sharing options...
sunrat Posted January 24, 2021 Share Posted January 24, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4837-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 24, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : salt CVE ID : CVE-2020-16846 CVE-2020-17490 CVE-2020-25592 Several vulnerabilities were discovered in salt, a powerful remote execution manager. The flaws could result in authentication bypass and invocation of Salt SSH, creation of certificates with weak file permissions via the TLS execution module or shell injections with the Salt API using the SSH client. For the stable distribution (buster), these problems have been fixed in version 2018.3.4+dfsg1-6+deb10u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4833-2 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 24, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : gst-plugins-bad1.0 The update for gst-plugins-bad1.0 released as DSA 4833-1 choosed a package version incompatible with binNMUs and prevented upgrades to the fixed packages. Updated gst-plugins-bad1.0 packages are now available to correct this issue. For the stable distribution (buster), this problem has been fixed in version 1.14.4-1+deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted January 25, 2021 Share Posted January 25, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4838-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 25, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mutt CVE ID : CVE-2021-3181 Debian Bug : 980326 Tavis Ormandy discovered a memory leak flaw in the rfc822 group recipient parsing in Mutt, a text-based mailreader supporting MIME, GPG, PGP and threading, which could result in denial of service. For the stable distribution (buster), this problem has been fixed in version 1.10.1-2.1+deb10u5. Link to comment Share on other sites More sharing options...
sunrat Posted January 27, 2021 Share Posted January 27, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4839-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 26, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : sudo CVE ID : CVE-2021-3156 The Qualys Research Labs discovered a heap-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users. Any local user (sudoers and non-sudoers) can exploit this flaw for root privilege escalation. For the stable distribution (buster), this problem has been fixed in version 1.8.27-1+deb10u3. Link to comment Share on other sites More sharing options...
sunrat Posted January 27, 2021 Share Posted January 27, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4840-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff January 27, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : firefox-esr CVE ID : CVE-2020-26976 CVE-2021-23953 CVE-2021-23954 CVE-2021-23960 CVE-2021-23964 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure. For the stable distribution (buster), these problems have been fixed in version 78.7.0esr-1~deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4841-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff January 27, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : slurm-llnl CVE ID : CVE-2019-19728 CVE-2020-12693 CVE-2020-27745 CVE-2020-27746 Multiple security issues were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which could result in denial of service, information disclosure or privilege escalation. For the stable distribution (buster), these problems have been fixed in version 18.08.5.2-1+deb10u2. Link to comment Share on other sites More sharing options...
sunrat Posted February 1, 2021 Share Posted February 1, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4842-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff January 31, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : thunderbird CVE ID : CVE-2020-15685 CVE-2020-16044 CVE-2020-26976 CVE-2021-23953 CVE-2021-23954 CVE-2021-23960 CVE-2021-23964 Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service or an information leak. For the stable distribution (buster), these problems have been fixed in version 1:78.7.0-1~deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 1, 2021 Share Posted February 1, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4843-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 01, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2020-27815 CVE-2020-27825 CVE-2020-27830 CVE-2020-28374 CVE-2020-29568 CVE-2020-29569 CVE-2020-29660 CVE-2020-29661 CVE-2020-36158 CVE-2021-3347 CVE-2021-20177 Debian Bug : 970736 972345 977048 977615 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. CVE-2020-27815 A flaw was reported in the JFS filesystem code allowing a local attacker with the ability to set extended attributes to cause a denial of service. CVE-2020-27825 Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace ring buffer resizing logic due to a race condition, which could result in denial of service or information leak. CVE-2020-27830 Shisong Qin reported a NULL pointer dereference flaw in the Speakup screen reader core driver. CVE-2020-28374 David Disseldorp discovered that the LIO SCSI target implementation performed insufficient checking in certain XCOPY requests. An attacker with access to a LUN and knowledge of Unit Serial Number assignments can take advantage of this flaw to read and write to any LIO backstore, regardless of the SCSI transport settings. CVE-2020-29568 (XSA-349) Michael Kurth and Pawel Wieczorkiewicz reported that frontends can trigger OOM in backends by updating a watched path. CVE-2020-29569 (XSA-350) Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free flaw which can be triggered by a block frontend in Linux blkback. A misbehaving guest can trigger a dom0 crash by continuously connecting / disconnecting a block frontend. CVE-2020-29660 Jann Horn reported a locking inconsistency issue in the tty subsystem which may allow a local attacker to mount a read-after-free attack against TIOCGSID. CVE-2020-29661 Jann Horn reported a locking issue in the tty subsystem which can result in a use-after-free. A local attacker can take advantage of this flaw for memory corruption or privilege escalation. CVE-2020-36158 A buffer overflow flaw was discovered in the mwifiex WiFi driver which could result in denial of service or the execution of arbitrary code via a long SSID value. CVE-2021-3347 It was discovered that PI futexes have a kernel stack use-after-free during fault handling. An unprivileged user could use this flaw to crash the kernel (resulting in denial of service) or for privilege escalation. CVE-2021-20177 A flaw was discovered in the Linux implementation of string matching within a packet. A privileged user (with root or CAP_NET_ADMIN) can take advantage of this flaw to cause a kernel panic when inserting iptables rules. For the stable distribution (buster), these problems have been fixed in version 4.19.171-2. Link to comment Share on other sites More sharing options...
sunrat Posted February 3, 2021 Share Posted February 3, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4845-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 03, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openldap CVE ID : CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36229 CVE-2020-36230 Several vulnerabilities were discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of these flaws to cause a denial of service (slapd daemon crash, infinite loops) via specially crafted packets. For the stable distribution (buster), these problems have been fixed in version 2.4.47+dfsg-3+deb10u5. Link to comment Share on other sites More sharing options...
sunrat Posted February 4, 2021 Share Posted February 4, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4844-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond February 02, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : dnsmasq CVE ID : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687 Moshe Kol and Shlomi Oberman of JSOF discovered several vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP server. They could result in denial of service, cache poisoning or the execution of arbitrary code. For the stable distribution (buster), these problems have been fixed in version 2.80-1+deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 7, 2021 Share Posted February 7, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4846-1 security@debian.org https://www.debian.org/security/ Michael Gilbert February 07, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium CVE ID : CVE-2020-16044 CVE-2021-21117 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 Several vulnerabilities have been discovered in the chromium web browser. CVE-2020-16044 Ned Williamson discovered a use-after-free issue in the WebRTC implementation. CVE-2021-21117 Rory McNamara discovered a policy enforcement issue in Cryptohome. CVE-2021-21118 Tyler Nighswander discovered a data validation issue in the v8 javascript library. CVE-2021-21119 A use-after-free issue was discovered in media handling. CVE-2021-21120 Nan Wang and Guang Gong discovered a use-after-free issue in the WebSQL implementation. CVE-2021-21121 Leecraso and Guang Gong discovered a use-after-free issue in the Omnibox. CVE-2021-21122 Renata Hodovan discovered a use-after-free issue in Blink/WebKit. CVE-2021-21123 Maciej Pulikowski discovered a data validation issue. CVE-2021-21124 Chaoyang Ding discovered a use-after-free issue in the speech recognizer. CVE-2021-21125 Ron Masas discovered a policy enforcement issue. CVE-2021-21126 David Erceg discovered a policy enforcement issue in extensions. CVE-2021-21127 Jasminder Pal Singh discovered a policy enforcement issue in extensions. CVE-2021-21128 Liang Dong discovered a buffer overflow issue in Blink/WebKit. CVE-2021-21129 Maciej Pulikowski discovered a policy enforcement issue. CVE-2021-21130 Maciej Pulikowski discovered a policy enforcement issue. CVE-2021-21131 Maciej Pulikowski discovered a policy enforcement issue. CVE-2021-21132 David Erceg discovered an implementation error in the developer tools. CVE-2021-21133 wester0x01 discovered a policy enforcement issue. CVE-2021-21134 wester0x01 discovered a user interface error. CVE-2021-21135 ndevtk discovered an implementation error in the Performance API. CVE-2021-21136 Shiv Sahni, Movnavinothan V, and Imdad Mohammed discovered a policy enforcement error. CVE-2021-21137 bobbybear discovered an implementation error in the developer tools. CVE-2021-21138 Weipeng Jiang discovered a use-after-free issue in the developer tools. CVE-2021-21139 Jun Kokatsu discovered an implementation error in the iframe sandbox. CVE-2021-21140 David Manouchehri discovered uninitialized memory in the USB implementation. CVE-2021-21141 Maciej Pulikowski discovered a policy enforcement error. CVE-2021-21142 Khalil Zhani discovered a use-after-free issue. CVE-2021-21143 Allen Parker and Alex Morgan discovered a buffer overflow issue in extensions. CVE-2021-21144 Leecraso and Guang Gong discovered a buffer overflow issue. CVE-2021-21145 A use-after-free issue was discovered. CVE-2021-21146 Alison Huffman and Choongwoo Han discovered a use-after-free issue. CVE-2021-21147 Roman Starkov discovered an implementation error in the skia library. For the stable distribution (buster), these problems have been fixed in version 88.0.4324.146-1~deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 8, 2021 Share Posted February 8, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4847-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 08, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : connman CVE ID : CVE-2021-26675 CVE-2021-26676 A remote information leak vulnerability and a remote buffer overflow vulnerability were discovered in ConnMan, a network manager for embedded devices, which could result in denial of service or the execution of arbitrary code. For the stable distribution (buster), these problems have been fixed in version 1.36-2.1~deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 9, 2021 Share Posted February 9, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4848-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 08, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : golang-1.11 CVE ID : CVE-2020-7919 CVE-2020-15586 CVE-2020-16845 CVE-2021-3114 Multiple security issues were discovered in the implementation of the Go programming language, which could result in denial of service and the P-224 curve implementation could generate incorrect outputs. For the stable distribution (buster), these problems have been fixed in version 1.11.6-1+deb10u4. Link to comment Share on other sites More sharing options...
sunrat Posted February 10, 2021 Share Posted February 10, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4849-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 09, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : firejail CVE ID : CVE-2021-26910 Roman Fiedler discovered a vulnerability in the OverlayFS code in firejail, a sandbox program to restrict the running environment of untrusted applications, which could result in root privilege escalation. This update disables OverlayFS support in firejail. For the stable distribution (buster), this problem has been fixed in version 0.9.58.2-2+deb10u2. Link to comment Share on other sites More sharing options...
sunrat Posted February 10, 2021 Share Posted February 10, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4850-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond February 10, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libzstd Debian Bug : 981404 It was discovered that zstd, a compression utility, temporarily exposed a world-readable version of its input even if the original file had restrictive permissions. For the stable distribution (buster), this problem has been fixed in version 1.3.8+dfsg-3+deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 13, 2021 Share Posted February 13, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4851-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 13, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : subversion CVE ID : CVE-2020-17525 Debian Bug : 982464 Thomas Akesson discovered a remotely triggerable vulnerability in the mod_authz_svn module in Subversion, a version control system. When using in-repository authz rules with the AuthzSVNReposRelativeAccessFile option an unauthenticated remote client can take advantage of this flaw to cause a denial of service by sending a request for a non-existing repository URL. For the stable distribution (buster), this problem has been fixed in version 1.10.4-1+deb10u2. Link to comment Share on other sites More sharing options...
sunrat Posted February 15, 2021 Share Posted February 15, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4852-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond February 15, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openvswitch CVE ID : CVE-2020-35498 Debian Bug : 982493 Joakim Hindersson discovered that Open vSwitch, a software-based Ethernet virtual switch, allowed a malicious user to cause a denial-of-service by sending a specially crafted packet. For the stable distribution (buster), this problem has been fixed in version 2.10.7+ds1-0+deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 17, 2021 Share Posted February 17, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4853-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond February 16, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : spip It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks, access sensitive information, or execute arbitrary code. For the stable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u4. Link to comment Share on other sites More sharing options...
sunrat Posted February 17, 2021 Share Posted February 17, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4855-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 17, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssl CVE ID : CVE-2019-1551 CVE-2021-23840 CVE-2021-23841 Debian Bug : 947949 Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit. An overflow bug in the x64_64 Montgomery squaring procedure, an integer overflow in CipherUpdate and a NULL pointer dereference flaw X509_issuer_and_serial_hash() were found, which could result in denial of service. Additional details can be found in the upstream advisories https://www.openssl.org/news/secadv/20191206.txt and https://www.openssl.org/news/secadv/20210216.txt . For the stable distribution (buster), these problems have been fixed in version 1.1.1d-0+deb10u5. Link to comment Share on other sites More sharing options...
sunrat Posted February 19, 2021 Share Posted February 19, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4854-1 security@debian.org https://www.debian.org/security/ Alberto Garcia February 17, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : webkit2gtk CVE ID : CVE-2020-13558 The following vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2020-13558 Marcin Noga discovered that processing maliciously crafted web content may lead to arbitrary code execution. For the stable distribution (buster), this problem has been fixed in version 2.30.5-1~deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4856-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 17, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : php7.3 CVE ID : CVE-2020-7068 CVE-2020-7069 CVE-2020-7070 CVE-2020-7071 CVE-2021-21702 Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in denial of service, information disclosure, cookie forgery or incorrect encryption. For the stable distribution (buster), these problems have been fixed in version 7.3.27-1~deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4857-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 18, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : bind9 CVE ID : CVE-2020-8625 Debian Bug : 983004 A buffer overflow vulnerability was discovered in the SPNEGO implementation affecting the GSSAPI security policy negotiation in BIND, a DNS server implementation, which could result in denial of service (daemon crash), or potentially the execution of arbitrary code. For the stable distribution (buster), this problem has been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u3. Link to comment Share on other sites More sharing options...
sunrat Posted February 20, 2021 Share Posted February 20, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4858-1 security@debian.org https://www.debian.org/security/ Michael Gilbert February 19, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium CVE ID : CVE-2021-21148 CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 CVE-2021-21157 Several vulnerabilities have been discovered in the chromium web browser. CVE-2021-21148 Mattias Buelens discovered a buffer overflow issue in the v8 javascript library. CVE-2021-21149 Ryoya Tsukasaki discovered a stack overflow issue in the Data Transfer implementation. CVE-2021-21150 Woojin Oh discovered a use-after-free issue in the file downloader. CVE-2021-21151 Khalil Zhani discovered a use-after-free issue in the payments system. CVE-2021-21152 A buffer overflow was discovered in media handling. CVE-2021-21153 Jan Ruge discovered a stack overflow issue in the GPU process. CVE-2021-21154 Abdulrahman Alqabandi discovered a buffer overflow issue in the Tab Strip implementation. CVE-2021-21155 Khalil Zhani discovered a buffer overflow issue in the Tab Strip implementation. CVE-2021-21156 Sergei Glazunov discovered a buffer overflow issue in the v8 javascript library. CVE-2021-21157 A use-after-free issue was discovered in the Web Sockets implementation. For the stable distribution (buster), these problems have been fixed in version 88.0.4324.182-1~deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 21, 2021 Share Posted February 21, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4859-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond February 20, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libzstd Debian Bug : 982519 It was discovered that zstd, a compression utility, was vulnerable to a race condition: it temporarily exposed, during a very short timeframe, a world-readable version of its input even if the original file had restrictive permissions. For the stable distribution (buster), this problem has been fixed in version 1.3.8+dfsg-3+deb10u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4860-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 20, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openldap CVE ID : CVE-2021-27212 A vulnerability in the Certificate List Exact Assertion validation was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. An unauthenticated remote attacker can take advantage of this flaw to cause a denial of service (slapd daemon crash) via specially crafted packets. For the stable distribution (buster), this problem has been fixed in version 2.4.47+dfsg-3+deb10u6. Link to comment Share on other sites More sharing options...
sunrat Posted February 22, 2021 Share Posted February 22, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4861-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 21, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : screen CVE ID : CVE-2021-26937 Debian Bug : 982435 Felix Weinmann reported a flaw in the handling of combining characters in screen, a terminal multiplexer with VT100/ANSI terminal emulation, which can result in denial of service, or potentially the execution of arbitrary code via a specially crafted UTF-8 character sequence. For the stable distribution (buster), this problem has been fixed in version 4.6.2-3+deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 24, 2021 Share Posted February 24, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4862-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 24, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : firefox-esr CVE ID : CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure. For the stable distribution (buster), these problems have been fixed in version 78.8.0esr-1~deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4863-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 24, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : nodejs CVE ID : CVE-2021-22883 CVE-2021-22884 Two vulnerabilities were discovered in Node.js, which could result in denial of service or DNS rebinding attacks. For the stable distribution (buster), these problems have been fixed in version 10.24.0~dfsg-1~deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted February 27, 2021 Share Posted February 27, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4864-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 27, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : python-aiohttp CVE ID : CVE-2021-21330 Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a async HTTP client/server framework, is prone to an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. For the stable distribution (buster), this problem has been fixed in version 3.5.1-1+deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4865-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 27, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : docker.io CVE ID : CVE-2020-15157 CVE-2020-15257 CVE-2021-21284 CVE-2021-21285 Multiple security issues were discovered in Docker, a Linux container runtime, which could result in denial of service, an information leak or privilege escalation. For the stable distribution (buster), these problems have been fixed in version 18.09.1+dfsg1-7.1+deb10u3. Link to comment Share on other sites More sharing options...
sunrat Posted February 28, 2021 Share Posted February 28, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4866-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff February 28, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : thunderbird CVE ID : CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978 Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure. For the stable distribution (buster), these problems have been fixed in version 1:78.8.0-1~deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted March 2, 2021 Share Posted March 2, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4867-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 02, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : grub2 CVE ID : CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233 Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-14372 It was discovered that the acpi command allows a privileged user to load crafted ACPI tables when Secure Boot is enabled. CVE-2020-25632 A use-after-free vulnerability was found in the rmmod command. CVE-2020-25647 An out-of-bound write vulnerability was found in the grub_usb_device_initialize() function, which is called to handle USB device initialization. CVE-2020-27749 A stack buffer overflow flaw was found in grub_parser_split_cmdline. CVE-2020-27779 It was discovered that the cutmem command allows a privileged user to remove memory regions when Secure Boot is enabled. CVE-2021-20225 A heap out-of-bounds write vulnerability was found in the short form option parser. CVE-2021-20233 A heap out-of-bound write flaw was found caused by mis-calculation of space required for quoting in the menu rendering. Further detailed information can be found at https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot For the stable distribution (buster), these problems have been fixed in version 2.02+dfsg1-20+deb10u4. Link to comment Share on other sites More sharing options...
sunrat Posted March 13, 2021 Share Posted March 13, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4868-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 12, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : flatpak CVE ID : CVE-2021-21381 Anton Lydike discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could by bypassed via a malicious .desktop file. For the stable distribution (buster), this problem has been fixed in version 1.2.5-0+deb10u4. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4869-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 12, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tiff CVE ID : CVE-2020-35523 CVE-2020-35524 Two vulnerabilities have been discovered in the libtiff library and the included tools, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. For the stable distribution (buster), these problems have been fixed in version 4.1.0+git191117-2~deb10u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4870-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 12, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : pygments CVE ID : CVE-2021-20270 It was discovered that Pygments, a syntax highlighting package written in Python, could be forced into an infinite loop, resulting in denial of service. For the stable distribution (buster), this problem has been fixed in version 2.3.1+dfsg-1+deb10u1. Link to comment Share on other sites More sharing options...
sunrat Posted March 16, 2021 Share Posted March 16, 2021 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4871-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 16, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tor CVE ID : CVE-2021-28089 CVE-2021-28090 Two vulnerabilities were discovered in Tor, a connection-based low-latency anonymous communication system, which could lead to excessive CPU usage or cause a directory authority to crash. For the stable distribution (buster), these problems have been fixed in version 0.3.5.14-1. Link to comment Share on other sites More sharing options...
sunrat Posted March 19, 2021 Share Posted March 19, 2021 ------------------------------------------------------------------------- Debian Security Advisory DSA-4872-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 18, 2021 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : shibboleth-sp CVE ID : not yet available Debian Bug : 985405 Toni Huttunen discovered that the Shibboleth service provider's template engine used to render error pages could be abused for phishing attacks. For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20210317.txt For the stable distribution (buster), this problem has been fixed in version 3.0.4+dfsg1-1+deb10u1. Link to comment Share on other sites More sharing options...
Recommended Posts