sunrat Posted May 18, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4916-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 17, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : prosody
CVE ID         : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921

Multiple security issues were found in Prosody, a lightweight Jabber/XMPP server, which could result in denial of service or information disclosure.

For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1.
sunrat Posted May 18, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4917-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
May 17, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-30506 CVE-2021-30507 CVE-2021-30508 CVE-2021-30509 CVE-2021-30510 CVE-2021-30511 CVE-2021-30512 CVE-2021-30513 CVE-2021-30514 CVE-2021-30515 CVE-2021-30516 CVE-2021-30517 CVE-2021-30518 CVE-2021-30519 CVE-2021-30520

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-30506
    @retsew0x01 discovered an error in the Web App installation interface.

CVE-2021-30507
    Alison Huffman discovered an error in the Offline mode.

CVE-2021-30508
    Leecraso and Guang Gong discovered a buffer overflow issue in the Media Feeds implementation.

CVE-2021-30509
    David Erceg discovered an out-of-bounds write issue in the Tab Strip implementation.

CVE-2021-30510
    Weipeng Jiang discovered a race condition in the aura window manager.

CVE-2021-30511
    David Erceg discovered an out-of-bounds read issue in the Tab Strip implementation.

CVE-2021-30512
    ZhanJia Song discovered a use-after-free issue in the notifications implementation.

CVE-2021-30513
    Man Yue Mo discovered an incorrect type in the v8 javascript library.

CVE-2021-30514
    koocola and Wang discovered a use-after-free issue in the Autofill feature.

CVE-2021-30515
    Rong Jian and Guang Gong discovered a use-after-free issue in the file system access API.

CVE-2021-30516
    ZhanJia Song discovered a buffer overflow issue in the browsing history.

CVE-2021-30517
    Jun Kokatsu discovered a buffer overflow issue in the reader mode.

CVE-2021-30518
    laural discovered use of an incorrect type in the v8 javascript library.

CVE-2021-30519
    asnine discovered a use-after-free issue in the Payments feature.

CVE-2021-30520
    Khalil Zhani discovered a use-after-free issue in the Tab Strip implementation.

For the stable distribution (buster), these problems have been fixed in version 90.0.4430.212-1~deb10u1.
sunrat Posted May 18, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4918-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 18, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-rack-cors
CVE ID         : CVE-2019-18978
Debian Bug     : 944849

Improper pathname handling in ruby-rack-cors, a middleware that makes Rack-based apps CORS compatible, may result in access to private resources.

For the stable distribution (buster), this problem has been fixed in version 1.0.2-1+deb10u1.
sunrat Posted May 21, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4919-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 21, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lz4
CVE ID         : CVE-2021-3520
Debian Bug     : 987856

Jasper Lievisse Adriaanse reported an integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption.

For the stable distribution (buster), this problem has been fixed in version 1.8.3-1+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4916-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 21, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : prosody
Debian Bug     : 988756

The update for prosody released as DSA 4916-1 introduced a regression in websocket support. Updated prosody packages are now available to correct this issue.

For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u2.
sunrat Posted May 24, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4920-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 24, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libx11
CVE ID         : CVE-2021-31535
Debian Bug     : 988737

Roman Fiedler reported that missing length validation in various functions provided by libx11, the X11 client-side library, allows injection of X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in version 2:1.6.7-1+deb10u2.
sunrat Posted May 28, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4921-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 28, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nginx
CVE ID         : CVE-2021-23017
Debian Bug     : 989095

Luis Merino, Markus Vervier and Eric Sesterhenn discovered an off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u4.
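Every advisory in this thread ends with a "fixed in version" string, and whether a buster host is actually covered comes down to comparing that string with the installed version using dpkg's ordering: epoch first, then upstream version, then Debian revision, with digit runs compared numerically and "~" sorting before everything else (so 90.0.4430.212-1~deb10u1 is older than 90.0.4430.212-1). The following is an added example written for this thread, not Debian or dpkg code: it pulls the package and fixed version out of a DSA's text, re-implements dpkg's comparison so it runs where dpkg is absent, and evaluates a constructed map of installed versions. The SAMPLE_* data is made up; on a real host the map would come from `dpkg-query -W -f='${Package} ${Version}\n'` and the authoritative comparison is `dpkg --compare-versions`. One caveat to carry over: a DSA names the source package, while dpkg reports binary packages, so libx11 has to be mapped to libx11-6 (and similar) before the lookup.

```python
r"""Check installed Debian package versions against the "fixed in version"
named in a DSA.  Added example for this thread, not Debian or dpkg code;
it re-implements dpkg's version comparison so it runs without dpkg present
(on a real host the authoritative check is `dpkg --compare-versions`)."""
import re
from typing import Dict, List, Optional, Tuple


def split_version(version: str) -> Tuple[int, str, str]:
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, dash, revision = version.rpartition("-")
    if not dash:                      # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(c: str) -> int:
    """dpkg's character weight: '~' < end of string < letters < other."""
    if c.isdigit() or c == "":
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _char(s: str, i: int) -> str:
    return s[i] if i < len(s) else ""


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternate non-digit runs (compared by
    _order) and digit runs (compared numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            wa, wb = _order(_char(a, i)), _order(_char(b, j))
            if wa != wb:
                return -1 if wa < wb else 1
            i, j = i + 1, j + 1
        while _char(a, i) == "0":
            i += 1
        while _char(b, j) == "0":
            j += 1
        first_diff = 0
        while _char(a, i).isdigit() and _char(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if _char(a, i).isdigit():     # a has more significant digits
            return 1
        if _char(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def parse_dsa(text: str) -> Optional[Tuple[str, str]]:
    """Pull (source package, fixed version) out of a DSA's text."""
    pkg = re.search(r"Package\s*:\s*(\S+)", text)
    ver = re.search(r"fixed in version\s+(\S+)", text)
    if not pkg or not ver:
        return None
    return pkg.group(1), ver.group(1).rstrip(".")


def is_patched(installed: Optional[str], fixed: str) -> bool:
    """A package that is not installed (None) is not affected."""
    return installed is None or compare_versions(installed, fixed) >= 0


def check(dsa_texts: List[str], installed: Dict[str, str]) -> List[Tuple[str, Optional[str], str, bool]]:
    """Evaluate several DSAs against a {package: version} map, e.g. built
    from `dpkg-query -W -f='${Package} ${Version}\n'`.  Caveat: DSAs name
    the *source* package; map binary names (libx11-6 -> libx11) first."""
    results = []
    for text in dsa_texts:
        parsed = parse_dsa(text)
        if parsed is None:
            continue
        pkg, fixed = parsed
        cur = installed.get(pkg)
        results.append((pkg, cur, fixed, is_patched(cur, fixed)))
    return results


# Constructed samples: the DSA snippets quote this thread's nginx and prosody
# advisories; the installed map is what a half-patched buster host might report.
SAMPLE_DSAS = [
    "Package        : nginx\nCVE ID         : CVE-2021-23017\n"
    "For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u4.",
    "Package        : prosody\n"
    "For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u2.",
]
SAMPLE_INSTALLED = {"nginx": "1.14.2-2+deb10u3", "prosody": "0.11.2-1+deb10u2"}

if __name__ == "__main__":
    for pkg, cur, fixed, ok in check(SAMPLE_DSAS, SAMPLE_INSTALLED):
        print(f"{pkg}: installed {cur}, fixed {fixed}: {'ok' if ok else 'VULNERABLE'}")
```

With the constructed data the script reports nginx as vulnerable (1.14.2-2+deb10u3 is below the fixed 1.14.2-2+deb10u4) and prosody as patched; feeding it the real `dpkg-query` output of a host and the DSA texts from this thread gives the same verdict per advisory.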
sunrat Posted May 29, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4922-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 29, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : hyperkitty
CVE ID         : CVE-2021-33038

Amir Sarabadani and Kunal Mehta discovered that the import functionality of Hyperkitty, the web user interface to access Mailman 3 archives, did not restrict the visibility of private archives during the import, i.e. that during the import of a private Mailman 2 archive the archive was publicly accessible until the import completed.

For the stable distribution (buster), this problem has been fixed in version 1.2.2-1+deb10u1.
sunrat Posted May 30, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4923-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
May 30, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2021-1788 CVE-2021-1844 CVE-2021-1871

The following vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2021-1788
    Francisco Alonso discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2021-1844
    Clement Lecigne and Alison Huffman discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2021-1871
    An anonymous researcher discovered that a remote attacker may be able to cause arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in version 2.32.1-1~deb10u1.
sunrat Posted May 31, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4899-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 31, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-11-jre-dcevm
Debian Bug     : 942876

The Dynamic Code Evolution Virtual Machine (DCE VM), an alternative VM for OpenJDK 11 with enhanced class redefinition, has been updated for compatibility with OpenJDK 11.0.11.

For the stable distribution (buster), this problem has been fixed in version openjdk-11-jre-dcevm_11.0.11+9-2~deb10u1.
sunrat Posted June 2, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4924-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 01, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVE-2021-31807 CVE-2021-31808
Debian Bug     : 988891 988892 988893 989043

Multiple denial of service vulnerabilities were discovered in the Squid proxy caching server.

For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u6.
sunrat Posted June 2, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4925-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 02, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-29967

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in version 78.11.0esr-1~deb10u1.
sunrat Posted June 4, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4926-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 03, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lasso
CVE ID         : CVE-2021-28091

It was discovered that lasso, a library which implements SAML 2.0 and Liberty Alliance standards, did not properly verify that all assertions in a SAML response were properly signed, allowing an attacker to impersonate users or bypass access control.

For the stable distribution (buster), this problem has been fixed in version 2.6.0-2+deb10u1.
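The lasso flaw above is a signature-coverage bug: a Response was accepted once some assertion in it carried a valid signature, so an unsigned assertion appended next to a legitimately signed one was trusted as well, and the subject it names is whoever the attacker chose. The block below is an added example written for this thread, not lasso's code; it shows the flawed acceptance rule beside the correct one over a constructed Response. The signature check is a stand-in (presence of an enveloped ds:Signature whose Reference URI points back at the element's own ID, which also catches the signed element being moved next to foreign content); a real service provider must replace it with full XML-DSig verification against the identity provider's certificate. Namespaces are the real SAML 2.0 and XML-DSig ones; the element IDs and subjects are made up.

```python
"""Signature coverage over SAML assertions.  Added example for the lasso
advisory above, not lasso code.  Contrasts the flawed rule (accept a
Response once *one* assertion carries a valid signature) with the correct
one (every assertion the SP acts on is signed, or the whole Response is).
_carries_own_signature() is a structural stand-in for XML-DSig verification."""
import xml.etree.ElementTree as ET
from typing import Callable, List

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"


def _assertion(subject: str, aid: str, signed: bool) -> str:
    """Build one saml:Assertion; the ds:Signature is a placeholder for a real one."""
    sig = (f'<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/>'
           f'</ds:SignedInfo></ds:Signature>') if signed else ""
    return (f'<saml:Assertion ID="{aid}"><saml:Subject><saml:NameID>{subject}'
            f'</saml:NameID></saml:Subject>{sig}</saml:Assertion>')


def _response(*assertions: str) -> str:
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'xmlns:ds="{DS}" ID="_r1">{"".join(assertions)}</samlp:Response>')


# Constructed samples.  GOOD is what an IdP would issue; TAMPERED keeps the
# IdP's signed assertion for "alice" and appends an unsigned one for "admin".
GOOD = _response(_assertion("alice", "_a1", True))
TAMPERED = _response(_assertion("alice", "_a1", True),
                     _assertion("admin", "_a2", False))


def _carries_own_signature(elem: ET.Element) -> bool:
    """Stand-in for XML-DSig verification: an enveloped ds:Signature whose
    Reference points at this very element's ID.  Requiring the self-reference
    rejects a valid signature that was relocated next to foreign content."""
    sig = elem.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
    return ref is not None and ref.get("URI") == "#" + elem.get("ID", "")


def _subject(assertion: ET.Element) -> str:
    return assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID", default="")


def accept_any_signed(response_xml: str) -> List[str]:
    """Flawed: one signed assertion makes the SP trust *all* assertions."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not any(_carries_own_signature(a) for a in assertions):
        raise ValueError("no signed assertion")
    return [_subject(a) for a in assertions]


def accept_all_signed(response_xml: str) -> List[str]:
    """Fixed: either the Response is signed as a whole, or every single
    assertion is; anything else is rejected before any subject is used."""
    root = ET.fromstring(response_xml)
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if not assertions:
        raise ValueError("no assertion")
    if _carries_own_signature(root):
        return [_subject(a) for a in assertions]
    for a in assertions:
        if not _carries_own_signature(a):
            raise ValueError(f"unsigned assertion {a.get('ID')}")
    return [_subject(a) for a in assertions]


def rejects(checker: Callable[[str], List[str]], response_xml: str) -> bool:
    """True if the checker refuses the Response."""
    try:
        checker(response_xml)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("flawed rule on tampered response:", accept_any_signed(TAMPERED))
    print("fixed rule on good response:    ", accept_all_signed(GOOD))
    print("fixed rule rejects tampered:    ", rejects(accept_all_signed, TAMPERED))
```

The flawed rule hands back both "alice" and "admin" for the tampered Response, which is exactly the impersonation the advisory describes; the fixed rule stops at the first unsigned assertion and never yields a subject. Note that the fix rejects before extracting anything: an SP that first collects subjects and only then checks signatures tends to leak the unsigned one into logs or session state.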
sunrat Posted June 4, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4927-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 05, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-29956 CVE-2021-29957 CVE-2021-29967

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. In addition two security issues were addressed in the OpenPGP support.

For the stable distribution (buster), these problems have been fixed in version 1:78.11.0-1~deb10u1.
sunrat Posted June 10, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4928-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 09, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : htmldoc
CVE ID         : CVE-2021-23158 CVE-2021-23165 CVE-2021-23180 CVE-2021-23191 CVE-2021-23206 CVE-2021-26252 CVE-2021-26259 CVE-2021-26948

A buffer overflow was discovered in HTMLDOC, a HTML processor that generates indexed HTML, PS, and PDF, which could potentially result in the execution of arbitrary code. In addition a number of crashes were addressed.

For the stable distribution (buster), these problems have been fixed in version 1.9.3-1+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4929-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 09, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : rails
CVE ID         : CVE-2021-22880 CVE-2021-22885 CVE-2021-22904
Debian Bug     : 988214

Multiple security issues were discovered in the Rails web framework which could result in denial of service.

For the stable distribution (buster), these problems have been fixed in version 2:5.2.2.1+dfsg-1+deb10u3.
sunrat Posted June 10, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4930-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 10, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libwebp
CVE ID         : CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332

Multiple vulnerabilities were discovered in libwebp, the implementation of the WebP image format, which could result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed images are processed.

For the stable distribution (buster), these problems have been fixed in version 0.6.1-2+deb10u1.
sunrat Posted June 16, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4931-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 15, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2021-0089 CVE-2021-26313 CVE-2021-28690 CVE-2021-28692

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service or information leaks.

For the stable distribution (buster), these problems have been fixed in version 4.11.4+107-gef32c7afa2-1.
sunrat Posted June 18, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4932-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 18, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2021-34548 CVE-2021-34549 CVE-2021-34550
Debian Bug     : 990000

Multiple security vulnerabilities were discovered in Tor, a connection-based low-latency anonymous communication system, which could result in denial of service or spoofing.

For the stable distribution (buster), these problems have been fixed in version 0.3.5.15-1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4933-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 18, 2021                         https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : nettle
CVE ID         : CVE-2021-3580 CVE-2021-20305
Debian Bug     : 985652 989631

Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.

For the stable distribution (buster), these problems have been fixed in version 3.4.1-1+deb10u1.
sunrat Posted June 19, 2021

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.10 released                        press@debian.org
June 19th, 2021                 https://www.debian.org/News/2021/20210619
------------------------------------------------------------------------

The Debian project is pleased to announce the tenth update of its stable distribution Debian 10 (codename "buster"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old "buster" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages (package: reason):

apt [1]: Accept suite name changes for repositories by default (e.g. stable -> oldstable)
awstats [2]: Fix remote file access issues [CVE-2020-29600 CVE-2020-35176]
base-files [3]: Update /etc/debian_version for the 10.10 point release
berusky2 [4]: Fix segfault at startup
clamav [5]: New upstream stable release; fix denial of service issue [CVE-2021-1405]
clevis [6]: Fix support for TPMs that only support SHA256
connman [7]: dnsproxy: Check the length of buffers before memcpy [CVE-2021-33833]
crmsh [8]: Fix code execution issue [CVE-2020-35459]
debian-installer [9]: Use 4.19.0-17 Linux kernel ABI
debian-installer-netboot-images [10]: Rebuild against proposed-updates
dnspython [11]: XFR: do not attempt to compare to a non-existent "expiration" value
dput-ng [12]: Fix crash in the sftp uploader in case of EACCES from the server; update codenames; make "dcut dm" work for non-uploading DMs; fix a TypeError in http upload exception handling; don't try and construct uploader email from system hostname in .dak-commands files
eterm [13]: Fix code execution issue [CVE-2021-33477]
exactimage [14]: Fix build with C++11 and OpenEXR 2.5.x
fig2dev [15]: Fix buffer overflow [CVE-2021-3561]; several output fixes; rebuild testsuite during build and in autopkgtest
fluidsynth [16]: Fix use-after-free issue [CVE-2021-28421]
freediameter [17]: Fix denial of service issue [CVE-2020-6098]
fwupd [18]: Fix generation of the vendor SBAT string; stop using dpkg-dev in fwupd.preinst; new upstream stable version
fwupd-amd64-signed [19]: Sync with fwupd
fwupd-arm64-signed [20]: Sync with fwupd
fwupd-armhf-signed [21]: Sync with fwupd
fwupd-i386-signed [22]: Sync with fwupd
fwupdate [23]: Improve SBAT support
fwupdate-amd64-signed [24]: Sync with fwupdate
fwupdate-arm64-signed [25]: Sync with fwupdate
fwupdate-armhf-signed [26]: Sync with fwupdate
fwupdate-i386-signed [27]: Sync with fwupdate
glib2.0 [28]: Fix several integer overflow issues [CVE-2021-27218 CVE-2021-27219]; fix a symlink attack affecting file-roller [CVE-2021-28153]
gnutls28 [29]: Fix null-pointer dereference issue [CVE-2020-24659]; add several improvements to memory reallocation
golang-github-docker-docker-credential-helpers [30]: Fix double free issue [CVE-2019-1020014]
htmldoc [31]: Fix buffer overflow issues [CVE-2019-19630 CVE-2021-20308]
ipmitool [32]: Fix buffer overflow issues [CVE-2020-5208]
ircii [33]: Fix denial of service issue [CVE-2021-29376]
isc-dhcp [34]: Fix buffer overrun issue [CVE-2021-25217]
isync [35]: Reject "funny" mailbox names from IMAP LIST/LSUB [CVE-2021-20247]; fix handling of unexpected APPENDUID response code [CVE-2021-3578]
jackson-databind [36]: Fix external entity expansion issue [CVE-2020-25649] and several serialization-related issues [CVE-2020-24616 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-20190]
klibc [37]: malloc: Set errno on failure; fix several overflow issues [CVE-2021-31873 CVE-2021-31870 CVE-2021-31872]; cpio: Fix possible crash on 64-bit systems [CVE-2021-31871]; {set,long}jmp [s390x]: save/restore the correct FPU registers
libbusiness-us-usps-webtools-perl [38]: Update to new US-USPS API
libgcrypt20 [39]: Fix weak ElGamal encryption with keys not generated by GnuPG/libgcrypt [CVE-2021-33560]
libgetdata [40]: Fix use after free issue [CVE-2021-20204]
libmateweather [41]: Adapt to renaming of America/Godthab to America/Nuuk in tzdata
libxml2 [42]: Fix out-of-bounds read in xmllint [CVE-2020-24977]; fix use-after-free issues in xmllint [CVE-2021-3516 CVE-2021-3518]; validate UTF8 in xmlEncodeEntities [CVE-2021-3517]; propagate error in xmlParseElementChildrenContentDeclPriv; fix exponential entity expansion attack [CVE-2021-3541]
liferea [43]: Fix compatibility with webkit2gtk >= 2.32
linux [44]: New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81
linux-latest [45]: Update to 4.19.0-17 ABI
linux-signed-amd64 [46]: New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81
linux-signed-arm64 [47]: New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81
linux-signed-i386 [48]: New upstream stable release; increase ABI to 17; [rt] Update to 4.19.193-rt81
mariadb-10.3 [49]: New upstream release; security fixes [CVE-2021-2154 CVE-2021-2166 CVE-2021-27928]; fix Innotop support; ship caching_sha2_password.so
mqtt-client [50]: Fix denial of service issue [CVE-2019-0222]
mumble [51]: Fix remote code execution issue [CVE-2021-27229]
mupdf [52]: Fix use-after-free issue [CVE-2020-16600] and double free issue [CVE-2021-3407]
nmap [53]: Update included MAC prefix list
node-glob-parent [54]: Fix regular expression denial of service issue [CVE-2020-28469]
node-handlebars [55]: Fix code execution issues [CVE-2019-20920 CVE-2021-23369]
node-hosted-git-info [56]: Fix regular expression denial of service issue [CVE-2021-23362]
node-redis [57]: Fix regular expression denial of service issue [CVE-2021-29469]
node-ws [58]: Fix regular expression-related denial of service issue [CVE-2021-32640]
nvidia-graphics-drivers [59]: Fix improper access control vulnerability [CVE-2021-1076]
nvidia-graphics-drivers-legacy-390xx [60]: Fix improper access control vulnerability [CVE-2021-1076]; fix installation failure on Linux 5.11 release candidates
opendmarc [61]: Fix heap overflow issue [CVE-2020-12460]
openvpn [62]: Fix "illegal client float" issue [CVE-2020-11810]; ensure key state is authenticated before sending push reply [CVE-2020-15078]; increase listen() backlog queue to 32
php-horde-text-filter [63]: Fix cross-site scripting issue [CVE-2021-26929]
plinth [64]: Use session to verify first boot welcome step
ruby-websocket-extensions [65]: Fix denial of service issue [CVE-2020-7663]
rust-rustyline [66]: Fix build with newer rustc
rxvt-unicode [67]: Disable ESC G Q escape sequence [CVE-2021-33477]
sabnzbdplus [68]: Fix code execution vulnerability [CVE-2020-13124]
scrollz [69]: Fix denial of service issue [CVE-2021-29376]
shim [70]: New upstream release; add SBAT support; fix i386 binary relocations; don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older Intel Macs); fix handling of ignore_db and user_insecure_mode; add maintainer scripts to the template packages to manage installing and removing fbXXX.efi and mmXXX.efi when we install/remove the shim-helpers-$arch-signed packages; exit cleanly if installed on a non-EFI system; don't fail if debconf calls return errors
shim-helpers-amd64-signed [71]: Sync with shim
shim-helpers-arm64-signed [72]: Sync with shim
shim-helpers-i386-signed [73]: Sync with shim
shim-signed [74]: Update for new shim; multiple bugfixes in postinst and postrm handling; provide unsigned binaries for arm64 (see NEWS.Debian); exit cleanly if installed on a non-EFI system; don't fail if debconf calls return errors; fix documentation links; build against shim-unsigned 15.4-5~deb10u1; add explicit dependency from shim-signed to shim-signed-common
speedtest-cli [75]: Handle case where "ignoreids" is empty or contains empty ids
tnef [76]: Fix buffer over-read issue [CVE-2019-18849]
uim [77]: libuim-data: Copy "Breaks" from uim-data, fixing some upgrade scenarios
user-mode-linux [78]: Rebuild against Linux kernel 4.19.194-1
velocity [79]: Fix potential arbitrary code execution issue [CVE-2020-13936]
wml [80]: Fix regression in Unicode handling
xfce4-weather-plugin [81]: Move to version 2.0 met.no API

Security Updates
----------------

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates (advisory ID: package):

DSA-4848 [82]: golang-1.11 [83]
DSA-4865 [84]: docker.io [85]
DSA-4873 [86]: squid [87]
DSA-4874 [88]: firefox-esr [89]
DSA-4875 [90]: openssl [91]
DSA-4877 [92]: webkit2gtk [93]
DSA-4878 [94]: pygments [95]
DSA-4879 [96]: spamassassin [97]
DSA-4880 [98]: lxml [99]
DSA-4881 [100]: curl [101]
DSA-4882 [102]: openjpeg2 [103]
DSA-4883 [104]: underscore [105]
DSA-4884 [106]: ldb [107]
DSA-4885 [108]: netty [109]
DSA-4886 [110]: chromium [111]
DSA-4887 [112]: lib3mf [113]
DSA-4888 [114]: xen [115]
DSA-4889 [116]: mediawiki [117]
DSA-4890 [118]: ruby-kramdown [119]
DSA-4891 [120]: tomcat9 [121]
DSA-4892 [122]: python-bleach [123]
DSA-4893 [124]: xorg-server [125]
DSA-4894 [126]: php-pear [127]
DSA-4895 [128]: firefox-esr [129]
DSA-4896 [130]: wordpress [131]
DSA-4898 [132]: wpa [133]
DSA-4899 [134]: openjdk-11-jre-dcevm [135]
DSA-4899 [136]: openjdk-11 [137]
DSA-4900 [138]: gst-plugins-good1.0 [139]
DSA-4901 [140]: gst-libav1.0 [141]
DSA-4902 [142]: gst-plugins-bad1.0 [143]
DSA-4903 [144]: gst-plugins-base1.0 [145]
DSA-4904 [146]: gst-plugins-ugly1.0 [147]
DSA-4905 [148]: shibboleth-sp [149]
DSA-4907 [150]: composer [151]
DSA-4908 [152]: libhibernate3-java [153]
DSA-4909 [154]: bind9 [155]
DSA-4910 [156]: libimage-exiftool-perl [157]
DSA-4912 [158]: exim4 [159]
DSA-4913 [160]: hivex [161]
DSA-4914 [162]: graphviz [163]
DSA-4915 [164]: postgresql-11 [165]
DSA-4916 [166]: prosody [167]
DSA-4918 [168]: ruby-rack-cors [169]
DSA-4919 [170]: lz4 [171]
DSA-4920 [172]: libx11 [173]
DSA-4921 [174]: nginx [175]
DSA-4922 [176]: hyperkitty [177]
DSA-4923 [178]: webkit2gtk [179]
DSA-4924 [180]: squid [181]
DSA-4925 [182]: firefox-esr [183]
DSA-4926 [184]: lasso [185]
DSA-4928 [186]: htmldoc [187]
DSA-4929 [188]: rails [189]
DSA-4930 [190]: libwebp [191]

Removed packages
----------------

The following packages were removed due to circumstances beyond our control (package: reason):

sogo-connector [192]: Incompatible with current Thunderbird versions

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into stable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/
sunrat Posted June 27, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4934-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 26, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513

This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities which could result in privilege escalation in combination with VT-d and various side channel attacks.

For the stable distribution (buster), these problems have been fixed in version 3.20210608.2~deb10u1.
sunrat Posted July 6, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4935-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 05, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2021-21704 CVE-2021-21705

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in an SSRF bypass of the FILTER_VALIDATE_URL check and denial of service or potentially the execution of arbitrary code in the Firebird PDO.

For the stable distribution (buster), these problems have been fixed in version 7.3.29-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4936-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 05, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libuv1
CVE ID         : CVE-2021-22918
Debian Bug     : 990561

An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure.

For the stable distribution (buster), this problem has been fixed in version 1.24.1-1+deb10u1.
sunrat Posted July 8, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4937-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 08, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641 CVE-2021-31618

Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition, the implementation of the MergeSlashes option could result in unexpected behaviour.

For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u5.
sunrat Posted July 14, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4938-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 13, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linuxptp
CVE ID         : CVE-2021-3570
Debian Bug     : 990748

Miroslav Lichvar reported that the ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution.

For the stable distribution (buster), this problem has been fixed in version 1.9.2-1+deb10u1.
sunrat Posted July 15, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4939-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 14, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-29970 CVE-2021-29976 CVE-2021-30547

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 78.12.0esr-1~deb10u1.
sunrat Posted July 19, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4940-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 18, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 1:78.12.0-1~deb10u1.
sunrat Posted July 21, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4941-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 20, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2020-36311 CVE-2021-3609 CVE-2021-33909 CVE-2021-34693

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2020-36311

    A flaw was discovered in the KVM subsystem for AMD CPUs, allowing an attacker to cause a denial of service by triggering destruction of a large SEV VM.

CVE-2021-3609

    Norbert Slusarek reported a race condition vulnerability in the CAN BCM networking protocol, allowing a local attacker to escalate privileges.

CVE-2021-33909

    The Qualys Research Labs discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer. An unprivileged local attacker able to create, mount, and then delete a deep directory structure whose total path length exceeds 1GB, can take advantage of this flaw for privilege escalation.

    Details can be found in the Qualys advisory at
    https://www.qualys.com/2021/07/20/cve-2021-33909/sequoia-local-privilege-escalation-linux.txt

CVE-2021-34693

    Norbert Slusarek discovered an information leak in the CAN BCM networking protocol. A local attacker can take advantage of this flaw to obtain sensitive information from kernel stack memory.

For the stable distribution (buster), these problems have been fixed in version 4.19.194-3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4942-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 20, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : systemd
CVE ID         : CVE-2021-33910

The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing to crash systemd and hence the entire operating system.

Details can be found in the Qualys advisory at
https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt

For the stable distribution (buster), this problem has been fixed in version 241-7~deb10u8.
sunrat Posted July 23, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4943-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 23, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lemonldap-ng
CVE ID         : CVE-2021-35472

Several vulnerabilities were discovered in lemonldap-ng, a Web-SSO system. The flaws could result in information disclosure, authentication bypass, or could allow an attacker to increase its authentication level or impersonate another user, especially when lemonldap-ng is configured to increase authentication level for users authenticated via a second factor.

For the stable distribution (buster), these problems have been fixed in version 2.0.2+ds-7+deb10u6.
sunrat Posted July 25, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4944-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 25, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : krb5
CVE ID         : CVE-2021-36222
Debian Bug     : 991365

It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.

For the stable distribution (buster), this problem has been fixed in version 1.17-3+deb10u2.
sunrat Posted July 28, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4945-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
July 28, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2021-21775 CVE-2021-21779 CVE-2021-30663 CVE-2021-30665 CVE-2021-30689 CVE-2021-30720 CVE-2021-30734 CVE-2021-30744 CVE-2021-30749 CVE-2021-30758 CVE-2021-30795 CVE-2021-30797 CVE-2021-30799

The following vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2021-21775

    Marcin Towalski discovered that a specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.

CVE-2021-21779

    Marcin Towalski discovered that a specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.

CVE-2021-30663

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2021-30665

    yangkang discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CVE-2021-30689

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

CVE-2021-30720

    David Schutz discovered that a malicious website may be able to access restricted ports on arbitrary servers.

CVE-2021-30734

    Jack Dates discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2021-30744

    Dan Hite discovered that processing maliciously crafted web content may lead to universal cross site scripting.

CVE-2021-30749

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2021-30758

    Christoph Guttandin discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2021-30795

    Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2021-30797

    Ivan Fratric discovered that processing maliciously crafted web content may lead to code execution.

CVE-2021-30799

    Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in version 2.32.3-1~deb10u1.
sunrat Posted July 30, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4946-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 29, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2021-2341 CVE-2021-2369 CVE-2021-2388

Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in bypass of sandbox restrictions, incorrect validation of signed Jars or information disclosure.

For the stable distribution (buster), these problems have been fixed in version 11.0.12+7-2~deb10u1.
sunrat Posted July 31, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4947-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 30, 2021                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libsndfile
CVE ID         : CVE-2021-3246
Debian Bug     : 991496

Andrea Fioraldi discovered a buffer overflow in libsndfile, a library for reading/writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file.

For the stable distribution (buster), this problem has been fixed in version 1.0.28-6+deb10u1.
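Every advisory in this thread ends with a "fixed in version" line, and the practical question on a buster host is whether the installed source package is at or above that version. The script below is an added example for this thread, not Debian's or dpkg's own code: it re-implements dpkg's version ordering (epoch, upstream part, Debian revision; digit runs compared numerically, "~" sorting before everything including the end of the string, so 7.3.29-1~deb10u1 is older than 7.3.29-1) in pure Python, extracts package and fixed version from pasted advisory text, and reports each package as fixed, vulnerable or not installed. The advisory fragments and the installed-version dictionary are constructed sample data; on a real host the dictionary would come from dpkg-query -W -f='${source:Package} ${source:Version}\n', since advisories name source packages rather than binary packages.

```python
import re

def _order(c):
    """Weight of one non-digit character as in dpkg's order(): '~' sorts
    before end of string (0), letters before other punctuation."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version fragment (upstream part or Debian revision) the way
    dpkg's verrevcmp() does; result <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character weights, '' past the end.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, longer run wins, else first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; the last hyphen starts the revision."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = (v.rsplit("-", 1) if "-" in v else (v, ""))
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg ordering."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0

_PKG_RE = re.compile(r"^Package\s*:\s*(\S+)", re.M)
_FIX_RE = re.compile(r"fixed in\s+version\s+([0-9A-Za-z.+~:-]+)")

def parse_advisory(text):
    """Map source package -> fixed version for every DSA in the pasted text."""
    fixes = {}
    for block in re.split(r"(?=^Package\s*:)", text, flags=re.M):
        p, f = _PKG_RE.search(block), _FIX_RE.search(block)
        if p and f:
            fixes[p.group(1)] = f.group(1).rstrip(".")  # drop the sentence's full stop
    return fixes

def check_installed(advisory_text, installed):
    """'fixed', 'vulnerable' or 'not installed' per package named in the advisories.
    `installed` maps source package -> source version (dpkg-query output on a real host)."""
    result = {}
    for pkg, fixed in parse_advisory(advisory_text).items():
        have = installed.get(pkg)
        if have is None:
            result[pkg] = "not installed"
        else:
            result[pkg] = "fixed" if compare_versions(have, fixed) >= 0 else "vulnerable"
    return result

# Constructed sample: two advisory fragments with the fixed versions quoted in this thread.
SAMPLE_ADVISORIES = """\
Package        : libsndfile
CVE ID         : CVE-2021-3246

For the stable distribution (buster), this problem has been fixed in
version 1.0.28-6+deb10u1.

Package        : krb5
CVE ID         : CVE-2021-36222

For the stable distribution (buster), this problem has been fixed in
version 1.17-3+deb10u2.
"""

# Constructed sample of what dpkg-query might report on a partially patched host.
SAMPLE_INSTALLED = {"libsndfile": "1.0.28-6", "krb5": "1.17-3+deb10u2"}

if __name__ == "__main__":
    for pkg, status in sorted(check_installed(SAMPLE_ADVISORIES, SAMPLE_INSTALLED).items()):
        print(f"{pkg}: {status}")
```

The comparison deliberately mirrors dpkg rather than splitting on dots, because Debian security versions rely on the corner cases: "+deb10u1" must sort after the plain revision, and "~deb10u1" must sort before it. Where dpkg is available, `dpkg --compare-versions` gives the authoritative answer; the pure-Python version is for checking exported package lists from another machine.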