Jump to content

Bruno

Recommended Posts

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4948-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 01, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : aspell
CVE ID         : CVE-2019-17544 CVE-2019-25051
Debian Bug     : 991307

A buffer overflow was discovered in the Aspell spell checker, which could
result in the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 0.60.7~20110707-6+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4949-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 04, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jetty9
CVE ID         : CVE-2019-10241 CVE-2019-10247 CVE-2020-27216 CVE-2020-27223 
                 CVE-2020-28165 CVE-2020-28169 CVE-2021-34428

Multiple vulnerabilities were discovered in Jetty, a Java servlet engine
and webserver which could result in cross-site scripting, information
disclosure, privilege escalation or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 9.4.16-0+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4950-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 07, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ansible
CVE ID         : CVE-2019-10156 CVE-2019-10206 CVE-2019-14846 CVE-2019-14864 
                 CVE-2019-14904 CVE-2020-1733  CVE-2020-1735  CVE-2020-1739 
                 CVE-2020-1740  CVE-2020-1746  CVE-2020-1753  CVE-2020-10684 
                 CVE-2020-10685 CVE-2020-10729 CVE-2020-14330 CVE-2020-14332 
                 CVE-2020-14365 CVE-2021-20228

Several vulnerabilities have been found in Ansible, a configuration
management, deployment and task execution system, which could result in
information disclosure or argument injection. In addition a race
condition in become_user was fixed. 

For the stable distribution (buster), these problems have been fixed in
version 2.7.7+dfsg-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4951-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 07, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bluez
CVE ID         : CVE-2020-26558 CVE-2020-27153 CVE-2021-0129
Debian Bug     : 989614

Several vulnerabilities were discovered in Bluez, the Linux Bluetooth
protocol stack.

CVE-2020-26558 / CVE-2021-0129

    It was discovered that Bluez does not properly check permissions
    during pairing operation, which could allow an attacker to
    impersonate the initiating device.

CVE-2020-27153

    Jay LV discovered a double free flaw in the disconnect_cb() routine
    in the gattool. A remote attacker can take advantage of this flaw
    during service discovery for denial of service, or potentially,
    execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 5.50-1.2~deb10u2.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4952-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 09, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-30640 CVE-2021-33037
Debian Bug     : 991046

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine,
which could result in HTTP request smuggling, bypass of logout
restrictions or authentications using variations of a valid user name.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u5.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4953-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 10, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lynx
CVE ID         : CVE-2021-38165
Debian Bug     : 991971

Thorsten Glaser and Axel Beckert reported that lynx, a non-graphical
(text-mode) web browser, does not properly handle the userinfo
subcomponent of a URI, which can lead to leaking of credential in
cleartext in SNI data.

For the stable distribution (buster), this problem has been fixed in
version 2.8.9rel.1-3+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4954-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 10, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : c-ares
CVE ID         : CVE-2021-3672
Debian Bug     : 992053

Philipp Jeitner and Haya Shulman discovered a flaw in c-ares, a library
that performs DNS requests and name resolution asynchronously. Missing
input validation of hostnames returned by DNS servers can lead to output
of wrong hostnames (leading to Domain Hijacking).

For the stable distribution (buster), this problem has been fixed in
version 1.14.0-1+deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4955-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 11, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libspf2
CVE ID         : CVE-2021-20314

Philipp Jeitner and Haya Shulman discovered a stack-based buffer
overflow in libspf2, a library for validating mail senders with SPF,
which could result in denial of service, or potentially execution of
arbitrary code when processing a specially crafted SPF record.

For the stable distribution (buster), this problem has been fixed in
version 1.2.10-7.1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4956-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 11, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 
                 CVE-2021-29988 CVE-2021-29989

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (buster), these problems have been fixed in
version 78.13.0esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4946-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 11, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11-jre-dcevm
Debian Bug     : 991006

The Dynamic Code Evolution Virtual Machine (DCE VM), an alternative VM
for OpenJDK 11 with enhanced class redefinition, has been updated for
compatibility with OpenJDK 11.0.12.

For the stable distribution (buster), this problem has been fixed in
version 11.0.12+7-1~deb10u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4957-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 13, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : trafficserver
CVE ID         : CVE-2021-27577 CVE-2021-32566 CVE-2021-32567
                 CVE-2021-35474 CVE-2021-32565

Several vulnerabilities were discovered in Apache Traffic Server, a
reverse and forward proxy server, which could result in denial of
service, HTTP request smuggling or cache poisoning.

For the stable distribution (buster), these problems have been fixed in
version 8.0.2+ds-1+deb10u5.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4958-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 13, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exiv2
CVE ID         : CVE-2019-20421 CVE-2021-3482 CVE-2021-29457
                 CVE-2021-29473 CVE-2021-31292

Several vulnerabilities have been discovered in Exiv2, a C++ library and
a command line utility to manage image metadata which could result in
denial of service or the execution of arbitrary code if a malformed
file is parsed.

For the stable distribution (buster), these problems have been fixed in
version 0.25-4+deb10u2.
Link to comment
Share on other sites

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Debian 11 "bullseye" released                           press@debian.org
August 14th, 2021              https://www.debian.org/News/2021/20210814
------------------------------------------------------------------------


After 2 years, 1 month, and 9 days of development, the Debian project is
proud to present its new stable version 11 (code name "bullseye"), which
will be supported for the next 5 years thanks to the combined work of
the Debian Security team [1] and the Debian Long Term Support [2] team.

    1: https://security-team.debian.org/
    2: https://wiki.debian.org/LTS

Debian 11 "bullseye" ships with several desktop applications and
environments. Amongst others it now includes the desktop environments:

  * Gnome 3.38,
  * KDE Plasma 5.20,
  * LXDE 11,
  * LXQt 0.16,
  * MATE 1.24,
  * Xfce 4.16.

This release contains over 11,294 new packages for a total count of
59,551 packages, along with a significant reduction of over 9,519
packages which were marked as "obsolete" and removed. 42,821 packages
were updated and 5,434 packages remained unchanged.

"bullseye" becomes our first release to provide a Linux kernel with
support for the exFAT filesystem and defaults to using it for mount
exFAT filesystems. Consequently it is no longer required to use the
filesystem-in-userspace implementation provided via the exfat-fuse
package. Tools for creating and checking an exFAT filesystem are
provided in the exfatprogs package.

Most modern printers are able to use driverless printing and scanning
without the need for vendor specific (often non-free) drivers.
"bullseye" brings forward a new package, ipp-usb, which uses the vendor
neutral IPP-over-USB protocol supported by many modern printers. This
allows a USB device to be treated as a network device. The official SANE
driverless backend is provided by sane-escl in libsane1, which uses the
eSCL protocol.

Systemd in "bullseye" activates its persistent journal functionality, by
default, with an implicit fallback to volatile storage. This allows
users that are not relying on special features to uninstall traditional
logging daemons and switch over to using only the systemd journal.

The Debian Med team has been taking part in the fight against COVID-19
by packaging software for researching the virus on the sequence level
and for fighting the pandemic with the tools used in epidemiology; this
work will continue with focus on machine learning tools for both fields.
The team's work with Quality Assurance and Continuous integration is
critical to the consistent reproducible results required in the
sciences. Debian Med Blend has a range of performance critical
applications which now benefit from SIMD Everywhere. To install packages
maintained by the Debian Med team, install the metapackages named med-*,
which are at version 3.6.x.

Chinese, Japanese, Korean, and many other languages now have a new Fcitx
5 input method, which is the successor of the popular Fcitx4 in
"buster" ; this new version has much better Wayland (default display
manager) addon support.

Debian 11 "bullseye" includes numerous updated software packages (over
72% of all packages in the previous release), such as:

  * Apache 2.4.48
  * BIND DNS Server 9.16
  * Calligra 3.2
  * Cryptsetup 2.3
  * Emacs 27.1
  * GIMP 2.10.22
  * GNU Compiler Collection 10.2
  * GnuPG 2.2.20
  * Inkscape 1.0.2
  * LibreOffice 7.0
  * Linux kernel 5.10 series
  * MariaDB 10.5
  * OpenSSH 8.4p1
  * Perl 5.32
  * PHP 7.4
  * PostgreSQL 13
  * Python 3, 3.9.1
  * Rustc 1.48
  * Samba 4.13
  * Vim 8.2
  * more than 59,000 other ready-to-use software packages, built from
more than 30,000 source packages.

With this broad selection of packages and its traditional wide
architecture support, Debian once again stays true to its goal of being
"The Universal Operating System". It is suitable for many different use
cases: from desktop systems to netbooks; from development servers to
cluster systems; and for database, web, and storage servers. At the same
time, additional quality assurance efforts like automatic installation
and upgrade tests for all packages in Debian's archive ensure that
"bullseye" fulfills the high expectations that users have of a stable
Debian release.

A total of nine architectures are supported: 64-bit PC / Intel EM64T /
x86-64 (amd64), 32-bit PC / Intel IA-32 (i386), 64-bit little-endian
Motorola/IBM PowerPC (ppc64el), 64-bit IBM S/390 (s390x), for ARM, armel
and armhf for older and more recent 32-bit hardware, plus arm64 for the
64-bit "AArch64" architecture, and for MIPS, mipsel (little-endian)
architectures for 32-bit hardware and mips64el architecture for 64-bit
little-endian hardware.

If you simply want to try Debian 11 "bullseye" without installing it,
you can use one of the available live images [3] which load and run the
complete operating system in a read-only state via your computer's
memory.

    3: https://www.debian.org/CD/live/

These live images are provided for the amd64 and i386 architectures and
are available for DVDs, USB sticks, and netboot setups. The user can
choose among different desktop environments to try: GNOME, KDE Plasma,
LXDE, LXQt, MATE, and Xfce. Debian Live "bullseye" has a standard live
image, so it is also possible to try a base Debian system without any of
the graphical user interfaces.

Should you enjoy the operating system you have the option of installing
from the live image onto your computer's hard disk. The live image
includes the Calamares independent installer as well as the standard
Debian Installer. More information is available in the release notes [4]
and the live install images [5] sections of the Debian website.

    4: https://www.debian.org/releases/bullseye/releasenotes
    5: https://www.debian.org/CD/live/

To install Debian 11 "bullseye" directly onto your computer's hard disk
you can choose from a variety of installation media such as Blu-ray
Disc, DVD, CD, USB stick, or via a network connection. Several desktop
environments — Cinnamon, GNOME, KDE Plasma Desktop and Applications,
LXDE, LXQt, MATE and Xfce — may be installed through those images. In
addition, "multi-architecture" CDs are available which support
installation from a choice of architectures from a single disc. Or you
can always create bootable USB installation media (see the Installation
Guide [6] for more details).

    6: https://www.debian.org/releases/bullseye/installmanual

There has been a lot of development on the Debian Installer, resulting
in improved hardware support and other new features.

In some cases, a successful installation can still have display issues
when rebooting into the installed system; for those cases there are a
few workarounds [7] that might help log in anyway. There is also an
isenkram-based procedure [7] which lets users detect and fix missing
firmware on their systems, in an automated fashion. Of course, one has
to weigh the pros and cons of using that tool since it's very likely
that it will need to install non-free packages.

    7:
https://www.debian.org/releases/bullseye/amd64/ch06s04#completing-installed-system

In addition to this, the non-free installer images that include firmware
packages [8] have been improved so that they can anticipate the need for
firmware in the installed system (e.g. firmware for AMD or Nvidia
graphics cards, or newer generations of Intel audio hardware).

    8:
https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/

For cloud users, Debian offers direct support for many of the best-known
cloud platforms. Official Debian images are easily selected through each
image marketplace. Debian also publishes pre-built OpenStack images [9]
for the amd64 and arm64 architectures, ready to download and use in
local cloud setups.

    9: https://cloud.debian.org/images/openstack/current/

Debian can now be installed in 76 languages, with most of them available
in both text-based and graphical user interfaces.

The installation images may be downloaded right now via bittorrent [10]
(the recommended method), jigdo [11], or HTTP [12]; see Debian on
CDs [13] for further information. "bullseye" will soon be available on
physical DVD, CD-ROM, and Blu-ray Discs from numerous vendors [14] too.

   10: https://www.debian.org/CD/torrent-cd/
   11: https://www.debian.org/CD/jigdo-cd/#which
   12: https://www.debian.org/CD/http-ftp/
   13: https://www.debian.org/CD/
   14: https://www.debian.org/CD/vendors

Upgrades to Debian 11 from the previous release, Debian 10 (code name
"buster") are automatically handled by the APT package management tool
for most configurations.

For bullseye, the security suite is now named bullseye-security and
users should adapt their APT source-list files accordingly when
upgrading. If your APT configuration also involves pinning or
APT::Default-Release, it is likely to require adjustments too. See the
Changed security archive layout [15] section of the release notes for
more details.

   15:
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information#security-archive

If you are upgrading remotely, be aware of the section No new SSH
connections possible during upgrade [16].

   16:
https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information#ssh-not-available

As always, Debian systems may be upgraded painlessly, in place, without
any forced downtime, but it is strongly recommended to read the release
notes [17] as well as the installation guide [18] for possible issues,
and for detailed instructions on installing and upgrading. The release
notes will be further improved and translated to additional languages in
the weeks after the release.

   17: https://www.debian.org/releases/bullseye/releasenotes
   18: https://www.debian.org/releases/bullseye/installmanual


About Debian
------------

Debian is a free operating system, developed by thousands of volunteers
from all over the world who collaborate via the Internet. The Debian
project's key strengths are its volunteer base, its dedication to the
Debian Social Contract and Free Software, and its commitment to provide
the best operating system possible. This new release is another
important step in that direction.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/ or send mail to <press@debian.org>.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4959-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 15, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-29980 CVE-2021-29984 CVE-2021-29985
                 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in
version 1:78.13.0-1~deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4960-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 17, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : not yet assigned

Several vulnerabilities were discovered in HAProxy, a fast and reliable
load balancing reverse proxy, which can result in HTTP request
smuggling. By carefully crafting HTTP/2 requests, it is possible to
smuggle another HTTP request to the backend selected by the HTTP/2
request. With certain configurations, it allows an attacker to send an
HTTP request to a backend, circumventing the backend selection logic.

Known workarounds are to disable HTTP/2 and set
"tune.h2.max-concurrent-streams" to 0 in the "global" section.

    global
        tune.h2.max-concurrent-streams 0

For the stable distribution (bullseye), these problems have been fixed in
version 2.2.9-2+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4961-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 23, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2021-38385

Henry de Valence reported a flaw in the signature verification code in
Tor, a connection-based low-latency anonymous communication system. A
remote attacker can take advantage of this flaw to cause an assertion
failure, resulting in denial of service.

For the oldstable distribution (buster), this problem has been fixed
in version 0.3.5.16-1.

For the stable distribution (bullseye), this problem has been fixed in
version 0.4.5.10-1~deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4962-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 23, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ledgersmb
CVE ID         : CVE-2021-3731 CVE-2021-3693 CVE-2021-3694

Several vulnerabilities were discovered in LedgerSMB, a financial
accounting and ERP program, which could result in cross-site scripting
or clickjacking.

For the oldstable distribution (buster), this problem has been fixed
in version 1.6.9+ds-1+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in
version 1.6.9+ds-2+deb11u2.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4963-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 24, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2021-3711 CVE-2021-3712

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit.

CVE-2021-3711

    John Ouyang reported a buffer overflow vulnerability in the SM2
    decryption. An attacker able to present SM2 content for
    decryption to an application can take advantage of this flaw to
    change application behaviour or cause the application to crash
    (denial of service).

CVE-2021-3712

    Ingo Schwarze reported a buffer overrun flaw when processing ASN.1
    strings in the X509_aux_print() function, which can result in denial
    of service.

Additional details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20210824.txt

For the oldstable distribution (buster), these problems have been fixed
in version 1.1.1d-0+deb10u7.

For the stable distribution (bullseye), these problems have been fixed in
version 1.1.1k-1+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4964-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
August 27, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grilo
CVE ID         : CVE-2021-39365
Debian Bug     : 992971

Michael Catanzaro reported a problem in Grilo, a framework for
discovering and browsing media. TLS certificate verification is not
enabled on the SoupSessionAsync objects created by Grilo, leaving users
vulnerable to network MITM attacks.

For the oldstable distribution (buster), this problem has been fixed
in version 0.3.7-1+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 0.3.13-1+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4962-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 31, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ledgersmb

The update for ledgersmb released as DSA 4862-1 introduced a regression
in the display of some search results. Updated ledgersmb packages are
now available to correct this issue.

For the oldstable distribution (buster), this problem has been fixed
in version 1.6.9+ds-1+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in
version 1.6.9+ds-2+deb11u3.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4965-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 31, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libssh
CVE ID         : CVE-2021-3634
Debian Bug     : 993046

It was discovered that a buffer overflow in rekeying in libssh could
result in denial of service or potentially the execution of arbitrary
code.

The oldstable distribution (buster) is not affected.

For the stable distribution (bullseye), this problem has been fixed in
version 0.9.5-1+deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4966-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 31, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gpac
CVE ID         : CVE-2021-21834 CVE-2021-21836 CVE-2021-21837 CVE-2021-21838 
                 CVE-2021-21839 CVE-2021-21840 CVE-2021-21841 CVE-2021-21842 
                 CVE-2021-21843 CVE-2021-21844 CVE-2021-21845 CVE-2021-21846 
                 CVE-2021-21847 CVE-2021-21848 CVE-2021-21849 CVE-2021-21850 
                 CVE-2021-21853 CVE-2021-21854 CVE-2021-21855 CVE-2021-21857
		 CVE-2021-21858 CVE-2021-21859 CVE-2021-21860 CVE-2021-21861

Multiple security issues were discovered in the GPAC multimedia framework
which could result in denial of service or the execution of arbitrary code.

The oldstable distribution (buster) is not affected.

For the stable distribution (bullseye), these problems have been fixed in
version 1.0.1+dfsg1-4+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4967-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 04, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squashfs-tools
CVE ID         : CVE-2021-40153

Etienne Stalmans discovered that unsquashfs in squashfs-tools, the tools
to create and extract Squashfs filesystems, does not validate filenames
for traversal outside of the destination directory. An attacker can take
advantage of this flaw for writing to arbitrary files to the filesystem
if a malformed Squashfs image is processed.

For the oldstable distribution (buster), this problem has been fixed
in version 1:4.3-12+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 1:4.4-2+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4968-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 07, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : CVE-2021-40346

Ori Hollander reported that missing header name length checks in the
htx_add_header() and htx_add_trailer() functions in HAProxy, a fast and
reliable load balancing reverse proxy, could result in request smuggling
attacks or response splitting attacks.

Additionally this update addresses #993303 introduced in DSA 4960-1
causing HAProxy to fail serving URLs with HTTP/2 containing '//'.

For the stable distribution (bullseye), this problem has been fixed in
version 2.2.9-2+deb11u2.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4969-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 09, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-38493

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the oldstable distribution (buster), this problem has been fixed
in version 78.14.0esr-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 78.14.0esr-1~deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4970-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 09, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postorius
CVE ID         : CVE-2021-40347

Kevin Israel discovered that Postorius, the administrative web frontend
for Mailman 3, didn't validate whether a logged-in user owns the email
address when unsubscribing.

For the oldstable distribution (buster), this problem has been fixed
in version 1.2.4-1+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 1.3.4-2+deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4971-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 09, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ntfs-3g
CVE ID         : CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289
                 CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269
                 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254
                 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258
                 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262
                 CVE-2021-39263
Debian Bug     : 988386

Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS
driver for FUSE. A local user can take advantage of these flaws for
local root privilege escalation.

For the oldstable distribution (buster), these problems have been fixed
in version 1:2017.3.23AR.3-3+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 1:2017.3.23AR.3-4+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4972-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 10, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2021-3781
Debian Bug     : 994011

It was discovered that Ghostscript, the GPL PostScript/PDF interpreter,
does not properly validate access for the "%pipe%", "%handle%" and
"%printer%" io devices, which could result in the execution of arbitrary
code if a malformed Postscript file is processed (despite the -dSAFER
sandbox being enabled).

For the stable distribution (bullseye), this problem has been fixed in
version 9.53.3~dfsg-7+deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4973-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 10, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-38493

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code.

For the oldstable distribution (buster), this problem has been fixed
in version 1:78.14.0-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 1:78.14.0-1~deb11u1.
Link to comment
Share on other sites

  • 2 weeks later...
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4974-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 19, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nextcloud-desktop
CVE ID         : CVE-2021-22895 CVE-2021-32728
Debian Bug     : 989846

Two vulnerabilities were discovered in the Nextcloud desktop client,
which could result in information disclosure.

For the oldstable distribution (buster), these problems have been fixed
in version 2.5.1-3+deb10u2.

For the stable distribution (bullseye), these problems have been fixed in
version 3.1.1-2+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4977-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 20, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2021-28694 CVE-2021-28695 CVE-2021-28696 CVE-2021-28697 
                 CVE-2021-28698 CVE-2021-28699 CVE-2021-28700 CVE-2021-28701

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in privilege escalation, denial of service or
information leaks.

With the end of upstream support for the 4.11 branch, the version of xen
in the oldstable distribution (buster) is no longer supported. If you
rely on security support for your Xen installation an update to the
stable distribution (bullseye) is recommended.

For the stable distribution (bullseye), these problems have been fixed in
version 4.14.3-1~deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4975-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
September 20, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2021-30858

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2021-30858
    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to arbitrary code execution. Apple is
    aware of a report that this issue may have been actively
    exploited.

For the oldstable distribution (buster), this problem has been fixed
in version 2.32.4-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 2.32.4-1~deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4976-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
September 20, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpewebkit
CVE ID         : CVE-2021-30858

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2021-30858
    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to arbitrary code execution. Apple is
    aware of a report that this issue may have been actively
    exploited.

For the stable distribution (bullseye), this problem has been fixed in
version 2.32.4-1~deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4978-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 25, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2020-3702 CVE-2020-16119 CVE-2021-3653 CVE-2021-3656 
                 CVE-2021-3679 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743 
                 CVE-2021-3753 CVE-2021-37576 CVE-2021-38160 CVE-2021-38166 
                 CVE-2021-38199 CVE-2021-40490 CVE-2021-41073
Debian Bug     : 993948 993978

Several vulnerabilities have been discovered in the Linux kernel
that may lead to a privilege escalation, denial of service or
information leaks.

CVE-2020-3702

    A flaw was found in the driver for Atheros IEEE 802.11n family of
    chipsets (ath9k) allowing information disclosure.

CVE-2020-16119

    Hadar Manor reported a use-after-free in the DCCP protocol
    implementation in the Linux kernel. A local attacker can take
    advantage of this flaw to cause a denial of service or potentially
    to execute arbitrary code.

CVE-2021-3653

    Maxim Levitsky discovered a vulnerability in the KVM hypervisor
    implementation for AMD processors in the Linux kernel: Missing
    validation of the `int_ctl` VMCB field could allow a malicious L1
    guest to enable AVIC support (Advanced Virtual Interrupt Controller)
    for the L2 guest. The L2 guest can take advantage of this flaw to
    write to a limited but still relatively large subset of the host
    physical memory.

CVE-2021-3656

    Maxim Levitsky and Paolo Bonzini discovered a flaw in the KVM
    hypervisor implementation for AMD processors in the Linux kernel.
    Missing validation of the the `virt_ext` VMCB field could allow a
    malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS
    (Virtual VMLOAD/VMSAVE) for the L2 guest. Under these circumstances,
    the L2 guest is able to run VMLOAD/VMSAVE unintercepted and thus
    read/write portions of the host's physical memory.

CVE-2021-3679

    A flaw in the Linux kernel tracing module functionality could allow
    a privileged local user (with CAP_SYS_ADMIN capability) to cause a
    denial of service (resource starvation).

CVE-2021-3732

    Alois Wohlschlager reported a flaw in the implementation of the
    overlayfs subsystem, allowing a local attacker with privileges to
    mount a filesystem to reveal files hidden in the original mount.

CVE-2021-3739

    A NULL pointer dereference flaw was found in the btrfs filesystem,
    allowing a local attacker with CAP_SYS_ADMIN capabilities to cause a
    denial of service.

CVE-2021-3743

    An out-of-bounds memory read was discovered in the Qualcomm IPC
    router protocol implementation, allowing to cause a denial of
    service or information leak.

CVE-2021-3753

    Minh Yuan reported a race condition in the vt_k_ioctl in
    drivers/tty/vt/vt_ioctl.c, which may cause an out of bounds
    read in vt.

CVE-2021-37576

    Alexey Kardashevskiy reported a buffer overflow in the KVM subsystem
    on the powerpc platform, which allows KVM guest OS users to cause
    memory corruption on the host.

CVE-2021-38160

    A flaw in the virtio_console was discovered allowing data corruption
    or data loss by an untrusted device.

CVE-2021-38166

    An integer overflow flaw in the BPF subsystem could allow a local
    attacker to cause a denial of service or potentially the execution
    of arbitrary code. This flaw is mitigated by default in Debian as
    unprivileged calls to bpf() are disabled.

CVE-2021-38199

    Michael Wakabayashi reported a flaw in the NFSv4 client
    implementation, where incorrect connection setup ordering allows
    operations of a remote NFSv4 server to cause a denial of service.

CVE-2021-40490

    A race condition was discovered in the ext4 subsystem when writing
    to an inline_data file while its xattrs are changing. This could
    result in denial of service.

CVE-2021-41073

    Valentina Palmiotti discovered a flaw in io_uring allowing a local
    attacker to escalate privileges.

For the stable distribution (bullseye), these problems have been fixed in
version 5.10.46-5. This update includes fixes for #993948 and #993978.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4979-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 01, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-35197 CVE-2021-41798 CVE-2021-41799 CVE-2021-41800 
                 CVE-2021-41801

Multiple security issues were found in MediaWiki, a website engine for
collaborative work, which could result in cross-site scripting,
denial of service and a bypass of restrictions in the "Replace Text"
extension.

For the oldstable distribution (buster), these problems have been fixed
in version 1:1.31.16-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 1:1.35.4-1~deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4980-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 03, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2021-3544 CVE-2021-3545 CVE-2021-3546 CVE-2021-3638 
                 CVE-2021-3682 CVE-2021-3713 CVE-2021-3748
Debian Bug     : 988174 989042 991911 992726 992727 993401

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service or the the execution
of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in
version 1:5.2+dfsg-11+deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4981-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 06, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-38496 CVE-2021-38500

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the oldstable distribution (buster), these problems have been fixed
in version 78.15.0esr-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 78.15.0esr-1~deb11u1.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4982-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 08, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438

Several vulnerabilities have been found in the Apache HTTP server, which
could result in denial of service. In addition a vulnerability was
discovered in mod_proxy with which an attacker could trick the server
to forward requests to arbitrary origin servers.

For the oldstable distribution (buster), these problems have been fixed
in version 2.4.38-3+deb10u6.

For the stable distribution (bullseye), these problems have been fixed in
version 2.4.51-1~deb11u1.
Link to comment
Share on other sites

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.11 released                       press@debian.org
October 9th, 2021            https://www.debian.org/News/2021/2021100902
------------------------------------------------------------------------


The Debian project is pleased to announce the eleventh update of its
oldstable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| atftp [1]                 | Fix buffer overflow [CVE-2021-41054]    |
|                           |                                         |
| base-files [2]            | Update for the 10.11 point release      |
|                           |                                         |
| btrbk [3]                 | Fix arbitrary code execution issue      |
|                           | [CVE-2021-38173]                        |
|                           |                                         |
| clamav [4]                | New upstream stable release; fix        |
|                           | clamdscan segfaults when --fdpass and   |
|                           | --multipass are used together with      |
|                           | ExcludePath                             |
|                           |                                         |
| commons-io [5]            | Fix path traversal issue [CVE-2021-     |
|                           | 29425]                                  |
|                           |                                         |
| cyrus-imapd [6]           | Fix denial-of-service issue [CVE-2021-  |
|                           | 33582]                                  |
|                           |                                         |
| debconf [7]               | Check that whiptail or dialog is        |
|                           | actually usable                         |
|                           |                                         |
| debian-installer [8]      | Rebuild against buster-proposed-        |
|                           | updates; update Linux ABI to 4.19.0-18  |
|                           |                                         |
| debian-installer-netboot- | Rebuild against buster-proposed-updates |
| images [9]                |                                         |
|                           |                                         |
| distcc [10]               | Fix GCC cross-compiler links in update- |
|                           | distcc-symlinks and add support for     |
|                           | clang and CUDA (nvcc)                   |
|                           |                                         |
| distro-info-data [11]     | Update included data for several        |
|                           | releases                                |
|                           |                                         |
| dwarf-fortress [12]       | Remove undistributable prebuilt shared  |
|                           | libraries from the source tarball       |
|                           |                                         |
| espeak-ng [13]            | Fix using espeak with mbrola-fr4 when   |
|                           | mbrola-fr1 is not installed             |
|                           |                                         |
| gcc-mingw-w64 [14]        | Fix gcov handling                       |
|                           |                                         |
| gthumb [15]               | Fix heap-based buffer overflow issue    |
|                           | [CVE-2019-20326]                        |
|                           |                                         |
| hg-git [16]               | Fix test failures with recent git       |
|                           | versions                                |
|                           |                                         |
| htslib [17]               | Fix autopkgtest on i386                 |
|                           |                                         |
| http-parser [18]          | Fix HTTP request smuggling issue        |
|                           | [CVE-2019-15605]                        |
|                           |                                         |
| irssi [19]                | Fix use after free issue when sending   |
|                           | SASL login to the server [CVE-2019-     |
|                           | 13045]                                  |
|                           |                                         |
| java-atk-wrapper [20]     | Also use dbus to detect accessibility   |
|                           | being enabled                           |
|                           |                                         |
| krb5 [21]                 | Fix KDC null dereference crash on FAST  |
|                           | request with no server field [CVE-2021- |
|                           | 37750]; fix memory leak in              |
|                           | krb5_gss_inquire_cred                   |
|                           |                                         |
| libdatetime-timezone-perl | New upstream stable release; update DST |
| [22]                      | rules for Samoa and Jordon;             |
|                           | confirmation of no leap second on 2021- |
|                           | 12-31                                   |
|                           |                                         |
| libpam-tacplus [23]       | Prevent shared secrets from being added |
|                           | in plaintext to the system log          |
|                           | [CVE-2020-13881]                        |
|                           |                                         |
| linux [24]                | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct" , fixing issues with lxc-    |
|                           | attach; new upstream stable release;    |
|                           | increase ABI version to 18; [rt] Update |
|                           | to 4.19.207-rt88; usb: hso: fix error   |
|                           | handling code of hso_create_net_device  |
|                           | [CVE-2021-37159]                        |
|                           |                                         |
| linux-latest [25]         | Update to 4.19.0-18 kernel ABI          |
|                           |                                         |
| linux-signed-amd64 [26]   | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct" , fixing issues with lxc-    |
|                           | attach; new upstream stable release;    |
|                           | increase ABI version to 18; [rt] Update |
|                           | to 4.19.207-rt88; usb: hso: fix error   |
|                           | handling code of hso_create_net_device  |
|                           | [CVE-2021-37159]                        |
|                           |                                         |
| linux-signed-arm64 [27]   | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct" , fixing issues with lxc-    |
|                           | attach; new upstream stable release;    |
|                           | increase ABI version to 18; [rt] Update |
|                           | to 4.19.207-rt88; usb: hso: fix error   |
|                           | handling code of hso_create_net_device  |
|                           | [CVE-2021-37159]                        |
|                           |                                         |
| linux-signed-i386 [28]    | "proc: Track /proc/$pid/attr/ opener    |
|                           | mm_struct" , fixing issues with lxc-    |
|                           | attach; new upstream stable release;    |
|                           | increase ABI version to 18; [rt] Update |
|                           | to 4.19.207-rt88; usb: hso: fix error   |
|                           | handling code of hso_create_net_device  |
|                           | [CVE-2021-37159]                        |
|                           |                                         |
| mariadb-10.3 [29]         | New upstream stable release; security   |
|                           | fixes [CVE-2021-2389 CVE-2021-2372];    |
|                           | fix Perl executable path in scripts     |
|                           |                                         |
| modsecurity-crs [30]      | Fix request body bypass issue           |
|                           | [CVE-2021-35368]                        |
|                           |                                         |
| node-ansi-regex [31]      | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3807]           |
|                           |                                         |
| node-axios [32]           | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3749]           |
|                           |                                         |
| node-jszip [33]           | Use a null prototype object for         |
|                           | this.files [CVE-2021-23413]             |
|                           |                                         |
| node-tar [34]             | Remove non-directory paths from the     |
|                           | directory cache [CVE-2021-32803]; strip |
|                           | absolute paths more comprehensively     |
|                           | [CVE-2021-32804]                        |
|                           |                                         |
| nvidia-cuda-toolkit [35]  | Fix setting of NVVMIR_LIBRARY_DIR on    |
|                           | ppc64el                                 |
|                           |                                         |
| nvidia-graphics-drivers   | New upstream stable release; fix denial |
| [36]                      | of service issues [CVE-2021-1093        |
|                           | CVE-2021-1094 CVE-2021-1095]; nvidia-   |
|                           | driver-libs: Add Recommends: libnvidia- |
|                           | encode1                                 |
|                           |                                         |
| nvidia-graphics-drivers-  | New upstream stable release; fix denial |
| legacy-390xx [37]         | of service issues [CVE-2021-1093        |
|                           | CVE-2021-1094 CVE-2021-1095]; nvidia-   |
|                           | legacy-390xx-driver-libs: Add           |
|                           | Recommends: libnvidia-legacy-390xx-     |
|                           | encode1                                 |
|                           |                                         |
| postgresql-11 [38]        | New upstream stable release; fix mis-   |
|                           | planning of repeated application of a   |
|                           | projection step [CVE-2021-3677];        |
|                           | disallow SSL renegotiation more         |
|                           | completely                              |
|                           |                                         |
| proftpd-dfsg [39]         | Fix  "mod_radius leaks memory contents  |
|                           | to radius server" ,  "cannot disable    |
|                           | client-initiated renegotiation for      |
|                           | FTPS" , navigation into symlinked       |
|                           | directories, mod_sftp crash when using  |
|                           | pubkey-auth with DSA keys               |
|                           |                                         |
| psmisc [40]               | Fix regression in killall not matching  |
|                           | process with names longer than 15       |
|                           | characters                              |
|                           |                                         |
| python-uflash [41]        | Update firmware URL                     |
|                           |                                         |
| request-tracker4 [42]     | Fix login timing side-channel attack    |
|                           | issue [CVE-2021-38562]                  |
|                           |                                         |
| ring [43]                 | Fix denial of service issue in the      |
|                           | embedded copy of pjproject [CVE-2021-   |
|                           | 21375]                                  |
|                           |                                         |
| sabnzbdplus [44]          | Prevent directory escape in renamer     |
|                           | function [CVE-2021-29488]               |
|                           |                                         |
| shim [45]                 | Add arm64 patch to tweak section layout |
|                           | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-helpers-amd64-signed | Add arm64 patch to tweak section layout |
| [46]                      | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-helpers-arm64-signed | Add arm64 patch to tweak section layout |
| [47]                      | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-helpers-i386-signed  | Add arm64 patch to tweak section layout |
| [48]                      | and stop crashing problems; in insecure |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shim-signed [49]          | Work around boot-breaking issues on     |
|                           | arm64 by including an older known       |
|                           | working version of unsigned shim on     |
|                           | that platform; switch arm64 back to     |
|                           | using a current unsigned build; add     |
|                           | arm64 patch to tweak section layout and |
|                           | stop crashing problems; in insecure     |
|                           | mode, don't abort if we can't create    |
|                           | the MokListXRT variable; don't abort on |
|                           | grub installation failures; warn        |
|                           | instead                                 |
|                           |                                         |
| shiro [50]                | Fix authentication bypass issues        |
|                           | [CVE-2020-1957 CVE-2020-11989 CVE-2020- |
|                           | 13933 CVE-2020-17510]; update Spring    |
|                           | Framework compatibility patch; support  |
|                           | Guice 4                                 |
|                           |                                         |
| tzdata [51]               | Update DST rules for Samoa and Jordan;  |
|                           | confirm the absence of a leap second on |
|                           | 2021-12-31                              |
|                           |                                         |
| ublock-origin [52]        | New upstream stable release; fix denial |
|                           | of service issue [CVE-2021-36773]       |
|                           |                                         |
| ulfius [53]               | Ensure memory is initialised before use |
|                           | [CVE-2021-40540]                        |
|                           |                                         |
| xmlgraphics-commons [54]  | Fix Server-Side Request Forgery issue   |
|                           | [CVE-2020-11988]                        |
|                           |                                         |
| yubikey-manager [55]      | Add missing dependency on python3-pkg-  |
|                           | resources to yubikey-manager            |
|                           |                                         |
+---------------------------+-----------------------------------------+
Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4842 [56]  | thunderbird [57]           |
|                |                            |
| DSA-4866 [58]  | thunderbird [59]           |
|                |                            |
| DSA-4876 [60]  | thunderbird [61]           |
|                |                            |
| DSA-4897 [62]  | thunderbird [63]           |
|                |                            |
| DSA-4927 [64]  | thunderbird [65]           |
|                |                            |
| DSA-4931 [66]  | xen [67]                   |
|                |                            |
| DSA-4932 [68]  | tor [69]                   |
|                |                            |
| DSA-4933 [70]  | nettle [71]                |
|                |                            |
| DSA-4934 [72]  | intel-microcode [73]       |
|                |                            |
| DSA-4935 [74]  | php7.3 [75]                |
|                |                            |
| DSA-4936 [76]  | libuv1 [77]                |
|                |                            |
| DSA-4937 [78]  | apache2 [79]               |
|                |                            |
| DSA-4938 [80]  | linuxptp [81]              |
|                |                            |
| DSA-4939 [82]  | firefox-esr [83]           |
|                |                            |
| DSA-4940 [84]  | thunderbird [85]           |
|                |                            |
| DSA-4941 [86]  | linux-signed-amd64 [87]    |
|                |                            |
| DSA-4941 [88]  | linux-signed-arm64 [89]    |
|                |                            |
| DSA-4941 [90]  | linux-signed-i386 [91]     |
|                |                            |
| DSA-4941 [92]  | linux [93]                 |
|                |                            |
| DSA-4942 [94]  | systemd [95]               |
|                |                            |
| DSA-4943 [96]  | lemonldap-ng [97]          |
|                |                            |
| DSA-4944 [98]  | krb5 [99]                  |
|                |                            |
| DSA-4945 [100] | webkit2gtk [101]           |
|                |                            |
| DSA-4946 [102] | openjdk-11-jre-dcevm [103] |
|                |                            |
| DSA-4946 [104] | openjdk-11 [105]           |
|                |                            |
| DSA-4947 [106] | libsndfile [107]           |
|                |                            |
| DSA-4948 [108] | aspell [109]               |
|                |                            |
| DSA-4949 [110] | jetty9 [111]               |
|                |                            |
| DSA-4950 [112] | ansible [113]              |
|                |                            |
| DSA-4951 [114] | bluez [115]                |
|                |                            |
| DSA-4952 [116] | tomcat9 [117]              |
|                |                            |
| DSA-4953 [118] | lynx [119]                 |
|                |                            |
| DSA-4954 [120] | c-ares [121]               |
|                |                            |
| DSA-4955 [122] | libspf2 [123]              |
|                |                            |
| DSA-4956 [124] | firefox-esr [125]          |
|                |                            |
| DSA-4957 [126] | trafficserver [127]        |
|                |                            |
| DSA-4958 [128] | exiv2 [129]                |
|                |                            |
| DSA-4959 [130] | thunderbird [131]          |
|                |                            |
| DSA-4961 [132] | tor [133]                  |
|                |                            |
| DSA-4962 [134] | ledgersmb [135]            |
|                |                            |
| DSA-4963 [136] | openssl [137]              |
|                |                            |
| DSA-4964 [138] | grilo [139]                |
|                |                            |
| DSA-4967 [140] | squashfs-tools [141]       |
|                |                            |
| DSA-4969 [142] | firefox-esr [143]          |
|                |                            |
| DSA-4970 [144] | postorius [145]            |
|                |                            |
| DSA-4971 [146] | ntfs-3g [147]              |
|                |                            |
| DSA-4973 [148] | thunderbird [149]          |
|                |                            |
| DSA-4974 [150] | nextcloud-desktop [151]    |
|                |                            |
| DSA-4975 [152] | webkit2gtk [153]           |
|                |                            |
| DSA-4979 [154] | mediawiki [155]            |
|                |                            |
+----------------+----------------------------+
Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-----------------------------+----------------------------------------+
| Package                     | Reason                                 |
+-----------------------------+----------------------------------------+
| birdtray [156]              | Incompatible with newer Thunderbird    |
|                             | versions                               |
|                             |                                        |
| libprotocol-acme-perl [157] | Only supports obsolete ACME version 1  |
|                             |                                        |
+-----------------------------+----------------------------------------+
Link to comment
Share on other sites

------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 11: 11.1 released                        press@debian.org
October 9th, 2021              https://www.debian.org/News/2021/20211009
------------------------------------------------------------------------


The Debian project is pleased to announce the first update of its stable
distribution Debian 11 (codename "bullseye"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 11 but only updates some of the packages included. There is no
need to throw away old "bullseye" media. After installation, packages
can be upgraded to the current versions using an up-to-date Debian
mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| apr [1]                   | Prevent out-of-bounds array dereference |
|                           |                                         |
| atftp [2]                 | Fix buffer overflow [CVE-2021-41054]    |
|                           |                                         |
| automysqlbackup [3]       | Fix crash when using  "LATEST=yes"      |
|                           |                                         |
| base-files [4]            | Update for the 11.1 point release       |
|                           |                                         |
| clamav [5]                | New upstream stable release; fix        |
|                           | clamdscan segfaults when --fdpass and   |
|                           | --multipass are used together with      |
|                           | ExcludePath                             |
|                           |                                         |
| cloud-init [6]            | Avoid duplicate includedir in /etc/     |
|                           | sudoers                                 |
|                           |                                         |
| cyrus-imapd [7]           | Fix denial-of-service issue [CVE-2021-  |
|                           | 33582]                                  |
|                           |                                         |
| dazzdb [8]                | Fix a use-after-free in DBstats         |
|                           |                                         |
| debian-edu-config [9]     | debian-edu-ltsp-install: extend main    |
|                           | server related exclude list; add slapd  |
|                           | and xrdp-sesman to the list of masked   |
|                           | services                                |
|                           |                                         |
| debian-installer [10]     | Rebuild against proposed updates;       |
|                           | update Linux ABI to 5.10.0-9; use udebs |
|                           | from proposed-updates                   |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates; use   |
| images [11]               | udebs from proposed-updates and stable; |
|                           | use xz-compressed Packages files        |
|                           |                                         |
| detox [12]                | Fix handling of large files             |
|                           |                                         |
| devscripts [13]           | Make the --bpo option target bullseye-  |
|                           | backports                               |
|                           |                                         |
| dlt-viewer [14]           | Add missing qdlt/qdlt*.h header files   |
|                           | to dev package                          |
|                           |                                         |
| dpdk [15]                 | New upstream stable release             |
|                           |                                         |
| fetchmail [16]            | Fix segmentation fault and security     |
|                           | regression                              |
|                           |                                         |
| flatpak [17]              | New upstream stable release; don't      |
|                           | inherit an unusual $XDG_RUNTIME_DIR     |
|                           | setting into the sandbox                |
|                           |                                         |
| freeradius [18]           | Fix thread crash and sample             |
|                           | configuration                           |
|                           |                                         |
| galera-3 [19]             | New upstream stable release             |
|                           |                                         |
| galera-4 [20]             | New upstream stable release; solve      |
|                           | circular Conflicts with galera-3 by no  |
|                           | longer providing a virtual  "galera"    |
|                           | package                                 |
|                           |                                         |
| glewlwyd [21]             | Fix possible buffer overflow during     |
|                           | FIDO2 signature validation in webauthn  |
|                           | registration [CVE-2021-40818]           |
|                           |                                         |
| glibc [22]                | Restart openssh-server even if it has   |
|                           | been deconfigured during the upgrade;   |
|                           | fix text fallback when debconf is       |
|                           | unusable                                |
|                           |                                         |
| gnome-maps [23]           | New upstream stable release; fix a      |
|                           | crash when starting up with last-used   |
|                           | map type being aerial, and no aerial    |
|                           | tile definition is found; don't         |
|                           | sometimes write broken last view        |
|                           | position on exit; fix hang when         |
|                           | dragging around route markers           |
|                           |                                         |
| gnome-shell [24]          | New upstream stable release; fix freeze |
|                           | after cancelling (some) system-modal    |
|                           | dialogs; fix word suggestions in on-    |
|                           | screen keyboard; fix crashes            |
|                           |                                         |
| hdf5 [25]                 | Adjust package dependencies to improve  |
|                           | upgrade paths from older releases       |
|                           |                                         |
| iotop-c [26]              | Properly handle UTF-8 process names     |
|                           |                                         |
| jailkit [27]              | Fix creation of jails that need to      |
|                           | use /dev; fix library presence check    |
|                           |                                         |
| java-atk-wrapper [28]     | Also use dbus to detect accessibility   |
|                           | being enabled                           |
|                           |                                         |
| krb5 [29]                 | Fix KDC null dereference crash on FAST  |
|                           | request with no server field [CVE-2021- |
|                           | 37750]; fix memory leak in              |
|                           | krb5_gss_inquire_cred                   |
|                           |                                         |
| libavif [30]              | Use correct libdir in libavif.pc        |
|                           | pkgconfig file                          |
|                           |                                         |
| libbluray [31]            | Switch to embedded libasm; the version  |
|                           | from libasm-java is too new             |
|                           |                                         |
| libdatetime-timezone-perl | New upstream stable release; update DST |
| [32]                      | rules for Samoa and Jordon;             |
|                           | confirmation of no leap second on 2021- |
|                           | 12-31                                   |
|                           |                                         |
| libslirp [33]             | Fix multiple buffer overflow issues     |
|                           | [CVE-2021-3592 CVE-2021-3593 CVE-2021-  |
|                           | 3594 CVE-2021-3595]                     |
|                           |                                         |
| linux [34]                | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-amd64 [35]   | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-arm64 [36]   | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| linux-signed-i386 [37]    | New upstream stable release; increase   |
|                           | ABI to 9; [rt] Update to 5.10.65-rt53;  |
|                           | [mipsel] bpf, mips: Validate            |
|                           | conditional branch offsets [CVE-2021-   |
|                           | 38300]                                  |
|                           |                                         |
| mariadb-10.5 [38]         | New upstream stable release; security   |
|                           | fixes [CVE-2021-2372 CVE-2021-2389]     |
|                           |                                         |
| mbrola [39]               | Fix end of file detection               |
|                           |                                         |
| modsecurity-crs [40]      | Fix request body bypass issue           |
|                           | [CVE-2021-35368]                        |
|                           |                                         |
| mtr [41]                  | Fix regression in JSON output           |
|                           |                                         |
| mutter [42]               | New upstream stable release; kms:       |
|                           | Improve handling of common video modes  |
|                           | that might exceed the possible          |
|                           | bandwidth; ensure valid window texture  |
|                           | size after viewport changes             |
|                           |                                         |
| nautilus [43]             | Avoid opening multiple selected files   |
|                           | in multiple application instances;      |
|                           | don't save window size and position     |
|                           | when tiled; fix some memory leaks;      |
|                           | update translations                     |
|                           |                                         |
| node-ansi-regex [44]      | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3807]           |
|                           |                                         |
| node-axios [45]           | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3749]           |
|                           |                                         |
| node-object-path [46]     | Fix prototype pollution issues          |
|                           | [CVE-2021-23434 CVE-2021-3805]          |
|                           |                                         |
| node-prismjs [47]         | Fix regular expression-based denial of  |
|                           | service issue [CVE-2021-3801]           |
|                           |                                         |
| node-set-value [48]       | Fix prototype pollution [CVE-2021-      |
|                           | 23440]                                  |
|                           |                                         |
| node-tar [49]             | Remove non-directory paths from the     |
|                           | directory cache [CVE-2021-32803]; strip |
|                           | absolute paths more comprehensively     |
|                           | [CVE-2021-32804]                        |
|                           |                                         |
| osmcoastline [50]         | Fix projections other than WGS84        |
|                           |                                         |
| osmpbf [51]               | Rebuild against protobuf 3.12.4         |
|                           |                                         |
| pam [52]                  | Fix syntax error in libpam0g.postinst   |
|                           | when a systemd unit fails               |
|                           |                                         |
| perl [53]                 | Security update; fix a regular          |
|                           | expression memory leak                  |
|                           |                                         |
| pglogical [54]            | Update for PostgreSQL 13.4 snapshot     |
|                           | handling fixes                          |
|                           |                                         |
| pmdk [55]                 | Fix missing barriers after non-temporal |
|                           | memcpy                                  |
|                           |                                         |
| postgresql-13 [56]        | New upstream stable release; fix mis-   |
|                           | planning of repeated application of a   |
|                           | projection step [CVE-2021-3677];        |
|                           | disallow SSL renegotiation more         |
|                           | completely                              |
|                           |                                         |
| proftpd-dfsg [57]         | Fix  "mod_radius leaks memory contents  |
|                           | to radius server"  and  "sftp           |
|                           | connection aborts with " Corrupted MAC  |
|                           | on input; skip escaping of already-     |
|                           | escaped SQL text                        |
|                           |                                         |
| pyx3 [58]                 | Fix horizontal font alignment issue     |
|                           | with texlive 2020                       |
|                           |                                         |
| reportbug [59]            | Update suite names following bullseye   |
|                           | release                                 |
|                           |                                         |
| request-tracker4 [60]     | Fix login timing side-channel attack    |
|                           | issue [CVE-2021-38562]                  |
|                           |                                         |
| rhonabwy [61]             | Fix JWE CBC tag computation and JWS     |
|                           | alg:none signature verification         |
|                           |                                         |
| rpki-trust-anchors [62]   | Add HTTPS URL to the LACNIC TAL         |
|                           |                                         |
| rsync [63]                | Re-add --copy-devices; fix regression   |
|                           | in --delay-updates; fix edge case in -- |
|                           | mkpath; fix rsync-ssl; fix --sparce and |
|                           | --inplace; update options available to  |
|                           | rrsync; documentation fixes             |
|                           |                                         |
| ruby-rqrcode-rails3 [64]  | Fix for ruby-rqrcode 1.0 compatibility  |
|                           |                                         |
| sabnzbdplus [65]          | Prevent directory escape in renamer     |
|                           | function [CVE-2021-29488]               |
|                           |                                         |
| shellcheck [66]           | Fix rendering of long options in        |
|                           | manpage                                 |
|                           |                                         |
| shiro [67]                | Fix authentication bypass issues        |
|                           | [CVE-2020-1957 CVE-2020-11989 CVE-2020- |
|                           | 13933 CVE-2020-17510]; update Spring    |
|                           | Framework compatibility patch; support  |
|                           | Guice 4                                 |
|                           |                                         |
| speech-dispatcher [68]    | Fix setting of voice name for the       |
|                           | generic module                          |
|                           |                                         |
| telegram-desktop [69]     | Avoid crash when auto-delete is enabled |
|                           |                                         |
| termshark [70]            | Include themes in package               |
|                           |                                         |
| tmux [71]                 | Fix a race condition which results in   |
|                           | the config not being loaded if several  |
|                           | clients are interacting with the server |
|                           | while it's initializing                 |
|                           |                                         |
| txt2man [72]              | Fix regression in handling display      |
|                           | blocks                                  |
|                           |                                         |
| tzdata [73]               | Update DST rules for Samoa and Jordan;  |
|                           | confirm the absence of a leap second on |
|                           | 2021-12-31                              |
|                           |                                         |
| ublock-origin [74]        | New upstream stable release; fix denial |
|                           | of service issue [CVE-2021-36773]       |
|                           |                                         |
| ulfius [75]               | Ensure memory is initialised before use |
|                           | [CVE-2021-40540]                        |
|                           |                                         |
+---------------------------+-----------------------------------------+
Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-4959 [76]  | thunderbird [77]         |
|                |                          |
| DSA-4960 [78]  | haproxy [79]             |
|                |                          |
| DSA-4961 [80]  | tor [81]                 |
|                |                          |
| DSA-4962 [82]  | ledgersmb [83]           |
|                |                          |
| DSA-4963 [84]  | openssl [85]             |
|                |                          |
| DSA-4964 [86]  | grilo [87]               |
|                |                          |
| DSA-4965 [88]  | libssh [89]              |
|                |                          |
| DSA-4966 [90]  | gpac [91]                |
|                |                          |
| DSA-4967 [92]  | squashfs-tools [93]      |
|                |                          |
| DSA-4968 [94]  | haproxy [95]             |
|                |                          |
| DSA-4969 [96]  | firefox-esr [97]         |
|                |                          |
| DSA-4970 [98]  | postorius [99]           |
|                |                          |
| DSA-4971 [100] | ntfs-3g [101]            |
|                |                          |
| DSA-4972 [102] | ghostscript [103]        |
|                |                          |
| DSA-4973 [104] | thunderbird [105]        |
|                |                          |
| DSA-4974 [106] | nextcloud-desktop [107]  |
|                |                          |
| DSA-4975 [108] | webkit2gtk [109]         |
|                |                          |
| DSA-4976 [110] | wpewebkit [111]          |
|                |                          |
| DSA-4977 [112] | xen [113]                |
|                |                          |
| DSA-4978 [114] | linux-signed-amd64 [115] |
|                |                          |
| DSA-4978 [116] | linux-signed-arm64 [117] |
|                |                          |
| DSA-4978 [118] | linux-signed-i386 [119]  |
|                |                          |
| DSA-4978 [120] | linux [121]              |
|                |                          |
| DSA-4979 [122] | mediawiki [123]          |
|                |                          |
+----------------+--------------------------+
During the final stages of the bullseye freeze, some updates were
released via the security archive [124] but without an accompanying DSA.
These updates are detailed below.

  124: https://security.debian.org/

+---------------------------+------------------------------------------+
| Package                   | Reason                                   |
+---------------------------+------------------------------------------+
| apache2 [125]             | Fix mod_proxy HTTP2 request line         |
|                           | injection [CVE-2021-33193]               |
|                           |                                          |
| btrbk [126]               | Fix arbitrary code execution issue       |
|                           | [CVE-2021-38173]                         |
|                           |                                          |
| c-ares [127]              | Fix missing input validation on          |
|                           | hostnames returned by DNS servers        |
|                           | [CVE-2021-3672]                          |
|                           |                                          |
| exiv2 [128]               | Fix overflow issues [CVE-2021-29457      |
|                           | CVE-2021-31292]                          |
|                           |                                          |
| firefox-esr [129]         | New upstream stable release [CVE-2021-   |
|                           | 29980 CVE-2021-29984 CVE-2021-29985      |
|                           | CVE-2021-29986 CVE-2021-29988 CVE-2021-  |
|                           | 29989]                                   |
|                           |                                          |
| libencode-perl [130]      | Encode: mitigate @INC pollution when     |
|                           | loading ConfigLocal [CVE-2021-36770]     |
|                           |                                          |
| libspf2 [131]             | spf_compile.c: Correct size of ds_avail  |
|                           | [CVE-2021-20314]; fix  "reverse"  macro  |
|                           | modifier                                 |
|                           |                                          |
| lynx [132]                | Fix leakage of credentials if SNI was    |
|                           | used together with a URL containing      |
|                           | credentials [CVE-2021-38165]             |
|                           |                                          |
| nodejs [133]              | New upstream stable release; fix use     |
|                           | after free issue [CVE-2021-22930]        |
|                           |                                          |
| tomcat9 [134]             | Fix authentication bypass issue          |
|                           | [CVE-2021-30640] and request smuggling   |
|                           | issue [CVE-2021-33037]                   |
|                           |                                          |
| xmlgraphics-commons [135] | Fix server side request forgery issue    |
|                           | [CVE-2020-11988]                         |
|                           |                                          |
+---------------------------+------------------------------------------+
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4983-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 10, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : neutron
CVE ID         : CVE-2021-40085
Debian Bug     : 993398

Pavel Toporkov discovered a vulnerability in Neutron, the OpenStack
virtual network service, which allowed a reconfiguration of dnsmasq
via crafted dhcp_extra_opts parameters.

For the oldstable distribution (buster), this problem has been fixed
in version 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1. This update
also fixes CVE-2021-20267.

For the stable distribution (bullseye), this problem has been fixed in
version 2:17.2.1-0+deb11u1. This update also fixes CVE-2021-38598.
Link to comment
Share on other sites

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4984-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 12, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : CVE-2021-41133
Debian Bug     : 995935

It was discovered that sandbox restrictions in Flatpak, an application
deployment framework for desktop apps, could be bypassed for a Flatpak
app with direct access to AF_UNIX sockets, by manipulating the VFS using
mount-related syscalls that are not blocked by Flatpak's denylist
seccomp filter.

Details can be found in the upstream advisory at
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

For the stable distribution (bullseye), this problem has been fixed in
version 1.10.5-0+deb11u1.
Link to comment
Share on other sites

×
×
  • Create New...