Bruno

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4985-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 14, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2021-39200 CVE-2021-39201
Debian Bug     : 994059 994060

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. They allowed remote attackers to perform Cross-Site Scripting
(XSS) attacks or impersonate other users.

For the oldstable distribution (buster), these problems have been fixed
in version 5.0.14+dfsg1-0+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 5.7.3+dfsg1-0+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4984-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 14, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-30640 CVE-2021-41079

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine,
which could result in denial of service.

For the oldstable distribution (buster), these problems have been fixed
in version 9.0.31-1~deb10u6.

For the stable distribution (bullseye), these problems have been fixed in
version 9.0.43-2~deb11u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4987-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 15, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squashfs-tools
CVE ID         : CVE-2021-41072
Debian Bug     : 994262

Richard Weinberger reported that unsquashfs in squashfs-tools, the tools
to create and extract Squashfs filesystems, does not check for duplicate
filenames within a directory. An attacker can take advantage of this
flaw for writing to arbitrary files to the filesystem if a malformed
Squashfs image is processed.

For the oldstable distribution (buster), this problem has been fixed
in version 1:4.3-12+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in
version 1:4.4-2+deb11u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4988-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 16, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2021-25633 CVE-2021-25634

Two security issues have been discovered in LibreOffice's support for
digital signatures in ODF documents, which could result in incorrect
signature indicators/timestamps being presented.

For the stable distribution (bullseye), these problems have been fixed in
version 1:7.0.4-4+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4989-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
October 18, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2021-41990 CVE-2021-41991

Researchers at the United States of America National Security Agency (NSA)
identified two denial of service vulnerabilities in strongSwan, an IKE/IPsec
suite.

CVE-2021-41990

    RSASSA-PSS signatures whose parameters define a very high salt length can
    trigger an integer overflow that can lead to a segmentation fault.

    Generating a signature that bypasses the padding check to trigger the crash
    requires access to the private key that signed the certificate. However,
    the certificate does not have to be trusted. Because the gmp and the
    openssl plugins both check if a parsed certificate is self-signed (and the
    signature is valid), this can e.g. be triggered by an unrelated
    self-signed CA certificate sent by an initiator.

CVE-2021-41991

    Once the in-memory certificate cache is full it tries to randomly replace
    lesser used entries. Depending on the generated random value, this could
    lead to an integer overflow that results in a double-dereference and a call
    using out-of-bounds memory that most likely leads to a segmentation fault.

    Remote code execution can't be ruled out completely, but attackers have no
    control over the dereferenced memory, so it seems unlikely at this point.

For the oldstable distribution (buster), these problems have been fixed
in version 5.7.2-1+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 5.9.1-1+deb11u1.
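
As an added illustration of the CVE-2021-41990 description above (example code written for this page, not strongSwan's code; SHA-256 and a 2048-bit modulus, i.e. emBits = 2047, are assumed), this is RFC 8017's EMSA-PSS encode and verify in pure Python. The point is check_salt_length: the bound emLen < hLen + sLen + 2 is tested before any other length arithmetic, so a signature whose parameters claim a salt of 2^31 - 1 bytes is refused up front instead of turning emLen - hLen - sLen - 2 into a negative (or, in C, wrapped) length.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
H_LEN = HASH().digest_size          # hLen = 32 for SHA-256 (assumed hash)


class PssError(ValueError):
    """RFC 8017 'encoding error' / 'inconsistent' for bad parameters."""


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1): Hash(seed || counter) blocks, truncated to mask_len."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def max_salt_length(em_bits: int) -> int:
    """Largest sLen the bound allows: emLen - hLen - 2."""
    return (em_bits + 7) // 8 - H_LEN - 2


def check_salt_length(em_bits: int, s_len: int) -> int:
    """The guard that must run before any index arithmetic.

    Returns emLen, or raises PssError when emLen < hLen + sLen + 2
    (RFC 8017 9.1.1 step 3 and 9.1.2 step 3). sLen is attacker-controlled
    when it comes from the parameters of an untrusted signature.
    """
    if s_len < 0:
        raise PssError("negative salt length")
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + s_len + 2:
        raise PssError(f"sLen={s_len} too large for emLen={em_len}, hLen={H_LEN}")
    return em_len


def emsa_pss_encode(message: bytes, em_bits: int, s_len: int,
                    salt: Optional[bytes] = None) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1). A fixed salt may be passed for tests."""
    em_len = check_salt_length(em_bits, s_len)
    m_hash = HASH(message).digest()
    if salt is None:
        salt = os.urandom(s_len)
    if len(salt) != s_len:
        raise PssError("salt does not match sLen")
    h = HASH(b"\x00" * 8 + m_hash + salt).digest()
    ps = b"\x00" * (em_len - s_len - H_LEN - 2)      # non-negative thanks to the check
    db = ps + b"\x01" + salt
    masked_db = bytearray(x ^ y for x, y in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear the leftmost 8*emLen-emBits bits
    return bytes(masked_db) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2). Returns False, never crashes, on bad sLen."""
    try:
        em_len = check_salt_length(em_bits, s_len)
    except PssError:
        return False
    if len(em) != em_len or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_bits = 8 * em_len - em_bits
    if (masked_db[0] & ~(0xFF >> top_bits)) & 0xFF:   # leftmost bits must be zero
        return False
    db = bytearray(x ^ y for x, y in zip(masked_db, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> top_bits
    ps_len = em_len - H_LEN - s_len - 2                # non-negative thanks to the check
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[-s_len:]) if s_len else b""
    m_hash = HASH(message).digest()
    return hmac.compare_digest(HASH(b"\x00" * 8 + m_hash + salt).digest(), h)


def encode_accepts(em_bits: int, s_len: int) -> bool:
    """True when encoding with this sLen is allowed, False when the guard rejects it."""
    try:
        emsa_pss_encode(b"probe", em_bits, s_len)
        return True
    except PssError:
        return False


if __name__ == "__main__":
    em = emsa_pss_encode(b"hello", 2047, 32)
    print(emsa_pss_verify(b"hello", em, 2047, 32))          # True
    print(emsa_pss_verify(b"hello", em, 2047, 2**31 - 1))   # False, no crash
```

The salt length is read from the signature's own PSS parameters, which an attacker who can mint a self-signed certificate chooses freely; that is why the guard has to sit in the verifier for untrusted certificates too, as the advisory text points out.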

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4990-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 19, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2020-20445 CVE-2020-20446 CVE-2020-20453 CVE-2020-21041 
                 CVE-2020-22015 CVE-2020-22016 CVE-2020-22017 CVE-2020-22019 
                 CVE-2020-22020 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 
                 CVE-2020-22025 CVE-2020-22026 CVE-2020-22027 CVE-2020-22028 
                 CVE-2020-22029 CVE-2020-22030 CVE-2020-22031 CVE-2020-22032 
                 CVE-2020-22033 CVE-2020-22034 CVE-2020-22035 CVE-2020-22036 
                 CVE-2020-22037 CVE-2020-22049 CVE-2020-22054 CVE-2020-35965 
                 CVE-2021-38114 CVE-2021-38171 CVE-2021-38291

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the oldstable distribution (buster), these problems have been fixed
in version 7:4.1.8-0+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4991-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 22, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mailman
CVE ID         : CVE-2020-12108 CVE-2020-15011 CVE-2021-42096 CVE-2021-42097

Several vulnerabilities were discovered in mailman, a web-based mailing
list manager, which could result in arbitrary content injection via the
options and private archive login pages, and CSRF attacks or privilege
escalation via the user options page.

For the oldstable distribution (buster), these problems have been fixed
in version 1:2.1.29-1+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4992-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 25, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.4
CVE ID         : CVE-2021-21703
Debian Bug     : 997003

An out-of-bounds read and write flaw was discovered in the PHP-FPM code,
which could result in escalation of privileges from local unprivileged
user to the root user.

For the stable distribution (bullseye), this problem has been fixed in
version 7.4.25-1+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4993-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 25, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2021-21703

An out-of-bounds read and write flaw was discovered in the PHP-FPM code,
which could result in escalation of privileges from local unprivileged
user to the root user.

For the oldstable distribution (buster), this problem has been fixed
in version 7.3.31-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4994-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 28, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2021-25219

Kishore Kumar Kothapalli discovered that the lame server cache in BIND,
a DNS server implementation, can be abused by an attacker to
significantly degrade resolver performance, resulting in denial of
service (large delays for responses for client queries and DNS timeouts
on client hosts).

For the oldstable distribution (buster), this problem has been fixed
in version 1:9.11.5.P4+dfsg-5.1+deb10u6.

For the stable distribution (bullseye), this problem has been fixed in
version 1:9.16.22-1~deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4995-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
October 29, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2021-30846 CVE-2021-30851 CVE-2021-42762

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2021-30846

    Sergei Glazunov discovered that processing maliciously crafted web
    content may lead to arbitrary code execution

CVE-2021-30851

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to code execution

CVE-2021-42762

    An anonymous reporter discovered a limited Bubblewrap sandbox
    bypass that allows a sandboxed process to trick host processes
    into thinking the sandboxed process is not confined.

For the oldstable distribution (buster), these problems have been fixed
in version 2.34.1-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 2.34.1-1~deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4996-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
October 29, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpewebkit
CVE ID         : CVE-2021-30846 CVE-2021-30851 CVE-2021-42762

The following vulnerabilities have been discovered in the wpewebkit
web engine:

CVE-2021-30846

    Sergei Glazunov discovered that processing maliciously crafted web
    content may lead to arbitrary code execution

CVE-2021-30851

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to code execution

CVE-2021-42762

    An anonymous reporter discovered a limited Bubblewrap sandbox
    bypass that allows a sandboxed process to trick host processes
    into thinking the sandboxed process is not confined.

For the stable distribution (bullseye), these problems have been fixed in
version 2.34.1-1~deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4997-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 31, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2020-19143

A flaw was discovered in tiff, a Tag Image File Format library, which
may result in denial of service or the execution of arbitrary code if
malformed image files are processed.

For the oldstable distribution (buster), this problem has been fixed
in version 4.1.0+git191117-2~deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4998-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2020-20446 CVE-2020-20450 CVE-2020-20453 CVE-2020-22037 
                 CVE-2020-22042 CVE-2021-38114 CVE-2021-38171 CVE-2021-38291
                 CVE-2020-21697 CVE-2020-21688 CVE-2020-20445

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (bullseye), these problems have been fixed in
version 7:4.3.3-0+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4999-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 01, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2021-32558 CVE-2021-32686
Debian Bug     : 991710 991931

Multiple vulnerabilities have been discovered in Asterisk, an open
source PBX and telephony toolkit, which may result in denial of service.

For the stable distribution (bullseye), these problems have been fixed in
version 1:16.16.1~dfsg-1+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5000-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 01, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 
                 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 
                 CVE-2021-35586 CVE-2021-35603

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in denial of service, incorrect Kerberos ticket
use, selection of weak ciphers or information disclosure.

The oldstable distribution (buster) needs additional updates to be able
to build 11.0.13. An update will be provided in a followup advisory.

For the stable distribution (bullseye), these problems have been fixed in
version 11.0.13+8-1~deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5001-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 05, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2021-32626 CVE-2021-32627 CVE-2021-32628 CVE-2021-32672 
                 CVE-2021-32675 CVE-2021-32687 CVE-2021-32762 CVE-2021-41099
                 CVE-2021-32761

Multiple vulnerabilities were discovered in Redis, a persistent key-value
database, which could result in denial of service or the execution of
arbitrary code.

For the oldstable distribution (buster), these problems have been fixed
in version 5:5.0.14-1+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 5:6.0.16-1+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5002-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 06, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : containerd
CVE ID         : CVE-2021-41103

A flaw was discovered in containerd, an open and reliable container
runtime. Insufficiently restricted permissions on container root and
plugin directories could result in privilege escalation.

For the stable distribution (bullseye), this problem has been fixed in
version 1.4.5~ds1-2+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5003-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 09, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2016-2124 CVE-2020-25717 CVE-2020-25718 CVE-2020-25719 
                 CVE-2020-25721 CVE-2020-25722 CVE-2021-3738 CVE-2021-23192

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix.

CVE-2016-2124

    Stefan Metzmacher reported that SMB1 client connections can be
    downgraded to plaintext authentication.

CVE-2020-25717

    Andrew Bartlett reported that Samba may map domain users to local
    users in an undesired way, allowing for privilege escalation. The
    update introduces a new parameter "min domain uid" (defaulting to 1000)
    to not accept a UNIX uid below this value.

CVE-2020-25718

    Andrew Bartlett reported that Samba as AD DC, when joined by an
    RODC, did not confirm if the RODC was allowed to print a ticket for
    that user, allowing an RODC to print administrator tickets.

CVE-2020-25719

    Andrew Bartlett reported that Samba as AD DC, did not always rely on
    the SID and PAC in Kerberos tickets and could be confused about the
    user a ticket represents. If a privileged account was attacked this
    could lead to total domain compromise.

CVE-2020-25721

    Andrew Bartlett reported that Samba as an AD DC did not provide a way
    for Linux applications to obtain a reliable SID (and samAccountName)
    in issued tickets.

CVE-2020-25722

    Andrew Bartlett reported that Samba as AD DC did not do sufficient
    access and conformance checking of data stored, potentially allowing
    total domain compromise.

CVE-2021-3738

    William Ross reported that the Samba AD DC RPC server can use memory
    that was free'd when a sub-connection is closed, resulting in denial
    of service, and potentially, escalation of privileges.

CVE-2021-23192

    Stefan Metzmacher reported that if a client to a Samba server sent a
    very large DCE/RPC request, and chose to fragment it, an attacker
    could replace later fragments with their own data, bypassing the
    signature requirements.

For the stable distribution (bullseye), these problems have been fixed in
version 2:4.13.13+dfsg-1~deb11u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5004-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 10, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxstream-java
CVE ID         : CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144
                 CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148
                 CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
                 CVE-2021-39153 CVE-2021-39154 CVE-2021-21341 CVE-2021-21342
                 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346
                 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
                 CVE-2021-21351 CVE-2021-29505

Multiple security vulnerabilities have been discovered in XStream, a Java
library to serialize objects to XML and back again.

These vulnerabilities may allow a remote attacker to load and execute arbitrary
code from a remote host only by manipulating the processed input stream.

XStream itself sets up a whitelist by default now, i.e. it blocks all classes
except those types it has explicit converters for. It used to have a blacklist
by default, i.e. it tried to block all currently known critical classes of the
Java runtime. The main reason for the blacklist was compatibility: it allowed
newer versions of XStream to be used as a drop-in replacement. However, this
approach has failed. A growing list of security reports has proven that a
blacklist is inherently unsafe, apart from the fact that types from 3rd-party
libraries were not even considered. A blacklist scenario should be avoided in
general, because it provides a false sense of security.

For the oldstable distribution (buster), these problems have been fixed
in version 1.4.11.1-1+deb10u3.

For the stable distribution (bullseye), these problems have been fixed in
version 1.4.15-3+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5005-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 10, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-kaminari
CVE ID         : CVE-2020-11082
Debian Bug     : 961847

A security vulnerability has been found in Kaminari, a pagination engine plugin
for Rails 3+ and other modern frameworks, that would allow an attacker to
inject arbitrary code into pages with pagination links.

For the oldstable distribution (buster), this problem has been fixed
in version 1.0.1-4+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5006-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 11, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-11
CVE ID         : CVE-2021-23214 CVE-2021-23222

Jacob Champion discovered two vulnerabilities in the PostgreSQL database
system, which could result in man-in-the-middle attacks.

For the oldstable distribution (buster), these problems have been fixed
in version 11.14-0+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5007-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 11, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-13
CVE ID         : CVE-2021-23214 CVE-2021-23222

Jacob Champion discovered two vulnerabilities in the PostgreSQL database
system, which could result in man-in-the-middle attacks.

For the stable distribution (bullseye), these problems have been fixed in
version 13.5-0+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5008-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 11, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : node-tar
CVE ID         : CVE-2021-37701 CVE-2021-37712

It was discovered that the symlink extraction protections in node-tar,
a Tar archives module for Node.js, could be bypassed, allowing a malicious
Tar archive to symlink into an arbitrary location.

For the stable distribution (bullseye), these problems have been fixed in
version 6.0.5+ds1+~cs11.3.9-1+deb11u2.
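
The squashfs-tools advisory (DSA-4987, duplicate filenames within a directory) and the node-tar advisory (DSA-5008, symlinks into an arbitrary location) above describe the same class of extractor flaw: an archive member that collides with, or links past, something already written to disk. The following is an added example written for this page, not code from either project, of the checks an extractor needs against both; the Entry records are constructed stand-ins for real archive members and the three sample archives are made up.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    """One archive member (constructed for this example, not a real squashfs/tar record)."""
    path: str               # path relative to the archive root
    kind: str               # "dir", "file" or "symlink"
    data: bytes = b""       # contents for kind == "file"
    target: str = ""        # link target for kind == "symlink"


class UnsafeArchive(Exception):
    """Raised when a member would escape the destination or repeat an earlier name."""


def _inside(dest: str, rel: str) -> str:
    """Resolve rel against dest, following any symlinks already extracted,
    and require the result to stay inside dest. Returns the resolved path."""
    dest_real = os.path.realpath(dest)
    full = os.path.realpath(os.path.join(dest_real, rel))
    if full != dest_real and not full.startswith(dest_real + os.sep):
        raise UnsafeArchive(f"{rel!r} resolves outside the destination")
    return full


def safe_extract(entries: List[Entry], dest: str) -> List[str]:
    """Extract entries into dest, refusing duplicate names, escapes and
    writes through links. Returns the normalized paths written."""
    seen = set()
    for e in entries:
        rel = os.path.normpath(e.path)
        if os.path.isabs(rel) or rel == ".." or rel.startswith(".." + os.sep):
            raise UnsafeArchive(f"{e.path!r} is absolute or climbs above the root")
        if rel in seen:                                   # the squashfs-tools class
            raise UnsafeArchive(f"duplicate entry {rel!r}")
        seen.add(rel)
        # Resolve the parent through whatever is on disk now: if an earlier
        # member turned it into a symlink, this is where an escape shows up.
        parent = _inside(dest, os.path.dirname(rel))
        full = os.path.join(parent, os.path.basename(rel))
        if os.path.lexists(full):
            raise UnsafeArchive(f"{rel!r} already exists on disk")
        if e.kind == "dir":
            os.mkdir(full)
        elif e.kind == "symlink":                         # the node-tar class
            _inside(dest, os.path.join(os.path.dirname(rel), e.target))
            os.symlink(e.target, full)
        elif e.kind == "file":
            # O_EXCL|O_NOFOLLOW: never create through, or truncate via, a link.
            fd = os.open(full, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
            with os.fdopen(fd, "wb") as f:
                f.write(e.data)
        else:
            raise UnsafeArchive(f"unsupported entry kind {e.kind!r}")
    return sorted(seen)


# Constructed sample archives (not real images).
BENIGN = [
    Entry("docs", "dir"),
    Entry("docs/readme.txt", "file", data=b"hello\n"),
    Entry("docs/latest", "symlink", target="readme.txt"),     # stays inside: allowed
]
DUPLICATE_NAME = [
    Entry("etc", "dir"),
    Entry("etc/motd", "file", data=b"first\n"),
    Entry("etc/motd", "file", data=b"second\n"),              # same name, same directory
]
SYMLINK_ESCAPE = [
    Entry("lib", "symlink", target="../../outside"),          # points above dest
    Entry("lib/payload", "file", data=b"x"),                  # would land outside
]


def try_extract(entries: List[Entry]) -> Optional[str]:
    """Extract into a fresh temporary directory; None on success, else the reason."""
    with tempfile.TemporaryDirectory() as d:
        try:
            safe_extract(entries, d)
            return None
        except UnsafeArchive as exc:
            return str(exc)


if __name__ == "__main__":
    for name, archive in (("benign", BENIGN), ("duplicate", DUPLICATE_NAME),
                          ("escape", SYMLINK_ESCAPE)):
        print(name, "->", try_extract(archive) or "extracted")
```

The three checks are independent on purpose: the seen-set catches a repeated name even when both members are plain files, the parent resolution catches a link created by an earlier member, and O_NOFOLLOW catches a link that was already in the destination before extraction began.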

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5009-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 12, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-42340

Apache Tomcat, the servlet and JSP engine, did not properly release an HTTP
upgrade connection for WebSocket connections once the WebSocket connection was
closed. This created a memory leak that, over time, could lead to a denial of
service via an OutOfMemoryError.

For the stable distribution (bullseye), this problem has been fixed in
version 9.0.43-2~deb11u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5010-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 15, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml-security-java
CVE ID         : CVE-2021-40690
Debian Bug     : 994569

Apache Santuario - XML Security for Java is vulnerable to an issue where the
"secureValidation" property is not passed correctly when creating a KeyInfo
from a KeyInfoReference element. This allows an attacker to abuse an XPath
Transform to extract any local .xml files in a RetrievalMethod element.

For the oldstable distribution (buster), this problem has been fixed
in version 2.0.10-2+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 2.0.10-2+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5011-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 19, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2021-21996 CVE-2021-31607 CVE-2021-25284 CVE-2021-25283
                 CVE-2021-25282 CVE-2021-25281 CVE-2021-3197 CVE-2021-3148
                 CVE-2021-3144 CVE-2020-35662 CVE-2020-28972 CVE-2020-28243
Debian Bug     : 983632 994016 987496

Multiple security vulnerabilities have been discovered in Salt, a powerful
remote execution manager, that allow for local privilege escalation on a
minion, server side template injection attacks, insufficient checks for eauth
credentials, shell and command injections or incorrect validation of SSL
certificates.

For the oldstable distribution (buster), these problems have been fixed
in version 2018.3.4+dfsg1-6+deb10u3.

For the stable distribution (bullseye), these problems have been fixed in
version 3002.6+dfsg1-4+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5012-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-17
CVE ID         : CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 
                 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service, incorrect Kerberos ticket use,
selection of weak ciphers or information disclosure.

For the stable distribution (bullseye), these problems have been fixed in
version 17.0.1+12-1+deb11u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5013-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 27, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2021-44025 CVE-2021-44026
Debian Bug     : 1000156

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not properly sanitize requests and mail
messages. This would allow an attacker to perform Cross-Site Scripting
(XSS) or SQL injection attacks.

For the oldstable distribution (buster), these problems have been fixed
in version 1.3.17+dfsg.1-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 1.4.12+dfsg.1-1~deb11u1.
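
Every advisory in this thread ends with a "fixed in version" line. The following, an added example written for this page rather than anything from Debian, reimplements dpkg's version comparison (epoch, then upstream, then Debian revision; "~" sorting before everything, including the empty string) so that the versions installed on a host can be checked against those lines. The fixed versions below are taken from the bullseye advisories above; the dpkg-query output is constructed for the example, and on a real host it comes from dpkg-query -W -f '${Package} ${Version}\n'.

```python
def _order(c: str) -> int:
    """Sort weight of a non-digit character, as in dpkg: '~' lowest, then end of
    string, then letters, then everything else."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's comparison of one version component (upstream or revision):
    alternate runs of non-digits (compared by _order) and digits (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """[epoch:]upstream[-revision]; the epoch precedes the first ':' and the
    revision follows the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def deb_version_cmp(v1: str, v2: str) -> int:
    """-1, 0 or 1 as v1 is older than, equal to, or newer than v2 (dpkg semantics)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return -1 if c < 0 else (1 if c > 0 else 0)


def parse_dpkg_query(text: str) -> dict:
    """Parse 'name version' lines as printed by dpkg-query -W -f '${Package} ${Version}\\n'."""
    installed = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split()
            installed[name] = version
    return installed


def vulnerable_packages(installed: dict, fixed: dict) -> list:
    """Installed packages whose version is older than the advisory's fixed version."""
    return sorted(p for p, v in fixed.items()
                  if p in installed and deb_version_cmp(installed[p], v) < 0)


# Fixed versions quoted from the bullseye advisories in this thread.
FIXED_BULLSEYE = {
    "tomcat9": "9.0.43-2~deb11u3",      # DSA-5009-1
    "bind9": "1:9.16.22-1~deb11u1",     # DSA-4994-1
    "redis": "5:6.0.16-1+deb11u1",      # DSA-5001-1
}

# Constructed sample of dpkg-query output for a host that is partly patched.
SAMPLE_DPKG_QUERY = """\
tomcat9 9.0.43-2~deb11u2
bind9 1:9.16.22-1~deb11u1
redis 5:6.0.15-1+deb11u1
"""

if __name__ == "__main__":
    print(vulnerable_packages(parse_dpkg_query(SAMPLE_DPKG_QUERY), FIXED_BULLSEYE))
```

Comparing the strings as text would get the tilde wrong: 9.0.43-2~deb11u2 must sort below 9.0.43-2, and 1~deb11u1 below a bare 1, which is exactly what the security team relies on when it ships a backport as version-1~deb11u1 so that the next point release still supersedes it.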

3 hours ago, Corrine said:

There is another site I know you're a member of where you could post the updates if you're interested.  

I'm sure people can subscribe to the mailing list if they need security update notifications. A main motivator for doing it here was to continue the topic Bruno started in his honour. Wouldn't be the same anywhere else.
