sunrat Posted February 29, 2020 Posted February 29, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4636-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso February 28, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : python-bleach CVE ID : CVE-2020-6802 Debian Bug : 951907 It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when 'noscript' and one or more raw text tags were whitelisted. For the stable distribution (buster), this problem has been fixed in version 3.1.1-0+deb10u1.
sunrat Posted March 9, 2020 Posted March 9, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4637-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 09, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : network-manager-ssh CVE ID : CVE-2020-9355 Kobus van Schoor discovered that network-manager-ssh, a plugin to provide VPN integration for SSH in NetworkManager, is prone to a privilege escalation vulnerability. A local user with privileges to modify a connection can take advantage of this flaw to execute arbitrary commands as root. This update drops support to pass extra SSH options to the ssh invocation. For the oldstable distribution (stretch), this problem has been fixed in version 1.2.1-1+deb9u1. For the stable distribution (buster), this problem has been fixed in version 1.2.10-1+deb10u1.
sunrat Posted March 11, 2020 Posted March 11, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4638-1 security@debian.org https://www.debian.org/security/ Michael Gilbert March 10, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium CVE ID : CVE-2019-19880 CVE-2019-19923 CVE-2019-19925 CVE-2019-19926 CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384 CVE-2020-6385 CVE-2020-6386 CVE-2020-6387 CVE-2020-6388 CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392 CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396 CVE-2020-6397 CVE-2020-6398 CVE-2020-6399 CVE-2020-6400 CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404 CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408 CVE-2020-6409 CVE-2020-6410 CVE-2020-6411 CVE-2020-6412 CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416 CVE-2020-6418 CVE-2020-6420 Several vulnerabilities have been discovered in the chromium web browser. CVE-2019-19880 Richard Lorenz discovered an issue in the sqlite library. CVE-2019-19923 Richard Lorenz discovered an out-of-bounds read issue in the sqlite library. CVE-2019-19925 Richard Lorenz discovered an issue in the sqlite library. CVE-2019-19926 Richard Lorenz discovered an implementation error in the sqlite library. CVE-2020-6381 UK's National Cyber Security Centre discovered an integer overflow issue in the v8 javascript library. CVE-2020-6382 Soyeon Park and Wen Xu discovered a type error in the v8 javascript library. CVE-2020-6383 Sergei Glazunov discovered a type error in the v8 javascript library. CVE-2020-6384 David Manoucheri discovered a use-after-free issue in WebAudio. CVE-2020-6385 Sergei Glazunov discovered a policy enforcement error. CVE-2020-6386 Zhe Jin discovered a use-after-free issue in speech processing. CVE-2020-6387 Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC implementation. CVE-2020-6388 Sergei Glazunov discovered an out-of-bounds read error in the WebRTC implementation. CVE-2020-6389 Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC implementation. CVE-2020-6390 Sergei Glazunov discovered an out-of-bounds read error. CVE-2020-6391 Michał Bentkowski discoverd that untrusted input was insufficiently validated. CVE-2020-6392 The Microsoft Edge Team discovered a policy enforcement error. CVE-2020-6393 Mark Amery discovered a policy enforcement error. CVE-2020-6394 Phil Freo discovered a policy enforcement error. CVE-2020-6395 Pierre Langlois discovered an out-of-bounds read error in the v8 javascript library. CVE-2020-6396 William Luc Ritchie discovered an error in the skia library. CVE-2020-6397 Khalil Zhani discovered a user interface error. CVE-2020-6398 pdknsk discovered an uninitialized variable in the pdfium library. CVE-2020-6399 Luan Herrera discovered a policy enforcement error. CVE-2020-6400 Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing. CVE-2020-6401 Tzachy Horesh discovered that user input was insufficiently validated. CVE-2020-6402 Vladimir Metnew discovered a policy enforcement error. CVE-2020-6403 Khalil Zhani discovered a user interface error. CVE-2020-6404 kanchi discovered an error in Blink/Webkit. CVE-2020-6405 Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the sqlite library. CVE-2020-6406 Sergei Glazunov discovered a use-after-free issue. CVE-2020-6407 Sergei Glazunov discovered an out-of-bounds read error. CVE-2020-6408 Zhong Zhaochen discovered a policy enforcement error in Cross-Origin Resource Sharing. CVE-2020-6409 Divagar S and Bharathi V discovered an error in the omnibox implementation. CVE-2020-6410 evil1m0 discovered a policy enforcement error. CVE-2020-6411 Khalil Zhani discovered that user input was insufficiently validated. CVE-2020-6412 Zihan Zheng discovered that user input was insufficiently validated. CVE-2020-6413 Michał Bentkowski discovered an error in Blink/Webkit. CVE-2020-6414 Lijo A.T discovered a policy safe browsing policy enforcement error. CVE-2020-6415 Avihay Cohen discovered an implementation error in the v8 javascript library. CVE-2020-6416 Woojin Oh discovered that untrusted input was insufficiently validated. CVE-2020-6418 Clement Lecigne discovered a type error in the v8 javascript library. CVE-2020-6420 Taras Uzdenov discovered a policy enforcement error. For the oldstable distribution (stretch), security support for chromium has been discontinued. For the stable distribution (buster), these problems have been fixed in version 80.0.3987.132-1~deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4639-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 11, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : firefox-esr CVE ID : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 68.6.0esr-1~deb9u1. For the stable distribution (buster), these problems have been fixed in version 68.6.0esr-1~deb10u1.
sunrat Posted March 16, 2020 Posted March 16, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4640-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 15, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : graphicsmagick CVE ID : CVE-2019-19950 CVE-2019-19951 CVE-2019-19953 CVE-2019-11474 CVE-2019-11473 CVE-2019-11506 CVE-2019-11505 CVE-2019-11010 CVE-2019-11009 CVE-2019-11008 CVE-2019-11007 CVE-2019-11006 CVE-2019-11005 CVE-2018-20189 CVE-2018-20185 CVE-2018-20184 This update fixes several vulnerabilities in Graphicsmagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed media files are processed. For the oldstable distribution (stretch), these problems have been fixed in version 1.3.30+hg15796-1~deb9u3. For the stable distribution (buster), these problems have been fixed in version 1.4~hg15978-1+deb10u1.
sunrat Posted March 16, 2020 Posted March 16, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4641-1 security@debian.org https://www.debian.org/security/ Alberto Garcia March 16, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : webkit2gtk CVE ID : CVE-2020-10018 The following vulnerability has been discovered in the webkit2gtk web engine: CVE-2020-10018 Sudhakar Verma, Ashfaq Ansari and Siddhant Badhe discovered that processing maliciously crafted web content may lead to arbitrary code execution. For the stable distribution (buster), this problem has been fixed in version 2.26.4-1~deb10u2.
sunrat Posted March 20, 2020 Posted March 20, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4642-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 19, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : thunderbird CVE ID : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814 Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 1:68.6.0-1~deb9u1. For the stable distribution (buster), these problems have been fixed in version 1:68.6.0-1~deb10u1.
sunrat Posted March 20, 2020 Posted March 20, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4643-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 20, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : python-bleach CVE ID : CVE-2020-6816 Debian Bug : 954236 It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when strip=False and 'math' or 'svg' tags and one or more of the RCDATA tags were whitelisted. For the stable distribution (buster), this problem has been fixed in version 3.1.2-0+deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4644-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 20, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tor CVE ID : CVE-2020-10592 A denial of service vulnerability (by triggering high CPU consumption) was found in Tor, a connection-based low-latency anonymous communication system. For the stable distribution (buster), this problem has been fixed in version 0.3.5.10-1. For the oldstable distribution (stretch), support for tor is now discontinued. Please upgrade to the stable release (buster) to continue receiving tor updates.
sunrat Posted March 23, 2020 Posted March 23, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4645-1 security@debian.org https://www.debian.org/security/ Michael Gilbert March 22, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium CVE ID : CVE-2019-20503 CVE-2020-6422 CVE-2020-6424 CVE-2020-6425 CVE-2020-6426 CVE-2020-6427 CVE-2020-6428 CVE-2020-6429 CVE-2020-6449 Several vulnerabilities have been discovered in the chromium web browser. CVE-2019-20503 Natalie Silvanovich discovered an out-of-bounds read issue in the usrsctp library. CVE-2020-6422 David Manouchehri discovered a use-after-free issue in the WebGL implementation. CVE-2020-6424 Sergei Glazunov discovered a use-after-free issue. CVE-2020-6425 Sergei Glazunov discovered a policy enforcement error related to extensions. CVE-2020-6426 Avihay Cohen discovered an implementation error in the v8 javascript library. CVE-2020-6427 Man Yue Mo discovered a use-after-free issue in the audio implementation. CVE-2020-6428 Man Yue Mo discovered a use-after-free issue in the audio implementation. CVE-2020-6429 Man Yue Mo discovered a use-after-free issue in the audio implementation. CVE-2020-6449 Man Yue Mo discovered a use-after-free issue in the audio implementation. For the oldstable distribution (stretch), security support for chromium has been discontinued. For the stable distribution (buster), these problems have been fixed in version 80.0.3987.149-1~deb10u1.
sunrat Posted March 25, 2020 Posted March 25, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4646-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 25, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : icu CVE ID : CVE-2020-10531 Debian Bug : 953747 Andre Bargull discovered an integer overflow in the International Components for Unicode (ICU) library which could result in denial of service and potentially the execution of arbitrary code. For the oldstable distribution (stretch), this problem has been fixed in version 57.1-6+deb9u4. For the stable distribution (buster), this problem has been fixed in version 63.1-6+deb10u1.
sunrat Posted March 27, 2020 Posted March 27, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4647-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso March 26, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : bluez CVE ID : CVE-2020-0556 Debian Bug : 953770 It was reported that the BlueZ's HID and HOGP profile implementations don't specifically require bonding between the device and the host. Malicious devices can take advantage of this flaw to connect to a target host and impersonate an existing HID device without security or to cause an SDP or GATT service discovery to take place which would allow HID reports to be injected to the input subsystem from a non-bonded source. For the HID profile an new configuration option (ClassicBondedOnly) is introduced to make sure that input connections only come from bonded device connections. The options defaults to 'false' to maximize device compatibility. For the oldstable distribution (stretch), this problem has been fixed in version 5.43-2+deb9u2. For the stable distribution (buster), this problem has been fixed in version 5.50-1.2~deb10u1.
sunrat Posted March 31, 2020 Posted March 31, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4648-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff March 31, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libpam-krb5 CVE ID : CVE-2020-10595 Russ Allbery discovered a buffer overflow in the PAM module for MIT Kerberos, which could result in denial of service or potentially the execution of arbitrary code. For the oldstable distribution (stretch), this problem has been fixed in version 4.7-4+deb9u1. For the stable distribution (buster), this problem has been fixed in version 4.8-2+deb10u1.
sunrat Posted April 2, 2020 Posted April 2, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4649-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond April 02, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : haproxy CVE ID : CVE-2020-11100 Felix Wilhelm of Google Project Zero discovered that HAProxy, a TCP/HTTP reverse proxy, did not properly handle HTTP/2 headers. This would allow an attacker to write arbitrary bytes around a certain location on the heap, resulting in denial-of-service or potential arbitrary code execution. For the stable distribution (buster), this problem has been fixed in version 1.8.19-1+deb10u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4651-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 02, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mediawiki CVE ID : CVE-2020-10960 It was discovered that some user-generated CSS selectors in MediaWiki, a website engine for collaborative work, were not escaped. The oldstable distribution (stretch) is not affected. For the stable distribution (buster), this problem has been fixed in version 1:1.31.7-1~deb10u1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4650-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 02, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : qbittorrent CVE ID : CVE-2019-13640 Debian Bug : 932539 Miguel Onoro reported that qbittorrent, a bittorrent client with a Qt5 GUI user interface, allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, which could result in remote command execution via a crafted name within an RSS feed if qbittorrent is configured to run an external program on torrent completion. For the oldstable distribution (stretch), this problem has been fixed in version 3.3.7-3+deb9u1. For the stable distribution (buster), this problem has been fixed in version 4.1.5-1+deb10u1.
sunrat Posted April 5, 2020 Posted April 5, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4652-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 04, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : gnutls28 CVE ID : CVE-2020-11501 Debian Bug : 955556 A flaw was reported in the DTLS protocol implementation in GnuTLS, a library implementing the TLS and SSL protocols. The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol. For the stable distribution (buster), this problem has been fixed in version 3.6.7-4+deb10u3. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4653-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 04, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : firefox-esr CVE ID : CVE-2020-6819 CVE-2020-6820 Two security issues have been found in the Mozilla Firefox web browser, which could result in the execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 68.6.1esr-1~deb9u1. For the stable distribution (buster), these problems have been fixed in version 68.6.1esr-1~deb10u1.
sunrat Posted April 8, 2020 Posted April 8, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4654-1 security@debian.org https://www.debian.org/security/ Michael Gilbert April 07, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : chromium CVE ID : CVE-2020-6450 CVE-2020-6451 CVE-2020-6452 Several vulnerabilities have been discovered in the chromium web browser. CVE-2020-6450 Man Yue Mo discovered a use-after-free issue in the WebAudio implementation. CVE-2020-6451 Man Yue Mo discovered a use-after-free issue in the WebAudio implementation. CVE-2020-6452 asnine discovered a buffer overflow issue. For the oldstable distribution (stretch), security support for chromium has been discontinued. For the stable distribution (buster), these problems have been fixed in version 80.0.3987.162-1~deb10u1.
sunrat Posted April 8, 2020 Posted April 8, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4655-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 08, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : firefox-esr CVE ID : CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 68.7.0esr-1~deb9u1. For the stable distribution (buster), these problems have been fixed in version 68.7.0esr-1~deb10u1.
sunrat Posted April 14, 2020 Posted April 14, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4656-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 13, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : thunderbird CVE ID : CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 CVE-2020-6825 Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 1:68.7.0-1~deb9u1. For the stable distribution (buster), these problems have been fixed in version 1:68.7.0-1~deb10u1.
sunrat Posted April 15, 2020 Posted April 15, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4657-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 14, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : git CVE ID : CVE-2020-5260 Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host. For the oldstable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u6. For the stable distribution (buster), this problem has been fixed in version 1:2.20.1-2+deb10u2.
sunrat Posted April 16, 2020 Posted April 16, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4658-1 security@debian.org https://www.debian.org/security/ Alberto Garcia April 16, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : webkit2gtk CVE ID : CVE-2020-11793 The following vulnerability has been discovered in the webkit2gtk web engine: CVE-2020-11793 Cim Stordal discovered that maliciously crafted web content may lead to arbitrary code execution or a denial of service. For the stable distribution (buster), this problem has been fixed in version 2.26.4-1~deb10u3.
sunrat Posted April 21, 2020 Posted April 21, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4659-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 20, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : git CVE ID : CVE-2020-11008 Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. For the oldstable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u7. For the stable distribution (buster), this problem has been fixed in version 1:2.20.1-2+deb10u3.
sunrat Posted April 22, 2020 Posted April 22, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4660-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond April 21, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : awl CVE ID : CVE-2020-11728 CVE-2020-11729 Debian Bug : 956650 Andrew Bartlett discovered that awl, DAViCal Andrew's Web Libraries, did not properly handle session management: this would allow a malicious user to impersonate other sessions or users. For the oldstable distribution (stretch), these problems have been fixed in version 0.57-1+deb9u1. For the stable distribution (buster), these problems have been fixed in version 0.60-1+deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4661-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 21, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openssl CVE ID : CVE-2020-1967 Bernd Edlinger discovered that malformed data passed to the SSL_check_chain() function during or after a TLS 1.3 handshake could cause a NULL dereference, resulting in denial of service. The oldstable distribution (stretch) is not affected. For the stable distribution (buster), this problem has been fixed in version 1.1.1d-0+deb10u3.
sunrat Posted April 25, 2020 Posted April 25, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4662-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 24, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openjdk-11 CVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 CVE-2020-2830 Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks. For the stable distribution (buster), these problems have been fixed in version 11.0.7+10-3~deb10u1.
sunrat Posted April 25, 2020 Posted April 25, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4663-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 25, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : python-reportlab CVE ID : CVE-2019-17626 Debian Bug : 942763 It was discovered that python-reportlab, a Python library to create PDF documents, is prone to a code injection vulnerability while parsing a color attribute. An attacker can take advantage of this flaw to execute arbitrary code if a specially crafted document is processed. For the oldstable distribution (stretch), this problem has been fixed in version 3.3.0-2+deb9u1. For the stable distribution (buster), this problem has been fixed in version 3.5.13-1+deb10u1.
sunrat Posted April 27, 2020 Posted April 27, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4664-1 security@debian.org https://www.debian.org/security/ Thijs Kinkhorst April 26, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mailman CVE ID : CVE-2020-12137 Hanno Boeck discovered that it was possible to create a cross site scripting attack on the webarchives of the Mailman mailing list manager, by sending a special type of attachement. For the oldstable distribution (stretch), this problem has been fixed in version 1:2.1.23-1+deb9u5. For the stable distribution (buster), this problem has been fixed in version 1:2.1.29-1+deb10u1.
sunrat Posted April 27, 2020 Posted April 27, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4665-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 27, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : qemu CVE ID : CVE-2019-12068 CVE-2019-15034 CVE-2019-20382 CVE-2020-1983 Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service or the execution of arbitrary code. For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u5.
sunrat Posted April 28, 2020 Posted April 28, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4666-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 28, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openldap CVE ID : CVE-2020-12243 A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash). For the oldstable distribution (stretch), this problem has been fixed in version 2.4.44+dfsg-5+deb9u4. For the stable distribution (buster), this problem has been fixed in version 2.4.47+dfsg-3+deb10u2. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4668-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 28, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : openjdk-8 CVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks. For the oldstable distribution (stretch), these problems have been fixed in version 8u252-b09-1~deb9u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4667-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 28, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : linux CVE ID : CVE-2020-2732 CVE-2020-8428 CVE-2020-10942 CVE-2020-11565 CVE-2020-11884 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak. CVE-2020-2732 Paulo Bonzini discovered that the KVM implementation for Intel processors did not properly handle instruction emulation for L2 guests when nested virtualization is enabled. This could allow an L2 guest to cause privilege escalation, denial of service, or information leaks in the L1 guest. CVE-2020-8428 Al Viro discovered a use-after-free vulnerability in the VFS layer. This allowed local users to cause a denial-of-service (crash) or obtain sensitive information from kernel memory. CVE-2020-10942 It was discovered that the vhost_net driver did not properly validate the type of sockets set as back-ends. A local user permitted to access /dev/vhost-net could use this to cause a stack corruption via crafted system calls, resulting in denial of service (crash) or possibly privilege escalation. CVE-2020-11565 Entropy Moe reported that the shared memory filesystem (tmpfs) did not correctly handle an "mpol" mount option specifying an empty node list, leading to a stack-based out-of-bounds write. If user namespaces are enabled, a local user could use this to cause a denial of service (crash) or possibly for privilege escalation. CVE-2020-11884 Al Viro reported a race condition in memory management code for IBM Z (s390x architecture), that can result in the kernel executing code from the user address space. A local user could use this for privilege escalation. For the stable distribution (buster), these problems have been fixed in version 4.19.98-1+deb10u1.
sunrat Posted April 29, 2020 Posted April 29, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4669-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 29, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : nodejs CVE ID : CVE-2019-9511 CVE-2019-9513 CVE-2019-9514 CVE-2019-15604 CVE-2019-15605 CVE-2019-15606 Multiple vulnerabilities were discovered in Node.js, which could result in denial of service or HTTP request smuggling. For the stable distribution (buster), these problems have been fixed in version 10.19.0~dfsg1-1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4670-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso April 29, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tiff CVE ID : CVE-2018-12900 CVE-2018-17000 CVE-2018-17100 CVE-2018-19210 CVE-2019-7663 CVE-2019-14973 CVE-2019-17546 Debian Bug : 902718 908778 909038 913675 934780 Several vulnerabilities have been found in the TIFF library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed. For the oldstable distribution (stretch), these problems have been fixed in version 4.0.8-2+deb9u5.
sunrat Posted April 30, 2020 Posted April 30, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4671-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff April 30, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : vlc CVE ID : CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077 CVE-2020-6078 CVE-2020-6079 CVE-2020-6080 Multiple security issues were discovered in the microdns plugin of the VLC media player, which could result in denial of service or potentially the execution of arbitrary code via malicious mDNS packets. For the oldstable distribution (stretch), these problems have been fixed in version 3.0.10-0+deb9u1. This update disables the microdns plugin. For the stable distribution (buster), these problems have been fixed in version 3.0.10-0+deb10u1. This update disables the microdns plugin.
sunrat Posted May 2, 2020 Posted May 2, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4672-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 01, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : trafficserver CVE ID : CVE-2019-17559 CVE-2019-17565 CVE-2020-1944 CVE-2020-9481 Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or request smuggling attacks. For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u2.
sunrat Posted May 4, 2020 Posted May 4, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4673-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff May 03, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tomcat8 CVE ID : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938 Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling and code execution in the AJP connector (disabled by default in Debian). For the oldstable distribution (stretch), these problems have been fixed in version 8.5.54-0+deb9u1.
sunrat Posted May 6, 2020 Posted May 6, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4674-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond May 05, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : roundcube CVE ID : CVE-2020-12625 CVE-2020-12626 Debian Bug : 959140 959142 It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform either a Cross-Site Request Forgery (CSRF) forcing an authenticated user to be logged out, or a Cross-Side Scripting (XSS) leading to execution of arbitrary code. For the oldstable distribution (stretch), these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u4. For the stable distribution (buster), these problems have been fixed in version 1.3.11+dfsg.1-1~deb10u1. - ------------------------------------------------------------------------- Debian Security Advisory DSA-4675-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso May 05, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : graphicsmagick CVE ID : CVE-2019-12921 CVE-2020-10938 Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in information disclosure, denial of service or the execution of arbitrary code if malformed image files are processed. For the oldstable distribution (stretch), these problems have been fixed in version 1.3.30+hg15796-1~deb9u4. For the stable distribution (buster), these problems have been fixed in version 1.4+really1.3.35-1~deb10u1.
Recommended Posts