
NEW UPDATES Debian


sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4636-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 28, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-bleach
CVE ID         : CVE-2020-6802
Debian Bug     : 951907

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when
'noscript' and one or more raw text tags were whitelisted.

For the stable distribution (buster), this problem has been fixed in
version 3.1.1-0+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4637-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 09, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : network-manager-ssh
CVE ID         : CVE-2020-9355

Kobus van Schoor discovered that network-manager-ssh, a plugin to
provide VPN integration for SSH in NetworkManager, is prone to a
privilege escalation vulnerability. A local user with privileges to
modify a connection can take advantage of this flaw to execute arbitrary
commands as root.

This update drops support to pass extra SSH options to the ssh
invocation.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.2.1-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.2.10-1+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4638-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 10, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-19880 CVE-2019-19923 CVE-2019-19925 CVE-2019-19926
                 CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384
                 CVE-2020-6385 CVE-2020-6386 CVE-2020-6387 CVE-2020-6388
                 CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392
                 CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396
                 CVE-2020-6397 CVE-2020-6398 CVE-2020-6399 CVE-2020-6400
                 CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404
                 CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408
                 CVE-2020-6409 CVE-2020-6410 CVE-2020-6411 CVE-2020-6412
                 CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416
                 CVE-2020-6418 CVE-2020-6420

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-19880

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19923

    Richard Lorenz discovered an out-of-bounds read issue in the sqlite
    library.

CVE-2019-19925

    Richard Lorenz discovered an issue in the sqlite library.

CVE-2019-19926

    Richard Lorenz discovered an implementation error in the sqlite library.

CVE-2020-6381

    UK's National Cyber Security Centre discovered an integer overflow issue
    in the v8 javascript library.

CVE-2020-6382

    Soyeon Park and Wen Xu discovered a type error in the v8 javascript
    library.

CVE-2020-6383

    Sergei Glazunov discovered a type error in the v8 javascript library.

CVE-2020-6384

    David Manoucheri discovered a use-after-free issue in WebAudio.

CVE-2020-6385

    Sergei Glazunov discovered a policy enforcement error.

CVE-2020-6386

    Zhe Jin discovered a use-after-free issue in speech processing.

CVE-2020-6387

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6388

    Sergei Glazunov discovered an out-of-bounds read error in the WebRTC
    implementation.

CVE-2020-6389

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC
    implementation.

CVE-2020-6390

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6391

    Michał Bentkowski discovered that untrusted input was insufficiently
    validated.

CVE-2020-6392

    The Microsoft Edge Team discovered a policy enforcement error.

CVE-2020-6393

    Mark Amery discovered a policy enforcement error.

CVE-2020-6394

    Phil Freo discovered a policy enforcement error.

CVE-2020-6395

    Pierre Langlois discovered an out-of-bounds read error in the v8
    javascript library.

CVE-2020-6396

    William Luc Ritchie discovered an error in the skia library.

CVE-2020-6397

    Khalil Zhani discovered a user interface error.

CVE-2020-6398

    pdknsk discovered an uninitialized variable in the pdfium library.

CVE-2020-6399

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6400

    Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing.

CVE-2020-6401

    Tzachy Horesh discovered that user input was insufficiently validated.

CVE-2020-6402

    Vladimir Metnew discovered a policy enforcement error.

CVE-2020-6403

    Khalil Zhani discovered a user interface error.

CVE-2020-6404

    kanchi discovered an error in Blink/Webkit.

CVE-2020-6405

    Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the
    sqlite library.

CVE-2020-6406

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6407

    Sergei Glazunov discovered an out-of-bounds read error.

CVE-2020-6408

    Zhong Zhaochen discovered a policy enforcement error in Cross-Origin
    Resource Sharing.

CVE-2020-6409

    Divagar S and Bharathi V discovered an error in the omnibox
    implementation.

CVE-2020-6410

    evil1m0 discovered a policy enforcement error.

CVE-2020-6411

    Khalil Zhani discovered that user input was insufficiently validated.

CVE-2020-6412

    Zihan Zheng discovered that user input was insufficiently validated.

CVE-2020-6413

    Michał Bentkowski discovered an error in Blink/Webkit.

CVE-2020-6414

    Lijo A.T discovered a safe browsing policy enforcement error.

CVE-2020-6415

    Avihay Cohen discovered an implementation error in the v8 javascript
    library.

CVE-2020-6416

    Woojin Oh discovered that untrusted input was insufficiently validated.

CVE-2020-6418

    Clement Lecigne discovered a type error in the v8 javascript library.

CVE-2020-6420

    Taras Uzdenov discovered a policy enforcement error.

For the oldstable distribution (stretch), security support for chromium has
been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.132-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4639-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 11, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 
                 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.6.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.6.0esr-1~deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4640-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 15, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : graphicsmagick
CVE ID         : CVE-2019-19950 CVE-2019-19951 CVE-2019-19953 CVE-2019-11474
                 CVE-2019-11473 CVE-2019-11506 CVE-2019-11505 CVE-2019-11010
                 CVE-2019-11009 CVE-2019-11008 CVE-2019-11007 CVE-2019-11006
                 CVE-2019-11005 CVE-2018-20189 CVE-2018-20185 CVE-2018-20184

This update fixes several vulnerabilities in Graphicsmagick: Various memory
handling problems and cases of missing or incomplete input sanitising
may result in denial of service, memory disclosure or the execution
of arbitrary code if malformed media files are processed.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.3.30+hg15796-1~deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 1.4~hg15978-1+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4641-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
March 16, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-10018

The following vulnerability has been discovered in the webkit2gtk web
engine:

CVE-2020-10018

   Sudhakar Verma, Ashfaq Ansari and Siddhant Badhe discovered that
   processing maliciously crafted web content may lead to arbitrary
   code execution.

For the stable distribution (buster), this problem has been fixed in
version 2.26.4-1~deb10u2.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4642-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 19, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 
                 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814

Multiple security issues have been found in Thunderbird which could
potentially result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.6.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.6.0-1~deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4643-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 20, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-bleach
CVE ID         : CVE-2020-6816
Debian Bug     : 954236

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when
strip=False and 'math' or 'svg' tags and one or more of the RCDATA tags
were whitelisted.

For the stable distribution (buster), this problem has been fixed in
version 3.1.2-0+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4644-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 20, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2020-10592

A denial of service vulnerability (by triggering high CPU consumption)
was found in Tor, a connection-based low-latency anonymous communication
system.

For the stable distribution (buster), this problem has been fixed in
version 0.3.5.10-1.

For the oldstable distribution (stretch), support for tor is now
discontinued. Please upgrade to the stable release (buster) to continue
receiving tor updates.

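Both python-bleach advisories in this thread (DSA-4636-1 and DSA-4643-1) describe the problem in terms of which tags a deployment has put on its `bleach.clean()` allowlist. The script below is an added example, not bleach's own code, for auditing an allowlist against those two combinations before (or while) the patched package rolls out. The tag sets it uses are an assumption drawn from the HTML tokenizer's raw text, RCDATA and legacy special-element states; the patched package remains the real fix.

```python
"""Audit a bleach.clean() tag allowlist against the tag combinations that
DSA-4636-1 (CVE-2020-6802) and DSA-4643-1 (CVE-2020-6816) describe.

Added example, not bleach's own code. The tag sets below are an assumption
drawn from the HTML tokenizer's raw-text, RCDATA and legacy special states.
"""
from typing import Iterable, List

# Elements whose content the tokenizer does not parse as markup (assumed set).
RAW_TEXT_TAGS = frozenset({
    "script", "style",                          # raw text
    "title", "textarea",                        # escapable raw text
    "xmp", "iframe", "noembed", "noframes",     # legacy raw-text states
})
# DSA-4643-1 phrases the second issue in terms of "RCDATA tags"; noscript is
# treated as part of that group here (assumed).
RCDATA_TAGS = RAW_TEXT_TAGS | {"noscript"}
FOREIGN_CONTENT_TAGS = frozenset({"math", "svg"})


def normalise(tags: Iterable[str]) -> set:
    """Lower-case and trim tag names so 'Script' and 'script' compare equal."""
    return {t.strip().lower() for t in tags}


def find_unsafe_combinations(tags: Iterable[str], strip: bool = True) -> List[str]:
    """Return one finding per advisory condition the allowlist satisfies.

    `tags` mirrors bleach.clean(tags=...); `strip` mirrors bleach.clean(strip=...).
    """
    allow = normalise(tags)
    findings: List[str] = []

    # DSA-4636-1: 'noscript' plus one or more raw text tags.
    raw_hits = sorted(allow & RAW_TEXT_TAGS)
    if "noscript" in allow and raw_hits:
        findings.append(
            "CVE-2020-6802: 'noscript' allowed together with raw text tag(s) "
            + ", ".join(raw_hits)
        )

    # DSA-4643-1: strip=False plus 'math'/'svg' plus one or more RCDATA tags.
    foreign_hits = sorted(allow & FOREIGN_CONTENT_TAGS)
    rcdata_hits = sorted(allow & RCDATA_TAGS)
    if not strip and foreign_hits and rcdata_hits:
        findings.append(
            "CVE-2020-6816: strip=False with "
            + ", ".join(foreign_hits)
            + " and RCDATA tag(s) "
            + ", ".join(rcdata_hits)
        )
    return findings


def harden_allowlist(tags: Iterable[str], strip: bool = True) -> List[str]:
    """Drop the RCDATA/raw-text side of any flagged combination and return the
    remaining allowlist, sorted. Allowlists with no finding are returned as is."""
    allow = normalise(tags)
    if find_unsafe_combinations(allow, strip):
        allow -= RCDATA_TAGS
    assert not find_unsafe_combinations(allow, strip)
    return sorted(allow)


if __name__ == "__main__":
    # Constructed allowlists, not taken from any real deployment.
    for tags, strip in (
        (["p", "a", "noscript", "style"], True),
        (["p", "svg", "title"], False),
        (["p", "svg", "title"], True),
    ):
        print(tags, "strip=%s" % strip, find_unsafe_combinations(tags, strip) or "ok")
```

`find_unsafe_combinations` is the audit; `harden_allowlist` shows the conservative remediation of removing the raw-text side of the pairing rather than the structural tag, since the raw-text elements are the ones whose content model differs between the sanitizer's parse and the browser's re-parse. Tag names are compared case-insensitively so a mixed-case entry does not slip past the check.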
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4645-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
March 22, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-20503 CVE-2020-6422 CVE-2020-6424 CVE-2020-6425
                 CVE-2020-6426 CVE-2020-6427 CVE-2020-6428 CVE-2020-6429
                 CVE-2020-6449

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-20503

   Natalie Silvanovich discovered an out-of-bounds read issue in the usrsctp
   library.

CVE-2020-6422

    David Manouchehri discovered a use-after-free issue in the WebGL
    implementation.

CVE-2020-6424

    Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6425

    Sergei Glazunov discovered a policy enforcement error related to
    extensions.

CVE-2020-6426

    Avihay Cohen discovered an implementation error in the v8 javascript
    library.

CVE-2020-6427

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6428

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6429

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

CVE-2020-6449

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

For the oldstable distribution (stretch), security support for chromium has
been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 80.0.3987.149-1~deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4646-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 25, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icu
CVE ID         : CVE-2020-10531
Debian Bug     : 953747

Andre Bargull discovered an integer overflow in the International
Components for Unicode (ICU) library which could result in denial of
service and potentially the execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 57.1-6+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 63.1-6+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4647-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 26, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bluez
CVE ID         : CVE-2020-0556
Debian Bug     : 953770

It was reported that the BlueZ's HID and HOGP profile implementations
don't specifically require bonding between the device and the host.
Malicious devices can take advantage of this flaw to connect to a target
host and impersonate an existing HID device without security or to cause
an SDP or GATT service discovery to take place which would allow HID
reports to be injected to the input subsystem from a non-bonded source.

For the HID profile a new configuration option (ClassicBondedOnly) is
introduced to make sure that input connections only come from bonded
device connections. The option defaults to 'false' to maximize device
compatibility.

For the oldstable distribution (stretch), this problem has been fixed
in version 5.43-2+deb9u2.

For the stable distribution (buster), this problem has been fixed in
version 5.50-1.2~deb10u1.

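Since the bluez fix ships with ClassicBondedOnly off by default, installing the update alone does not change which HID connections bluetoothd accepts. The script below is an added example, not BlueZ code, that reads the input plugin configuration, reports the effective setting, and can emit a hardened copy. It assumes the option lives in the [General] section of /etc/bluetooth/input.conf; check that against the bluez package you run.

```python
"""Check, and if needed harden, the BlueZ input plugin configuration for the
ClassicBondedOnly option that the CVE-2020-0556 fix introduces.

Added example, not BlueZ's code. Assumption: the option is read from the
[General] section of /etc/bluetooth/input.conf (the input plugin's config).
"""
import configparser
import io
from pathlib import Path

INPUT_CONF = Path("/etc/bluetooth/input.conf")  # assumed location


def _parser() -> configparser.ConfigParser:
    # BlueZ reads its config with GKeyFile, whose keys are case-sensitive,
    # so disable configparser's default lower-casing of option names.
    p = configparser.ConfigParser(interpolation=None)
    p.optionxform = str
    return p


def classic_bonded_only(conf_text: str) -> bool:
    """Effective value of ClassicBondedOnly; absent means false (DSA-4647-1)."""
    p = _parser()
    p.read_string(conf_text)
    return p.getboolean("General", "ClassicBondedOnly", fallback=False)


def harden(conf_text: str) -> str:
    """Return conf_text with ClassicBondedOnly=true set in [General].

    Other sections and keys are preserved; comments are not, because
    configparser discards them, so review the result before installing it.
    """
    p = _parser()
    p.read_string(conf_text)
    if not p.has_section("General"):
        p.add_section("General")
    p.set("General", "ClassicBondedOnly", "true")
    out = io.StringIO()
    p.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    text = INPUT_CONF.read_text() if INPUT_CONF.exists() else ""
    state = "bonded-only" if classic_bonded_only(text) else "accepts non-bonded HID (default)"
    print(f"{INPUT_CONF}: {state}")
```

Turning the option on is the trade-off the advisory describes: peripherals that were paired without bonding stop working until they are re-paired, which is why Debian left it off. Run the check across a fleet, decide per host class, and test with the keyboards and mice actually in use before writing the hardened file back.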
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4648-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 31, 2020                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libpam-krb5
CVE ID         : CVE-2020-10595

Russ Allbery discovered a buffer overflow in the PAM module for MIT
Kerberos, which could result in denial of service or potentially the
execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.7-4+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 4.8-2+deb10u1.
