sunrat Posted May 7, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4676-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652
Debian Bug     : 949222 959684

Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieval of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.

For the oldstable distribution (stretch), these problems have been fixed in version 2016.11.2+ds-1+deb9u3.

For the stable distribution (buster), these problems have been fixed in version 2018.3.4+dfsg1-6+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4677-1                   security@debian.org
https://www.debian.org/security/                         Sebastien Delafond
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2019-9787 CVE-2019-16217 CVE-2019-16218 CVE-2019-16219
                 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223
                 CVE-2019-16780 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671
                 CVE-2019-17672 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675
                 CVE-2019-20041 CVE-2019-20042 CVE-2019-20043 CVE-2020-11025
                 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029
                 CVE-2020-11030
Debian Bug     : 924546 939543 942459 946905 959391

Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitation.

For the oldstable distribution (stretch), these problems have been fixed in version 4.7.5+dfsg-2+deb9u6.

For the stable distribution (buster), these problems have been fixed in version 5.0.4+dfsg1-1+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4678-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 CVE-2020-12395

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.

For the oldstable distribution (stretch), these problems have been fixed in version 68.8.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 68.8.0esr-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4679-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : keystone
CVE ID         : not yet available
Debian Bug     : 959900

A vulnerability was found in the EC2 credentials API of Keystone, the OpenStack identity service: Any user authenticated within a limited scope (trust/oauth/application credential) could create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.

For the stable distribution (buster), this problem has been fixed in version 2:14.2.0-0+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4680-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2019-10072 CVE-2019-12418 CVE-2019-17563 CVE-2019-17569
                 CVE-2020-1935 CVE-2020-1938

Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.

For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u1.

The fix for CVE-2020-1938 may require configuration changes when Tomcat is used with the AJP connector, e.g. in combination with libapache-mod-jk. For instance the attribute "secretRequired" is set to true by default now. For affected setups it's recommended to review https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html before deploying the update.
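The AJP note in DSA-4680-1 is the one item in this batch that needs a configuration change rather than a plain upgrade. What follows is an added example, not Debian's or Tomcat's code, that audits the AJP connectors in a server.xml against the 9.0.31 defaults documented on the Tomcat AJP connector page the advisory links: secretRequired is true unless set otherwise, a connector with secretRequired true and no secret will not start, and a connector whose address is not loopback is reachable from the network. The sample server.xml, the finding codes and the hardened_connector helper are constructed for this example.

```python
"""Audit the AJP connectors in a Tomcat server.xml for the CVE-2020-1938 fix.

Added example, not Debian's or Tomcat's code. Tomcat 9.0.31 (the version the
advisory ships) changes the AJP defaults: secretRequired defaults to true, a
connector with secretRequired=true and no secret refuses to start, and the
connector binds to loopback unless `address` says otherwise. The sample
server.xml below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed server.xml fragment with one HTTP and three AJP connectors.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- pre-9.0.31 style: no secret, binds all interfaces on old versions -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- opts out of the secret and listens on every interface -->
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false" address="0.0.0.0"/>
    <!-- hardened: loopback only, shared secret that the mod_jk worker must also carry -->
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               address="127.0.0.1" secretRequired="true"
               secret="replace-with-a-long-random-value"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def is_ajp_connector(connector):
    """True for the AJP/1.3 shorthand or any of the explicit AJP protocol classes."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or proto.startswith("org.apache.coyote.ajp.")


def audit_ajp_connectors(server_xml):
    """Return {port: [finding codes]} for every AJP connector; [] means clean.

    Codes (names chosen for this example):
      no-secret        secretRequired is true (the 9.0.31+ default) but no secret
                       is configured: the connector will not start after the update
      secret-disabled  secretRequired="false": any client that can reach the port
                       can send AJP requests without authentication
      exposed          address is set to something other than loopback
      address-unset    no address attribute: all interfaces before 9.0.31,
                       loopback from 9.0.31 on, so exposure depends on the version
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if not is_ajp_connector(conn):
            continue
        port = conn.get("port", "?")
        findings = []
        secret_required = conn.get("secretRequired", "true").strip().lower() != "false"
        secret = conn.get("secret", "").strip()
        address = conn.get("address")
        if secret_required and not secret:
            findings.append("no-secret")
        if not secret_required:
            findings.append("secret-disabled")
        if address is None:
            findings.append("address-unset")
        elif address not in LOOPBACK_ADDRESSES:
            findings.append("exposed")
        report[port] = findings
    return report


def hardened_connector(port, secret, address="127.0.0.1"):
    """Render the connector element to put in server.xml once the update is installed."""
    if len(secret) < 16:
        raise ValueError("use a long random shared secret")
    return (f"<Connector port={quoteattr(str(port))} protocol=\"AJP/1.3\" "
            f"address={quoteattr(address)} secretRequired=\"true\" "
            f"secret={quoteattr(secret)}/>")


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(f"AJP connector on port {port}: {', '.join(findings) or 'ok'}")
```

Run it against the real /etc/tomcat9/server.xml before installing 9.0.31-1~deb10u1: a connector reported as no-secret is the one that will silently stop serving mod_jk after the upgrade, and the same secret must then be added to the mod_jk worker definition.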
sunrat Posted May 7, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4681-1                   security@debian.org
https://www.debian.org/security/                             Alberto Garcia
May 07, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 CVE-2020-3897
                 CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902

The following vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2020-3885

    Ryan Pickren discovered that a file URL may be incorrectly processed.

CVE-2020-3894

    Sergei Glazunov discovered that a race condition may allow an application to read restricted memory.

CVE-2020-3895

    grigoritchy discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2020-3897

    Brendan Draper discovered that a remote attacker may be able to cause arbitrary code execution.

CVE-2020-3899

    OSS-Fuzz discovered that a remote attacker may be able to cause arbitrary code execution.

CVE-2020-3900

    Dongzhuo Zhao discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2020-3901

    Benjamin Randazzo discovered that processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2020-3902

    Yigit Can Yilmaz discovered that processing maliciously crafted web content may lead to a cross site scripting attack.

For the stable distribution (buster), these problems have been fixed in version 2.28.2-2~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4676-2                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 07, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2020-11651 CVE-2020-11652
Debian Bug     : 959684

The update for salt for the oldstable distribution (stretch) released as DSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and CVE-2020-11652. Updated salt packages are now available to correct this issue. For reference, the original advisory text follows.

Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieval of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.

For the oldstable distribution (stretch), these problems have been fixed in version 2016.11.2+ds-1+deb9u4.
sunrat Posted May 8, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4682-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 08, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12523
                 CVE-2019-12524 CVE-2019-12526 CVE-2019-12528 CVE-2019-18676
                 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2020-8449
                 CVE-2020-8450 CVE-2020-11945

Multiple security issues were discovered in the Squid proxy caching server, which could result in the bypass of security filters, information disclosure, the execution of arbitrary code or denial of service.

For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4683-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 08, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 CVE-2020-12395
                 CVE-2020-12397

Multiple security issues have been found in Thunderbird which could result in spoofing the displayed sender email address, denial of service or potentially the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed in version 1:68.8.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 1:68.8.0-1~deb10u1.
sunrat Posted May 9, 2020

------------------------------------------------------------------------
The Debian Project                                 https://www.debian.org/
Updated Debian 10: 10.4 released                         press@debian.org
May 9th, 2020                   https://www.debian.org/News/2020/20200509
------------------------------------------------------------------------

The Debian project is pleased to announce the fourth update of its stable distribution Debian 10 (codename "buster"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old "buster" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| apt-cacher-ng [1] | Enforce secured call to the server in maintenance job triggering [CVE-2020-5202]; allow .zst compression for tarballs; increase size of the decompression line buffer for configuration file reading |
| backuppc [2] | Pass the username to start-stop-daemon when reloading, preventing reload failures |
| base-files [3] | Update for the point release |
| brltty [4] | Reduce severity of log message to avoid generating too many messages when used with new Orca versions |
| checkstyle [5] | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782] |
| choose-mirror [6] | Update included mirror list |
| clamav [7] | New upstream release [CVE-2020-3123] |
| corosync [8] | totemsrp: Reduce MTU to avoid generating oversized packets |
| corosync-qdevice [9] | Fix service startup |
| csync2 [10] | Fail HELLO command when SSL is required |
| cups [11] | Fix heap buffer overflow [CVE-2020-3898] and "the `ippReadIO` function may under-read an extension field" [CVE-2019-8842] |
| dav4tbsync [12] | New upstream release, restoring compatibility with newer Thunderbird versions |
| debian-edu-config [13] | Add policy files for Firefox ESR and Thunderbird to fix the TLS/SSL setup |
| debian-installer [14] | Update for the 4.19.0-9 kernel ABI |
| debian-installer-netboot-images [15] | Rebuild against proposed-updates |
| debian-security-support [16] | New upstream stable release; update status of several packages; use "runuser" rather than "su" |
| distro-info-data [17] | Add Ubuntu 20.10, and likely end of support date for stretch |
| dojo [18] | Fix improper regular expression usage [CVE-2019-10785] |
| dpdk [19] | New upstream stable release |
| dtv-scan-tables [20] | New upstream snapshot; add all current German DVB-T2 muxes and the Eutelsat-5-West-A satellite |
| eas4tbsync [21] | New upstream release, restoring compatibility with newer Thunderbird versions |
| edk2 [22] | Security fixes [CVE-2019-14558 CVE-2019-14559 CVE-2019-14563 CVE-2019-14575 CVE-2019-14586 CVE-2019-14587] |
| el-api [23] | Fix stretch to buster upgrades that involve Tomcat 8 |
| fex [24] | Fix a potential security issue in fexsrv |
| filezilla [25] | Fix untrusted search path vulnerability [CVE-2019-5429] |
| frr [26] | Fix extended next hop capability |
| fuse [27] | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge |
| fuse3 [28] | Remove outdated udevadm commands from post-install scripts; don't explicitly remove fuse.conf on purge; fix memory leak in fuse_session_new() |
| golang-github-prometheus-common [29] | Extend validity of test certificates |
| gosa [30] | Replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466] |
| hbci4java [31] | Support EU directive on payment services (PSD2) |
| hibiscus [32] | Support EU directive on payment services (PSD2) |
| iputils [33] | Correct an issue in which ping would improperly exit with a failure code when there were untried addresses still available in the getaddrinfo() library call return value |
| ircd-hybrid [34] | Use dhparam.pem to avoid crash on startup |
| jekyll [35] | Allow use of ruby-i18n 0.x and 1.x |
| jsp-api [36] | Fix stretch to buster upgrades that involve Tomcat 8 |
| lemonldap-ng [37] | Prevent unwanted access to administration endpoints [CVE-2019-19791]; fix the GrantSession plugin which could not prohibit logon when two factor authentication was used; fix arbitrary redirects with OIDC if redirect_uri was not used |
| libdatetime-timezone-perl [38] | Update included data |
| libreoffice [39] | Fix OpenGL slide transitions |
| libssh [40] | Fix possible denial of service issue when handling AES-CTR keys with OpenSSL [CVE-2020-1730] |
| libvncserver [41] | Fix heap overflow [CVE-2019-15690] |
| linux [42] | New upstream stable release |
| linux-latest [43] | Update kernel ABI to 4.19.0-9 |
| linux-signed-amd64 [44] | New upstream stable release |
| linux-signed-arm64 [45] | New upstream stable release |
| linux-signed-i386 [46] | New upstream stable release |
| lwip [47] | Fix buffer overflow [CVE-2020-8597] |
| lxc-templates [48] | New upstream stable release; handle languages that are only UTF-8 encoded |
| manila [49] | Fix missing access permissions check [CVE-2020-9543] |
| megatools [50] | Add support for the new format of mega.nz links |
| mew [51] | Fix server SSL certificate validity checking |
| mew-beta [52] | Fix server SSL certificate validity checking |
| mkvtoolnix [53] | Rebuild to tighten libmatroska6v5 dependency |
| ncbi-blast+ [54] | Disable SSE4.2 support |
| node-anymatch [55] | Remove unnecessary dependencies |
| node-dot [56] | Prevent code execution after prototype pollution [CVE-2020-8141] |
| node-dot-prop [57] | Fix prototype pollution [CVE-2020-8116] |
| node-knockout [58] | Fix escaping with older Internet Explorer versions [CVE-2019-14862] |
| node-mongodb [59] | Reject invalid _bsontypes [CVE-2019-2391 CVE-2020-7610] |
| node-yargs-parser [60] | Fix prototype pollution [CVE-2020-7608] |
| npm [61] | Fix arbitrary path access [CVE-2019-16775 CVE-2019-16776 CVE-2019-16777] |
| nvidia-graphics-drivers [62] | New upstream stable release |
| nvidia-graphics-drivers-legacy-390xx [63] | New upstream stable release |
| nvidia-settings-legacy-340xx [64] | New upstream release |
| oar [65] | Revert to stretch behavior for Storable::dclone perl function, fixing recursion depth issues |
| opam [66] | Prefer mccs over aspcud |
| openvswitch [67] | Fix vswitchd abort when a port is added and the controller is down |
| orocos-kdl [68] | Fix string conversion with Python 3 |
| owfs [69] | Remove broken Python 3 packages |
| pango1.0 [70] | Fix crash in pango_fc_font_key_get_variations() when key is null |
| pgcli [71] | Add missing dependency on python3-pkg-resources |
| php-horde-data [72] | Fix authenticated remote code execution vulnerability [CVE-2020-8518] |
| php-horde-form [73] | Fix authenticated remote code execution vulnerability [CVE-2020-8866] |
| php-horde-trean [74] | Fix authenticated remote code execution vulnerability [CVE-2020-8865] |
| postfix [75] | New upstream stable release; fix panic with Postfix multi-Milter configuration during MAIL FROM; fix d/init.d running change so it works with multi-instance again |
| proftpd-dfsg [76] | Fix memory access issue in keyboard-interactive code in mod_sftp; properly handle DEBUG, IGNORE, DISCONNECT, and UNIMPLEMENTED messages in keyboard-interactive mode |
| puma [77] | Fix Denial of Service issue [CVE-2019-16770] |
| purple-discord [78] | Fix crashes in ssl_nss_read |
| python-oslo.utils [79] | Fix leak of sensitive information via mistral logs [CVE-2019-3866] |
| rails [80] | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267] |
| rake [81] | Fix command injection vulnerability [CVE-2020-8130] |
| raspi3-firmware [82] | Fix dtb names mismatch in z50-raspi-firmware; fix boot on Raspberry Pi families 1 and 0 |
| resource-agents [83] | Fix "ethmonitor does not list interfaces without assigned IP address"; remove no longer required xen-toolstack patch; fix non-standard usage in ZFS agent |
| rootskel [84] | Disable multiple console support if preseeding is in use |
| ruby-i18n [85] | Fix gemspec generation |
| rubygems-integration [86] | Avoid deprecation warnings when users install a newer version of Rubygems via "gem update --system" |
| schleuder [87] | Improve patch to handle encoding errors introduced in the previous version; switch default encoding to UTF-8; let x-add-key handle mails with attached, quoted-printable encoded keys; fix x-attach-listkey with mails created by Thunderbird that include protected headers |
| scilab [88] | Fix library loading with OpenJDK 11.0.7 |
| serverspec-runner [89] | Support Ruby 2.5 |
| softflowd [90] | Fix broken flow aggregation which might result in flow table overflow and 100% CPU usage |
| speech-dispatcher [91] | Fix default pulseaudio latency which triggers "scratchy" output |
| spl-linux [92] | Fix deadlock |
| sssd [93] | Fix sssd_be busy-looping when LDAP connection is intermittent |
| systemd [94] | When authorizing via PolicyKit re-resolve callback/userdata instead of caching it [CVE-2020-1712]; install 60-block.rules in udev-udeb and initramfs-tools |
| taglib [95] | Fix corruption issues with OGG files |
| tbsync [96] | New upstream release, restoring compatibility with newer Thunderbird versions |
| timeshift [97] | Fix predictable temporary directory use [CVE-2020-10174] |
| tinyproxy [98] | Only set PIDDIR, if PIDFILE is a non-zero length string |
| tzdata [99] | New upstream stable release |
| uim [100] | Unregister modules that are not installed, fixing a regression in the previous upload |
| user-mode-linux [101] | Fix build failure with current stable kernels |
| vite [102] | Fix crash when there are more than 32 elements |
| waagent [103] | New upstream release; support co-installation with cloud-init |
| websocket-api [104] | Fix stretch to buster upgrades that involve Tomcat 8 |
| wpa [105] | Do not try to detect PSK mismatch during PTK rekeying; check for FT support when selecting FT suites; fix MAC randomisation issue with some cards |
| xdg-utils [106] | xdg-open: fix pcmanfm check and handling of directories with spaces in their names; xdg-screensaver: Sanitise window name before sending it over D-Bus; xdg-mime: Create config directory if it does not exist yet |
| xtrlock [107] | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894] |
| zfs-linux [108] | Fix potential deadlock issues |
+---------------------------+-----------------------------------------+


Security Updates
----------------

This revision adds the following security updates to the stable release. The Security Team has already released an advisory for each of these updates:

+----------------+-----------------------------+
| Advisory ID    | Package                     |
+----------------+-----------------------------+
| DSA-4616 [109] | qemu [110]                  |
| DSA-4617 [111] | qtbase-opensource-src [112] |
| DSA-4618 [113] | libexif [114]               |
| DSA-4619 [115] | libxmlrpc3-java [116]       |
| DSA-4620 [117] | firefox-esr [118]           |
| DSA-4623 [119] | postgresql-11 [120]         |
| DSA-4624 [121] | evince [122]                |
| DSA-4625 [123] | thunderbird [124]           |
| DSA-4627 [125] | webkit2gtk [126]            |
| DSA-4629 [127] | python-django [128]         |
| DSA-4630 [129] | python-pysaml2 [130]        |
| DSA-4631 [131] | pillow [132]                |
| DSA-4632 [133] | ppp [134]                   |
| DSA-4633 [135] | curl [136]                  |
| DSA-4634 [137] | opensmtpd [138]             |
| DSA-4635 [139] | proftpd-dfsg [140]          |
| DSA-4636 [141] | python-bleach [142]         |
| DSA-4637 [143] | network-manager-ssh [144]   |
| DSA-4638 [145] | chromium [146]              |
| DSA-4639 [147] | firefox-esr [148]           |
| DSA-4640 [149] | graphicsmagick [150]        |
| DSA-4641 [151] | webkit2gtk [152]            |
| DSA-4642 [153] | thunderbird [154]           |
| DSA-4643 [155] | python-bleach [156]         |
| DSA-4644 [157] | tor [158]                   |
| DSA-4645 [159] | chromium [160]              |
| DSA-4646 [161] | icu [162]                   |
| DSA-4647 [163] | bluez [164]                 |
| DSA-4648 [165] | libpam-krb5 [166]           |
| DSA-4649 [167] | haproxy [168]               |
| DSA-4650 [169] | qbittorrent [170]           |
| DSA-4651 [171] | mediawiki [172]             |
| DSA-4652 [173] | gnutls28 [174]              |
| DSA-4653 [175] | firefox-esr [176]           |
| DSA-4654 [177] | chromium [178]              |
| DSA-4655 [179] | firefox-esr [180]           |
| DSA-4656 [181] | thunderbird [182]           |
| DSA-4657 [183] | git [184]                   |
| DSA-4658 [185] | webkit2gtk [186]            |
| DSA-4659 [187] | git [188]                   |
| DSA-4660 [189] | awl [190]                   |
| DSA-4661 [191] | openssl [192]               |
| DSA-4663 [193] | python-reportlab [194]      |
| DSA-4664 [195] | mailman [196]               |
| DSA-4665 [197] | qemu [198]                  |
| DSA-4666 [199] | openldap [200]              |
| DSA-4667 [201] | linux-signed-amd64 [202]    |
| DSA-4667 [203] | linux-signed-arm64 [204]    |
| DSA-4667 [205] | linux-signed-i386 [206]     |
| DSA-4667 [207] | linux [208]                 |
| DSA-4669 [209] | nodejs [210]                |
| DSA-4671 [211] | vlc [212]                   |
| DSA-4672 [213] | trafficserver [214]         |
+----------------+-----------------------------+


Removed packages
----------------

The following packages were removed due to circumstances beyond our control:

+-------------------------+--------------------------------------------+
| Package                 | Reason                                     |
+-------------------------+--------------------------------------------+
| getlive [215]           | Broken due to Hotmail changes              |
| gplaycli [216]          | Broken by Google API changes               |
| kerneloops [217]        | Upstream service no longer available       |
| lambda-align2 [218]     | [arm64 armel armhf i386 mips64el ppc64el s390x] Broken on non-amd64 architectures |
| libmicrodns [219]       | Security issues                            |
| libperlspeak-perl [220] | Security issues; unmaintained              |
| quotecolors [221]       | Incompatible with newer Thunderbird versions |
| torbirdy [222]          | Incompatible with newer Thunderbird versions |
| ugene [223]             | Non-free; fails to build                   |
| yahoo2mbox [224]        | Broken for several years                   |
+-------------------------+--------------------------------------------+


Debian Installer
----------------

The installer has been updated to include the fixes incorporated into stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/
sunrat Posted May 13, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4684-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 13, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreswan
CVE ID         : CVE-2020-1763
Debian Bug     : 960458

Stephan Zeisberg discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 Informational Exchange packet, resulting in denial of service.

For the stable distribution (buster), this problem has been fixed in version 3.27-6+deb10u1.
sunrat Posted May 15, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4685-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 14, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apt
CVE ID         : CVE-2020-3810

Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files.

For the oldstable distribution (stretch), this problem has been fixed in version 1.4.10.

For the stable distribution (buster), this problem has been fixed in version 1.8.2.1.
sunrat Posted May 16, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4686-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 16, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache-log4j1.2
CVE ID         : CVE-2019-17571
Debian Bug     : 947124

It was discovered that the SocketServer class included in apache-log4j1.2, a logging library for java, is vulnerable to deserialization of untrusted data. An attacker can take advantage of this flaw to execute arbitrary code in the context of the logger application by sending a specially crafted log event.

For the oldstable distribution (stretch), this problem has been fixed in version 1.2.17-7+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 1.2.17-8+deb10u1.
sunrat Posted May 16, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4687-1                   security@debian.org
https://www.debian.org/security/                            Florian Weimer
May 16, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2020-12783

It was discovered that exim4, a mail transport agent, suffers from an authentication bypass vulnerability in the spa authentication driver. The spa authentication driver is not enabled by default.

For the oldstable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in version 4.92-8+deb10u4.
sunrat Posted May 18, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4688-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
May 18, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dpdk
CVE ID         : CVE-2020-10722 CVE-2020-10723 CVE-2020-10724

Multiple vulnerabilities were discovered in the vhost code of DPDK, a set of libraries for fast packet processing, which could result in denial of service or the execution of arbitrary code by malicious guests/containers.

For the oldstable distribution (stretch), these problems have been fixed in version 16.11.11-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 18.11.6-1~deb10u2.
sunrat Posted May 19, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4689-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
May 19, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2019-6477 CVE-2020-8616 CVE-2020-8617
Debian Bug     : 945171

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2019-6477

    It was discovered that TCP-pipelined queries can bypass tcp-client limits resulting in denial of service.

CVE-2020-8616

    It was discovered that BIND does not sufficiently limit the number of fetches performed when processing referrals. An attacker can take advantage of this flaw to cause a denial of service (performance degradation) or use the recursing server in a reflection attack with a high amplification factor.

CVE-2020-8617

    It was discovered that a logic error in the code which checks TSIG validity can be used to trigger an assertion failure, resulting in denial of service.

For the oldstable distribution (stretch), these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u6.

For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u1.
sunrat Posted May 21, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4690-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 20, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
Debian Bug     : 960963

Several vulnerabilities were discovered in the Dovecot email server, which could cause crashes in the submission, submission-login or lmtp services, resulting in denial of service.

For the stable distribution (buster), these problems have been fixed in version 1:2.3.4.1-5+deb10u2.
sunrat Posted May 22, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4691-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 21, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns-recursor
CVE ID         : CVE-2020-10955 CVE-2020-12244

Two vulnerabilities have been discovered in PDNS Recursor, a resolving name server; a traffic amplification attack against third party authoritative name servers (NXNSAttack) and insufficient validation of NXDOMAIN responses lacking an SOA.

The version of pdns-recursor in the oldstable distribution (stretch) is no longer supported. If these security issues affect your setup, you should upgrade to the stable distribution (buster).

For the stable distribution (buster), these problems have been fixed in version 4.1.11-1+deb10u1.
sunrat Posted May 24, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4692-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 24, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : netqmail
CVE ID         : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811 CVE-2020-3812
Debian Bug     : 961060

Georgi Guninski and the Qualys Research Labs discovered multiple vulnerabilities in qmail (shipped in Debian as netqmail with additional patches) which could result in the execution of arbitrary code, bypass of mail address verification and a local information leak whether a file exists or not.

For the oldstable distribution (stretch), these problems have been fixed in version 1.06-6.2~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 1.06-6.2~deb10u1.
sunrat Posted May 27, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4693-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 26, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2020-11022 CVE-2020-11023 SA-CORE-2020-003

Several vulnerabilities were discovered in Drupal, a fully-featured content management framework, which could result in an open redirect or cross-site scripting.

For the oldstable distribution (stretch), these problems have been fixed in version 7.52-2+deb9u10.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4694-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 26, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : unbound
CVE ID         : CVE-2020-12662 CVE-2020-12663

Two vulnerabilities have been discovered in Unbound, a recursive-only caching DNS server; a traffic amplification attack against third party authoritative name servers (NXNSAttack) and insufficient sanitisation of replies from upstream servers could result in denial of service via an infinite loop.

The version of Unbound in the oldstable distribution (stretch) is no longer supported. If these security issues affect your setup, you should upgrade to the stable distribution (buster).

For the stable distribution (buster), these problems have been fixed in version 1.9.0-2+deb10u2.
sunrat Posted June 4, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4695-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 03, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or a timing attack on cryptographic keys.

For the oldstable distribution (stretch), these problems have been fixed in version 68.9.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 68.9.0esr-1~deb10u1.
sunrat Posted June 6, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4696-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 06, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nodejs
CVE ID         : CVE-2020-8174 CVE-2020-11080
Debian Bug     : 962145

Two vulnerabilities were discovered in Node.js, which could result in denial of service and potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 10.21.0~dfsg-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4697-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 06, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gnutls28
CVE ID         : CVE-2020-13777
Debian Bug     : 962289

A flaw was reported in the TLS session ticket key construction in GnuTLS, a library implementing the TLS and SSL protocols. The flaw caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a man-in-the-middle attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2.

For the stable distribution (buster), this problem has been fixed in version 3.6.7-4+deb10u4.
sunrat Posted June 10, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4698-1                   security@debian.org
https://www.debian.org/security/                            Ben Hutchings
June 09, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2019-2182 CVE-2019-5108 CVE-2019-19319 CVE-2019-19462 CVE-2019-19768 CVE-2019-20806 CVE-2019-20811 CVE-2020-0543 CVE-2020-2732 CVE-2020-8428 CVE-2020-8647 CVE-2020-8648 CVE-2020-8649 CVE-2020-9383 CVE-2020-10711 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494 CVE-2020-11565 CVE-2020-11608 CVE-2020-11609 CVE-2020-11668 CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653 CVE-2020-12654 CVE-2020-12770 CVE-2020-13143
Debian Bug     : 952660

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-2182

    Hanjun Guo and Lei Li reported a race condition in the arm64 virtual memory management code, which could lead to an information disclosure, denial of service (crash), or possibly privilege escalation.

CVE-2019-5108

    Mitchell Frank of Cisco discovered that when the IEEE 802.11 (WiFi) stack was used in AP mode with roaming, it would trigger roaming for a newly associated station before the station was authenticated. An attacker within range of the AP could use this to cause a denial of service, either by filling up a switching table or by redirecting traffic away from other stations.

CVE-2019-19319

    Jungyeon discovered that a crafted filesystem can cause the ext4 implementation to deallocate or reallocate journal blocks. A user permitted to mount filesystems could use this to cause a denial of service (crash), or possibly for privilege escalation.

CVE-2019-19462

    The syzbot tool found a missing error check in the 'relay' library used to implement various files under debugfs. A local user permitted to access debugfs could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2019-19768

    Tristan Madani reported a race condition in the blktrace debug facility that could result in a use-after-free. A local user able to trigger removal of block devices could possibly use this to cause a denial of service (crash) or for privilege escalation.

CVE-2019-20806

    A potential null pointer dereference was discovered in the tw5864 media driver. The security impact of this is unclear.

CVE-2019-20811

    The Hulk Robot tool found a reference-counting bug in an error path in the network subsystem. The security impact of this is unclear.

CVE-2020-0543

    Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs.

    This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian's non-free archive section. This kernel update only provides reporting of the vulnerability and the option to disable the mitigation if it is not needed.

CVE-2020-2732

    Paulo Bonzini discovered that the KVM implementation for Intel processors did not properly handle instruction emulation for L2 guests when nested virtualization is enabled. This could allow an L2 guest to cause privilege escalation, denial of service, or information leaks in the L1 guest.

CVE-2020-8428

    Al Viro discovered a potential use-after-free in the filesystem core (vfs). A local user could exploit this to cause a denial of service (crash) or possibly to obtain sensitive information from the kernel.

CVE-2020-8647, CVE-2020-8649

    The Hulk Robot tool found a potential MMIO out-of-bounds access in the vgacon driver. A local user permitted to access a virtual terminal (/dev/tty1 etc.) on a system using the vgacon driver could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-8648

    The syzbot tool found a race condition in the virtual terminal driver, which could result in a use-after-free. A local user permitted to access a virtual terminal could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-9383

    Jordy Zomer reported an incorrect range check in the floppy driver which could lead to a static out-of-bounds access. A local user permitted to access a floppy drive could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-10711

    Matthew Sheets reported NULL pointer dereference issues in the SELinux subsystem while receiving CIPSO packet with null category. A remote attacker can take advantage of this flaw to cause a denial of service (crash). Note that this issue does not affect the binary packages distributed in Debian as CONFIG_NETLABEL is not enabled.

CVE-2020-10732

    An information leak of kernel private memory to userspace was found in the kernel's implementation of core dumping userspace processes.

CVE-2020-10751

    Dmitry Vyukov reported that the SELinux subsystem did not properly handle validating multiple messages, which could allow a privileged attacker to bypass SELinux netlink restrictions.

CVE-2020-10757

    Fan Yang reported a flaw in the way mremap handled DAX hugepages, allowing a local user to escalate their privileges.

CVE-2020-10942

    It was discovered that the vhost_net driver did not properly validate the type of sockets set as back-ends. A local user permitted to access /dev/vhost-net could use this to cause a stack corruption via crafted system calls, resulting in denial of service (crash) or possibly privilege escalation.

CVE-2020-11494

    It was discovered that the slcan (serial line CAN) network driver did not fully initialise CAN headers for received packets, resulting in an information leak from the kernel to user-space or over the CAN network.

CVE-2020-11565

    Entropy Moe reported that the shared memory filesystem (tmpfs) did not correctly handle an "mpol" mount option specifying an empty node list, leading to a stack-based out-of-bounds write. If user namespaces are enabled, a local user could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2020-11608, CVE-2020-11609, CVE-2020-11668

    It was discovered that the ov519, stv06xx, and xirlink_cit media drivers did not properly validate USB device descriptors. A physically present user with a specially constructed USB device could use this to cause a denial-of-service (crash) or possibly for privilege escalation.

CVE-2020-12114

    Piotr Krysiuk discovered a race condition between the umount and pivot_root operations in the filesystem core (vfs). A local user with the CAP_SYS_ADMIN capability in any user namespace could use this to cause a denial of service (crash).

CVE-2020-12464

    Kyungtae Kim reported a race condition in the USB core that can result in a use-after-free. It is not clear how this can be exploited, but it could result in a denial of service (crash or memory corruption) or privilege escalation.

CVE-2020-12652

    Tom Hatskevich reported a bug in the mptfusion storage drivers. An ioctl handler fetched a parameter from user memory twice, creating a race condition which could result in incorrect locking of internal data structures. A local user permitted to access /dev/mptctl could use this to cause a denial of service (crash or memory corruption) or for privilege escalation.

CVE-2020-12653

    It was discovered that the mwifiex WiFi driver did not sufficiently validate scan requests, resulting in a potential heap buffer overflow. A local user with CAP_NET_ADMIN capability could use this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.

CVE-2020-12654

    It was discovered that the mwifiex WiFi driver did not sufficiently validate WMM parameters received from an access point (AP), resulting in a potential heap buffer overflow. A malicious AP could use this to cause a denial of service (crash or memory corruption) or possibly to execute code on a vulnerable system.

CVE-2020-12770

    It was discovered that the sg (SCSI generic) driver did not correctly release internal resources in a particular error case. A local user permitted to access an sg device could possibly use this to cause a denial of service (resource exhaustion).

CVE-2020-13143

    Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation.

For the oldstable distribution (stretch), these problems have been fixed in version 4.9.210-1+deb9u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the macvlan driver introduced in the previous point release (bug #952660).

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4699-1                   security@debian.org
https://www.debian.org/security/                            Ben Hutchings
June 09, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2019-3016 CVE-2019-19462 CVE-2020-0543 CVE-2020-10711 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12768 CVE-2020-12770 CVE-2020-13143
Debian Bug     : 960271

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-3016

    It was discovered that the KVM implementation for x86 did not always perform TLB flushes when needed, if the paravirtualised TLB flush feature was enabled. This could lead to disclosure of sensitive information within a guest VM.

CVE-2019-19462

    The syzkaller tool found a missing error check in the 'relay' library used to implement various files under debugfs. A local user permitted to access debugfs could use this to cause a denial of service (crash) or possibly for privilege escalation.

CVE-2020-0543

    Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs.

    This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian's non-free archive section. This kernel update only provides reporting of the vulnerability and the option to disable the mitigation if it is not needed.

CVE-2020-10711

    Matthew Sheets reported NULL pointer dereference issues in the SELinux subsystem while receiving CIPSO packet with null category. A remote attacker can take advantage of this flaw to cause a denial of service (crash). Note that this issue does not affect the binary packages distributed in Debian as CONFIG_NETLABEL is not enabled.

CVE-2020-10732

    An information leak of kernel private memory to userspace was found in the kernel's implementation of core dumping userspace processes.

CVE-2020-10751

    Dmitry Vyukov reported that the SELinux subsystem did not properly handle validating multiple messages, which could allow a privileged attacker to bypass SELinux netlink restrictions.

CVE-2020-10757

    Fan Yang reported a flaw in the way mremap handled DAX hugepages, allowing a local user to escalate their privileges.

CVE-2020-12114

    Piotr Krysiuk discovered a race condition between the umount and pivot_root operations in the filesystem core (vfs). A local user with the CAP_SYS_ADMIN capability in any user namespace could use this to cause a denial of service (crash).

CVE-2020-12464

    Kyungtae Kim reported a race condition in the USB core that can result in a use-after-free. It is not clear how this can be exploited, but it could result in a denial of service (crash or memory corruption) or privilege escalation.

CVE-2020-12768

    A bug was discovered in the KVM implementation for AMD processors, which could result in a memory leak. The security impact of this is unclear.

CVE-2020-12770

    It was discovered that the sg (SCSI generic) driver did not correctly release internal resources in a particular error case. A local user permitted to access an sg device could possibly use this to cause a denial of service (resource exhaustion).

CVE-2020-13143

    Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation.

For the stable distribution (buster), these problems have been fixed in version 4.19.118-2+deb10u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the <linux/swab.h> UAPI header introduced in the previous point release (bug #960271).
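The CVE-2020-0543 entries above make a distinction worth acting on: the kernel update only reports SRBDS under /sys/devices/system/cpu/vulnerabilities/, while the actual fix is the intel-microcode update. The script below is an added example, not part of the advisory or of any Debian tooling: it reads that sysfs directory, flags entries the kernel still reports as "Vulnerable", and separately flags a required entry (srbds by default) that is absent, because a kernel older than this update has no srbds file and silently cannot report on it. The directory is a parameter, and the block builds a constructed sample directory (not captured from a real machine) so it runs without the hardware; the status strings in the sample follow the kernel's sysfs wording.

```python
"""Read the kernel's CPU vulnerability reporting from sysfs.

Added example (not part of the advisory): the kernel update in DSA-4698-1 and
DSA-4699-1 adds *reporting* for SRBDS (CVE-2020-0543); the mitigation itself
comes from the intel-microcode package.  This check lists what the running
kernel reports under /sys/devices/system/cpu/vulnerabilities/, flags entries
still 'Vulnerable', and flags required entries the kernel does not report at
all (an older kernel has no 'srbds' file).
"""
import os
import tempfile
from typing import Dict, List, Tuple

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Map one sysfs status line to 'ok', 'vulnerable' or 'unknown'."""
    s = status.strip()
    if s.startswith("KVM: "):  # itlb_multihit prefixes its verdict with the hypervisor name
        s = s[len("KVM: "):]
    if s.startswith(("Not affected", "Mitigation:")):
        return "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # e.g. 'Unknown: Dependent on hypervisor status'


def read_vulnerabilities(directory: str = SYSFS_VULN_DIR) -> Dict[str, Tuple[str, str]]:
    """Return {entry: (verdict, raw_line)} for every file in the directory."""
    report = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name), encoding="ascii", errors="replace") as fh:
            raw = fh.read().strip()
        report[name] = (classify(raw), raw)
    return report


def assess(report: Dict[str, Tuple[str, str]], required=("srbds",)) -> Tuple[List[str], List[str]]:
    """Entries reported vulnerable, and required entries this kernel does not report."""
    vulnerable = sorted(n for n, (verdict, _) in report.items() if verdict == "vulnerable")
    missing = sorted(n for n in required if n not in report)
    return vulnerable, missing


def build_sample_sysfs() -> str:
    """Constructed sample (not from a real machine): updated kernel, no SRBDS microcode yet."""
    directory = tempfile.mkdtemp(prefix="cpu-vulns-")
    sample = {
        "srbds": "Vulnerable: No microcode\n",
        "mds": "Mitigation: Clear CPU buffers; SMT vulnerable\n",
        "l1tf": "Not affected\n",
        "itlb_multihit": "KVM: Mitigation: Split huge pages\n",
    }
    for name, content in sample.items():
        with open(os.path.join(directory, name), "w", encoding="ascii") as fh:
            fh.write(content)
    return directory


if __name__ == "__main__":
    target = SYSFS_VULN_DIR if os.path.isdir(SYSFS_VULN_DIR) else build_sample_sysfs()
    report = read_vulnerabilities(target)
    vulnerable, missing = assess(report)
    for name in vulnerable:
        print(f"VULNERABLE   {name}: {report[name][1]}")
    for name in missing:
        print(f"NOT REPORTED {name}: kernel predates the update that added this entry")
```

After installing intel-microcode and rebooting, the srbds entry should change from "Vulnerable: No microcode" to a "Mitigation:" line; a kernel that was not updated shows no srbds file at all, which this check reports rather than treating as clean.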
sunrat Posted June 11, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4700-1                   security@debian.org
https://www.debian.org/security/                      Sebastien Delafond
June 11, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-13964 CVE-2020-13965
Debian Bug     : 962123 962124

Matei Badanoiu and LoRexxar@knownsec discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform a Cross-Site Scripting (XSS) attack leading to the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u5.

For the stable distribution (buster), these problems have been fixed in version 1.3.13+dfsg.1-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4701-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 11, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : intel-microcode
CVE ID         : CVE-2020-0543 CVE-2020-0548 CVE-2020-0549

This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for the Special Register Buffer Data Sampling (CVE-2020-0543), Vector Register Sampling (CVE-2020-0548) and L1D Eviction Sampling (CVE-2020-0549) hardware vulnerabilities.

The microcode update for HEDT and Xeon CPUs with signature 0x50654 which was reverted in DSA 4565-2 is now included again with a fixed release.

The upstream update for Skylake-U/Y (signature 0x406e3) had to be excluded from this update due to reported hangs on boot.

For details refer to
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00320.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html

For the oldstable distribution (stretch), these problems have been fixed in version 3.20200609.2~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 3.20200609.2~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4702-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 11, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-12410 CVE-2020-12406 CVE-2020-12405 CVE-2020-12399 CVE-2020-12398

Multiple security issues have been found in Thunderbird which could result in the setup of a non-encrypted IMAP connection, denial of service or potentially the execution of arbitrary code.

For the oldstable distribution (stretch), this problem has been fixed in version 1:68.9.0-1~deb9u1.

For the stable distribution (buster), this problem has been fixed in version 1:68.9.0-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4703-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 11, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mysql-connector-java
CVE ID         : CVE-2020-2875 CVE-2020-2933 CVE-2020-2934

Three vulnerabilities have been found in the MySQL Connector/J JDBC driver.

For the oldstable distribution (stretch), these problems have been fixed in version 5.1.49-0+deb9u1.
sunrat Posted June 16, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4704-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 16, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2020-13428

A vulnerability was discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed video file is opened.

For the oldstable distribution (stretch), this problem has been fixed in version 3.0.11-0+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 3.0.11-0+deb10u1.
sunrat Posted June 19, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4705-1                   security@debian.org
https://www.debian.org/security/                      Sebastien Delafond
June 18, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-django
CVE ID         : CVE-2020-9402 CVE-2020-13254 CVE-2020-13596

It was discovered that Django, a high-level Python web development framework, did not properly sanitize input. This would allow a remote attacker to perform SQL injection attacks, Cross-Site Scripting (XSS) attacks, or leak sensitive information.

For the oldstable distribution (stretch), these problems have been fixed in version 1:1.10.7-2+deb9u9.

For the stable distribution (buster), these problems have been fixed in version 1:1.11.29-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4706-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 18, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : drupal7
CVE ID         : CVE-2020-13663

It was discovered that Drupal, a fully-featured content management framework, was susceptible to cross site request forgery.

For additional information, please refer to the upstream advisory at https://www.drupal.org/sa-core-2020-004

For the oldstable distribution (stretch), this problem has been fixed in version 7.52-2+deb9u11.
sunrat Posted June 20, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4707-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mutt
CVE ID         : CVE-2020-14093

Damian Poddebniak and Fabian Ising discovered two security issues in the STARTTLS handling of the Mutt mail client, which could enable MITM attacks.

For the oldstable distribution (stretch), these problems have been fixed in version 1.7.2-1+deb9u3.

For the stable distribution (buster), these problems have been fixed in version 1.10.1-2.1+deb10u2.
sunrat Posted June 21, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4708-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 21, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : neomutt
CVE ID         : CVE-2020-14093 CVE-2020-14954

Damian Poddebniak and Fabian Ising discovered two security issues in the STARTTLS handling of the Neomutt mail client, which could enable MITM attacks.

For the stable distribution (buster), these problems have been fixed in version 20180716+dfsg.1-1+deb10u1.
sunrat Posted June 24, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4709-1                   security@debian.org
https://www.debian.org/security/                      Sebastien Delafond
June 23, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2020-4046 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 CVE-2020-4050
Debian Bug     : 962685

Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) attacks, create open redirects, escalate privileges, and bypass authorization access.

For the stable distribution (buster), these problems have been fixed in version 5.0.10+dfsg1-0+deb10u1.
sunrat Posted June 27, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4710-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 27, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : trafficserver
CVE ID         : CVE-2020-9494
Debian Bug     : 963629

A vulnerability was discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service via malformed HTTP/2 headers.

For the stable distribution (buster), this problem has been fixed in version 8.0.2+ds-1+deb10u3.
sunrat Posted June 30, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4711-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
June 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : coturn
CVE ID         : CVE-2020-4067 CVE-2020-6061 CVE-2020-6062
Debian Bug     : 951876

Several vulnerabilities were discovered in coturn, a TURN and STUN server for VoIP.

CVE-2020-4067

    Felix Doerre reported that the STUN response buffer was not properly initialised, which could allow an attacker to leak bytes in the padding bytes from the connection of another client.

CVE-2020-6061

    Aleksandar Nikolic reported that a crafted HTTP POST request can lead to information leaks and other misbehavior.

CVE-2020-6062

    Aleksandar Nikolic reported that a crafted HTTP POST request can lead to server crash and denial of service.

For the oldstable distribution (stretch), these problems have been fixed in version 4.5.0.5-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 4.5.1.1-1.1+deb10u1.
sunrat Posted June 30, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4712-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
June 30, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2019-7175 CVE-2019-7395 CVE-2019-7396 CVE-2019-7397 CVE-2019-7398 CVE-2019-10649 CVE-2019-11470 CVE-2019-11472 CVE-2019-11597 CVE-2019-11598 CVE-2019-12974 CVE-2019-12975 CVE-2019-12976 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13135 CVE-2019-13137 CVE-2019-13295 CVE-2019-13297 CVE-2019-13300 CVE-2019-13301 CVE-2019-13304 CVE-2019-13305 CVE-2019-13307 CVE-2019-13308 CVE-2019-13309 CVE-2019-13311 CVE-2019-13454 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 CVE-2019-16708 CVE-2019-16710 CVE-2019-16711 CVE-2019-16713 CVE-2019-19948 CVE-2019-19949

This update fixes multiple vulnerabilities in Imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed image files are processed.

For the stable distribution (buster), these problems have been fixed in version 8:6.9.10.23+dfsg-2.1+deb10u1.
sunrat Posted July 1, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4713-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 01, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420
                 CVE-2020-12421

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.10.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.10.0esr-1~deb10u1.
sunrat Posted July 3, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4714-1                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
July 01, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2020-6423 CVE-2020-6430 CVE-2020-6431 CVE-2020-6432
                 CVE-2020-6433 CVE-2020-6434 CVE-2020-6435 CVE-2020-6436
                 CVE-2020-6437 CVE-2020-6438 CVE-2020-6439 CVE-2020-6440
                 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 CVE-2020-6444
                 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448
                 CVE-2020-6454 CVE-2020-6455 CVE-2020-6456 CVE-2020-6457
                 CVE-2020-6458 CVE-2020-6459 CVE-2020-6460 CVE-2020-6461
                 CVE-2020-6462 CVE-2020-6463 CVE-2020-6464 CVE-2020-6465
                 CVE-2020-6466 CVE-2020-6467 CVE-2020-6468 CVE-2020-6469
                 CVE-2020-6470 CVE-2020-6471 CVE-2020-6472 CVE-2020-6473
                 CVE-2020-6474 CVE-2020-6475 CVE-2020-6476 CVE-2020-6478
                 CVE-2020-6479 CVE-2020-6480 CVE-2020-6481 CVE-2020-6482
                 CVE-2020-6483 CVE-2020-6484 CVE-2020-6485 CVE-2020-6486
                 CVE-2020-6487 CVE-2020-6488 CVE-2020-6489 CVE-2020-6490
                 CVE-2020-6491 CVE-2020-6493 CVE-2020-6494 CVE-2020-6495
                 CVE-2020-6496 CVE-2020-6497 CVE-2020-6498 CVE-2020-6505
                 CVE-2020-6506 CVE-2020-6507 CVE-2020-6509 CVE-2020-6831

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2020-6423

    A use-after-free issue was found in the audio implementation.

CVE-2020-6430

    Avihay Cohen discovered a type confusion issue in the v8 javascript
    library.

CVE-2020-6431

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6432

    Luan Herrera discovered a policy enforcement error.

CVE-2020-6433

    Luan Herrera discovered a policy enforcement error in extensions.

CVE-2020-6434

    HyungSeok Han discovered a use-after-free issue in the developer tools.

CVE-2020-6435

    Sergei Glazunov discovered a policy enforcement error in extensions.
CVE-2020-6436

    Igor Bukanov discovered a use-after-free issue.

CVE-2020-6437

    Jann Horn discovered an implementation error in WebView.

CVE-2020-6438

    Ng Yik Phang discovered a policy enforcement error in extensions.

CVE-2020-6439

    remkoboonstra discovered a policy enforcement error.

CVE-2020-6440

    David Erceg discovered an implementation error in extensions.

CVE-2020-6441

    David Erceg discovered a policy enforcement error.

CVE-2020-6442

    B@rMey discovered an implementation error in the page cache.

CVE-2020-6443

    @lovasoa discovered an implementation error in the developer tools.

CVE-2020-6444

    mlfbrown discovered an uninitialized variable in the WebRTC
    implementation.

CVE-2020-6445

    Jun Kokatsu discovered a policy enforcement error.

CVE-2020-6446

    Jun Kokatsu discovered a policy enforcement error.

CVE-2020-6447

    David Erceg discovered an implementation error in the developer tools.

CVE-2020-6448

    Guang Gong discovered a use-after-free issue in the v8 javascript
    library.

CVE-2020-6454

    Leecraso and Guang Gong discovered a use-after-free issue in
    extensions.

CVE-2020-6455

    Nan Wang and Guang Gong discovered an out-of-bounds read issue in the
    WebSQL implementation.

CVE-2020-6456

    Michał Bentkowski discovered insufficient validation of untrusted
    input.

CVE-2020-6457

    Leecraso and Guang Gong discovered a use-after-free issue in the
    speech recognizer.

CVE-2020-6458

    Aleksandar Nikolic discovered an out-of-bounds read and write issue in
    the pdfium library.

CVE-2020-6459

    Zhe Jin discovered a use-after-free issue in the payments
    implementation.

CVE-2020-6460

    It was discovered that URL formatting was insufficiently validated.

CVE-2020-6461

    Zhe Jin discovered a use-after-free issue.

CVE-2020-6462

    Zhe Jin discovered a use-after-free issue in task scheduling.

CVE-2020-6463

    Pawel Wylecial discovered a use-after-free issue in the ANGLE library.

CVE-2020-6464

    Looben Yang discovered a type confusion issue in Blink/Webkit.

CVE-2020-6465

    Woojin Oh discovered a use-after-free issue.
CVE-2020-6466

    Zhe Jin discovered a use-after-free issue.

CVE-2020-6467

    ZhanJia Song discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2020-6468

    Chris Salls and Jake Corina discovered a type confusion issue in the
    v8 javascript library.

CVE-2020-6469

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6470

    Michał Bentkowski discovered insufficient validation of untrusted
    input.

CVE-2020-6471

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6472

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6473

    Soroush Karami and Panagiotis Ilia discovered a policy enforcement
    error in Blink/Webkit.

CVE-2020-6474

    Zhe Jin discovered a use-after-free issue in Blink/Webkit.

CVE-2020-6475

    Khalil Zhani discovered a user interface error.

CVE-2020-6476

    Alexandre Le Borgne discovered a policy enforcement error.

CVE-2020-6478

    Khalil Zhani discovered an implementation error in full screen mode.

CVE-2020-6479

    Zhong Zhaochen discovered an implementation error.

CVE-2020-6480

    Marvin Witt discovered a policy enforcement error.

CVE-2020-6481

    Rayyan Bijoora discovered a policy enforcement error.

CVE-2020-6482

    Abdulrahman Alqabandi discovered a policy enforcement error in the
    developer tools.

CVE-2020-6483

    Jun Kokatsu discovered a policy enforcement error in payments.

CVE-2020-6484

    Artem Zinenko discovered insufficient validation of user data in the
    ChromeDriver implementation.

CVE-2020-6485

    Sergei Glazunov discovered a policy enforcement error.

CVE-2020-6486

    David Erceg discovered a policy enforcement error.

CVE-2020-6487

    Jun Kokatsu discovered a policy enforcement error.

CVE-2020-6488

    David Erceg discovered a policy enforcement error.

CVE-2020-6489

    @lovasoa discovered an implementation error in the developer tools.

CVE-2020-6490

    Insufficient validation of untrusted data was discovered.

CVE-2020-6491

    Sultan Haikal discovered a user interface error.
CVE-2020-6493

    A use-after-free issue was discovered in the WebAuthentication
    implementation.

CVE-2020-6494

    Juho Nurimen discovered a user interface error.

CVE-2020-6495

    David Erceg discovered a policy enforcement error in the developer
    tools.

CVE-2020-6496

    Khalil Zhani discovered a use-after-free issue in payments.

CVE-2020-6497

    Rayyan Bijoora discovered a policy enforcement issue.

CVE-2020-6498

    Rayyan Bijoora discovered a user interface error.

CVE-2020-6505

    Khalil Zhani discovered a use-after-free issue.

CVE-2020-6506

    Alesandro Ortiz discovered a policy enforcement error.

CVE-2020-6507

    Sergei Glazunov discovered an out-of-bounds write issue in the v8
    javascript library.

CVE-2020-6509

    A use-after-free issue was discovered in extensions.

CVE-2020-6831

    Natalie Silvanovich discovered a buffer overflow issue in the SCTP
    library.

For the oldstable distribution (stretch), security support for chromium
has been discontinued.

For the stable distribution (buster), these problems have been fixed in
version 83.0.4103.116-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4715-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 02, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : imagemagick
CVE ID         : CVE-2019-13300 CVE-2019-13304 CVE-2019-13306 CVE-2019-13307
                 CVE-2019-15140 CVE-2019-19948

This update fixes multiple vulnerabilities in Imagemagick: Various memory
handling problems and cases of missing or incomplete input sanitising may
result in denial of service, memory disclosure or potentially the
execution of arbitrary code if malformed image files are processed.

For the oldstable distribution (stretch), these problems have been fixed
in version 8:6.9.7.4+dfsg-11+deb9u8.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4716-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 02, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : docker.io
CVE ID         : CVE-2020-13401
Debian Bug     : 962141

Etienne Champetier discovered that Docker, a Linux container runtime,
created network bridges which by default accept IPv6 router
advertisements. This could allow an attacker with the CAP_NET_RAW
capability in a container to spoof router advertisements, resulting in
information disclosure or denial of service.

For the stable distribution (buster), this problem has been fixed in
version 18.09.1+dfsg1-7.1+deb10u2.
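A host-side check for the docker.io issue above, added here as an example rather than anything from the advisory or the Docker project: it reads the kernel's accept_ra setting for each Docker-created bridge so an administrator can confirm the bridges no longer accept router advertisements after updating. The SYSCTL_ROOT variable, the audit_accept_ra and docker_bridges function names and the script file name audit_docker_ra.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit Docker-created bridges for
# acceptance of IPv6 router advertisements, the default CVE-2020-13401
# describes. The kernel honours accept_ra=1 only while IPv6 forwarding is
# off on the interface and accept_ra=2 regardless, so anything but 0 is
# reported for review.
#
# SYSCTL_ROOT is an assumption for this example: it lets the check run
# against a constructed tree; on a live host leave the /proc/sys default.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Print "<iface> accept_ra=<value> <ok|WARN|MISSING>" per bridge named on
# the command line; return 0 only when every bridge has accept_ra=0.
audit_accept_ra() {
    rc=0
    for iface in "$@"; do
        f="$SYSCTL_ROOT/net/ipv6/conf/$iface/accept_ra"
        if [ ! -r "$f" ]; then
            echo "$iface accept_ra=? MISSING"
            rc=1
            continue
        fi
        val=$(cat "$f")
        case "$val" in
            0) echo "$iface accept_ra=$val ok" ;;
            *) echo "$iface accept_ra=$val WARN"; rc=1 ;;
        esac
    done
    return $rc
}

# Bridges Docker creates itself are docker0 and br-<12 hex chars of the
# network id>; list them from the running system with iproute2.
docker_bridges() {
    ip -o link show type bridge 2>/dev/null \
        | awk -F': ' '{print $2}' \
        | grep -E '^(docker0|br-[0-9a-f]{12})$'
}

# Run the audit only when executed as audit_docker_ra.sh, so the file can
# also be sourced for testing.
if [ "${0##*/}" = "audit_docker_ra.sh" ]; then
    audit_accept_ra $(docker_bridges)
fi
```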
sunrat Posted July 6, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4714-2                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
July 04, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
Debian Bug     : 964145

The previous update for chromium released as DSA 4714-1 was mistakenly
built without compiler optimizations. This caused high CPU load and
frequent crashes. Updated chromium packages are now available that
correct this issue.

For the oldstable distribution (stretch), security support for chromium
has been discontinued.

For the stable distribution (buster), this problem has been fixed in
version 83.0.4103.116-1~deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4717-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 05, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.0
CVE ID         : CVE-2019-11048 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064
                 CVE-2020-7066 CVE-2020-7067

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in information
disclosure, denial of service or potentially the execution of arbitrary
code.

For the oldstable distribution (stretch), these problems have been fixed
in version 7.0.33-0+deb9u8.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4718-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 05, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420
                 CVE-2020-12421

Multiple security issues have been found in Thunderbird which could
result in denial of service or potentially the execution of arbitrary
code.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.10.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.10.0-1~deb10u1.
sunrat Posted July 6, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4719-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 06, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2019-11048 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064
                 CVE-2020-7065 CVE-2020-7066 CVE-2020-7067

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in information
disclosure, denial of service or potentially the execution of arbitrary
code.

For the stable distribution (buster), these problems have been fixed in
version 7.3.19-1~deb10u1.