
NEW UPDATES Debian

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4676-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652
Debian Bug     : 949222 959684

Several vulnerabilities were discovered in salt, a powerful remote
execution manager, which could result in retrieval of user tokens from
the salt master, execution of arbitrary commands on salt minions,
arbitrary directory access to authenticated users or arbitrary code
execution on salt-api hosts.

For the oldstable distribution (stretch), these problems have been fixed
in version 2016.11.2+ds-1+deb9u3.

For the stable distribution (buster), these problems have been fixed in
version 2018.3.4+dfsg1-6+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4677-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2019-9787 CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 
                 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 
                 CVE-2019-16780 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671 
                 CVE-2019-17672 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675 
                 CVE-2019-20041 CVE-2019-20042 CVE-2019-20043 CVE-2020-11025 
                 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 
                 CVE-2020-11030
Debian Bug     : 924546 939543 942459 946905 959391

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. They allowed remote attackers to perform various Cross-Site
Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create
files on the server, disclose private information, create open
redirects, poison cache, and bypass authorization access and input
sanitation.

For the oldstable distribution (stretch), these problems have been fixed
in version 4.7.5+dfsg-2+deb9u6.

For the stable distribution (buster), these problems have been fixed in
version 5.0.4+dfsg1-1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4678-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 CVE-2020-12395

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or information disclosure.

For the oldstable distribution (stretch), these problems have been fixed
in version 68.8.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 68.8.0esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4679-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : keystone
CVE ID         : not yet available
Debian Bug     : 959900

A vulnerability was found in the EC2 credentials API of Keystone, the
OpenStack identity service: Any user authenticated within a limited
scope (trust/oauth/application credential) could create an EC2 credential
with an escalated permission, such as obtaining "admin" while
the user is on a limited "viewer" role.

For the stable distribution (buster), this problem has been fixed in
version 2:14.2.0-0+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4680-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 06, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2019-10072 CVE-2019-12418 CVE-2019-17563
                 CVE-2019-17569 CVE-2020-1935 CVE-2020-1938

Several vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in HTTP request smuggling, code execution
in the AJP connector (disabled by default in Debian) or a man-in-the-middle
attack against the JMX interface.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u1. The fix for CVE-2020-1938 may require
configuration changes when Tomcat is used with the AJP connector, e.g.
in combination with libapache-mod-jk. For instance the attribute
"secretRequired" is set to true by default now. For affected setups it's
recommended to review https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
before deploying the update.

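The secretRequired change mentioned in the tomcat9 advisory above, as an added illustration that is not part of the advisory, of Debian's packaging or of Tomcat's shipped configuration: the first connector is the pre-9.0.31 style that the new default makes refuse to start, the second satisfies it. The bind address, the secret value and the mod_jk worker name are placeholders.

```xml
<!-- server.xml excerpts (added example, not from the advisory or from Debian).
     Before Tomcat 9.0.31 an AJP connector was commonly declared like this and
     accepted AJP connections from any client without a shared secret: -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- With 9.0.31 secretRequired defaults to true, so the connector above fails
     at startup because no secret is configured. Supplying a secret keeps AJP
     working, and binding to the loopback address limits the connector to the
     local Apache front end (mod_jk / mod_proxy_ajp). Setting
     secretRequired="false" would restore the old behaviour but reopens the
     exposure the advisory describes. address and secret are placeholders. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
           redirectPort="8443" />

<!-- The same secret has to be configured on the Apache side. For
     libapache-mod-jk the matching workers.properties entry is (the worker
     name "ajp13" is a placeholder):
       worker.ajp13.type=ajp13
       worker.ajp13.host=127.0.0.1
       worker.ajp13.port=8009
       worker.ajp13.secret=REPLACE-WITH-A-LONG-RANDOM-SECRET
-->
```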
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4681-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
May 07, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 CVE-2020-3897
                 CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902

The following vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2020-3885

    Ryan Pickren discovered that a file URL may be incorrectly
    processed.

CVE-2020-3894

    Sergei Glazunov discovered that a race condition may allow an
    application to read restricted memory.

CVE-2020-3895

    grigoritchy discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-3897

    Brendan Draper discovered that a remote attacker may be able to
    cause arbitrary code execution.

CVE-2020-3899

    OSS-Fuzz discovered that a remote attacker may be able to cause
    arbitrary code execution.

CVE-2020-3900

    Dongzhuo Zhao discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-3901

    Benjamin Randazzo discovered that processing maliciously crafted
    web content may lead to arbitrary code execution.

CVE-2020-3902

    Yigit Can Yilmaz discovered that processing maliciously crafted
    web content may lead to a cross site scripting attack.

For the stable distribution (buster), these problems have been fixed in
version 2.28.2-2~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4676-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 07, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2020-11651 CVE-2020-11652
Debian Bug     : 959684

The update for salt for the oldstable distribution (stretch) released as
DSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and
CVE-2020-11652. Updated salt packages are now available to correct this
issue. For reference, the original advisory text follows.

Several vulnerabilities were discovered in salt, a powerful remote
execution manager, which could result in retrieval of user tokens from
the salt master, execution of arbitrary commands on salt minions,
arbitrary directory access to authenticated users or arbitrary code
execution on salt-api hosts.

For the oldstable distribution (stretch), these problems have been fixed
in version 2016.11.2+ds-1+deb9u4.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4682-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 08, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12523 
                 CVE-2019-12524 CVE-2019-12526 CVE-2019-12528 CVE-2019-18676 
                 CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2020-8449 
                 CVE-2020-8450 CVE-2020-11945

Multiple security issues were discovered in the Squid proxy caching
server, which could result in the bypass of security filters, information
disclosure, the execution of arbitrary code or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4683-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 08, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 CVE-2020-12395 
                 CVE-2020-12397

Multiple security issues have been found in Thunderbird which could
result in spoofing the displayed sender email address, denial of service
or potentially the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:68.8.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1:68.8.0-1~deb10u1.

sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.4 released                        press@debian.org
May 9th, 2020                  https://www.debian.org/News/2020/20200509
------------------------------------------------------------------------


The Debian project is pleased to announce the fourth update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| apt-cacher-ng [1]         | Enforce secured call to the server in   |
|                           | maintenance job triggering [CVE-2020-   |
|                           | 5202]; allow .zst compression for       |
|                           | tarballs; increase size of the          |
|                           | decompression line buffer for           |
|                           | configuration file reading              |
|                           |                                         |
| backuppc [2]              | Pass the username to start-stop-daemon  |
|                           | when reloading, preventing reload       |
|                           | failures                                |
|                           |                                         |
| base-files [3]            | Update for the point release            |
|                           |                                         |
| brltty [4]                | Reduce severity of log message to avoid |
|                           | generating too many messages when used  |
|                           | with new Orca versions                  |
|                           |                                         |
| checkstyle [5]            | Fix XML External Entity injection issue |
|                           | [CVE-2019-9658 CVE-2019-10782]          |
|                           |                                         |
| choose-mirror [6]         | Update included mirror list             |
|                           |                                         |
| clamav [7]                | New upstream release [CVE-2020-3123]    |
|                           |                                         |
| corosync [8]              | totemsrp: Reduce MTU to avoid           |
|                           | generating oversized packets            |
|                           |                                         |
| corosync-qdevice [9]      | Fix service startup                     |
|                           |                                         |
| csync2 [10]               | Fail HELLO command when SSL is required |
|                           |                                         |
| cups [11]                 | Fix heap buffer overflow [CVE-2020-     |
|                           | 3898] and "the `ippReadIO` function may |
|                           | under-read an extension field"          |
|                           | [CVE-2019-8842]                         |
|                           |                                         |
| dav4tbsync [12]           | New upstream release, restoring         |
|                           | compatibility with newer Thunderbird    |
|                           | versions                                |
|                           |                                         |
| debian-edu-config [13]    | Add policy files for Firefox ESR and    |
|                           | Thunderbird to fix the TLS/SSL setup    |
|                           |                                         |
| debian-installer [14]     | Update for the 4.19.0-9 kernel ABI      |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates        |
| images [15]               |                                         |
|                           |                                         |
| debian-security-          | New upstream stable release; update     |
| support [16]              | status of several packages; use         |
|                           | "runuser" rather than "su"              |
|                           |                                         |
| distro-info-data [17]     | Add Ubuntu 20.10, and likely end of     |
|                           | support date for stretch                |
|                           |                                         |
| dojo [18]                 | Fix improper regular expression usage   |
|                           | [CVE-2019-10785]                        |
|                           |                                         |
| dpdk [19]                 | New upstream stable release             |
|                           |                                         |
| dtv-scan-tables [20]      | New upstream snapshot; add all current  |
|                           | German DVB-T2 muxes and the Eutelsat-5- |
|                           | West-A satellite                        |
|                           |                                         |
| eas4tbsync [21]           | New upstream release, restoring         |
|                           | compatibility with newer Thunderbird    |
|                           | versions                                |
|                           |                                         |
| edk2 [22]                 | Security fixes [CVE-2019-14558          |
|                           | CVE-2019-14559 CVE-2019-14563 CVE-2019- |
|                           | 14575 CVE-2019-14586 CVE-2019-14587]    |
|                           |                                         |
| el-api [23]               | Fix stretch to buster upgrades that     |
|                           | involve Tomcat 8                        |
|                           |                                         |
| fex [24]                  | Fix a potential security issue in       |
|                           | fexsrv                                  |
|                           |                                         |
| filezilla [25]            | Fix untrusted search path vulnerability |
|                           | [CVE-2019-5429]                         |
|                           |                                         |
| frr [26]                  | Fix extended next hop capability        |
|                           |                                         |
| fuse [27]                 | Remove outdated udevadm commands from   |
|                           | post-install scripts; don't explicitly  |
|                           | remove fuse.conf on purge               |
|                           |                                         |
| fuse3 [28]                | Remove outdated udevadm commands from   |
|                           | post-install scripts; don't explicitly  |
|                           | remove fuse.conf on purge; fix memory   |
|                           | leak in fuse_session_new()              |
|                           |                                         |
| golang-github-prometheus- | Extend validity of test certificates    |
| common [29]               |                                         |
|                           |                                         |
| gosa [30]                 | Replace (un)serialize with json_encode/ |
|                           | json_decode to mitigate PHP object      |
|                           | injection [CVE-2019-14466]              |
|                           |                                         |
| hbci4java [31]            | Support EU directive on payment         |
|                           | services (PSD2)                         |
|                           |                                         |
| hibiscus [32]             | Support EU directive on payment         |
|                           | services (PSD2)                         |
|                           |                                         |
| iputils [33]              | Correct an issue in which ping would    |
|                           | improperly exit with a failure code     |
|                           | when there were untried addresses still |
|                           | available in the getaddrinfo() library  |
|                           | call return value                       |
|                           |                                         |
| ircd-hybrid [34]          | Use dhparam.pem to avoid crash on       |
|                           | startup                                 |
|                           |                                         |
| jekyll [35]               | Allow use of ruby-i18n 0.x and 1.x      |
|                           |                                         |
| jsp-api [36]              | Fix stretch to buster upgrades that     |
|                           | involve Tomcat 8                        |
|                           |                                         |
| lemonldap-ng [37]         | Prevent unwanted access to              |
|                           | administration endpoints [CVE-2019-     |
|                           | 19791]; fix the GrantSession plugin     |
|                           | which could not prohibit logon when two |
|                           | factor authentication was used; fix     |
|                           | arbitrary redirects with OIDC if        |
|                           | redirect_uri was not used               |
|                           |                                         |
| libdatetime-timezone-     | Update included data                    |
| perl [38]                 |                                         |
|                           |                                         |
| libreoffice [39]          | Fix OpenGL slide transitions            |
|                           |                                         |
| libssh [40]               | Fix possible denial of service issue    |
|                           | when handling AES-CTR keys with OpenSSL |
|                           | [CVE-2020-1730]                         |
|                           |                                         |
| libvncserver [41]         | Fix heap overflow [CVE-2019-15690]      |
|                           |                                         |
| linux [42]                | New upstream stable release             |
|                           |                                         |
| linux-latest [43]         | Update kernel ABI to 4.19.0-9           |
|                           |                                         |
| linux-signed-amd64 [44]   | New upstream stable release             |
|                           |                                         |
| linux-signed-arm64 [45]   | New upstream stable release             |
|                           |                                         |
| linux-signed-i386 [46]    | New upstream stable release             |
|                           |                                         |
| lwip [47]                 | Fix buffer overflow [CVE-2020-8597]     |
|                           |                                         |
| lxc-templates [48]        | New upstream stable release; handle     |
|                           | languages that are only UTF-8 encoded   |
|                           |                                         |
| manila [49]               | Fix missing access permissions check    |
|                           | [CVE-2020-9543]                         |
|                           |                                         |
| megatools [50]            | Add support for the new format of       |
|                           | mega.nz links                           |
|                           |                                         |
| mew [51]                  | Fix server SSL certificate validity     |
|                           | checking                                |
|                           |                                         |
| mew-beta [52]             | Fix server SSL certificate validity     |
|                           | checking                                |
|                           |                                         |
| mkvtoolnix [53]           | Rebuild to tighten libmatroska6v5       |
|                           | dependency                              |
|                           |                                         |
| ncbi-blast+ [54]          | Disable SSE4.2 support                  |
|                           |                                         |
| node-anymatch [55]        | Remove unnecessary dependencies         |
|                           |                                         |
| node-dot [56]             | Prevent code execution after prototype  |
|                           | pollution [CVE-2020-8141]               |
|                           |                                         |
| node-dot-prop [57]        | Fix prototype pollution [CVE-2020-8116] |
|                           |                                         |
| node-knockout [58]        | Fix escaping with older Internet        |
|                           | Explorer versions [CVE-2019-14862]      |
|                           |                                         |
| node-mongodb [59]         | Reject invalid _bsontypes [CVE-2019-    |
|                           | 2391 CVE-2020-7610]                     |
|                           |                                         |
| node-yargs-parser [60]    | Fix prototype pollution [CVE-2020-7608] |
|                           |                                         |
| npm [61]                  | Fix arbitrary path access [CVE-2019-    |
|                           | 16775 CVE-2019-16776 CVE-2019-16777]    |
|                           |                                         |
| nvidia-graphics-          | New upstream stable release             |
| drivers [62]              |                                         |
|                           |                                         |
| nvidia-graphics-drivers-  | New upstream stable release             |
| legacy-390xx [63]         |                                         |
|                           |                                         |
| nvidia-settings-          | New upstream release                    |
| legacy-340xx [64]         |                                         |
|                           |                                         |
| oar [65]                  | Revert to stretch behavior for          |
|                           | Storable::dclone perl function, fixing  |
|                           | recursion depth issues                  |
|                           |                                         |
| opam [66]                 | Prefer mccs over aspcud                 |
|                           |                                         |
| openvswitch [67]          | Fix vswitchd abort when a port is added |
|                           | and the controller is down              |
|                           |                                         |
| orocos-kdl [68]           | Fix string conversion with Python 3     |
|                           |                                         |
| owfs [69]                 | Remove broken Python 3 packages         |
|                           |                                         |
| pango1.0 [70]             | Fix crash in                            |
|                           | pango_fc_font_key_get_variations() when |
|                           | key is null                             |
|                           |                                         |
| pgcli [71]                | Add missing dependency on python3-pkg-  |
|                           | resources                               |
|                           |                                         |
| php-horde-data [72]       | Fix authenticated remote code execution |
|                           | vulnerability [CVE-2020-8518]           |
|                           |                                         |
| php-horde-form [73]       | Fix authenticated remote code execution |
|                           | vulnerability [CVE-2020-8866]           |
|                           |                                         |
| php-horde-trean [74]      | Fix authenticated remote code execution |
|                           | vulnerability [CVE-2020-8865]           |
|                           |                                         |
| postfix [75]              | New upstream stable release; fix panic  |
|                           | with Postfix multi-Milter configuration |
|                           | during MAIL FROM; fix d/init.d running  |
|                           | change so it works with multi-instance  |
|                           | again                                   |
|                           |                                         |
| proftpd-dfsg [76]         | Fix memory access issue in keyboard-    |
|                           | interactive code in mod_sftp; properly  |
|                           | handle DEBUG, IGNORE, DISCONNECT, and   |
|                           | UNIMPLEMENTED messages in keyboard-     |
|                           | interactive mode                        |
|                           |                                         |
| puma [77]                 | Fix Denial of Service issue [CVE-2019-  |
|                           | 16770]                                  |
|                           |                                         |
| purple-discord [78]       | Fix crashes in ssl_nss_read             |
|                           |                                         |
| python-oslo.utils [79]    | Fix leak of sensitive information via   |
|                           | mistral logs [CVE-2019-3866]            |
|                           |                                         |
| rails [80]                | Fix possible cross-site scripting via   |
|                           | Javascript escape helper [CVE-2020-     |
|                           | 5267]                                   |
|                           |                                         |
| rake [81]                 | Fix command injection vulnerability     |
|                           | [CVE-2020-8130]                         |
|                           |                                         |
| raspi3-firmware [82]      | Fix dtb names mismatch in z50-raspi-    |
|                           | firmware; fix boot on Raspberry Pi      |
|                           | families 1 and 0                        |
|                           |                                         |
| resource-agents [83]      | Fix "ethmonitor does not list           |
|                           | interfaces without assigned IP          |
|                           | address"; remove no longer required     |
|                           | xen-toolstack patch; fix non-standard   |
|                           | usage in ZFS agent                      |
|                           |                                         |
| rootskel [84]             | Disable multiple console support if     |
|                           | preseeding is in use                    |
|                           |                                         |
| ruby-i18n [85]            | Fix gemspec generation                  |
|                           |                                         |
| rubygems-integration [86] | Avoid deprecation warnings when users   |
|                           | install a newer version of Rubygems via |
|                           | "gem update --system"                   |
|                           |                                         |
| schleuder [87]            | Improve patch to handle encoding errors |
|                           | introduced in the previous version;     |
|                           | switch default encoding to UTF-8; let   |
|                           | x-add-key handle mails with attached,   |
|                           | quoted-printable encoded keys; fix x-   |
|                           | attach-listkey with mails created by    |
|                           | Thunderbird that include protected      |
|                           | headers                                 |
|                           |                                         |
| scilab [88]               | Fix library loading with OpenJDK 11.0.7 |
|                           |                                         |
| serverspec-runner [89]    | Support Ruby 2.5                        |
|                           |                                         |
| softflowd [90]            | Fix broken flow aggregation which might |
|                           | result in flow table overflow and 100%  |
|                           | CPU usage                               |
|                           |                                         |
| speech-dispatcher [91]    | Fix default pulseaudio latency which    |
|                           | triggers "scratchy" output              |
|                           |                                         |
| spl-linux [92]            | Fix deadlock                            |
|                           |                                         |
| sssd [93]                 | Fix sssd_be busy-looping when LDAP      |
|                           | connection is intermittent              |
|                           |                                         |
| systemd [94]              | when authorizing via PolicyKit re-      |
|                           | resolve callback/userdata instead of    |
|                           | caching it [CVE-2020-1712]; install 60- |
|                           | block.rules in udev-udeb and initramfs- |
|                           | tools                                   |
|                           |                                         |
| taglib [95]               | Fix corruption issues with OGG files    |
|                           |                                         |
| tbsync [96]               | New upstream release, restoring         |
|                           | compatibility with newer Thunderbird    |
|                           | versions                                |
|                           |                                         |
| timeshift [97]            | Fix predictable temporary directory use |
|                           | [CVE-2020-10174]                        |
|                           |                                         |
| tinyproxy [98]            | Only set PIDDIR, if PIDFILE is a non-   |
|                           | zero length string                      |
|                           |                                         |
| tzdata [99]               | New upstream stable release             |
|                           |                                         |
| uim [100]                 | unregister modules that are not         |
|                           | installed, fixing a regression in the   |
|                           | previous upload                         |
|                           |                                         |
| user-mode-linux [101]     | Fix build failure with current stable   |
|                           | kernels                                 |
|                           |                                         |
| vite [102]                | Fix crash when there are more than 32   |
|                           | elements                                |
|                           |                                         |
| waagent [103]             | New upstream release; support co-       |
|                           | installation with cloud-init            |
|                           |                                         |
| websocket-api [104]       | Fix stretch to buster upgrades that     |
|                           | involve Tomcat 8                        |
|                           |                                         |
| wpa [105]                 | Do not try to detect PSK mismatch       |
|                           | during PTK rekeying; check for FT       |
|                           | support when selecting FT suites; fix   |
|                           | MAC randomisation issue with some cards |
|                           |                                         |
| xdg-utils [106]           | xdg-open: fix pcmanfm check and         |
|                           | handling of directories with spaces in  |
|                           | their names; xdg-screensaver: Sanitise  |
|                           | window name before sending it over D-   |
|                           | Bus; xdg-mime: Create config directory  |
|                           | if it does not exist yet                |
|                           |                                         |
| xtrlock [107]             | Fix blocking of (some) multitouch       |
|                           | devices while locked [CVE-2016-10894]   |
|                           |                                         |
| zfs-linux [108]           | Fix potential deadlock issues           |
|                           |                                         |
+---------------------------+-----------------------------------------+

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+-----------------------------+
| Advisory ID    | Package                     |
+----------------+-----------------------------+
| DSA-4616 [109] | qemu [110]                  |
|                |                             |
| DSA-4617 [111] | qtbase-opensource-src [112] |
|                |                             |
| DSA-4618 [113] | libexif [114]               |
|                |                             |
| DSA-4619 [115] | libxmlrpc3-java [116]       |
|                |                             |
| DSA-4620 [117] | firefox-esr [118]           |
|                |                             |
| DSA-4623 [119] | postgresql-11 [120]         |
|                |                             |
| DSA-4624 [121] | evince [122]                |
|                |                             |
| DSA-4625 [123] | thunderbird [124]           |
|                |                             |
| DSA-4627 [125] | webkit2gtk [126]            |
|                |                             |
| DSA-4629 [127] | python-django [128]         |
|                |                             |
| DSA-4630 [129] | python-pysaml2 [130]        |
|                |                             |
| DSA-4631 [131] | pillow [132]                |
|                |                             |
| DSA-4632 [133] | ppp [134]                   |
|                |                             |
| DSA-4633 [135] | curl [136]                  |
|                |                             |
| DSA-4634 [137] | opensmtpd [138]             |
|                |                             |
| DSA-4635 [139] | proftpd-dfsg [140]          |
|                |                             |
| DSA-4636 [141] | python-bleach [142]         |
|                |                             |
| DSA-4637 [143] | network-manager-ssh [144]   |
|                |                             |
| DSA-4638 [145] | chromium [146]              |
|                |                             |
| DSA-4639 [147] | firefox-esr [148]           |
|                |                             |
| DSA-4640 [149] | graphicsmagick [150]        |
|                |                             |
| DSA-4641 [151] | webkit2gtk [152]            |
|                |                             |
| DSA-4642 [153] | thunderbird [154]           |
|                |                             |
| DSA-4643 [155] | python-bleach [156]         |
|                |                             |
| DSA-4644 [157] | tor [158]                   |
|                |                             |
| DSA-4645 [159] | chromium [160]              |
|                |                             |
| DSA-4646 [161] | icu [162]                   |
|                |                             |
| DSA-4647 [163] | bluez [164]                 |
|                |                             |
| DSA-4648 [165] | libpam-krb5 [166]           |
|                |                             |
| DSA-4649 [167] | haproxy [168]               |
|                |                             |
| DSA-4650 [169] | qbittorrent [170]           |
|                |                             |
| DSA-4651 [171] | mediawiki [172]             |
|                |                             |
| DSA-4652 [173] | gnutls28 [174]              |
|                |                             |
| DSA-4653 [175] | firefox-esr [176]           |
|                |                             |
| DSA-4654 [177] | chromium [178]              |
|                |                             |
| DSA-4655 [179] | firefox-esr [180]           |
|                |                             |
| DSA-4656 [181] | thunderbird [182]           |
|                |                             |
| DSA-4657 [183] | git [184]                   |
|                |                             |
| DSA-4658 [185] | webkit2gtk [186]            |
|                |                             |
| DSA-4659 [187] | git [188]                   |
|                |                             |
| DSA-4660 [189] | awl [190]                   |
|                |                             |
| DSA-4661 [191] | openssl [192]               |
|                |                             |
| DSA-4663 [193] | python-reportlab [194]      |
|                |                             |
| DSA-4664 [195] | mailman [196]               |
|                |                             |
| DSA-4665 [197] | qemu [198]                  |
|                |                             |
| DSA-4666 [199] | openldap [200]              |
|                |                             |
| DSA-4667 [201] | linux-signed-amd64 [202]    |
|                |                             |
| DSA-4667 [203] | linux-signed-arm64 [204]    |
|                |                             |
| DSA-4667 [205] | linux-signed-i386 [206]     |
|                |                             |
| DSA-4667 [207] | linux [208]                 |
|                |                             |
| DSA-4669 [209] | nodejs [210]                |
|                |                             |
| DSA-4671 [211] | vlc [212]                   |
|                |                             |
| DSA-4672 [213] | trafficserver [214]         |
|                |                             |
+----------------+-----------------------------+

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-------------------------+--------------------------------------------+
| Package                 | Reason                                     |
+-------------------------+--------------------------------------------+
| getlive [215]           | Broken due to Hotmail changes              |
|                         |                                            |
| gplaycli [216]          | Broken by Google API changes               |
|                         |                                            |
| kerneloops [217]        | Upstream service no longer available       |
|                         |                                            |
| lambda-align2 [218]     | [arm64 armel armhf i386 mips64el ppc64el   |
|                         | s390x] Broken on non-amd64 architectures   |
|                         |                                            |
| libmicrodns [219]       | Security issues                            |
|                         |                                            |
| libperlspeak-perl [220] | Security issues; unmaintained              |
|                         |                                            |
| quotecolors [221]       | Incompatible with newer Thunderbird        |
|                         | versions                                   |
|                         |                                            |
| torbirdy [222]          | Incompatible with newer Thunderbird        |
|                         | versions                                   |
|                         |                                            |
| ugene [223]             | Non-free; fails to build                   |
|                         |                                            |
| yahoo2mbox [224]        | Broken for several years                   |
|                         |                                            |
+-------------------------+--------------------------------------------+

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/


sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4684-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 13, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreswan
CVE ID         : CVE-2020-1763
Debian Bug     : 960458

Stephan Zeisberg discovered that the libreswan IPsec implementation
could be forced into a crash/restart via a malformed IKEv1 Informational
Exchange packet, resulting in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 3.27-6+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4685-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 14, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apt
CVE ID         : CVE-2020-3810

Shuaibing Lu discovered that missing input validation in the ar/tar
implementations of APT, the high level package manager, could result in
denial of service when processing specially crafted deb files.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.4.10.

For the stable distribution (buster), this problem has been fixed in
version 1.8.2.1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4686-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 16, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache-log4j1.2
CVE ID         : CVE-2019-17571
Debian Bug     : 947124

It was discovered that the SocketServer class included in
apache-log4j1.2, a logging library for java, is vulnerable to
deserialization of untrusted data. An attacker can take advantage of
this flaw to execute arbitrary code in the context of the logger
application by sending a specially crafted log event.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.2.17-7+deb9u1.

For the stable distribution (buster), this problem has been fixed in
version 1.2.17-8+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4687-1                   security@debian.org
https://www.debian.org/security/                           Florian Weimer
May 16, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2020-12783

It was discovered that exim4, a mail transport agent, suffers from an
authentication bypass vulnerability in the spa authentication driver.
The spa authentication driver is not enabled by default.

For the oldstable distribution (stretch), this problem has been fixed
in version 4.89-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in
version 4.92-8+deb10u4.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4688-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 18, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dpdk
CVE ID         : CVE-2020-10722 CVE-2020-10723 CVE-2020-10724

Multiple vulnerabilities were discovered in the vhost code of DPDK,
a set of libraries for fast packet processing, which could result
in denial of service or the execution of arbitrary code by malicious
guests/containers.

For the oldstable distribution (stretch), these problems have been fixed
in version 16.11.11-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in
version 18.11.6-1~deb10u2.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4689-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 19, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2019-6477 CVE-2020-8616 CVE-2020-8617
Debian Bug     : 945171

Several vulnerabilities were discovered in BIND, a DNS server
implementation.

CVE-2019-6477

    It was discovered that TCP-pipelined queries can bypass tcp-client
    limits resulting in denial of service.

CVE-2020-8616

    It was discovered that BIND does not sufficiently limit the number
    of fetches performed when processing referrals. An attacker can take
    advantage of this flaw to cause a denial of service (performance
    degradation) or use the recursing server in a reflection attack with
    a high amplification factor.

CVE-2020-8617

    It was discovered that a logic error in the code which checks TSIG
    validity can be used to trigger an assertion failure, resulting in
    denial of service.

For the oldstable distribution (stretch), these problems have been fixed
in version 1:9.10.3.dfsg.P4-12.3+deb9u6.

For the stable distribution (buster), these problems have been fixed in
version 1:9.11.5.P4+dfsg-5.1+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4690-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 20, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2020-10957 CVE-2020-10958 CVE-2020-10967
Debian Bug     : 960963

Several vulnerabilities were discovered in the Dovecot email server,
which could cause crashes in the submission, submission-login or lmtp
services, resulting in denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:2.3.4.1-5+deb10u2.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4691-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 21, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pdns-recursor
CVE ID         : CVE-2020-10955 CVE-2020-12244

Two vulnerabilities have been discovered in PDNS Recursor, a resolving
name server; a traffic amplification attack against third party
authoritative name servers (NXNSAttack) and insufficient validation of
NXDOMAIN responses lacking an SOA.

The version of pdns-recursor in the oldstable distribution (stretch) is
no longer supported. If these security issues affect your setup, you
should upgrade to the stable distribution (buster).

For the stable distribution (buster), these problems have been fixed in
version 4.1.11-1+deb10u1.

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4692-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 24, 2020                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : netqmail
CVE ID         : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811
                 CVE-2020-3812
Debian Bug     : 961060

Georgi Guninski and the Qualys Research Labs discovered multiple
vulnerabilities in qmail (shipped in Debian as netqmail with additional
patches) which could result in the execution of arbitrary code, bypass
of mail address verification and a local information leak whether a file
exists or not.

For the oldstable distribution (stretch), these problems have been fixed
in version 1.06-6.2~deb9u1.

For the stable distribution (buster), these problems have been fixed in
version 1.06-6.2~deb10u1.

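Every advisory in this thread ends with a "fixed in version ..." line, and the practical question for an admin is whether the installed package is at or above that version under dpkg's ordering rules (epoch before upstream before Debian revision, "~" sorting before everything, "+deb10u1" sorting after the plain revision). The script below is an added example, not code from Debian or the Security Team: it implements dpkg's version comparison and checks a list of installed packages against the buster fixed versions quoted in DSA-4684 through DSA-4692 above. It goes beyond the specific advisories in that the comparison is the general dpkg algorithm, so the same code works for the stretch versions or any other DSA. The installed-package sample is constructed; on a real host you would feed it the output of `dpkg-query -W -f='${source:Package} ${Package} ${Version}\n'` (the binary package names in the sample are assumptions for illustration).

```python
"""Check installed Debian package versions against DSA fixed versions using
dpkg's version-ordering rules.  Added example, not Debian's code."""

# Fixed versions for buster as quoted in DSA-4684 .. DSA-4692, keyed by source package.
BUSTER_FIXED = {
    "libreswan": "3.27-6+deb10u1",
    "apt": "1.8.2.1",
    "apache-log4j1.2": "1.2.17-8+deb10u1",
    "exim4": "4.92-8+deb10u4",
    "dpdk": "18.11.6-1~deb10u2",
    "bind9": "1:9.11.5.P4+dfsg-5.1+deb10u1",
    "dovecot": "1:2.3.4.1-5+deb10u2",
    "pdns-recursor": "4.1.11-1+deb10u1",
    "netqmail": "1.06-6.2~deb10u1",
}

# Constructed sample in the shape of
#   dpkg-query -W -f='${source:Package} ${Package} ${Version}\n'
# Binary package names here are assumed for illustration.
SAMPLE_DPKG_OUTPUT = """\
libreswan libreswan 3.27-6
apt apt 1.8.2
apache-log4j1.2 liblog4j1.2-java 1.2.17-8+deb10u1
exim4 exim4-base 4.92-8+deb10u3
bind9 bind9 1:9.11.5.P4+dfsg-5.1+deb10u1
dovecot dovecot-core 1:2.3.4.1-5+deb10u1
netqmail qmail 1.06-6.2~deb10u1
"""


def _order(c):
    """dpkg's character weight for non-digit runs: '~' sorts before everything
    (even end of string), letters before non-letters, end of string is 0."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit runs (by weight) and digit runs
    (numerically, leading zeros ignored)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if first_diff == 0:
                first_diff = int(a[0]) - int(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():  # longer digit run is the larger number
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' the way dpkg does (last '-' wins)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no '-' present: rpartition left everything in `revision`
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 in the same order as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def audit(dpkg_output, fixed_versions):
    """Map each source package in `fixed_versions` to 'vulnerable', 'fixed' or
    'not installed'.  One installed binary below the fixed version is enough
    to mark the whole source package vulnerable."""
    installed = {}
    for line in dpkg_output.splitlines():
        if line.strip():
            source, _binary, version = line.split()
            installed.setdefault(source, []).append(version)
    report = {}
    for source, fixed in fixed_versions.items():
        versions = installed.get(source)
        if not versions:
            report[source] = "not installed"
        elif any(compare_versions(v, fixed) < 0 for v in versions):
            report[source] = "vulnerable"
        else:
            report[source] = "fixed"
    return report


if __name__ == "__main__":
    for source, status in sorted(audit(SAMPLE_DPKG_OUTPUT, BUSTER_FIXED).items()):
        print(f"{source:18} {status}")
```

Two caveats when using this for real: a version that sorts above the fixed one only proves you are past the advisory's version string, not that the package came from security.debian.org (a locally rebuilt or backported package may carry a higher version without the fix), and a package listed as "not installed" still needs its source-package name checked against `${source:Package}`, since the binary name (liblog4j1.2-java, exim4-base, dovecot-core) often differs from the source name the DSA uses.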