sunrat Posted July 8, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4720-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-15562
Debian Bug     : 964355

It was discovered that roundcube, a skinnable AJAX based webmail solution
for IMAP servers, did not properly sanitize incoming mail messages. This
would allow a remote attacker to perform a Cross-Site Scripting (XSS)
attack.

For the stable distribution (buster), this problem has been fixed in
version 1.3.14+dfsg.1-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4721-1                   security@debian.org
https://www.debian.org/security/                    Salvatore Bonaccorso
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.5
CVE ID         : CVE-2020-10663 CVE-2020-10933

Several vulnerabilities have been discovered in the interpreter for the
Ruby language.

CVE-2020-10663

    Jeremy Evans reported an unsafe object creation vulnerability in the
    json gem bundled with Ruby. When parsing certain JSON documents, the
    json gem can be coerced into creating arbitrary objects in the target
    system.

CVE-2020-10933

    Samuel Williams reported a flaw in the socket library which may lead
    to exposure of possibly sensitive data from the interpreter.

For the stable distribution (buster), these problems have been fixed in
version 2.5.5-3+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4722-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2019-13390 CVE-2019-17539 CVE-2019-17542 CVE-2020-12284
                 CVE-2020-13904

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (buster), these problems have been fixed in
version 7:4.1.6-1~deb10u1.
sunrat Posted July 9, 2020

------------------------------------------------------------------------
The Debian Project                                 https://www.debian.org/
Debian 8 Long Term Support reaching end-of-life          press@debian.org
July 9th, 2020                  https://www.debian.org/News/2020/20200709
------------------------------------------------------------------------

The Debian Long Term Support (LTS) Team hereby announces that Debian 8
"jessie" support has reached its end-of-life on June 30, 2020, five years
after its initial release on April 26, 2015.

Debian will not provide further security updates for Debian 8. A subset
of "jessie" packages will be supported by external parties. Detailed
information can be found at Extended LTS [1].

1: https://wiki.debian.org/LTS/Extended

The LTS Team will prepare the transition to Debian 9 "stretch", which is
the current oldstable release. The LTS Team has taken over support from
the Security Team on July 6, 2020 while the final point update for
"stretch" will be released on July 18, 2020.

Debian 9 will also receive Long Term Support for five years after its
initial release with support ending on June 30, 2022. The supported
architectures remain amd64, i386, armel and armhf. In addition we are
pleased to announce, for the first time support will be extended to
include the arm64 architecture.

For further information about using "stretch" LTS and upgrading from
"jessie" LTS, please refer to LTS/Using [2].

2: https://wiki.debian.org/LTS/Using
sunrat Posted July 12, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4723-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 12, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742
                 CVE-2020-11743 CVE-2020-15563 CVE-2020-15564 CVE-2020-15565
                 CVE-2020-15566 CVE-2020-15567

Multiple vulnerabilities have been discovered in the Xen hypervisor, which
could result in denial of service, guest-to-host privilege escalation or
information leaks.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+24-gddaaccbbab-1~deb10u1.
sunrat Posted July 14, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4714-3                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
July 13, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
Debian Bug     : 963548

The previous update for chromium released as DSA 4714-2 contained a flaw
in the service worker implementation. This problem causes the browser to
crash when a connection error occurs. Updated chromium packages are now
available that correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 83.0.4103.116-1~deb10u3.
sunrat Posted July 15, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4724-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
July 15, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806
                 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-13753

The following vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2020-9802

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-9803

    Wen Xu discovered that processing maliciously crafted web content may
    lead to arbitrary code execution.

CVE-2020-9805

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

CVE-2020-9806

    Wen Xu discovered that processing maliciously crafted web content may
    lead to arbitrary code execution.

CVE-2020-9807

    Wen Xu discovered that processing maliciously crafted web content may
    lead to arbitrary code execution.

CVE-2020-9843

    Ryan Pickren discovered that processing maliciously crafted web
    content may lead to a cross site scripting attack.

CVE-2020-9850

    @jinmo123, @setuid0x0_, and @insu_yun_en discovered that a remote
    attacker may be able to cause arbitrary code execution.

CVE-2020-13753

    Milan Crha discovered that an attacker may be able to execute
    commands outside the bubblewrap sandbox.

For the stable distribution (buster), these problems have been fixed in
version 2.28.3-2~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4725-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 15, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : evolution-data-server
CVE ID         : CVE-2020-14928

Damian Poddebniak and Fabian Ising discovered a response injection
vulnerability in Evolution data server, which could enable MITM attacks.

For the stable distribution (buster), this problem has been fixed in
version 3.30.5-1+deb10u1.
sunrat Posted July 17, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4726-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
CVE ID         : CVE-2019-17006 CVE-2019-17023 CVE-2020-12399 CVE-2020-12402

Several vulnerabilities were discovered in NSS, a set of cryptographic
libraries, which may result in side channel/timing attacks or denial of
service.

For the stable distribution (buster), these problems have been fixed in
version 2:3.42.1-1+deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4727-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2020-9484 CVE-2020-11996 CVE-2020-13934 CVE-2020-13935

Several vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in code execution or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u2.
sunrat Posted July 18, 2020

------------------------------------------------------------------------
The Debian Project                                 https://www.debian.org/
Updated Debian 9: 9.13 released                          press@debian.org
July 18th, 2020                 https://www.debian.org/News/2020/20200718
------------------------------------------------------------------------

The Debian project is pleased to announce the thirteenth (and final)
update of its oldstable distribution Debian 9 (codename "stretch"). This
point release mainly adds corrections for security issues, along with a
few adjustments for serious problems. Security advisories have already
been published separately and are referenced where available.

After this point release, Debian's Security and Release Teams will no
longer be producing updates for Debian 9. Users wishing to continue to
receive security support should upgrade to Debian 10, or see
https://wiki.debian.org/LTS for details about the subset of
architectures and packages covered by the Long Term Support project.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

Package | Reason
------- | ------
acmetool [1] | Rebuild against recent golang to pick up security fixes
atril [2] | dvi: Mitigate command injection attacks by quoting filename [CVE-2017-1000159]; fix overflow checks in tiff backend [CVE-2019-1010006]; tiff: Handle failure from TIFFReadRGBAImageOriented [CVE-2019-11459]
bacula [3] | Add transitional package bacula-director-common, avoiding loss of /etc/bacula/bacula-dir.conf when purged; make PID files owned by root
base-files [4] | Update /etc/debian_version for the point release
batik [5] | Fix server-side request forgery via xlink:href attributes [CVE-2019-17566]
c-icap-modules [6] | Support ClamAV 0.102
ca-certificates [7] | Update Mozilla CA bundle to 2.40, blacklist distrusted Symantec roots and expired "AddTrust External Root"; remove e-mail only certificates
chasquid [8] | Rebuild against recent golang to pick up security fixes
checkstyle [9] | Fix XML External Entity injection issue [CVE-2019-9658 CVE-2019-10782]
clamav [10] | New upstream release [CVE-2020-3123]; security fixes [CVE-2020-3327 CVE-2020-3341]
compactheader [11] | New upstream version, compatible with newer Thunderbird versions
cram [12] | Ignore test failures to fix build issues
csync2 [13] | Fail HELLO command when SSL is required
cups [14] | Fix heap buffer overflow [CVE-2020-3898] and "the `ippReadIO` function may under-read an extension field" [CVE-2019-8842]
dbus [15] | New upstream stable release; prevent a denial of service issue [CVE-2020-12049]; prevent use-after-free if two usernames share a uid
debian-installer [16] | Update for the 4.9.0-13 Linux kernel ABI
debian-installer-netboot-images [17] | Rebuild against stretch-proposed-updates
debian-security-support [18] | Update support status of several packages
erlang [19] | Fix use of weak TLS ciphers [CVE-2020-12872]
exiv2 [20] | Fix denial of service issue [CVE-2018-16336]; fix over-restrictive fix for CVE-2018-10958 and CVE-2018-10999
fex [21] | Security update
file-roller [22] | Security fix [CVE-2020-11736]
fwupd [23] | New upstream release; use a CNAME to redirect to the correct CDN for metadata; do not abort startup if the XML metadata file is invalid; add the Linux Foundation public GPG keys for firmware and metadata; raise the metadata limit to 10MB
glib-networking [24] | Return bad identity error if identity is unset [CVE-2020-13645]
gnutls28 [25] | Fix memory corruption issue [CVE-2019-3829]; fix memory leak; add support for zero length session tickets, fix connection errors on TLS1.2 sessions to some hosting providers
gosa [26] | Tighten check on LDAP success/failure [CVE-2019-11187]; fix compatibility with newer PHP versions; backport several other patches; replace (un)serialize with json_encode/json_decode to mitigate PHP object injection [CVE-2019-14466]
heartbleeder [27] | Rebuild against recent golang to pick up security fixes
intel-microcode [28] | Downgrade some microcodes to previously released revisions, working around hangs on boot on Skylake-U/Y and Skylake Xeon E3
iptables-persistent [29] | Don't fail if modprobe does
jackson-databind [30] | Fix multiple security issues affecting BeanDeserializerFactory [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840 CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060 CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112 CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673 CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267]
libbusiness-hours-perl [31] | Use explicit 4 digit years, fixing build and usage issues
libclamunrar [32] | New upstream stable release; add an unversioned meta-package
libdbi [33] | Comment out _error_handler() call again, fixing issues with consumers
libembperl-perl [34] | Handle error pages from Apache >= 2.4.40
libexif [35] | Security fixes [CVE-2016-6328 CVE-2017-7544 CVE-2018-20030 CVE-2020-12767 CVE-2020-0093]; security fixes [CVE-2020-13112 CVE-2020-13113 CVE-2020-13114]; fix a buffer read overflow [CVE-2020-0182] and an unsigned integer overflow [CVE-2020-0198]
libvncserver [36] | Fix heap overflow [CVE-2019-15690]
linux [37] | New upstream stable release; update ABI to 4.9.0-13
linux-latest [38] | Update for 4.9.0-13 kernel ABI
mariadb-10.1 [39] | New upstream stable release; security fixes [CVE-2020-2752 CVE-2020-2812 CVE-2020-2814]
megatools [40] | Add support for the new format of mega.nz links
mod-gnutls [41] | Avoid deprecated ciphersuites in test suite; fix test failures when combined with Apache's fix for CVE-2019-10092
mongo-tools [42] | Rebuild against recent golang to pick up security fixes
neon27 [43] | Treat OpenSSL-related test failures as non-fatal
nfs-utils [44] | Fix potential file overwrite vulnerability [CVE-2019-3689]; don't make all of /var/lib/nfs owned by the statd user
nginx [45] | Fix error page request smuggling vulnerability [CVE-2019-20372]
node-url-parse [46] | Sanitize paths and hosts before parsing [CVE-2018-3774]
nvidia-graphics-drivers [47] | New upstream stable release; new upstream stable release; security fixes [CVE-2020-5963 CVE-2020-5967]
pcl [48] | Fix missing dependency on libvtk6-qt-dev
perl [49] | Fix multiple regular expression related security issues [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723]
php-horde [50] | Fix cross-site scripting vulnerability [CVE-2020-8035]
php-horde-data [51] | Fix authenticated remote code execution vulnerability [CVE-2020-8518]
php-horde-form [52] | Fix authenticated remote code execution vulnerability [CVE-2020-8866]
php-horde-gollem [53] | Fix cross-site scripting vulnerability in breadcrumb output [CVE-2020-8034]
php-horde-trean [54] | Fix authenticated remote code execution vulnerability [CVE-2020-8865]
phpmyadmin [55] | Several security fixes [CVE-2018-19968 CVE-2018-19970 CVE-2018-7260 CVE-2019-11768 CVE-2019-12616 CVE-2019-6798 CVE-2019-6799 CVE-2020-10802 CVE-2020-10803 CVE-2020-10804 CVE-2020-5504]
postfix [56] | New upstream stable release
proftpd-dfsg [57] | Fix handling SSH_MSG_IGNORE packets
python-icalendar [58] | Fix Python3 dependencies
rails [59] | Fix possible cross-site scripting via Javascript escape helper [CVE-2020-5267]
rake [60] | Fix command injection vulnerability [CVE-2020-8130]
roundcube [61] | Fix cross-site scripting issue via HTML messages with malicious svg/namespace [CVE-2020-15562]
ruby-json [62] | Fix unsafe object creation vulnerability [CVE-2020-10663]
ruby2.3 [63] | Fix unsafe object creation vulnerability [CVE-2020-10663]
sendmail [64] | Fix finding the queue runner control process in "split daemon" mode, "NOQUEUE: connect from (null)", removal failure when using BTRFS
sogo-connector [65] | New upstream version, compatible with newer Thunderbird versions
ssvnc [66] | Fix out-of-bounds write [CVE-2018-20020], infinite loop [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential denial-of-service [CVE-2018-20024]
storebackup [67] | Fix possible privilege escalation vulnerability [CVE-2020-7040]
swt-gtk [68] | Fix missing dependency on libwebkitgtk-1.0-0
tinyproxy [69] | Create PID file before dropping privileges to non-root account [CVE-2017-11747]
tzdata [70] | New upstream stable release
websockify [71] | Fix missing dependency on python{3,}-pkg-resources
wpa [72] | Fix AP mode PMF disconnection protection bypass [CVE-2019-16275]; fix MAC randomisation issues with some cards
xdg-utils [73] | Sanitise window name before sending it over D-Bus; correctly handle directories with names containing spaces; create the "applications" directory if needed
xml-security-c [74] | Fix length calculation in the concat method
xtrlock [75] | Fix blocking of (some) multitouch devices while locked [CVE-2016-10894]

Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

Advisory ID | Package
----------- | -------
DSA-4005 [76] | openjfx [77]
DSA-4255 [78] | ant [79]
DSA-4352 [80] | chromium-browser [81]
DSA-4379 [82] | golang-1.7 [83]
DSA-4380 [84] | golang-1.8 [85]
DSA-4395 [86] | chromium [87]
DSA-4421 [88] | chromium [89]
DSA-4616 [90] | qemu [91]
DSA-4617 [92] | qtbase-opensource-src [93]
DSA-4618 [94] | libexif [95]
DSA-4619 [96] | libxmlrpc3-java [97]
DSA-4620 [98] | firefox-esr [99]
DSA-4621 [100] | openjdk-8 [101]
DSA-4622 [102] | postgresql-9.6 [103]
DSA-4624 [104] | evince [105]
DSA-4625 [106] | thunderbird [107]
DSA-4628 [108] | php7.0 [109]
DSA-4629 [110] | python-django [111]
DSA-4630 [112] | python-pysaml2 [113]
DSA-4631 [114] | pillow [115]
DSA-4632 [116] | ppp [117]
DSA-4633 [118] | curl [119]
DSA-4634 [120] | opensmtpd [121]
DSA-4635 [122] | proftpd-dfsg [123]
DSA-4637 [124] | network-manager-ssh [125]
DSA-4639 [126] | firefox-esr [127]
DSA-4640 [128] | graphicsmagick [129]
DSA-4642 [130] | thunderbird [131]
DSA-4646 [132] | icu [133]
DSA-4647 [134] | bluez [135]
DSA-4648 [136] | libpam-krb5 [137]
DSA-4650 [138] | qbittorrent [139]
DSA-4653 [140] | firefox-esr [141]
DSA-4655 [142] | firefox-esr [143]
DSA-4656 [144] | thunderbird [145]
DSA-4657 [146] | git [147]
DSA-4659 [148] | git [149]
DSA-4660 [150] | awl [151]
DSA-4663 [152] | python-reportlab [153]
DSA-4664 [154] | mailman [155]
DSA-4666 [156] | openldap [157]
DSA-4668 [158] | openjdk-8 [159]
DSA-4670 [160] | tiff [161]
DSA-4671 [162] | vlc [163]
DSA-4673 [164] | tomcat8 [165]
DSA-4674 [166] | roundcube [167]
DSA-4675 [168] | graphicsmagick [169]
DSA-4676 [170] | salt [171]
DSA-4677 [172] | wordpress [173]
DSA-4678 [174] | firefox-esr [175]
DSA-4683 [176] | thunderbird [177]
DSA-4685 [178] | apt [179]
DSA-4686 [180] | apache-log4j1.2 [181]
DSA-4687 [182] | exim4 [183]
DSA-4688 [184] | dpdk [185]
DSA-4689 [186] | bind9 [187]
DSA-4692 [188] | netqmail [189]
DSA-4693 [190] | drupal7 [191]
DSA-4695 [192] | firefox-esr [193]
DSA-4698 [194] | linux [195]
DSA-4700 [196] | roundcube [197]
DSA-4701 [198] | intel-microcode [199]
DSA-4702 [200] | thunderbird [201]
DSA-4703 [202] | mysql-connector-java [203]
DSA-4704 [204] | vlc [205]
DSA-4705 [206] | python-django [207]
DSA-4706 [208] | drupal7 [209]
DSA-4707 [210] | mutt [211]
DSA-4711 [212] | coturn [213]
DSA-4713 [214] | firefox-esr [215]
DSA-4715 [216] | imagemagick [217]
DSA-4717 [218] | php7.0 [219]
DSA-4718 [220] | thunderbird [221]

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

Package | Reason
------- | ------
certificatepatrol [222] | Incompatible with newer Firefox ESR versions
colorediffs-extension [223] | Incompatible with newer Thunderbird versions
dynalogin [224] | Depends on to-be-removed simpleid
enigmail [225] | Incompatible with newer Thunderbird versions
firefox-esr [226] | [armel] No longer supported (requires nodejs)
firefox-esr [226] | [mips mipsel mips64el] No longer supported (needs newer rustc)
getlive [227] | Broken due to Hotmail changes
gplaycli [228] | Broken by Google API changes
kerneloops [229] | Upstream service no longer available
libmicrodns [230] | Security issues
libperlspeak-perl [231] | Security issues; unmaintained
mathematica-fonts [232] | Relies on unavailable download location
pdns-recursor [233] | Security issues; unsupported
predictprotein [234] | Depends on to-be-removed profphd
profphd [235] | Unusable
quotecolors [236] | Incompatible with newer Thunderbird versions
selenium-firefoxdriver [237] | Incompatible with newer Firefox ESR versions
simpleid [238] | Does not work with PHP7
simpleid-ldap [239] | Depends on to-be-removed simpleid
torbirdy [240] | Incompatible with newer Thunderbird versions
weboob [241] | Unmaintained; already removed from later releases
yahoo2mbox [242] | Broken for several years

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
oldstable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/stretch/ChangeLog

The current oldstable distribution:

  http://ftp.debian.org/debian/dists/oldstable/
sunrat Posted July 19, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4728-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 CVE-2020-13754
                 CVE-2020-13659
Debian Bug     : 964247 961887 961887 961888

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u6.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4729-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libopenmpt
CVE ID         : CVE-2019-14380 CVE-2019-17113

Two security issues were found in libopenmpt, a cross-platform C++ and C
library to decode tracked music files, which could result in denial of
service and potentially the execution of arbitrary code if malformed
music files are processed.

For the stable distribution (buster), these problems have been fixed in
version 0.4.3-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4730-1                   security@debian.org
https://www.debian.org/security/                    Salvatore Bonaccorso
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-sanitize
CVE ID         : CVE-2020-4054
Debian Bug     : 963808

Michal Bentkowski discovered that ruby-sanitize, a whitelist-based HTML
sanitizer, is prone to an HTML sanitization bypass vulnerability when
using the "relaxed" or a custom config allowing certain elements. Content
in a <math> or <svg> element may not be sanitized correctly even if math
and svg are not in the allowlist.

For the stable distribution (buster), this problem has been fixed in
version 4.6.6-2.1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4731-1                   security@debian.org
https://www.debian.org/security/                    Salvatore Bonaccorso
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2020-14147

An integer overflow flaw leading to a stack-based buffer overflow was
discovered in redis, a persistent key-value database. A remote attacker
can use this flaw to cause a denial of service (application crash).

For the stable distribution (buster), this problem has been fixed in
version 5:5.0.3-4+deb10u2.
sunrat Posted July 22, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4732-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 21, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2019-18860 CVE-2020-1504

Two security issues were discovered in the Squid proxy caching server,
which could result in cache poisoning, request smuggling and incomplete
validation of hostnames in cachemgr.cgi.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u3.
sunrat Posted July 24, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4733-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 24, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-8608
Debian Bug     : 964793

It was discovered that incorrect memory handling in the SLIRP networking
implementation could result in denial of service or potentially the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1:3.1+dfsg-8+deb10u7.

In addition this update fixes a regression caused by the patch for
CVE-2020-13754, which could lead to startup failures in some Xen setups.
sunrat Posted July 26, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4734-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 26, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2020-14556 CVE-2020-14562 CVE-2020-14573 CVE-2020-14577
                 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583
                 CVE-2020-14593 CVE-2020-14621

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in denial of service, bypass of access/sandbox restrictions or
information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 11.0.8+10-1~deb10u1.
sunrat Posted July 30, 2020 Posted July 30, 2020 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4735-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez July 29, 2020 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : grub2 CVE ID : CVE-2020-10713 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-15706 CVE-2020-15707 Several vulnerabilities have been discovered in the GRUB2 bootloader. CVE-2020-10713 A flaw in the grub.cfg parsing code was found allowing to break UEFI Secure Boot and load arbitrary code. Details can be found at https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ CVE-2020-14308 It was discovered that grub_malloc does not validate the allocation size allowing for arithmetic overflow and subsequently a heap-based buffer overflow. CVE-2020-14309 An integer overflow in grub_squash_read_symlink may lead to a heap- based buffer overflow. CVE-2020-14310 An integer overflow in read_section_from_string may lead to a heap- based buffer overflow. CVE-2020-14311 An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow. CVE-2020-15706 script: Avoid a use-after-free when redefining a function during execution. CVE-2020-15707 An integer overflow flaw was found in the initrd size handling. Further detailed information can be found at https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot For the stable distribution (buster), these problems have been fixed in version 2.02+dfsg1-20+deb10u1. 
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4736-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or an information leak.

For the stable distribution (buster), these problems have been fixed in
version 68.11.0esr-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4737-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xrdp
CVE ID         : CVE-2020-4044
Debian Bug     : 964573

Ashley Newson discovered that the XRDP sessions manager was susceptible
to denial of service. A local attacker can further take advantage of this
flaw to impersonate the XRDP sessions manager and capture any user
credentials that are submitted to XRDP, approve or reject arbitrary login
credentials or to hijack existing sessions for xorgxrdp sessions.

For the stable distribution (buster), this problem has been fixed in
version 0.9.9-1+deb10u1.
sunrat Posted July 31, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4735-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 30, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
Debian Bug     : 966554

The update for grub2 released as DSA 4735-1 caused a boot-regression when
chainloading another bootloader and breaking notably dual-boot with
Windows. Updated grub2 packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 2.02+dfsg1-20+deb10u2.
sunrat Posted August 1, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4738-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 31, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ark
CVE ID         : CVE-2020-16116

Dominik Penner discovered that the Ark archive manager did not sanitise
extraction paths, which could result in maliciously crafted archives
writing outside the extraction directory.

For the stable distribution (buster), this problem has been fixed in
version 4:18.08.3-1+deb10u1.
sunrat Posted August 1, 2020

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.5 released                        press@debian.org
August 1st, 2020              https://www.debian.org/News/2020/20200801
------------------------------------------------------------------------

The Debian project is pleased to announce the fifth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly adds
corrections for security issues, along with a few adjustments for serious
problems. Security advisories have already been published separately and
are referenced where available.

This point release also addresses Debian Security Advisory:

  DSA-4735-1 grub2 -- security update [1]

which covers multiple CVE issues regarding the GRUB2 UEFI SecureBoot
'BootHole' vulnerability [2].

  1: https://www.debian.org/security/2020/dsa-4735
  2: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no need
to throw away old "buster" media. After installation, packages can be
upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors.
A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages (package, then reason):

appstream-glib [3]
    Fix build failures in 2020 and later
asunder [4]
    Use gnudb instead of freedb by default
b43-fwcutter [5]
    Ensure removal succeeds under non-English locales; do not fail removal
    if some files no longer exist; fix missing dependencies on pciutils
    and ca-certificates
balsa [6]
    Provide server identity when validating certificates, allowing
    successful validation when using the glib-networking patch for
    CVE-2020-13645
base-files [7]
    Update for the point release
batik [8]
    Fix server-side request forgery via xlink:href attributes
    [CVE-2019-17566]
borgbackup [9]
    Fix index corruption bug leading to data loss
bundler [10]
    Update required version of ruby-molinillo
c-icap-modules [11]
    Add support for ClamAV 0.102
cacti [12]
    Fix issue where UNIX timestamps after September 13th 2020 were
    rejected as graph start / end; fix remote code execution
    [CVE-2020-7237], cross-site scripting [CVE-2020-7106], CSRF issue
    [CVE-2020-13231]; disabling a user account does not immediately
    invalidate permissions [CVE-2020-13230]
calamares-settings-debian [13]
    Enable displaymanager module, fixing autologin options; use
    xdg-user-dir to specify Desktop directory
clamav [14]
    New upstream release; security fixes [CVE-2020-3327 CVE-2020-3341
    CVE-2020-3350 CVE-2020-3327 CVE-2020-3481]
cloud-init [15]
    New upstream release
commons-configuration2 [16]
    Prevent object creation when loading YAML files [CVE-2020-1953]
confget [17]
    Fix the Python module's handling of values containing "="
dbus [18]
    New upstream stable release; prevent a denial of service issue
    [CVE-2020-12049]; prevent use-after-free if two usernames share a uid
debian-edu-config [19]
    Fix loss of dynamically allocated IPv4 address
debian-installer [20]
    Update Linux ABI to 4.19.0-10
debian-installer-netboot-images [21]
    Rebuild against proposed-updates
debian-ports-archive-keyring [22]
    Increase the expiration date of the 2020 key (84C573CD4E1AFD6C) by
    one year; add Debian Ports Archive Automatic Signing Key (2021); move
    the 2018 key (ID: 06AED62430CB581C) to the removed keyring
debian-security-support [23]
    Update support status of several packages
dpdk [24]
    New upstream release
exiv2 [25]
    Adjust overly restrictive security patch [CVE-2018-10958 and
    CVE-2018-10999]; fix denial of service issue [CVE-2018-16336]
fdroidserver [26]
    Fix Litecoin address validation
file-roller [27]
    Security fix [CVE-2020-11736]
freerdp2 [28]
    Fix smartcard logins; security fixes [CVE-2020-11521 CVE-2020-11522
    CVE-2020-11523 CVE-2020-11524 CVE-2020-11525 CVE-2020-11526]
fwupd [29]
    New upstream release; fix possible signature verification issue
    [CVE-2020-10759]; use rotated Debian signing keys
fwupd-amd64-signed [30]
    New upstream release; fix possible signature verification issue
    [CVE-2020-10759]; use rotated Debian signing keys
fwupd-arm64-signed [31]
    New upstream release; fix possible signature verification issue
    [CVE-2020-10759]; use rotated Debian signing keys
fwupd-armhf-signed [32]
    New upstream release; fix possible signature verification issue
    [CVE-2020-10759]; use rotated Debian signing keys
fwupd-i386-signed [33]
    New upstream release; fix possible signature verification issue
    [CVE-2020-10759]; use rotated Debian signing keys
fwupdate [34]
    Use rotated Debian signing keys
fwupdate-amd64-signed [35]
    Use rotated Debian signing keys
fwupdate-arm64-signed [36]
    Use rotated Debian signing keys
fwupdate-armhf-signed [37]
    Use rotated Debian signing keys
fwupdate-i386-signed [38]
    Use rotated Debian signing keys
gist [39]
    Avoid deprecated authorization API
glib-networking [40]
    Return bad identity error if identity is unset [CVE-2020-13645];
    break balsa older than 2.5.6-2+deb10u1 as the fix for CVE-2020-13645
    breaks balsa's certificate verification
gnutls28 [41]
    Fix TLS1.2 resumption errors; fix memory leak; handle zero length
    session tickets, fixing connection errors on TLS1.2 sessions to some
    big hosting providers; fix verification error with alternate chains
intel-microcode [42]
    Downgrade some microcodes to previously issued versions, working
    around hangs on boot on Skylake-U/Y and Skylake Xeon E3
jackson-databind [43]
    Fix multiple security issues affecting BeanDeserializerFactory
    [CVE-2020-9548 CVE-2020-9547 CVE-2020-9546 CVE-2020-8840
    CVE-2020-14195 CVE-2020-14062 CVE-2020-14061 CVE-2020-14060
    CVE-2020-11620 CVE-2020-11619 CVE-2020-11113 CVE-2020-11112
    CVE-2020-11111 CVE-2020-10969 CVE-2020-10968 CVE-2020-10673
    CVE-2020-10672 CVE-2019-20330 CVE-2019-17531 and CVE-2019-17267]
jameica [44]
    Add mckoisqldb to classpath, allowing use of SynTAX plugin
jigdo [45]
    Fix HTTPS support in jigdo-lite and jigdo-mirror
ksh [46]
    Fix environment variable restriction issue [CVE-2019-14868]
lemonldap-ng [47]
    Fix nginx configuration regression introduced by the fix for
    CVE-2019-19791
libapache-mod-jk [48]
    Rename Apache configuration file so it can be automatically enabled
    and disabled
libclamunrar [49]
    New upstream stable release; add an unversioned meta-package
libembperl-perl [50]
    Handle error pages from Apache >= 2.4.40
libexif [51]
    Security fixes [CVE-2020-12767 CVE-2020-0093 CVE-2020-13112
    CVE-2020-13113 CVE-2020-13114]; fix buffer overflow [CVE-2020-0182]
    and integer overflow [CVE-2020-0198]
libinput [52]
    Quirks: add trackpoint integration attribute
libntlm [53]
    Fix buffer overflow [CVE-2019-17455]
libpam-radius-auth [54]
    Fix buffer overflow in password field [CVE-2015-9542]
libunwind [55]
    Fix segfaults on mips; manually enable C++ exception support only on
    i386 and amd64
libyang [56]
    Fix cache corruption crash, CVE-2019-19333, CVE-2019-19334
linux [57]
    New upstream stable release
linux-latest [58]
    Update for 4.19.0-10 kernel ABI
linux-signed-amd64 [59]
    New upstream stable release
linux-signed-arm64 [60]
    New upstream stable release
linux-signed-i386 [61]
    New upstream stable release
lirc [62]
    Fix conffile management
mailutils [63]
    maidag: drop setuid privileges for all delivery operations but mda
    [CVE-2019-18862]
mariadb-10.3 [64]
    New upstream stable release; security fixes [CVE-2020-2752
    CVE-2020-2760 CVE-2020-2812 CVE-2020-2814 CVE-2020-13249]; fix
    regression in RocksDB ZSTD detection
mod-gnutls [65]
    Fix a possible segfault on failed TLS handshake; fix test failures
multipath-tools [66]
    kpartx: use correct path to partx in udev rule
mutt [67]
    Don't check IMAP PREAUTH encryption if $tunnel is in use
mydumper [68]
    Link against libm
nfs-utils [69]
    statd: take user-id from /var/lib/nfs/sm [CVE-2019-3689]; don't make
    /var/lib/nfs owned by statd
nginx [70]
    Fix error page request smuggling vulnerability [CVE-2019-20372]
nmap [71]
    Update default key size to 2048 bits
node-dot-prop [72]
    Fix regression introduced in CVE-2020-8116 fix
node-handlebars [73]
    Disallow calling "helperMissing" and "blockHelperMissing" directly
    [CVE-2019-19919]
node-minimist [74]
    Fix prototype pollution [CVE-2020-7598]
nvidia-graphics-drivers [75]
    New upstream stable release; security fixes [CVE-2020-5963
    CVE-2020-5967]
nvidia-graphics-drivers-legacy-390xx [76]
    New upstream stable release; security fixes [CVE-2020-5963
    CVE-2020-5967]
openstack-debian-images [77]
    Install resolvconf if installing cloud-init
pagekite [78]
    Avoid issues with expiry of shipped SSL certificates by using those
    from the ca-certificates package
pdfchain [79]
    Fix crash at startup
perl [80]
    Fix multiple regular expression related security issues
    [CVE-2020-10543 CVE-2020-10878 CVE-2020-12723]
php-horde [81]
    Fix cross-site scripting vulnerability [CVE-2020-8035]
php-horde-gollem [82]
    Fix cross-site scripting vulnerability in breadcrumb output
    [CVE-2020-8034]
pillow [83]
    Fix multiple out-of-bounds read issues [CVE-2020-11538 CVE-2020-10378
    CVE-2020-10177]
policyd-rate-limit [84]
    Fix issues in accounting due to socket reuse
postfix [85]
    New upstream stable release; fix segfault in the tlsproxy client role
    when the server role was disabled; fix "maillog_file_rotate_suffix
    default value used the minute instead of the month"; fix several TLS
    related issues; README.Debian fixes
python-markdown2 [86]
    Fix cross-site scripting issue [CVE-2020-11888]
python3.7 [87]
    Avoid infinite loop when reading specially crafted TAR files using
    the tarfile module [CVE-2019-20907]; resolve hash collisions for
    IPv4Interface and IPv6Interface [CVE-2020-14422]; fix denial of
    service issue in urllib.request.AbstractBasicAuthHandler
    [CVE-2020-8492]
qdirstat [88]
    Fix saving of user-configured MIME categories
raspi3-firmware [89]
    Fix typo that could lead to unbootable systems
resource-agents [90]
    IPsrcaddr: make "proto" optional to fix regression when used without
    NetworkManager
ruby-json [91]
    Fix unsafe object creation vulnerability [CVE-2020-10663]
shim [92]
    Use rotated Debian signing keys
shim-helpers-amd64-signed [93]
    Use rotated Debian signing keys
shim-helpers-arm64-signed [94]
    Use rotated Debian signing keys
shim-helpers-i386-signed [95]
    Use rotated Debian signing keys
speedtest-cli [96]
    Pass correct headers to fix upload speed test
ssvnc [97]
    Fix out-of-bounds write [CVE-2018-20020], infinite loop
    [CVE-2018-20021], improper initialisation [CVE-2018-20022], potential
    denial-of-service [CVE-2018-20024]
storebackup [98]
    Fix possible privilege escalation vulnerability [CVE-2020-7040]
suricata [99]
    Fix dropping privileges in nflog runmode
tigervnc [100]
    Don't use libunwind on armel, armhf or arm64
transmission [101]
    Fix possible denial of service issue [CVE-2018-10756]
wav2cdr [102]
    Use C99 fixed-size integer types to fix runtime assertion on 64bit
    architectures other than amd64 and alpha
zipios++ [103]
    Security fix [CVE-2019-13453]

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates (advisory ID, then package):

  DSA-4626 [104]   php7.3 [105]
  DSA-4674 [106]   roundcube [107]
  DSA-4675 [108]   graphicsmagick [109]
  DSA-4676 [110]   salt [111]
  DSA-4677 [112]   wordpress [113]
  DSA-4678 [114]   firefox-esr [115]
  DSA-4679 [116]   keystone [117]
  DSA-4680 [118]   tomcat9 [119]
  DSA-4681 [120]   webkit2gtk [121]
  DSA-4682 [122]   squid [123]
  DSA-4683 [124]   thunderbird [125]
  DSA-4684 [126]   libreswan [127]
  DSA-4685 [128]   apt [129]
  DSA-4686 [130]   apache-log4j1.2 [131]
  DSA-4687 [132]   exim4 [133]
  DSA-4688 [134]   dpdk [135]
  DSA-4689 [136]   bind9 [137]
  DSA-4690 [138]   dovecot [139]
  DSA-4691 [140]   pdns-recursor [141]
  DSA-4692 [142]   netqmail [143]
  DSA-4694 [144]   unbound [145]
  DSA-4695 [146]   firefox-esr [147]
  DSA-4696 [148]   nodejs [149]
  DSA-4697 [150]   gnutls28 [151]
  DSA-4699 [152]   linux-signed-amd64 [153]
  DSA-4699 [154]   linux-signed-arm64 [155]
  DSA-4699 [156]   linux-signed-i386 [157]
  DSA-4699 [158]   linux [159]
  DSA-4700 [160]   roundcube [161]
  DSA-4701 [162]   intel-microcode [163]
  DSA-4702 [164]   thunderbird [165]
  DSA-4704 [166]   vlc [167]
  DSA-4705 [168]   python-django [169]
  DSA-4707 [170]   mutt [171]
  DSA-4708 [172]   neomutt [173]
  DSA-4709 [174]   wordpress [175]
  DSA-4710 [176]   trafficserver [177]
  DSA-4711 [178]   coturn [179]
  DSA-4712 [180]   imagemagick [181]
  DSA-4713 [182]   firefox-esr [183]
  DSA-4714 [184]   chromium [185]
  DSA-4716 [186]   docker.io [187]
  DSA-4718 [188]   thunderbird [189]
  DSA-4719 [190]   php7.3 [191]
  DSA-4720 [192]   roundcube [193]
  DSA-4721 [194]   ruby2.5 [195]
  DSA-4722 [196]   ffmpeg [197]
  DSA-4723 [198]   xen [199]
  DSA-4724 [200]   webkit2gtk [201]
  DSA-4725 [202]   evolution-data-server [203]
  DSA-4726 [204]   nss [205]
  DSA-4727 [206]   tomcat9 [207]
  DSA-4728 [208]   qemu [209]
  DSA-4729 [210]   libopenmpt [211]
  DSA-4730 [212]   ruby-sanitize [213]
  DSA-4731 [214]   redis [215]
  DSA-4732 [216]   squid [217]
  DSA-4733 [218]   qemu [219]
  DSA-4735 [220]   grub-efi-amd64-signed [221]
  DSA-4735 [222]   grub-efi-arm64-signed [223]
  DSA-4735 [224]   grub-efi-ia32-signed [225]
  DSA-4735 [226]   grub2 [227]

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control (package, then reason):

golang-github-unknwon-cae [228]
    Security issues; unmaintained
janus [229]
    Not supportable in stable
mathematica-fonts [230]
    Relies on unavailable download location
matrix-synapse [231]
    Security issues; unsupportable
selenium-firefoxdriver [232]
    Incompatible with newer Firefox ESR versions

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.
sunrat Posted August 3, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4740-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 02, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

Multiple security issues have been found in Thunderbird which could result
in denial of service or potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 1:68.11.0-1~deb10u1.
sunrat Posted August 3, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4739-1                   security@debian.org
https://www.debian.org/security/                            Alberto Garcia
August 03, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895
                 CVE-2020-9915 CVE-2020-9925

The following vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2020-9862

    Ophir Lojkine discovered that copying a URL from the Web Inspector
    may lead to command injection.

CVE-2020-9893

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9894

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9895

    Wen Xu discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9915

    Ayoub Ait Elmokhtar discovered that processing maliciously crafted
    web content may prevent Content Security Policy from being enforced.

CVE-2020-9925

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

For the stable distribution (buster), these problems have been fixed in
version 2.28.4-1~deb10u1.
sunrat Posted August 6, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4741-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 05, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : json-c
CVE ID         : CVE-2020-12762

Tobias Stoeckmann discovered an integer overflow in the json-c JSON
library, which could result in denial of service or potentially the
execution of arbitrary code if large malformed JSON files are processed.

For the stable distribution (buster), this problem has been fixed in
version 0.12.1+ds-2+deb10u1.
sunrat Posted August 7, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4742-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 06, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firejail
CVE ID         : CVE-2020-17367 CVE-2020-17368

Tim Starling discovered two vulnerabilities in firejail, a sandbox program
to restrict the running environment of untrusted applications.

CVE-2020-17367

    It was reported that firejail does not respect the end-of-options
    separator ("--"), allowing an attacker with control over the command
    line options of the sandboxed application, to write data to a
    specified file.

CVE-2020-17368

    It was reported that firejail when redirecting output via --output or
    --output-stderr, concatenates all command line arguments into a
    single string that is passed to a shell. An attacker who has control
    over the command line arguments of the sandboxed application could
    take advantage of this flaw to run arbitrary other commands.

For the stable distribution (buster), these problems have been fixed in
version 0.9.58.2-2+deb10u1.
sunrat Posted August 10, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4743-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 10, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-kramdown
CVE ID         : CVE-2020-14001
Debian Bug     : 965305

A flaw was discovered in ruby-kramdown, a fast, pure ruby, Markdown parser
and converter, which could result in unintended read access to files or
unintended embedded Ruby code execution when the {::options /} extension
is used together with the 'template' option.

The update introduces a new option 'forbidden_inline_options' to restrict
the options allowed with the {::options /} extension. By default the
'template' option is forbidden.

For the stable distribution (buster), this problem has been fixed in
version 1.17.0-1+deb10u1.
sunrat Posted August 12, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4744-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 12, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-16145
Debian Bug     : 968216

It was discovered that roundcube, a skinnable AJAX based webmail solution
for IMAP servers, is prone to cross-site scripting vulnerabilities in
handling invalid svg and math tag content.

For the stable distribution (buster), this problem has been fixed in
version 1.3.15+dfsg.1-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4745-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 12, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2020-12100 CVE-2020-12673 CVE-2020-12674

Several vulnerabilities have been discovered in the Dovecot email server.

CVE-2020-12100

    Receiving mail with deeply nested MIME parts leads to resource
    exhaustion as Dovecot attempts to parse it.

CVE-2020-12673

    Dovecot's NTLM implementation does not correctly check message buffer
    size, which leads to a crash when reading past allocation.

CVE-2020-12674

    Dovecot's RPA mechanism implementation accepts zero-length message,
    which leads to assert-crash later on.

For the stable distribution (buster), these problems have been fixed in
version 1:2.3.4.1-5+deb10u3.
sunrat Posted August 15, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4746-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 15, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : net-snmp
CVE ID         : CVE-2020-15861 CVE-2020-15862
Debian Bug     : 965166 966599

Several vulnerabilities were discovered in net-snmp, a suite of Simple
Network Management Protocol applications, which could lead to privilege
escalation.

For the stable distribution (buster), these problems have been fixed in
version 5.7.3+dfsg-5+deb10u1.
sunrat Posted August 23, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4747-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 23, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icingaweb2
CVE ID         : CVE-2020-24368
Debian Bug     : 968833

A directory traversal vulnerability was discovered in Icinga Web 2, a web
interface for Icinga, which could result in the disclosure of files
readable by the process.

For the stable distribution (buster), this problem has been fixed in
version 2.6.2-3+deb10u1.
sunrat Posted August 25, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4748-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 25, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290
                 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294
                 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298
                 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302
                 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306
                 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310
                 CVE-2020-17538

Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.

For the stable distribution (buster), these problems have been fixed in
version 9.27~dfsg-2+deb10u4.
sunrat Posted August 27, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4749-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 26, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-15664 CVE-2020-15669

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or unintended or malicious extensions being installed.

For the stable distribution (buster), these problems have been fixed in
version 68.12.0esr-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4750-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 26, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nginx
CVE ID         : CVE-2020-11724
Debian Bug     : 964950

It was reported that the Lua module for Nginx, a high-performance web and
reverse proxy server, is prone to a HTTP request smuggling vulnerability.

For the stable distribution (buster), this problem has been fixed in
version 1.14.2-2+deb10u3.
sunrat Posted August 27, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4751-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 27, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2020-15810 CVE-2020-15811 CVE-2020-24606
Debian Bug     : 968932 968933 968934

Several vulnerabilities were discovered in Squid, a fully featured web
proxy cache, which could result in request splitting, request smuggling
(leading to cache poisoning) and denial of service when processing
crafted cache digest responses messages.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u4.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4752-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 27, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2020-8619 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
Debian Bug     : 966497

Several vulnerabilities were discovered in BIND, a DNS server
implementation.

CVE-2020-8619

    It was discovered that an asterisk character in an empty
    non-terminal can cause an assertion failure, resulting in denial of
    service.

CVE-2020-8622

    Dave Feldman, Jeff Warren, and Joel Cunningham reported that a
    truncated TSIG response can lead to an assertion failure, resulting
    in denial of service.

CVE-2020-8623

    Lyu Chiy reported that a flaw in the native PKCS#11 code can lead to
    a remotely triggerable assertion failure, resulting in denial of
    service.

CVE-2020-8624

    Joop Boonen reported that update-policy rules of type "subdomain" are
    enforced incorrectly, allowing updates to all parts of the zone along
    with the intended subdomain.

For the stable distribution (buster), these problems have been fixed in
version 1:9.11.5.P4+dfsg-5.1+deb10u2.
sunrat Posted August 29, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4753-1          security@debian.org
https://www.debian.org/security/             Salvatore Bonaccorso
August 29, 2020                              https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2019-13290
Debian Bug     : 931475

A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight
PDF viewer, which may result in denial of service or the execution of
arbitrary code if a malformed PDF file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.0+ds1-4+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4754-1          security@debian.org
https://www.debian.org/security/             Moritz Muehlenhoff
August 29, 2020                              https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-15664 CVE-2020-15669

Multiple security issues have been found in Thunderbird which could result
in the execution of arbitrary code or the unintended installation of
extensions.

For the stable distribution (buster), these problems have been fixed in
version 1:68.12.0-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4755-1          security@debian.org
https://www.debian.org/security/             Moritz Muehlenhoff
August 29, 2020                              https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openexr
CVE ID         : CVE-2017-9111 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115
                 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761
                 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765
                 CVE-2020-15305 CVE-2020-15306

Multiple security issues were found in the OpenEXR image library, which
could result in denial of service and potentially the execution of
arbitrary code when processing malformed EXR image files.

For the stable distribution (buster), these problems have been fixed in
version 2.2.1-4.1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4756-1          security@debian.org
https://www.debian.org/security/             Moritz Muehlenhoff
August 29, 2020                              https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lilypond
CVE ID         : CVE-2020-17353

Faidon Liambotis discovered that Lilypond, a program for typesetting sheet
music, did not restrict the inclusion of Postscript and SVG commands when
operating in safe mode, which could result in the execution of arbitrary
code when rendering a typesheet file with embedded Postscript code.

For the stable distribution (buster), this problem has been fixed in
version 2.19.81+really-2.18.2-13+deb10u1.
sunrat Posted September 1, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4757-1          security@debian.org
https://www.debian.org/security/             Salvatore Bonaccorso
August 31, 2020                              https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2020-1927 CVE-2020-1934 CVE-2020-9490 CVE-2020-11984
                 CVE-2020-11993

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2020-1927

    Fabrice Perez reported that certain mod_rewrite configurations are
    prone to an open redirect.

CVE-2020-1934

    Chamal De Silva discovered that the mod_proxy_ftp module uses
    uninitialized memory when proxying to a malicious FTP backend.

CVE-2020-9490

    Felix Wilhelm discovered that a specially crafted value for the
    'Cache-Digest' header in an HTTP/2 request could cause a crash when the
    server actually tries to HTTP/2 PUSH a resource afterwards.

CVE-2020-11984

    Felix Wilhelm reported a buffer overflow flaw in the mod_proxy_uwsgi
    module which could result in information disclosure or potentially
    remote code execution.

CVE-2020-11993

    Felix Wilhelm reported that when trace/debug was enabled for the HTTP/2
    module certain traffic edge patterns can cause logging statements on
    the wrong connection, causing concurrent use of memory pools.

For the stable distribution (buster), these problems have been fixed in
version 2.4.38-3+deb10u4.
sunrat Posted September 5, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4758-1          security@debian.org
https://www.debian.org/security/             Salvatore Bonaccorso
September 04, 2020                           https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14361
                 CVE-2020-14362
Debian Bug     : 968986

Several vulnerabilities have been discovered in the X.Org X server.
Missing input sanitising in X server extensions may result in local
privilege escalation if the X server is configured to run with root
privileges. In addition an ASLR bypass was fixed.

For the stable distribution (buster), these problems have been fixed in
version 2:1.20.4-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4759-1          security@debian.org
https://www.debian.org/security/             Salvatore Bonaccorso
September 04, 2020                           https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ark
CVE ID         : CVE-2020-24654
Debian Bug     : 969437

Fabian Vogt reported that the Ark archive manager did not sanitise
extraction paths, which could result in maliciously crafted archives with
symlinks writing outside the extraction directory.

For the stable distribution (buster), this problem has been fixed in
version 4:18.08.3-1+deb10u2.
sunrat Posted September 6, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4760-1          security@debian.org
https://www.debian.org/security/             Moritz Muehlenhoff
September 06, 2020                           https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092
Debian Bug     : 961451 968947

Multiple security issues were discovered in QEMU, a fast processor
emulator:

CVE-2020-12829

    An integer overflow in the sm501 display device may result in denial of
    service.

CVE-2020-14364

    An out-of-bounds write in the USB emulation code may result in
    guest-to-host code execution.

CVE-2020-15863

    A buffer overflow in the XGMAC network device may result in denial of
    service or the execution of arbitrary code.

CVE-2020-16092

    A triggerable assert in the e1000e and vmxnet3 devices may result in
    denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u8.
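Every advisory in this thread ends with the same actionable line, "fixed in version X", and the check an administrator actually wants is whether the installed package is older than that version under Debian's own ordering (epoch, then upstream version, then revision, with `~` sorting before everything). The script below is an added example, not Debian's or the forum's code: it pulls DSA id, package, CVE list and fixed version out of advisory text in the layout quoted above, and compares against a dictionary of installed versions. The excerpt of advisories is copied from the posts in this thread; the installed versions are constructed for the example, and the comparison routine is a re-implementation of dpkg's ordering rules rather than a call into dpkg.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the DSA layout used in this thread. The DSA ids,
# packages, CVE ids and fixed versions are the ones quoted in the posts above.
SAMPLE_ADVISORIES = """\
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4750-1          security@debian.org
- -------------------------------------------------------------------------
Package        : nginx
CVE ID         : CVE-2020-11724

For the stable distribution (buster), this problem has been fixed in
version 1.14.2-2+deb10u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4754-1          security@debian.org
- -------------------------------------------------------------------------
Package        : thunderbird
CVE ID         : CVE-2020-15664 CVE-2020-15669

For the stable distribution (buster), these problems have been fixed in
version 1:68.12.0-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4760-1          security@debian.org
- -------------------------------------------------------------------------
Package        : qemu
CVE ID         : CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u8.
"""

# Constructed installed versions (hypothetical host): nginx and qemu are one
# security upload behind, thunderbird is already at the fixed version.
INSTALLED = {
    "nginx": "1.14.2-2+deb10u2",
    "thunderbird": "1:68.12.0-1~deb10u1",
    "qemu": "1:3.1+dfsg-8+deb10u7",
}


@dataclass(frozen=True)
class Advisory:
    dsa: str
    package: str
    cves: tuple[str, ...]
    fixed_version: str


ADVISORY_RE = re.compile(
    r"Debian Security Advisory (?P<dsa>DSA-\d+-\d+).*?"
    r"Package\s*:\s*(?P<package>\S+).*?"
    r"CVE ID\s*:\s*(?P<cves>[^\n]+).*?"
    r"fixed in\s+version\s+(?P<version>\S+?)\.(?=\s|$)",
    re.DOTALL,
)


def parse_advisories(text: str) -> list[Advisory]:
    """Extract one Advisory per DSA block found in the text."""
    return [
        Advisory(m["dsa"], m["package"], tuple(m["cves"].split()), m["version"])
        for m in ADVISORY_RE.finditer(text)
    ]


def _order(c: str) -> int:
    """Character weight as in dpkg: '~' sorts before the end of the string,
    letters sort before any other non-digit character."""
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (character weights) and digit runs (numeric)."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")  # leading zeros are insignificant
        first_diff = 0
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():  # a has more digits, so it is the larger number
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; the revision follows the last hyphen."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (c > 0) - (c < 0)


def vulnerable_packages(advisory_text: str, installed: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """Return (dsa, package, installed_version, fixed_version) for each installed
    package whose version is older than the advisory's fixed version."""
    findings = []
    for adv in parse_advisories(advisory_text):
        have = installed.get(adv.package)
        if have is not None and compare_versions(have, adv.fixed_version) < 0:
            findings.append((adv.dsa, adv.package, have, adv.fixed_version))
    return findings


if __name__ == "__main__":
    for dsa, pkg, have, fixed in vulnerable_packages(SAMPLE_ADVISORIES, INSTALLED):
        print(f"{dsa}: {pkg} {have} is older than fixed version {fixed}")
```

On a real host the installed version comes from `dpkg-query -W -f='${Version}' <package>`, and `dpkg --compare-versions A lt B` applies the same ordering natively; the Python re-implementation is there so the rules (epoch first, `~` before everything, numeric digit runs) can be read and unit-tested without dpkg present.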