Jump to content
Bruno

NEW UPDATES Debian

Recommended Posts

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4720-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-15562
Debian Bug     : 964355

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not properly sanitize incoming mail
messages. This would allow a remote attacker to perform a Cross-Side
Scripting (XSS) attack.

For the stable distribution (buster), this problem has been fixed in
version 1.3.14+dfsg.1-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4721-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby2.5
CVE ID         : CVE-2020-10663 CVE-2020-10933

Several vulnerabilities have been discovered in the interpreter for the
Ruby language.

CVE-2020-10663

    Jeremy Evans reported an unsafe object creation vulnerability in the
    json gem bundled with Ruby. When parsing certain JSON documents, the
    json gem can be coerced into creating arbitrary objects in the
    target system.

CVE-2020-10933

    Samuel Williams reported a flaw in the socket library which may lead
    to exposure of possibly sensitive data from the interpreter.

For the stable distribution (buster), these problems have been fixed in
version 2.5.5-3+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4722-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 08, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2019-13390 CVE-2019-17539 CVE-2019-17542
                 CVE-2020-12284 CVE-2020-13904

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (buster), these problems have been fixed in
version 7:4.1.6-1~deb10u1.

Share this post


Link to post
Share on other sites
sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Debian 8 Long Term Support reaching end-of-life         press@debian.org
July 9th, 2020                 https://www.debian.org/News/2020/20200709
------------------------------------------------------------------------


The Debian Long Term Support (LTS) Team hereby announces that Debian 8
"jessie" support has reached its end-of-life on June 30, 2020, five
years after its initial release on April 26, 2015.

Debian will not provide further security updates for Debian 8. A subset
of "jessie" packages will be supported by external parties. Detailed
information can be found at Extended LTS [1].

    1: https://wiki.debian.org/LTS/Extended

The LTS Team will prepare the transition to Debian 9 "stretch", which is
the current oldstable release. The LTS Team has taken over support from
the Security Team on July 6, 2020 while the final point update for
"stretch" will be released on July 18, 2020.

Debian 9 will also receive Long Term Support for five years after its
initial release with support ending on June 30, 2022. The supported
architectures remain amd64, i386, armel and armhf. In addition we are
pleased to announce, for the first time support will be extended to
include the arm64 architecture.

For further information about using "stretch" LTS and upgrading from
"jessie" LTS, please refer to LTS/Using [2].

    2: https://wiki.debian.org/LTS/Using

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4723-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 12, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 
                 CVE-2020-11743 CVE-2020-15563 CVE-2020-15564 CVE-2020-15565 
                 CVE-2020-15566 CVE-2020-15567

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, guest-to-host privilege
escalation or information leaks.
      
For the stable distribution (buster), these problems have been fixed in
version 4.11.4+24-gddaaccbbab-1~deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4714-3                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
July 13, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
Debian Bug     : 963548

The previous update for chromium released as DSA 4714-2 contained a flaw in
the service worker implementation.  This problem causes the browser to crash
when a connection error occurs.  Updated chromium packages are now available
that correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 83.0.4103.116-1~deb10u3.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4724-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
July 15, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806
                 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-13753

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-9802

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-9803

    Wen Xu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-9805

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

CVE-2020-9806

    Wen Xu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-9807

    Wen Xu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-9843

    Ryan Pickren discovered that processing maliciously crafted web
    content may lead to a cross site scripting attack.

CVE-2020-9850

    @jinmo123, @setuid0x0_, and @insu_yun_en discovered that a remote
    attacker may be able to cause arbitrary code execution.

CVE-2020-13753

    Milan Crha discovered that an attacker may be able to execute
    commands outside the bubblewrap sandbox.

For the stable distribution (buster), these problems have been fixed in
version 2.28.3-2~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4725-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 15, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : evolution-data-server
CVE ID         : CVE-2020-14928

Damian Poddebniak and Fabian Ising discovered a response injection
vulnerability in Evolution data server, which could enable MITM
attacks.

For the stable distribution (buster), this problem has been fixed in
version 3.30.5-1+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4726-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nss
CVE ID         : CVE-2019-17006 CVE-2019-17023 CVE-2020-12399 CVE-2020-12402

Several vulnerabilities were discovered in NSS, a set of cryptographic
libraries, which may result in side channel/timing attacks or denial
of service.

For the stable distribution (buster), these problems have been fixed in
version 2:3.42.1-1+deb10u3.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4727-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 17, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2020-9484 CVE-2020-11996 CVE-2020-13934 CVE-2020-13935

Several vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in code execution or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u2.

Share this post


Link to post
Share on other sites
sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 9: 9.13 released                         press@debian.org
July 18th, 2020                https://www.debian.org/News/2020/20200718
------------------------------------------------------------------------

The Debian project is pleased to announce the thirteenth (and final)
update of its oldstable distribution Debian 9 (codename "stretch"). This
point release mainly adds corrections for security issues, along with a
few adjustments for serious problems. Security advisories have already
been published separately and are referenced where available.

After this point release, Debian's Security and Release Teams will no
longer be producing updates for Debian 9. Users wishing to continue to
receive security support should upgrade to Debian 10, or see
https://wiki.debian.org/LTS for details about the subset of
architectures and packages covered by the Long Term Support project.

Please note that the point release does not constitute a new version of
Debian 9 but only updates some of the packages included. There is no
need to throw away old "stretch" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list


Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following
packages:

+--------------------------+------------------------------------------+
| Package                  | Reason                                   |
+--------------------------+------------------------------------------+
| acmetool [1]             | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| atril [2]                | dvi: Mitigate command injection attacks  |
|                          | by quoting filename [CVE-2017-1000159];  |
|                          | fix overflow checks in tiff backend      |
|                          | [CVE-2019-1010006]; tiff: Handle failure |
|                          | from TIFFReadRGBAImageOriented           |
|                          | [CVE-2019-11459]                         |
|                          |                                          |
| bacula [3]               | Add transitional package bacula-         |
|                          | director-common, avoiding loss of /etc/  |
|                          | bacula/bacula-dir.conf when purged; make |
|                          | PID files owned by root                  |
|                          |                                          |
| base-files [4]           | Update /etc/debian_version for the point |
|                          | release                                  |
|                          |                                          |
| batik [5]                | Fix server-side request forgery via      |
|                          | xlink:href attributes [CVE-2019-17566]   |
|                          |                                          |
| c-icap-modules [6]       | Support ClamAV 0.102                     |
|                          |                                          |
| ca-certificates [7]      | Update Mozilla CA bundle to 2.40,        |
|                          | blacklist distrusted Symantec roots and  |
|                          | expired  "AddTrust External Root" ;      |
|                          | remove e-mail only certificates          |
|                          |                                          |
| chasquid [8]             | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| checkstyle [9]           | Fix XML External Entity injection issue  |
|                          | [CVE-2019-9658 CVE-2019-10782]           |
|                          |                                          |
| clamav [10]              | New upstream release [CVE-2020-3123];    |
|                          | security fixes [CVE-2020-3327 CVE-2020-  |
|                          | 3341]                                    |
|                          |                                          |
| compactheader [11]       | New upstream version, compatible with    |
|                          | newer Thunderbird versions               |
|                          |                                          |
| cram [12]                | Ignore test failures to fix build issues |
|                          |                                          |
| csync2 [13]              | Fail HELLO command when SSL is required  |
|                          |                                          |
| cups [14]                | Fix heap buffer overflow [CVE-2020-3898] |
|                          | and  "the `ippReadIO` function may       |
|                          | under-read an extension                  |
|                          | field"  [CVE-2019-8842]                  |
|                          |                                          |
| dbus [15]                | New upstream stable release; prevent a   |
|                          | denial of service issue [CVE-2020-       |
|                          | 12049]; prevent use-after-free if two    |
|                          | usernames share a uid                    |
|                          |                                          |
| debian-installer [16]    | Update for the 4.9.0-13 Linux kernel ABI |
|                          |                                          |
| debian-installer-        | Rebuild against stretch-proposed-updates |
| netboot-images [17]      |                                          |
|                          |                                          |
| debian-security-         | Update support status of several         |
| support [18]             | packages                                 |
|                          |                                          |
| erlang [19]              | Fix use of weak TLS ciphers [CVE-2020-   |
|                          | 12872]                                   |
|                          |                                          |
| exiv2 [20]               | Fix denial of service issue [CVE-2018-   |
|                          | 16336]; fix over-restrictive fix for     |
|                          | CVE-2018-10958 and CVE-2018-10999        |
|                          |                                          |
| fex [21]                 | Security update                          |
|                          |                                          |
| file-roller [22]         | Security fix [CVE-2020-11736]            |
|                          |                                          |
| fwupd [23]               | New upstream release; use a CNAME to     |
|                          | redirect to the correct CDN for          |
|                          | metadata; do not abort startup if the    |
|                          | XML metadata file is invalid; add the    |
|                          | Linux Foundation public GPG keys for     |
|                          | firmware and metadata; raise the         |
|                          | metadata limit to 10MB                   |
|                          |                                          |
| glib-networking [24]     | Return bad identity error if identity is |
|                          | unset [CVE-2020-13645]                   |
|                          |                                          |
| gnutls28 [25]            | Fix memory corruption issue [CVE-2019-   |
|                          | 3829]; fix memory leak; add support for  |
|                          | zero length session tickets, fix         |
|                          | connection errors on TLS1.2 sessions to  |
|                          | some hosting providers                   |
|                          |                                          |
| gosa [26]                | Tighten check on LDAP success/failure    |
|                          | [CVE-2019-11187]; fix compatibility with |
|                          | newer PHP versions; backport several     |
|                          | other patches; replace (un)serialize     |
|                          | with json_encode/json_decode to mitigate |
|                          | PHP object injection [CVE-2019-14466]    |
|                          |                                          |
| heartbleeder [27]        | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| intel-microcode [28]     | Downgrade some microcodes to previously  |
|                          | released revisions, working around hangs |
|                          | on boot on Skylake-U/Y and Skylake Xeon  |
|                          | E3                                       |
|                          |                                          |
| iptables-persistent [29] | Don't fail if modprobe does              |
|                          |                                          |
| jackson-databind [30]    | Fix multiple security issues affecting   |
|                          | BeanDeserializerFactory [CVE-2020-9548   |
|                          | CVE-2020-9547 CVE-2020-9546 CVE-2020-    |
|                          | 8840 CVE-2020-14195 CVE-2020-14062       |
|                          | CVE-2020-14061 CVE-2020-14060 CVE-2020-  |
|                          | 11620 CVE-2020-11619 CVE-2020-11113      |
|                          | CVE-2020-11112 CVE-2020-11111 CVE-2020-  |
|                          | 10969 CVE-2020-10968 CVE-2020-10673      |
|                          | CVE-2020-10672 CVE-2019-20330 CVE-2019-  |
|                          | 17531 and CVE-2019-17267]                |
|                          |                                          |
| libbusiness-hours-       | Use explicit 4 digit years, fixing build |
| perl [31]                | and usage issues                         |
|                          |                                          |
| libclamunrar [32]        | New upstream stable release; add an      |
|                          | unversioned meta-package                 |
|                          |                                          |
| libdbi [33]              | Comment out _error_handler() call again, |
|                          | fixing issues with consumers             |
|                          |                                          |
| libembperl-perl [34]     | Handle error pages from Apache >= 2.4.40 |
|                          |                                          |
| libexif [35]             | Security fixes [CVE-2016-6328 CVE-2017-  |
|                          | 7544 CVE-2018-20030 CVE-2020-12767       |
|                          | CVE-2020-0093]; security fixes           |
|                          | [CVE-2020-13112 CVE-2020-13113 CVE-2020- |
|                          | 13114]; fix a buffer read overflow       |
|                          | [CVE-2020-0182] and an unsigned integer  |
|                          | overflow [CVE-2020-0198]                 |
|                          |                                          |
| libvncserver [36]        | Fix heap overflow [CVE-2019-15690]       |
|                          |                                          |
| linux [37]               | New upstream stable release; update ABI  |
|                          | to 4.9.0-13                              |
|                          |                                          |
| linux-latest [38]        | Update for 4.9.0-13 kernel ABI           |
|                          |                                          |
| mariadb-10.1 [39]        | New upstream stable release; security    |
|                          | fixes [CVE-2020-2752 CVE-2020-2812       |
|                          | CVE-2020-2814]                           |
|                          |                                          |
| megatools [40]           | Add support for the new format of        |
|                          | mega.nz links                            |
|                          |                                          |
| mod-gnutls [41]          | Avoid deprecated ciphersuites in test    |
|                          | suite; fix test failures when combined   |
|                          | with Apache's fix for CVE-2019-10092     |
|                          |                                          |
| mongo-tools [42]         | Rebuild against recent golang to pick up |
|                          | security fixes                           |
|                          |                                          |
| neon27 [43]              | Treat OpenSSL-related test failures as   |
|                          | non-fatal                                |
|                          |                                          |
| nfs-utils [44]           | Fix potential file overwrite             |
|                          | vulnerability [CVE-2019-3689]; don't     |
|                          | make all of /var/lib/nfs owned by the    |
|                          | statd user                               |
|                          |                                          |
| nginx [45]               | Fix error page request smuggling         |
|                          | vulnerability [CVE-2019-20372]           |
|                          |                                          |
| node-url-parse [46]      | Sanitize paths and hosts before parsing  |
|                          | [CVE-2018-3774]                          |
|                          |                                          |
| nvidia-graphics-         | New upstream stable release; new         |
| drivers [47]             | upstream stable release; security fixes  |
|                          | [CVE-2020-5963 CVE-2020-5967]            |
|                          |                                          |
| pcl [48]                 | Fix missing dependency on libvtk6-qt-dev |
|                          |                                          |
| perl [49]                | Fix multiple regular expression related  |
|                          | security issues [CVE-2020-10543          |
|                          | CVE-2020-10878 CVE-2020-12723]           |
|                          |                                          |
| php-horde [50]           | Fix cross-site scripting vulnerability   |
|                          | [CVE-2020-8035]                          |
|                          |                                          |
| php-horde-data [51]      | Fix authenticated remote code execution  |
|                          | vulnerability [CVE-2020-8518]            |
|                          |                                          |
| php-horde-form [52]      | Fix authenticated remote code execution  |
|                          | vulnerability [CVE-2020-8866]            |
|                          |                                          |
| php-horde-gollem [53]    | Fix cross-site scripting vulnerability   |
|                          | in breadcrumb output [CVE-2020-8034]     |
|                          |                                          |
| php-horde-trean [54]     | Fix authenticated remote code execution  |
|                          | vulnerability [CVE-2020-8865]            |
|                          |                                          |
| phpmyadmin [55]          | Several security fixes [CVE-2018-19968   |
|                          | CVE-2018-19970 CVE-2018-7260 CVE-2019-   |
|                          | 11768 CVE-2019-12616 CVE-2019-6798       |
|                          | CVE-2019-6799 CVE-2020-10802 CVE-2020-   |
|                          | 10803 CVE-2020-10804 CVE-2020-5504]      |
|                          |                                          |
| postfix [56]             | New upstream stable release              |
|                          |                                          |
| proftpd-dfsg [57]        | Fix handling SSH_MSG_IGNORE packets      |
|                          |                                          |
| python-icalendar [58]    | Fix Python3 dependencies                 |
|                          |                                          |
| rails [59]               | Fix possible cross-site scripting via    |
|                          | Javascript escape helper [CVE-2020-5267] |
|                          |                                          |
| rake [60]                | Fix command injection vulnerability      |
|                          | [CVE-2020-8130]                          |
|                          |                                          |
| roundcube [61]           | Fix cross-site scripting issue via HTML  |
|                          | messages with malicious svg/namespace    |
|                          | [CVE-2020-15562]                         |
|                          |                                          |
| ruby-json [62]           | Fix unsafe object creation vulnerability |
|                          | [CVE-2020-10663]                         |
|                          |                                          |
| ruby2.3 [63]             | Fix unsafe object creation vulnerability |
|                          | [CVE-2020-10663]                         |
|                          |                                          |
| sendmail [64]            | Fix finding the queue runner control     |
|                          | process in  "split daemon"  mode,        |
|                          | "NOQUEUE: connect from (null)" , removal |
|                          | failure when using BTRFS                 |
|                          |                                          |
| sogo-connector [65]      | New upstream version, compatible with    |
|                          | newer Thunderbird versions               |
|                          |                                          |
| ssvnc [66]               | Fix out-of-bounds write [CVE-2018-       |
|                          | 20020], infinite loop [CVE-2018-20021],  |
|                          | improper initialisation [CVE-2018-       |
|                          | 20022], potential denial-of-service      |
|                          | [CVE-2018-20024]                         |
|                          |                                          |
| storebackup [67]         | Fix possible privilege escalation        |
|                          | vulnerability [CVE-2020-7040]            |
|                          |                                          |
| swt-gtk [68]             | Fix missing dependency on                |
|                          | libwebkitgtk-1.0-0                       |
|                          |                                          |
| tinyproxy [69]           | Create PID file before dropping          |
|                          | privileges to non-root account           |
|                          | [CVE-2017-11747]                         |
|                          |                                          |
| tzdata [70]              | New upstream stable release              |
|                          |                                          |
| websockify [71]          | Fix missing dependency on python{3,}-    |
|                          | pkg-resources                            |
|                          |                                          |
| wpa [72]                 | Fix AP mode PMF disconnection protection |
|                          | bypass [CVE-2019-16275]; fix MAC         |
|                          | randomisation issues with some cards     |
|                          |                                          |
| xdg-utils [73]           | Sanitise window name before sending it   |
|                          | over D-Bus; correctly handle directories |
|                          | with names containing spaces; create the |
|                          | "applications"  directory if needed      |
|                          |                                          |
| xml-security-c [74]      | Fix length calculation in the concat     |
|                          | method                                   |
|                          |                                          |
| xtrlock [75]             | Fix blocking of (some) multitouch        |
|                          | devices while locked [CVE-2016-10894]    |
|                          |                                          |
+--------------------------+------------------------------------------+

 

Security Updates
----------------

This revision adds the following security updates to the oldstable
release. The Security Team has already released an advisory for each of
these updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4005 [76]  | openjfx [77]               |
|                |                            |
| DSA-4255 [78]  | ant [79]                   |
|                |                            |
| DSA-4352 [80]  | chromium-browser [81]      |
|                |                            |
| DSA-4379 [82]  | golang-1.7 [83]            |
|                |                            |
| DSA-4380 [84]  | golang-1.8 [85]            |
|                |                            |
| DSA-4395 [86]  | chromium [87]              |
|                |                            |
| DSA-4421 [88]  | chromium [89]              |
|                |                            |
| DSA-4616 [90]  | qemu [91]                  |
|                |                            |
| DSA-4617 [92]  | qtbase-opensource-src [93] |
|                |                            |
| DSA-4618 [94]  | libexif [95]               |
|                |                            |
| DSA-4619 [96]  | libxmlrpc3-java [97]       |
|                |                            |
| DSA-4620 [98]  | firefox-esr [99]           |
|                |                            |
| DSA-4621 [100] | openjdk-8 [101]            |
|                |                            |
| DSA-4622 [102] | postgresql-9.6 [103]       |
|                |                            |
| DSA-4624 [104] | evince [105]               |
|                |                            |
| DSA-4625 [106] | thunderbird [107]          |
|                |                            |
| DSA-4628 [108] | php7.0 [109]               |
|                |                            |
| DSA-4629 [110] | python-django [111]        |
|                |                            |
| DSA-4630 [112] | python-pysaml2 [113]       |
|                |                            |
| DSA-4631 [114] | pillow [115]               |
|                |                            |
| DSA-4632 [116] | ppp [117]                  |
|                |                            |
| DSA-4633 [118] | curl [119]                 |
|                |                            |
| DSA-4634 [120] | opensmtpd [121]            |
|                |                            |
| DSA-4635 [122] | proftpd-dfsg [123]         |
|                |                            |
| DSA-4637 [124] | network-manager-ssh [125]  |
|                |                            |
| DSA-4639 [126] | firefox-esr [127]          |
|                |                            |
| DSA-4640 [128] | graphicsmagick [129]       |
|                |                            |
| DSA-4642 [130] | thunderbird [131]          |
|                |                            |
| DSA-4646 [132] | icu [133]                  |
|                |                            |
| DSA-4647 [134] | bluez [135]                |
|                |                            |
| DSA-4648 [136] | libpam-krb5 [137]          |
|                |                            |
| DSA-4650 [138] | qbittorrent [139]          |
|                |                            |
| DSA-4653 [140] | firefox-esr [141]          |
|                |                            |
| DSA-4655 [142] | firefox-esr [143]          |
|                |                            |
| DSA-4656 [144] | thunderbird [145]          |
|                |                            |
| DSA-4657 [146] | git [147]                  |
|                |                            |
| DSA-4659 [148] | git [149]                  |
|                |                            |
| DSA-4660 [150] | awl [151]                  |
|                |                            |
| DSA-4663 [152] | python-reportlab [153]     |
|                |                            |
| DSA-4664 [154] | mailman [155]              |
|                |                            |
| DSA-4666 [156] | openldap [157]             |
|                |                            |
| DSA-4668 [158] | openjdk-8 [159]            |
|                |                            |
| DSA-4670 [160] | tiff [161]                 |
|                |                            |
| DSA-4671 [162] | vlc [163]                  |
|                |                            |
| DSA-4673 [164] | tomcat8 [165]              |
|                |                            |
| DSA-4674 [166] | roundcube [167]            |
|                |                            |
| DSA-4675 [168] | graphicsmagick [169]       |
|                |                            |
| DSA-4676 [170] | salt [171]                 |
|                |                            |
| DSA-4677 [172] | wordpress [173]            |
|                |                            |
| DSA-4678 [174] | firefox-esr [175]          |
|                |                            |
| DSA-4683 [176] | thunderbird [177]          |
|                |                            |
| DSA-4685 [178] | apt [179]                  |
|                |                            |
| DSA-4686 [180] | apache-log4j1.2 [181]      |
|                |                            |
| DSA-4687 [182] | exim4 [183]                |
|                |                            |
| DSA-4688 [184] | dpdk [185]                 |
|                |                            |
| DSA-4689 [186] | bind9 [187]                |
|                |                            |
| DSA-4692 [188] | netqmail [189]             |
|                |                            |
| DSA-4693 [190] | drupal7 [191]              |
|                |                            |
| DSA-4695 [192] | firefox-esr [193]          |
|                |                            |
| DSA-4698 [194] | linux [195]                |
|                |                            |
| DSA-4700 [196] | roundcube [197]            |
|                |                            |
| DSA-4701 [198] | intel-microcode [199]      |
|                |                            |
| DSA-4702 [200] | thunderbird [201]          |
|                |                            |
| DSA-4703 [202] | mysql-connector-java [203] |
|                |                            |
| DSA-4704 [204] | vlc [205]                  |
|                |                            |
| DSA-4705 [206] | python-django [207]        |
|                |                            |
| DSA-4706 [208] | drupal7 [209]              |
|                |                            |
| DSA-4707 [210] | mutt [211]                 |
|                |                            |
| DSA-4711 [212] | coturn [213]               |
|                |                            |
| DSA-4713 [214] | firefox-esr [215]          |
|                |                            |
| DSA-4715 [216] | imagemagick [217]          |
|                |                            |
| DSA-4717 [218] | php7.0 [219]               |
|                |                            |
| DSA-4718 [220] | thunderbird [221]          |
|                |                            |
+----------------+----------------------------+

 

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+------------------------------+---------------------------------------+
| Package                      | Reason                                |
+------------------------------+---------------------------------------+
| certificatepatrol [222]      | Incompatible with newer Firefox ESR   |
|                              | versions                              |
|                              |                                       |
| colorediffs-extension [223]  | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| dynalogin [224]              | Depends on to-be-removed simpleid     |
|                              |                                       |
| enigmail [225]               | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| firefox-esr [226]            | [armel] No longer supported (requires |
|                              | nodejs)                               |
|                              |                                       |
| firefox-esr [226]            | [mips mipsel mips64el] No longer      |
|                              | supported (needs newer rustc)         |
|                              |                                       |
| getlive [227]                | Broken due to Hotmail changes         |
|                              |                                       |
| gplaycli [228]               | Broken by Google API changes          |
|                              |                                       |
| kerneloops [229]             | Upstream service no longer available  |
|                              |                                       |
| libmicrodns [230]            | Security issues                       |
|                              |                                       |
| libperlspeak-perl [231]      | Security issues; unmaintained         |
|                              |                                       |
| mathematica-fonts [232]      | Relies on unavailable download        |
|                              | location                              |
|                              |                                       |
| pdns-recursor [233]          | Security issues; unsupported          |
|                              |                                       |
| predictprotein [234]         | Depends on to-be-removed profphd      |
|                              |                                       |
| profphd [235]                | Unusable                              |
|                              |                                       |
| quotecolors [236]            | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| selenium-firefoxdriver [237] | Incompatible with newer Firefox ESR   |
|                              | versions                              |
|                              |                                       |
| simpleid [238]               | Does not work with PHP7               |
|                              |                                       |
| simpleid-ldap [239]          | Depends on to-be-removed simpleid     |
|                              |                                       |
| torbirdy [240]               | Incompatible with newer Thunderbird   |
|                              | versions                              |
|                              |                                       |
| weboob [241]                 | Unmaintained; already removed from    |
|                              | later releases                        |
|                              |                                       |
| yahoo2mbox [242]             | Broken for several years              |
|                              |                                       |
+------------------------------+---------------------------------------+

 

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
oldstable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/stretch/ChangeLog


The current oldstable distribution:

http://ftp.debian.org/debian/dists/oldstable/

 

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4728-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 
                 CVE-2020-13754 CVE-2020-13659
Debian Bug     : 964247 961887 961887 961888

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u6.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4729-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libopenmpt
CVE ID         : CVE-2019-14380 CVE-2019-17113

Two security issues were found in libopenmpt, a cross-platform C++ and
C library to decode tracked music files, which could result in denial of
service and potentially the execution of arbitrary if malformed music
files are processed.

For the stable distribution (buster), these problems have been fixed in
version 0.4.3-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4730-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-sanitize
CVE ID         : CVE-2020-4054
Debian Bug     : 963808

Michal Bentkowski discovered that ruby-sanitize, a whitelist-based HTML
sanitizer, is prone to a HTML sanitization bypass vulnerability when
using the "relaxed" or a custom config allowing certain elements.
Content in a <math> or <svg> element may not be sanitized correctly even
if math and svg are not in the allowlist.

For the stable distribution (buster), this problem has been fixed in
version 4.6.6-2.1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4731-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 19, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2020-14147

An integer overflow flaw leading to a stack-based buffer overflow was
discovered in redis, a persistent key-value database. A remote attacker
can use this flaw to cause a denial of service (application crash).

For the stable distribution (buster), this problem has been fixed in
version 5:5.0.3-4+deb10u2.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4732-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 21, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2019-18860 CVE-2020-1504

Two security issues were discovered in the Squid proxy caching
server, which could result in cache poisoning, request smuggling
and incomplete validation of hostnames in cachemgr.cgi.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u3.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4733-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 24, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-8608
Debian Bug     : 964793

It was discovered that incorrect memory handling in the SLIRP networking
implementation could result in denial of service or potentially the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1:3.1+dfsg-8+deb10u7. In addition this update fixes a regression
caused by the patch for CVE-2020-13754, which could lead to startup
failures in some Xen setups.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4734-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 26, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2020-14556 CVE-2020-14562 CVE-2020-14573 CVE-2020-14577 
                 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 
                 CVE-2020-14593 CVE-2020-14621

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
resulting in denial of service, bypass of access/sandbox restrictions or
information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 11.0.8+10-1~deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4735-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
CVE ID         : CVE-2020-10713 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310
                 CVE-2020-14311 CVE-2020-15706 CVE-2020-15707

Several vulnerabilities have been discovered in the GRUB2 bootloader.

CVE-2020-10713

    A flaw in the grub.cfg parsing code was found allowing to break
    UEFI Secure Boot and load arbitrary code. Details can be found at
    https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/

CVE-2020-14308

    It was discovered that grub_malloc does not validate the allocation
    size allowing for arithmetic overflow and subsequently a heap-based
    buffer overflow.

CVE-2020-14309

    An integer overflow in grub_squash_read_symlink may lead to a heap-
    based buffer overflow.

CVE-2020-14310

    An integer overflow in read_section_from_string may lead to a heap-
    based buffer overflow.

CVE-2020-14311

    An integer overflow in grub_ext2_read_link may lead to a heap-based
    buffer overflow.

CVE-2020-15706

    script: Avoid a use-after-free when redefining a function during
    execution.

CVE-2020-15707

    An integer overflow flaw was found in the initrd size handling.

Further detailed information can be found at
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot

For the stable distribution (buster), these problems have been fixed in
version 2.02+dfsg1-20+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4736-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution of
arbitrary code or an information leak.

For the stable distribution (buster), these problems have been fixed in
version 68.11.0esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4737-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 29, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xrdp
CVE ID         : CVE-2020-4044
Debian Bug     : 964573

Ashley Newson discovered that the XRDP sessions manager was susceptible
to denial of service. A local attacker can further take advantage of
this flaw to impersonate the XRDP sessions manager and capture any user
credentials that are submitted to XRDP, approve or reject arbitrary
login credentials or to hijack existing sessions for xorgxrdp sessions.

For the stable distribution (buster), this problem has been fixed in
version 0.9.9-1+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4735-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
July 30, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
Debian Bug     : 966554

The update for grub2 released as DSA 4735-1 caused a boot-regression
when chainloading another bootlaoder and breaking notably dual-boot with
Windows. Updated grub2 packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 2.02+dfsg1-20+deb10u2.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4738-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 31, 2020                         https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ark
CVE ID         : CVE-2020-16116

Dominik Penner discovered that the Ark archive manager did not sanitise
extraction paths, which could result in maliciously crafted archives
writing outside the extraction directory.

For the stable distribution (buster), this problem has been fixed in
version 4:18.08.3-1+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.5 released                        press@debian.org
August 1st, 2020               https://www.debian.org/News/2020/20200801
------------------------------------------------------------------------


The Debian project is pleased to announce the fifth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

This point release also addresses Debian Security Advisory: DSA-4735-1
grub2 -- security update [1] which covers multiple CVE issues regarding
the GRUB2 UEFI SecureBoot 'BootHole' vulnerability [2].

    1: https://www.debian.org/security/2020/dsa-4735
    2: https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+------------------------------------------+
| Package                   | Reason                                   |
+---------------------------+------------------------------------------+
| appstream-glib [3]        | Fix build failures in 2020 and later     |
|                           |                                          |
| asunder [4]               | Use gnudb instead of freedb by default   |
|                           |                                          |
| b43-fwcutter [5]          | Ensure removal succeeds under non-       |
|                           | English locales; do not fail removal if  |
|                           | some files no longer exist; fix missing  |
|                           | dependencies on pciutils and ca-         |
|                           | certificates                             |
|                           |                                          |
| balsa [6]                 | Provide server identity when validating  |
|                           | certificates, allowing successful        |
|                           | validation when using the glib-          |
|                           | networking patch for CVE-2020-13645      |
|                           |                                          |
| base-files [7]            | Update for the point release             |
|                           |                                          |
| batik [8]                 | Fix server-side request forgery via      |
|                           | xlink:href attributes [CVE-2019-17566]   |
|                           |                                          |
| borgbackup [9]            | Fix index corruption bug leading to data |
|                           | loss                                     |
|                           |                                          |
| bundler [10]              | Update required version of ruby-         |
|                           | molinillo                                |
|                           |                                          |
| c-icap-modules [11]       | Add support for ClamAV 0.102             |
|                           |                                          |
| cacti [12]                | Fix issue where UNIX timestamps after    |
|                           | September 13th 2020 were rejected as     |
|                           | graph start / end; fix remote code       |
|                           | execution [CVE-2020-7237], cross-site    |
|                           | scripting [CVE-2020-7106], CSRF issue    |
|                           | [CVE-2020-13231]; disabling a user       |
|                           | account does not immediately invalidate  |
|                           | permissions [CVE-2020-13230]             |
|                           |                                          |
| calamares-settings-       | Enable displaymanager module, fixing     |
| debian [13]               | autologin options; use xdg-user-dir to   |
|                           | specify Desktop directory                |
|                           |                                          |
| clamav [14]               | New upstream release; security fixes     |
|                           | [CVE-2020-3327 CVE-2020-3341 CVE-2020-   |
|                           | 3350 CVE-2020-3327 CVE-2020-3481]        |
|                           |                                          |
| cloud-init [15]           | New upstream release                     |
|                           |                                          |
| commons-                  | Prevent object creation when loading     |
| configuration2 [16]       | YAML files [CVE-2020-1953]               |
|                           |                                          |
| confget [17]              | Fix the Python module's handling of      |
|                           | values containing  "="                   |
|                           |                                          |
| dbus [18]                 | New upstream stable release; prevent a   |
|                           | denial of service issue [CVE-2020-       |
|                           | 12049]; prevent use-after-free if two    |
|                           | usernames share a uid                    |
|                           |                                          |
| debian-edu-config [19]    | Fix loss of dynamically allocated IPv4   |
|                           | address                                  |
|                           |                                          |
| debian-installer [20]     | Update Linux ABI to 4.19.0-10            |
|                           |                                          |
| debian-installer-netboot- | Rebuild against proposed-updates         |
| images [21]               |                                          |
|                           |                                          |
| debian-ports-archive-     | Increase the expiration date of the 2020 |
| keyring [22]              | key (84C573CD4E1AFD6C) by one year; add  |
|                           | Debian Ports Archive Automatic Signing   |
|                           | Key (2021); move the 2018 key (ID:       |
|                           | 06AED62430CB581C) to the removed keyring |
|                           |                                          |
| debian-security-          | Update support status of several         |
| support [23]              | packages                                 |
|                           |                                          |
| dpdk [24]                 | New upstream release                     |
|                           |                                          |
| exiv2 [25]                | Adjust overly restrictive security patch |
|                           | [CVE-2018-10958 and CVE-2018-10999]; fix |
|                           | denial of service issue [CVE-2018-16336] |
|                           |                                          |
| fdroidserver [26]         | Fix Litecoin address validation          |
|                           |                                          |
| file-roller [27]          | Security fix [CVE-2020-11736]            |
|                           |                                          |
| freerdp2 [28]             | Fix smartcard logins; security fixes     |
|                           | [CVE-2020-11521 CVE-2020-11522 CVE-2020- |
|                           | 11523 CVE-2020-11524 CVE-2020-11525      |
|                           | CVE-2020-11526]                          |
|                           |                                          |
| fwupd [29]                | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-amd64-signed [30]   | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-arm64-signed [31]   | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-armhf-signed [32]   | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupd-i386-signed [33]    | New upstream release; fix possible       |
|                           | signature verification issue [CVE-2020-  |
|                           | 10759]; use rotated Debian signing keys  |
|                           |                                          |
| fwupdate [34]             | Use rotated Debian signing keys          |
|                           |                                          |
| fwupdate-amd64-           | Use rotated Debian signing keys          |
| signed [35]               |                                          |
|                           |                                          |
| fwupdate-arm64-           | Use rotated Debian signing keys          |
| signed [36]               |                                          |
|                           |                                          |
| fwupdate-armhf-           | Use rotated Debian signing keys          |
| signed [37]               |                                          |
|                           |                                          |
| fwupdate-i386-signed [38] | Use rotated Debian signing keys          |
|                           |                                          |
| gist [39]                 | Avoid deprecated authorization API       |
|                           |                                          |
| glib-networking [40]      | Return bad identity error if identity is |
|                           | unset [CVE-2020-13645]; break balsa      |
|                           | older than 2.5.6-2+deb10u1 as the fix    |
|                           | for CVE-2020-13645 breaks balsa's        |
|                           | certificate verification                 |
|                           |                                          |
| gnutls28 [41]             | Fix TL1.2 resumption errors; fix memory  |
|                           | leak; handle zero length session         |
|                           | tickets, fixing connection errors on     |
|                           | TLS1.2 sessions to some big hosting      |
|                           | providers; fix verification error with   |
|                           | alternate chains                         |
|                           |                                          |
| intel-microcode [42]      | Downgrade some microcodes to previously  |
|                           | issued versions, working around hangs on |
|                           | boot on Skylake-U/Y and Skylake Xeon E3  |
|                           |                                          |
| jackson-databind [43]     | Fix multiple security issues affecting   |
|                           | BeanDeserializerFactory [CVE-2020-9548   |
|                           | CVE-2020-9547 CVE-2020-9546 CVE-2020-    |
|                           | 8840 CVE-2020-14195 CVE-2020-14062       |
|                           | CVE-2020-14061 CVE-2020-14060 CVE-2020-  |
|                           | 11620 CVE-2020-11619 CVE-2020-11113      |
|                           | CVE-2020-11112 CVE-2020-11111 CVE-2020-  |
|                           | 10969 CVE-2020-10968 CVE-2020-10673      |
|                           | CVE-2020-10672 CVE-2019-20330 CVE-2019-  |
|                           | 17531 and CVE-2019-17267]                |
|                           |                                          |
| jameica [44]              | Add mckoisqldb to classpath, allowing    |
|                           | use of SynTAX plugin                     |
|                           |                                          |
| jigdo [45]                | Fix HTTPS support in jigdo-lite and      |
|                           | jigdo-mirror                             |
|                           |                                          |
| ksh [46]                  | Fix environment variable restriction     |
|                           | issue [CVE-2019-14868]                   |
|                           |                                          |
| lemonldap-ng [47]         | Fix nginx configuration regression       |
|                           | introduced by the fix for CVE-2019-19791 |
|                           |                                          |
| libapache-mod-jk [48]     | Rename Apache configuration file so it   |
|                           | can be automatically enabled and         |
|                           | disabled                                 |
|                           |                                          |
| libclamunrar [49]         | New upstream stable release; add an      |
|                           | unversioned meta-package                 |
|                           |                                          |
| libembperl-perl [50]      | Handle error pages from Apache >= 2.4.40 |
|                           |                                          |
| libexif [51]              | Security fixes [CVE-2020-12767 CVE-2020- |
|                           | 0093 CVE-2020-13112 CVE-2020-13113       |
|                           | CVE-2020-13114]; fix buffer overflow     |
|                           | [CVE-2020-0182] and integer overflow     |
|                           | [CVE-2020-0198]                          |
|                           |                                          |
| libinput [52]             | Quirks: add trackpoint integration       |
|                           | attribute                                |
|                           |                                          |
| libntlm [53]              | Fix buffer overflow [CVE-2019-17455]     |
|                           |                                          |
| libpam-radius-auth [54]   | Fix buffer overflow in password field    |
|                           | [CVE-2015-9542]                          |
|                           |                                          |
| libunwind [55]            | Fix segfaults on mips; manually enable C |
|                           | ++ exception support only on i386 and    |
|                           | amd64                                    |
|                           |                                          |
| libyang [56]              | Fix cache corruption crash, CVE-2019-    |
|                           | 19333, CVE-2019-19334                    |
|                           |                                          |
| linux [57]                | New upstream stable release              |
|                           |                                          |
| linux-latest [58]         | Update for 4.19.0-10 kernel ABI          |
|                           |                                          |
| linux-signed-amd64 [59]   | New upstream stable release              |
|                           |                                          |
| linux-signed-arm64 [60]   | New upstream stable release              |
|                           |                                          |
| linux-signed-i386 [61]    | New upstream stable release              |
|                           |                                          |
| lirc [62]                 | Fix conffile management                  |
|                           |                                          |
| mailutils [63]            | maidag: drop setuid privileges for all   |
|                           | delivery operations but mda [CVE-2019-   |
|                           | 18862]                                   |
|                           |                                          |
| mariadb-10.3 [64]         | New upstream stable release; security    |
|                           | fixes [CVE-2020-2752 CVE-2020-2760       |
|                           | CVE-2020-2812 CVE-2020-2814 CVE-2020-    |
|                           | 13249]; fix regression in RocksDB ZSTD   |
|                           | detection                                |
|                           |                                          |
| mod-gnutls [65]           | Fix a possible segfault on failed TLS    |
|                           | handshake; fix test failures             |
|                           |                                          |
| multipath-tools [66]      | kpartx: use correct path to partx in     |
|                           | udev rule                                |
|                           |                                          |
| mutt [67]                 | Don't check IMAP PREAUTH encryption if   |
|                           | $tunnel is in use                        |
|                           |                                          |
| mydumper [68]             | Link against libm                        |
|                           |                                          |
| nfs-utils [69]            | statd: take user-id from /var/lib/nfs/sm |
|                           | [CVE-2019-3689]; don't make /var/lib/nfs |
|                           | owned by statd                           |
|                           |                                          |
| nginx [70]                | Fix error page request smuggling         |
|                           | vulnerability [CVE-2019-20372]           |
|                           |                                          |
| nmap [71]                 | Update default key size to 2048 bits     |
|                           |                                          |
| node-dot-prop [72]        | Fix regression introduced in CVE-2020-   |
|                           | 8116 fix                                 |
|                           |                                          |
| node-handlebars [73]      | Disallow calling  "helperMissing"  and   |
|                           | "blockHelperMissing"  directly           |
|                           | [CVE-2019-19919]                         |
|                           |                                          |
| node-minimist [74]        | Fix prototype pollution [CVE-2020-7598]  |
|                           |                                          |
| nvidia-graphics-          | New upstream stable release; security    |
| drivers [75]              | fixes [CVE-2020-5963 CVE-2020-5967]      |
|                           |                                          |
| nvidia-graphics-drivers-  | New upstream stable release; security    |
| legacy-390xx [76]         | fixes [CVE-2020-5963 CVE-2020-5967]      |
|                           |                                          |
| openstack-debian-         | Install resolvconf if installing cloud-  |
| images [77]               | init                                     |
|                           |                                          |
| pagekite [78]             | Avoid issues with expiry of shipped SSL  |
|                           | certificates by using those from the ca- |
|                           | certificates package                     |
|                           |                                          |
| pdfchain [79]             | Fix crash at startup                     |
|                           |                                          |
| perl [80]                 | Fix multiple regular expression related  |
|                           | security issues [CVE-2020-10543          |
|                           | CVE-2020-10878 CVE-2020-12723]           |
|                           |                                          |
| php-horde [81]            | Fix cross-site scripting vulnerability   |
|                           | [CVE-2020-8035]                          |
|                           |                                          |
| php-horde-gollem [82]     | Fix cross-site scripting vulnerability   |
|                           | in breadcrumb output [CVE-2020-8034]     |
|                           |                                          |
| pillow [83]               | Fix multiple out-of-bounds read issues   |
|                           | [CVE-2020-11538 CVE-2020-10378 CVE-2020- |
|                           | 10177]                                   |
|                           |                                          |
| policyd-rate-limit [84]   | Fix issues in accounting due to socket   |
|                           | reuse                                    |
|                           |                                          |
| postfix [85]              | New upstream stable release; fix         |
|                           | segfault in the tlsproxy client role     |
|                           | when the server role was disabled; fix   |
|                           | "maillog_file_rotate_suffix default      |
|                           | value used the minute instead of the     |
|                           | month" ; fix several TLS related issues; |
|                           | README.Debian fixes                      |
|                           |                                          |
| python-markdown2 [86]     | Fix cross-site scripting issue           |
|                           | [CVE-2020-11888]                         |
|                           |                                          |
| python3.7 [87]            | Avoid infinite loop when reading         |
|                           | specially crafted TAR files using the    |
|                           | tarfile module [CVE-2019-20907]; resolve |
|                           | hash collisions for IPv4Interface and    |
|                           | IPv6Interface [CVE-2020-14422]; fix      |
|                           | denial of service issue in               |
|                           | urllib.request.AbstractBasicAuthHandler  |
|                           | [CVE-2020-8492]                          |
|                           |                                          |
| qdirstat [88]             | Fix saving of user-configured MIME       |
|                           | categories                               |
|                           |                                          |
| raspi3-firmware [89]      | Fix typo that could lead to unbootable   |
|                           | systems                                  |
|                           |                                          |
| resource-agents [90]      | IPsrcaddr: make  "proto"  optional to    |
|                           | fix regression when used without         |
|                           | NetworkManager                           |
|                           |                                          |
| ruby-json [91]            | Fix unsafe object creation vulnerability |
|                           | [CVE-2020-10663]                         |
|                           |                                          |
| shim [92]                 | Use rotated Debian signing keys          |
|                           |                                          |
| shim-helpers-amd64-       | Use rotated Debian signing keys          |
| signed [93]               |                                          |
|                           |                                          |
| shim-helpers-arm64-       | Use rotated Debian signing keys          |
| signed [94]               |                                          |
|                           |                                          |
| shim-helpers-i386-        | Use rotated Debian signing keys          |
| signed [95]               |                                          |
|                           |                                          |
| speedtest-cli [96]        | Pass correct headers to fix upload speed |
|                           | test                                     |
|                           |                                          |
| ssvnc [97]                | Fix out-of-bounds write [CVE-2018-       |
|                           | 20020], infinite loop [CVE-2018-20021],  |
|                           | improper initialisation [CVE-2018-       |
|                           | 20022], potential denial-of-service      |
|                           | [CVE-2018-20024]                         |
|                           |                                          |
| storebackup [98]          | Fix possible privilege escalation        |
|                           | vulnerability [CVE-2020-7040]            |
|                           |                                          |
| suricata [99]             | Fix dropping privileges in nflog runmode |
|                           |                                          |
| tigervnc [100]            | Don't use libunwind on armel, armhf or   |
|                           | arm64                                    |
|                           |                                          |
| transmission [101]        | Fix possible denial of service issue     |
|                           | [CVE-2018-10756]                         |
|                           |                                          |
| wav2cdr [102]             | Use C99 fixed-size integer types to fix  |
|                           | runtime assertion on 64bit architectures |
|                           | other than amd64 and alpha               |
|                           |                                          |
| zipios++ [103]            | Security fix [CVE-2019-13453]            |
|                           |                                          |
+---------------------------+------------------------------------------+

 

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+-----------------------------+
| Advisory ID    | Package                     |
+----------------+-----------------------------+
| DSA-4626 [104] | php7.3 [105]                |
|                |                             |
| DSA-4674 [106] | roundcube [107]             |
|                |                             |
| DSA-4675 [108] | graphicsmagick [109]        |
|                |                             |
| DSA-4676 [110] | salt [111]                  |
|                |                             |
| DSA-4677 [112] | wordpress [113]             |
|                |                             |
| DSA-4678 [114] | firefox-esr [115]           |
|                |                             |
| DSA-4679 [116] | keystone [117]              |
|                |                             |
| DSA-4680 [118] | tomcat9 [119]               |
|                |                             |
| DSA-4681 [120] | webkit2gtk [121]            |
|                |                             |
| DSA-4682 [122] | squid [123]                 |
|                |                             |
| DSA-4683 [124] | thunderbird [125]           |
|                |                             |
| DSA-4684 [126] | libreswan [127]             |
|                |                             |
| DSA-4685 [128] | apt [129]                   |
|                |                             |
| DSA-4686 [130] | apache-log4j1.2 [131]       |
|                |                             |
| DSA-4687 [132] | exim4 [133]                 |
|                |                             |
| DSA-4688 [134] | dpdk [135]                  |
|                |                             |
| DSA-4689 [136] | bind9 [137]                 |
|                |                             |
| DSA-4690 [138] | dovecot [139]               |
|                |                             |
| DSA-4691 [140] | pdns-recursor [141]         |
|                |                             |
| DSA-4692 [142] | netqmail [143]              |
|                |                             |
| DSA-4694 [144] | unbound [145]               |
|                |                             |
| DSA-4695 [146] | firefox-esr [147]           |
|                |                             |
| DSA-4696 [148] | nodejs [149]                |
|                |                             |
| DSA-4697 [150] | gnutls28 [151]              |
|                |                             |
| DSA-4699 [152] | linux-signed-amd64 [153]    |
|                |                             |
| DSA-4699 [154] | linux-signed-arm64 [155]    |
|                |                             |
| DSA-4699 [156] | linux-signed-i386 [157]     |
|                |                             |
| DSA-4699 [158] | linux [159]                 |
|                |                             |
| DSA-4700 [160] | roundcube [161]             |
|                |                             |
| DSA-4701 [162] | intel-microcode [163]       |
|                |                             |
| DSA-4702 [164] | thunderbird [165]           |
|                |                             |
| DSA-4704 [166] | vlc [167]                   |
|                |                             |
| DSA-4705 [168] | python-django [169]         |
|                |                             |
| DSA-4707 [170] | mutt [171]                  |
|                |                             |
| DSA-4708 [172] | neomutt [173]               |
|                |                             |
| DSA-4709 [174] | wordpress [175]             |
|                |                             |
| DSA-4710 [176] | trafficserver [177]         |
|                |                             |
| DSA-4711 [178] | coturn [179]                |
|                |                             |
| DSA-4712 [180] | imagemagick [181]           |
|                |                             |
| DSA-4713 [182] | firefox-esr [183]           |
|                |                             |
| DSA-4714 [184] | chromium [185]              |
|                |                             |
| DSA-4716 [186] | docker.io [187]             |
|                |                             |
| DSA-4718 [188] | thunderbird [189]           |
|                |                             |
| DSA-4719 [190] | php7.3 [191]                |
|                |                             |
| DSA-4720 [192] | roundcube [193]             |
|                |                             |
| DSA-4721 [194] | ruby2.5 [195]               |
|                |                             |
| DSA-4722 [196] | ffmpeg [197]                |
|                |                             |
| DSA-4723 [198] | xen [199]                   |
|                |                             |
| DSA-4724 [200] | webkit2gtk [201]            |
|                |                             |
| DSA-4725 [202] | evolution-data-server [203] |
|                |                             |
| DSA-4726 [204] | nss [205]                   |
|                |                             |
| DSA-4727 [206] | tomcat9 [207]               |
|                |                             |
| DSA-4728 [208] | qemu [209]                  |
|                |                             |
| DSA-4729 [210] | libopenmpt [211]            |
|                |                             |
| DSA-4730 [212] | ruby-sanitize [213]         |
|                |                             |
| DSA-4731 [214] | redis [215]                 |
|                |                             |
| DSA-4732 [216] | squid [217]                 |
|                |                             |
| DSA-4733 [218] | qemu [219]                  |
|                |                             |
| DSA-4735 [220] | grub-efi-amd64-signed [221] |
|                |                             |
| DSA-4735 [222] | grub-efi-arm64-signed [223] |
|                |                             |
| DSA-4735 [224] | grub-efi-ia32-signed [225]  |
|                |                             |
| DSA-4735 [226] | grub2 [227]                 |
|                |                             |
+----------------+-----------------------------+

 

Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+--------------------------------+------------------------------------+
| Package                        | Reason                             |
+--------------------------------+------------------------------------+
| golang-github-unknwon-         | Security issues; unmaintained      |
| cae [228]                      |                                    |
|                                |                                    |
| janus [229]                    | Not supportable in stable          |
|                                |                                    |
| mathematica-fonts [230]        | Relies on unavailable download     |
|                                | location                           |
|                                |                                    |
| matrix-synapse [231]           | Security issues; unsupportable     |
|                                |                                    |
| selenium-firefoxdriver [232]   | Incompatible with newer Firefox    |
|                                | ESR versions                       |
|                                |                                    |
+--------------------------------+------------------------------------+

 

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4740-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 02, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

Multiple security issues have been found in Thunderbird which could
result in denial of service or potentially the execution of arbitrary
code.

For the stable distribution (buster), these problems have been fixed in
version 1:68.11.0-1~deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4739-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
August 03, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895
                 CVE-2020-9915 CVE-2020-9925

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-9862

    Ophir Lojkine discovered that copying a URL from the Web Inspector
    may lead to command injection.

CVE-2020-9893

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9894

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9895

    Wen Xu discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9915

    Ayoub Ait Elmokhtar discovered that processing maliciously crafted
    web content may prevent Content Security Policy from being
    enforced.

CVE-2020-9925

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

For the stable distribution (buster), these problems have been fixed in
version 2.28.4-1~deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4741-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 05, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : json-c
CVE ID         : CVE-2020-12762

Tobias Stoeckmann discovered an integer overflow in the json-c JSON
library, which could result in denial of service or potentially the
execution of arbitrary code if large malformed JSON files are processed.

For the stable distribution (buster), this problem has been fixed in
version 0.12.1+ds-2+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4742-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 06, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firejail
CVE ID         : CVE-2020-17367 CVE-2020-17368

Tim Starling discovered two vulnerabilities in firejail, a sandbox
program to restrict the running environment of untrusted applications.

CVE-2020-17367

    It was reported that firejail does not respect the end-of-options
    separator ("--"), allowing an attacker with control over the command
    line options of the sandboxed application, to write data to a
    specified file.

CVE-2020-17368

    It was reported that firejail when redirecting output via --output
    or --output-stderr, concatenates all command line arguments into a
    single string that is passed to a shell. An attacker who has control
    over the command line arguments of the sandboxed application could
    take advantage of this flaw to run run arbitrary other commands.

For the stable distribution (buster), these problems have been fixed in
version 0.9.58.2-2+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4743-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 10, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-kramdown
CVE ID         : CVE-2020-14001
Debian Bug     : 965305

A flaw was discovered in ruby-kramdown, a fast, pure ruby, Markdown
parser and converter, which could result in unintended read access to
files or unintended embedded Ruby code execution when the {::options /}
extension is used together with the 'template' option.

The Update introduces a new option 'forbidden_inline_options' to
restrict the options allowed with the {::options /} extension. By
default the 'template' option is forbidden.

For the stable distribution (buster), this problem has been fixed in
version 1.17.0-1+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4744-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 12, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-16145
Debian Bug     : 968216

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, is prone to cross-site scripting
vulnerabilities in handling invalid svg and math tag content.

For the stable distribution (buster), this problem has been fixed in
version 1.3.15+dfsg.1-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4745-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 12, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2020-12100 CVE-2020-12673 CVE-2020-12674

Several vulnerabilities have been discovered in the Dovecot email
server.

CVE-2020-12100

    Receiving mail with deeply nested MIME parts leads to resource
    exhaustion as Dovecot attempts to parse it.

CVE-2020-12673

    Dovecot's NTLM implementation does not correctly check message
    buffer size, which leads to a crash when reading past allocation.

CVE-2020-12674

    Dovecot's RPA mechanism implementation accepts zero-length message,
    which leads to assert-crash later on.

For the stable distribution (buster), these problems have been fixed in
version 1:2.3.4.1-5+deb10u3.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4746-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 15, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : net-snmp
CVE ID         : CVE-2020-15861 CVE-2020-15862
Debian Bug     : 965166 966599

Several vulnerabilities were discovered in net-snmp, a suite of Simple
Network Management Protocol applications, which could lead to privilege
escalation.

For the stable distribution (buster), these problems have been fixed in
version 5.7.3+dfsg-5+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
 -------------------------------------------------------------------------
Debian Security Advisory DSA-4747-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 23, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icingaweb2
CVE ID         : CVE-2020-24368
Debian Bug     : 968833

A directory traversal vulnerability was discovered in Icinga Web 2, a
web interface for Icinga, which could result in the disclosure of files
readable by the process.

For the stable distribution (buster), this problem has been fixed in
version 2.6.2-3+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4748-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 25, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 
                 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 
                 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 
                 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302 
                 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306 
                 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310 
                 CVE-2020-17538

Multiple security issues were discovered in Ghostscript, the GPL
PostScript/PDF interpreter which could result in denial of service and
potentially the execution of arbitrary code if malformed document files
are processed.

For the stable distribution (buster), these problems have been fixed in
version 9.27~dfsg-2+deb10u4.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4749-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 26, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-15664 CVE-2020-15669

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or unintended or malicious extensions being installed.

For the stable distribution (buster), these problems have been fixed in
version 68.12.0esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4750-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 26, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nginx
CVE ID         : CVE-2020-11724
Debian Bug     : 964950

It was reported that the Lua module for Nginx, a high-performance web
and reverse proxy server, is prone to a HTTP request smuggling
vulnerability.

For the stable distribution (buster), this problem has been fixed in
version 1.14.2-2+deb10u3.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4751-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 27, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2020-15810 CVE-2020-15811 CVE-2020-24606
Debian Bug     : 968932 968933 968934

Several vulnerabilities were discovered in Squid, a fully featured web
proxy cache, which could result in request splitting, request smuggling
(leading to cache poisoning) and denial of service when processing
crafted cache digest responses messages.

For the stable distribution (buster), these problems have been fixed in
version 4.6-1+deb10u4.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4752-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 27, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2020-8619 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624
Debian Bug     : 966497

Several vulnerabilities were discovered in BIND, a DNS server
implementation.

CVE-2020-8619

    It was discovered that an asterisk character in an empty non-
    terminal can cause an assertion failure, resulting in denial
    of service.

CVE-2020-8622

    Dave Feldman, Jeff Warren, and Joel Cunningham reported that a
    truncated TSIG response can lead to an assertion failure, resulting
    in denial of service.

CVE-2020-8623

    Lyu Chiy reported that a flaw in the native PKCS#11 code can lead
    to a remotely triggerable assertion failure, resulting in denial
    of service.

CVE-2020-8624

    Joop Boonen reported that update-policy rules of type "subdomain"
    are enforced incorrectly, allowing updates to all parts of the zone
    along with the intended subdomain.

For the stable distribution (buster), these problems have been fixed in
version 1:9.11.5.P4+dfsg-5.1+deb10u2.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4753-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 29, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2019-13290
Debian Bug     : 931475

A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight
PDF viewer, which may result in denial of service or the execution of
arbitrary code if a malformed PDF file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.0+ds1-4+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4754-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 29, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-15664 CVE-2020-15669

Multiple security issues have been found in Thunderbird which could
result in the execution of arbitrary code or the unintended installation
of extensions.

For the stable distribution (buster), these problems have been fixed in
version 1:68.12.0-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4755-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 29, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openexr
CVE ID         : CVE-2017-9111 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 
                 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 
                 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 
                 CVE-2020-15305 CVE-2020-15306

Multiple security issues were found in the OpenEXR image library, which
could result in denial of service and potentially the execution of
arbitrary code when processing malformed EXR image files.

For the stable distribution (buster), these problems have been fixed in
version 2.2.1-4.1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4756-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 29, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lilypond
CVE ID         : CVE-2020-17353

Faidon Liambotis discovered that Lilypond, a program for typesetting
sheet music, did not restrict the inclusion of Postscript and SVG
commands when operating in safe mode, which could result in the
execution of arbitrary code when rendering a typesheet file with
embedded Postscript code.

For the stable distribution (buster), this problem has been fixed in
version 2.19.81+really-2.18.2-13+deb10u1.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4757-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 31, 2020                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2020-1927 CVE-2020-1934 CVE-2020-9490 CVE-2020-11984
                 CVE-2020-11993

Several vulnerabilities have been found in the Apache HTTPD server.

CVE-2020-1927

    Fabrice Perez reported that certain mod_rewrite configurations are
    prone to an open redirect.

CVE-2020-1934

    Chamal De Silva discovered that the mod_proxy_ftp module uses
    uninitialized memory when proxying to a malicious FTP backend.

CVE-2020-9490

    Felix Wilhelm discovered that a specially crafted value for the
    'Cache-Digest' header in a HTTP/2 request could cause a crash when
    the server actually tries to HTTP/2 PUSH a resource afterwards.

CVE-2020-11984

    Felix Wilhelm reported a buffer overflow flaw in the mod_proxy_uwsgi
    module which could result in information disclosure or potentially
    remote code execution.

CVE-2020-11993

    Felix Wilhelm reported that when trace/debug was enabled for the
    HTTP/2 module certain traffic edge patterns can cause logging
    statements on the wrong connection, causing concurrent use of
    memory pools.

For the stable distribution (buster), these problems have been fixed in
version 2.4.38-3+deb10u4.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4758-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 04, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14361
                 CVE-2020-14362
Debian Bug     : 968986

Several vulnerabilities have been discovered in the X.Org X server.
Missing input sanitising in X server extensions may result in local
privilege escalation if the X server is configured to run with root
privileges. In addition an ASLR bypass was fixed.

For the stable distribution (buster), these problems have been fixed in
version 2:1.20.4-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4759-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 04, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ark
CVE ID         : CVE-2020-24654
Debian Bug     : 969437

Fabian Vogt reported that the Ark archive manager did not sanitise
extraction paths, which could result in maliciously crafted archives
with symlinks writing outside the extraction directory.

For the stable distribution (buster), this problem has been fixed in
version 4:18.08.3-1+deb10u2.

Share this post


Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4760-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 06, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092
Debian Bug     : 961451 968947

Multiple security issues were discovered in QEMU, a fast processor
emulator:

CVE-2020-12829

    An integer overflow in the sm501 display device may result in denial of
    service.

CVE-2020-14364

    An out-of-bands write in the USB emulation code may result in
    guest-to-host code execution.

CVE-2020-15863

    A buffer overflow in the XGMAC network device may result in denial of
    service or the execution of arbitrary code.

CVE-2020-16092

    A triggerable assert in the e1000e and vmxnet3 devices may result in
    denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:3.1+dfsg-8+deb10u8.

Share this post


Link to post
Share on other sites

×
×
  • Create New...