sunrat
Posted September 7, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4761-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
September 07, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : zeromq3
CVE ID         : CVE-2020-15166

It was discovered that ZeroMQ, a lightweight messaging kernel library, does
not properly handle connecting peers before a handshake is completed. A
remote, unauthenticated client connecting to an application using the
libzmq library, running with a socket listening with CURVE
encryption/authentication enabled, can take advantage of this flaw to
cause a denial of service affecting authenticated and encrypted clients.

For the stable distribution (buster), this problem has been fixed in
version 4.3.1-4+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4762-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
September 07, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lemonldap-ng
CVE ID         : CVE-2020-24660

It was discovered that the default configuration files for running the
Lemonldap::NG Web SSO system on the Nginx web server were susceptible to
authorisation bypass of URL access rules. The Debian packages do not use
Nginx by default.

For the stable distribution (buster), this problem has been fixed in
version 2.0.2+ds-7+deb10u5. This update provides fixed example
configuration which needs to be integrated into Lemonldap::NG deployments
based on Nginx.
sunrat
Posted September 15, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4763-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
September 14, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : teeworlds
CVE ID         : CVE-2020-12066

It was discovered that insufficient sanitising of received network packets
in the game server of Teeworlds, an online multi-player platform 2D
shooter, could result in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 0.7.2-5+deb10u1.
sunrat
Posted September 18, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4764-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
September 18, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : inspircd
CVE ID         : CVE-2019-20917 CVE-2020-25269
Debian Bug     : 960650

Two security issues were discovered in the pgsql and mysql modules of the
InspIRCd IRC daemon, which could result in denial of service.

For the stable distribution (buster), these problems have been fixed in
version 2.0.27-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4765-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
September 18, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : modsecurity
CVE ID         : CVE-2020-15598

Ervin Hegedues discovered that ModSecurity v3 enabled global regular
expression matching which could result in denial of service.

For additional information please refer to
https://coreruleset.org/20200914/cve-2020-15598/

For the stable distribution (buster), this problem has been fixed in
version 3.0.3-1+deb10u2.
sunrat
Posted September 24, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4766-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
September 24, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : rails
CVE ID         : CVE-2020-8162 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166
                 CVE-2020-8167 CVE-2020-15169

Multiple security issues were discovered in the Rails web framework which
could result in cross-site scripting, information leaks, code execution,
cross-site request forgery or bypass of upload limits.

For the stable distribution (buster), these problems have been fixed in
version 2:5.2.2.1+dfsg-1+deb10u2.
sunrat
Posted September 25, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4767-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
September 25, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2020-15005 CVE-2020-25812 CVE-2020-25813 CVE-2020-25814
                 CVE-2020-25815 CVE-2020-25827 CVE-2020-25828

Multiple security issues were discovered in MediaWiki, a website engine for
collaborative work: SpecialUserRights could leak whether a user existed or
not, multiple code paths lacked HTML sanitisation allowing for cross-site
scripting, and TOTP validation applied insufficient rate limiting against
brute force attempts.

For the stable distribution (buster), these problems have been fixed in
version 1:1.31.10-1~deb10u1.
sunrat
Posted September 26, 2020

------------------------------------------------------------------------
The Debian Project                                 https://www.debian.org/
Updated Debian 10: 10.6 released                         press@debian.org
September 26th, 2020                https://www.debian.org/News/2020/20200926
------------------------------------------------------------------------

The Debian project is pleased to announce the sixth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly adds
corrections for security issues, along with a few adjustments for serious
problems. Security advisories have already been published separately and
are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no need
to throw away old "buster" media. After installation, packages can be
upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to
update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages. Note that, due to build issues, the updates for the cargo, rustc
and rustc-bindgen packages are currently not available for the "armel"
architecture. They may be added at a later date if the issues are resolved.

  arch-test [1]: Fix detection of s390x sometimes failing
  asterisk [2]: Fix crash when negotiating for T.38 with a declined stream [CVE-2019-15297], "SIP request can change address of a SIP peer" [CVE-2019-18790], "AMI user could execute system commands" [CVE-2019-18610], segfault in pjsip show history with IPv6 peers
  bacula [3]: Fix "oversized digest strings allow a malicious client to cause a heap overflow in the director's memory" [CVE-2020-11061]
  base-files [4]: Update /etc/debian_version for the point release
  calamares-settings-debian [5]: Disable displaymanager module
  cargo [6]: New upstream release, to support upcoming Firefox ESR versions
  chocolate-doom [7]: Fix missing validation [CVE-2020-14983]
  chrony [8]: Prevent symlink race when writing to the PID file [CVE-2020-14367]; fix temperature reading
  debian-installer [9]: Update Linux ABI to 4.19.0-11
  debian-installer-netboot-images [10]: Rebuild against proposed-updates
  diaspora-installer [11]: Use --frozen option to bundle install to use upstream Gemfile.lock; don't exclude Gemfile.lock during upgrades; don't overwrite config/oidc_key.pem during upgrades; make config/schedule.yml writeable
  dojo [12]: Fix prototype pollution in deepCopy method [CVE-2020-5258] and in jqMix method [CVE-2020-5259]
  dovecot [13]: Fix dsync sieve filter sync regression; fix handling of getpwent result in userdb-passwd
  facter [14]: Change Google GCE Metadata endpoint from "v1beta1" to "v1"
  gnome-maps [15]: Fix an issue with misaligned shape layer rendering
  gnome-shell [16]: LoginDialog: Reset auth prompt on VT switch before fade in [CVE-2020-17489]
  gnome-weather [17]: Prevent a crash when the configured set of locations are invalid
  grunt [18]: Use safeLoad when loading YAML files [CVE-2020-7729]
  gssdp [19]: New upstream stable release
  gupnp [20]: New upstream stable release; prevent the "CallStranger" attack [CVE-2020-12695]; require GSSDP 1.0.5
  haproxy [21]: logrotate.conf: use rsyslog helper instead of SysV init script; reject messages where "chunked" is missing from Transfer-Encoding [CVE-2019-18277]
  icinga2 [22]: Fix symlink attack [CVE-2020-14004]
  incron [23]: Fix cleanup of zombie processes
  inetutils [24]: Fix remote code execution issue [CVE-2020-10188]
  libcommons-compress-java [25]: Fix denial of service issue [CVE-2019-12402]
  libdbi-perl [26]: Fix memory corruption in XS functions when Perl stack is reallocated [CVE-2020-14392]; fix a buffer overflow on an overlong DBD class name [CVE-2020-14393]; fix a NULL profile dereference in dbi_profile() [CVE-2019-20919]
  libvncserver [27]: libvncclient: bail out if UNIX socket name would overflow [CVE-2019-20839]; fix pointer aliasing/alignment issue [CVE-2020-14399]; limit max textchat size [CVE-2020-14405]; libvncserver: add missing NULL pointer checks [CVE-2020-14397]; fix pointer aliasing/alignment issue [CVE-2020-14400]; scale: cast to 64 bit before shifting [CVE-2020-14401]; prevent OOB accesses [CVE-2020-14402 CVE-2020-14403 CVE-2020-14404]
  libx11 [28]: Fix integer overflows [CVE-2020-14344 CVE-2020-14363]
  lighttpd [29]: Backport several usability and security fixes
  linux [30]: New upstream stable release; increase ABI to 11
  linux-latest [31]: Update for -11 Linux kernel ABI
  linux-signed-amd64 [32]: New upstream stable release
  linux-signed-arm64 [33]: New upstream stable release
  linux-signed-i386 [34]: New upstream stable release
  llvm-toolchain-7 [35]: New upstream release, to support upcoming Firefox ESR versions; fix bugs affecting rustc build
  lucene-solr [36]: Fix security issue in DataImportHandler configuration handling [CVE-2019-0193]
  milkytracker [37]: Fix heap overflow [CVE-2019-14464], stack overflow [CVE-2019-14496], heap overflow [CVE-2019-14497], use after free [CVE-2020-15569]
  node-bl [38]: Fix over-read vulnerability [CVE-2020-8244]
  node-elliptic [39]: Prevent malleability and overflows [CVE-2020-13822]
  node-mysql [40]: Add localInfile option to control LOAD DATA LOCAL INFILE [CVE-2019-14939]
  node-url-parse [41]: Fix insufficient validation and sanitization of user input [CVE-2020-8124]
  npm [42]: Don't show password in logs [CVE-2020-15095]
  orocos-kdl [43]: Remove explicit inclusion of default include path, fixing issues with cmake < 3.16
  postgresql-11 [44]: New upstream stable release; set a secure search_path in logical replication walsenders and apply workers [CVE-2020-14349]; make contrib modules' installation scripts more secure [CVE-2020-14350]
  postgresql-common [45]: Don't drop plpgsql before testing extensions
  pyzmq [46]: Asyncio: wait for POLLOUT on sender in can_connect
  qt4-x11 [47]: Fix buffer overflow in XBM parser [CVE-2020-17507]
  qtbase-opensource-src [48]: Fix buffer overflow in XBM parser [CVE-2020-17507]; fix clipboard breaking when timer wraps after 50 days
  ros-actionlib [49]: Load YAML safely [CVE-2020-10289]
  rustc [50]: New upstream release, to support upcoming Firefox ESR versions
  rust-cbindgen [51]: New upstream release, to support upcoming Firefox ESR versions
  ruby-ronn [52]: Fix handling of UTF-8 content in manpages
  s390-tools [53]: Hardcode perl dependency instead of using ${perl:Depends}, fixing installation under debootstrap

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

  DSA-4662 [54]   openjdk-11 [55]
  DSA-4734 [56]   openjdk-11 [57]
  DSA-4736 [58]   firefox-esr [59]
  DSA-4737 [60]   xrdp [61]
  DSA-4738 [62]   ark [63]
  DSA-4739 [64]   webkit2gtk [65]
  DSA-4740 [66]   thunderbird [67]
  DSA-4741 [68]   json-c [69]
  DSA-4742 [70]   firejail [71]
  DSA-4743 [72]   ruby-kramdown [73]
  DSA-4744 [74]   roundcube [75]
  DSA-4745 [76]   dovecot [77]
  DSA-4746 [78]   net-snmp [79]
  DSA-4747 [80]   icingaweb2 [81]
  DSA-4748 [82]   ghostscript [83]
  DSA-4749 [84]   firefox-esr [85]
  DSA-4750 [86]   nginx [87]
  DSA-4751 [88]   squid [89]
  DSA-4752 [90]   bind9 [91]
  DSA-4753 [92]   mupdf [93]
  DSA-4754 [94]   thunderbird [95]
  DSA-4755 [96]   openexr [97]
  DSA-4756 [98]   lilypond [99]
  DSA-4757 [100]  apache2 [101]
  DSA-4758 [102]  xorg-server [103]
  DSA-4759 [104]  ark [105]
  DSA-4760 [106]  qemu [107]
  DSA-4761 [108]  zeromq3 [109]
  DSA-4762 [110]  lemonldap-ng [111]
  DSA-4763 [112]  teeworlds [113]
  DSA-4764 [114]  inspircd [115]
  DSA-4765 [116]  modsecurity [117]

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.

URLs
----

The complete lists of packages that have changed with this revision:

  http://ftp.debian.org/debian/dists/buster/ChangeLog

The current stable distribution:

  http://ftp.debian.org/debian/dists/stable/

Proposed updates to the stable distribution:

  http://ftp.debian.org/debian/dists/proposed-updates

stable distribution information (release notes, errata etc.):

  https://www.debian.org/releases/stable/

Security announcements and information:

  https://www.debian.org/security/

About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.

Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
sunrat
Posted September 28, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4768-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
September 28, 2020                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, cross-site scripting or spoofing the origin of a download.

Debian follows the extended support releases (ESR) of Firefox. Support for
the 68.x series has ended, so starting with this update we're now following
the 78.x releases.

Between 68.x and 78.x, Firefox has seen a number of feature updates. For
more information please refer to
https://www.mozilla.org/en-US/firefox/78.0esr/releasenotes/

For the stable distribution (buster), these problems have been fixed in
version 78.3.0esr-1~deb10u1.
sunrat
Posted October 2, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4769-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 02, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2020-25595 CVE-2020-25596 CVE-2020-25597 CVE-2020-25599
                 CVE-2020-25600 CVE-2020-25601 CVE-2020-25602 CVE-2020-25603
                 CVE-2020-25604

Multiple vulnerabilities have been discovered in the Xen hypervisor, which
could result in denial of service, guest-to-host privilege escalation or
information leaks.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+37-g3263f257ca-1.
sunrat
Posted October 6, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4770-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 06, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678

Multiple security issues have been found in Thunderbird, which may lead to
the execution of arbitrary code or denial of service.

Debian follows the Thunderbird upstream releases. Support for the 68.x
series has ended, so starting with this update we're now following the
78.x releases.

The 78.x series discontinues support for some addons. Also, starting with
78, Thunderbird supports OpenPGP natively. If you are currently using the
Enigmail addon for PGP, please refer to the included NEWS and
README.Debian.gz files for information on how to migrate your keys.

For the stable distribution (buster), this problem has been fixed in
version 1:78.3.1-2~deb10u2.
sunrat
Posted October 11, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4771-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 11, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spice
CVE ID         : CVE-2020-14355
Debian Bug     : 971750

Frediano Ziglio discovered multiple buffer overflow vulnerabilities in the
QUIC image decoding process of spice, a SPICE protocol client and server
library, which could result in denial of service, or possibly, execution of
arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 0.14.0-1.3+deb10u1.
sunrat
Posted October 14, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4772-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 14, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : httpcomponents-client
CVE ID         : CVE-2020-13956

Priyank Nigam discovered that HttpComponents Client, a Java HTTP agent
implementation, could misinterpret a malformed authority component in a
request URI and pick the wrong target host for request execution.

For the stable distribution (buster), this problem has been fixed in
version 4.5.7-1+deb10u1.
sunrat
Posted October 17, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4773-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 16, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : yaws
CVE ID         : CVE-2020-24379 CVE-2020-24916

Two vulnerabilities were discovered in yaws, a high performance HTTP 1.1
webserver written in Erlang.

CVE-2020-24379

    The WebDAV implementation is prone to an XML External Entity (XXE)
    injection vulnerability.

CVE-2020-24916

    The CGI implementation does not properly sanitize CGI requests,
    allowing a remote attacker to execute arbitrary shell commands via
    specially crafted CGI executable names.

For the stable distribution (buster), these problems have been fixed in
version 2.0.6+dfsg-1+deb10u1.
sunrat
Posted October 19, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4774-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 19, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2020-12351 CVE-2020-12352 CVE-2020-25211 CVE-2020-25643
                 CVE-2020-25645
Debian Bug     : 908712

Several vulnerabilities have been discovered in the Linux kernel that may
lead to the execution of arbitrary code, privilege escalation, denial of
service or information leaks.

CVE-2020-12351

    Andy Nguyen discovered a flaw in the Bluetooth implementation in the
    way L2CAP packets with A2MP CID are handled. A remote attacker in
    short distance knowing the victim's Bluetooth device address can send
    a malicious l2cap packet and cause a denial of service or possibly
    arbitrary code execution with kernel privileges.

CVE-2020-12352

    Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack
    memory is not properly initialised when handling certain AMP packets.
    A remote attacker in short distance knowing the victim's Bluetooth
    device address can retrieve kernel stack information.

CVE-2020-25211

    A flaw was discovered in the netfilter subsystem. A local attacker
    able to inject conntrack Netlink configuration can cause a denial of
    service.

CVE-2020-25643

    ChenNan of Chaitin Security Research Lab discovered a flaw in the
    hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr()
    function may lead to memory corruption and information disclosure.

CVE-2020-25645

    A flaw was discovered in the interface driver for GENEVE encapsulated
    traffic when combined with IPsec. If IPsec is configured to encrypt
    traffic for the specific UDP port used by the GENEVE tunnel, tunneled
    data isn't correctly routed over the encrypted link and is sent
    unencrypted instead.

For the stable distribution (buster), these problems have been fixed in
version 4.19.152-1. The vulnerabilities are fixed by rebasing to the new
stable upstream version 4.19.152 which includes additional bugfixes.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4775-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 19, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-flask-cors
CVE ID         : CVE-2020-25032
Debian Bug     : 969362

A directory traversal vulnerability was discovered in python-flask-cors, a
Flask extension for handling Cross Origin Resource Sharing (CORS), allowing
access to private resources.

For the stable distribution (buster), this problem has been fixed in
version 3.0.7-1+deb10u1.
sunrat
Posted October 20, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4776-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 20, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mariadb-10.3
CVE ID         : CVE-2020-15180

A security issue was discovered in the MariaDB database server.

For the stable distribution (buster), this problem has been fixed in
version 1:10.3.25-0+deb10u1.
sunrat
Posted October 21, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4777-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 21, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : freetype
CVE ID         : CVE-2020-15999
Debian Bug     : 972586

Sergei Glazunov discovered a heap-based buffer overflow vulnerability in
the handling of embedded PNG bitmaps in FreeType. Opening malformed fonts
may result in denial of service or the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 2.9.1-3+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4778-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 21, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-15683 CVE-2020-15969

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code.

For the stable distribution (buster), these problems have been fixed in
version 78.4.0esr-1~deb10u2.
sunrat
Posted October 25, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4779-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 25, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2020-14779 CVE-2020-14781 CVE-2020-14782 CVE-2020-14792
                 CVE-2020-14796 CVE-2020-14797 CVE-2020-14798 CVE-2020-14803

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which could result in denial of service, information disclosure, bypass of
access/sandbox restrictions or the acceptance of untrusted certificates.

For the stable distribution (buster), these problems have been fixed in
version 11.0.9+11-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4780-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 25, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-15683 CVE-2020-15969

Multiple security issues have been found in Thunderbird, which may lead to
the execution of arbitrary code or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:78.4.0-1~deb10u1.
sunrat
Posted October 27, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4781-1                   security@debian.org
https://www.debian.org/security/                         Moritz Muehlenhoff
October 27, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : blueman
CVE ID         : CVE-2020-15238

Vaisha Bernard discovered that Blueman, a graphical bluetooth manager,
performed insufficient validation on a D-Bus interface, which could result
in denial of service or privilege escalation.

For the stable distribution (buster), this problem has been fixed in
version 2.0.8-1+deb10u1.
sunrat
Posted October 30, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4782-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
October 30, 2020                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openldap
CVE ID         : none assigned yet

A vulnerability in the handling of normalization with modrdn was
discovered in OpenLDAP, a free implementation of the Lightweight Directory
Access Protocol. An unauthenticated remote attacker can use this flaw to
cause a denial of service (slapd daemon crash) via a specially crafted
packet.

For the stable distribution (buster), this problem has been fixed in
version 2.4.47+dfsg-3+deb10u3.
sunrat
Posted November 5, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4783-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 05, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sddm
CVE ID         : CVE-2020-28049
Debian Bug     : 973748

Fabian Vogt discovered a flaw in sddm, a modern display manager for X11. A
local attacker can take advantage of a race condition when creating the
Xauthority file to escalate privileges.

For the stable distribution (buster), this problem has been fixed in
version 0.18.0-1+deb10u1.
sunrat
Posted November 7, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4784-1                   security@debian.org
https://www.debian.org/security/                         Sebastien Delafond
November 06, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2020-28032 CVE-2020-28033 CVE-2020-28034 CVE-2020-28035
                 CVE-2020-28036 CVE-2020-28037 CVE-2020-28038 CVE-2020-28039
                 CVE-2020-28040
Debian Bug     : 971914 973562

Several vulnerabilities were discovered in Wordpress, a web blogging tool.
They allowed remote attackers to run insecure deserialization, embed spam,
perform various Cross-Site Scripting (XSS) or Cross-Site Request Forgery
(CSRF) attacks, escalate privileges, run arbitrary code, and delete
arbitrary files.

For the stable distribution (buster), these problems have been fixed in
version 5.0.11+dfsg1-0+deb10u1.
sunrat
Posted November 7, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4785-1                   security@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
November 07, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : raptor2
CVE ID         : CVE-2017-18926
Debian Bug     : 973889

It was discovered that raptor2, an RDF parser library, is prone to
heap-based buffer overflow flaws, which could result in denial of service,
or potentially the execution of arbitrary code, if a specially crafted
file is processed.

For the stable distribution (buster), this problem has been fixed in
version 2.0.14-1.1~deb10u1.
sunrat Posted November 8, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4786-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 08, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libexif
CVE ID         : CVE-2020-0452

It was discovered that a boundary check in libexif, a library to parse
EXIF files, could be optimised away by the compiler, resulting in a
potential buffer overflow.

For the stable distribution (buster), this problem has been fixed in
version 0.6.21-5.1+deb10u5.
sunrat Posted November 10, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4787-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 09, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : moin
CVE ID         : CVE-2020-15275 CVE-2020-25074

Two vulnerabilities were discovered in moin, a Python clone of WikiWiki.

CVE-2020-15275

    Catarina Leite discovered that moin is prone to a stored XSS
    vulnerability via SVG attachments.

CVE-2020-25074

    Michael Chapman discovered that moin is prone to a remote code
    execution vulnerability via the cache action.

For the stable distribution (buster), these problems have been fixed in
version 1.9.9-1+deb10u1.
sunrat Posted November 10, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4788-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 10, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-26950

A use-after-free was found in the Mozilla Firefox web browser, which
could potentially result in the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 78.4.1esr-1~deb10u1.
sunrat Posted November 12, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4789-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 12, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : codemirror-js
CVE ID         : CVE-2020-7760

It was discovered that codemirror, a browser-based text editor
implemented in JavaScript, was vulnerable to regular expression
denial-of-service.

For the stable distribution (buster), this problem has been fixed in
version 5.43.0-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4790-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 12, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-26950

A use-after-free was found in Thunderbird, which could potentially
result in the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1:78.4.2-1~deb10u1.
sunrat Posted November 13, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4791-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 13, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pacemaker
CVE ID         : CVE-2020-25654
Debian Bug     : 973254

Ken Gaillot discovered a vulnerability in the Pacemaker cluster resource
manager: If ACLs were configured for users in the "haclient" group, the
ACL restrictions could be bypassed via unrestricted IPC communication,
resulting in cluster-wide arbitrary code execution with root privileges.

If the "enable-acl" cluster option isn't enabled, members of the
"haclient" group can modify Pacemaker's Cluster Information Base without
restriction, which already gives them these capabilities, so there is no
additional exposure in such a setup.

For the stable distribution (buster), this problem has been fixed in
version 2.0.1-5+deb10u1.
sunrat Posted November 17, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4792-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 17, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openldap
CVE ID         : CVE-2020-25709 CVE-2020-25710

Two vulnerabilities in the certificate list syntax verification and in
the handling of CSN normalization were discovered in OpenLDAP, a free
implementation of the Lightweight Directory Access Protocol. An
unauthenticated remote attacker can take advantage of these flaws to
cause a denial of service (slapd daemon crash) via specially crafted
packets.

For the stable distribution (buster), these problems have been fixed in
version 2.4.47+dfsg-3+deb10u4.
sunrat Posted November 18, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4793-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 18, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956
                 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961
                 CVE-2020-26965 CVE-2020-26968

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure, phishing, cross-site scripting or a DNS
rebinding attack.

For the stable distribution (buster), these problems have been fixed in
version 78.5.0esr-1~deb10u1.
sunrat Posted November 21, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4794-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 21, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mupdf
CVE ID         : CVE-2020-26519
Debian Bug     : 971595

A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight
PDF viewer, which may result in denial of service or the execution of
arbitrary code if malformed documents are opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.0+ds1-4+deb10u2.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4795-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 21, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : krb5
CVE ID         : CVE-2020-28196

Demi Obenour discovered that unbounded recursion in the ASN1 parser of
libkrb5 could result in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 1.17-3+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4796-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 21, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-16012 CVE-2020-26951 CVE-2020-26953 CVE-2020-26956
                 CVE-2020-26958 CVE-2020-26959 CVE-2020-26960 CVE-2020-26961
                 CVE-2020-26965 CVE-2020-26968

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 1:78.5.0-1~deb10u1.
sunrat Posted November 24, 2020

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4797-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
November 23, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2020-13584

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-9948

    Brendan Draper discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-9951

    Marcin Noga discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-9983

    zhunki discovered that processing maliciously crafted web content
    may lead to code execution.

CVE-2020-13584

    Cisco discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.30.3-1~deb10u1.
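Every advisory in this thread ends with the same actionable line: the buster version in which the package is fixed. The practical check an administrator wants is "does any installed package sit below that version?", and the pitfall is that Debian version strings are not plain dotted numbers: `1:78.5.0-1~deb10u1` carries an epoch (`1:`), a Debian revision (`-1~deb10u1`), and a `~` that sorts *before* the end of the string, so `2.0.14-1.1~deb10u1` is older than `2.0.14-1.1`. The following is an added example written for this page; it is not part of the thread, the advisories, or Debian's own tooling. It re-implements dpkg's version-ordering rules in Python, collects the fixed versions quoted in the posts above (for firefox-esr and thunderbird, which were updated twice, the later DSA's version is used), and runs them against a constructed sample of `dpkg-query -W -f='${source:Package} ${source:Version}\n'` output. The sample lines are invented for illustration; on a real host you would feed the command's actual output to `unpatched_packages`.

```python
"""Compare installed Debian package versions against the fixed versions
quoted in the DSAs above, using dpkg's version-ordering rules.

Added example, not part of the thread or of Debian's tooling. The
comparison re-implements dpkg's algorithm: epoch, then upstream version,
then Debian revision; non-digit runs compare character-wise with '~'
sorting before everything (even end-of-string), digit runs compare numerically.
"""

# Source package -> fixed buster version, copied from the advisories in this
# thread. Where a package got two DSAs (firefox-esr, thunderbird) the later
# version is used, since it supersedes the earlier one.
FIXED_IN_BUSTER = {
    "sddm": "0.18.0-1+deb10u1",
    "wordpress": "5.0.11+dfsg1-0+deb10u1",
    "raptor2": "2.0.14-1.1~deb10u1",
    "libexif": "0.6.21-5.1+deb10u5",
    "moin": "1.9.9-1+deb10u1",
    "firefox-esr": "78.5.0esr-1~deb10u1",
    "codemirror-js": "5.43.0-1+deb10u1",
    "thunderbird": "1:78.5.0-1~deb10u1",
    "pacemaker": "2.0.1-5+deb10u1",
    "openldap": "2.4.47+dfsg-3+deb10u4",
    "mupdf": "1.14.0+ds1-4+deb10u2",
    "krb5": "1.17-3+deb10u1",
    "webkit2gtk": "2.30.3-1~deb10u1",
}


def _order(c: str) -> int:
    """dpkg's weight for one character in a non-digit run ('' = end)."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # tilde sorts before everything, including ''
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0               # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-or-revision strings the way dpkg does."""
    def ch(s, k):
        return s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character-by-character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison (leading zeros are insignificant).
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1   # a has more digits, so it is the larger number
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str):
    """Split 'EPOCH:UPSTREAM-REVISION' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "")
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def unpatched_packages(dpkg_output: str):
    """Return (source, installed, fixed) for packages below the DSA version."""
    found = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        src, installed = parts
        fixed = FIXED_IN_BUSTER.get(src)
        if fixed is not None and compare_versions(installed, fixed) < 0:
            found.append((src, installed, fixed))
    return found


# Constructed sample: the shape of `dpkg-query -W -f='${source:Package} ${source:Version}\n'`.
SAMPLE_DPKG_QUERY = """\
sddm 0.18.0-1
libexif 0.6.21-5.1+deb10u4
firefox-esr 78.4.1esr-1~deb10u1
thunderbird 1:78.5.0-1~deb10u1
raptor2 2.0.14-1.1
openldap 2.4.47+dfsg-3+deb10u4
bash 5.0-4
"""

if __name__ == "__main__":
    for src, installed, fixed in unpatched_packages(SAMPLE_DPKG_QUERY):
        print(f"{src}: installed {installed} < fixed {fixed}")
```

Three rows in the sample exercise the cases that a naive string or float comparison gets wrong: `raptor2 2.0.14-1.1` is *not* reported because `1.1~deb10u1` sorts below `1.1`, the thunderbird line matches only because the epoch is compared first, and the firefox-esr line shows that `78.4.1esr` is ordered against `78.5.0esr` by its numeric components, not by character. The DSAs name source packages, which is why the query uses the `source:` fields rather than binary package names such as `slapd` or `libexif12`.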