Jump to content

Recommended Posts

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4798-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 25, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip
CVE ID         : CVE-2020-28984

It was discovered that SPIP, a website engine for publishing, did not
correctly validate its input. This would allow authenticated users to
execute arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 3.2.4-1+deb10u3.
Link to post
Share on other sites
  • Replies 1.9k
  • Created
  • Last Reply

Top Posters In This Topic

  • sunrat

    1598

  • V.T. Eric Layton

    171

  • securitybreach

    112

  • Bruno

    65

Top Posters In This Topic

Popular Posts

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3093-1 security@debian.org http://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3401-1 security@debian.org https://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4123-1 security@debian.org https://www.debian.org/security/

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4799-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 28, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : x11vnc
CVE ID         : CVE-2020-29074
Debian Bug     : 975875

Guenal Davalan reported a flaw in x11vnc, a VNC server to allow remote
access to an existing X session. x11vnc creates shared memory segments
with 0777 mode. A local attacker can take advantage of this flaw for
information disclosure, denial of service or interfering with the VNC
session of another user on the host.

For the stable distribution (buster), this problem has been fixed in
version 0.9.13-6+deb10u1.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4800-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 28, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libproxy
CVE ID         : CVE-2020-25219 CVE-2020-26154
Debian Bug     : 968366 971394

Two vulnerabilities were discovered in libproxy, an automatic proxy
configuration management library, which could result in denial of
service, or possibly, execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 0.4.15-5+deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4801-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 01, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : brotli
CVE ID         : CVE-2020-8927

A buffer overflow was discovered in Brotli, a generic-purpose lossless
compression suite.

For the stable distribution (buster), this problem has been fixed in
version 1.0.7-2+deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4802-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 03, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-26970

Chiaki Ishikawa discovered a stack overflow in SMTP server status
handling which could potentially result in the execution of arbitrary
code.

For the stable distribution (buster), this problem has been fixed in
version 1:78.5.1-1~deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4803-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 04, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2020-14360 CVE-2020-25712

Jan-Niklas Sohn discovered that the XKB extension of the Xorg X server
performed incomplete input validation, which could result in privilege
escalation.

For the stable distribution (buster), these problems have been fixed in
version 2:1.20.4-1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4804-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 04, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2020-27670 CVE-2020-27671 CVE-2020-27672 CVE-2020-27674 
                 CVE-2020-28368

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, privilege escalation or
information leaks.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+57-g41a822c392-1.
Link to post
Share on other sites
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.7 released                        press@debian.org
December 5th, 2020             https://www.debian.org/News/2020/20201205
------------------------------------------------------------------------


The Debian project is pleased to announce the seventh update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+-------------------------+-------------------------------------------+
| Package                 | Reason                                    |
+-------------------------+-------------------------------------------+
| base-files [1]          | Update for the point release              |
|                         |                                           |
| choose-mirror [2]       | Update mirror list                        |
|                         |                                           |
| cups [3]                | Fix 'printer-alert' invalid free          |
|                         |                                           |
| dav4tbsync [4]          | New upstream release, compatible with     |
|                         | newer Thunderbird versions                |
|                         |                                           |
| debian-installer [5]    | Use 4.19.0-13 Linux kernel ABI; add grub2 |
|                         | to Built-Using                            |
|                         |                                           |
| debian-installer-       | Rebuild against proposed-updates          |
| netboot-images [6]      |                                           |
|                         |                                           |
| distro-info-data [7]    | Add Ubuntu 21.04, Hirsute Hippo           |
|                         |                                           |
| dpdk [8]                | New upstream stable release; fix remote   |
|                         | code execution issue [CVE-2020-14374],    |
|                         | TOCTOU issues [CVE-2020-14375], buffer    |
|                         | overflow [CVE-2020-14376], buffer over    |
|                         | read [CVE-2020-14377] and integer         |
|                         | underflow [CVE-2020-14377]; fix armhf     |
|                         | build with NEON                           |
|                         |                                           |
| eas4tbsync [9]          | New upstream release, compatible with     |
|                         | newer Thunderbird versions                |
|                         |                                           |
| edk2 [10]               | Fix integer overflow in                   |
|                         | DxeImageVerificationHandler [CVE-2019-    |
|                         | 14562]                                    |
|                         |                                           |
| efivar [11]             | Add support for nvme-fabrics and nvme-    |
|                         | subsystem devices; fix uninitialized      |
|                         | variable in parse_acpi_root, avoiding     |
|                         | possible segfault                         |
|                         |                                           |
| enigmail [12]           | Introduce migration assistant to          |
|                         | Thunderbird's built-in GPG support        |
|                         |                                           |
| espeak [13]             | Fix using espeak with mbrola-fr4 when     |
|                         | mbrola-fr1 is not installed               |
|                         |                                           |
| fastd [14]              | Fix memory leak when receiving too many   |
|                         | invalid packets [CVE-2020-27638]          |
|                         |                                           |
| fish [15]               | Ensure TTY options are restored on exit   |
|                         |                                           |
| freecol [16]            | Fix XML External Entity vulnerability     |
|                         | [CVE-2018-1000825]                        |
|                         |                                           |
| gajim-omemo [17]        | Use 12-byte IV, for better compatibility  |
|                         | with iOS clients                          |
|                         |                                           |
| glances [18]            | Listen only on localhost by default       |
|                         |                                           |
| iptables-               | Don't force-load kernel modules; improve  |
| persistent [19]         | rule flushing logic                       |
|                         |                                           |
| lacme [20]              | Use upstream certificate chain instead of |
|                         | an hardcoded one, easing support for new  |
|                         | Let's Encrypt root and intermediate       |
|                         | certificates                              |
|                         |                                           |
| libdatetime-timezone-   | Update included data to tzdata 2020d      |
| perl [21]               |                                           |
|                         |                                           |
| libimobiledevice [22]   | Add partial support for iOS 14            |
|                         |                                           |
| libjpeg-turbo [23]      | Fix denial of service [CVE-2018-1152],    |
|                         | buffer over read [CVE-2018-14498],        |
|                         | possible remote code execution [CVE-2019- |
|                         | 2201], buffer over read [CVE-2020-13790]  |
|                         |                                           |
| libxml2 [24]            | Fix denial of service [CVE-2017-18258],   |
|                         | NULL pointer dereference [CVE-2018-       |
|                         | 14404], infinite loop [CVE-2018-14567],   |
|                         | memory leak [CVE-2019-19956 CVE-2019-     |
|                         | 20388], infinite loop [CVE-2020-7595]     |
|                         |                                           |
| linux [25]              | New upstream stable release               |
|                         |                                           |
| linux-latest [26]       | Update for 4.19.0-13 kernel ABI           |
|                         |                                           |
| linux-signed-amd64 [27] | New upstream stable release               |
|                         |                                           |
| linux-signed-arm64 [28] | New upstream stable release               |
|                         |                                           |
| linux-signed-i386 [29]  | New upstream stable release               |
|                         |                                           |
| lmod [30]               | Change architecture to  "any"  - required |
|                         | due to LUA_PATH and LUA_CPATH being       |
|                         | determined at build time                  |
|                         |                                           |
| mariadb-10.3 [31]       | New upstream stable release; security     |
|                         | fixes [CVE-2020-14765 CVE-2020-14776      |
|                         | CVE-2020-14789 CVE-2020-14812 CVE-2020-   |
|                         | 28912]                                    |
|                         |                                           |
| mutt [32]               | Ensure IMAP connection is closed after a  |
|                         | connection error [CVE-2020-28896]         |
|                         |                                           |
| neomutt [33]            | Ensure IMAP connection is closed after a  |
|                         | connection error [CVE-2020-28896]         |
|                         |                                           |
| node-object-path [34]   | Fix prototype pollution in set()          |
|                         | [CVE-2020-15256]                          |
|                         |                                           |
| node-pathval [35]       | Fix prototype pollution [CVE-2020-7751]   |
|                         |                                           |
| okular [36]             | Fix code execution via action link        |
|                         | [CVE-2020-9359]                           |
|                         |                                           |
| openjdk-11 [37]         | New upstream release; fix JVM crash       |
|                         |                                           |
| partman-auto [38]       | Increase /boot sizes in most recipes to   |
|                         | between 512 and 768M, to better handle    |
|                         | kernel ABI changes and larger             |
|                         | initramfses; cap RAM size as used for     |
|                         | swap partition calculations, resolving    |
|                         | issues on machines with more RAM than     |
|                         | disk space                                |
|                         |                                           |
| pcaudiolib [39]         | Cap cancellation latency to 10ms          |
|                         |                                           |
| plinth [40]             | Apache: Disable mod_status [CVE-2020-     |
|                         | 25073]                                    |
|                         |                                           |
| puma [41]               | Fix HTTP injection and HTTP smuggling     |
|                         | issues [CVE-2020-5247 CVE-2020-5249       |
|                         | CVE-2020-11076 CVE-2020-11077]            |
|                         |                                           |
| ros-ros-comm [42]       | Fix integer overflow [CVE-2020-16124]     |
|                         |                                           |
| ruby2.5 [43]            | Fix potential HTTP request smuggling      |
|                         | vulnerability in WEBrick [CVE-2020-25613] |
|                         |                                           |
| sleuthkit [44]          | Fix stack buffer overflow in              |
|                         | yaffsfs_istat [CVE-2020-10232]            |
|                         |                                           |
| sqlite3 [45]            | Fix division by zero [CVE-2019-16168],    |
|                         | NULL pointer dereference [CVE-2019-       |
|                         | 19923], mishandling of NULL pathname      |
|                         | during an update of a ZIP archive         |
|                         | [CVE-2019-19925], mishandling of embedded |
|                         | NULs in filenames [CVE-2019-19959],       |
|                         | possible crash (unwinding WITH stack)     |
|                         | [CVE-2019-20218], integer overflow        |
|                         | [CVE-2020-13434], segmentation fault      |
|                         | [CVE-2020-13435], use-after-free issue    |
|                         | [CVE-2020-13630], NULL pointer            |
|                         | dereference [CVE-2020-13632], heap        |
|                         | overflow [CVE-2020-15358]                 |
|                         |                                           |
| systemd [46]            | Basic/cap-list: parse/print numerical     |
|                         | capabilities; recognise new capabilities  |
|                         | from Linux kernel 5.8; networkd: do not   |
|                         | generate MAC for bridge device            |
|                         |                                           |
| tbsync [47]             | New upstream release, compatible with     |
|                         | newer Thunderbird versions                |
|                         |                                           |
| tcpdump [48]            | Fix untrusted input issue in the PPP      |
|                         | printer [CVE-2020-8037]                   |
|                         |                                           |
| tigervnc [49]           | Properly store certificate exceptions in  |
|                         | native and java VNC viewer [CVE-2020-     |
|                         | 26117]                                    |
|                         |                                           |
| tor [50]                | New upstream stable release; multiple     |
|                         | security, usability, portability, and     |
|                         | reliability fixes                         |
|                         |                                           |
| transmission [51]       | Fix memory leak                           |
|                         |                                           |
| tzdata [52]             | New upstream release                      |
|                         |                                           |
| ublock-origin [53]      | New upstream version; split plugin to     |
|                         | browser-specific packages                 |
|                         |                                           |
| vips [54]               | Fix use of uninitialised variable         |
|                         | [CVE-2020-20739]                          |
|                         |                                           |
+-------------------------+-------------------------------------------+

  
Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4766 [55]  | rails [56]                 |
|                |                            |
| DSA-4767 [57]  | mediawiki [58]             |
|                |                            |
| DSA-4768 [59]  | firefox-esr [60]           |
|                |                            |
| DSA-4769 [61]  | xen [62]                   |
|                |                            |
| DSA-4770 [63]  | thunderbird [64]           |
|                |                            |
| DSA-4771 [65]  | spice [66]                 |
|                |                            |
| DSA-4772 [67]  | httpcomponents-client [68] |
|                |                            |
| DSA-4773 [69]  | yaws [70]                  |
|                |                            |
| DSA-4774 [71]  | linux-latest [72]          |
|                |                            |
| DSA-4774 [73]  | linux-signed-amd64 [74]    |
|                |                            |
| DSA-4774 [75]  | linux-signed-arm64 [76]    |
|                |                            |
| DSA-4774 [77]  | linux-signed-i386 [78]     |
|                |                            |
| DSA-4774 [79]  | linux [80]                 |
|                |                            |
| DSA-4775 [81]  | python-flask-cors [82]     |
|                |                            |
| DSA-4776 [83]  | mariadb-10.3 [84]          |
|                |                            |
| DSA-4777 [85]  | freetype [86]              |
|                |                            |
| DSA-4778 [87]  | firefox-esr [88]           |
|                |                            |
| DSA-4779 [89]  | openjdk-11 [90]            |
|                |                            |
| DSA-4780 [91]  | thunderbird [92]           |
|                |                            |
| DSA-4781 [93]  | blueman [94]               |
|                |                            |
| DSA-4782 [95]  | openldap [96]              |
|                |                            |
| DSA-4783 [97]  | sddm [98]                  |
|                |                            |
| DSA-4784 [99]  | wordpress [100]            |
|                |                            |
| DSA-4785 [101] | raptor2 [102]              |
|                |                            |
| DSA-4786 [103] | libexif [104]              |
|                |                            |
| DSA-4787 [105] | moin [106]                 |
|                |                            |
| DSA-4788 [107] | firefox-esr [108]          |
|                |                            |
| DSA-4789 [109] | codemirror-js [110]        |
|                |                            |
| DSA-4790 [111] | thunderbird [112]          |
|                |                            |
| DSA-4791 [113] | pacemaker [114]            |
|                |                            |
| DSA-4792 [115] | openldap [116]             |
|                |                            |
| DSA-4793 [117] | firefox-esr [118]          |
|                |                            |
| DSA-4794 [119] | mupdf [120]                |
|                |                            |
| DSA-4795 [121] | krb5 [122]                 |
|                |                            |
| DSA-4796 [123] | thunderbird [124]          |
|                |                            |
| DSA-4798 [125] | spip [126]                 |
|                |                            |
| DSA-4799 [127] | x11vnc [128]               |
|                |                            |
| DSA-4800 [129] | libproxy [130]             |
|                |                            |
+----------------+----------------------------+

  
Removed packages
----------------

The following packages were removed due to circumstances beyond our
control:

+-------------------------+--------------------------------------------+
| Package                 | Reason                                     |
+-------------------------+--------------------------------------------+
| freshplayerplugin [131] | Unsupported by browsers; discontinued      |
|                         | upstream                                   |
|                         |                                            |
| nostalgy [132]          | Incompatible with newer Thunderbird        |
|                         | versions                                   |
|                         |                                            |
| sieve-extension [133]   | Incompatible with newer Thunderbird        |
|                         | versions                                   |
|                         |                                            |
+-------------------------+--------------------------------------------+

 
Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.


URLs
----

The complete lists of packages that have changed with this revision:

http://ftp.debian.org/debian/dists/buster/ChangeLog


The current stable distribution:

http://ftp.debian.org/debian/dists/stable/


Proposed updates to the stable distribution:

http://ftp.debian.org/debian/dists/proposed-updates


stable distribution information (release notes, errata etc.):

https://www.debian.org/releases/stable/


Security announcements and information:

https://www.debian.org/security/



About Debian
------------

The Debian Project is an association of Free Software developers who
volunteer their time and effort in order to produce the completely free
operating system Debian.


Contact Information
-------------------

For further information, please visit the Debian web pages at
https://www.debian.org/, send mail to <press@debian.org>, or contact the
stable release team at <debian-release@lists.debian.org>.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4805-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 07, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : trafficserver
CVE ID         : CVE-2020-17508 CVE-2020-17509

Two vulnerabilities were discovered in Apache Traffic Server, a reverse
and forward proxy server:

CVE-2020-17508

    The ESI plugin was vulnerable to memory disclosure.

CVE-2020-17509

    The negative cache option was vulnerable to cache poisoning.

For the stable distribution (buster), these problems have been fixed in
version 8.0.2+ds-1+deb10u4.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4806-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 07, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : minidlna
CVE ID         : CVE-2020-12695 CVE-2020-28926
Debian Bug     : 976594 976595

It was discovered that missing input validation in minidlna, a
lightweight DLNA/UPnP-AV server could result in the execution of
arbitrary code. In addition minidlna was susceptible to the
"CallStranger" UPnP vulnerability.

For the stable distribution (buster), these problems have been fixed in
version 1.2.1+dfsg-2+deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4807-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 08, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2020-1971

David Benjamin discovered a flaw in the GENERAL_NAME_cmp() function
which could cause a NULL dereference, resulting in denial of service.

Additional details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20201208.txt

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u4.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4808-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 09, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apt
CVE ID         : CVE-2020-27350

It was discovered that missing input validation in the ar/tar
implementations of APT, the high level package manager, could cause
out-of-bounds reads or infinite loops, resulting in denial of service
when processing malformed deb files.

For the stable distribution (buster), this problem has been fixed in
version 1.8.2.2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4809-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 09, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-apt
CVE ID         : CVE-2020-27351

Various memory and file descriptor leaks were discovered in the Python
interface to the APT package management runtime library, which could
result in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 1.8.4.2.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4810-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 13, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lxml
CVE ID         : CVE-2020-27783

Yaniv Nizry discovered that the clean module of lxml, Python bindings for
libxml2 and libxslt could be bypassed.

For the stable distribution (buster), this problem has been fixed in
version 4.3.2-1+deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4811-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 15, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxstream-java
CVE ID         : CVE-2020-26217

It was discovered that the default blacklist of XStream, a Java library
to serialise objects to XML and back again, was vulnerable to the
execution of arbitrary shell commands by manipulating the processed
input stream.

For additional defense-in-depth it is recommended to switch to the
whitelist approach of XStream's security framework. For additional
information please refer to
https://github.com/x-stream/xstream/security/advisories/GHSA-mw36-7c6c-q4q2

For the stable distribution (buster), this problem has been fixed in
version 1.4.11.1-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4812-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 15, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2020-29479 CVE-2020-29480 CVE-2020-29481 CVE-2020-29482 
                 CVE-2020-29483 CVE-2020-29484 CVE-2020-29485 CVE-2020-29486 
                 CVE-2020-29566 CVE-2020-29570 CVE-2020-29571

Multiple vulnerabilities have been discovered in the Xen hypervisor:

Several security issues affecting Xenstore could result in cross
domain access (denial of service, information leaks or privilege
escalation) or denial of service against xenstored.

Additional vulnerabilities could result in guest-to-host denial of
service.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+57-g41a822c392-2.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4813-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 16, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-16042 CVE-2020-26971 CVE-2020-26973 CVE-2020-26974 
                 CVE-2020-26978 CVE-2020-35111 CVE-2020-35113

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure or CSS sanitiser bypass.

For the stable distribution (buster), these problems have been fixed in
version 78.6.0esr-1~deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4814-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
December 17, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xerces-c
CVE ID         : CVE-2018-1311
Debian Bug     : 947431

It was discovered that xerces-c, a validating XML parser library for
C++, did not correctly scan DTDs. The use-after-free vulnerability
resulting from this issue would allow a remote attacker to leverage a
specially crafted XML file in order to crash the application or
potentially execute arbitrary code.
Please note that the patch fixing this issue comes at the expense of a
newly introduced memory leak.

For the stable distribution (buster), this problem has been fixed in
version 3.2.2+debian-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4815-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 17, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-16042 CVE-2020-26971 CVE-2020-26973 CVE-2020-26974
                 CVE-2020-26978 CVE-2020-35111 CVE-2020-35113

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or information
leak.

For the stable distribution (buster), these problems have been fixed in
version 1:78.6.0-1~deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4816-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 18, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2020-35475 CVE-2020-35477 CVE-2020-35479 CVE-2020-35480
Debian Bug     : 971985 971986

Multiple security issues were discovered in MediaWiki, a website engine
for collaborative work, which could result in cross-site scripting or
the disclosure of hidden users.	
	
For the stable distribution (buster), these problems have been fixed in
version 1:1.31.12-1~deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4810-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 19, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lxml

The update for lxml released as 4810-1 introduced a regression when
running under Python 2. Updated lxml packages are now available to
correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 4.3.2-1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4817-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 19, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-pear
CVE ID         : CVE-2020-28948 CVE-2020-28949
Debian Bug     : 976108

Two vulnerabilities were discovered in the PEAR Archive_Tar package for
handling tar files in PHP, potentially allowing a remote attacker to
execute arbitrary code or overwrite files.

For the stable distribution (buster), these problems have been fixed in
version 1:1.10.6+submodules+notgz-1.1+deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4797-2                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
December 22, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
Debian Bug     : 976437

The update for webkit2gtk released as 4797-1 introduced a regression
with the WebSockets functionality. Updated webkit2gtk packages are now
available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 2.30.4-1~deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4818-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 23, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sympa
CVE ID         : CVE-2020-9369 CVE-2020-10936 CVE-2020-26932 CVE-2020-29668
Debian Bug     : 952428 961491 971904 976020

Several vulnerabilities were discovered in Sympa, a mailing list
manager, which could result in local privilege escalation, denial of
service or unauthorized access via the SOAP API.

Additionally to mitigate CVE-2020-26880 the sympa_newaliases-wrapper is
no longer installed setuid root by default. A new Debconf question is
introduced to allow setuid installations in setups where it is needed.

For the stable distribution (buster), these problems have been fixed in
version 6.2.40~dfsg-1+deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4819-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 26, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : kitty
CVE ID         : CVE-2020-35605

Stephane Chauveau discovered that the graphics protocol implementation in
Kitty, a GPU-based terminal emulator, did not sanitise a filename when
returning an error message, which could result in the execution of
arbitrary shell commands when displaying a file with cat.

For the stable distribution (buster), this problem has been fixed in
version 0.13.3-1+deb10u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4809-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 27, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-apt
Debian Bug     : 977000

The update for python-apt released as DSA 4809-1 introduced a regression
when passing a file descriptor to apt_inst.ArFile or apt_inst.DebFile
causing a segmentation fault. Updated python-apt packages are now
available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 1.8.4.3.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4820-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 27, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : horizon
CVE ID         : CVE-2020-29565
Debian Bug     : 976872

Pritam Singh discovered an open redirect in the workflow forms of
OpenStack Horizon.

For the stable distribution (buster), this problem has been fixed in
version 3:14.0.2-3+deb10u2.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4821-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
December 28, 2020                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2020-35730
Debian Bug     : 978491

Alex Birnberg discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, is prone to a cross-site scripting
vulnerability in handling HTML or Plain text messages with malicious
content.

For the stable distribution (buster), this problem has been fixed in
version 1.3.16+dfsg.1-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4822-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 01, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : p11-kit
CVE ID         : CVE-2020-29361 CVE-2020-29362 CVE-2020-29363

David Cook reported several memory safety issues affecting the RPC
protocol in p11-kit, a library providing a way to load and enumerate
PKCS#11 modules.

For the stable distribution (buster), these problems have been fixed in
version 0.23.15-2+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4823-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 01, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : influxdb
CVE ID         : CVE-2019-20933

It was discovered that incorrect validation of JWT tokens in InfluxDB,
a time series, metrics, and analytics database, could result in
authentication bypass.

For the stable distribution (buster), this problem has been fixed in
version 1.6.4-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4824-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 01, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2019-8075 CVE-2020-6510 CVE-2020-6511 CVE-2020-6512 
                 CVE-2020-6513 CVE-2020-6514 CVE-2020-6515 CVE-2020-6516 
                 CVE-2020-6517 CVE-2020-6518 CVE-2020-6519 CVE-2020-6520 
                 CVE-2020-6521 CVE-2020-6522 CVE-2020-6523 CVE-2020-6524 
                 CVE-2020-6525 CVE-2020-6526 CVE-2020-6527 CVE-2020-6528 
                 CVE-2020-6529 CVE-2020-6530 CVE-2020-6531 CVE-2020-6532 
                 CVE-2020-6533 CVE-2020-6534 CVE-2020-6535 CVE-2020-6536 
                 CVE-2020-6537 CVE-2020-6538 CVE-2020-6539 CVE-2020-6540 
                 CVE-2020-6541 CVE-2020-6542 CVE-2020-6543 CVE-2020-6544 
                 CVE-2020-6545 CVE-2020-6546 CVE-2020-6547 CVE-2020-6548 
                 CVE-2020-6549 CVE-2020-6550 CVE-2020-6551 CVE-2020-6552 
                 CVE-2020-6553 CVE-2020-6554 CVE-2020-6555 CVE-2020-6556 
                 CVE-2020-6557 CVE-2020-6558 CVE-2020-6559 CVE-2020-6560 
                 CVE-2020-6561 CVE-2020-6562 CVE-2020-6563 CVE-2020-6564 
                 CVE-2020-6565 CVE-2020-6566 CVE-2020-6567 CVE-2020-6568 
                 CVE-2020-6569 CVE-2020-6570 CVE-2020-6571 CVE-2020-6573 
                 CVE-2020-6574 CVE-2020-6575 CVE-2020-6576 CVE-2020-15959 
                 CVE-2020-15960 CVE-2020-15961 CVE-2020-15962 CVE-2020-15963 
                 CVE-2020-15964 CVE-2020-15965 CVE-2020-15966 CVE-2020-15967 
                 CVE-2020-15968 CVE-2020-15969 CVE-2020-15970 CVE-2020-15971 
                 CVE-2020-15972 CVE-2020-15973 CVE-2020-15974 CVE-2020-15975 
                 CVE-2020-15976 CVE-2020-15977 CVE-2020-15978 CVE-2020-15979 
                 CVE-2020-15980 CVE-2020-15981 CVE-2020-15982 CVE-2020-15983 
                 CVE-2020-15984 CVE-2020-15985 CVE-2020-15986 CVE-2020-15987 
                 CVE-2020-15988 CVE-2020-15989 CVE-2020-15990 CVE-2020-15991 
                 CVE-2020-15992 CVE-2020-15999 CVE-2020-16000 CVE-2020-16001 
                 CVE-2020-16002 CVE-2020-16003 CVE-2020-16004 CVE-2020-16005 
                 CVE-2020-16006 CVE-2020-16007 CVE-2020-16008 CVE-2020-16009 
                 CVE-2020-16011 CVE-2020-16012 CVE-2020-16013 CVE-2020-16014 
                 CVE-2020-16015 CVE-2020-16016 CVE-2020-16017 CVE-2020-16018 
                 CVE-2020-16019 CVE-2020-16020 CVE-2020-16021 CVE-2020-16022 
                 CVE-2020-16023 CVE-2020-16024 CVE-2020-16025 CVE-2020-16026 
                 CVE-2020-16027 CVE-2020-16028 CVE-2020-16029 CVE-2020-16030 
                 CVE-2020-16031 CVE-2020-16032 CVE-2020-16033 CVE-2020-16034 
                 CVE-2020-16035 CVE-2020-16036 CVE-2020-16037 CVE-2020-16038 
                 CVE-2020-16039 CVE-2020-16040 CVE-2020-16041 CVE-2020-16042

Multiple security issues were discovered in the Chromium web browser, which
could result in the execution of arbitrary code, denial of service
or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 87.0.4280.88-0.4~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4825-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 04, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dovecot
CVE ID         : CVE-2020-24386 CVE-2020-25275

Several vulnerabilities have been discovered in the Dovecot email
server.

CVE-2020-24386

    When imap hibernation is active, an attacker (with valid credentials
    to access the mail server) can cause Dovecot to discover file system
    directory structures and access other users' emails via specially
    crafted commands.

CVE-2020-25275

    Innokentii Sennovskiy reported that the mail delivery and parsing in
    Dovecot can crash when the 10000th MIME part is message/rfc822 (or
    if the parent was multipart/digest). This flaw was introduced by
    earlier changes addressing CVE-2020-12100.

For the stable distribution (buster), these problems have been fixed in
version 1:2.3.4.1-5+deb10u5.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4806-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 05, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : minidlna
Debian Bug     : 975372

The update for minidlna released as DSA 4806-1 introduced a regression
when purging the package. Updated minidlna packages are now available to
correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 1.2.1+dfsg-2+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4826-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 06, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nodejs
CVE ID         : CVE-2020-8265 CVE-2020-8287

Two vulnerabilities were discovered in Node.js, which could result in
denial of service and potentially the execution of arbitrary code or
HTTP request smuggling.

For the stable distribution (buster), these problems have been fixed in
version 10.23.1~dfsg-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4827-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 07, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-16044

A security issue was found in the Mozilla Firefox web browser, which
could potentially result in the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 78.6.1esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4828-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 07, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxstream-java
CVE ID         : CVE-2020-26258 CVE-2020-26259

Liaogui Zhong discovered two security issues in XStream, a Java library
to serialise objects to XML and back again, which could result in the
deletion of files or server-side request forgery when unmarshalling.

For the stable distribution (buster), these problems have been fixed in
version 1.4.11.1-1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4829-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 11, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : coturn
CVE ID         : CVE-2020-26262

A flaw was discovered in coturn, a TURN and STUN server for VoIP. By
default coturn does not allow peers on the loopback addresses
(127.x.x.x and ::1). A remote attacker can bypass the protection via a
specially crafted request using a peer address of '0.0.0.0' and trick
coturn in relaying to the loopback interface. If listening on IPv6 the
loopback interface can also be reached by using either [::1] or [::] as
the address.

For the stable distribution (buster), this problem has been fixed in
version 4.5.1.1-1.1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4830-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 14, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : not yet available

Simon McVittie discovered a bug in the flatpak-portal service that can
allow sandboxed applications to execute arbitrary code on the host system
(a sandbox escape).

The Flatpak portal D-Bus service (flatpak-portal, also known by its
D-Bus service name org.freedesktop.portal.Flatpak) allows apps in a
Flatpak sandbox to launch their own subprocesses in a new sandbox
instance, either with the same security settings as the caller or
with more restrictive security settings. For example, this is used in
Flatpak-packaged web browsers such as Chromium to launch subprocesses
that will process untrusted web content, and give those subprocesses a
more restrictive sandbox than the browser itself.

In vulnerable versions, the Flatpak portal service passes caller-specified
environment variables to non-sandboxed processes on the host system,
and in particular to the flatpak run command that is used to launch the
new sandbox instance. A malicious or compromised Flatpak app could set
environment variables that are trusted by the flatpak run command, and
use them to execute arbitrary code that is not in a sandbox.

For the stable distribution (buster), this problem has been fixed in
version 1.2.5-0+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4831-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
January 15, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-redcarpet
CVE ID         : CVE-2020-26298
Debian Bug     : 980057

Johan Smits discovered that ruby-redcarpet, a markdown parser, did not
properly validate its input. This would allow an attacker to mount a
cross-site scripting attack.

For the stable distribution (buster), this problem has been fixed in
version 3.4.0-4+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4832-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 16, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2020-15995 CVE-2020-16043 CVE-2021-21106 CVE-2021-21107
                 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111
                 CVE-2021-21112 CVE-2021-21113 CVE-2021-21114 CVE-2021-21115
                 CVE-2021-21116
Debian Bug     : 979533

Multiple security issues were discovered in the Chromium web browser, which
could result in the execution of arbitrary code, denial of service
or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 87.0.4280.141-0.1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4833-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 18, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0
CVE ID         : not yet available

Andrew Wesie discovered a buffer overflow in the H264 support of the
GStreamer multimedia framework, which could potentially result in the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1deb10u1.
Link to post
Share on other sites

×
×
  • Create New...