Jump to content

Recommended Posts

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4834-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 22, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : vlc
CVE ID         : CVE-2020-26664
Debian Bug     : 979676

Multiple vulnerabilities were discovered in the VLC media player, which
could result in the execution of arbitrary code or denial of service if
a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 3.0.12-0+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4835-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 22, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2020-13943 CVE-2020-17527

Two vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u3.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4836-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 22, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openvswitch
CVE ID         : CVE-2015-8011 CVE-2020-27827
Debian Bug     : 980132

Two vulnerabilities were discovered in the LLPD implementation of Open
vSwitch, a software-based Ethernet virtual switch, which could result in
denial of service.

For the stable distribution (buster), these problems have been fixed in
version 2.10.6+ds1-0+deb10u1.
Link to post
Share on other sites
  • Replies 1.9k
  • Created
  • Last Reply

Top Posters In This Topic

  • sunrat

    1568

  • V.T. Eric Layton

    171

  • securitybreach

    112

  • Bruno

    65

Top Posters In This Topic

Popular Posts

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3093-1 security@debian.org http://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3401-1 security@debian.org https://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4123-1 security@debian.org https://www.debian.org/security/

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4830-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 22, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : flatpak
Debian Bug     : 980323

The update for flatpak released as DSA 4830-1 introduced regressions
with flatpak build and in the extra-data mechanism. Updated flatpak
packages are now available to correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 1.2.5-0+deb10u3.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4837-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 24, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2020-16846 CVE-2020-17490 CVE-2020-25592

Several vulnerabilities were discovered in salt, a powerful remote
execution manager. The flaws could result in authentication bypass and
invocation of Salt SSH, creation of certificates with weak file
permissions via the TLS execution module or shell injections with the
Salt API using the SSH client.

For the stable distribution (buster), these problems have been fixed in
version 2018.3.4+dfsg1-6+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4833-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 24, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0

The update for gst-plugins-bad1.0 released as DSA 4833-1 choosed a
package version incompatible with binNMUs and prevented upgrades to the
fixed packages. Updated gst-plugins-bad1.0 packages are now available to
correct this issue.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4838-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 25, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mutt
CVE ID         : CVE-2021-3181
Debian Bug     : 980326

Tavis Ormandy discovered a memory leak flaw in the rfc822 group recipient
parsing in Mutt, a text-based mailreader supporting MIME, GPG, PGP and
threading, which could result in denial of service.

For the stable distribution (buster), this problem has been fixed in
version 1.10.1-2.1+deb10u5.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4839-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 26, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : sudo
CVE ID         : CVE-2021-3156

The Qualys Research Labs discovered a heap-based buffer overflow
vulnerability in sudo, a program designed to provide limited super user
privileges to specific users. Any local user (sudoers and non-sudoers)
can exploit this flaw for root privilege escalation.

For the stable distribution (buster), this problem has been fixed in
version 1.8.27-1+deb10u3.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4840-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 27, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2020-26976 CVE-2021-23953 CVE-2021-23954
                 CVE-2021-23960 CVE-2021-23964

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 78.7.0esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4841-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 27, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : slurm-llnl
CVE ID         : CVE-2019-19728 CVE-2020-12693 CVE-2020-27745 CVE-2020-27746

Multiple security issues were discovered in the Simple Linux Utility for
Resource Management (SLURM), a cluster resource management and job
scheduling system, which could result in denial of service, information
disclosure or privilege escalation.

For the stable distribution (buster), these problems have been fixed in
version 18.08.5.2-1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4842-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
January 31, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2020-15685 CVE-2020-16044 CVE-2020-26976 CVE-2021-23953 
                 CVE-2021-23954 CVE-2021-23960 CVE-2021-23964

Multiple security issues have been found in Thunderbird, which may lead
to the execution of arbitrary code, denial of service or an information
leak.

For the stable distribution (buster), these problems have been fixed in
version 1:78.7.0-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4843-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 01, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2020-27815 CVE-2020-27825 CVE-2020-27830 CVE-2020-28374
                 CVE-2020-29568 CVE-2020-29569 CVE-2020-29660 CVE-2020-29661
                 CVE-2020-36158 CVE-2021-3347 CVE-2021-20177
Debian Bug     : 970736 972345 977048 977615

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2020-27815

    A flaw was reported in the JFS filesystem code allowing a local
    attacker with the ability to set extended attributes to cause a
    denial of service.

CVE-2020-27825

    Adam 'pi3' Zabrocki reported a use-after-free flaw in the ftrace
    ring buffer resizing logic due to a race condition, which could
    result in denial of service or information leak.

CVE-2020-27830

    Shisong Qin reported a NULL pointer dereference flaw in the Speakup
    screen reader core driver.

CVE-2020-28374

    David Disseldorp discovered that the LIO SCSI target implementation
    performed insufficient checking in certain XCOPY requests. An
    attacker with access to a LUN and knowledge of Unit Serial Number
    assignments can take advantage of this flaw to read and write to any
    LIO backstore, regardless of the SCSI transport settings.

CVE-2020-29568 (XSA-349)

    Michael Kurth and Pawel Wieczorkiewicz reported that frontends can
    trigger OOM in backends by updating a watched path.

CVE-2020-29569 (XSA-350)

    Olivier Benjamin and Pawel Wieczorkiewicz reported a use-after-free
    flaw which can be triggered by a block frontend in Linux blkback. A
    misbehaving guest can trigger a dom0 crash by continuously
    connecting / disconnecting a block frontend.

CVE-2020-29660

    Jann Horn reported a locking inconsistency issue in the tty
    subsystem which may allow a local attacker to mount a
    read-after-free attack against TIOCGSID.

CVE-2020-29661

    Jann Horn reported a locking issue in the tty subsystem which can
    result in a use-after-free. A local attacker can take advantage of
    this flaw for memory corruption or privilege escalation.

CVE-2020-36158

    A buffer overflow flaw was discovered in the mwifiex WiFi driver
    which could result in denial of service or the execution of
    arbitrary code via a long SSID value.

CVE-2021-3347

    It was discovered that PI futexes have a kernel stack use-after-free
    during fault handling. An unprivileged user could use this flaw to
    crash the kernel (resulting in denial of service) or for privilege
    escalation.

CVE-2021-20177

    A flaw was discovered in the Linux implementation of string matching
    within a packet. A privileged user (with root or CAP_NET_ADMIN) can
    take advantage of this flaw to cause a kernel panic when inserting
    iptables rules.

For the stable distribution (buster), these problems have been fixed in
version 4.19.171-2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4845-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 03, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openldap
CVE ID         : CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224
                 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228
                 CVE-2020-36229 CVE-2020-36230

Several vulnerabilities were discovered in OpenLDAP, a free
implementation of the Lightweight Directory Access Protocol. An
unauthenticated remote attacker can take advantage of these flaws to
cause a denial of service (slapd daemon crash, infinite loops) via
specially crafted packets.

For the stable distribution (buster), these problems have been fixed in
version 2.4.47+dfsg-3+deb10u5.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4844-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 02, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : dnsmasq
CVE ID         : CVE-2020-25681 CVE-2020-25682 CVE-2020-25683 CVE-2020-25684 
                 CVE-2020-25685 CVE-2020-25686 CVE-2020-25687

Moshe Kol and Shlomi Oberman of JSOF discovered several
vulnerabilities in dnsmasq, a small caching DNS proxy and DHCP/TFTP
server. They could result in denial of service, cache poisoning or the
execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 2.80-1+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4846-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
February 07, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2020-16044 CVE-2021-21117 CVE-2021-21118 CVE-2021-21119
                 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123
                 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127
                 CVE-2021-21128 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131
                 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135
                 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
                 CVE-2021-21140 CVE-2021-21141 CVE-2021-21142 CVE-2021-21143
                 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2020-16044

    Ned Williamson discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2021-21117

    Rory McNamara discovered a policy enforcement issue in Cryptohome.

CVE-2021-21118

    Tyler Nighswander discovered a data validation issue in the v8 javascript
    library.

CVE-2021-21119

    A use-after-free issue was discovered in media handling.

CVE-2021-21120

    Nan Wang and Guang Gong discovered a use-after-free issue in the WebSQL
    implementation.

CVE-2021-21121

    Leecraso and Guang Gong discovered a use-after-free issue in the Omnibox.

CVE-2021-21122

    Renata Hodovan discovered a use-after-free issue in Blink/WebKit.

CVE-2021-21123

    Maciej Pulikowski discovered a data validation issue.

CVE-2021-21124

    Chaoyang Ding discovered a use-after-free issue in the speech recognizer.

CVE-2021-21125

    Ron Masas discovered a policy enforcement issue.

CVE-2021-21126

    David Erceg discovered a policy enforcement issue in extensions.

CVE-2021-21127

    Jasminder Pal Singh discovered a policy enforcement issue in extensions.

CVE-2021-21128

    Liang Dong discovered a buffer overflow issue in Blink/WebKit.

CVE-2021-21129

    Maciej Pulikowski discovered a policy enforcement issue.

CVE-2021-21130

    Maciej Pulikowski discovered a policy enforcement issue.

CVE-2021-21131

    Maciej Pulikowski discovered a policy enforcement issue.

CVE-2021-21132

    David Erceg discovered an implementation error in the developer tools.

CVE-2021-21133

    wester0x01 discovered a policy enforcement issue.

CVE-2021-21134

    wester0x01 discovered a user interface error.

CVE-2021-21135

    ndevtk discovered an implementation error in the Performance API.

CVE-2021-21136

    Shiv Sahni, Movnavinothan V, and Imdad Mohammed discovered a policy
    enforcement error.

CVE-2021-21137

    bobbybear discovered an implementation error in the developer tools.

CVE-2021-21138

    Weipeng Jiang discovered a use-after-free issue in the developer tools.

CVE-2021-21139

    Jun Kokatsu discovered an implementation error in the iframe sandbox.

CVE-2021-21140

    David Manouchehri discovered uninitialized memory in the USB
    implementation.

CVE-2021-21141

    Maciej Pulikowski discovered a policy enforcement error.

CVE-2021-21142

    Khalil Zhani discovered a use-after-free issue.

CVE-2021-21143

    Allen Parker and Alex Morgan discovered a buffer overflow issue in
    extensions.

CVE-2021-21144

    Leecraso and Guang Gong discovered a buffer overflow issue.

CVE-2021-21145

    A use-after-free issue was discovered.

CVE-2021-21146

    Alison Huffman and Choongwoo Han discovered a use-after-free issue.

CVE-2021-21147

    Roman Starkov discovered an implementation error in the skia library.

For the stable distribution (buster), these problems have been fixed in
version 88.0.4324.146-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4847-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 08, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : connman
CVE ID         : CVE-2021-26675 CVE-2021-26676

A remote information leak vulnerability and a remote buffer overflow
vulnerability were discovered in ConnMan, a network manager for embedded
devices, which could result in denial of service or the execution of
arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 1.36-2.1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4848-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 08, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : golang-1.11
CVE ID         : CVE-2020-7919 CVE-2020-15586 CVE-2020-16845 CVE-2021-3114

Multiple security issues were discovered in the implementation of the
Go programming language, which could result in denial of service and
the P-224 curve implementation could generate incorrect outputs.

For the stable distribution (buster), these problems have been fixed in
version 1.11.6-1+deb10u4.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4849-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 09, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firejail
CVE ID         : CVE-2021-26910

Roman Fiedler discovered a vulnerability in the OverlayFS code in
firejail, a sandbox program to restrict the running environment of
untrusted applications, which could result in root privilege escalation.
This update disables OverlayFS support in firejail.

For the stable distribution (buster), this problem has been fixed in
version 0.9.58.2-2+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4850-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 10, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libzstd
Debian Bug     : 981404

It was discovered that zstd, a compression utility, temporarily
exposed a world-readable version of its input even if the original
file had restrictive permissions.

For the stable distribution (buster), this problem has been fixed in
version 1.3.8+dfsg-3+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4851-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 13, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : subversion
CVE ID         : CVE-2020-17525
Debian Bug     : 982464

Thomas Akesson discovered a remotely triggerable vulnerability in the
mod_authz_svn module in Subversion, a version control system. When using
in-repository authz rules with the AuthzSVNReposRelativeAccessFile
option an unauthenticated remote client can take advantage of this flaw
to cause a denial of service by sending a request for a non-existing
repository URL.

For the stable distribution (buster), this problem has been fixed in
version 1.10.4-1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4852-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 15, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openvswitch
CVE ID         : CVE-2020-35498
Debian Bug     : 982493

Joakim Hindersson discovered that Open vSwitch, a software-based
Ethernet virtual switch, allowed a malicious user to cause a
denial-of-service by sending a specially crafted packet.

For the stable distribution (buster), this problem has been fixed in
version 2.10.7+ds1-0+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4853-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 16, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : spip

It was discovered that SPIP, a website engine for publishing, would
allow a malicious user to perform cross-site scripting attacks, access
sensitive information, or execute arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 3.2.4-1+deb10u4.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4855-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 17, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2019-1551 CVE-2021-23840 CVE-2021-23841
Debian Bug     : 947949

Multiple vulnerabilities have been discovered in OpenSSL, a Secure
Sockets Layer toolkit. An overflow bug in the x64_64 Montgomery squaring
procedure, an integer overflow in CipherUpdate and a NULL pointer
dereference flaw X509_issuer_and_serial_hash() were found, which could
result in denial of service.

Additional details can be found in the upstream advisories
https://www.openssl.org/news/secadv/20191206.txt and
https://www.openssl.org/news/secadv/20210216.txt .

For the stable distribution (buster), these problems have been fixed in
version 1.1.1d-0+deb10u5.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4854-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
February 17, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-13558

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-13558

    Marcin Noga discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

For the stable distribution (buster), this problem has been fixed in
version 2.30.5-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4856-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 17, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2020-7068 CVE-2020-7069 CVE-2020-7070 CVE-2020-7071 
                 CVE-2021-21702

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language which could result in denial of
service, information disclosure, cookie forgery or incorrect encryption.

For the stable distribution (buster), these problems have been fixed in
version 7.3.27-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4857-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 18, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2020-8625
Debian Bug     : 983004

A buffer overflow vulnerability was discovered in the SPNEGO
implementation affecting the GSSAPI security policy negotiation in BIND,
a DNS server implementation, which could result in denial of service
(daemon crash), or potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1:9.11.5.P4+dfsg-5.1+deb10u3.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4858-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
February 19, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21148 CVE-2021-21149 CVE-2021-21150 CVE-2021-21151
                 CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155
                 CVE-2021-21156 CVE-2021-21157

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21148

    Mattias Buelens discovered a buffer overflow issue in the v8 javascript
    library.

CVE-2021-21149

    Ryoya Tsukasaki discovered a stack overflow issue in the Data Transfer
    implementation.

CVE-2021-21150

    Woojin Oh discovered a use-after-free issue in the file downloader.

CVE-2021-21151

    Khalil Zhani discovered a use-after-free issue in the payments system.

CVE-2021-21152

    A buffer overflow was discovered in media handling.

CVE-2021-21153

    Jan Ruge discovered a stack overflow issue in the GPU process.

CVE-2021-21154

    Abdulrahman Alqabandi discovered a buffer overflow issue in the Tab Strip
    implementation.

CVE-2021-21155

    Khalil Zhani discovered a buffer overflow issue in the Tab Strip
    implementation.

CVE-2021-21156

    Sergei Glazunov discovered a buffer overflow issue in the v8 javascript
    library.

CVE-2021-21157

    A use-after-free issue was discovered in the Web Sockets implementation.

For the stable distribution (buster), these problems have been fixed in
version 88.0.4324.182-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4859-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
February 20, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libzstd
Debian Bug     : 982519

It was discovered that zstd, a compression utility, was vulnerable to
a race condition: it temporarily exposed, during a very short
timeframe, a world-readable version of its input even if the original
file had restrictive permissions.

For the stable distribution (buster), this problem has been fixed in
version 1.3.8+dfsg-3+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4860-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 20, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openldap
CVE ID         : CVE-2021-27212

A vulnerability in the Certificate List Exact Assertion validation was
discovered in OpenLDAP, a free implementation of the Lightweight
Directory Access Protocol. An unauthenticated remote attacker can take
advantage of this flaw to cause a denial of service (slapd daemon crash)
via specially crafted packets.

For the stable distribution (buster), this problem has been fixed in
version 2.4.47+dfsg-3+deb10u6.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4861-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 21, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : screen
CVE ID         : CVE-2021-26937
Debian Bug     : 982435

Felix Weinmann reported a flaw in the handling of combining characters
in screen, a terminal multiplexer with VT100/ANSI terminal emulation,
which can result in denial of service, or potentially the execution of
arbitrary code via a specially crafted UTF-8 character sequence.

For the stable distribution (buster), this problem has been fixed in
version 4.6.2-3+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4862-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 24, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 78.8.0esr-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4863-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 24, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nodejs
CVE ID         : CVE-2021-22883 CVE-2021-22884

Two vulnerabilities were discovered in Node.js, which could result in
denial of service or DNS rebinding attacks.
   
For the stable distribution (buster), these problems have been fixed in
version 10.24.0~dfsg-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4864-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 27, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-aiohttp
CVE ID         : CVE-2021-21330

Beast Glatisant and Jelmer Vernooij reported that python-aiohttp, a
async HTTP client/server framework, is prone to an open redirect
vulnerability. A maliciously crafted link to an aiohttp-based web-server
could redirect the browser to a different website.

For the stable distribution (buster), this problem has been fixed in
version 3.5.1-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4865-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 27, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : docker.io
CVE ID         : CVE-2020-15157 CVE-2020-15257 CVE-2021-21284 CVE-2021-21285

Multiple security issues were discovered in Docker, a Linux container
runtime, which could result in denial of service, an information leak
or privilege escalation.

For the stable distribution (buster), these problems have been fixed in
version 18.09.1+dfsg1-7.1+deb10u3.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4866-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 28, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-23968 CVE-2021-23969 CVE-2021-23973 CVE-2021-23978

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.
		  		     
For the stable distribution (buster), these problems have been fixed in
version 1:78.8.0-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4867-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 02, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grub2
CVE ID         : CVE-2020-14372 CVE-2020-25632 CVE-2020-25647 CVE-2020-27749
                 CVE-2020-27779 CVE-2021-20225 CVE-2021-20233

Several vulnerabilities have been discovered in the GRUB2 bootloader.

CVE-2020-14372

    It was discovered that the acpi command allows a privileged user to
    load crafted ACPI tables when Secure Boot is enabled.

CVE-2020-25632

    A use-after-free vulnerability was found in the rmmod command.

CVE-2020-25647

    An out-of-bound write vulnerability was found in the
    grub_usb_device_initialize() function, which is called to handle USB
    device initialization.

CVE-2020-27749

    A stack buffer overflow flaw was found in grub_parser_split_cmdline.

CVE-2020-27779

    It was discovered that the cutmem command allows a privileged user
    to remove memory regions when Secure Boot is enabled.

CVE-2021-20225

    A heap out-of-bounds write vulnerability was found in the short form
    option parser.

CVE-2021-20233

    A heap out-of-bound write flaw was found caused by mis-calculation
    of space required for quoting in the menu rendering.

Further detailed information can be found at
https://www.debian.org/security/2021-GRUB-UEFI-SecureBoot

For the stable distribution (buster), these problems have been fixed in
version 2.02+dfsg1-20+deb10u4.
Link to post
Share on other sites
  • 2 weeks later...
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4868-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 12, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : CVE-2021-21381

Anton Lydike discovered that sandbox restrictions in Flatpak, an
application deployment framework for desktop apps, could by bypassed
via a malicious .desktop file.

For the stable distribution (buster), this problem has been fixed in
version 1.2.5-0+deb10u4.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4869-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 12, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2020-35523 CVE-2020-35524

Two vulnerabilities have been discovered in the libtiff library
and the included tools, which may result in denial of service or the
execution of arbitrary code if malformed image files are processed.

For the stable distribution (buster), these problems have been fixed in
version 4.1.0+git191117-2~deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4870-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 12, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : pygments
CVE ID         : CVE-2021-20270

It was discovered that Pygments, a syntax highlighting package written
in Python, could be forced into an infinite loop, resulting in denial
of service.

For the stable distribution (buster), this problem has been fixed in
version 2.3.1+dfsg-1+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4871-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 16, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2021-28089 CVE-2021-28090

Two vulnerabilities were discovered in Tor, a connection-based
low-latency anonymous communication system, which could lead to
excessive CPU usage or cause a directory authority to crash.

For the stable distribution (buster), these problems have been fixed in
version 0.3.5.14-1.
Link to post
Share on other sites
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4872-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 18, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : shibboleth-sp
CVE ID         : not yet available
Debian Bug     : 985405

Toni Huttunen discovered that the Shibboleth service provider's template
engine used to render error pages could be abused for phishing attacks.

For additional information please refer to the upstream advisory at
https://shibboleth.net/community/advisories/secadv_20210317.txt

For the stable distribution (buster), this problem has been fixed in
version 3.0.4+dfsg1-1+deb10u1.
Link to post
Share on other sites

×
×
  • Create New...