sunrat, posted March 23

-------------------------------------------------------------------------
Debian Security Advisory DSA-4873-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 23, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2020-25097
Debian Bug     : 985068

Jianjun Chen discovered that the Squid proxy caching server was
susceptible to HTTP request smuggling.

For the stable distribution (buster), this problem has been fixed in
version 4.6-1+deb10u5.
sunrat, posted March 24

-------------------------------------------------------------------------
Debian Security Advisory DSA-4874-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure or spoofing attacks.

For the stable distribution (buster), these problems have been fixed in
version 78.9.0esr-1~deb10u1.
sunrat, posted March 25

-------------------------------------------------------------------------
Debian Security Advisory DSA-4875-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2021-3449

A NULL pointer dereference was found in the signature_algorithms
processing in OpenSSL, a Secure Sockets Layer toolkit, which could
result in denial of service.

Additional details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20210325.txt

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u6.
sunrat, posted March 26

-------------------------------------------------------------------------
Debian Security Advisory DSA-4876-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:78.9.0-1~deb10u1.
sunrat, posted March 27

-------------------------------------------------------------------------
Debian Security Advisory DSA-4877-1                   security@debian.org
https://www.debian.org/security/                            Alberto Garcia
March 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-27918 CVE-2020-29623 CVE-2021-1765 CVE-2021-1789
                 CVE-2021-1799 CVE-2021-1801 CVE-2021-1870

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-27918

    Liu Long discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-29623

    Simon Hunt discovered that users may be unable to fully delete their
    browsing history under some circumstances.

CVE-2021-1765

    Eliya Stein discovered that maliciously crafted web content may
    violate iframe sandboxing policy.

CVE-2021-1789

    @S0rryMybad discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1799

    Gregory Vishnepolsky, Ben Seri and Samy Kamkar discovered that a
    malicious website may be able to access restricted ports on
    arbitrary servers.

CVE-2021-1801

    Eliya Stein discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1870

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.30.6-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4878-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : pygments
CVE ID         : CVE-2021-27291
Debian Bug     : 985574

Ben Caller discovered that Pygments, a syntax highlighting package
written in Python 3, used regular expressions which could result in
denial of service.

For the stable distribution (buster), this problem has been fixed in
version 2.3.1+dfsg-1+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4879-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
March 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : spamassassin
CVE ID         : CVE-2020-1946
Debian Bug     : 985962

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam
filter using text analysis. Malicious rule configuration files, possibly
downloaded from an updates server, could execute arbitrary commands
under multiple scenarios.

For the stable distribution (buster), this problem has been fixed in
version 3.4.2-1+deb10u3.
sunrat, posted March 27

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.9 released                        press@debian.org
March 27th, 2021                https://www.debian.org/News/2021/20210327
------------------------------------------------------------------------

The Debian project is pleased to announce the ninth update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

Package                         | Reason
--------------------------------+--------------------------------------------------
avahi [1]                       | Remove avahi-daemon-check-dns mechanism, which is no longer needed
base-files [2]                  | Update /etc/debian_version for the 10.9 point release
cloud-init [3]                  | Avoid logging generated passwords to world-readable log files [CVE-2021-3429]
debian-archive-keyring [4]      | Add bullseye keys; retire jessie keys
debian-installer [5]            | Use 4.19.0-16 Linux kernel ABI
debian-installer-netboot-images [6] | Rebuild against proposed-updates
exim4 [7]                       | Fix use of concurrent TLS connections under GnuTLS; fix TLS certificate verification with CNAMEs; README.Debian: document the limitation/extent of server certificate verification in the default configuration
fetchmail [8]                   | No longer report "System error during SSL_connect(): Success"; remove OpenSSL version check
fwupd [9]                       | Add SBAT support
fwupd-amd64-signed [10]         | Add SBAT support
fwupd-arm64-signed [11]         | Add SBAT support
fwupd-armhf-signed [12]         | Add SBAT support
fwupd-i386-signed [13]          | Add SBAT support
fwupdate [14]                   | Add SBAT support
fwupdate-amd64-signed [15]      | Add SBAT support
fwupdate-arm64-signed [16]      | Add SBAT support
fwupdate-armhf-signed [17]      | Add SBAT support
fwupdate-i386-signed [18]       | Add SBAT support
gdnsd [19]                      | Fix stack overflow with overly-large IPv6 addresses [CVE-2019-13952]
groff [20]                      | Rebuild against ghostscript 9.27
hwloc-contrib [21]              | Enable support for the ppc64el architecture
intel-microcode [22]            | Update various microcode
iputils [23]                    | Fix ping rounding errors; fix tracepath target corruption
jquery [24]                     | Fix untrusted code execution vulnerabilities [CVE-2020-11022 CVE-2020-11023]
libbsd [25]                     | Fix out-of-bounds read issue [CVE-2019-20367]
libpano13 [26]                  | Fix format string vulnerability
libreoffice [27]                | Do not load encodings.py from current directory
linux [28]                      | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72
linux-latest [29]               | Update to -15 kernel ABI; update for -16 kernel ABI
linux-signed-amd64 [30]         | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72
linux-signed-arm64 [31]         | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72
linux-signed-i386 [32]          | New upstream stable release; update ABI to -16; rotate secure boot signing keys; rt: update to 4.19.173-rt72
lirc [33]                       | Normalize embedded ${DEB_HOST_MULTIARCH} value in /etc/lirc/lirc_options.conf to find unmodified configuration files on all architectures; recommend gir1.2-vte-2.91 instead of non-existent gir1.2-vte
m2crypto [34]                   | Fix test failure with recent OpenSSL versions
openafs [35]                    | Fix outgoing connections after unix epoch time 0x60000000 (14 January 2021)
portaudio19 [36]                | Handle EPIPE from alsa_snd_pcm_poll_descriptors, fixing crash
postgresql-11 [37]              | New upstream stable release; fix information leakage in constraint-violation error messages [CVE-2021-3393]; fix CREATE INDEX CONCURRENTLY to wait for concurrent prepared transactions
privoxy [38]                    | Security issues [CVE-2020-35502 CVE-2021-20209 CVE-2021-20210 CVE-2021-20211 CVE-2021-20212 CVE-2021-20213 CVE-2021-20214 CVE-2021-20215 CVE-2021-20216 CVE-2021-20217 CVE-2021-20272 CVE-2021-20273 CVE-2021-20275 CVE-2021-20276]
python3.7 [39]                  | Fix CRLF injection in http.client [CVE-2020-26116]; fix buffer overflow in PyCArg_repr in _ctypes/callproc.c [CVE-2021-3177]
redis [40]                      | Fix a series of integer overflow issues on 32-bit systems [CVE-2021-21309]
ruby-mechanize [41]             | Fix command injection issue [CVE-2021-21289]
systemd [42]                    | core: make sure to restore the control command id, too, fixing a segfault; seccomp: allow turning off of seccomp filtering via an environment variable
uim [43]                        | libuim-data: Perform symlink_to_dir conversion of /usr/share/doc/libuim-data in the resurrected package for clean upgrades from stretch
xcftools [44]                   | Fix integer overflow vulnerability [CVE-2019-5086 CVE-2019-5087]
xterm [45]                      | Correct upper-limit for selection buffer, accounting for combining characters [CVE-2021-27135]

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

Advisory ID     | Package
----------------+----------------------------
DSA-4826 [46]   | nodejs [47]
DSA-4844 [48]   | dnsmasq [49]
DSA-4845 [50]   | openldap [51]
DSA-4846 [52]   | chromium [53]
DSA-4847 [54]   | connman [55]
DSA-4849 [56]   | firejail [57]
DSA-4850 [58]   | libzstd [59]
DSA-4851 [60]   | subversion [61]
DSA-4853 [62]   | spip [63]
DSA-4854 [64]   | webkit2gtk [65]
DSA-4855 [66]   | openssl [67]
DSA-4856 [68]   | php7.3 [69]
DSA-4857 [70]   | bind9 [71]
DSA-4858 [72]   | chromium [73]
DSA-4859 [74]   | libzstd [75]
DSA-4860 [76]   | openldap [77]
DSA-4861 [78]   | screen [79]
DSA-4862 [80]   | firefox-esr [81]
DSA-4863 [82]   | nodejs [83]
DSA-4864 [84]   | python-aiohttp [85]
DSA-4865 [86]   | docker.io [87]
DSA-4867 [88]   | grub-efi-amd64-signed [89]
DSA-4867 [90]   | grub-efi-arm64-signed [91]
DSA-4867 [92]   | grub-efi-ia32-signed [93]
DSA-4867 [94]   | grub2 [95]
DSA-4868 [96]   | flatpak [97]
DSA-4869 [98]   | tiff [99]
DSA-4870 [100]  | pygments [101]
DSA-4871 [102]  | tor [103]
DSA-4872 [104]  | shibboleth-sp [105]

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.
sunrat, posted March 29

-------------------------------------------------------------------------
Debian Security Advisory DSA-4880-1                   security@debian.org
https://www.debian.org/security/                        Sebastien Delafond
March 29, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lxml
CVE ID         : CVE-2021-28957
Debian Bug     : 985643

Kevin Chung discovered that lxml, a Python binding for the libxml2 and
libxslt libraries, did not properly sanitize its input. This would allow
a malicious user to mount a cross-site scripting attack.

For the stable distribution (buster), this problem has been fixed in
version 4.3.2-1+deb10u3.
sunrat, posted March 31

-------------------------------------------------------------------------
Debian Security Advisory DSA-4881-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
March 30, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2020-8169 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284
                 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890
Debian Bug     : 965280 965281 968831 977161 977162 977163

Multiple vulnerabilities were discovered in cURL, a URL transfer library:

CVE-2020-8169

    Marek Szlagor reported that libcurl could be tricked into prepending
    a part of the password to the host name before it resolves it,
    potentially leaking the partial password over the network and to the
    DNS server(s).

CVE-2020-8177

    sn reported that curl could be tricked by a malicious server into
    overwriting a local file when using the -J (--remote-header-name)
    and -i (--include) options in the same command line.

CVE-2020-8231

    Marc Aldorasi reported that libcurl might use the wrong connection
    when an application using libcurl's multi API sets the option
    CURLOPT_CONNECT_ONLY, which could lead to information leaks.

CVE-2020-8284

    Varnavas Papaioannou reported that a malicious server could use the
    PASV response to trick curl into connecting back to an arbitrary IP
    address and port, potentially making curl extract information about
    services that are otherwise private and not disclosed.

CVE-2020-8285

    xnynx reported that libcurl could run out of stack space when using
    the FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION).

CVE-2020-8286

    It was reported that libcurl didn't verify that an OCSP response
    actually matches the certificate it is intended to.

CVE-2021-22876

    Viktor Szakats reported that libcurl does not strip off user
    credentials from the URL when automatically populating the Referer
    HTTP request header field in outgoing HTTP requests.

CVE-2021-22890

    Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3,
    libcurl could confuse session tickets arriving from the HTTPS proxy
    as if they arrived from the remote server instead. This could allow
    an HTTPS proxy to trick libcurl into using the wrong session ticket
    for the host and thereby circumvent the server TLS certificate check.

For the stable distribution (buster), these problems have been fixed in
version 7.64.0-4+deb10u2.
sunrat, posted April 1

-------------------------------------------------------------------------
Debian Security Advisory DSA-4882-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjpeg2
CVE ID         : CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814
                 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842
                 CVE-2020-27843 CVE-2020-27845

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec, which could result in denial of service or
the execution of arbitrary code when opening a malformed image.

For the stable distribution (buster), these problems have been fixed in
version 2.3.0-2+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4883-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : underscore
CVE ID         : CVE-2021-23358
Debian Bug     : 986171

It was discovered that missing input sanitising in the template()
function of the Underscore JavaScript library could result in the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1.9.1~dfsg-1+deb10u1.
sunrat, posted April 2

-------------------------------------------------------------------------
Debian Security Advisory DSA-4884-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
April 02, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ldb
CVE ID         : CVE-2020-10730 CVE-2020-27840 CVE-2021-20277
Debian Bug     : 985935 985936

Multiple vulnerabilities have been discovered in ldb, an LDAP-like
embedded database built on top of TDB.

CVE-2020-10730

    Andrew Bartlett discovered a NULL pointer dereference and
    use-after-free flaw when handling 'ASQ' and 'VLV' LDAP controls and
    combinations with the LDAP paged_results feature.

CVE-2020-27840

    Douglas Bagnall discovered a heap corruption flaw via crafted DN
    strings.

CVE-2021-20277

    Douglas Bagnall discovered an out-of-bounds read vulnerability in
    handling LDAP attributes that contain multiple consecutive leading
    spaces.

For the stable distribution (buster), these problems have been fixed in
version 2:1.5.1+really1.4.6-3+deb10u1.
sunrat, posted April 5

-------------------------------------------------------------------------
Debian Security Advisory DSA-4885-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 05, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : netty
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612
                 CVE-2021-21290 CVE-2021-21295 CVE-2021-21409

Multiple security issues were discovered in Netty, a Java NIO
client/server framework, which could result in HTTP request smuggling,
denial of service or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:4.1.33-1+deb10u2.
sunrat, posted April 7

-------------------------------------------------------------------------
Debian Security Advisory DSA-4886-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
April 06, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162
                 CVE-2021-21163 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167
                 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171
                 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175
                 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 CVE-2021-21179
                 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183
                 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187
                 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2021-21191
                 CVE-2021-21192 CVE-2021-21193 CVE-2021-21194 CVE-2021-21195
                 CVE-2021-21196 CVE-2021-21197 CVE-2021-21198 CVE-2021-21199

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21159

    Khalil Zhani discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21160

    Marcin Noga discovered a buffer overflow issue in WebAudio.

CVE-2021-21161

    Khalil Zhani discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21162

    A use-after-free issue was discovered in the WebRTC implementation.

CVE-2021-21163

    Alison Huffman discovered a data validation issue.

CVE-2021-21165

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21166

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21167

    Leecraso and Guang Gong discovered a use-after-free issue in the
    bookmarks implementation.

CVE-2021-21168

    Luan Herrera discovered a policy enforcement error in the appcache.

CVE-2021-21169

    Bohan Liu and Moon Liang discovered an out-of-bounds access issue in
    the v8 javascript library.

CVE-2021-21170

    David Erceg discovered a user interface error.

CVE-2021-21171

    Irvan Kurniawan discovered a user interface error.

CVE-2021-21172

    Maciej Pulikowski discovered a policy enforcement error in the File
    System API.

CVE-2021-21173

    Tom Van Goethem discovered a network based information leak.

CVE-2021-21174

    Ashish Guatam Kambled discovered an implementation error in the
    Referrer policy.

CVE-2021-21175

    Jun Kokatsu discovered an implementation error in the Site Isolation
    feature.

CVE-2021-21176

    Luan Herrera discovered an implementation error in the full screen
    mode.

CVE-2021-21177

    Abdulrahman Alqabandi discovered a policy enforcement error in the
    Autofill feature.

CVE-2021-21178

    Japong discovered an error in the Compositor implementation.

CVE-2021-21179

    A use-after-free issue was discovered in the networking
    implementation.

CVE-2021-21180

    Abdulrahman Alqabandi discovered a use-after-free issue in the tab
    search feature.

CVE-2021-21181

    Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a
    side-channel information leak in the Autofill feature.

CVE-2021-21182

    Luan Herrera discovered a policy enforcement error in the site
    navigation implementation.

CVE-2021-21183

    Takashi Yoneuchi discovered an implementation error in the
    Performance API.

CVE-2021-21184

    James Hartig discovered an implementation error in the Performance
    API.

CVE-2021-21185

    David Erceg discovered a policy enforcement error in Extensions.

CVE-2021-21186

    dhirajkumarnifty discovered a policy enforcement error in the QR
    scan implementation.

CVE-2021-21187

    Kirtikumar Anandrao Ramchandani discovered a data validation error
    in URL formatting.

CVE-2021-21188

    Woojin Oh discovered a use-after-free issue in Blink/Webkit.

CVE-2021-21189

    Khalil Zhani discovered a policy enforcement error in the Payments
    implementation.

CVE-2021-21190

    Zhou Aiting discovered use of uninitialized memory in the pdfium
    library.

CVE-2021-21191

    raven discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2021-21192

    Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21193

    A use-after-free issue was discovered in Blink/Webkit.

CVE-2021-21194

    Leecraso and Guang Gong discovered a use-after-free issue in the
    screen capture feature.

CVE-2021-21195

    Liu and Liang discovered a use-after-free issue in the v8 javascript
    library.

CVE-2021-21196

    Khalil Zhani discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21197

    Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21198

    Mark Brand discovered an out-of-bounds read issue in the
    Inter-Process Communication implementation.

CVE-2021-21199

    Weipeng Jiang discovered a use-after-free issue in the Aura window
    and event manager.

For the stable distribution (buster), these problems have been fixed in
version 89.0.4389.114-1~deb10u1.
sunrat, posted April 8

-------------------------------------------------------------------------
Debian Security Advisory DSA-4887-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 08, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lib3mf
CVE ID         : CVE-2021-21772
Debian Bug     : 985092

A use-after-free was discovered in Lib3MF, a C++ implementation of the
3D Manufacturing Format, which could result in the execution of
arbitrary code if a malformed file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.8.1+ds-3+deb10u1.
sunrat, posted Saturday at 10:38 PM

-------------------------------------------------------------------------
Debian Security Advisory DSA-4888-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2021-26933 CVE-2021-27379

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, privilege escalation or memory
disclosure.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+99-g8bce4698f6-1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4889-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30159
                 CVE-2021-30154 CVE-2021-30155 CVE-2021-30157 CVE-2021-30158

Multiple security issues were found in MediaWiki, a website engine for
collaborative work, which could result in incomplete page/blocking
protection, denial of service or cross-site scripting.

For the stable distribution (buster), these problems have been fixed in
version 1:1.31.14-1~deb10u1.
sunrat, posted Tuesday at 05:21 AM

-------------------------------------------------------------------------
Debian Security Advisory DSA-4890-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 12, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-kramdown
CVE ID         : CVE-2021-28834
Debian Bug     : 985569

Stan Hu discovered that kramdown, a pure Ruby Markdown parser and
converter, performed insufficient namespace validation of Rouge syntax
highlighting formatters.

For the stable distribution (buster), this problem has been fixed in
version 1.17.0-1+deb10u2.
sunrat, posted yesterday at 12:25 AM

-------------------------------------------------------------------------
Debian Security Advisory DSA-4891-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 13, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-25122 CVE-2021-25329

Two vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in information disclosure or denial of
service.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u4.