sunrat
Posted March 23, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4873-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 23, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2020-25097
Debian Bug     : 985068

Jianjun Chen discovered that the Squid proxy caching server was
susceptible to HTTP request smuggling.

For the stable distribution (buster), this problem has been fixed in
version 4.6-1+deb10u5.
sunrat
Posted March 24, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4874-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure or spoofing attacks.

For the stable distribution (buster), these problems have been fixed in
version 78.9.0esr-1~deb10u1.
sunrat
Posted March 25, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4875-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2021-3449

A NULL pointer dereference was found in the signature_algorithms
processing in OpenSSL, a Secure Sockets Layer toolkit, which could
result in denial of service.

Additional details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20210325.txt

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u6.
sunrat
Posted March 26, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4876-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:78.9.0-1~deb10u1.
sunrat
Posted March 27, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4877-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
March 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-27918 CVE-2020-29623 CVE-2021-1765 CVE-2021-1789
                 CVE-2021-1799 CVE-2021-1801 CVE-2021-1870

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-27918

    Liu Long discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2020-29623

    Simon Hunt discovered that users may be unable to fully delete their
    browsing history under some circumstances.

CVE-2021-1765

    Eliya Stein discovered that maliciously crafted web content may
    violate iframe sandboxing policy.

CVE-2021-1789

    @S0rryMybad discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1799

    Gregory Vishnepolsky, Ben Seri and Samy Kamkar discovered that a
    malicious website may be able to access restricted ports on
    arbitrary servers.

CVE-2021-1801

    Eliya Stein discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1870

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.30.6-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4878-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : pygments
CVE ID         : CVE-2021-27291
Debian Bug     : 985574

Ben Caller discovered that Pygments, a syntax highlighting package
written in Python 3, used regular expressions which could result in
denial of service.

For the stable distribution (buster), this problem has been fixed in
version 2.3.1+dfsg-1+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4879-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : spamassassin
CVE ID         : CVE-2020-1946
Debian Bug     : 985962

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam
filter using text analysis. Malicious rule configuration files,
possibly downloaded from an updates server, could execute arbitrary
commands under multiple scenarios.

For the stable distribution (buster), this problem has been fixed in
version 3.4.2-1+deb10u3.
sunrat
Posted March 27, 2021

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.9 released                        press@debian.org
March 27th, 2021              https://www.debian.org/News/2021/20210327
------------------------------------------------------------------------

The Debian project is pleased to announce the ninth update of its
stable distribution Debian 10 (codename "buster"). This point release
mainly adds corrections for security issues, along with a few
adjustments for serious problems. Security advisories have already been
published separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't
have to update many packages, and most such updates are included in the
point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| avahi [1]                 | Remove avahi-daemon-check-dns           |
|                           | mechanism, which is no longer needed    |
| base-files [2]            | Update /etc/debian_version for the 10.9 |
|                           | point release                           |
| cloud-init [3]            | Avoid logging generated passwords to    |
|                           | world-readable log files                |
|                           | [CVE-2021-3429]                         |
| debian-archive-           | Add bullseye keys; retire jessie keys   |
| keyring [4]               |                                         |
| debian-installer [5]      | Use 4.19.0-16 Linux kernel ABI          |
| debian-installer-netboot- | Rebuild against proposed-updates        |
| images [6]                |                                         |
| exim4 [7]                 | Fix use of concurrent TLS connections   |
|                           | under GnuTLS; fix TLS certificate       |
|                           | verification with CNAMEs;               |
|                           | README.Debian: document the limitation/ |
|                           | extent of server certificate            |
|                           | verification in the default             |
|                           | configuration                           |
| fetchmail [8]             | No longer report "System error during   |
|                           | SSL_connect(): Success"; remove         |
|                           | OpenSSL version check                   |
| fwupd [9]                 | Add SBAT support                        |
| fwupd-amd64-signed [10]   | Add SBAT support                        |
| fwupd-arm64-signed [11]   | Add SBAT support                        |
| fwupd-armhf-signed [12]   | Add SBAT support                        |
| fwupd-i386-signed [13]    | Add SBAT support                        |
| fwupdate [14]             | Add SBAT support                        |
| fwupdate-amd64-           | Add SBAT support                        |
| signed [15]               |                                         |
| fwupdate-arm64-           | Add SBAT support                        |
| signed [16]               |                                         |
| fwupdate-armhf-           | Add SBAT support                        |
| signed [17]               |                                         |
| fwupdate-i386-signed [18] | Add SBAT support                        |
| gdnsd [19]                | Fix stack overflow with overly-large    |
|                           | IPv6 addresses [CVE-2019-13952]         |
| groff [20]                | Rebuild against ghostscript 9.27        |
| hwloc-contrib [21]        | Enable support for the ppc64el          |
|                           | architecture                            |
| intel-microcode [22]      | Update various microcode                |
| iputils [23]              | Fix ping rounding errors; fix tracepath |
|                           | target corruption                       |
| jquery [24]               | Fix untrusted code execution            |
|                           | vulnerabilities [CVE-2020-11022         |
|                           | CVE-2020-11023]                         |
| libbsd [25]               | Fix out-of-bounds read issue            |
|                           | [CVE-2019-20367]                        |
| libpano13 [26]            | Fix format string vulnerability         |
| libreoffice [27]          | Do not load encodings.py from current   |
|                           | directory                               |
| linux [28]                | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
| linux-latest [29]         | Update to -15 kernel ABI; update for    |
|                           | -16 kernel ABI                          |
| linux-signed-amd64 [30]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
| linux-signed-arm64 [31]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
| linux-signed-i386 [32]    | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
| lirc [33]                 | Normalize embedded ${DEB_HOST_MULTIARCH}|
|                           | value in /etc/lirc/lirc_options.conf to |
|                           | find unmodified configuration files on  |
|                           | all architectures; recommend            |
|                           | gir1.2-vte-2.91 instead of non-existent |
|                           | gir1.2-vte                              |
| m2crypto [34]             | Fix test failure with recent OpenSSL    |
|                           | versions                                |
| openafs [35]              | Fix outgoing connections after unix     |
|                           | epoch time 0x60000000 (14 January 2021) |
| portaudio19 [36]          | Handle EPIPE from                       |
|                           | alsa_snd_pcm_poll_descriptors, fixing   |
|                           | crash                                   |
| postgresql-11 [37]        | New upstream stable release; fix        |
|                           | information leakage in constraint-      |
|                           | violation error messages                |
|                           | [CVE-2021-3393]; fix CREATE INDEX       |
|                           | CONCURRENTLY to wait for concurrent     |
|                           | prepared transactions                   |
| privoxy [38]              | Security issues [CVE-2020-35502         |
|                           | CVE-2021-20209 CVE-2021-20210           |
|                           | CVE-2021-20211 CVE-2021-20212           |
|                           | CVE-2021-20213 CVE-2021-20214           |
|                           | CVE-2021-20215 CVE-2021-20216           |
|                           | CVE-2021-20217 CVE-2021-20272           |
|                           | CVE-2021-20273 CVE-2021-20275           |
|                           | CVE-2021-20276]                         |
| python3.7 [39]            | Fix CRLF injection in http.client       |
|                           | [CVE-2020-26116]; fix buffer overflow   |
|                           | in PyCArg_repr in _ctypes/callproc.c    |
|                           | [CVE-2021-3177]                         |
| redis [40]                | Fix a series of integer overflow issues |
|                           | on 32-bit systems [CVE-2021-21309]      |
| ruby-mechanize [41]       | Fix command injection issue             |
|                           | [CVE-2021-21289]                        |
| systemd [42]              | core: make sure to restore the control  |
|                           | command id, too, fixing a segfault;     |
|                           | seccomp: allow turning off of seccomp   |
|                           | filtering via an environment variable   |
| uim [43]                  | libuim-data: Perform symlink_to_dir     |
|                           | conversion of /usr/share/doc/libuim-    |
|                           | data in the resurrected package for     |
|                           | clean upgrades from stretch             |
| xcftools [44]             | Fix integer overflow vulnerability      |
|                           | [CVE-2019-5086 CVE-2019-5087]           |
| xterm [45]                | Correct upper-limit for selection       |
|                           | buffer, accounting for combining        |
|                           | characters [CVE-2021-27135]             |
+---------------------------+-----------------------------------------+

Security Updates
----------------

This revision adds the following security updates to the stable
release. The Security Team has already released an advisory for each of
these updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4826 [46]  | nodejs [47]                |
| DSA-4844 [48]  | dnsmasq [49]               |
| DSA-4845 [50]  | openldap [51]              |
| DSA-4846 [52]  | chromium [53]              |
| DSA-4847 [54]  | connman [55]               |
| DSA-4849 [56]  | firejail [57]              |
| DSA-4850 [58]  | libzstd [59]               |
| DSA-4851 [60]  | subversion [61]            |
| DSA-4853 [62]  | spip [63]                  |
| DSA-4854 [64]  | webkit2gtk [65]            |
| DSA-4855 [66]  | openssl [67]               |
| DSA-4856 [68]  | php7.3 [69]                |
| DSA-4857 [70]  | bind9 [71]                 |
| DSA-4858 [72]  | chromium [73]              |
| DSA-4859 [74]  | libzstd [75]               |
| DSA-4860 [76]  | openldap [77]              |
| DSA-4861 [78]  | screen [79]                |
| DSA-4862 [80]  | firefox-esr [81]           |
| DSA-4863 [82]  | nodejs [83]                |
| DSA-4864 [84]  | python-aiohttp [85]        |
| DSA-4865 [86]  | docker.io [87]             |
| DSA-4867 [88]  | grub-efi-amd64-signed [89] |
| DSA-4867 [90]  | grub-efi-arm64-signed [91] |
| DSA-4867 [92]  | grub-efi-ia32-signed [93]  |
| DSA-4867 [94]  | grub2 [95]                 |
| DSA-4868 [96]  | flatpak [97]               |
| DSA-4869 [98]  | tiff [99]                  |
| DSA-4870 [100] | pygments [101]             |
| DSA-4871 [102] | tor [103]                  |
| DSA-4872 [104] | shibboleth-sp [105]        |
+----------------+----------------------------+

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.
sunrat
Posted March 29, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4880-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lxml
CVE ID         : CVE-2021-28957
Debian Bug     : 985643

Kevin Chung discovered that lxml, a Python binding for the libxml2 and
libxslt libraries, did not properly sanitize its input. This would allow
a malicious user to mount a cross-site scripting attack.

For the stable distribution (buster), this problem has been fixed in
version 4.3.2-1+deb10u3.
sunrat
Posted March 31, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4881-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
March 30, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2020-8169 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284
                 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890
Debian Bug     : 965280 965281 968831 977161 977162 977163

Multiple vulnerabilities were discovered in cURL, a URL transfer
library:

CVE-2020-8169

    Marek Szlagor reported that libcurl could be tricked into prepending
    a part of the password to the host name before it resolves it,
    potentially leaking the partial password over the network and to
    the DNS server(s).

CVE-2020-8177

    sn reported that curl could be tricked by a malicious server into
    overwriting a local file when using the -J (--remote-header-name)
    and -i (--include) options in the same command line.

CVE-2020-8231

    Marc Aldorasi reported that libcurl might use the wrong connection
    when an application using libcurl's multi API sets the option
    CURLOPT_CONNECT_ONLY, which could lead to information leaks.

CVE-2020-8284

    Varnavas Papaioannou reported that a malicious server could use the
    PASV response to trick curl into connecting back to an arbitrary IP
    address and port, potentially making curl extract information about
    services that are otherwise private and not disclosed.

CVE-2020-8285

    xnynx reported that libcurl could run out of stack space when using
    the FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION).

CVE-2020-8286

    It was reported that libcurl didn't verify that an OCSP response
    actually matches the certificate it is intended to.

CVE-2021-22876

    Viktor Szakats reported that libcurl does not strip off user
    credentials from the URL when automatically populating the Referer
    HTTP request header field in outgoing HTTP requests.

CVE-2021-22890

    Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3,
    libcurl could confuse session tickets arriving from the HTTPS proxy
    as if they arrived from the remote server instead. This could allow
    an HTTPS proxy to trick libcurl into using the wrong session ticket
    for the host and thereby circumvent the server TLS certificate
    check.

For the stable distribution (buster), these problems have been fixed in
version 7.64.0-4+deb10u2.
sunrat
Posted April 1, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4882-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjpeg2
CVE ID         : CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814
                 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841
                 CVE-2020-27842 CVE-2020-27843 CVE-2020-27845

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec, which could result in denial of service or
the execution of arbitrary code when opening a malformed image.

For the stable distribution (buster), these problems have been fixed in
version 2.3.0-2+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4883-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : underscore
CVE ID         : CVE-2021-23358
Debian Bug     : 986171

It was discovered that missing input sanitising in the template()
function of the Underscore JavaScript library could result in the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1.9.1~dfsg-1+deb10u1.
sunrat
Posted April 2, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4884-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 02, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ldb
CVE ID         : CVE-2020-10730 CVE-2020-27840 CVE-2021-20277
Debian Bug     : 985935 985936

Multiple vulnerabilities have been discovered in ldb, an LDAP-like
embedded database built on top of TDB.

CVE-2020-10730

    Andrew Bartlett discovered a NULL pointer dereference and
    use-after-free flaw when handling 'ASQ' and 'VLV' LDAP controls and
    combinations with the LDAP paged_results feature.

CVE-2020-27840

    Douglas Bagnall discovered a heap corruption flaw via crafted DN
    strings.

CVE-2021-20277

    Douglas Bagnall discovered an out-of-bounds read vulnerability in
    handling LDAP attributes that contain multiple consecutive leading
    spaces.

For the stable distribution (buster), these problems have been fixed in
version 2:1.5.1+really1.4.6-3+deb10u1.
sunrat
Posted April 5, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4885-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 05, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : netty
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612
                 CVE-2021-21290 CVE-2021-21295 CVE-2021-21409

Multiple security issues were discovered in Netty, a Java NIO
client/server framework, which could result in HTTP request smuggling,
denial of service or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:4.1.33-1+deb10u2.
sunrat
Posted April 7, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4886-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
April 06, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162
                 CVE-2021-21163 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167
                 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171
                 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175
                 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 CVE-2021-21179
                 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183
                 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187
                 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2021-21191
                 CVE-2021-21192 CVE-2021-21193 CVE-2021-21194 CVE-2021-21195
                 CVE-2021-21196 CVE-2021-21197 CVE-2021-21198 CVE-2021-21199

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21159

    Khalil Zhani discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21160

    Marcin Noga discovered a buffer overflow issue in WebAudio.

CVE-2021-21161

    Khalil Zhani discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21162

    A use-after-free issue was discovered in the WebRTC implementation.

CVE-2021-21163

    Alison Huffman discovered a data validation issue.

CVE-2021-21165

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21166

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21167

    Leecraso and Guang Gong discovered a use-after-free issue in the
    bookmarks implementation.

CVE-2021-21168

    Luan Herrera discovered a policy enforcement error in the appcache.

CVE-2021-21169

    Bohan Liu and Moon Liang discovered an out-of-bounds access issue in
    the v8 javascript library.

CVE-2021-21170

    David Erceg discovered a user interface error.

CVE-2021-21171

    Irvan Kurniawan discovered a user interface error.

CVE-2021-21172

    Maciej Pulikowski discovered a policy enforcement error in the File
    System API.

CVE-2021-21173

    Tom Van Goethem discovered a network based information leak.

CVE-2021-21174

    Ashish Guatam Kambled discovered an implementation error in the
    Referrer policy.

CVE-2021-21175

    Jun Kokatsu discovered an implementation error in the Site Isolation
    feature.

CVE-2021-21176

    Luan Herrera discovered an implementation error in the full screen
    mode.

CVE-2021-21177

    Abdulrahman Alqabandi discovered a policy enforcement error in the
    Autofill feature.

CVE-2021-21178

    Japong discovered an error in the Compositor implementation.

CVE-2021-21179

    A use-after-free issue was discovered in the networking
    implementation.

CVE-2021-21180

    Abdulrahman Alqabandi discovered a use-after-free issue in the tab
    search feature.

CVE-2021-21181

    Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a
    side-channel information leak in the Autofill feature.

CVE-2021-21182

    Luan Herrera discovered a policy enforcement error in the site
    navigation implementation.

CVE-2021-21183

    Takashi Yoneuchi discovered an implementation error in the
    Performance API.

CVE-2021-21184

    James Hartig discovered an implementation error in the Performance
    API.

CVE-2021-21185

    David Erceg discovered a policy enforcement error in Extensions.

CVE-2021-21186

    dhirajkumarnifty discovered a policy enforcement error in the QR
    scan implementation.

CVE-2021-21187

    Kirtikumar Anandrao Ramchandani discovered a data validation error
    in URL formatting.

CVE-2021-21188

    Woojin Oh discovered a use-after-free issue in Blink/Webkit.

CVE-2021-21189

    Khalil Zhani discovered a policy enforcement error in the Payments
    implementation.

CVE-2021-21190

    Zhou Aiting discovered use of uninitialized memory in the pdfium
    library.

CVE-2021-21191

    raven discovered a use-after-free issue in the WebRTC
    implementation.

CVE-2021-21192

    Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21193

    A use-after-free issue was discovered in Blink/Webkit.

CVE-2021-21194

    Leecraso and Guang Gong discovered a use-after-free issue in the
    screen capture feature.

CVE-2021-21195

    Liu and Liang discovered a use-after-free issue in the v8 javascript
    library.

CVE-2021-21196

    Khalil Zhani discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21197

    Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21198

    Mark Brand discovered an out-of-bounds read issue in the
    Inter-Process Communication implementation.

CVE-2021-21199

    Weipeng Jiang discovered a use-after-free issue in the Aura window
    and event manager.

For the stable distribution (buster), these problems have been fixed in
version 89.0.4389.114-1~deb10u1.
sunrat
Posted April 8, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4887-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 08, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lib3mf
CVE ID         : CVE-2021-21772
Debian Bug     : 985092

A use-after-free was discovered in Lib3MF, a C++ implementation of the
3D Manufacturing Format, which could result in the execution of
arbitrary code if a malformed file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.8.1+ds-3+deb10u1.
sunrat
Posted April 10, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4888-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2021-26933 CVE-2021-27379

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, privilege escalation or memory
disclosure.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+99-g8bce4698f6-1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4889-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30159
                 CVE-2021-30154 CVE-2021-30155 CVE-2021-30157 CVE-2021-30158

Multiple security issues were found in MediaWiki, a website engine for
collaborative work, which could result in incomplete page/blocking
protection, denial of service or cross-site scripting.

For the stable distribution (buster), these problems have been fixed in
version 1:1.31.14-1~deb10u1.
sunrat
Posted April 13, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4890-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 12, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ruby-kramdown
CVE ID         : CVE-2021-28834
Debian Bug     : 985569

Stan Hu discovered that kramdown, a pure Ruby Markdown parser and
converter, performed insufficient namespace validation of Rouge syntax
highlighting formatters.

For the stable distribution (buster), this problem has been fixed in
version 1.17.0-1+deb10u2.
sunrat
Posted April 14, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4891-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 13, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-25122 CVE-2021-25329

Two vulnerabilities were discovered in the Tomcat servlet and JSP
engine, which could result in information disclosure or denial of
service.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u4.
sunrat
Posted April 19, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4892-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : python-bleach
CVE ID         : CVE-2021-23980
Debian Bug     : 986251

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when
'svg' or 'math' are in the allowed tags, 'p' or 'br' are in allowed
tags, 'style', 'title', 'noscript', 'script', 'textarea', 'noframes',
'iframe', or 'xmp' are in allowed tags and 'strip_comments=False' is
set.

For the stable distribution (buster), this problem has been fixed in
version 3.1.2-0+deb10u2.
sunrat
Posted April 19, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4893-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 19, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2021-3472

Jan-Niklas Sohn discovered that missing input sanitising in the XInput
extension of the X.org X server may result in privilege escalation if
the X server is running privileged.

For the stable distribution (buster), this problem has been fixed in
version 2:1.20.4-1+deb10u3.
sunrat
Posted April 20, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4894-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 20, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : php-pear
CVE ID         : CVE-2020-36193
Debian Bug     : 980428

It was discovered that the PEAR Archive_Tar package for handling tar
files in PHP is prone to a directory traversal flaw due to inadequate
checking of symbolic links.

For the stable distribution (buster), this problem has been fixed in
version 1:1.10.6+submodules+notgz-1.1+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4895-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 20, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998
                 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure, privilege escalation or spoofing.

For the stable distribution (buster), these problems have been fixed in
version 78.10.0esr-1~deb10u1.
sunrat
Posted April 22, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4896-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 22, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2021-29447 CVE-2021-29450
Debian Bug     : 987065

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. They allowed remote attackers to perform XML External Entity
(XXE) attacks, and access private content.

For the stable distribution (buster), these problems have been fixed in
version 5.0.12+dfsg1-0+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4897-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-23961 CVE-2021-23991 CVE-2021-23992 CVE-2021-23993
                 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999
                 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVE-2021-29948
                 CVE-2021-29949

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure. In
addition a number of security issues were addressed in the OpenPGP
support.

For the stable distribution (buster), these problems have been fixed in
version 1:78.10.0-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4898-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 22, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2020-12695 CVE-2021-0326 CVE-2021-27803
Debian Bug     : 976106 981971

Several vulnerabilities have been discovered in wpa_supplicant and
hostapd.

CVE-2020-12695

    It was discovered that hostapd does not properly handle UPnP
    subscribe messages under certain conditions, allowing an attacker
    to cause a denial of service.

CVE-2021-0326

    It was discovered that wpa_supplicant does not properly process P2P
    (Wi-Fi Direct) group information from active group owners. An
    attacker within radio range of the device running P2P could take
    advantage of this flaw to cause a denial of service or potentially
    execute arbitrary code.

CVE-2021-27803

    It was discovered that wpa_supplicant does not properly process P2P
    (Wi-Fi Direct) provision discovery requests. An attacker within
    radio range of the device running P2P could take advantage of this
    flaw to cause a denial of service or potentially execute arbitrary
    code.

For the stable distribution (buster), these problems have been fixed in
version 2:2.7+git20190128+0c1e29f-6+deb10u3.
sunrat Posted April 25, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4899-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
April 23, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2021-2161

It was discovered that the OpenJDK Java platform incompletely enforced configuration settings used in Jar signing verifications.

For the stable distribution (buster), this problem has been fixed in version 11.0.11+9-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4900-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-good1.0
CVE ID         : CVE-2021-3497 CVE-2021-3498
Debian Bug     : 986910 986911

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), these problems have been fixed in version 1.14.4-1+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4901-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-libav1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in version 1.15.0.1+git20180723+db823502-2+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4902-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-bad1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in version 1.14.4-1+deb10u2.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4903-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in version 1.14.4-2+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4904-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : gst-plugins-ugly1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in version 1.14.4-1+deb10u1.
sunrat Posted April 28, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4905-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : shibboleth-sp
CVE ID         : CVE-2021-31826
Debian Bug     : 987608

It was discovered that the Shibboleth Service Provider is prone to a NULL pointer dereference flaw in the cookie-based session recovery feature. A remote, unauthenticated attacker can take advantage of this flaw to cause a denial of service (crash in the shibd daemon/service).

For additional information please refer to the upstream advisory at https://shibboleth.net/community/advisories/secadv_20210426.txt

For the stable distribution (buster), this problem has been fixed in version 3.0.4+dfsg1-1+deb10u2.
sunrat Posted April 28, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4906-1                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
April 27, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21201 CVE-2021-21202 CVE-2021-21203 CVE-2021-21204
                 CVE-2021-21205 CVE-2021-21207 CVE-2021-21208 CVE-2021-21209
                 CVE-2021-21210 CVE-2021-21211 CVE-2021-21212 CVE-2021-21213
                 CVE-2021-21214 CVE-2021-21215 CVE-2021-21216 CVE-2021-21217
                 CVE-2021-21218 CVE-2021-21219 CVE-2021-21221 CVE-2021-21222
                 CVE-2021-21223 CVE-2021-21224 CVE-2021-21225 CVE-2021-21226

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21201

    Gengming Liu and Jianyu Chen discovered a use-after-free issue.

CVE-2021-21202

    David Erceg discovered a use-after-free issue in extensions.

CVE-2021-21203

    asnine discovered a use-after-free issue in Blink/Webkit.

CVE-2021-21204

    Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander discovered a use-after-free issue in Blink/Webkit.

CVE-2021-21205

    Alison Huffman discovered a policy enforcement error.

CVE-2021-21207

    koocola and Nan Wang discovered a use-after-free in the indexed database.

CVE-2021-21208

    Ahmed Elsobky discovered a data validation error in the QR code scanner.

CVE-2021-21209

    Tom Van Goethem discovered an implementation error in the Storage API.

CVE-2021-21210

    @bananabr discovered an error in the networking implementation.

CVE-2021-21211

    Akash Labade discovered an error in the navigation implementation.

CVE-2021-21212

    Hugo Hue and Sze Yui Chau discovered an error in the network configuration user interface.

CVE-2021-21213

    raven discovered a use-after-free issue in the WebMIDI implementation.

CVE-2021-21214

    A use-after-free issue was discovered in the networking implementation.

CVE-2021-21215

    Abdulrahman Alqabandi discovered an error in the Autofill feature.

CVE-2021-21216

    Abdulrahman Alqabandi discovered an error in the Autofill feature.

CVE-2021-21217

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21218

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21219

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21221

    Guang Gong discovered insufficient validation of untrusted input.

CVE-2021-21222

    Guang Gong discovered a buffer overflow issue in the v8 javascript library.

CVE-2021-21223

    Guang Gong discovered an integer overflow issue.

CVE-2021-21224

    Jose Martinez discovered a type error in the v8 javascript library.

CVE-2021-21225

    Brendon Tiszka discovered an out-of-bounds memory access issue in the v8 javascript library.

CVE-2021-21226

    Brendon Tiszka discovered a use-after-free issue in the networking implementation.

For the stable distribution (buster), these problems have been fixed in version 90.0.4430.85-1~deb10u1.
sunrat Posted April 30, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4907-1                   security@debian.org
https://www.debian.org/security/                        Sebastien Delafond
April 29, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : composer
CVE ID         : CVE-2021-29472

It was discovered that composer, a dependency manager for PHP, did not properly sanitize Mercurial URLs, which could lead to arbitrary code execution.

For the stable distribution (buster), this problem has been fixed in version 1.8.4-1+deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4908-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 29, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libhibernate3-java
CVE ID         : CVE-2020-25638

It was discovered that libhibernate3-java, a powerful, high performance object/relational persistence and query service, is prone to an SQL injection vulnerability allowing an attacker to access unauthorized information or possibly conduct further attacks.

For the stable distribution (buster), this problem has been fixed in version 3.6.10.Final-9+deb10u1.
sunrat Posted May 1, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4909-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 01, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2021-25214 CVE-2021-25215 CVE-2021-25216
Debian Bug     : 987741 987742 987743

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2021-25214

    Greg Kuechle discovered that a malformed incoming IXFR transfer could trigger an assertion failure in named, resulting in denial of service.

CVE-2021-25215

    Siva Kakarla discovered that named could crash when a DNAME record placed in the ANSWER section during DNAME chasing turned out to be the final answer to a client query.

CVE-2021-25216

    It was discovered that the SPNEGO implementation used by BIND is prone to a buffer overflow vulnerability. This update switches to use the SPNEGO implementation from the Kerberos libraries.

For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u5.
sunrat Posted May 2, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4910-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 02, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libimage-exiftool-perl
CVE ID         : CVE-2021-22204
Debian Bug     : 987505

A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

For the stable distribution (buster), this problem has been fixed in version 11.16-1+deb10u1.
sunrat Posted May 5, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4911-1                   security@debian.org
https://www.debian.org/security/                           Michael Gilbert
May 03, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230
                 CVE-2021-21231 CVE-2021-21232 CVE-2021-21233

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21227

    Gengming Liu discovered a data validation issue in the v8 javascript library.

CVE-2021-21228

    Rob Wu discovered a policy enforcement error.

CVE-2021-21229

    Mohit Raj discovered a user interface error in the file downloader.

CVE-2021-21230

    Manfred Paul discovered use of an incorrect type.

CVE-2021-21231

    Sergei Glazunov discovered a data validation issue in the v8 javascript library.

CVE-2021-21232

    Abdulrahman Alqabandi discovered a use-after-free issue in the developer tools.

CVE-2021-21233

    Omair discovered a buffer overflow issue in the ANGLE library.

For the stable distribution (buster), these problems have been fixed in version 90.0.4430.93-1~deb10u1.

-------------------------------------------------------------------------
Debian Security Advisory DSA-4912-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 04, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010
                 CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014
                 CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021
                 CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025
                 CVE-2020-28026

The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.

Details can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt

For the stable distribution (buster), these problems have been fixed in version 4.92-8+deb10u6.
sunrat Posted May 10, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4913-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
May 10, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : hivex
CVE ID         : CVE-2021-3504
Debian Bug     : 988024

Jeremy Galindo discovered an out-of-bounds memory access in Hivex, a library to parse Windows Registry hive files.

For the stable distribution (buster), this problem has been fixed in version 1.3.18-1+deb10u1.
sunrat Posted May 12, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4914-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
May 12, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : graphviz
CVE ID         : CVE-2020-18032
Debian Bug     : 988000

A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.

For the stable distribution (buster), this problem has been fixed in version 2.40.1-6+deb10u1.
sunrat Posted May 13, 2021

-------------------------------------------------------------------------
Debian Security Advisory DSA-4915-1                   security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
May 13, 2021                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : postgresql-11
CVE ID         : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029

Multiple security issues have been discovered in the PostgreSQL database system, which could result in the execution of arbitrary code or disclosure of memory content.

For the stable distribution (buster), these problems have been fixed in version 11.12-0+deb10u1.