Jump to content

Recommended Posts

sunrat
- -----------------------------------------------------------------------
Debian Security Advisory DSA-4873-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 23, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2020-25097
Debian Bug     : 985068

Jianjun Chen discovered that the Squid proxy caching server was
susceptible to HTTP request smuggling.

For the stable distribution (buster), this problem has been fixed in
version 4.6-1+deb10u5.
Link to post
Share on other sites
  • Replies 1.9k
  • Created
  • Last Reply

Top Posters In This Topic

  • sunrat

    1598

  • V.T. Eric Layton

    171

  • securitybreach

    112

  • Bruno

    65

Top Posters In This Topic

Popular Posts

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3093-1 security@debian.org http://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3401-1 security@debian.org https://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4123-1 security@debian.org https://www.debian.org/security/

sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4874-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 24, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code, information disclosure or spoofing attacks.

For the stable distribution (buster), these problems have been fixed in
version 78.9.0esr-1~deb10u1.
Link to post
Share on other sites
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4875-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2021-3449

A NULL pointer dereference was found in the signature_algorithms
processing in OpenSSL, a Secure Sockets Layer toolkit, which could
result in denial of service.

Additional details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20210325.txt

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u6.
Link to post
Share on other sites
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4876-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:78.9.0-1~deb10u1.
Link to post
Share on other sites
sunrat
----------------------------------------------------------------------
Debian Security Advisory DSA-4877-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
March 27, 2021                        https://www.debian.org/security/faq
----------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-27918 CVE-2020-29623 CVE-2021-1765 CVE-2021-1789
                 CVE-2021-1799 CVE-2021-1801 CVE-2021-1870

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-27918

    Liu Long discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-29623

    Simon Hunt discovered that users may be unable to fully delete
    their browsing history under some circumstances.

CVE-2021-1765

    Eliya Stein discovered that maliciously crafted web content may
    violate iframe sandboxing policy.

CVE-2021-1789

    @S0rryMybad discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1799

    Gregory Vishnepolsky, Ben Seri and Samy Kamkar discovered that a
    malicious website may be able to access restricted ports on
    arbitrary servers.

CVE-2021-1801

    Eliya Stein discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1870

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.30.6-1~deb10u1.

 

----------------------------------------------------------------------
Debian Security Advisory DSA-4878-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2021                        https://www.debian.org/security/faq
----------------------------------------------------------------------

Package        : pygments
CVE ID         : CVE-2021-27291
Debian Bug     : 985574

Ben Caller discovered that Pygments, a syntax highlighting package
written in Python 3, used regular expressions which could result in
denial of service.

For the stable distribution (buster), this problem has been fixed in
version 2.3.1+dfsg-1+deb10u2.

 

----------------------------------------------------------------------
Debian Security Advisory DSA-4879-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 27, 2021                        https://www.debian.org/security/faq
----------------------------------------------------------------------

Package        : spamassassin
CVE ID         : CVE-2020-1946
Debian Bug     : 985962

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam
filter using text analysis. Malicious rule configuration files, possibly
downloaded from an updates server, could execute arbitrary commands
under multiple scenarios.

For the stable distribution (buster), this problem has been fixed in
version 3.4.2-1+deb10u3.
Link to post
Share on other sites
sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.9 released                        press@debian.org
March 27th, 2021               https://www.debian.org/News/2021/20210327
------------------------------------------------------------------------


The Debian project is pleased to announce the ninth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| avahi [1]                 | Remove avahi-daemon-check-dns          
 |
|                           | mechanism, which is no longer needed    |
|                           |                                         |
| base-files [2]            | Update /etc/debian_version for the 10.9 |
|                           | point release                           |
|                           |                                         |
| cloud-init [3]            | Avoid logging generated passwords to   
 |
|                           | world-readable log files [CVE-2021-     |
|                           | 3429]                                   |
|                           |                                         |
| debian-archive-           | Add bullseye keys; retire jessie keys   |
| keyring [4]               |                                        
 |
|                           |                                         |
| debian-installer [5]      | Use 4.19.0-16 Linux kernel ABI         
 |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates        |
| images [6]                |                                        
 |
|                           |                                         |
| exim4 [7]                 | Fix use of concurrent TLS connections  
 |
|                           | under GnuTLS; fix TLS certificate       |
|                           | verification with CNAMEs;               |
|                           | README.Debian: document the limitation/ |
|                           | extent of server certificate            |
|                           | verification in the default             |
|                           | configuration                           |
|                           |                                         |
| fetchmail [8]             | No longer report  "System error during 
 |
|                           | SSL_connect(): Success" ; remove        |
|                           | OpenSSL version check                   |
|                           |                                         |
| fwupd [9]                 | Add SBAT support                       
 |
|                           |                                         |
| fwupd-amd64-signed [10]   | Add SBAT support                       
 |
|                           |                                         |
| fwupd-arm64-signed [11]   | Add SBAT support                       
 |
|                           |                                         |
| fwupd-armhf-signed [12]   | Add SBAT support                       
 |
|                           |                                         |
| fwupd-i386-signed [13]    | Add SBAT support                       
 |
|                           |                                         |
| fwupdate [14]             | Add SBAT support                       
 |
|                           |                                         |
| fwupdate-amd64-           | Add SBAT support                        |
| signed [15]               |                                        
 |
|                           |                                         |
| fwupdate-arm64-           | Add SBAT support                        |
| signed [16]               |                                        
 |
|                           |                                         |
| fwupdate-armhf-           | Add SBAT support                        |
| signed [17]               |                                        
 |
|                           |                                         |
| fwupdate-i386-signed [18] | Add SBAT support                       
 |
|                           |                                         |
| gdnsd [19]                | Fix stack overflow with overly-large   
 |
|                           | IPv6 addresses [CVE-2019-13952]         |
|                           |                                         |
| groff [20]                | Rebuild against ghostscript 9.27       
 |
|                           |                                         |
| hwloc-contrib [21]        | Enable support for the ppc64el         
 |
|                           | architecture                            |
|                           |                                         |
| intel-microcode [22]      | Update various microcode               
 |
|                           |                                         |
| iputils [23]              | Fix ping rounding errors; fix tracepath |
|                           | target corruption                       |
|                           |                                         |
| jquery [24]               | Fix untrusted code execution           
 |
|                           | vulnerabilities [CVE-2020-11022         |
|                           | CVE-2020-11023]                         |
|                           |                                         |
| libbsd [25]               | Fix out-of-bounds read issue [CVE-2019- |
|                           | 20367]                                  |
|                           |                                         |
| libpano13 [26]            | Fix format string vulnerability        
 |
|                           |                                         |
| libreoffice [27]          | Do not load encodings.py from current  
 |
|                           | directoy                                |
|                           |                                         |
| linux [28]                | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-latest [29]         | Update to -15 kernel ABI; update for   
 |
|                           | -16 kernel ABI                          |
|                           |                                         |
| linux-signed-amd64 [30]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-signed-arm64 [31]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-signed-i386 [32]    | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| lirc [33]                 | Normalize embedded $                   
 |
|                           | {DEB_HOST_MULTIARCH} value in /etc/     |
|                           | lirc/lirc_options.conf to find          |
|                           | unmodified configuration files on all   |
|                           | architectures; recommend gir1.2-        |
|                           | vte-2.91 instead of non-existent        |
|                           | gir1.2-vte                              |
|                           |                                         |
| m2crypto [34]             | Fix test failure with recent OpenSSL   
 |
|                           | versions                                |
|                           |                                         |
| openafs [35]              | Fix outgoing connections after unix    
 |
|                           | epoch time 0x60000000 (14 January 2021) |
|                           |                                         |
| portaudio19 [36]          | Handle EPIPE from                      
 |
|                           | alsa_snd_pcm_poll_descriptors, fixing   |
|                           | crash                                   |
|                           |                                         |
| postgresql-11 [37]        | New upstream stable release; fix       
 |
|                           | information leakage in constraint-      |
|                           | violation error messages [CVE-2021-     |
|                           | 3393]; fix CREATE INDEX CONCURRENTLY to |
|                           | wait for concurrent prepared            |
|                           | transactions                            |
|                           |                                         |
| privoxy [38]              | Security issues [CVE-2020-35502        
 |
|                           | CVE-2021-20209 CVE-2021-20210 CVE-2021- |
|                           | 20211 CVE-2021-20212 CVE-2021-20213     |
|                           | CVE-2021-20214 CVE-2021-20215 CVE-2021- |
|                           | 20216 CVE-2021-20217 CVE-2021-20272     |
|                           | CVE-2021-20273 CVE-2021-20275 CVE-2021- |
|                           | 20276]                                  |
|                           |                                         |
| python3.7 [39]            | Fix CRLF injection in http.client      
 |
|                           | [CVE-2020-26116]; fix buffer overflow   |
|                           | in PyCArg_repr in _ctypes/callproc.c    |
|                           | [CVE-2021-3177]                         |
|                           |                                         |
| redis [40]                | Fix a series of integer overflow issues |
|                           | on 32-bit systems [CVE-2021-21309]      |
|                           |                                         |
| ruby-mechanize [41]       | Fix command injection issue [CVE-2021- 
 |
|                           | 21289]                                  |
|                           |                                         |
| systemd [42]              | core: make sure to restore the control 
 |
|                           | command id, too, fixing a segfault;     |
|                           | seccomp: allow turning off of seccomp   |
|                           | filtering via an environment variable   |
|                           |                                         |
| uim [43]                  | libuim-data: Perform symlink_to_dir    
 |
|                           | conversion of /usr/share/doc/libuim-    |
|                           | data in the resurrected package for     |
|                           | clean upgrades from stretch             |
|                           |                                         |
| xcftools [44]             | Fix integer overflow vulnerability     
 |
|                           | [CVE-2019-5086 CVE-2019-5087]           |
|                           |                                         |
| xterm [45]                | Correct upper-limit for selection      
 |
|                           | buffer, accounting for combining        |
|                           | characters [CVE-2021-27135]             |
|                           |                                         |
+---------------------------+-----------------------------------------+

 

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4826 [46]  | nodejs [47]                |
|                |                            |
| DSA-4844 [48]  | dnsmasq [49]               |
|                |                            |
| DSA-4845 [50]  | openldap [51]              |
|                |                            |
| DSA-4846 [52]  | chromium [53]              |
|                |                            |
| DSA-4847 [54]  | connman [55]               |
|                |                            |
| DSA-4849 [56]  | firejail [57]              |
|                |                            |
| DSA-4850 [58]  | libzstd [59]               |
|                |                            |
| DSA-4851 [60]  | subversion [61]            |
|                |                            |
| DSA-4853 [62]  | spip [63]                  |
|                |                            |
| DSA-4854 [64]  | webkit2gtk [65]            |
|                |                            |
| DSA-4855 [66]  | openssl [67]               |
|                |                            |
| DSA-4856 [68]  | php7.3 [69]                |
|                |                            |
| DSA-4857 [70]  | bind9 [71]                 |
|                |                            |
| DSA-4858 [72]  | chromium [73]              |
|                |                            |
| DSA-4859 [74]  | libzstd [75]               |
|                |                            |
| DSA-4860 [76]  | openldap [77]              |
|                |                            |
| DSA-4861 [78]  | screen [79]                |
|                |                            |
| DSA-4862 [80]  | firefox-esr [81]           |
|                |                            |
| DSA-4863 [82]  | nodejs [83]                |
|                |                            |
| DSA-4864 [84]  | python-aiohttp [85]        |
|                |                            |
| DSA-4865 [86]  | docker.io [87]             |
|                |                            |
| DSA-4867 [88]  | grub-efi-amd64-signed [89] |
|                |                            |
| DSA-4867 [90]  | grub-efi-arm64-signed [91] |
|                |                            |
| DSA-4867 [92]  | grub-efi-ia32-signed [93]  |
|                |                            |
| DSA-4867 [94]  | grub2 [95]                 |
|                |                            |
| DSA-4868 [96]  | flatpak [97]               |
|                |                            |
| DSA-4869 [98]  | tiff [99]                  |
|                |                            |
| DSA-4870 [100] | pygments [101]             |
|                |                            |
| DSA-4871 [102] | tor [103]                  |
|                |                            |
| DSA-4872 [104] | shibboleth-sp [105]        |
|                |                            |
+----------------+----------------------------+

 

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.
Link to post
Share on other sites
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4880-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lxml
CVE ID         : CVE-2021-28957
Debian Bug     : 985643

Kevin Chung discovered that lxml, a Python binding for the libxml2 and
libxslt libraries, did not properly sanitize its input. This would
allow a malicious user to mount a cross-site scripting attack.

For the stable distribution (buster), this problem has been fixed in
version 4.3.2-1+deb10u3.
Link to post
Share on other sites
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4881-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
March 30, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2020-8169 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 
                 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890
Debian Bug     : 965280 965281 968831 977161 977162 977163

Multiple vulnerabilities were discovered in cURL, an URL transfer library:

CVE-2020-8169

    Marek Szlagor reported that libcurl could be tricked into prepending
    a part of the password to the host name before it resolves it,
    potentially leaking the partial password over the network and to the
    DNS server(s).

CVE-2020-8177

    sn reported that curl could be tricked by a malicious server into
    overwriting a local file when using th -J (--remote-header-name) and
    -i (--include) options in the same command line.

CVE-2020-8231

    Marc Aldorasi reported that libcurl might use the wrong connection
    when an application using libcurl's multi API sets the option
    CURLOPT_CONNECT_ONLY, which could lead to information leaks.

CVE-2020-8284

    Varnavas Papaioannou reported that a malicious server could use the
    PASV response to trick curl into connecting back to an arbitrary IP
    address and port, potentially making curl extract information about
    services that are otherwise private and not disclosed.

CVE-2020-8285

    xnynx reported that libcurl could run out of stack space when using
    tha FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION).

CVE-2020-8286

    It was reported that libcurl didn't verify that an OCSP response
    actually matches the certificate it is intended to.

CVE-2021-22876

    Viktor Szakats reported that libcurl does not strip off user
    credentials from the URL when automatically populating the Referer
    HTTP request header field in outgoing HTTP requests.

CVE-2021-22890

    Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3,
    libcurl could confuse session tickets arriving from the HTTPS proxy
    as if they arrived from the remote server instead. This could allow
    an HTTPS proxy to trick libcurl into using the wrong session ticket
    for the host and thereby circumvent the server TLS certificate check.

For the stable distribution (buster), these problems have been fixed in
version 7.64.0-4+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4882-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjpeg2
CVE ID         : CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 
                 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 
                 CVE-2020-27843 CVE-2020-27845

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec, which could result in denial of service or
the execution of arbitrary code when opening a malformed image.
      
For the stable distribution (buster), these problems have been fixed in
version 2.3.0-2+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4883-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : underscore
CVE ID         : CVE-2021-23358
Debian Bug     : 986171

It was discovered that missing input sanitising in the template()
function of the Underscore JavaScript library could result in the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1.9.1~dfsg-1+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4884-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 02, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ldb
CVE ID         : CVE-2020-10730 CVE-2020-27840 CVE-2021-20277
Debian Bug     : 985935 985936

Multiple vulnerabilities have been discovered in ldb, a LDAP-like
embedded database built on top of TDB.

CVE-2020-10730

    Andrew Bartlett discovered a NULL pointer dereference and
    use-after-free flaw when handling 'ASQ' and 'VLV' LDAP controls and
    combinations with the LDAP paged_results feature.

CVE-2020-27840

    Douglas Bagnall discovered a heap corruption flaw via crafted
    DN strings.

CVE-2021-20277

    Douglas Bagnall discovered an out-of-bounds read vulnerability in
    handling LDAP attributes that contains multiple consecutive
    leading spaces.

For the stable distribution (buster), these problems have been fixed in
version 2:1.5.1+really1.4.6-3+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4885-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 05, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : netty
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612 
                 CVE-2021-21290 CVE-2021-21295 CVE-2021-21409

Multiple security issues were discovered in Netty, a Java NIO
client/server framework, which could result in HTTP request smuggling,
denial of service or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:4.1.33-1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4886-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
April 06, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162
                 CVE-2021-21163 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167
                 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171
                 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175
                 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 CVE-2021-21179
                 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183
                 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187
                 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2021-21191
                 CVE-2021-21192 CVE-2021-21193 CVE-2021-21194 CVE-2021-21195
                 CVE-2021-21196 CVE-2021-21197 CVE-2021-21198 CVE-2021-21199

Several vulnerabilites have been discovered in the chromium web browser.

CVE-2021-21159

    Khalil Zhani disocvered a buffer overflow issue in the tab implementation.

CVE-2021-21160

    Marcin Noga discovered a buffer overflow issue in WebAudio.

CVE-2021-21161

    Khalil Zhani disocvered a buffer overflow issue in the tab implementation.

CVE-2021-21162

    A use-after-free issue was discovered in the WebRTC implementation.

CVE-2021-21163

    Alison Huffman discovered a data validation issue.

CVE-2021-21165

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21166

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21167

    Leecraso and Guang Gong discovered a use-after-free issue in the bookmarks
    implementation.

CVE-2021-21168

    Luan Herrera discovered a policy enforcement error in the appcache.

CVE-2021-21169

    Bohan Liu and Moon Liang discovered an out-of-bounds access issue in the
    v8 javascript library.

CVE-2021-21170

    David Erceg discovered a user interface error.

CVE-2021-21171

    Irvan Kurniawan discovered a user interface error.

CVE-2021-21172

    Maciej Pulikowski discovered a policy enforcement error in the File
    System API.

CVE-2021-21173

    Tom Van Goethem discovered a network based information leak.

CVE-2021-21174

    Ashish Guatam Kambled discovered an implementation error in the Referrer
    policy.

CVE-2021-21175

    Jun Kokatsu discovered an implementation error in the Site Isolation
    feature.

CVE-2021-21176

    Luan Herrera discovered an implementation error in the full screen mode.

CVE-2021-21177

    Abdulrahman Alqabandi discovered a policy enforcement error in the
    Autofill feature.

CVE-2021-21178

    Japong discovered an error in the Compositor implementation.

CVE-2021-21179

    A use-after-free issue was discovered in the networking implementation.

CVE-2021-21180

    Abdulrahman Alqabandi discovered a use-after-free issue in the tab search
    feature.

CVE-2021-21181

    Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a side-channel
    information leak in the Autofill feature.

CVE-2021-21182

    Luan Herrera discovered a policy enforcement error in the site navigation
    implementation.

CVE-2021-21183

    Takashi Yoneuchi discovered an implementation error in the Performance API.

CVE-2021-21184

    James Hartig discovered an implementation error in the Performance API.

CVE-2021-21185

    David Erceg discovered a policy enforcement error in Extensions.

CVE-2021-21186

    dhirajkumarnifty discovered a policy enforcement error in the QR scan
    implementation.

CVE-2021-21187

    Kirtikumar Anandrao Ramchandani discovered a data validation error in
    URL formatting.

CVE-2021-21188

    Woojin Oh discovered a use-after-free issue in Blink/Webkit.

CVE-2021-21189

    Khalil Zhani discovered a policy enforcement error in the Payments
    implementation.

CVE-2021-21190

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21191

    raven discovered a use-after-free issue in the WebRTC implementation.

CVE-2021-21192

    Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21193

    A use-after-free issue was discovered in Blink/Webkit.

CVE-2021-21194

    Leecraso and Guang Gong discovered a use-after-free issue in the screen
    capture feature.

CVE-2021-21195

    Liu and Liang discovered a use-after-free issue in the v8 javascript
    library.

CVE-2021-21196

    Khalil Zhani discovered a buffer overflow issue in the tab implementation.

CVE-2021-21197

     Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
     implementation.

CVE-2021-21198

    Mark Brand discovered an out-of-bounds read issue in the Inter-Process
    Communication implementation.

CVE-2021-21199

    Weipeng Jiang discovered a use-after-free issue in the Aura window and
    event manager.

For the stable distribution (buster), these problems have been fixed in
version 89.0.4389.114-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4887-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 08, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lib3mf
CVE ID         : CVE-2021-21772
Debian Bug     : 985092

A use-after-free was discovered in Lib3MF, a C++ implementation of the
3D Manufacturing Format, which could result in the execution of
arbitrary code if a malformed file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.8.1+ds-3+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4888-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2021-26933 CVE-2021-27379

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, privilege escalation or memory
disclosure.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+99-g8bce4698f6-1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4889-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30159
                 CVE-2021-30154 CVE-2021-30155 CVE-2021-30157 CVE-2021-30158 

Multiple security issues were found in MediaWiki, a website engine for
collaborative work, which could result in incomplete page/blocking
protection, denial of service or cross-site scripting.

For the stable distribution (buster), these problems have been fixed in
version 1:1.31.14-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4890-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 12, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-kramdown
CVE ID         : CVE-2021-28834
Debian Bug     : 985569

Stan Hu discovered that kramdown, a pure Ruby Markdown parser and
converter, performed insufficient namespace validation of Rouge syntax
highlighting formatters.

For the stable distribution (buster), this problem has been fixed in
version 1.17.0-1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4891-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 13, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-25122 CVE-2021-25329

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine,
which could result in information disclosure or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u4.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4892-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 18, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : python-bleach
CVE ID         : CVE-2021-23980
Debian Bug     : 986251

It was reported that python-bleach, a whitelist-based HTML-sanitizing
library, is prone to a mutation XSS vulnerability in bleach.clean when
'svg' or 'math' are in the allowed tags, 'p' or 'br' are in allowed
tags, 'style', 'title', 'noscript', 'script', 'textarea', 'noframes',
'iframe', or 'xmp' are in allowed tags and 'strip_comments=False' is
set.

For the stable distribution (buster), this problem has been fixed in
version 3.1.2-0+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4893-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 19, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xorg-server
CVE ID         : CVE-2021-3472

Jan-Niklas Sohn discovered that missing input sanitising in the XInput
extension of the X.org X server may result in privilege escalation if
the X server is running privileged.

For the stable distribution (buster), this problem has been fixed in
version 2:1.20.4-1+deb10u3.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4894-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 20, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php-pear
CVE ID         : CVE-2020-36193
Debian Bug     : 980428

It was discovered that the PEAR Archive_Tar package for handling tar
files in PHP is prone to a directory traversal flaw due to inadequate
checking of symbolic links.

For the stable distribution (buster), this problem has been fixed in
version 1:1.10.6+submodules+notgz-1.1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4895-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 20, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 
                 CVE-2021-23999 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946

Multiple security issues have been found in the Mozilla Firefox web
browser, which could potentially result in the execution of arbitrary
code, information disclosure, privilege escalation or spoofing.

For the stable distribution (buster), these problems have been fixed in
version 78.10.0esr-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4896-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 22, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2021-29447 CVE-2021-29450
Debian Bug     : 987065

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. They allowed remote attackers to perform XML External Entity
(XXE) attacks, and access private content.

For the stable distribution (buster), these problems have been fixed in
version 5.0.12+dfsg1-0+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4897-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 22, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-23961 CVE-2021-23991 CVE-2021-23992 CVE-2021-23993 
                 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998 CVE-2021-23999 
                 CVE-2021-24002 CVE-2021-29945 CVE-2021-29946 CVE-2021-29948 
                 CVE-2021-29949

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.
In adddition a number of security issues were addressed in the OpenPGP
support.

For the stable distribution (buster), these problems have been fixed in
version 1:78.10.0-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4898-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 22, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpa
CVE ID         : CVE-2020-12695 CVE-2021-0326 CVE-2021-27803
Debian Bug     : 976106 981971

Several vulnerabilities have been discovered in wpa_supplicant and
hostapd.

CVE-2020-12695

    It was discovered that hostapd does not properly handle UPnP
    subscribe messages under certain conditions, allowing an attacker to
    cause a denial of service.

CVE-2021-0326

    It was discovered that wpa_supplicant does not properly process P2P
    (Wi-Fi Direct) group information from active group owners. An
    attacker within radio range of the device running P2P could take
    advantage of this flaw to cause a denial of service or potentially
    execute arbitrary code.

CVE-2021-27803

    It was discovered that wpa_supplicant does not properly process
    P2P (Wi-Fi Direct) provision discovery requests. An attacker
    within radio range of the device running P2P could take advantage
    of this flaw to cause a denial of service or potentially execute
    arbitrary code.

For the stable distribution (buster), these problems have been fixed in
version 2:2.7+git20190128+0c1e29f-6+deb10u3.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4899-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 23, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2021-2161

It was discovered that the OpenJDK Java platform incompletely enforced
configuration settings used in Jar signing verifications.

For the stable distribution (buster), this problem has been fixed in
version 11.0.11+9-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4900-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-good1.0
CVE ID         : CVE-2021-3497 CVE-2021-3498
Debian Bug     : 986910 986911

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), these problems have been fixed in
version 1.14.4-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4901-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-libav1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.
      
For the stable distribution (buster), this problem has been fixed in
version 1.15.0.1+git20180723+db823502-2+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4902-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-bad1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1+deb10u2.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4903-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-base1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-2+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4904-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 24, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gst-plugins-ugly1.0
CVE ID         : not yet available

Multiple vulnerabilities were discovered in plugins for the GStreamer
media framework, which may result in denial of service or potentially
the execution of arbitrary code if a malformed media file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.14.4-1+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4905-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 27, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : shibboleth-sp
CVE ID         : CVE-2021-31826
Debian Bug     : 987608

It was discovered that the Shibboleth Service Provider is prone to a
NULL pointer dereference flaw in the cookie-based session recovery
feature. A remote, unauthenticated attacker can take advantage of this
flaw to cause a denial of service (crash in the shibd daemon/service).

For additional information please refer to the upstream advisory at
https://shibboleth.net/community/advisories/secadv_20210426.txt

For the stable distribution (buster), this problem has been fixed in
version 3.0.4+dfsg1-1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4906-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
April 27, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21201 CVE-2021-21202 CVE-2021-21203 CVE-2021-21204
                 CVE-2021-21205 CVE-2021-21207 CVE-2021-21208 CVE-2021-21209
                 CVE-2021-21210 CVE-2021-21211 CVE-2021-21212 CVE-2021-21213
                 CVE-2021-21214 CVE-2021-21215 CVE-2021-21216 CVE-2021-21217
                 CVE-2021-21218 CVE-2021-21219 CVE-2021-21221 CVE-2021-21222
                 CVE-2021-21223 CVE-2021-21224 CVE-2021-21225 CVE-2021-21226

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21201

    Gengming Liu and Jianyu Chen discovered a use-after-free issue.

CVE-2021-21202

    David Erceg discovered a use-after-free issue in extensions.

CVE-2021-21203

    asnine discovered a use-after-free issue in Blink/Webkit.

CVE-2021-21204

    Tsai-Simek, Jeanette Ulloa, and Emily Voigtlander discovered a
    use-after-free issue in Blink/Webkit.

CVE-2021-21205

    Alison Huffman discovered a policy enforcement error.

CVE-2021-21207

    koocola and Nan Wang discovered a use-after-free in the indexed database.

CVE-2021-21208

    Ahmed Elsobky discovered a data validation error in the QR code scanner.

CVE-2021-21209

    Tom Van Goethem discovered an implementation error in the Storage API.

CVE-2021-21210

    @bananabr discovered an error in the networking implementation.

CVE-2021-21211

    Akash Labade discovered an error in the navigation implementation.

CVE-2021-21212

    Hugo Hue and Sze Yui Chau discovered an error in the network configuration
    user interface.

CVE-2021-21213

    raven discovered a use-after-free issue in the WebMIDI implementation.

CVE-2021-21214

    A use-after-free issue was discovered in the networking implementation.

CVE-2021-21215

    Abdulrahman Alqabandi discovered an error in the Autofill feature.

CVE-2021-21216

    Abdulrahman Alqabandi discovered an error in the Autofill feature.

CVE-2021-21217

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21218

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21219

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21221

    Guang Gong discovered insufficient validation of untrusted input.

CVE-2021-21222

    Guang Gong discovered a buffer overflow issue in the v8 javascript
    library.

CVE-2021-21223

    Guang Gong discovered an integer overflow issue.

CVE-2021-21224

    Jose Martinez discovered a type error in the v8 javascript library.

CVE-2021-21225

    Brendon Tiszka discovered an out-of-bounds memory access issue in the v8
    javascript library.

CVE-2021-21226

    Brendon Tiszka discovered a use-after-free issue in the networking
    implementation.

For the stable distribution (buster), these problems have been fixed in
version 90.0.4430.85-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4907-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
April 29, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : composer
CVE ID         : CVE-2021-29472

It was discovered that composer, a dependency manager for PHP, did not
properly sanitize Mercurial URLs, which could lead to arbitrary code
execution.

For the stable distribution (buster), this problem has been fixed in
version 1.8.4-1+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4908-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 29, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libhibernate3-java
CVE ID         : CVE-2020-25638

It was discovered that libhibernate3-java, a powerful, high performance
object/relational persistence and query service, is prone to an SQL
injection vulnerability allowing an attacker to access unauthorized
information or possibly conduct further attacks.

For the stable distribution (buster), this problem has been fixed in
version 3.6.10.Final-9+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4909-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 01, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2021-25214 CVE-2021-25215 CVE-2021-25216
Debian Bug     : 987741 987742 987743

Several vulnerabilities were discovered in BIND, a DNS server
implementation.

CVE-2021-25214

    Greg Kuechle discovered that a malformed incoming IXFR transfer
    could trigger an assertion failure in named, resulting in denial
    of service.

CVE-2021-25215

    Siva Kakarla discovered that named could crash when a DNAME record
    placed in the ANSWER section during DNAME chasing turned out to be
    the final answer to a client query.

CVE-2021-25216

    It was discovered that the SPNEGO implementation used by BIND is
    prone to a buffer overflow vulnerability. This update switches to
    use the SPNEGO implementation from the Kerberos libraries.

For the stable distribution (buster), these problems have been fixed in
version 1:9.11.5.P4+dfsg-5.1+deb10u5.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4910-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 02, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libimage-exiftool-perl
CVE ID         : CVE-2021-22204
Debian Bug     : 987505

A vulnerability was discovered in libimage-exiftool-perl, a library and
program to read and write meta information in multimedia files, which
may result in execution of arbitrary code if a malformed DjVu file is
processed.

For the stable distribution (buster), this problem has been fixed in
version 11.16-1+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4911-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
May 03, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230
                 CVE-2021-21231 CVE-2021-21232 CVE-2021-21233

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21227

    Gengming Liu discovered a data validation issue in the v8 javascript
    library.

CVE-2021-21228

    Rob Wu discovered a policy enforcement error.

CVE-2021-21229

    Mohit Raj discovered a user interface error in the file downloader.

CVE-2021-21230

    Manfred Paul discovered use of an incorrect type.

CVE-2021-21231

    Sergei Glazunov discovered a data validation issue in the v8 javascript
    library.

CVE-2021-21232

    Abdulrahman Alqabandi discovered a use-after-free issue in the developer
    tools.

CVE-2021-21233

    Omair discovered a buffer overflow issue in the ANGLE library.

For the stable distribution (buster), these problems have been fixed in
version 90.0.4430.93-1~deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4912-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 04, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exim4
CVE ID         : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010
                 CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014
                 CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021
                 CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025
                 CVE-2020-28026

The Qualys Research Labs reported several vulnerabilities in Exim, a
mail transport agent, which could result in local privilege escalation
and remote code execution.

Details can be found in the Qualys advisory at
https://www.qualys.com/2021/05/04/21nails/21nails.txt

For the stable distribution (buster), these problems have been fixed in
version 4.92-8+deb10u6.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4913-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 10, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : hivex
CVE ID         : CVE-2021-3504
Debian Bug     : 988024

Jemery Galindo discovered an out-of-bounds memory access in Hivex, a
library to parse Windows Registry hive files.

For the stable distribution (buster), this problem has been fixed in
version 1.3.18-1+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4914-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 12, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : graphviz
CVE ID         : CVE-2020-18032
Debian Bug     : 988000

A buffer overflow was discovered in Graphviz, which could potentially
result in the execution of arbitrary code when processing a malformed
file.

For the stable distribution (buster), this problem has been fixed in
version 2.40.1-6+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4915-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 13, 2021                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-11
CVE ID         : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029

Multiple security issues have been discovered in the PostgreSQL database
system, which could result in the execution of arbitrary code or
disclosure of memory content.

For the stable distribution (buster), these problems have been fixed in
version 11.12-0+deb10u1.
Link to post
Share on other sites

×
×
  • Create New...