sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4873-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 23, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : squid
CVE ID         : CVE-2020-25097
Debian Bug     : 985068

Jianjun Chen discovered that the Squid proxy caching server was
susceptible to HTTP request smuggling.

For the stable distribution (buster), this problem has been fixed in
version 4.6-1+deb10u5.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4874-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 24, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues have been found in the Mozilla Firefox
web browser, which could potentially result in the execution
of arbitrary code, information disclosure or spoofing attacks.

For the stable distribution (buster), these problems have been fixed in
version 78.9.0esr-1~deb10u1.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4875-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2021-3449

A NULL pointer dereference was found in the signature_algorithms
processing in OpenSSL, a Secure Sockets Layer toolkit, which could
result in denial of service.

Additional details can be found in the upstream advisory:
https://www.openssl.org/news/secadv/20210325.txt

For the stable distribution (buster), this problem has been fixed in
version 1.1.1d-0+deb10u6.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4876-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 25, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-23981 CVE-2021-23982 CVE-2021-23984 CVE-2021-23987

Multiple security issues were discovered in Thunderbird, which could
result in the execution of arbitrary code or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:78.9.0-1~deb10u1.
sunrat
----------------------------------------------------------------------
Debian Security Advisory DSA-4877-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
March 27, 2021                        https://www.debian.org/security/faq
----------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-27918 CVE-2020-29623 CVE-2021-1765 CVE-2021-1789
                 CVE-2021-1799 CVE-2021-1801 CVE-2021-1870

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2020-27918

    Liu Long discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2020-29623

    Simon Hunt discovered that users may be unable to fully delete
    their browsing history under some circumstances.

CVE-2021-1765

    Eliya Stein discovered that maliciously crafted web content may
    violate iframe sandboxing policy.

CVE-2021-1789

    @S0rryMybad discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1799

    Gregory Vishnepolsky, Ben Seri and Samy Kamkar discovered that a
    malicious website may be able to access restricted ports on
    arbitrary servers.

CVE-2021-1801

    Eliya Stein discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-1870

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in
version 2.30.6-1~deb10u1.

 

----------------------------------------------------------------------
Debian Security Advisory DSA-4878-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
March 27, 2021                        https://www.debian.org/security/faq
----------------------------------------------------------------------

Package        : pygments
CVE ID         : CVE-2021-27291
Debian Bug     : 985574

Ben Caller discovered that Pygments, a syntax highlighting package
written in Python 3, used regular expressions which could result in
denial of service.

For the stable distribution (buster), this problem has been fixed in
version 2.3.1+dfsg-1+deb10u2.

 

----------------------------------------------------------------------
Debian Security Advisory DSA-4879-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
March 27, 2021                        https://www.debian.org/security/faq
----------------------------------------------------------------------

Package        : spamassassin
CVE ID         : CVE-2020-1946
Debian Bug     : 985962

Damian Lukowski discovered a flaw in spamassassin, a Perl-based spam
filter using text analysis. Malicious rule configuration files, possibly
downloaded from an updates server, could execute arbitrary commands
under multiple scenarios.

For the stable distribution (buster), this problem has been fixed in
version 3.4.2-1+deb10u3.
sunrat
------------------------------------------------------------------------
The Debian Project                               https://www.debian.org/
Updated Debian 10: 10.9 released                        press@debian.org
March 27th, 2021               https://www.debian.org/News/2021/20210327
------------------------------------------------------------------------


The Debian project is pleased to announce the ninth update of its stable
distribution Debian 10 (codename "buster"). This point release mainly
adds corrections for security issues, along with a few adjustments for
serious problems. Security advisories have already been published
separately and are referenced where available.

Please note that the point release does not constitute a new version of
Debian 10 but only updates some of the packages included. There is no
need to throw away old "buster" media. After installation, packages can
be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have
to update many packages, and most such updates are included in the point
release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by
pointing the package management system at one of Debian's many HTTP
mirrors. A comprehensive list of mirrors is available at:

https://www.debian.org/mirror/list



Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following
packages:

+---------------------------+-----------------------------------------+
| Package                   | Reason                                  |
+---------------------------+-----------------------------------------+
| avahi [1]                 | Remove avahi-daemon-check-dns           |
|                           | mechanism, which is no longer needed    |
|                           |                                         |
| base-files [2]            | Update /etc/debian_version for the 10.9 |
|                           | point release                           |
|                           |                                         |
| cloud-init [3]            | Avoid logging generated passwords to    |
|                           | world-readable log files [CVE-2021-     |
|                           | 3429]                                   |
|                           |                                         |
| debian-archive-           | Add bullseye keys; retire jessie keys   |
| keyring [4]               |                                         |
|                           |                                         |
| debian-installer [5]      | Use 4.19.0-16 Linux kernel ABI          |
|                           |                                         |
| debian-installer-netboot- | Rebuild against proposed-updates        |
| images [6]                |                                         |
|                           |                                         |
| exim4 [7]                 | Fix use of concurrent TLS connections   |
|                           | under GnuTLS; fix TLS certificate       |
|                           | verification with CNAMEs;               |
|                           | README.Debian: document the limitation/ |
|                           | extent of server certificate            |
|                           | verification in the default             |
|                           | configuration                           |
|                           |                                         |
| fetchmail [8]             | No longer report  "System error during |
|                           | SSL_connect(): Success" ; remove        |
|                           | OpenSSL version check                   |
|                           |                                         |
| fwupd [9]                 | Add SBAT support                        |
|                           |                                         |
| fwupd-amd64-signed [10]   | Add SBAT support                        |
|                           |                                         |
| fwupd-arm64-signed [11]   | Add SBAT support                        |
|                           |                                         |
| fwupd-armhf-signed [12]   | Add SBAT support                        |
|                           |                                         |
| fwupd-i386-signed [13]    | Add SBAT support                        |
|                           |                                         |
| fwupdate [14]             | Add SBAT support                        |
|                           |                                         |
| fwupdate-amd64-           | Add SBAT support                        |
| signed [15]               |                                         |
|                           |                                         |
| fwupdate-arm64-           | Add SBAT support                        |
| signed [16]               |                                         |
|                           |                                         |
| fwupdate-armhf-           | Add SBAT support                        |
| signed [17]               |                                         |
|                           |                                         |
| fwupdate-i386-signed [18] | Add SBAT support                        |
|                           |                                         |
| gdnsd [19]                | Fix stack overflow with overly-large    |
|                           | IPv6 addresses [CVE-2019-13952]         |
|                           |                                         |
| groff [20]                | Rebuild against ghostscript 9.27        |
|                           |                                         |
| hwloc-contrib [21]        | Enable support for the ppc64el          |
|                           | architecture                            |
|                           |                                         |
| intel-microcode [22]      | Update various microcode                |
|                           |                                         |
| iputils [23]              | Fix ping rounding errors; fix tracepath |
|                           | target corruption                       |
|                           |                                         |
| jquery [24]               | Fix untrusted code execution            |
|                           | vulnerabilities [CVE-2020-11022         |
|                           | CVE-2020-11023]                         |
|                           |                                         |
| libbsd [25]               | Fix out-of-bounds read issue [CVE-2019- |
|                           | 20367]                                  |
|                           |                                         |
| libpano13 [26]            | Fix format string vulnerability         |
|                           |                                         |
| libreoffice [27]          | Do not load encodings.py from current   |
|                           | directory                               |
|                           |                                         |
| linux [28]                | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-latest [29]         | Update to -15 kernel ABI; update for    |
|                           | -16 kernel ABI                          |
|                           |                                         |
| linux-signed-amd64 [30]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-signed-arm64 [31]   | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| linux-signed-i386 [32]    | New upstream stable release; update ABI |
|                           | to -16; rotate secure boot signing      |
|                           | keys; rt: update to 4.19.173-rt72       |
|                           |                                         |
| lirc [33]                 | Normalize embedded $                    |
|                           | {DEB_HOST_MULTIARCH} value in /etc/     |
|                           | lirc/lirc_options.conf to find          |
|                           | unmodified configuration files on all   |
|                           | architectures; recommend gir1.2-        |
|                           | vte-2.91 instead of non-existent        |
|                           | gir1.2-vte                              |
|                           |                                         |
| m2crypto [34]             | Fix test failure with recent OpenSSL    |
|                           | versions                                |
|                           |                                         |
| openafs [35]              | Fix outgoing connections after unix     |
|                           | epoch time 0x60000000 (14 January 2021) |
|                           |                                         |
| portaudio19 [36]          | Handle EPIPE from                       |
|                           | alsa_snd_pcm_poll_descriptors, fixing   |
|                           | crash                                   |
|                           |                                         |
| postgresql-11 [37]        | New upstream stable release; fix        |
|                           | information leakage in constraint-      |
|                           | violation error messages [CVE-2021-     |
|                           | 3393]; fix CREATE INDEX CONCURRENTLY to |
|                           | wait for concurrent prepared            |
|                           | transactions                            |
|                           |                                         |
| privoxy [38]              | Security issues [CVE-2020-35502         |
|                           | CVE-2021-20209 CVE-2021-20210 CVE-2021- |
|                           | 20211 CVE-2021-20212 CVE-2021-20213     |
|                           | CVE-2021-20214 CVE-2021-20215 CVE-2021- |
|                           | 20216 CVE-2021-20217 CVE-2021-20272     |
|                           | CVE-2021-20273 CVE-2021-20275 CVE-2021- |
|                           | 20276]                                  |
|                           |                                         |
| python3.7 [39]            | Fix CRLF injection in http.client       |
|                           | [CVE-2020-26116]; fix buffer overflow   |
|                           | in PyCArg_repr in _ctypes/callproc.c    |
|                           | [CVE-2021-3177]                         |
|                           |                                         |
| redis [40]                | Fix a series of integer overflow issues |
|                           | on 32-bit systems [CVE-2021-21309]      |
|                           |                                         |
| ruby-mechanize [41]       | Fix command injection issue [CVE-2021-  |
|                           | 21289]                                  |
|                           |                                         |
| systemd [42]              | core: make sure to restore the control  |
|                           | command id, too, fixing a segfault;     |
|                           | seccomp: allow turning off of seccomp   |
|                           | filtering via an environment variable   |
|                           |                                         |
| uim [43]                  | libuim-data: Perform symlink_to_dir     |
|                           | conversion of /usr/share/doc/libuim-    |
|                           | data in the resurrected package for     |
|                           | clean upgrades from stretch             |
|                           |                                         |
| xcftools [44]             | Fix integer overflow vulnerability      |
|                           | [CVE-2019-5086 CVE-2019-5087]           |
|                           |                                         |
| xterm [45]                | Correct upper-limit for selection       |
|                           | buffer, accounting for combining        |
|                           | characters [CVE-2021-27135]             |
|                           |                                         |
+---------------------------+-----------------------------------------+

 

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these
updates:

+----------------+----------------------------+
| Advisory ID    | Package                    |
+----------------+----------------------------+
| DSA-4826 [46]  | nodejs [47]                |
|                |                            |
| DSA-4844 [48]  | dnsmasq [49]               |
|                |                            |
| DSA-4845 [50]  | openldap [51]              |
|                |                            |
| DSA-4846 [52]  | chromium [53]              |
|                |                            |
| DSA-4847 [54]  | connman [55]               |
|                |                            |
| DSA-4849 [56]  | firejail [57]              |
|                |                            |
| DSA-4850 [58]  | libzstd [59]               |
|                |                            |
| DSA-4851 [60]  | subversion [61]            |
|                |                            |
| DSA-4853 [62]  | spip [63]                  |
|                |                            |
| DSA-4854 [64]  | webkit2gtk [65]            |
|                |                            |
| DSA-4855 [66]  | openssl [67]               |
|                |                            |
| DSA-4856 [68]  | php7.3 [69]                |
|                |                            |
| DSA-4857 [70]  | bind9 [71]                 |
|                |                            |
| DSA-4858 [72]  | chromium [73]              |
|                |                            |
| DSA-4859 [74]  | libzstd [75]               |
|                |                            |
| DSA-4860 [76]  | openldap [77]              |
|                |                            |
| DSA-4861 [78]  | screen [79]                |
|                |                            |
| DSA-4862 [80]  | firefox-esr [81]           |
|                |                            |
| DSA-4863 [82]  | nodejs [83]                |
|                |                            |
| DSA-4864 [84]  | python-aiohttp [85]        |
|                |                            |
| DSA-4865 [86]  | docker.io [87]             |
|                |                            |
| DSA-4867 [88]  | grub-efi-amd64-signed [89] |
|                |                            |
| DSA-4867 [90]  | grub-efi-arm64-signed [91] |
|                |                            |
| DSA-4867 [92]  | grub-efi-ia32-signed [93]  |
|                |                            |
| DSA-4867 [94]  | grub2 [95]                 |
|                |                            |
| DSA-4868 [96]  | flatpak [97]               |
|                |                            |
| DSA-4869 [98]  | tiff [99]                  |
|                |                            |
| DSA-4870 [100] | pygments [101]             |
|                |                            |
| DSA-4871 [102] | tor [103]                  |
|                |                            |
| DSA-4872 [104] | shibboleth-sp [105]        |
|                |                            |
+----------------+----------------------------+

 

Debian Installer
----------------

The installer has been updated to include the fixes incorporated into
stable by the point release.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4880-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
March 29, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : lxml
CVE ID         : CVE-2021-28957
Debian Bug     : 985643

Kevin Chung discovered that lxml, a Python binding for the libxml2 and
libxslt libraries, did not properly sanitize its input. This would
allow a malicious user to mount a cross-site scripting attack.

For the stable distribution (buster), this problem has been fixed in
version 4.3.2-1+deb10u3.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4881-1                   security@debian.org
https://www.debian.org/security/                       Alessandro Ghedini
March 30, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : curl
CVE ID         : CVE-2020-8169 CVE-2020-8177 CVE-2020-8231 CVE-2020-8284 
                 CVE-2020-8285 CVE-2020-8286 CVE-2021-22876 CVE-2021-22890
Debian Bug     : 965280 965281 968831 977161 977162 977163

Multiple vulnerabilities were discovered in cURL, a URL transfer library:

CVE-2020-8169

    Marek Szlagor reported that libcurl could be tricked into prepending
    a part of the password to the host name before it resolves it,
    potentially leaking the partial password over the network and to the
    DNS server(s).

CVE-2020-8177

    sn reported that curl could be tricked by a malicious server into
    overwriting a local file when using the -J (--remote-header-name) and
    -i (--include) options in the same command line.

CVE-2020-8231

    Marc Aldorasi reported that libcurl might use the wrong connection
    when an application using libcurl's multi API sets the option
    CURLOPT_CONNECT_ONLY, which could lead to information leaks.

CVE-2020-8284

    Varnavas Papaioannou reported that a malicious server could use the
    PASV response to trick curl into connecting back to an arbitrary IP
    address and port, potentially making curl extract information about
    services that are otherwise private and not disclosed.

CVE-2020-8285

    xnynx reported that libcurl could run out of stack space when using
    the FTP wildcard matching functionality (CURLOPT_CHUNK_BGN_FUNCTION).

CVE-2020-8286

    It was reported that libcurl didn't verify that an OCSP response
    actually matches the certificate it is intended to.

CVE-2021-22876

    Viktor Szakats reported that libcurl does not strip off user
    credentials from the URL when automatically populating the Referer
    HTTP request header field in outgoing HTTP requests.

CVE-2021-22890

    Mingtao Yang reported that, when using an HTTPS proxy and TLS 1.3,
    libcurl could confuse session tickets arriving from the HTTPS proxy
    as if they arrived from the remote server instead. This could allow
    an HTTPS proxy to trick libcurl into using the wrong session ticket
    for the host and thereby circumvent the server TLS certificate check.

For the stable distribution (buster), these problems have been fixed in
version 7.64.0-4+deb10u2.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4882-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjpeg2
CVE ID         : CVE-2020-6851 CVE-2020-8112 CVE-2020-15389 CVE-2020-27814 
                 CVE-2020-27823 CVE-2020-27824 CVE-2020-27841 CVE-2020-27842 
                 CVE-2020-27843 CVE-2020-27845

Multiple vulnerabilities have been discovered in openjpeg2, the
open-source JPEG 2000 codec, which could result in denial of service or
the execution of arbitrary code when opening a malformed image.
      
For the stable distribution (buster), these problems have been fixed in
version 2.3.0-2+deb10u2.

 

-------------------------------------------------------------------------
Debian Security Advisory DSA-4883-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 01, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : underscore
CVE ID         : CVE-2021-23358
Debian Bug     : 986171

It was discovered that missing input sanitising in the template()
function of the Underscore JavaScript library could result in the
execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in
version 1.9.1~dfsg-1+deb10u1.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4884-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
April 02, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ldb
CVE ID         : CVE-2020-10730 CVE-2020-27840 CVE-2021-20277
Debian Bug     : 985935 985936

Multiple vulnerabilities have been discovered in ldb, an LDAP-like
embedded database built on top of TDB.

CVE-2020-10730

    Andrew Bartlett discovered a NULL pointer dereference and
    use-after-free flaw when handling 'ASQ' and 'VLV' LDAP controls and
    combinations with the LDAP paged_results feature.

CVE-2020-27840

    Douglas Bagnall discovered a heap corruption flaw via crafted
    DN strings.

CVE-2021-20277

    Douglas Bagnall discovered an out-of-bounds read vulnerability in
    handling LDAP attributes that contain multiple consecutive
    leading spaces.

For the stable distribution (buster), these problems have been fixed in
version 2:1.5.1+really1.4.6-3+deb10u1.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4885-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 05, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : netty
CVE ID         : CVE-2019-20444 CVE-2019-20445 CVE-2020-7238 CVE-2020-11612 
                 CVE-2021-21290 CVE-2021-21295 CVE-2021-21409

Multiple security issues were discovered in Netty, a Java NIO
client/server framework, which could result in HTTP request smuggling,
denial of service or information disclosure.

For the stable distribution (buster), these problems have been fixed in
version 1:4.1.33-1+deb10u2.
sunrat
-------------------------------------------------------------------------
Debian Security Advisory DSA-4886-1                   security@debian.org
https://www.debian.org/security/                          Michael Gilbert
April 06, 2021                        https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : chromium
CVE ID         : CVE-2021-21159 CVE-2021-21160 CVE-2021-21161 CVE-2021-21162
                 CVE-2021-21163 CVE-2021-21165 CVE-2021-21166 CVE-2021-21167
                 CVE-2021-21168 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171
                 CVE-2021-21172 CVE-2021-21173 CVE-2021-21174 CVE-2021-21175
                 CVE-2021-21176 CVE-2021-21177 CVE-2021-21178 CVE-2021-21179
                 CVE-2021-21180 CVE-2021-21181 CVE-2021-21182 CVE-2021-21183
                 CVE-2021-21184 CVE-2021-21185 CVE-2021-21186 CVE-2021-21187
                 CVE-2021-21188 CVE-2021-21189 CVE-2021-21190 CVE-2021-21191
                 CVE-2021-21192 CVE-2021-21193 CVE-2021-21194 CVE-2021-21195
                 CVE-2021-21196 CVE-2021-21197 CVE-2021-21198 CVE-2021-21199

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21159

    Khalil Zhani discovered a buffer overflow issue in the tab implementation.

CVE-2021-21160

    Marcin Noga discovered a buffer overflow issue in WebAudio.

CVE-2021-21161

    Khalil Zhani discovered a buffer overflow issue in the tab implementation.

CVE-2021-21162

    A use-after-free issue was discovered in the WebRTC implementation.

CVE-2021-21163

    Alison Huffman discovered a data validation issue.

CVE-2021-21165

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21166

    Alison Huffman discovered an error in the audio implementation.

CVE-2021-21167

    Leecraso and Guang Gong discovered a use-after-free issue in the bookmarks
    implementation.

CVE-2021-21168

    Luan Herrera discovered a policy enforcement error in the appcache.

CVE-2021-21169

    Bohan Liu and Moon Liang discovered an out-of-bounds access issue in the
    v8 javascript library.

CVE-2021-21170

    David Erceg discovered a user interface error.

CVE-2021-21171

    Irvan Kurniawan discovered a user interface error.

CVE-2021-21172

    Maciej Pulikowski discovered a policy enforcement error in the File
    System API.

CVE-2021-21173

    Tom Van Goethem discovered a network based information leak.

CVE-2021-21174

    Ashish Guatam Kambled discovered an implementation error in the Referrer
    policy.

CVE-2021-21175

    Jun Kokatsu discovered an implementation error in the Site Isolation
    feature.

CVE-2021-21176

    Luan Herrera discovered an implementation error in the full screen mode.

CVE-2021-21177

    Abdulrahman Alqabandi discovered a policy enforcement error in the
    Autofill feature.

CVE-2021-21178

    Japong discovered an error in the Compositor implementation.

CVE-2021-21179

    A use-after-free issue was discovered in the networking implementation.

CVE-2021-21180

    Abdulrahman Alqabandi discovered a use-after-free issue in the tab search
    feature.

CVE-2021-21181

    Xu Lin, Panagiotis Ilias, and Jason Polakis discovered a side-channel
    information leak in the Autofill feature.

CVE-2021-21182

    Luan Herrera discovered a policy enforcement error in the site navigation
    implementation.

CVE-2021-21183

    Takashi Yoneuchi discovered an implementation error in the Performance API.

CVE-2021-21184

    James Hartig discovered an implementation error in the Performance API.

CVE-2021-21185

    David Erceg discovered a policy enforcement error in Extensions.

CVE-2021-21186

    dhirajkumarnifty discovered a policy enforcement error in the QR scan
    implementation.

CVE-2021-21187

    Kirtikumar Anandrao Ramchandani discovered a data validation error in
    URL formatting.

CVE-2021-21188

    Woojin Oh discovered a use-after-free issue in Blink/Webkit.

CVE-2021-21189

    Khalil Zhani discovered a policy enforcement error in the Payments
    implementation.

CVE-2021-21190

    Zhou Aiting discovered use of uninitialized memory in the pdfium library.

CVE-2021-21191

    raven discovered a use-after-free issue in the WebRTC implementation.

CVE-2021-21192

    Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21193

    A use-after-free issue was discovered in Blink/Webkit.

CVE-2021-21194

    Leecraso and Guang Gong discovered a use-after-free issue in the screen
    capture feature.

CVE-2021-21195

    Liu and Liang discovered a use-after-free issue in the v8 javascript
    library.

CVE-2021-21196

    Khalil Zhani discovered a buffer overflow issue in the tab implementation.

CVE-2021-21197

    Abdulrahman Alqabandi discovered a buffer overflow issue in the tab
    implementation.

CVE-2021-21198

    Mark Brand discovered an out-of-bounds read issue in the Inter-Process
    Communication implementation.

CVE-2021-21199

    Weipeng Jiang discovered a use-after-free issue in the Aura window and
    event manager.

For the stable distribution (buster), these problems have been fixed in
version 89.0.4389.114-1~deb10u1.
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4887-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 08, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lib3mf
CVE ID         : CVE-2021-21772
Debian Bug     : 985092

A use-after-free was discovered in Lib3MF, a C++ implementation of the
3D Manufacturing Format, which could result in the execution of
arbitrary code if a malformed file is opened.

For the stable distribution (buster), this problem has been fixed in
version 1.8.1+ds-3+deb10u1.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4888-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2021-26933 CVE-2021-27379

Multiple vulnerabilities have been discovered in the Xen hypervisor,
which could result in denial of service, privilege escalation or memory
disclosure.

For the stable distribution (buster), these problems have been fixed in
version 4.11.4+99-g8bce4698f6-1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4889-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 10, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-20270 CVE-2021-27291 CVE-2021-30152 CVE-2021-30159
                 CVE-2021-30154 CVE-2021-30155 CVE-2021-30157 CVE-2021-30158 

Multiple security issues were found in MediaWiki, a website engine for
collaborative work, which could result in incomplete page/blocking
protection, denial of service or cross-site scripting.

For the stable distribution (buster), these problems have been fixed in
version 1:1.31.14-1~deb10u1.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4890-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 12, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-kramdown
CVE ID         : CVE-2021-28834
Debian Bug     : 985569

Stan Hu discovered that kramdown, a pure Ruby Markdown parser and
converter, performed insufficient namespace validation of Rouge syntax
highlighting formatters.

For the stable distribution (buster), this problem has been fixed in
version 1.17.0-1+deb10u2.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4891-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
April 13, 2021                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-25122 CVE-2021-25329

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine,
which could result in information disclosure or denial of service.

For the stable distribution (buster), these problems have been fixed in
version 9.0.31-1~deb10u4.