sunrat Posted August 2, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4948-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 01, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : aspell
CVE ID         : CVE-2019-17544 CVE-2019-25051
Debian Bug     : 991307

A buffer overflow was discovered in the Aspell spell checker, which could result in the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 0.60.7~20110707-6+deb10u1.
sunrat Posted August 5, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4949-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 04, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : jetty9
CVE ID         : CVE-2019-10241 CVE-2019-10247 CVE-2020-27216 CVE-2020-27223 CVE-2020-28165 CVE-2020-28169 CVE-2021-34428

Multiple vulnerabilities were discovered in Jetty, a Java servlet engine and webserver which could result in cross-site scripting, information disclosure, privilege escalation or denial of service.

For the stable distribution (buster), these problems have been fixed in version 9.4.16-0+deb10u1.
sunrat Posted August 8, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4950-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 07, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ansible
CVE ID         : CVE-2019-10156 CVE-2019-10206 CVE-2019-14846 CVE-2019-14864 CVE-2019-14904 CVE-2020-1733 CVE-2020-1735 CVE-2020-1739 CVE-2020-1740 CVE-2020-1746 CVE-2020-1753 CVE-2020-10684 CVE-2020-10685 CVE-2020-10729 CVE-2020-14330 CVE-2020-14332 CVE-2020-14365 CVE-2021-20228

Several vulnerabilities have been found in Ansible, a configuration management, deployment and task execution system, which could result in information disclosure or argument injection. In addition a race condition in become_user was fixed.

For the stable distribution (buster), these problems have been fixed in version 2.7.7+dfsg-1+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4951-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 07, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bluez
CVE ID         : CVE-2020-26558 CVE-2020-27153 CVE-2021-0129
Debian Bug     : 989614

Several vulnerabilities were discovered in Bluez, the Linux Bluetooth protocol stack.

CVE-2020-26558 / CVE-2021-0129

    It was discovered that Bluez does not properly check permissions during pairing operation, which could allow an attacker to impersonate the initiating device.

CVE-2020-27153

    Jay LV discovered a double free flaw in the disconnect_cb() routine in the gattool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 5.50-1.2~deb10u2.
sunrat Posted August 10, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4952-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 09, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-30640 CVE-2021-33037
Debian Bug     : 991046

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, bypass of logout restrictions or authentications using variations of a valid user name.

For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u5.
sunrat Posted August 11, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4953-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 10, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : lynx
CVE ID         : CVE-2021-38165
Debian Bug     : 991971

Thorsten Glaser and Axel Beckert reported that lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credential in cleartext in SNI data.

For the stable distribution (buster), this problem has been fixed in version 2.8.9rel.1-3+deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4954-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 10, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : c-ares
CVE ID         : CVE-2021-3672
Debian Bug     : 992053

Philipp Jeitner and Haya Shulman discovered a flaw in c-ares, a library that performs DNS requests and name resolution asynchronously. Missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking).

For the stable distribution (buster), this problem has been fixed in version 1.14.0-1+deb10u1.
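The c-ares advisory above describes missing validation of hostnames that arrive in DNS answers. The following is an added illustration, not c-ares's own code or fix: a strict letters-digits-hyphen check applied to each owner name and hostname-valued rdata before a resolver hands the result to an application. The sample answers are constructed for the example.

```python
import re

# Constructed sample answers, shaped like (owner, type, rdata); not real DNS data.
SAMPLE_ANSWERS = [
    ("www.example.org", "CNAME", "web01.example.org"),
    ("web01.example.org", "A", "192.0.2.10"),
    # A name with whitespace smuggled into the rdata: a resolver that trusts it
    # verbatim passes an unexpected "hostname" on to the calling application.
    ("evil.example.org", "CNAME", "web02.example.net attacker.example.net"),
    ("bad-label.example.org", "CNAME", "-leading.example.net"),
    ("toolong.example.org", "CNAME", "a" * 64 + ".example.net"),
]

# One DNS label: 1-63 octets, alphanumerics and hyphens, no leading/trailing hyphen.
# Assumption for this example: plain LDH rules (underscore-prefixed SRV owners are
# deliberately not accepted here).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Record types whose rdata is itself a hostname and therefore must be validated too.
HOSTNAME_RDATA_TYPES = {"CNAME", "PTR", "NS", "MX", "SRV"}


def is_valid_hostname(name: str) -> bool:
    """RFC 1123 style check: every label matches LABEL_RE and the whole name is <= 253 octets."""
    if name.endswith("."):          # accept a fully qualified trailing dot
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def filter_answers(answers):
    """Split answers into (accepted, rejected) based on hostname validation."""
    accepted, rejected = [], []
    for owner, rtype, rdata in answers:
        ok = is_valid_hostname(owner)
        if rtype in HOSTNAME_RDATA_TYPES:
            ok = ok and is_valid_hostname(rdata)
        (accepted if ok else rejected).append((owner, rtype, rdata))
    return accepted, rejected


if __name__ == "__main__":
    good, bad = filter_answers(SAMPLE_ANSWERS)
    for rec in bad:
        print("rejected:", rec)
    for rec in good:
        print("accepted:", rec)
```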
sunrat Posted August 12, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4955-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 11, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libspf2
CVE ID         : CVE-2021-20314

Philipp Jeitner and Haya Shulman discovered a stack-based buffer overflow in libspf2, a library for validating mail senders with SPF, which could result in denial of service, or potentially execution of arbitrary code when processing a specially crafted SPF record.

For the stable distribution (buster), this problem has been fixed in version 1.2.10-7.1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4956-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 11, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 78.13.0esr-1~deb10u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4946-2                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 11, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11-jre-dcevm
Debian Bug     : 991006

The Dynamic Code Evolution Virtual Machine (DCE VM), an alternative VM for OpenJDK 11 with enhanced class redefinition, has been updated for compatibility with OpenJDK 11.0.12.

For the stable distribution (buster), this problem has been fixed in version 11.0.12+7-1~deb10u1.
sunrat Posted August 14, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4957-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 13, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : trafficserver
CVE ID         : CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474 CVE-2021-32565

Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling or cache poisoning.

For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u5.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4958-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 13, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : exiv2
CVE ID         : CVE-2019-20421 CVE-2021-3482 CVE-2021-29457 CVE-2021-29473 CVE-2021-31292

Several vulnerabilities have been discovered in Exiv2, a C++ library and a command line utility to manage image metadata which could result in denial of service or the execution of arbitrary code if a malformed file is parsed.

For the stable distribution (buster), these problems have been fixed in version 0.25-4+deb10u2.
sunrat Posted August 14, 2021

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Debian 11 "bullseye" released                           press@debian.org
August 14th, 2021             https://www.debian.org/News/2021/20210814
------------------------------------------------------------------------

After 2 years, 1 month, and 9 days of development, the Debian project is proud to present its new stable version 11 (code name "bullseye"), which will be supported for the next 5 years thanks to the combined work of the Debian Security team [1] and the Debian Long Term Support [2] team.

  1: https://security-team.debian.org/
  2: https://wiki.debian.org/LTS

Debian 11 "bullseye" ships with several desktop applications and environments. Amongst others it now includes the desktop environments:

  * Gnome 3.38,
  * KDE Plasma 5.20,
  * LXDE 11,
  * LXQt 0.16,
  * MATE 1.24,
  * Xfce 4.16.

This release contains over 11,294 new packages for a total count of 59,551 packages, along with a significant reduction of over 9,519 packages which were marked as "obsolete" and removed. 42,821 packages were updated and 5,434 packages remained unchanged.

"bullseye" becomes our first release to provide a Linux kernel with support for the exFAT filesystem and defaults to using it for mount exFAT filesystems. Consequently it is no longer required to use the filesystem-in-userspace implementation provided via the exfat-fuse package. Tools for creating and checking an exFAT filesystem are provided in the exfatprogs package.

Most modern printers are able to use driverless printing and scanning without the need for vendor specific (often non-free) drivers. "bullseye" brings forward a new package, ipp-usb, which uses the vendor neutral IPP-over-USB protocol supported by many modern printers. This allows a USB device to be treated as a network device. The official SANE driverless backend is provided by sane-escl in libsane1, which uses the eSCL protocol.

Systemd in "bullseye" activates its persistent journal functionality, by default, with an implicit fallback to volatile storage. This allows users that are not relying on special features to uninstall traditional logging daemons and switch over to using only the systemd journal.

The Debian Med team has been taking part in the fight against COVID-19 by packaging software for researching the virus on the sequence level and for fighting the pandemic with the tools used in epidemiology; this work will continue with focus on machine learning tools for both fields. The team's work with Quality Assurance and Continuous integration is critical to the consistent reproducible results required in the sciences. Debian Med Blend has a range of performance critical applications which now benefit from SIMD Everywhere. To install packages maintained by the Debian Med team, install the metapackages named med-*, which are at version 3.6.x.

Chinese, Japanese, Korean, and many other languages now have a new Fcitx 5 input method, which is the successor of the popular Fcitx4 in "buster"; this new version has much better Wayland (default display manager) addon support.

Debian 11 "bullseye" includes numerous updated software packages (over 72% of all packages in the previous release), such as:

  * Apache 2.4.48
  * BIND DNS Server 9.16
  * Calligra 3.2
  * Cryptsetup 2.3
  * Emacs 27.1
  * GIMP 2.10.22
  * GNU Compiler Collection 10.2
  * GnuPG 2.2.20
  * Inkscape 1.0.2
  * LibreOffice 7.0
  * Linux kernel 5.10 series
  * MariaDB 10.5
  * OpenSSH 8.4p1
  * Perl 5.32
  * PHP 7.4
  * PostgreSQL 13
  * Python 3, 3.9.1
  * Rustc 1.48
  * Samba 4.13
  * Vim 8.2
  * more than 59,000 other ready-to-use software packages, built from more than 30,000 source packages.

With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being "The Universal Operating System". It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, and storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian's archive ensure that "bullseye" fulfills the high expectations that users have of a stable Debian release.

A total of nine architectures are supported: 64-bit PC / Intel EM64T / x86-64 (amd64), 32-bit PC / Intel IA-32 (i386), 64-bit little-endian Motorola/IBM PowerPC (ppc64el), 64-bit IBM S/390 (s390x), for ARM, armel and armhf for older and more recent 32-bit hardware, plus arm64 for the 64-bit "AArch64" architecture, and for MIPS, mipsel (little-endian) architectures for 32-bit hardware and mips64el architecture for 64-bit little-endian hardware.

If you simply want to try Debian 11 "bullseye" without installing it, you can use one of the available live images [3] which load and run the complete operating system in a read-only state via your computer's memory.

  3: https://www.debian.org/CD/live/

These live images are provided for the amd64 and i386 architectures and are available for DVDs, USB sticks, and netboot setups. The user can choose among different desktop environments to try: GNOME, KDE Plasma, LXDE, LXQt, MATE, and Xfce. Debian Live "bullseye" has a standard live image, so it is also possible to try a base Debian system without any of the graphical user interfaces.

Should you enjoy the operating system you have the option of installing from the live image onto your computer's hard disk. The live image includes the Calamares independent installer as well as the standard Debian Installer. More information is available in the release notes [4] and the live install images [5] sections of the Debian website.

  4: https://www.debian.org/releases/bullseye/releasenotes
  5: https://www.debian.org/CD/live/

To install Debian 11 "bullseye" directly onto your computer's hard disk you can choose from a variety of installation media such as Blu-ray Disc, DVD, CD, USB stick, or via a network connection. Several desktop environments — Cinnamon, GNOME, KDE Plasma Desktop and Applications, LXDE, LXQt, MATE and Xfce — may be installed through those images. In addition, "multi-architecture" CDs are available which support installation from a choice of architectures from a single disc. Or you can always create bootable USB installation media (see the Installation Guide [6] for more details).

  6: https://www.debian.org/releases/bullseye/installmanual

There has been a lot of development on the Debian Installer, resulting in improved hardware support and other new features.

In some cases, a successful installation can still have display issues when rebooting into the installed system; for those cases there are a few workarounds [7] that might help log in anyway. There is also an isenkram-based procedure [7] which lets users detect and fix missing firmware on their systems, in an automated fashion. Of course, one has to weigh the pros and cons of using that tool since it's very likely that it will need to install non-free packages.

  7: https://www.debian.org/releases/bullseye/amd64/ch06s04#completing-installed-system

In addition to this, the non-free installer images that include firmware packages [8] have been improved so that they can anticipate the need for firmware in the installed system (e.g. firmware for AMD or Nvidia graphics cards, or newer generations of Intel audio hardware).

  8: https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/

For cloud users, Debian offers direct support for many of the best-known cloud platforms. Official Debian images are easily selected through each image marketplace. Debian also publishes pre-built OpenStack images [9] for the amd64 and arm64 architectures, ready to download and use in local cloud setups.

  9: https://cloud.debian.org/images/openstack/current/

Debian can now be installed in 76 languages, with most of them available in both text-based and graphical user interfaces.

The installation images may be downloaded right now via bittorrent [10] (the recommended method), jigdo [11], or HTTP [12]; see Debian on CDs [13] for further information. "bullseye" will soon be available on physical DVD, CD-ROM, and Blu-ray Discs from numerous vendors [14] too.

  10: https://www.debian.org/CD/torrent-cd/
  11: https://www.debian.org/CD/jigdo-cd/#which
  12: https://www.debian.org/CD/http-ftp/
  13: https://www.debian.org/CD/
  14: https://www.debian.org/CD/vendors

Upgrades to Debian 11 from the previous release, Debian 10 (code name "buster") are automatically handled by the APT package management tool for most configurations.

For bullseye, the security suite is now named bullseye-security and users should adapt their APT source-list files accordingly when upgrading. If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments too. See the Changed security archive layout [15] section of the release notes for more details.

  15: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information#security-archive

If you are upgrading remotely, be aware of the section No new SSH connections possible during upgrade [16].

  16: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information#ssh-not-available

As always, Debian systems may be upgraded painlessly, in place, without any forced downtime, but it is strongly recommended to read the release notes [17] as well as the installation guide [18] for possible issues, and for detailed instructions on installing and upgrading. The release notes will be further improved and translated to additional languages in the weeks after the release.

  17: https://www.debian.org/releases/bullseye/releasenotes
  18: https://www.debian.org/releases/bullseye/installmanual

About Debian
------------

Debian is a free operating system, developed by thousands of volunteers from all over the world who collaborate via the Internet. The Debian project's key strengths are its volunteer base, its dedication to the Debian Social Contract and Free Software, and its commitment to provide the best operating system possible. This new release is another important step in that direction.

Contact Information
-------------------

For further information, please visit the Debian web pages at https://www.debian.org/ or send mail to <press@debian.org>.
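The announcement above notes that the security suite is renamed bullseye-security and that APT::Default-Release settings may need adjusting. The script below is an added example, not Debian's own tooling: it rewrites the suite field of one-line-style sources.list entries (including the old buster/updates security line) and flags a Default-Release value that still points at buster. The sample sources.list is constructed.

```python
import re

# Constructed buster-era sources.list; not copied from any real host.
BUSTER_SOURCES = """\
deb http://deb.debian.org/debian buster main contrib
deb-src http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb [arch=amd64] http://deb.debian.org/debian buster-updates main
deb http://deb.debian.org/debian buster-backports main
# deb http://deb.debian.org/debian sid main
"""

# The security suite changes shape (buster/updates -> bullseye-security);
# the other suites only swap the codename.
SUITE_MAP = {
    "buster/updates": "bullseye-security",
    "buster": "bullseye",
    "buster-updates": "bullseye-updates",
    "buster-proposed-updates": "bullseye-proposed-updates",
    "buster-backports": "bullseye-backports",
}


def migrate_line(line: str) -> str:
    """Rewrite one entry of the form: deb|deb-src [options] uri suite component...

    Comments, blank lines and unrecognised lines are returned unchanged.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line
    fields = stripped.split()
    if fields[0] not in ("deb", "deb-src"):
        return line
    idx = 1
    if idx < len(fields) and fields[idx].startswith("["):
        # Skip an options block such as [arch=amd64] or [arch=amd64 trusted=yes].
        while idx < len(fields) and not fields[idx].endswith("]"):
            idx += 1
        idx += 1
    suite_idx = idx + 1            # the field after the URI
    if suite_idx >= len(fields):
        return line
    if fields[suite_idx] in SUITE_MAP:
        fields[suite_idx] = SUITE_MAP[fields[suite_idx]]
    return " ".join(fields)


def migrate_sources(text: str) -> str:
    return "\n".join(migrate_line(line) for line in text.splitlines()) + "\n"


def default_release_needs_update(apt_conf: str) -> bool:
    """True when APT::Default-Release still names buster or its old security suite."""
    match = re.search(r'APT::Default-Release\s+"([^"]+)"', apt_conf)
    return bool(match) and match.group(1) in SUITE_MAP


if __name__ == "__main__":
    print(migrate_sources(BUSTER_SOURCES))
    # Constructed apt.conf fragment for illustration.
    print("Default-Release needs editing:",
          default_release_needs_update('APT::Default-Release "buster";'))
```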
sunrat Posted August 16, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4959-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 15, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in version 1:78.13.0-1~deb11u1.
sunrat Posted August 18, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4960-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 17, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : not yet assigned

Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling. By carefully crafting HTTP/2 requests, it is possible to smuggle another HTTP request to the backend selected by the HTTP/2 request. With certain configurations, it allows an attacker to send an HTTP request to a backend, circumventing the backend selection logic.

Known workarounds are to disable HTTP/2 and set "tune.h2.max-concurrent-streams" to 0 in the "global" section.

    global
        tune.h2.max-concurrent-streams 0

For the stable distribution (bullseye), these problems have been fixed in version 2.2.9-2+deb11u1.
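The advisory above gives an interim workaround (tune.h2.max-concurrent-streams 0 in the global section) for deployments that cannot update immediately. The checker below is an added example, not part of the advisory or of HAProxy: it parses a haproxy.cfg-style text, lists bind lines that negotiate HTTP/2 (via alpn or proto h2), and reports whether the workaround is present. The two configuration fragments are constructed; the real fix remains the updated package.

```python
import re

# Constructed haproxy.cfg fragments, not taken from any real deployment.
CFG_NO_WORKAROUND = """\
global
    log /dev/log local0

frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend be_app
"""

CFG_WITH_WORKAROUND = """\
global
    log /dev/log local0
    tune.h2.max-concurrent-streams 0   # interim workaround from the advisory

frontend fe_https
    bind :443 ssl crt /etc/haproxy/site.pem alpn h2,http/1.1
    default_backend be_app
"""

# Section keywords that start at column 0 in a haproxy.cfg.
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen|peers|resolvers|userlist)\b")


def parse_sections(cfg_text: str) -> dict:
    """Group directive lines under the section header that introduces them (comments stripped)."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if SECTION_RE.match(line) and not raw[:1].isspace():
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def h2_enabled_binds(sections: dict) -> list:
    """Return 'section: bind ...' strings for listeners that can speak HTTP/2."""
    found = []
    for name, lines in sections.items():
        if not name.startswith(("frontend", "listen")):
            continue
        for line in lines:
            if not line.startswith("bind "):
                continue
            alpn = re.search(r"\balpn\s+(\S+)", line)
            protos = alpn.group(1).split(",") if alpn else []
            if "h2" in protos or re.search(r"\bproto\s+h2\b", line):
                found.append(f"{name}: {line}")
    return found


def workaround_applied(sections: dict) -> bool:
    """True when the global section sets tune.h2.max-concurrent-streams to 0."""
    for line in sections.get("global", []):
        parts = line.split()
        if len(parts) == 2 and parts[0] == "tune.h2.max-concurrent-streams":
            return parts[1] == "0"
    return False


def audit(cfg_text: str) -> dict:
    """Summarise HTTP/2 exposure versus the advisory's interim workaround."""
    sections = parse_sections(cfg_text)
    binds = h2_enabled_binds(sections)
    applied = workaround_applied(sections)
    return {"h2_binds": binds, "workaround": applied, "exposed": bool(binds) and not applied}


if __name__ == "__main__":
    for label, cfg in (("no workaround", CFG_NO_WORKAROUND), ("with workaround", CFG_WITH_WORKAROUND)):
        print(label, "->", audit(cfg))
```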
sunrat Posted August 23, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4961-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 23, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tor
CVE ID         : CVE-2021-38385

Henry de Valence reported a flaw in the signature verification code in Tor, a connection-based low-latency anonymous communication system. A remote attacker can take advantage of this flaw to cause an assertion failure, resulting in denial of service.

For the oldstable distribution (buster), this problem has been fixed in version 0.3.5.16-1.

For the stable distribution (bullseye), this problem has been fixed in version 0.4.5.10-1~deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4962-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 23, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ledgersmb
CVE ID         : CVE-2021-3731 CVE-2021-3693 CVE-2021-3694

Several vulnerabilities were discovered in LedgerSMB, a financial accounting and ERP program, which could result in cross-site scripting or clickjacking.

For the oldstable distribution (buster), this problem has been fixed in version 1.6.9+ds-1+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in version 1.6.9+ds-2+deb11u2.
sunrat Posted August 24, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4963-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
August 24, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openssl
CVE ID         : CVE-2021-3711 CVE-2021-3712

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.

CVE-2021-3711

    John Ouyang reported a buffer overflow vulnerability in the SM2 decryption. An attacker able to present SM2 content for decryption to an application can take advantage of this flaw to change application behaviour or cause the application to crash (denial of service).

CVE-2021-3712

    Ingo Schwarze reported a buffer overrun flaw when processing ASN.1 strings in the X509_aux_print() function, which can result in denial of service.

Additional details can be found in the upstream advisory: https://www.openssl.org/news/secadv/20210824.txt

For the oldstable distribution (buster), these problems have been fixed in version 1.1.1d-0+deb10u7.

For the stable distribution (bullseye), these problems have been fixed in version 1.1.1k-1+deb11u1.
sunrat Posted August 27, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4964-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
August 27, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : grilo
CVE ID         : CVE-2021-39365
Debian Bug     : 992971

Michael Catanzaro reported a problem in Grilo, a framework for discovering and browsing media. TLS certificate verification is not enabled on the SoupSessionAsync objects created by Grilo, leaving users vulnerable to network MITM attacks.

For the oldstable distribution (buster), this problem has been fixed in version 0.3.7-1+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 0.3.13-1+deb11u1.
sunrat Posted September 1, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4962-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 31, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ledgersmb

The update for ledgersmb released as DSA 4862-1 introduced a regression in the display of some search results. Updated ledgersmb packages are now available to correct this issue.

For the oldstable distribution (buster), this problem has been fixed in version 1.6.9+ds-1+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in version 1.6.9+ds-2+deb11u3.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4965-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 31, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libssh
CVE ID         : CVE-2021-3634
Debian Bug     : 993046

It was discovered that a buffer overflow in rekeying in libssh could result in denial of service or potentially the execution of arbitrary code.

The oldstable distribution (buster) is not affected.

For the stable distribution (bullseye), this problem has been fixed in version 0.9.5-1+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4966-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
August 31, 2021                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gpac
CVE ID         : CVE-2021-21834 CVE-2021-21836 CVE-2021-21837 CVE-2021-21838 CVE-2021-21839 CVE-2021-21840 CVE-2021-21841 CVE-2021-21842 CVE-2021-21843 CVE-2021-21844 CVE-2021-21845 CVE-2021-21846 CVE-2021-21847 CVE-2021-21848 CVE-2021-21849 CVE-2021-21850 CVE-2021-21853 CVE-2021-21854 CVE-2021-21855 CVE-2021-21857 CVE-2021-21858 CVE-2021-21859 CVE-2021-21860 CVE-2021-21861

Multiple security issues were discovered in the GPAC multimedia framework which could result in denial of service or the execution of arbitrary code.

The oldstable distribution (buster) is not affected.

For the stable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-4+deb11u1.
sunrat Posted September 4, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4967-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
September 04, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squashfs-tools
CVE ID         : CVE-2021-40153

Etienne Stalmans discovered that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not validate filenames for traversal outside of the destination directory. An attacker can take advantage of this flaw for writing to arbitrary files to the filesystem if a malformed Squashfs image is processed.

For the oldstable distribution (buster), this problem has been fixed in version 1:4.3-12+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 1:4.4-2+deb11u1.
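The squashfs-tools advisory above concerns entry names that escape the extraction directory. The function below is an added example, not squashfs-tools code, of the kind of containment check an extractor needs before creating each path: it rejects absolute names and any name that normalises to a parent of the destination, and confirms the joined path still lies under the destination root. The entry names are constructed; the check is lexical and does not cover symlinks that may already exist under the destination.

```python
import os
import posixpath

# Constructed entry names as an image's directory table might present them; not real image data.
SAMPLE_ENTRIES = [
    "usr/bin/ls",              # ordinary entry
    "etc/./hostname",          # harmless dot component
    "var/log/../tmp/x",        # parent reference that still stays inside
    "../../etc/cron.d/job",    # classic traversal out of the destination
    "/etc/passwd",             # absolute path
    "a/../../b",               # escapes only after normalisation
    "..",
    "",
]


def safe_destination(dest_root: str, entry_name: str):
    """Return the absolute path where entry_name may be written, or None if it would leave dest_root.

    Assumption for this example: entry names use '/' separators as stored in the image.
    """
    root = os.path.realpath(dest_root)
    if not entry_name or entry_name.startswith("/"):
        return None
    norm = posixpath.normpath(entry_name)      # collapses '.', '//' and resolvable '..'
    if norm in (".", "..") or norm.startswith("../"):
        return None
    candidate = os.path.join(root, *norm.split("/"))
    # Final containment check: the common prefix of root and candidate must be root itself.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def classify_entries(dest_root: str, names) -> dict:
    """Map each entry name to True (safe to extract) or False (rejected)."""
    return {name: safe_destination(dest_root, name) is not None for name in names}


if __name__ == "__main__":
    for name, ok in classify_entries("out", SAMPLE_ENTRIES).items():
        print("extract" if ok else "REJECT ", repr(name))
```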
sunrat Posted September 7, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4968-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
September 07, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : haproxy
CVE ID         : CVE-2021-40346

Ori Hollander reported that missing header name length checks in the htx_add_header() and htx_add_trailer() functions in HAProxy, a fast and reliable load balancing reverse proxy, could result in request smuggling attacks or response splitting attacks.

Additionally this update addresses #993303 introduced in DSA 4960-1 causing HAProxy to fail serving URLs with HTTP/2 containing '//'.

For the stable distribution (bullseye), this problem has been fixed in version 2.2.9-2+deb11u2.
sunrat Posted September 9, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4969-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 09, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-38493

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the oldstable distribution (buster), this problem has been fixed in version 78.14.0esr-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 78.14.0esr-1~deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4970-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 09, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postorius
CVE ID         : CVE-2021-40347

Kevin Israel discovered that Postorius, the administrative web frontend for Mailman 3, didn't validate whether a logged-in user owns the email address when unsubscribing.

For the oldstable distribution (buster), this problem has been fixed in version 1.2.4-1+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 1.3.4-2+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4971-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
September 09, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ntfs-3g
CVE ID         : CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289 CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269 CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254 CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258 CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262 CVE-2021-39263
Debian Bug     : 988386

Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.

For the oldstable distribution (buster), these problems have been fixed in version 1:2017.3.23AR.3-3+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 1:2017.3.23AR.3-4+deb11u1.
sunrat Posted September 11, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4972-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 10, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2021-3781
Debian Bug     : 994011

It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly validate access for the "%pipe%", "%handle%" and "%printer%" io devices, which could result in the execution of arbitrary code if a malformed PostScript file is processed (despite the -dSAFER sandbox being enabled).

For the stable distribution (bullseye), this problem has been fixed in version 9.53.3~dfsg-7+deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4973-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 10, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : thunderbird
CVE ID         : CVE-2021-38493

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.

For the oldstable distribution (buster), this problem has been fixed in version 1:78.14.0-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 1:78.14.0-1~deb11u1.
sunrat Posted September 19, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4974-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 19, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : nextcloud-desktop
CVE ID         : CVE-2021-22895 CVE-2021-32728
Debian Bug     : 989846

Two vulnerabilities were discovered in the Nextcloud desktop client, which could result in information disclosure.

For the oldstable distribution (buster), these problems have been fixed in version 2.5.1-3+deb10u2.

For the stable distribution (bullseye), these problems have been fixed in version 3.1.1-2+deb11u1.
sunrat Posted September 21, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4977-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
September 20, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : xen
CVE ID         : CVE-2021-28694 CVE-2021-28695 CVE-2021-28696 CVE-2021-28697
                 CVE-2021-28698 CVE-2021-28699 CVE-2021-28700 CVE-2021-28701

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.

With the end of upstream support for the 4.11 branch, the version of xen in the oldstable distribution (buster) is no longer supported. If you rely on security support for your Xen installation an update to the stable distribution (bullseye) is recommended.

For the stable distribution (bullseye), these problems have been fixed in version 4.14.3-1~deb11u1.
sunrat Posted September 21, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4975-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
September 20, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2021-30858

The following vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2021-30858

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

For the oldstable distribution (buster), this problem has been fixed in version 2.32.4-1~deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4976-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
September 20, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpewebkit
CVE ID         : CVE-2021-30858

The following vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2021-30858

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.
sunrat Posted September 25, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4978-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
September 25, 2021                    https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2020-3702 CVE-2020-16119 CVE-2021-3653 CVE-2021-3656
                 CVE-2021-3679 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743
                 CVE-2021-3753 CVE-2021-37576 CVE-2021-38160 CVE-2021-38166
                 CVE-2021-38199 CVE-2021-40490 CVE-2021-41073
Debian Bug     : 993948 993978

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2020-3702

    A flaw was found in the driver for Atheros IEEE 802.11n family of chipsets (ath9k) allowing information disclosure.

CVE-2020-16119

    Hadar Manor reported a use-after-free in the DCCP protocol implementation in the Linux kernel. A local attacker can take advantage of this flaw to cause a denial of service or potentially to execute arbitrary code.

CVE-2021-3653

    Maxim Levitsky discovered a vulnerability in the KVM hypervisor implementation for AMD processors in the Linux kernel: Missing validation of the `int_ctl` VMCB field could allow a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The L2 guest can take advantage of this flaw to write to a limited but still relatively large subset of the host physical memory.

CVE-2021-3656

    Maxim Levitsky and Paolo Bonzini discovered a flaw in the KVM hypervisor implementation for AMD processors in the Linux kernel. Missing validation of the `virt_ext` VMCB field could allow a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under these circumstances, the L2 guest is able to run VMLOAD/VMSAVE unintercepted and thus read/write portions of the host's physical memory.

CVE-2021-3679

    A flaw in the Linux kernel tracing module functionality could allow a privileged local user (with CAP_SYS_ADMIN capability) to cause a denial of service (resource starvation).

CVE-2021-3732

    Alois Wohlschlager reported a flaw in the implementation of the overlayfs subsystem, allowing a local attacker with privileges to mount a filesystem to reveal files hidden in the original mount.

CVE-2021-3739

    A NULL pointer dereference flaw was found in the btrfs filesystem, allowing a local attacker with CAP_SYS_ADMIN capabilities to cause a denial of service.

CVE-2021-3743

    An out-of-bounds memory read was discovered in the Qualcomm IPC router protocol implementation, allowing to cause a denial of service or information leak.

CVE-2021-3753

    Minh Yuan reported a race condition in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c, which may cause an out of bounds read in vt.

CVE-2021-37576

    Alexey Kardashevskiy reported a buffer overflow in the KVM subsystem on the powerpc platform, which allows KVM guest OS users to cause memory corruption on the host.

CVE-2021-38160

    A flaw in the virtio_console was discovered allowing data corruption or data loss by an untrusted device.

CVE-2021-38166

    An integer overflow flaw in the BPF subsystem could allow a local attacker to cause a denial of service or potentially the execution of arbitrary code. This flaw is mitigated by default in Debian as unprivileged calls to bpf() are disabled.

CVE-2021-38199

    Michael Wakabayashi reported a flaw in the NFSv4 client implementation, where incorrect connection setup ordering allows operations of a remote NFSv4 server to cause a denial of service.

CVE-2021-40490

    A race condition was discovered in the ext4 subsystem when writing to an inline_data file while its xattrs are changing. This could result in denial of service.

CVE-2021-41073

    Valentina Palmiotti discovered a flaw in io_uring allowing a local attacker to escalate privileges.

For the stable distribution (bullseye), these problems have been fixed in version 5.10.46-5. This update includes fixes for #993948 and #993978.
sunrat Posted October 2, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4979-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 01, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mediawiki
CVE ID         : CVE-2021-35197 CVE-2021-41798 CVE-2021-41799 CVE-2021-41800
                 CVE-2021-41801

Multiple security issues were found in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, denial of service and a bypass of restrictions in the "Replace Text" extension.

For the oldstable distribution (buster), these problems have been fixed in version 1:1.31.16-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 1:1.35.4-1~deb11u1.
sunrat Posted October 3, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4980-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 03, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : qemu
CVE ID         : CVE-2021-3544 CVE-2021-3545 CVE-2021-3546 CVE-2021-3638
                 CVE-2021-3682 CVE-2021-3713 CVE-2021-3748
Debian Bug     : 988174 989042 991911 992726 992727 993401

Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service or the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in version 1:5.2+dfsg-11+deb11u1.
sunrat Posted October 6, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4981-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 06, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : firefox-esr
CVE ID         : CVE-2021-38496 CVE-2021-38500

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the oldstable distribution (buster), these problems have been fixed in version 78.15.0esr-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 78.15.0esr-1~deb11u1.
sunrat Posted October 9, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4982-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 08, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : apache2
CVE ID         : CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438

Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition a vulnerability was discovered in mod_proxy with which an attacker could trick the server to forward requests to arbitrary origin servers.

For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u6.

For the stable distribution (bullseye), these problems have been fixed in version 2.4.51-1~deb11u1.
sunrat Posted October 10, 2021

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 10: 10.11 released                       press@debian.org
October 9th, 2021            https://www.debian.org/News/2021/2021100902
------------------------------------------------------------------------

The Debian project is pleased to announce the eleventh update of its oldstable distribution Debian 10 (codename "buster"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 10 but only updates some of the packages included. There is no need to throw away old "buster" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This oldstable update adds a few important corrections to the following packages (package, followed by the reason for the update):

  atftp [1]
      Fix buffer overflow [CVE-2021-41054]
  base-files [2]
      Update for the 10.11 point release
  btrbk [3]
      Fix arbitrary code execution issue [CVE-2021-38173]
  clamav [4]
      New upstream stable release; fix clamdscan segfaults when --fdpass and --multipass are used together with ExcludePath
  commons-io [5]
      Fix path traversal issue [CVE-2021-29425]
  cyrus-imapd [6]
      Fix denial-of-service issue [CVE-2021-33582]
  debconf [7]
      Check that whiptail or dialog is actually usable
  debian-installer [8]
      Rebuild against buster-proposed-updates; update Linux ABI to 4.19.0-18
  debian-installer-netboot-images [9]
      Rebuild against buster-proposed-updates
  distcc [10]
      Fix GCC cross-compiler links in update-distcc-symlinks and add support for clang and CUDA (nvcc)
  distro-info-data [11]
      Update included data for several releases
  dwarf-fortress [12]
      Remove undistributable prebuilt shared libraries from the source tarball
  espeak-ng [13]
      Fix using espeak with mbrola-fr4 when mbrola-fr1 is not installed
  gcc-mingw-w64 [14]
      Fix gcov handling
  gthumb [15]
      Fix heap-based buffer overflow issue [CVE-2019-20326]
  hg-git [16]
      Fix test failures with recent git versions
  htslib [17]
      Fix autopkgtest on i386
  http-parser [18]
      Fix HTTP request smuggling issue [CVE-2019-15605]
  irssi [19]
      Fix use after free issue when sending SASL login to the server [CVE-2019-13045]
  java-atk-wrapper [20]
      Also use dbus to detect accessibility being enabled
  krb5 [21]
      Fix KDC null dereference crash on FAST request with no server field [CVE-2021-37750]; fix memory leak in krb5_gss_inquire_cred
  libdatetime-timezone-perl [22]
      New upstream stable release; update DST rules for Samoa and Jordan; confirmation of no leap second on 2021-12-31
  libpam-tacplus [23]
      Prevent shared secrets from being added in plaintext to the system log [CVE-2020-13881]
  linux [24]
      "proc: Track /proc/$pid/attr/ opener mm_struct", fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159]
  linux-latest [25]
      Update to 4.19.0-18 kernel ABI
  linux-signed-amd64 [26]
      "proc: Track /proc/$pid/attr/ opener mm_struct", fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159]
  linux-signed-arm64 [27]
      "proc: Track /proc/$pid/attr/ opener mm_struct", fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159]
  linux-signed-i386 [28]
      "proc: Track /proc/$pid/attr/ opener mm_struct", fixing issues with lxc-attach; new upstream stable release; increase ABI version to 18; [rt] Update to 4.19.207-rt88; usb: hso: fix error handling code of hso_create_net_device [CVE-2021-37159]
  mariadb-10.3 [29]
      New upstream stable release; security fixes [CVE-2021-2389 CVE-2021-2372]; fix Perl executable path in scripts
  modsecurity-crs [30]
      Fix request body bypass issue [CVE-2021-35368]
  node-ansi-regex [31]
      Fix regular expression-based denial of service issue [CVE-2021-3807]
  node-axios [32]
      Fix regular expression-based denial of service issue [CVE-2021-3749]
  node-jszip [33]
      Use a null prototype object for this.files [CVE-2021-23413]
  node-tar [34]
      Remove non-directory paths from the directory cache [CVE-2021-32803]; strip absolute paths more comprehensively [CVE-2021-32804]
  nvidia-cuda-toolkit [35]
      Fix setting of NVVMIR_LIBRARY_DIR on ppc64el
  nvidia-graphics-drivers [36]
      New upstream stable release; fix denial of service issues [CVE-2021-1093 CVE-2021-1094 CVE-2021-1095]; nvidia-driver-libs: Add Recommends: libnvidia-encode1
  nvidia-graphics-drivers-legacy-390xx [37]
      New upstream stable release; fix denial of service issues [CVE-2021-1093 CVE-2021-1094 CVE-2021-1095]; nvidia-legacy-390xx-driver-libs: Add Recommends: libnvidia-legacy-390xx-encode1
  postgresql-11 [38]
      New upstream stable release; fix mis-planning of repeated application of a projection step [CVE-2021-3677]; disallow SSL renegotiation more completely
  proftpd-dfsg [39]
      Fix "mod_radius leaks memory contents to radius server", "cannot disable client-initiated renegotiation for FTPS", navigation into symlinked directories, mod_sftp crash when using pubkey-auth with DSA keys
  psmisc [40]
      Fix regression in killall not matching process with names longer than 15 characters
  python-uflash [41]
      Update firmware URL
  request-tracker4 [42]
      Fix login timing side-channel attack issue [CVE-2021-38562]
  ring [43]
      Fix denial of service issue in the embedded copy of pjproject [CVE-2021-21375]
  sabnzbdplus [44]
      Prevent directory escape in renamer function [CVE-2021-29488]
  shim [45]
      Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead
  shim-helpers-amd64-signed [46]
      Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead
  shim-helpers-arm64-signed [47]
      Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead
  shim-helpers-i386-signed [48]
      Add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead
  shim-signed [49]
      Work around boot-breaking issues on arm64 by including an older known working version of unsigned shim on that platform; switch arm64 back to using a current unsigned build; add arm64 patch to tweak section layout and stop crashing problems; in insecure mode, don't abort if we can't create the MokListXRT variable; don't abort on grub installation failures; warn instead
  shiro [50]
      Fix authentication bypass issues [CVE-2020-1957 CVE-2020-11989 CVE-2020-13933 CVE-2020-17510]; update Spring Framework compatibility patch; support Guice 4
  tzdata [51]
      Update DST rules for Samoa and Jordan; confirm the absence of a leap second on 2021-12-31
  ublock-origin [52]
      New upstream stable release; fix denial of service issue [CVE-2021-36773]
  ulfius [53]
      Ensure memory is initialised before use [CVE-2021-40540]
  xmlgraphics-commons [54]
      Fix Server-Side Request Forgery issue [CVE-2020-11988]
  yubikey-manager [55]
      Add missing dependency on python3-pkg-resources to yubikey-manager

Security Updates
----------------

This revision adds the following security updates to the oldstable release. The Security Team has already released an advisory for each of these updates (advisory ID, followed by package):

  DSA-4842 [56]    thunderbird [57]
  DSA-4866 [58]    thunderbird [59]
  DSA-4876 [60]    thunderbird [61]
  DSA-4897 [62]    thunderbird [63]
  DSA-4927 [64]    thunderbird [65]
  DSA-4931 [66]    xen [67]
  DSA-4932 [68]    tor [69]
  DSA-4933 [70]    nettle [71]
  DSA-4934 [72]    intel-microcode [73]
  DSA-4935 [74]    php7.3 [75]
  DSA-4936 [76]    libuv1 [77]
  DSA-4937 [78]    apache2 [79]
  DSA-4938 [80]    linuxptp [81]
  DSA-4939 [82]    firefox-esr [83]
  DSA-4940 [84]    thunderbird [85]
  DSA-4941 [86]    linux-signed-amd64 [87]
  DSA-4941 [88]    linux-signed-arm64 [89]
  DSA-4941 [90]    linux-signed-i386 [91]
  DSA-4941 [92]    linux [93]
  DSA-4942 [94]    systemd [95]
  DSA-4943 [96]    lemonldap-ng [97]
  DSA-4944 [98]    krb5 [99]
  DSA-4945 [100]   webkit2gtk [101]
  DSA-4946 [102]   openjdk-11-jre-dcevm [103]
  DSA-4946 [104]   openjdk-11 [105]
  DSA-4947 [106]   libsndfile [107]
  DSA-4948 [108]   aspell [109]
  DSA-4949 [110]   jetty9 [111]
  DSA-4950 [112]   ansible [113]
  DSA-4951 [114]   bluez [115]
  DSA-4952 [116]   tomcat9 [117]
  DSA-4953 [118]   lynx [119]
  DSA-4954 [120]   c-ares [121]
  DSA-4955 [122]   libspf2 [123]
  DSA-4956 [124]   firefox-esr [125]
  DSA-4957 [126]   trafficserver [127]
  DSA-4958 [128]   exiv2 [129]
  DSA-4959 [130]   thunderbird [131]
  DSA-4961 [132]   tor [133]
  DSA-4962 [134]   ledgersmb [135]
  DSA-4963 [136]   openssl [137]
  DSA-4964 [138]   grilo [139]
  DSA-4967 [140]   squashfs-tools [141]
  DSA-4969 [142]   firefox-esr [143]
  DSA-4970 [144]   postorius [145]
  DSA-4971 [146]   ntfs-3g [147]
  DSA-4973 [148]   thunderbird [149]
  DSA-4974 [150]   nextcloud-desktop [151]
  DSA-4975 [152]   webkit2gtk [153]
  DSA-4979 [154]   mediawiki [155]

Removed packages
----------------

The following packages were removed due to circumstances beyond our control (package, followed by the reason):

  birdtray [156]
      Incompatible with newer Thunderbird versions
  libprotocol-acme-perl [157]
      Only supports obsolete ACME version 1
sunrat Posted October 10, 2021

------------------------------------------------------------------------
The Debian Project                                https://www.debian.org/
Updated Debian 11: 11.1 released                        press@debian.org
October 9th, 2021              https://www.debian.org/News/2021/20211009
------------------------------------------------------------------------

The Debian project is pleased to announce the first update of its stable distribution Debian 11 (codename "bullseye"). This point release mainly adds corrections for security issues, along with a few adjustments for serious problems. Security advisories have already been published separately and are referenced where available.

Please note that the point release does not constitute a new version of Debian 11 but only updates some of the packages included. There is no need to throw away old "bullseye" media. After installation, packages can be upgraded to the current versions using an up-to-date Debian mirror.

Those who frequently install updates from security.debian.org won't have to update many packages, and most such updates are included in the point release.

New installation images will be available soon at the regular locations.

Upgrading an existing installation to this revision can be achieved by pointing the package management system at one of Debian's many HTTP mirrors. A comprehensive list of mirrors is available at:

  https://www.debian.org/mirror/list

Miscellaneous Bugfixes
----------------------

This stable update adds a few important corrections to the following packages (package, followed by the reason for the update):

  apr [1]
      Prevent out-of-bounds array dereference
  atftp [2]
      Fix buffer overflow [CVE-2021-41054]
  automysqlbackup [3]
      Fix crash when using "LATEST=yes"
  base-files [4]
      Update for the 11.1 point release
  clamav [5]
      New upstream stable release; fix clamdscan segfaults when --fdpass and --multipass are used together with ExcludePath
  cloud-init [6]
      Avoid duplicate includedir in /etc/sudoers
  cyrus-imapd [7]
      Fix denial-of-service issue [CVE-2021-33582]
  dazzdb [8]
      Fix a use-after-free in DBstats
  debian-edu-config [9]
      debian-edu-ltsp-install: extend main server related exclude list; add slapd and xrdp-sesman to the list of masked services
  debian-installer [10]
      Rebuild against proposed updates; update Linux ABI to 5.10.0-9; use udebs from proposed-updates
  debian-installer-netboot-images [11]
      Rebuild against proposed-updates; use udebs from proposed-updates and stable; use xz-compressed Packages files
  detox [12]
      Fix handling of large files
  devscripts [13]
      Make the --bpo option target bullseye-backports
  dlt-viewer [14]
      Add missing qdlt/qdlt*.h header files to dev package
  dpdk [15]
      New upstream stable release
  fetchmail [16]
      Fix segmentation fault and security regression
  flatpak [17]
      New upstream stable release; don't inherit an unusual $XDG_RUNTIME_DIR setting into the sandbox
  freeradius [18]
      Fix thread crash and sample configuration
  galera-3 [19]
      New upstream stable release
  galera-4 [20]
      New upstream stable release; solve circular Conflicts with galera-3 by no longer providing a virtual "galera" package
  glewlwyd [21]
      Fix possible buffer overflow during FIDO2 signature validation in webauthn registration [CVE-2021-40818]
  glibc [22]
      Restart openssh-server even if it has been deconfigured during the upgrade; fix text fallback when debconf is unusable
  gnome-maps [23]
      New upstream stable release; fix a crash when starting up with last-used map type being aerial, and no aerial tile definition is found; don't sometimes write broken last view position on exit; fix hang when dragging around route markers
  gnome-shell [24]
      New upstream stable release; fix freeze after cancelling (some) system-modal dialogs; fix word suggestions in on-screen keyboard; fix crashes
  hdf5 [25]
      Adjust package dependencies to improve upgrade paths from older releases
  iotop-c [26]
      Properly handle UTF-8 process names
  jailkit [27]
      Fix creation of jails that need to use /dev; fix library presence check
  java-atk-wrapper [28]
      Also use dbus to detect accessibility being enabled
  krb5 [29]
      Fix KDC null dereference crash on FAST request with no server field [CVE-2021-37750]; fix memory leak in krb5_gss_inquire_cred
  libavif [30]
      Use correct libdir in libavif.pc pkgconfig file
  libbluray [31]
      Switch to embedded libasm; the version from libasm-java is too new
  libdatetime-timezone-perl [32]
      New upstream stable release; update DST rules for Samoa and Jordan; confirmation of no leap second on 2021-12-31
  libslirp [33]
      Fix multiple buffer overflow issues [CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595]
  linux [34]
      New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
  linux-signed-amd64 [35]
      New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
  linux-signed-arm64 [36]
      New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
  linux-signed-i386 [37]
      New upstream stable release; increase ABI to 9; [rt] Update to 5.10.65-rt53; [mipsel] bpf, mips: Validate conditional branch offsets [CVE-2021-38300]
  mariadb-10.5 [38]
      New upstream stable release; security fixes [CVE-2021-2372 CVE-2021-2389]
  mbrola [39]
      Fix end of file detection
  modsecurity-crs [40]
      Fix request body bypass issue [CVE-2021-35368]
  mtr [41]
      Fix regression in JSON output
  mutter [42]
      New upstream stable release; kms: Improve handling of common video modes that might exceed the possible bandwidth; ensure valid window texture size after viewport changes
  nautilus [43]
      Avoid opening multiple selected files in multiple application instances; don't save window size and position when tiled; fix some memory leaks; update translations
  node-ansi-regex [44]
      Fix regular expression-based denial of service issue [CVE-2021-3807]
  node-axios [45]
      Fix regular expression-based denial of service issue [CVE-2021-3749]
  node-object-path [46]
      Fix prototype pollution issues [CVE-2021-23434 CVE-2021-3805]
  node-prismjs [47]
      Fix regular expression-based denial of service issue [CVE-2021-3801]
  node-set-value [48]
      Fix prototype pollution [CVE-2021-23440]
  node-tar [49]
      Remove non-directory paths from the directory cache [CVE-2021-32803]; strip absolute paths more comprehensively [CVE-2021-32804]
  osmcoastline [50]
      Fix projections other than WGS84
  osmpbf [51]
      Rebuild against protobuf 3.12.4
  pam [52]
      Fix syntax error in libpam0g.postinst when a systemd unit fails
  perl [53]
      Security update; fix a regular expression memory leak
  pglogical [54]
      Update for PostgreSQL 13.4 snapshot handling fixes
  pmdk [55]
      Fix missing barriers after non-temporal memcpy
  postgresql-13 [56]
      New upstream stable release; fix mis-planning of repeated application of a projection step [CVE-2021-3677]; disallow SSL renegotiation more completely
  proftpd-dfsg [57]
      Fix "mod_radius leaks memory contents to radius server" and "sftp connection aborts with 'Corrupted MAC on input'"; skip escaping of already-escaped SQL text
  pyx3 [58]
      Fix horizontal font alignment issue with texlive 2020
  reportbug [59]
      Update suite names following bullseye release
  request-tracker4 [60]
      Fix login timing side-channel attack issue [CVE-2021-38562]
  rhonabwy [61]
      Fix JWE CBC tag computation and JWS alg:none signature verification
  rpki-trust-anchors [62]
      Add HTTPS URL to the LACNIC TAL
  rsync [63]
      Re-add --copy-devices; fix regression in --delay-updates; fix edge case in --mkpath; fix rsync-ssl; fix --sparce and --inplace; update options available to rrsync; documentation fixes
  ruby-rqrcode-rails3 [64]
      Fix for ruby-rqrcode 1.0 compatibility
  sabnzbdplus [65]
      Prevent directory escape in renamer function [CVE-2021-29488]
  shellcheck [66]
      Fix rendering of long options in manpage
  shiro [67]
      Fix authentication bypass issues [CVE-2020-1957 CVE-2020-11989 CVE-2020-13933 CVE-2020-17510]; update Spring Framework compatibility patch; support Guice 4
  speech-dispatcher [68]
      Fix setting of voice name for the generic module
  telegram-desktop [69]
      Avoid crash when auto-delete is enabled
  termshark [70]
      Include themes in package
  tmux [71]
      Fix a race condition which results in the config not being loaded if several clients are interacting with the server while it's initializing
  txt2man [72]
      Fix regression in handling display blocks
  tzdata [73]
      Update DST rules for Samoa and Jordan; confirm the absence of a leap second on 2021-12-31
  ublock-origin [74]
      New upstream stable release; fix denial of service issue [CVE-2021-36773]
  ulfius [75]
      Ensure memory is initialised before use [CVE-2021-40540]

Security Updates
----------------

This revision adds the following security updates to the stable release.
The Security Team has already released an advisory for each of these updates:

+----------------+--------------------------+
| Advisory ID    | Package                  |
+----------------+--------------------------+
| DSA-4959 [76]  | thunderbird [77]         |
| DSA-4960 [78]  | haproxy [79]             |
| DSA-4961 [80]  | tor [81]                 |
| DSA-4962 [82]  | ledgersmb [83]           |
| DSA-4963 [84]  | openssl [85]             |
| DSA-4964 [86]  | grilo [87]               |
| DSA-4965 [88]  | libssh [89]              |
| DSA-4966 [90]  | gpac [91]                |
| DSA-4967 [92]  | squashfs-tools [93]      |
| DSA-4968 [94]  | haproxy [95]             |
| DSA-4969 [96]  | firefox-esr [97]         |
| DSA-4970 [98]  | postorius [99]           |
| DSA-4971 [100] | ntfs-3g [101]            |
| DSA-4972 [102] | ghostscript [103]        |
| DSA-4973 [104] | thunderbird [105]        |
| DSA-4974 [106] | nextcloud-desktop [107]  |
| DSA-4975 [108] | webkit2gtk [109]         |
| DSA-4976 [110] | wpewebkit [111]          |
| DSA-4977 [112] | xen [113]                |
| DSA-4978 [114] | linux-signed-amd64 [115] |
| DSA-4978 [116] | linux-signed-arm64 [117] |
| DSA-4978 [118] | linux-signed-i386 [119]  |
| DSA-4978 [120] | linux [121]              |
| DSA-4979 [122] | mediawiki [123]          |
+----------------+--------------------------+

During the final stages of the bullseye freeze, some updates were released via the security archive [124] but without an accompanying DSA. These updates are detailed below.
124: https://security.debian.org/

Package                         | Reason
--------------------------------+------------------------------------------
apache2 [125]                   | Fix mod_proxy HTTP2 request line injection [CVE-2021-33193]
btrbk [126]                     | Fix arbitrary code execution issue [CVE-2021-38173]
c-ares [127]                    | Fix missing input validation on hostnames returned by DNS servers [CVE-2021-3672]
exiv2 [128]                     | Fix overflow issues [CVE-2021-29457 CVE-2021-31292]
firefox-esr [129]               | New upstream stable release [CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989]
libencode-perl [130]            | Encode: mitigate @INC pollution when loading ConfigLocal [CVE-2021-36770]
libspf2 [131]                   | spf_compile.c: Correct size of ds_avail [CVE-2021-20314]; fix "reverse" macro modifier
lynx [132]                      | Fix leakage of credentials if SNI was used together with a URL containing credentials [CVE-2021-38165]
nodejs [133]                    | New upstream stable release; fix use after free issue [CVE-2021-22930]
tomcat9 [134]                   | Fix authentication bypass issue [CVE-2021-30640] and request smuggling issue [CVE-2021-33037]
xmlgraphics-commons [135]       | Fix server side request forgery issue [CVE-2020-11988]
sunrat Posted October 10, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4983-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 10, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : neutron
CVE ID         : CVE-2021-40085
Debian Bug     : 993398

Pavel Toporkov discovered a vulnerability in Neutron, the OpenStack virtual network service, which allowed a reconfiguration of dnsmasq via crafted dhcp_extra_opts parameters.

For the oldstable distribution (buster), this problem has been fixed in version 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1. This update also fixes CVE-2021-20267.

For the stable distribution (bullseye), this problem has been fixed in version 2:17.2.1-0+deb11u1. This update also fixes CVE-2021-38598.
sunrat Posted October 13, 2021

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4984-1                   security@debian.org
https://www.debian.org/security/                      Salvatore Bonaccorso
October 12, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : flatpak
CVE ID         : CVE-2021-41133
Debian Bug     : 995935

It was discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could be bypassed for a Flatpak app with direct access to AF_UNIX sockets, by manipulating the VFS using mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter.

Details can be found in the upstream advisory at
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q

For the stable distribution (bullseye), this problem has been fixed in version 1.10.5-0+deb11u1.