Jump to content

Recommended Posts

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4985-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
October 14, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wordpress
CVE ID         : CVE-2021-39200 CVE-2021-39201
Debian Bug     : 994059 994060

Several vulnerabilities were discovered in Wordpress, a web blogging
tool. They allowed remote attackers to perform Cross-Site Scripting
(XSS) attacks or impersonate other users.

For the oldstable distribution (buster), these problems have been fixed
in version 5.0.14+dfsg1-0+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 5.7.3+dfsg1-0+deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4984-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 14, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-30640 CVE-2021-41079

Two vulnerabilities were discovered in the Tomcat servlet and JSP engine,
which could result in denial of service.

For the oldstable distribution (buster), these problems have been fixed
in version 9.0.31-1~deb10u6.

For the stable distribution (bullseye), these problems have been fixed in
version 9.0.43-2~deb11u2.
Link to post
Share on other sites
  • Replies 2k
  • Created
  • Last Reply

Top Posters In This Topic

  • sunrat

    1652

  • V.T. Eric Layton

    171

  • securitybreach

    112

  • Bruno

    65

Top Posters In This Topic

Popular Posts

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3093-1 security@debian.org http://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3401-1 security@debian.org https://www.debian.org/security/

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4123-1 security@debian.org https://www.debian.org/security/

sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4987-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 15, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : squashfs-tools
CVE ID         : CVE-2021-41072
Debian Bug     : 994262

Richard Weinberger reported that unsquashfs in squashfs-tools, the tools
to create and extract Squashfs filesystems, does not check for duplicate
filenames within a directory. An attacker can take advantage of this
flaw for writing to arbitrary files to the filesystem if a malformed
Squashfs image is processed.

For the oldstable distribution (buster), this problem has been fixed
in version 1:4.3-12+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in
version 1:4.4-2+deb11u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4988-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 16, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libreoffice
CVE ID         : CVE-2021-25633 CVE-2021-25634

Two security issues have been discovered in LibreOffice's support for
digital signatures in ODF documents, which could result in incorrect
signature indicators/timestamps being presented.

For the stable distribution (bullseye), these problems have been fixed in
version 1:7.0.4-4+deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4989-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
October 18, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : strongswan
CVE ID         : CVE-2021-41990 CVE-2021-41991

Researchers at the United States of America National Security Agency (NSA)
identified two denial of services vulnerability in strongSwan, an IKE/IPsec
suite.

CVE-2021-41990

    RSASSA-PSS signatures whose parameters define a very high salt length can
    trigger an integer overflow that can lead to a segmentation fault.
    .
    Generating a signature that bypasses the padding check to trigger the crash
    requires access to the private key that signed the certificate.  However,
    the certificate does not have to be trusted.  Because the gmp and the
    openssl plugins both check if a parsed certificate is self-signed (and the
    signature is valid), this can e.g.  be triggered by an unrelated
    self-signed CA certificate sent by an initiator.

CVE-2021-41991

    Once the in-memory certificate cache is full it tries to randomly replace
    lesser used entries. Depending on the generated random value, this could
    lead to an integer overflow that results in a double-dereference and a call
    using out-of-bounds memory that most likely leads to a segmentation fault.
    .
    Remote code execution can't be ruled out completely, but attackers have no
    control over the dereferenced memory, so it seems unlikely at this point.

For the oldstable distribution (buster), these problems have been fixed
in version 5.7.2-1+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 5.9.1-1+deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4990-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 19, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2020-20445 CVE-2020-20446 CVE-2020-20453 CVE-2020-21041 
                 CVE-2020-22015 CVE-2020-22016 CVE-2020-22017 CVE-2020-22019 
                 CVE-2020-22020 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023 
                 CVE-2020-22025 CVE-2020-22026 CVE-2020-22027 CVE-2020-22028 
                 CVE-2020-22029 CVE-2020-22030 CVE-2020-22031 CVE-2020-22032 
                 CVE-2020-22033 CVE-2020-22034 CVE-2020-22035 CVE-2020-22036 
                 CVE-2020-22037 CVE-2020-22049 CVE-2020-22054 CVE-2020-35965 
                 CVE-2021-38114 CVE-2021-38171 CVE-2021-38291

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the oldstable distribution (buster), these problems have been fixed
in version 7:4.1.8-0+deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4991-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 22, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : mailman
CVE ID         : CVE-2020-12108 CVE-2020-15011 CVE-2021-42096 CVE-2021-42097

Several vulnerabilities were discovered in mailman, a web-based mailing
list manager, which could result in arbitrary content injection via the
options and private archive login pages, and CSRF attacks or privilege
escalation via the user options page.

For the oldstable distribution (buster), these problems have been fixed
in version 1:2.1.29-1+deb10u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4992-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 25, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.4
CVE ID         : CVE-2021-21703
Debian Bug     : 997003

An out-of-bounds read and write flaw was discovered in the PHP-FPM code,
which could result in escalation of privileges from local unprivileged
user to the root user.

For the stable distribution (bullseye), this problem has been fixed in
version 7.4.25-1+deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4993-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 25, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : php7.3
CVE ID         : CVE-2021-21703

An out-of-bounds read and write flaw was discovered in the PHP-FPM code,
which could result in escalation of privileges from local unprivileged
user to the root user.

For the oldstable distribution (buster), this problem has been fixed
in version 7.3.31-1~deb10u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4994-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 28, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : bind9
CVE ID         : CVE-2021-25219

Kishore Kumar Kothapalli discovered that the lame server cache in BIND,
a DNS server implementation, can be abused by an attacker to
significantly degrade resolver performance, resulting in denial of
service (large delays for responses for client queries and DNS timeouts
on client hosts).

For the oldstable distribution (buster), this problem has been fixed
in version 1:9.11.5.P4+dfsg-5.1+deb10u6.

For the stable distribution (bullseye), this problem has been fixed in
version 1:9.16.22-1~deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4995-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
October 29, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2021-30846 CVE-2021-30851 CVE-2021-42762

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2021-30846

    Sergei Glazunov discovered that processing maliciously crafted web
    content may lead to arbitrary code execution

CVE-2021-30851

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to code execution

CVE-2021-42762

    An anonymous reporter discovered a limited Bubblewrap sandbox
    bypass that allows a sandboxed process to trick host processes
    into thinking the sandboxed process is not confined.

For the oldstable distribution (buster), these problems have been fixed
in version 2.34.1-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 2.34.1-1~deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4996-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
October 29, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : wpewebkit
CVE ID         : CVE-2021-30846 CVE-2021-30851 CVE-2021-42762

The following vulnerabilities have been discovered in the wpewebkit
web engine:

CVE-2021-30846

    Sergei Glazunov discovered that processing maliciously crafted web
    content may lead to arbitrary code execution

CVE-2021-30851

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to code execution

CVE-2021-42762

    An anonymous reporter discovered a limited Bubblewrap sandbox
    bypass that allows a sandboxed process to trick host processes
    into thinking the sandboxed process is not confined.

For the stable distribution (bullseye), these problems have been fixed in
version 2.34.1-1~deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4997-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 31, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tiff
CVE ID         : CVE-2020-19143

A flaw was discovered in tiff, a Tag Image File Format library, which
may result in denial of service or the execution of arbitrary code if
malformed image files are processed.

For the oldstable distribution (buster), this problem has been fixed
in version 4.1.0+git191117-2~deb10u3.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4998-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
October 31, 2021                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ffmpeg
CVE ID         : CVE-2020-20446 CVE-2020-20450 CVE-2020-20453 CVE-2020-22037 
                 CVE-2020-22042 CVE-2021-38114 CVE-2021-38171 CVE-2021-38291
                 CVE-2020-21697 CVE-2020-21688 CVE-2020-20445

Several vulnerabilities have been discovered in the FFmpeg multimedia
framework, which could result in denial of service or potentially the
execution of arbitrary code if malformed files/streams are processed.

For the stable distribution (bullseye), these problems have been fixed in
version 7:4.3.3-0+deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4999-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 01, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : asterisk
CVE ID         : CVE-2021-32558 CVE-2021-32686
Debian Bug     : 991710 991931

Multiple vulnerabilities have been discovered in Asterisk, an open
source PBX and telephony toolkit, which may result in denial of service.

For the stable distribution (bullseye), these problems have been fixed in
version 1:16.16.1~dfsg-1+deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5000-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 01, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-11
CVE ID         : CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 
                 CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578 
                 CVE-2021-35586 CVE-2021-35603

Several vulnerabilities have been discovered in the OpenJDK Java
runtime, which may result in denial of service, incorrect Kerberos ticket
use, selection of weak ciphers or information disclosure.

The oldstable distribution (buster), needs additional updates to be able
to build 11.0.13. An update will be provided in a followup advisory.

For the stable distribution (bullseye), these problems have been fixed in
version 11.0.13+8-1~deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5001-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 05, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : redis
CVE ID         : CVE-2021-32626 CVE-2021-32627 CVE-2021-32628 CVE-2021-32672 
                 CVE-2021-32675 CVE-2021-32687 CVE-2021-32762 CVE-2021-41099
                 CVE-2021-32761

Multiple vulnerabilities were discovered in Redis, a persistent key-value
database, which could result in denial of service or the execution of
arbitrary code.

For the oldstable distribution (buster), these problems have been fixed
in version 5:5.0.14-1+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 5:6.0.16-1+deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5002-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 06, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : containerd
CVE ID         : CVE-2021-41103

A flaw was discovered in containerd, an open and reliable container
runtime. Insufficiently restricted permissions on container root and
plugin directories could result in privilege escalation.

For the stable distribution (bullseye), this problem has been fixed in
version 1.4.5~ds1-2+deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5003-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 09, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2016-2124 CVE-2020-25717 CVE-2020-25718 CVE-2020-25719 
                 CVE-2020-25721 CVE-2020-25722 CVE-2021-3738 CVE-2021-23192

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix.

CVE-2016-2124

    Stefan Metzmacher reported that SMB1 client connections can be
    downgraded to plaintext authentication.

CVE-2020-25717

    Andrew Bartlett reported that Samba may map domain users to local
    users in an undesired way, allowing for privilege escalation. The
    update introduces a new parameter "min domain uid" (default to 1000)
    to not accept a UNIX uid below this value.

CVE-2020-25718

    Andrew Bartlett reported that Samba as AD DC, when joined by an
    RODC, did not confirm if the RODC was allowed to print a ticket for
    that user, allowing an RODC to print administrator tickets.

CVE-2020-25719

    Andrew Bartlett reported that Samba as AD DC, did not always rely on
    the SID and PAC in Kerberos tickets and could be confused about the
    user a ticket represents. If a privileged account was attacked this
    could lead to total domain compromise.

CVE-2020-25721

    Andrew Bartlett reported that Samba as a AD DC did not provide a way
    for Linux applications to obtain a reliable SID (and samAccountName)
    in issued tickets.

CVE-2020-25722

    Andrew Bartlett reported that Samba as AD DC did not do sufficient
    access and conformance checking of data stored, potentially allowing
    total domain compromise.

CVE-2021-3738

    William Ross reported that the Samba AD DC RPC server can use memory
    that was free'd when a sub-connection is closed, resulting in denial
    of service, and potentially, escalation of privileges.

CVE-2021-23192

    Stefan Metzmacher reported that if a client to a Samba server sent a
    very large DCE/RPC request, and chose to fragment it, an attacker
    could replace later fragments with their own data, bypassing the
    signature requirements.

For the stable distribution (bullseye), these problems have been fixed in
version 2:4.13.13+dfsg-1~deb11u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5004-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 10, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxstream-java
CVE ID         : CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144
                 CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148
                 CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
                 CVE-2021-39153 CVE-2021-39154 CVE-2021-21341 CVE-2021-21342
                 CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346
                 CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
                 CVE-2021-21351 CVE-2021-29505

Multiple security vulnerabilities have been discovered in XStream, a Java
library to serialize objects to XML and back again.

These vulnerabilities may allow a remote attacker to load and execute arbitrary
code from a remote host only by manipulating the processed input stream.

XStream itself sets up a whitelist by default now, i.e. it blocks all classes
except those types it has explicit converters for. It used to have a blacklist
by default, i.e. it tried to block all currently known critical classes of the
Java runtime. Main reason for the blacklist were compatibility, it allowed to
use newer versions of XStream as drop-in replacement. However, this approach
has failed. A growing list of security reports has proven, that a blacklist is
inherently unsafe, apart from the fact that types of 3rd libraries were not
even considered. A blacklist scenario should be avoided in general, because it
provides a false sense of security.

For the oldstable distribution (buster), these problems have been fixed
in version 1.4.11.1-1+deb10u3.

For the stable distribution (bullseye), these problems have been fixed in
version 1.4.15-3+deb11u1

 

Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5005-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 10, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ruby-kaminari
CVE ID         : CVE-2020-11082
Debian Bug     : 961847

A security vulnerability has been found in Kaminari, a pagination engine plugin
for Rails 3+ and other modern frameworks, that would allow an attacker to
inject arbitrary code into pages with pagination links.

For the oldstable distribution (buster), this problem has been fixed
in version 1.0.1-4+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5006-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 11, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-11
CVE ID         : CVE-2021-23214 CVE-2021-23222

Jacob Champion discovered two vulnerabilities in the PostgreSQL database
system, which could result in man-in-the-middle attacks.

For the oldstable distribution (buster), these problems have been fixed
in version 11.14-0+deb10u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5007-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 11, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : postgresql-13
CVE ID         : CVE-2021-23214 CVE-2021-23222

Jacob Champion discovered two vulnerabilities in the PostgreSQL database
system, which could result in man-in-the-middle attacks.

For the stable distribution (bullseye), these problems have been fixed in
version 13.5-0+deb11u1.

 

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5008-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 11, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : node-tar
CVE ID         : CVE-2021-37701 CVE-2021-37712

It was discovered that the symlink extraction protections in node-tar,
a Tar archives module for Node.js could by bypassed; allowing a malicious
Tar archive to symlink into an arbitrary location.

For the stable distribution (bullseye), these problems have been fixed in
version 6.0.5+ds1+~cs11.3.9-1+deb11u2.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5009-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 12, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : tomcat9
CVE ID         : CVE-2021-42340

Apache Tomcat, the servlet and JSP engine, did not properly release an HTTP
upgrade connection for WebSocket connections once the WebSocket connection was
closed. This created a memory leak that, over time, could lead to a denial of
service via an OutOfMemoryError.

For the stable distribution (bullseye), this problem has been fixed in
version 9.0.43-2~deb11u3.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5010-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 15, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : libxml-security-java
CVE ID         : CVE-2021-40690
Debian Bug     : 994569

Apache Santuario - XML Security for Java is vulnerable to an issue where the
"secureValidation" property is not passed correctly when creating a KeyInfo
from a KeyInfoReference element. This allows an attacker to abuse an XPath
Transform to extract any local .xml files in a RetrievalMethod element.

For the oldstable distribution (buster), this problem has been fixed
in version 2.0.10-2+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in
version 2.0.10-2+deb11u1.
Link to post
Share on other sites
sunrat
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5011-1                   security@debian.org
https://www.debian.org/security/                          Markus Koschany
November 19, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : salt
CVE ID         : CVE-2021-21996 CVE-2021-31607 CVE-2021-25284 CVE-2021-25283
                 CVE-2021-25282 CVE-2021-25281 CVE-2021-3197 CVE-2021-3148
                 CVE-2021-3144 CVE-2020-35662 CVE-2020-28972 CVE-2020-28243
Debian Bug     : 983632 994016 987496

Multiple security vulnerabilities have been discovered in Salt, a powerful
remote execution manager, that allow for local privilege escalation on a
minion, server side template injection attacks, insufficient checks for eauth
credentials, shell and command injections or incorrect validation of SSL
certificates.

For the oldstable distribution (buster), this problem has been fixed
in version 2018.3.4+dfsg1-6+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in
version 3002.6+dfsg1-4+deb11u1.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5012-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
November 23, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : openjdk-17
CVE ID         : CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564 
                 CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603

Several vulnerabilities have been discovered in the OpenJDK Java runtime,
which may result in denial of service, incorrect Kerberos ticket use,
selection of weak ciphers or information disclosure.

For the stable distribution (bullseye), these problems have been fixed in
version 17.0.1+12-1+deb11u2.
Link to post
Share on other sites
- -------------------------------------------------------------------------
Debian Security Advisory DSA-5013-1                   security@debian.org
https://www.debian.org/security/                       Sebastien Delafond
November 27, 2021                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : roundcube
CVE ID         : CVE-2021-44025 CVE-2021-44026
Debian Bug     : 1000156

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, did not properly sanitize requests and mail
messages. This would allow an attacker to perform Cross-Side Scripting
(XSS) or SQL injection attacks.

For the oldstable distribution (buster), these problems have been fixed
in version 1.3.17+dfsg.1-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 1.4.12+dfsg.1-1~deb11u1.
Link to post
Share on other sites
Corrine

There is another site I know you're a member of where you could post the updates if you're interested.  

Link to post
Share on other sites

×
×
  • Create New...