Debian Security Advisory

    • Official post

    Package : awl

    CVE ID : CVE-2020-11728 CVE-2020-11729

    Debian Bug : 956650

    Andrew Bartlett discovered that awl, DAViCal Andrew's Web Libraries, did not properly handle session management: this would allow a malicious user to impersonate other sessions or users.

    For the oldstable distribution (stretch), these problems have been fixed in version 0.57-1+deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 0.60-1+deb10u1.

    We recommend that you upgrade your awl packages.

    For the detailed security status of awl please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/awl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openssl

    CVE ID : CVE-2020-1967

    Bernd Edlinger discovered that malformed data passed to the SSL_check_chain() function during or after a TLS 1.3 handshake could cause a NULL dereference, resulting in denial of service.

    The oldstable distribution (stretch) is not affected.

    For the stable distribution (buster), this problem has been fixed in version 1.1.1d-0+deb10u3.

    We recommend that you upgrade your openssl packages.

    For the detailed security status of openssl please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openssl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2767 CVE-2020-2773 CVE-2020-2778 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2816 CVE-2020-2830

    Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks.

    For the stable distribution (buster), these problems have been fixed in version 11.0.7+10-3~deb10u1.

    We recommend that you upgrade your openjdk-11 packages.

    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-reportlab

    CVE ID : CVE-2019-17626

    Debian Bug : 942763

    It was discovered that python-reportlab, a Python library to create PDF documents, is prone to a code injection vulnerability while parsing a color attribute. An attacker can take advantage of this flaw to execute arbitrary code if a specially crafted document is processed.

    For the oldstable distribution (stretch), this problem has been fixed in version 3.3.0-2+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 3.5.13-1+deb10u1.

    We recommend that you upgrade your python-reportlab packages.

    For the detailed security status of python-reportlab please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-reportlab

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mailman

    CVE ID : CVE-2020-12137

    Hanno Boeck discovered that it was possible to create a cross site scripting attack on the webarchives of the Mailman mailing list manager, by sending a special type of attachment.

    For the oldstable distribution (stretch), this problem has been fixed in version 1:2.1.23-1+deb9u5.

    For the stable distribution (buster), this problem has been fixed in version 1:2.1.29-1+deb10u1.

    We recommend that you upgrade your mailman packages.

    For the detailed security status of mailman please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mailman

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qemu

    CVE ID : CVE-2019-12068 CVE-2019-15034 CVE-2019-20382 CVE-2020-1983

    Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service or the execution of arbitrary code.

    For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u5.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openldap

    CVE ID : CVE-2020-12243

    A vulnerability was discovered in OpenLDAP, a free implementation of the Lightweight Directory Access Protocol. LDAP search filters with nested boolean expressions can result in denial of service (slapd daemon crash).

    For the oldstable distribution (stretch), this problem has been fixed in version 2.4.44+dfsg-5+deb9u4.

    For the stable distribution (buster), this problem has been fixed in version 2.4.47+dfsg-3+deb10u2.

    We recommend that you upgrade your openldap packages.

    For the detailed security status of openldap please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openldap

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2020-2732 CVE-2020-8428 CVE-2020-10942 CVE-2020-11565 CVE-2020-11884

    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service, or information leak.

    CVE-2020-2732

    Paolo Bonzini discovered that the KVM implementation for Intel processors did not properly handle instruction emulation for L2 guests when nested virtualization is enabled. This could allow an L2 guest to cause privilege escalation, denial of service, or information leaks in the L1 guest.

    CVE-2020-8428

    Al Viro discovered a use-after-free vulnerability in the VFS layer. This allowed local users to cause a denial-of-service (crash) or obtain sensitive information from kernel memory.

    CVE-2020-10942

    It was discovered that the vhost_net driver did not properly validate the type of sockets set as back-ends. A local user permitted to access /dev/vhost-net could use this to cause a stack corruption via crafted system calls, resulting in denial of service (crash) or possibly privilege escalation.

    CVE-2020-11565

    Entropy Moe reported that the shared memory filesystem (tmpfs) did not correctly handle an "mpol" mount option specifying an empty node list, leading to a stack-based out-of-bounds write. If user namespaces are enabled, a local user could use this to cause a denial of service (crash) or possibly for privilege escalation.

    CVE-2020-11884

    Al Viro reported a race condition in memory management code for IBM Z (s390x architecture), that can result in the kernel executing code from the user address space. A local user could use this for privilege escalation.

    For the stable distribution (buster), these problems have been fixed in version 4.19.98-1+deb10u1.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-8

    CVE ID : CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805

    Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, insecure TLS handshakes, bypass of sandbox restrictions or HTTP response splitting attacks.

    For the oldstable distribution (stretch), these problems have been fixed in version 8u252-b09-1~deb9u1.

    We recommend that you upgrade your openjdk-8 packages.

    For the detailed security status of openjdk-8 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-8

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nodejs

    CVE ID : CVE-2019-9511 CVE-2019-9513 CVE-2019-9514 CVE-2019-15604 CVE-2019-15605 CVE-2019-15606

    Multiple vulnerabilities were discovered in Node.js, which could result in denial of service or HTTP request smuggling.

    For the stable distribution (buster), these problems have been fixed in version 10.19.0~dfsg1-1.

    We recommend that you upgrade your nodejs packages.

    For the detailed security status of nodejs please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/nodejs

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tiff

    CVE ID : CVE-2018-12900 CVE-2018-17000 CVE-2018-17100 CVE-2018-19210 CVE-2019-7663 CVE-2019-14973 CVE-2019-17546

    Debian Bug : 902718 908778 909038 913675 934780

    Several vulnerabilities have been found in the TIFF library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.

    For the oldstable distribution (stretch), these problems have been fixed in version 4.0.8-2+deb9u5.

    We recommend that you upgrade your tiff packages.

    For the detailed security status of tiff please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tiff

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : vlc

    CVE ID : CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077 CVE-2020-6078 CVE-2020-6079 CVE-2020-6080

    Multiple security issues were discovered in the microdns plugin of the VLC media player, which could result in denial of service or potentially the execution of arbitrary code via malicious mDNS packets.

    For the oldstable distribution (stretch), these problems have been fixed in version 3.0.10-0+deb9u1. This update disables the microdns plugin.

    For the stable distribution (buster), these problems have been fixed in version 3.0.10-0+deb10u1. This update disables the microdns plugin.

    We recommend that you upgrade your vlc packages.

    For the detailed security status of vlc please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/vlc

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : trafficserver

    CVE ID : CVE-2019-17559 CVE-2019-17565 CVE-2020-1944 CVE-2020-9481

    Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service or request smuggling attacks.

    For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u2.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/trafficserver

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat8

    CVE ID : CVE-2019-17569 CVE-2020-1935 CVE-2020-1938

    Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling and code execution in the AJP connector (disabled by default in Debian).

    For the oldstable distribution (stretch), these problems have been fixed in version 8.5.54-0+deb9u1.

    We recommend that you upgrade your tomcat8 packages.

    For the detailed security status of tomcat8 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tomcat8

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
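    The advisory above notes that the AJP connector is disabled by default in Debian, which is true only as long as nobody uncommented it in server.xml. The following added example (not part of the Debian advisory or of Tomcat's code) parses a server.xml and reports AJP connectors that are actually enabled, then checks the two settings that limit exposure of that connector: the bind address and the `secretRequired`/`secret` attributes Tomcat 8.5.51 introduced. Both server.xml documents below are constructed for illustration; the finding messages and the "all interfaces before 8.5.51" assumption are this example's, not Debian's.

```python
"""Flag enabled AJP connectors in a Tomcat server.xml.

Added example, not taken from the Debian advisory or from Tomcat. Debian ships
server.xml with the AJP connector commented out; this script finds connectors
that were uncommented and checks the hardening attributes available since
Tomcat 8.5.51 (secretRequired/secret) plus the bind address.
The two sample configurations are constructed for illustration.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: pre-8.5.51 style, AJP on all interfaces, no shared secret.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed: Debian's commented-out connector left in place, plus a hardened
# AJP connector bound to loopback and requiring a secret.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-secret"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def ajp_connectors(server_xml):
    """Return the attribute dict of every enabled AJP Connector element.

    ElementTree drops XML comments while parsing, so a connector that Debian
    left commented out (i.e. disabled) is correctly not reported.
    """
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector")
            if c.get("protocol", "HTTP/1.1").upper().startswith("AJP")]


def audit_ajp(server_xml):
    """Return (port, finding) tuples for AJP connectors that are reachable
    beyond loopback or that accept requests without a shared secret."""
    findings = []
    for attrs in ajp_connectors(server_xml):
        port = attrs.get("port", "?")
        address = attrs.get("address")
        # Assumption documented in the lead-in: with no explicit address,
        # Tomcat releases before 8.5.51 bound AJP to all interfaces.
        if address is None or address in ("0.0.0.0", "::"):
            findings.append((port, "AJP connector not bound to a loopback address"))
        elif address not in LOOPBACK:
            findings.append((port, f"AJP connector bound to non-loopback address {address}"))
        if attrs.get("secretRequired", "true").lower() == "false":
            findings.append((port, "secretRequired explicitly disabled"))
        elif not attrs.get("secret"):
            findings.append((port, "no AJP secret configured"))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for port, finding in audit_ajp(doc):
            print(f"{label}: port {port}: {finding}")
```

    To run it against a real host, read /etc/tomcat8/server.xml (the path Debian's tomcat8 package uses) instead of the constructed strings. An empty result means no AJP connector is enabled or the enabled one is loopback-only with a secret; it says nothing about whether the fixed package version is installed, which is the separate check the advisory asks for.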

    • Official post

    Package : roundcube

    CVE ID : CVE-2020-12625 CVE-2020-12626

    Debian Bug : 959140 959142

    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform either a Cross-Site Request Forgery (CSRF) forcing an authenticated user to be logged out, or a Cross-Site Scripting (XSS) leading to execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u4.

    For the stable distribution (buster), these problems have been fixed in version 1.3.11+dfsg.1-1~deb10u1.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/roundcube

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : graphicsmagick

    CVE ID : CVE-2019-12921 CVE-2020-10938

    Several vulnerabilities have been discovered in GraphicsMagick, a set of command-line applications to manipulate image files, which could result in information disclosure, denial of service or the execution of arbitrary code if malformed image files are processed.

    For the oldstable distribution (stretch), these problems have been fixed in version 1.3.30+hg15796-1~deb9u4.

    For the stable distribution (buster), these problems have been fixed in version 1.4+really1.3.35-1~deb10u1.

    We recommend that you upgrade your graphicsmagick packages.

    For the detailed security status of graphicsmagick please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/graphicsmagick

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : salt

    CVE ID : CVE-2019-17361 CVE-2020-11651 CVE-2020-11652

    Debian Bug : 949222 959684

    Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieval of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access for authenticated users or arbitrary code execution on salt-api hosts.

    For the oldstable distribution (stretch), these problems have been fixed in version 2016.11.2+ds-1+deb9u3.

    For the stable distribution (buster), these problems have been fixed in version 2018.3.4+dfsg1-6+deb10u1.

    We recommend that you upgrade your salt packages.

    For the detailed security status of salt please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/salt

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress

    CVE ID : CVE-2019-9787 CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 CVE-2019-16780 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671 CVE-2019-17672 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675 CVE-2019-20041 CVE-2019-20042 CVE-2019-20043 CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030

    Debian Bug : 924546 939543 942459 946905 959391

    Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitization.

    For the oldstable distribution (stretch), these problems have been fixed in version 4.7.5+dfsg-2+deb9u6.

    For the stable distribution (buster), these problems have been fixed in version 5.0.4+dfsg1-1+deb10u2.

    We recommend that you upgrade your wordpress packages.

    For the detailed security status of wordpress please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/wordpress

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 CVE-2020-12395

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.

    For the oldstable distribution (stretch), these problems have been fixed in version 68.8.0esr-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 68.8.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : keystone

    CVE ID : not yet available

    Debian Bug : 959900

    A vulnerability was found in the EC2 credentials API of Keystone, the OpenStack identity service: Any user authenticated within a limited scope (trust/oauth/application credential) could create an EC2 credential with an escalated permission, such as obtaining "admin" while the user is on a limited "viewer" role.

    For the stable distribution (buster), this problem has been fixed in version 2:14.2.0-0+deb10u1.

    We recommend that you upgrade your keystone packages.

    For the detailed security status of keystone please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/keystone

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/