Debian Security Advisory

    • Official post

    Package : htmldoc

    CVE ID : CVE-2021-23158 CVE-2021-23165 CVE-2021-23180 CVE-2021-23191 CVE-2021-23206 CVE-2021-26252 CVE-2021-26259 CVE-2021-26948


    A buffer overflow was discovered in HTMLDOC, an HTML processor that generates indexed HTML, PS, and PDF, which could potentially result in the execution of arbitrary code. In addition a number of crashes were addressed.


    For the stable distribution (buster), these problems have been fixed in version 1.9.3-1+deb10u2.


    We recommend that you upgrade your htmldoc packages.


    For the detailed security status of htmldoc please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/htmldoc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : rails

    CVE ID : CVE-2021-22880 CVE-2021-22885 CVE-2021-22904

    Debian Bug : 988214


    Multiple security issues were discovered in the Rails web framework which could result in denial of service.


    For the stable distribution (buster), these problems have been fixed in version 2:5.2.2.1+dfsg-1+deb10u3.


    We recommend that you upgrade your rails packages.


    For the detailed security status of rails please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/rails


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2021-0089 CVE-2021-26313 CVE-2021-28690 CVE-2021-28692


    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service or information leaks.


    For the stable distribution (buster), these problems have been fixed in version 4.11.4+107-gef32c7afa2-1.


    We recommend that you upgrade your xen packages.


    For the detailed security status of xen please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xen


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tor

    CVE ID : CVE-2021-34548 CVE-2021-34549 CVE-2021-34550

    Debian Bug : 990000


    Multiple security vulnerabilities were discovered in Tor, a connection-based low-latency anonymous communication system, which could result in denial of service or spoofing.


    For the stable distribution (buster), these problems have been fixed in version 0.3.5.15-1.


    We recommend that you upgrade your tor packages.


    For the detailed security status of tor please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nettle

    CVE ID : CVE-2021-3580 CVE-2021-20305

    Debian Bug : 985652 989631


    Multiple vulnerabilities were discovered in nettle, a low level cryptographic library, which could result in denial of service (remote crash in RSA decryption via specially crafted ciphertext, crash on ECDSA signature verification) or incorrect verification of ECDSA signatures.


    For the stable distribution (buster), these problems have been fixed in version 3.4.1-1+deb10u1.


    We recommend that you upgrade your nettle packages.


    For the detailed security status of nettle please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/nettle


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : intel-microcode

    CVE ID : CVE-2020-24489 CVE-2020-24511 CVE-2020-24512 CVE-2020-24513


    This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities which could result in privilege escalation in combination with VT-d and various side channel attacks.


    For the stable distribution (buster), these problems have been fixed in version 3.20210608.2~deb10u1.


    Note that there are two reported regressions: for some CoffeeLake CPUs this update may break iwlwifi

    (https://github.com/intel/Intel-Li…Files/issues/56)

    and for some Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS, the system may hang on boot:

    (https://github.com/intel/Intel-Li…Files/issues/31)


    If you are affected by those issues, you can recover by disabling microcode loading on boot, as documented in README.Debian (also available online at

    https://salsa.debian.org/hmh/intel-micr…/README.Debian).


    We recommend that you upgrade your intel-microcode packages.


    For the detailed security status of intel-microcode please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/intel-microcode


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.3

    CVE ID : CVE-2021-21704 CVE-2021-21705


    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in an SSRF bypass of the FILTER_VALIDATE_URL check, and in denial of service or potentially the execution of arbitrary code in the Firebird PDO driver.


    For the stable distribution (buster), these problems have been fixed in version 7.3.29-1~deb10u1.


    We recommend that you upgrade your php7.3 packages.


    For the detailed security status of php7.3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php7.3


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libuv1

    CVE ID : CVE-2021-22918

    Debian Bug : 990561


    An out-of-bounds read was discovered in the uv__idna_to_ascii() function of Libuv, an asynchronous event notification library, which could result in denial of service or information disclosure.


    For the stable distribution (buster), this problem has been fixed in version 1.24.1-1+deb10u1.


    We recommend that you upgrade your libuv1 packages.


    For the detailed security status of libuv1 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libuv1


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache2

    CVE ID : CVE-2020-35452 CVE-2021-26690 CVE-2021-26691 CVE-2021-30641 CVE-2021-31618


    Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition the implementation of the MergeSlashes option could result in unexpected behaviour.


    For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u5.


    We recommend that you upgrade your apache2 packages.


    For the detailed security status of apache2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/apache2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linuxptp

    CVE ID : CVE-2021-3570

    Debian Bug : 990748


    Miroslav Lichvar reported that the ptp4l program in linuxptp, an implementation of the Precision Time Protocol (PTP), does not validate the messageLength field of incoming messages, allowing a remote attacker to cause a denial of service, information leak, or potentially remote code execution.


    For the stable distribution (buster), this problem has been fixed in version 1.9.2-1+deb10u1.


    We recommend that you upgrade your linuxptp packages.


    For the detailed security status of linuxptp please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/linuxptp


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
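    The check the advisory describes, as an added example that is not linuxptp's own code: a PTPv2 common-header validator that refuses to trust messageLength until it has been compared against the byte count the socket actually delivered. The constant PTP_MAX_LEN, the per-type minimum lengths (taken from the IEEE 1588-2008 message layouts) and the sample datagrams are this example's own assumptions and constructed data, not anything from the advisory or the linuxptp source.

```c
/* Added example, not linuxptp's code: validate a PTPv2 common header before any
 * field beyond it, and in particular messageLength, is trusted. */
#include <stddef.h>
#include <stdint.h>

#define PTP_HDR_LEN 34u      /* IEEE 1588-2008 common header size in bytes */
#define PTP_MAX_LEN 1500u    /* assumption: largest datagram this receiver accepts */

enum ptp_verdict { PTP_OK = 0, PTP_SHORT = -1, PTP_BAD_VER = -2,
                   PTP_BAD_LEN = -3, PTP_BAD_TYPE = -4 };

/* Minimum total length (header plus fixed body) per messageType, from the
 * IEEE 1588-2008 message layouts; 0 marks a reserved/unknown type. */
static uint16_t ptp_min_len(uint8_t type)
{
    switch (type) {
    case 0x0: case 0x1: case 0x8:  return PTP_HDR_LEN + 10; /* Sync, Delay_Req, Follow_Up: Timestamp */
    case 0xC:                      return PTP_HDR_LEN + 10; /* Signaling: targetPortIdentity */
    case 0x2:                      return PTP_HDR_LEN + 20; /* Pdelay_Req: Timestamp + reserved */
    case 0x3: case 0x9: case 0xA:  return PTP_HDR_LEN + 20; /* Pdelay_Resp, Delay_Resp, Pdelay_Resp_Follow_Up */
    case 0xB:                      return PTP_HDR_LEN + 30; /* Announce */
    case 0xD:                      return PTP_HDR_LEN + 14; /* Management: target, hops, action */
    default:                       return 0;
    }
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check a datagram of 'cnt' bytes in 'buf'. Only after PTP_OK may messageLength
 * be used as a bound for body parsing or TLV walking. */
int ptp_check(const uint8_t *buf, size_t cnt)
{
    if (cnt < PTP_HDR_LEN)
        return PTP_SHORT;                 /* the header itself is incomplete */
    if ((buf[1] & 0x0f) != 2)
        return PTP_BAD_VER;               /* versionPTP nibble */
    uint16_t need = ptp_min_len(buf[0] & 0x0f);   /* messageType nibble */
    if (need == 0)
        return PTP_BAD_TYPE;
    uint16_t ml = be16(buf + 2);          /* messageLength, attacker-controlled */
    /* The unchecked pattern trusts ml from here on; with ml > cnt every later
     * read up to buf + ml runs past the receive buffer. */
    if (ml < need || ml > cnt || ml > PTP_MAX_LEN)
        return PTP_BAD_LEN;
    return PTP_OK;
}

/* Bytes of TLV suffix that follow the fixed body; 0 unless the header checked out. */
size_t ptp_tlv_bytes(const uint8_t *buf, size_t cnt)
{
    if (ptp_check(buf, cnt) != PTP_OK)
        return 0;
    return (size_t)(be16(buf + 2) - ptp_min_len(buf[0] & 0x0f));
}

/* Constructed sample datagrams (not captured traffic); unlisted bytes are zero. */
static const uint8_t sync_ok[44]   = { 0x00, 0x02, 0x00, 0x2c };  /* Sync, v2, length 44 */
static const uint8_t sync_lied[44] = { 0x00, 0x02, 0xff, 0xff };  /* claims 65535 bytes */
static const uint8_t truncated[20] = { 0x00, 0x02, 0x00, 0x2c };  /* header cut short */
static const uint8_t signaling[60] = { 0x0c, 0x02, 0x00, 0x3c };  /* Signaling, 16 TLV bytes */

int main(void)
{
    return (ptp_check(sync_ok, sizeof sync_ok) == PTP_OK &&
            ptp_check(sync_lied, sizeof sync_lied) == PTP_BAD_LEN &&
            ptp_check(truncated, sizeof truncated) == PTP_SHORT &&
            ptp_tlv_bytes(signaling, sizeof signaling) == 16) ? 0 : 1;
}
```

    The order of the comparisons matters: messageLength is only compared against the received count after the header is known to be complete, and any TLV walker must take its bound from ptp_tlv_bytes() rather than from the raw field, otherwise a datagram that claims more bytes than arrived turns every subsequent read into an out-of-bounds read.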

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-29970 CVE-2021-29976 CVE-2021-30547


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the stable distribution (buster), these problems have been fixed in version 78.12.0esr-1~deb10u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-29969 CVE-2021-29970 CVE-2021-29976 CVE-2021-30547


    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.


    For the stable distribution (buster), these problems have been fixed in version 1:78.12.0-1~deb10u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2020-36311 CVE-2021-3609 CVE-2021-33909 CVE-2021-34693


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2020-36311

    A flaw was discovered in the KVM subsystem for AMD CPUs, allowing an attacker to cause a denial of service by triggering destruction of a large SEV VM.

    CVE-2021-3609

    Norbert Slusarek reported a race condition vulnerability in the CAN BCM networking protocol, allowing a local attacker to escalate privileges.

    CVE-2021-33909

    The Qualys Research Labs discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer. An unprivileged local attacker able to create, mount, and then delete a deep directory structure whose total path length exceeds 1GB, can take advantage of this flaw for privilege escalation.

    Details can be found in the Qualys advisory at

    https://www.qualys.com/2021/07/20/cve…ation-linux.txt

    CVE-2021-34693

    Norbert Slusarek discovered an information leak in the CAN BCM networking protocol. A local attacker can take advantage of this flaw to obtain sensitive information from kernel stack memory.


    For the stable distribution (buster), these problems have been fixed in version 4.19.194-3.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
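    The size_t-to-int conversion class behind CVE-2021-33909, as an added example: a constructed model of a growable output buffer (not the kernel's seq_file code and not the Qualys proof of concept) in which the same bounds decision is made once with an int cursor and once in size_t. No buffer is allocated; the functions only report where a write would land, which is enough to see the int version hand back a negative offset once the cursor has passed 2^31. The buffer sizes and OFF_REJECT convention are this example's assumptions.

```c
/* Added example: a constructed model of a growable output buffer, not the kernel's
 * seq_file code. Nothing is allocated; each function only reports the offset at
 * which a write of 'len' bytes would land, or OFF_REJECT. */
#include <limits.h>
#include <stddef.h>

struct outbuf { size_t size; size_t count; };   /* capacity and bytes already used */

#define OFF_REJECT (-1LL)

/* Narrowing variant: the cursor passes through an int, the size_t-to-int
 * conversion class the advisory names. Once count reaches 2^31 the cursor turns
 * negative, 'room' looks generous, and the caller is pointed at buf + pos, which
 * lies before the start of the buffer. */
long long next_offset_narrowed(const struct outbuf *b, size_t len)
{
    int pos  = (int)b->count;            /* wraps for count >= 2^31 */
    int room = (int)b->size - pos;       /* assumption: no signed overflow for the inputs used here */
    if (len > (size_t)INT_MAX || (int)len > room)
        return OFF_REJECT;
    return pos;
}

/* Checked variant: stay in size_t and test with a subtraction that cannot wrap,
 * so the result is either the exact offset or a refusal. */
long long next_offset_checked(const struct outbuf *b, size_t len)
{
    if (b->count > b->size || len > b->size - b->count)
        return OFF_REJECT;
    if (b->count > (size_t)LLONG_MAX)
        return OFF_REJECT;               /* cannot even be reported as an offset */
    return (long long)b->count;
}

/* Constructed states (assumption, not measured): a small buffer, and one that has
 * doubled to 4 GiB with the cursor just past the 2^31 boundary. */
static const struct outbuf small_buf = { 4096, 100 };
static const struct outbuf huge_buf  = { 4294967296ULL, 2147487744ULL };

int main(void)
{
    long long bad  = next_offset_narrowed(&huge_buf, 16);   /* negative: write lands before buf */
    long long good = next_offset_checked(&huge_buf, 16);    /* 2147487744: the real offset */
    return (bad < 0 && bad != OFF_REJECT && good == 2147487744LL &&
            next_offset_narrowed(&small_buf, 16) == 100) ? 0 : 1;
}
```

    Note that the narrowed version does not fail loudly: it accepts the write and returns a negative cursor, so the bug surfaces as memory corruption rather than as an error. An explicit cast like the one in next_offset_narrowed() also silences -Wconversion, so that warning only helps against implicit narrowing.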

    • Official post

    Package : systemd

    CVE ID : CVE-2021-33910


    The Qualys Research Labs discovered that an attacker-controlled allocation using the alloca() function could result in memory corruption, allowing an attacker to crash systemd and hence the entire operating system.


    Details can be found in the Qualys advisory at https://www.qualys.com/2021/07/20/cve…ice-systemd.txt


    For the stable distribution (buster), this problem has been fixed in version 241-7~deb10u8.


    We recommend that you upgrade your systemd packages.


    For the detailed security status of systemd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/systemd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
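    The allocation pattern at issue, as an added example rather than systemd's code: a caller-controlled string length must not flow unchecked into alloca(), because the stack, unlike the heap, has no failure path, and in PID 1 a stack fault takes the machine with it. The limits STACK_LIMIT and INPUT_LIMIT and the simplified path-escaping rules are this example's assumptions, not systemd's real unit-name escaping.

```c
/* Added example, not systemd's code: a caller-controlled length must not reach
 * alloca() unchecked. The stack has no failure path, so a large request faults
 * the process, and in PID 1 that takes the system down with it. */
#include <alloca.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define STACK_LIMIT 4096u               /* assumption: most bytes we will alloca() */
#define INPUT_LIMIT (1024u * 1024u)     /* assumption: refuse inputs above 1 MiB outright */

static char result[INPUT_LIMIT + 1];    /* last escaped path, for escape_last() */

/* Simplified escaping on a mutable copy (in the spirit of unit-name escaping but
 * not systemd's real rules): strip trailing '/', drop the leading '/', turn the
 * remaining '/' into '-'. Needing a mutable copy is what tempts code into strdupa(). */
static void escape_in_place(char *s)
{
    size_t len = strlen(s);
    while (len > 1 && s[len - 1] == '/')
        s[--len] = '\0';
    size_t start = (s[0] == '/') ? 1 : 0;
    for (size_t i = start; i < len; i++)
        if (s[i] == '/')
            s[i] = '-';
    memmove(s, s + start, len - start + 1);
}

/* Returns 0 if the scratch copy lived on the stack, 1 if it went to the heap,
 * or a negative errno if the input was refused. Result via escape_last(). */
int escape_path(const char *path)
{
    size_t len = strlen(path);
    if (len > INPUT_LIMIT)
        return -ENAMETOOLONG;            /* decided before any allocation happens */

    int on_heap = (len + 1 > STACK_LIMIT);
    char *scratch;
    if (on_heap) {
        scratch = malloc(len + 1);       /* the heap can say no; the stack cannot */
        if (!scratch)
            return -ENOMEM;
    } else {
        scratch = alloca(len + 1);       /* bounded by STACK_LIMIT, so this is fine */
    }
    memcpy(scratch, path, len + 1);      /* the vulnerable shape is strdupa(path) with no bound */
    escape_in_place(scratch);
    strcpy(result, scratch);             /* escaping never grows the string */
    if (on_heap)
        free(scratch);
    return on_heap;
}

const char *escape_last(void) { return result; }

/* Builds a constructed path of 'segments' "/a" pieces and escapes it. */
int escape_demo_long(size_t segments)
{
    if (segments > INPUT_LIMIT)          /* keep the demo's own buffer bounded too */
        return -ENAMETOOLONG;
    size_t len = 2 * segments;
    char *p = malloc(len + 1);
    if (!p)
        return -ENOMEM;
    for (size_t i = 0; i < segments; i++) {
        p[2 * i] = '/';
        p[2 * i + 1] = 'a';
    }
    p[len] = '\0';
    int rc = escape_path(p);
    free(p);
    return rc;
}

int main(void)
{
    return (escape_path("/home/user/") == 0 && strcmp(escape_last(), "home-user") == 0 &&
            escape_demo_long(20000) == 1 && escape_demo_long(600000) == -ENAMETOOLONG) ? 0 : 1;
}
```

    The two decisions are deliberately separate: the hard INPUT_LIMIT rejects absurd input before anything is allocated, and STACK_LIMIT decides stack versus heap for what remains. A 40000-byte path in the demo goes to the heap and succeeds; a 1.2 MB one is refused without ever touching alloca().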

    • Official post

    Package : lemonldap-ng

    CVE ID : CVE-2021-35472


    Several vulnerabilities were discovered in lemonldap-ng, a Web-SSO system. The flaws could result in information disclosure or authentication bypass, or could allow an attacker to raise their authentication level or impersonate another user, especially when lemonldap-ng is configured to increase the authentication level for users authenticated via a second factor.


    For the stable distribution (buster), these problems have been fixed in version 2.0.2+ds-7+deb10u6.


    We recommend that you upgrade your lemonldap-ng packages.


    For the detailed security status of lemonldap-ng please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lemonldap-ng


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : krb5

    CVE ID : CVE-2021-36222

    Debian Bug : 991365


    It was discovered that the Key Distribution Center (KDC) in krb5, the MIT implementation of Kerberos, is prone to a NULL pointer dereference flaw. An unauthenticated attacker can take advantage of this flaw to cause a denial of service (KDC crash) by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST.


    For the stable distribution (buster), this problem has been fixed in version 1.17-3+deb10u2.


    We recommend that you upgrade your krb5 packages.


    For the detailed security status of krb5 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/krb5


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2021-21775 CVE-2021-21779 CVE-2021-30663 CVE-2021-30665 CVE-2021-30689 CVE-2021-30720 CVE-2021-30734 CVE-2021-30744 CVE-2021-30749 CVE-2021-30758 CVE-2021-30795 CVE-2021-30797 CVE-2021-30799


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2021-21775

    Marcin Towalski discovered that a specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.

    CVE-2021-21779

    Marcin Towalski discovered that a specially crafted web page can lead to a potential information leak and further memory corruption. In order to trigger the vulnerability, a victim must be tricked into visiting a malicious webpage.

    CVE-2021-30663

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2021-30665

    yangkang discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

    CVE-2021-30689

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

    CVE-2021-30720

    David Schutz discovered that a malicious website may be able to access restricted ports on arbitrary servers.

    CVE-2021-30734

    Jack Dates discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2021-30744

    Dan Hite discovered that processing maliciously crafted web content may lead to universal cross site scripting.

    CVE-2021-30749

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2021-30758

    Christoph Guttandin discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2021-30795

    Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2021-30797

    Ivan Fratric discovered that processing maliciously crafted web content may lead to code execution.

    CVE-2021-30799

    Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    For the stable distribution (buster), these problems have been fixed in version 2.32.3-1~deb10u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2021-2341 CVE-2021-2369 CVE-2021-2388


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in bypass of sandbox restrictions, incorrect validation of signed Jars or information disclosure.


    For the stable distribution (buster), these problems have been fixed in version 11.0.12+7-2~deb10u1.


    We recommend that you upgrade your openjdk-11 packages.


    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libsndfile

    CVE ID : CVE-2021-3246

    Debian Bug : 991496


    Andrea Fioraldi discovered a buffer overflow in libsndfile, a library for reading/writing audio files, which could result in denial of service or potentially the execution of arbitrary code when processing a malformed audio file.


    For the stable distribution (buster), this problem has been fixed in version 1.0.28-6+deb10u1.


    We recommend that you upgrade your libsndfile packages.


    For the detailed security status of libsndfile please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libsndfile


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : aspell

    CVE ID : CVE-2019-17544 CVE-2019-25051

    Debian Bug : 991307


    A buffer overflow was discovered in the Aspell spell checker, which could result in the execution of arbitrary code.


    For the stable distribution (buster), these problems have been fixed in version 0.60.7~20110707-6+deb10u1.


    We recommend that you upgrade your aspell packages.


    For the detailed security status of aspell please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/aspell


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/