Debian Security Advisory

    • Official post

    Package : ipython


    CVE ID : CVE-2022-21699



    It was discovered that IPython, an enhanced interactive Python shell, executed config files from the current working directory, which could result in cross-user attacks if run from a directory multiple users may write to.



    For the oldstable distribution (buster), this problem has been fixed in version 5.8.0-1+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 7.20.0-1+deb11u1.



    We recommend that you upgrade your ipython packages.



    For the detailed security status of ipython please refer to its security tracker page at:


    Information on source package ipython



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
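    A defensive check for the situation the advisory describes, added as an illustration here (it is neither part of the advisory nor IPython's own code): before a config file found in the working directory is honoured, both the directory and the file must be owned by the invoking user or root and writable by nobody else, and the file must be a regular file rather than a symlink. The file name ipython_config.py and the two sample directories are constructed for the demo.

```python
import os
import stat
import tempfile


def _owned_and_private(st: os.stat_result) -> bool:
    # Owned by the invoking user or root, and not writable by group or others.
    return st.st_uid in (os.getuid(), 0) and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)


def config_file_is_trusted(cfg_path: str) -> bool:
    """True only if no other local user could have planted or edited cfg_path.

    Both the containing directory and the file itself must pass
    _owned_and_private; symlinks are rejected so a link planted in a shared
    directory cannot point the loader at a file controlled by someone else.
    """
    directory = os.path.dirname(os.path.abspath(cfg_path))
    try:
        dir_st = os.stat(directory)
        file_st = os.lstat(cfg_path)  # lstat: do not follow symlinks
    except FileNotFoundError:
        return False
    if not stat.S_ISDIR(dir_st.st_mode) or not _owned_and_private(dir_st):
        return False
    if not stat.S_ISREG(file_st.st_mode):  # excludes symlinks, FIFOs, devices
        return False
    return _owned_and_private(file_st)


def demo() -> dict:
    """Constructed scenario: a private directory versus a /tmp-like shared one.

    Returns which of three candidate config files the check would accept.
    """
    results = {}
    with tempfile.TemporaryDirectory() as private, tempfile.TemporaryDirectory() as shared:
        os.chmod(private, 0o700)
        os.chmod(shared, 0o1777)  # sticky and world-writable, like /tmp
        for d, label in ((private, "private"), (shared, "shared")):
            cfg = os.path.join(d, "ipython_config.py")  # file name assumed
            with open(cfg, "w") as f:
                f.write("# constructed sample config\n")
            os.chmod(cfg, 0o600)
            results[label] = config_file_is_trusted(cfg)
        # A group/world-writable file is untrusted even inside a private directory.
        loose = os.path.join(private, "loose_config.py")
        open(loose, "w").close()
        os.chmod(loose, 0o666)
        results["private_loose_file"] = config_file_is_trusted(loose)
    return results


if __name__ == "__main__":
    print(demo())  # {'private': True, 'shared': False, 'private_loose_file': False}
```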

    • Official post

    Package : ruby2.5


    CVE ID : CVE-2021-28965 CVE-2021-31799 CVE-2021-31810 CVE-2021-41817 CVE-2021-41819 CVE-2021-32066



    Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in XML roundtrip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP or denial of service.



    For the oldstable distribution (buster), these problems have been fixed in version 2.5.5-3+deb10u4.



    We recommend that you upgrade your ruby2.5 packages.



    For the detailed security status of ruby2.5 please refer to its security tracker page at:


    Information on source package ruby2.5



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby2.7


    CVE ID : CVE-2021-41816 CVE-2021-41817 CVE-2021-41819



    Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in information disclosure or denial of service.



    For the stable distribution (bullseye), these problems have been fixed in version 2.7.4-1+deb11u1.



    We recommend that you upgrade your ruby2.7 packages.



    For the detailed security status of ruby2.7 please refer to its security tracker page at:


    Information on source package ruby2.7



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium


    CVE ID : CVE-2022-0452 CVE-2022-0453 CVE-2022-0454 CVE-2022-0455 CVE-2022-0456 CVE-2022-0457 CVE-2022-0458 CVE-2022-0459 CVE-2022-0460 CVE-2022-0461 CVE-2022-0462 CVE-2022-0463 CVE-2022-0464 CVE-2022-0465 CVE-2022-0466 CVE-2022-0467 CVE-2022-0468 CVE-2022-0469 CVE-2022-0470



    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.



    For the stable distribution (bullseye), these problems have been fixed in version 98.0.4758.80-1~deb11u1.



    We recommend that you upgrade your chromium packages.



    For the detailed security status of chromium please refer to its security tracker page at:


    Information on source package chromium



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr


    CVE ID : CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764



    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.



    For the oldstable distribution (buster), these problems have been fixed in version 91.6.0esr-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 91.6.0esr-1~deb11u1.



    We recommend that you upgrade your firefox-esr packages.



    For the detailed security status of firefox-esr please refer to its security tracker page at:


    Information on source package firefox-esr



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cryptsetup


    CVE ID : CVE-2021-4122


    Debian Bug : 1003686 949336



    CVE-2021-4122

    Milan Broz, its maintainer, discovered an issue in cryptsetup, the disk encryption configuration tool for Linux.

    LUKS2 (an on-disk format) online reencryption is an optional extension to allow a user to change the data reencryption key while the data device is available for use during the whole reencryption process.

    An attacker can modify on-disk metadata to simulate decryption in progress with crashed (unfinished) reencryption step and persistently decrypt part of the LUKS2 device (LUKS1 devices are indirectly affected as well, see below).

    This attack requires repeated physical access to the LUKS2 device but no knowledge of user passphrases.

    The decryption step is performed after a valid user activates the device with a correct passphrase and modified metadata.

    The size of possible decrypted data per attack step depends on configured LUKS2 header size (metadata size is configurable for LUKS2). With the default LUKS2 parameters (16 MiB header) and only one allocated keyslot (512 bit key for AES-XTS), simulated decryption with checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks), the maximal decrypted size can be over 3 GiB.

    The attack is not applicable to LUKS1 format, but the attacker can update metadata in place to LUKS2 format as an additional step. For such a converted LUKS2 header, the keyslot area is limited to decrypted size (with SHA1 checksums) over 300 MiB.

    LUKS devices that were formatted using a cryptsetup binary from Debian Stretch or earlier are using LUKS1. However, since Debian Buster the default on-disk LUKS format version is LUKS2. In particular, encrypted devices formatted by the Debian Buster and Bullseye installers are using LUKS2 by default.



    Key truncation in dm-integrity

    This update additionally fixes a key truncation issue for standalone dm-integrity devices using HMAC integrity protection. For existing such devices with extra long HMAC keys (typically >106 bytes of length), one might need to manually truncate the key using integritysetup(8)'s `--integrity-key-size` option in order to properly map the device under 2:2.3.7-1+deb11u1 and later.

    Only standalone dm-integrity devices are affected. dm-crypt devices, including those using authenticated disk encryption, are unaffected.



    For the oldstable distribution (buster), this problem is not present.



    For the stable distribution (bullseye), this problem has been fixed in version 2:2.3.7-1+deb11u1.



    We recommend that you upgrade your cryptsetup packages.



    For the detailed security status of cryptsetup please refer to its security tracker page at:


    Information on source package cryptsetup



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : samba


    CVE ID : CVE-2021-44142 CVE-2022-0336


    Debian Bug : 1001068 1004693 1004694



    Several vulnerabilities were discovered in Samba, a SMB/CIFS file, print, and login server for Unix.



    CVE-2021-44142

    Orange Tsai reported an out-of-bounds heap write vulnerability in the VFS module vfs_fruit, which could result in remote execution of arbitrary code as root.

    CVE-2022-0336

    Kees van Vloten reported that Samba AD users with permission to write to an account can impersonate arbitrary services.



    For the oldstable distribution (buster), these problems have been fixed in version 2:4.9.5+dfsg-5+deb10u3. As per DSA 5015-1, CVE-2022-0336 has not been addressed for the oldstable distribution (buster).



    For the stable distribution (bullseye), these problems have been fixed in version 2:4.13.13+dfsg-1~deb11u3. Additionally, some followup fixes for CVE-2020-25717 are included in this update (Cf. #1001068).



    We recommend that you upgrade your samba packages.



    For the detailed security status of samba please refer to its security tracker page at:


    Information on source package samba



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : debian-edu-config


    CVE ID : CVE-2021-20001



    Marcel Neumann, Robert Altschaffel, Loris Guba and Dustin Hermann discovered that debian-edu-config, a set of configuration files used for the Debian Edu blend, configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.



    If PHP functionality is needed for the user web shares, please refer to /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI+suExec.md



    For the oldstable distribution (buster), this problem has been fixed in version 2.10.65+deb10u8.



    For the stable distribution (bullseye), this problem has been fixed in version 2.11.56+deb11u3.



    We recommend that you upgrade your debian-edu-config packages.



    For the detailed security status of debian-edu-config please refer to its security tracker page at:


    Information on source package debian-edu-config



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : expat


    CVE ID : CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990


    Debian Bug : 1002994 1003474



    Several vulnerabilities have been discovered in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.



    For the oldstable distribution (buster), these problems have been fixed in version 2.2.6-2+deb10u2.



    For the stable distribution (bullseye), these problems have been fixed in version 2.2.10-2+deb11u1.



    We recommend that you upgrade your expat packages.



    For the detailed security status of expat please refer to its security tracker page at:


    Information on source package expat



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird


    CVE ID : CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764



    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.



    For the oldstable distribution (buster), these problems have been fixed in version 1:91.6.0-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 1:91.6.0-1~deb11u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : minetest


    CVE ID : CVE-2022-24300 CVE-2022-24301


    Debian Bug : 1004223



    Several vulnerabilities have been discovered in Minetest, a sandbox video game and game creation system. These issues may allow attackers to manipulate game mods and grant them an unfair advantage over other players. These flaws could also be abused for a denial of service attack against a Minetest server or if user input is passed directly to minetest.deserialize without serializing it first, then a malicious user could run Lua code in the server environment.



    For the oldstable distribution (buster), these problems have been fixed in version 0.4.17.1+repack-1+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 5.3.0+repack-2.1+deb11u1.



    We recommend that you upgrade your minetest packages.



    For the detailed security status of minetest please refer to its security tracker page at:


    Information on source package minetest



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : h2database


    CVE ID : CVE-2021-42392 CVE-2022-23221


    Debian Bug : 1003894



    Security researchers of JFrog Security and Ismail Aydemir discovered two remote code execution vulnerabilities in the H2 Java SQL database engine which can be exploited through various attack vectors, most notably through the H2 Console and by loading custom classes from remote servers through JNDI. The H2 console is a developer tool and not required by any reverse-dependency in Debian. It has been disabled in (old)stable releases. Database developers are advised to use at least version 2.1.210-1, currently available in Debian unstable.



    For the oldstable distribution (buster), these problems have been fixed in version 1.4.197-4+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 1.4.197-4+deb11u1.



    We recommend that you upgrade your h2database packages.



    For the detailed security status of h2database please refer to its security tracker page at:


    Information on source package h2database



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : librecad


    CVE ID : CVE-2021-21898 CVE-2021-21899 CVE-2021-21900 CVE-2021-45341 CVE-2021-45342 CVE-2021-45343


    Debian Bug : 1004518



    Multiple security issues were discovered in LibreCAD, an application for computer aided design (CAD) which could result in denial of service or the execution of arbitrary code if a malformed CAD file is opened.



    For the oldstable distribution (buster), these problems have been fixed in version 2.1.3-1.2+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 2.1.3-1.3+deb11u1.



    We recommend that you upgrade your librecad packages.



    For the detailed security status of librecad please refer to its security tracker page at:


    Information on source package librecad



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : zsh


    CVE ID : CVE-2021-45444



    It was discovered that zsh, a powerful shell and scripting language, did not prevent recursive prompt expansion. This would allow an attacker to execute arbitrary commands into a user's shell, for instance by tricking a vcs_info user into checking out a git branch with a specially crafted name.



    For the oldstable distribution (buster), this problem has been fixed in version 5.7.1-1+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 5.8-6+deb11u1.



    We recommend that you upgrade your zsh packages.



    For the detailed security status of zsh please refer to its security tracker page at:


    Information on source package zsh



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium


    CVE ID : CVE-2022-0603 CVE-2022-0604 CVE-2022-0605 CVE-2022-0606 CVE-2022-0607 CVE-2022-0608 CVE-2022-0609 CVE-2022-0610


    Debian Bug : 954824 970571 1005230 1005466



    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.



    For the stable distribution (bullseye), these problems have been fixed in version 98.0.4758.102-1~deb11u1.



    We recommend that you upgrade your chromium packages.



    For the detailed security status of chromium please refer to its security tracker page at:


    Information on source package chromium



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : snapd


    CVE ID : CVE-2021-44730 CVE-2021-44731



    Multiple vulnerabilities were discovered in snapd, a daemon and tooling that enable Snap packages, which could result in bypass of access restrictions or privilege escalation.



    For the oldstable distribution (buster), these problems have been fixed in version 2.37.4-1+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 2.49-1+deb11u1.



    We recommend that you upgrade your snapd packages.



    For the detailed security status of snapd please refer to its security tracker page at:


    Information on source package snapd



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : redis


    CVE ID : CVE-2022-0543


    Debian Bug : 1005787



    Reginaldo Silva discovered a (Debian-specific) Lua sandbox escape in Redis, a persistent key-value database.



    For the oldstable distribution (buster), this problem has been fixed in version 5:5.0.14-1+deb10u2.



    For the stable distribution (bullseye), this problem has been fixed in version 5:6.0.16-1+deb11u2.



    We recommend that you upgrade your redis packages.



    For the detailed security status of redis please refer to its security tracker page at:


    Information on source package redis



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.4


    CVE ID : CVE-2021-21707 CVE-2021-21708



    Two security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure or denial of service.



    For the stable distribution (bullseye), these problems have been fixed in version 7.4.28-1+deb11u1.



    We recommend that you upgrade your php7.4 packages.



    For the detailed security status of php7.4 please refer to its security tracker page at:


    Information on source package php7.4



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk


    CVE ID : CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 CVE-2022-22620



    The following vulnerabilities have been discovered in the WebKitGTK web engine:



    CVE-2022-22589

    Heige and Bo Qu discovered that processing a maliciously crafted mail message may lead to running arbitrary javascript.

    CVE-2022-22590

    Toan Pham discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-22592

    Prakash discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.

    CVE-2022-22620

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.



    For the oldstable distribution (buster), these problems have been fixed in version 2.34.6-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 2.34.6-1~deb11u1.



    We recommend that you upgrade your webkit2gtk packages.



    For the detailed security status of webkit2gtk please refer to its security tracker page at:


    Information on source package webkit2gtk



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit


    CVE ID : CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 CVE-2022-22620



    The following vulnerabilities have been discovered in the WPE WebKit web engine:



    CVE-2022-22589

    Heige and Bo Qu discovered that processing a maliciously crafted mail message may lead to running arbitrary javascript.

    CVE-2022-22590

    Toan Pham discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-22592

    Prakash discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.

    CVE-2022-22620

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.



    For the stable distribution (bullseye), these problems have been fixed in version 2.34.6-1~deb11u1.



    We recommend that you upgrade your wpewebkit packages.



    For the detailed security status of wpewebkit please refer to its security tracker page at:


    Information on source package wpewebkit



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/