Debian Security Advisory

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2019-17026 CVE-2019-17024 CVE-2019-17022 CVE-2019-17017 CVE-2019-17016

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, data exfiltration or cross-site scripting.

    For the oldstable distribution (stretch), this problem has been fixed in version 68.4.1esr-1~deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 68.4.1esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ldm

    CVE ID : not yet available

    It was discovered that a hook script of ldm, the display manager for the Linux Terminal Server Project, incorrectly parsed responses from an SSH server, which could result in local root privilege escalation.

    For the oldstable distribution (stretch), this problem has been fixed in version 2:2.2.18-2+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 2:2.18.06-1+deb10u1.

    We recommend that you upgrade your ldm packages.

    For the detailed security status of ldm please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ldm

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2019-17349 CVE-2019-17350 CVE-2019-18420 CVE-2019-18421 CVE-2019-18422 CVE-2019-18423 CVE-2019-18424 CVE-2019-18425 CVE-2019-19577 CVE-2019-19578 CVE-2019-19579 CVE-2019-19580 CVE-2019-19581 CVE-2019-19582 CVE-2019-19583 CVE-2018-12207 CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091 CVE-2019-11135 CVE-2019-17348 CVE-2019-17347 CVE-2019-17346 CVE-2019-17345 CVE-2019-17344 CVE-2019-17343 CVE-2019-17342 CVE-2019-17341 CVE-2019-17340

    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks.

    In addition this update provides mitigations for the "TSX Asynchronous Abort" speculative side channel attack. For additional information please refer to https://xenbits.xen.org/xsa/advisory-305.html

    For the oldstable distribution (stretch), these problems have been fixed in version 4.8.5.final+shim4.10.4-1+deb9u12. Note that this will be the last security update for Xen in the oldstable distribution; upstream support for the 4.8.x branch ended by the end of December 2019. If you rely on security support for your Xen installation an update to the stable distribution (buster) is recommended.

    For the stable distribution (buster), these problems have been fixed in version 4.11.3+24-g14b62ab3e5-1~deb10u1.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xen

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2019-17016 CVE-2019-17017 CVE-2019-17022 CVE-2019-17024 CVE-2019-17026

    Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code or information disclosure.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.4.1-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 1:68.4.1-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cacti

    CVE ID : CVE-2019-16723 CVE-2019-17357 CVE-2019-17358

    Debian Bug : 947374 947375 941036

    Multiple issues have been found in cacti, a server monitoring system, potentially resulting in SQL code execution or information disclosure by authenticated users.

    CVE-2019-16723
    Authenticated users may bypass authorization checks for viewing a graph by submitting requests with modified local_graph_id parameters.

    CVE-2019-17357
    The graph administration interface insufficiently sanitizes the template_id parameter, potentially resulting in SQL injection. This vulnerability might be leveraged by authenticated attackers to perform unauthorized SQL code execution on the database.

    CVE-2019-17358
    The sanitize_unserialize_selected_items function (lib/functions.php) insufficiently sanitizes user input before deserializing it, potentially resulting in unsafe deserialization of user-controlled data. This vulnerability might be leveraged by authenticated attackers to influence the program control flow or cause memory corruption.

    For the oldstable distribution (stretch), these problems have been fixed in version 0.8.8h+ds1-10+deb9u1. Note that stretch was only affected by CVE-2019-17358.

    For the stable distribution (buster), these problems have been fixed in version 1.2.2+ds1-2+deb10u2.

    We recommend that you upgrade your cacti packages.

    For the detailed security status of cacti please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/cacti

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2655

    Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, incorrect implementation of Kerberos GSSAPI and TGS requests or incorrect TLS handshakes.

    For the stable distribution (buster), these problems have been fixed in version 11.0.6+10-1~deb10u1.

    We recommend that you upgrade your openjdk-11 packages.

    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728 CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734 CVE-2019-13735 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738 CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742 CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746 CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750 CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754 CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758 CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763 CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 CVE-2020-6378 CVE-2020-6379 CVE-2020-6380

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2019-13725
    Gengming Liu and Jianyu Chen discovered a use-after-free issue in the bluetooth implementation.

    CVE-2019-13726
    Sergei Glazunov discovered a buffer overflow issue.

    CVE-2019-13727
    @piochu discovered a policy enforcement error.

    CVE-2019-13728
    Rong Jian and Guang Gong discovered an out-of-bounds write error in the v8 javascript library.

    CVE-2019-13729
    Zhe Jin discovered a use-after-free issue.

    CVE-2019-13730
    Soyeon Park and Wen Xu discovered the use of a wrong type in the v8 javascript library.

    CVE-2019-13732
    Sergei Glazunov discovered a use-after-free issue in the WebAudio implementation.

    CVE-2019-13734
    Wenxiang Qian discovered an out-of-bounds write issue in the sqlite library.

    CVE-2019-13735
    Gengming Liu and Zhen Feng discovered an out-of-bounds write issue in the v8 javascript library.

    CVE-2019-13736
    An integer overflow issue was discovered in the pdfium library.

    CVE-2019-13737
    Mark Amery discovered a policy enforcement error.

    CVE-2019-13738
    Johnathan Norman and Daniel Clark discovered a policy enforcement error.

    CVE-2019-13739
    xisigr discovered a user interface error.

    CVE-2019-13740
    Khalil Zhani discovered a user interface error.

    CVE-2019-13741
    Michał Bentkowski discovered that user input could be incompletely validated.

    CVE-2019-13742
    Khalil Zhani discovered a user interface error.

    CVE-2019-13743
    Zhiyang Zeng discovered a user interface error.

    CVE-2019-13744
    Prakash discovered a policy enforcement error.

    CVE-2019-13745
    Luan Herrera discovered a policy enforcement error.

    CVE-2019-13746
    David Erceg discovered a policy enforcement error.

    CVE-2019-13747
    Ivan Popelyshev and André Bonatti discovered an uninitialized value.

    CVE-2019-13748
    David Erceg discovered a policy enforcement error.

    CVE-2019-13749
    Khalil Zhani discovered a user interface error.

    CVE-2019-13750
    Wenxiang Qian discovered insufficient validation of data in the sqlite library.

    CVE-2019-13751
    Wenxiang Qian discovered an uninitialized value in the sqlite library.

    CVE-2019-13752
    Wenxiang Qian discovered an out-of-bounds read issue in the sqlite library.

    CVE-2019-13753
    Wenxiang Qian discovered an out-of-bounds read issue in the sqlite library.

    CVE-2019-13754
    Cody Crews discovered a policy enforcement error.

    CVE-2019-13755
    Masato Kinugawa discovered a policy enforcement error.

    CVE-2019-13756
    Khalil Zhani discovered a user interface error.

    CVE-2019-13757
    Khalil Zhani discovered a user interface error.

    CVE-2019-13758
    Khalil Zhani discovered a policy enforcement error.

    CVE-2019-13759
    Wenxu Wu discovered a user interface error.

    CVE-2019-13761
    Khalil Zhani discovered a user interface error.

    CVE-2019-13762
    csanuragjain discovered a policy enforcement error.

    CVE-2019-13763
    weiwangpp93 discovered a policy enforcement error.

    CVE-2019-13764
    Soyeon Park and Wen Xu discovered the use of a wrong type in the v8 javascript library.

    CVE-2019-13767
    Sergei Glazunov discovered a use-after-free issue.

    CVE-2020-6377
    Zhe Jin discovered a use-after-free issue.

    CVE-2020-6378
    Antti Levomäki and Christian Jalio discovered a use-after-free issue.

    CVE-2020-6379
    Guang Gong discovered a use-after-free issue.

    CVE-2020-6380
    Sergei Glazunov discovered an error verifying extension messages.

    For the oldstable distribution (stretch), security support for chromium has been discontinued.

    For the stable distribution (buster), these problems have been fixed in version 79.0.3945.130-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openconnect

    CVE ID : CVE-2019-16239

    Debian Bug : 940871

    Lukas Kupczyk reported a vulnerability in the handling of chunked HTTP in openconnect, an open client for Cisco AnyConnect, Pulse and GlobalProtect VPN. A malicious HTTP server (after having had its identity certificate accepted) can provide bogus chunk lengths for chunked HTTP encoding and cause a heap-based buffer overflow.

    For the oldstable distribution (stretch), this problem has been fixed in version 7.08-1+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 8.02-1+deb10u1.

    We recommend that you upgrade your openconnect packages.

    For the detailed security status of openconnect please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openconnect

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
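    The defect class described in this post is a client trusting a length field supplied by the peer. The following is an added example, not openconnect's or Debian's code, written in Python rather than openconnect's C: a chunked-transfer decoder that bounds every chunk-size field and checks it against the bytes actually received before copying anything, with constructed sample bodies (one valid, one carrying a bogus oversized length).

```python
"""Defensive decoder for HTTP chunked transfer encoding.

Added example (not openconnect's or Debian's code): a Python decoder that
validates every chunk-size field before trusting it, so a server sending a
bogus length cannot make the client copy more bytes than it actually holds.
The limits and sample messages are constructed for the demonstration.
"""

# Upper bounds chosen for the example; a real client would size these to its
# own buffers.
MAX_CHUNK_SIZE = 1 << 20       # 1 MiB per chunk
MAX_BODY_SIZE = 8 << 20        # 8 MiB per response body
HEX_DIGITS = b"0123456789abcdefABCDEF"


class ChunkedEncodingError(ValueError):
    """Raised when the chunked framing is malformed or exceeds the limits."""


def decode_chunked(data: bytes, max_chunk: int = MAX_CHUNK_SIZE,
                   max_body: int = MAX_BODY_SIZE) -> bytes:
    """Decode a complete chunked-encoded body held in memory.

    Every chunk-size field is parsed as hex, bounded, and checked against the
    bytes actually present before a single byte is copied.
    """
    out = bytearray()
    pos = 0
    while True:
        line_end = data.find(b"\r\n", pos)
        if line_end < 0:
            raise ChunkedEncodingError("truncated chunk-size line")
        # RFC 7230 allows chunk extensions after ';'; they are ignored here.
        size_field = data[pos:line_end].split(b";", 1)[0].strip()
        if not size_field or len(size_field) > 8:
            raise ChunkedEncodingError(f"bad chunk-size field {size_field!r}")
        if any(c not in HEX_DIGITS for c in size_field):
            raise ChunkedEncodingError(f"non-hex chunk size {size_field!r}")
        size = int(size_field, 16)
        if size > max_chunk:
            raise ChunkedEncodingError(f"chunk of {size} bytes exceeds limit {max_chunk}")
        pos = line_end + 2
        if size == 0:
            # Last chunk: skip optional trailer headers up to the empty line.
            while True:
                line_end = data.find(b"\r\n", pos)
                if line_end < 0:
                    raise ChunkedEncodingError("truncated trailer")
                if line_end == pos:
                    return bytes(out)
                pos = line_end + 2
        # The length claimed by the peer must fit in what we actually have.
        if len(data) - pos < size + 2:
            raise ChunkedEncodingError(
                f"chunk claims {size} bytes but only {len(data) - pos} remain")
        if len(out) + size > max_body:
            raise ChunkedEncodingError("decoded body exceeds limit")
        out += data[pos:pos + size]
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedEncodingError("missing CRLF after chunk data")
        pos += 2


def is_well_formed(data: bytes) -> bool:
    """Convenience wrapper: True if decode_chunked accepts the framing."""
    try:
        decode_chunked(data)
    except ChunkedEncodingError:
        return False
    return True


# Constructed sample bodies: one valid, one with a bogus oversized length.
GOOD_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
BOGUS_LENGTH = b"FFFFFFF0\r\nWiki\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(GOOD_BODY))        # b'Wikipedia'
    print(is_well_formed(BOGUS_LENGTH))     # False
```

    The two checks that matter are the cap on the parsed size and the comparison of the claimed size against the bytes remaining; a decoder that allocates or copies based on the parsed value alone is exactly the shape of bug the advisory describes, independent of language.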

    • Official post

    Package : tiff

    CVE ID : CVE-2019-14973 CVE-2019-17546

    Multiple integer overflows have been discovered in the libtiff library and the included tools.

    For the stable distribution (buster), these problems have been fixed in version 4.1.0+git191117-2~deb10u1.

    We recommend that you upgrade your tiff packages.

    For the detailed security status of tiff please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tiff

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-apt

    CVE ID : CVE-2019-15795 CVE-2019-15796

    Debian Bug : 944696

    Two security issues were found in the Python interface to the apt package manager; package downloads from unsigned repositories were incorrectly rejected and the hash validation relied on MD5.

    For the oldstable distribution (stretch), these problems have been fixed in version 1.4.1.

    For the stable distribution (buster), these problems have been fixed in version 1.8.4.1.

    We recommend that you upgrade your python-apt packages.

    For the detailed security status of python-apt please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-apt

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2019-8835 CVE-2019-8844 CVE-2019-8846

    The following vulnerabilities have been discovered in the webkit2gtk web engine:

    CVE-2019-8835
    An anonymous researcher discovered that maliciously crafted web content may lead to arbitrary code execution.

    CVE-2019-8844
    William Bowling discovered that maliciously crafted web content may lead to arbitrary code execution.

    CVE-2019-8846
    Marcin Towalski of Cisco Talos discovered that maliciously crafted web content may lead to arbitrary code execution.

    For the stable distribution (buster), these problems have been fixed in version 2.26.3-1~deb10u1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : opensmtpd

    CVE ID : CVE-2020-7247

    Debian Bug : 950121

    Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses which could result in the execution of arbitrary commands as root. In addition this update fixes a denial of service by triggering an opportunistic TLS downgrade.

    For the oldstable distribution (stretch), these problems have been fixed in version 6.0.2p1-2+deb9u2.

    For the stable distribution (buster), these problems have been fixed in version 6.0.3p1-5+deb10u3. This update also includes non-security bugfixes which were already lined up for the Buster 10.3 point release.

    We recommend that you upgrade your opensmtpd packages.

    For the detailed security status of opensmtpd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/opensmtpd

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : prosody-modules

    CVE ID : CVE-2020-8086

    It was discovered that the LDAP authentication modules for the Prosody Jabber/XMPP server incorrectly validated the XMPP address when checking whether a user has admin access.

    For the oldstable distribution (stretch), this problem has been fixed in version 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1.

    We recommend that you upgrade your prosody-modules packages.

    For the detailed security status of prosody-modules please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/prosody-modules

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libidn2

    CVE ID : CVE-2019-18224

    Debian Bug : 942895

    A heap-based buffer overflow vulnerability was discovered in the idn2_to_ascii_4i() function in libidn2, the GNU library for Internationalized Domain Names (IDNs), which could result in denial of service, or the execution of arbitrary code when processing a long domain string.

    For the stable distribution (buster), this problem has been fixed in version 2.0.5-1+deb10u1.

    We recommend that you upgrade your libidn2 packages.

    For the detailed security status of libidn2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libidn2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : sudo

    CVE ID : CVE-2019-18634

    Debian Bug : 950371

    Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the "pwfeedback" option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges.

    Details can be found in the upstream advisory at https://www.sudo.ws/alerts/pwfeedback.html

    For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u2.

    For the stable distribution (buster), exploitation of the bug is prevented due to a change in EOF handling introduced in 1.8.26.

    We recommend that you upgrade your sudo packages.

    For the detailed security status of sudo please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/sudo

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : spamassassin

    CVE ID : CVE-2020-1930 CVE-2020-1931

    Debian Bug : 950258

    Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.

    For the oldstable distribution (stretch), these problems have been fixed in version 3.4.2-1~deb9u3.

    For the stable distribution (buster), these problems have been fixed in version 3.4.2-1+deb10u2.

    We recommend that you upgrade your spamassassin packages.

    For the detailed security status of spamassassin please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/spamassassin

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qemu

    CVE ID : CVE-2019-15890 CVE-2020-7039 CVE-2020-1711

    Two security issues have been found in the SLiRP networking implementation of QEMU, a fast processor emulator, which could result in the execution of arbitrary code or denial of service.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u9.

    For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u4.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qtbase-opensource-src

    CVE ID : CVE-2020-0569 CVE-2020-0570

    Two security issues were found in the Qt library, which could result in plugins and libraries being loaded from the current working directory, resulting in potential code execution.

    For the oldstable distribution (stretch), these problems have been fixed in version 5.7.1+dfsg-3+deb9u2.

    For the stable distribution (buster), these problems have been fixed in version 5.11.3+dfsg1-1+deb10u3.

    We recommend that you upgrade your qtbase-opensource-src packages.

    For the detailed security status of qtbase-opensource-src please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qtbase-opensource-src

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libexif

    CVE ID : CVE-2019-9278

    Debian Bug : 945948

    An out-of-bounds write vulnerability due to an integer overflow was reported in libexif, a library to parse EXIF files, which could result in denial of service, or potentially the execution of arbitrary code if specially crafted image files are processed.

    For the oldstable distribution (stretch), this problem has been fixed in version 0.6.21-2+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 0.6.21-5.1+deb10u1.

    We recommend that you upgrade your libexif packages.

    For the detailed security status of libexif please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libexif

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libxmlrpc3-java

    CVE ID : CVE-2019-17570

    Debian Bug : 949089

    Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library.

    Note that a client that expects to get server-side exceptions needs to set the enabledForExceptions property explicitly.

    For the oldstable distribution (stretch), this problem has been fixed in version 3.1.3-8+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 3.1.3-9+deb10u1.

    We recommend that you upgrade your libxmlrpc3-java packages.

    For the detailed security status of libxmlrpc3-java please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libxmlrpc3-java

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/