Debian Security Advisory

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-6796 CVE-2020-6798 CVE-2020-6800

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 68.5.0esr-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 68.5.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-8

    CVE ID : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601 CVE-2020-2604 CVE-2020-2654 CVE-2020-2659

    Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, incorrect implementation of Kerberos GSSAPI and TGS requests or incorrect TLS handshakes.

    For the oldstable distribution (stretch), these problems have been fixed in version 8u242-b08-1~deb9u1.

    We recommend that you upgrade your openjdk-8 packages.

    For the detailed security status of openjdk-8 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-8

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postgresql-9.6

    CVE ID : CVE-2020-1720

    Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" subcommands in the PostgreSQL database did not perform authorisation checks.

    For the oldstable distribution (stretch), this problem has been fixed in version 9.6.17-0+deb9u1.

    We recommend that you upgrade your postgresql-9.6 packages.

    For the detailed security status of postgresql-9.6 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/postgresql-9.6

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postgresql-11

    CVE ID : CVE-2020-1720

    Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" subcommands in the PostgreSQL database did not perform authorisation checks.

    For the stable distribution (buster), this problem has been fixed in version 11.7-0+deb10u1.

    We recommend that you upgrade your postgresql-11 packages.

    For the detailed security status of postgresql-11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/postgresql-11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : evince

    CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006

    Debian Bug : 927820

    Several vulnerabilities were discovered in evince, a simple multi-page document viewer.

    CVE-2017-1000159

    Tobias Mueller reported that the DVI exporter in evince is susceptible to a command injection vulnerability via specially crafted filenames.

    CVE-2019-11459

    Andy Nguyen reported that the tiff_document_render() and tiff_document_get_thumbnail() functions in the TIFF document backend did not handle errors from TIFFReadRGBAImageOriented(), leading to disclosure of uninitialized memory when processing TIFF image files.

    CVE-2019-1010006

    A buffer overflow vulnerability in the tiff backend could lead to denial of service, or potentially the execution of arbitrary code if a specially crafted PDF file is opened.

    For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2.

    For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459.

    We recommend that you upgrade your evince packages.

    For the detailed security status of evince please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/evince

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795 CVE-2020-6798 CVE-2020-6800

    Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.5.0-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 1:68.5.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.3

    CVE ID : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11049 CVE-2019-11050 CVE-2020-7059 CVE-2020-7060

    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure, denial of service or incorrect validation of path names.

    For the stable distribution (buster), these problems have been fixed in version 7.3.14-1~deb10u1.

    We recommend that you upgrade your php7.3 packages.

    For the detailed security status of php7.3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php7.3

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868

    The following vulnerabilities have been discovered in the webkit2gtk web engine:

    CVE-2020-3862

    Srikanth Gatta discovered that a malicious website may be able to cause a denial of service.

    CVE-2020-3864

    Ryan Pickren discovered that a DOM object context may not have had a unique security origin.

    CVE-2020-3865

    Ryan Pickren discovered that a top-level DOM object context may have incorrectly been considered secure.

    CVE-2020-3867

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

    CVE-2020-3868

    Marcin Towalski discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    For the stable distribution (buster), these problems have been fixed in version 2.26.4-1~deb10u1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.0

    CVE ID : CVE-2019-11045 CVE-2019-11046 CVE-2019-11047 CVE-2019-11050 CVE-2020-7059 CVE-2020-7060

    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language, which could result in information disclosure, denial of service or incorrect validation of path names.

    For the oldstable distribution (stretch), these problems have been fixed in version 7.0.33-0+deb9u7.

    We recommend that you upgrade your php7.0 packages.

    For the detailed security status of php7.0 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php7.0

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-django

    CVE ID : CVE-2020-7471

    Debian Bug : 950581

    Simon Charette discovered that Django, a high-level Python web development framework, did not properly handle input in its PostgreSQL module. A remote attacker could leverage this to perform SQL injection attacks.

    For the oldstable distribution (stretch), this problem has been fixed in version 1:1.10.7-2+deb9u8.

    For the stable distribution (buster), this problem has been fixed in version 1:1.11.28-1~deb10u1.

    We recommend that you upgrade your python-django packages.

    For the detailed security status of python-django please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-django

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-pysaml2

    CVE ID : CVE-2020-5390

    It was discovered that pysaml2, a Python implementation of SAML to be used in a WSGI environment, was susceptible to XML signature wrapping attacks, which could result in a bypass of signature verification.

    For the oldstable distribution (stretch), this problem has been fixed in version 3.0.0-5+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 5.4.1-2+deb10u1.

    We recommend that you upgrade your python-pysaml2 packages.

    For the detailed security status of python-pysaml2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-pysaml2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pillow

    CVE ID : CVE-2019-16865 CVE-2019-19911 CVE-2020-5311 CVE-2020-5312 CVE-2020-5313

    Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service and potentially the execution of arbitrary code if malformed PCX, FLI, SGI or TIFF images are processed.

    For the oldstable distribution (stretch), these problems have been fixed in version 4.0.0-4+deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 5.4.1-2+deb10u1.

    We recommend that you upgrade your pillow packages.

    For the detailed security status of pillow please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/pillow

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ppp

    CVE ID : CVE-2020-8597

    Debian Bug : 950618

    Ilja Van Sprundel reported a logic flaw in the Extensible Authentication Protocol (EAP) packet parser in the Point-to-Point Protocol Daemon (pppd). An unauthenticated attacker can take advantage of this flaw to trigger a stack-based buffer overflow, leading to denial of service (pppd daemon crash).

    For the oldstable distribution (stretch), this problem has been fixed in version 2.4.7-1+4+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 2.4.7-2+4.1+deb10u1.

    We recommend that you upgrade your ppp packages.

    For the detailed security status of ppp please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ppp

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : curl

    CVE ID : CVE-2019-5436 CVE-2019-5481 CVE-2019-5482

    Debian Bug : 929351 940009 940010

    Multiple vulnerabilities were discovered in cURL, a URL transfer library.

    CVE-2019-5436

    A heap buffer overflow in the TFTP receiving code was discovered, which could allow DoS or arbitrary code execution. This only affects the oldstable distribution (stretch).

    CVE-2019-5481

    Thomas Vegas discovered a double-free in the FTP-KRB code, triggered by a malicious server sending a very large data block.

    CVE-2019-5482

    Thomas Vegas discovered a heap buffer overflow that could be triggered when a small non-default TFTP blocksize is used.

    For the oldstable distribution (stretch), these problems have been fixed in version 7.52.1-5+deb9u10.

    For the stable distribution (buster), these problems have been fixed in version 7.64.0-4+deb10u1.

    We recommend that you upgrade your curl packages.

    For the detailed security status of curl please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/curl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : opensmtpd

    CVE ID : CVE-2020-8794

    Debian Bug : 952453

    Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of SMTP commands, which could result in local privilege escalation or the execution of arbitrary code.

    For the oldstable distribution (stretch), this problem has been fixed in version 6.0.2p1-2+deb9u3.

    For the stable distribution (buster), this problem has been fixed in version 6.0.3p1-5+deb10u4.

    We recommend that you upgrade your opensmtpd packages.

    For the detailed security status of opensmtpd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/opensmtpd

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : proftpd-dfsg

    CVE ID : CVE-2020-9273

    Debian Bug : 951800

    Antonio Morales discovered a use-after-free flaw in the memory pool allocator in ProFTPD, a powerful modular FTP/SFTP/FTPS server.

    Interrupting current data transfers can corrupt the ProFTPD memory pool, leading to denial of service, or potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), this problem has been fixed in version 1.3.5b-4+deb9u4.

    For the stable distribution (buster), this problem has been fixed in version 1.3.6-4+deb10u4.

    We recommend that you upgrade your proftpd-dfsg packages.

    For the detailed security status of proftpd-dfsg please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/proftpd-dfsg

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-bleach

    CVE ID : CVE-2020-6802

    Debian Bug : 951907

    It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when 'noscript' and one or more raw text tags were whitelisted.

    For the stable distribution (buster), this problem has been fixed in version 3.1.1-0+deb10u1.

    We recommend that you upgrade your python-bleach packages.

    For the detailed security status of python-bleach please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-bleach

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : network-manager-ssh

    CVE ID : CVE-2020-9355

    Kobus van Schoor discovered that network-manager-ssh, a plugin to provide VPN integration for SSH in NetworkManager, is prone to a privilege escalation vulnerability. A local user with privileges to modify a connection can take advantage of this flaw to execute arbitrary commands as root.

    This update drops support for passing extra SSH options to the ssh invocation.

    For the oldstable distribution (stretch), this problem has been fixed in version 1.2.1-1+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 1.2.10-1+deb10u1.

    We recommend that you upgrade your network-manager-ssh packages.

    For the detailed security status of network-manager-ssh please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/network-manager-ssh

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2019-19880 CVE-2019-19923 CVE-2019-19925 CVE-2019-19926 CVE-2020-6381 CVE-2020-6382 CVE-2020-6383 CVE-2020-6384 CVE-2020-6385 CVE-2020-6386 CVE-2020-6387 CVE-2020-6388 CVE-2020-6389 CVE-2020-6390 CVE-2020-6391 CVE-2020-6392 CVE-2020-6393 CVE-2020-6394 CVE-2020-6395 CVE-2020-6396 CVE-2020-6397 CVE-2020-6398 CVE-2020-6399 CVE-2020-6400 CVE-2020-6401 CVE-2020-6402 CVE-2020-6403 CVE-2020-6404 CVE-2020-6405 CVE-2020-6406 CVE-2020-6407 CVE-2020-6408 CVE-2020-6409 CVE-2020-6410 CVE-2020-6411 CVE-2020-6412 CVE-2020-6413 CVE-2020-6414 CVE-2020-6415 CVE-2020-6416 CVE-2020-6418 CVE-2020-6420

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2019-19880

    Richard Lorenz discovered an issue in the sqlite library.

    CVE-2019-19923

    Richard Lorenz discovered an out-of-bounds read issue in the sqlite library.

    CVE-2019-19925

    Richard Lorenz discovered an issue in the sqlite library.

    CVE-2019-19926

    Richard Lorenz discovered an implementation error in the sqlite library.

    CVE-2020-6381

    UK's National Cyber Security Centre discovered an integer overflow issue in the v8 javascript library.

    CVE-2020-6382

    Soyeon Park and Wen Xu discovered a type error in the v8 javascript library.

    CVE-2020-6383

    Sergei Glazunov discovered a type error in the v8 javascript library.

    CVE-2020-6384

    David Manoucheri discovered a use-after-free issue in WebAudio.

    CVE-2020-6385

    Sergei Glazunov discovered a policy enforcement error.

    CVE-2020-6386

    Zhe Jin discovered a use-after-free issue in speech processing.

    CVE-2020-6387

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC implementation.

    CVE-2020-6388

    Sergei Glazunov discovered an out-of-bounds read error in the WebRTC implementation.

    CVE-2020-6389

    Natalie Silvanovich discovered an out-of-bounds write error in the WebRTC implementation.

    CVE-2020-6390

    Sergei Glazunov discovered an out-of-bounds read error.

    CVE-2020-6391

    Michał Bentkowski discovered that untrusted input was insufficiently validated.

    CVE-2020-6392

    The Microsoft Edge Team discovered a policy enforcement error.

    CVE-2020-6393

    Mark Amery discovered a policy enforcement error.

    CVE-2020-6394

    Phil Freo discovered a policy enforcement error.

    CVE-2020-6395

    Pierre Langlois discovered an out-of-bounds read error in the v8 javascript library.

    CVE-2020-6396

    William Luc Ritchie discovered an error in the skia library.

    CVE-2020-6397

    Khalil Zhani discovered a user interface error.

    CVE-2020-6398

    pdknsk discovered an uninitialized variable in the pdfium library.

    CVE-2020-6399

    Luan Herrera discovered a policy enforcement error.

    CVE-2020-6400

    Takashi Yoneuchi discovered an error in Cross-Origin Resource Sharing.

    CVE-2020-6401

    Tzachy Horesh discovered that user input was insufficiently validated.

    CVE-2020-6402

    Vladimir Metnew discovered a policy enforcement error.

    CVE-2020-6403

    Khalil Zhani discovered a user interface error.

    CVE-2020-6404

    kanchi discovered an error in Blink/Webkit.

    CVE-2020-6405

    Yongheng Chen and Rui Zhong discovered an out-of-bounds read issue in the sqlite library.

    CVE-2020-6406

    Sergei Glazunov discovered a use-after-free issue.

    CVE-2020-6407

    Sergei Glazunov discovered an out-of-bounds read error.

    CVE-2020-6408

    Zhong Zhaochen discovered a policy enforcement error in Cross-Origin Resource Sharing.

    CVE-2020-6409

    Divagar S and Bharathi V discovered an error in the omnibox implementation.

    CVE-2020-6410

    evil1m0 discovered a policy enforcement error.

    CVE-2020-6411

    Khalil Zhani discovered that user input was insufficiently validated.

    CVE-2020-6412

    Zihan Zheng discovered that user input was insufficiently validated.

    CVE-2020-6413

    Michał Bentkowski discovered an error in Blink/Webkit.

    CVE-2020-6414

    Lijo A.T discovered a safe browsing policy enforcement error.

    CVE-2020-6415

    Avihay Cohen discovered an implementation error in the v8 javascript library.

    CVE-2020-6416

    Woojin Oh discovered that untrusted input was insufficiently validated.

    CVE-2020-6418

    Clement Lecigne discovered a type error in the v8 javascript library.

    CVE-2020-6420

    Taras Uzdenov discovered a policy enforcement error.

    For the oldstable distribution (stretch), security support for chromium has been discontinued.

    For the stable distribution (buster), these problems have been fixed in version 80.0.3987.132-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 68.6.0esr-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 68.6.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
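Every advisory above names the version in which the problem is fixed per distribution, so the practical check on a fleet is whether each installed version is at or above that fixed version. The script below is an added example, not Debian's tooling and not part of the forum posts: it collects the fixed versions stated in the advisories above (for firefox-esr, the later 68.6.0esr advisory supersedes the earlier one) and compares them against a constructed, invented host inventory. The comparison re-implements the dpkg version ordering from Debian Policy (epoch, then upstream version, then Debian revision; `~` sorts before anything including the end of the string; a missing revision equals `0`), so it runs on any machine rather than only where `dpkg --compare-versions` is available.

```python
"""Added example: check installed Debian package versions against the fixed
versions named in the advisories above. The ordering re-implements the dpkg
comparison rules from Debian Policy 5.6.12, so it runs without dpkg."""

# Fixed versions copied from the advisories above, keyed by (package, suite).
# firefox-esr has two advisories on this page; the later one (68.6.0esr) is used.
ADVISORY_FIXED = {
    ("firefox-esr", "stretch"): "68.6.0esr-1~deb9u1",
    ("firefox-esr", "buster"): "68.6.0esr-1~deb10u1",
    ("openjdk-8", "stretch"): "8u242-b08-1~deb9u1",
    ("postgresql-9.6", "stretch"): "9.6.17-0+deb9u1",
    ("postgresql-11", "buster"): "11.7-0+deb10u1",
    ("evince", "stretch"): "3.22.1-3+deb9u2",
    ("evince", "buster"): "3.30.2-3+deb10u1",
    ("thunderbird", "stretch"): "1:68.5.0-1~deb9u1",
    ("thunderbird", "buster"): "1:68.5.0-1~deb10u1",
    ("php7.3", "buster"): "7.3.14-1~deb10u1",
    ("webkit2gtk", "buster"): "2.26.4-1~deb10u1",
    ("php7.0", "stretch"): "7.0.33-0+deb9u7",
    ("python-django", "stretch"): "1:1.10.7-2+deb9u8",
    ("python-django", "buster"): "1:1.11.28-1~deb10u1",
    ("python-pysaml2", "stretch"): "3.0.0-5+deb9u1",
    ("python-pysaml2", "buster"): "5.4.1-2+deb10u1",
    ("pillow", "stretch"): "4.0.0-4+deb9u1",
    ("pillow", "buster"): "5.4.1-2+deb10u1",
    ("ppp", "stretch"): "2.4.7-1+4+deb9u1",
    ("ppp", "buster"): "2.4.7-2+4.1+deb10u1",
    ("curl", "stretch"): "7.52.1-5+deb9u10",
    ("curl", "buster"): "7.64.0-4+deb10u1",
    ("opensmtpd", "stretch"): "6.0.2p1-2+deb9u3",
    ("opensmtpd", "buster"): "6.0.3p1-5+deb10u4",
    ("proftpd-dfsg", "stretch"): "1.3.5b-4+deb9u4",
    ("proftpd-dfsg", "buster"): "1.3.6-4+deb10u4",
    ("python-bleach", "buster"): "3.1.1-0+deb10u1",
    ("network-manager-ssh", "stretch"): "1.2.1-1+deb9u1",
    ("network-manager-ssh", "buster"): "1.2.10-1+deb10u1",
    ("chromium", "buster"): "80.0.3987.132-1~deb10u1",
}


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # dpkg's character weight: end-of-string and digits 0, '~' below everything,
    # letters by code point, any other symbol above all letters.
    if c == "" or _isdigit(c):
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a, b):
    # Alternate non-digit and digit runs, as dpkg does; returns <0, 0 or >0.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and _isdigit(a[i]):
            return 1   # a's number has more digits, so it is larger
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]'; a missing revision equals '0'."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, revision = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def needs_upgrade(package, suite, installed):
    """True if older than the advisory fix, False if at/above it, None if not covered."""
    fixed = ADVISORY_FIXED.get((package, suite))
    return None if fixed is None else compare_versions(installed, fixed) < 0


# Constructed sample inventory (host, suite, package, installed); not real hosts.
SAMPLE_INVENTORY = [
    ("web1", "buster", "curl", "7.64.0-4"),                    # older -> upgrade
    ("web1", "buster", "php7.3", "7.3.14-1~deb10u1"),          # exactly the fix
    ("mail1", "stretch", "thunderbird", "1:68.4.2-1~deb9u1"),  # older -> upgrade
    ("mail1", "stretch", "opensmtpd", "6.0.2p1-2+deb9u3"),     # exactly the fix
    ("db1", "buster", "chromium", "79.0.3945.130-1~deb10u1"),  # older -> upgrade
    ("dev1", "buster", "python-bleach", "3.1.1-0+deb10u2"),    # newer than fix
    ("dev1", "buster", "vim", "2:8.1.0875-5"),                 # no advisory above
]


def audit(inventory):
    """Return (host, package, installed, fixed) for each entry that needs an upgrade."""
    return [(h, p, v, ADVISORY_FIXED[(p, s)])
            for h, s, p, v in inventory if needs_upgrade(p, s, v)]
```

On a real host the installed versions come from `dpkg-query -W -f='${Package} ${Version}\n'`; feed those into `audit` with the host's suite. Note that a version like `7.64.0-4` sorts below `7.64.0-4+deb10u1` because the `+deb10u1` suffix is an appended revision, while a `~` suffix would sort below the bare version, which is why Debian uses `~deb9u1` for backported upstream releases and `+deb9u1` for stable updates.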