Debian Security Advisory

    • Official post

    Package : graphicsmagick

    CVE ID : CVE-2019-19950 CVE-2019-19951 CVE-2019-19953 CVE-2019-11474 CVE-2019-11473 CVE-2019-11506 CVE-2019-11505 CVE-2019-11010 CVE-2019-11009 CVE-2019-11008 CVE-2019-11007 CVE-2019-11006 CVE-2019-11005 CVE-2018-20189 CVE-2018-20185 CVE-2018-20184

    This update fixes several vulnerabilities in Graphicsmagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or the execution of arbitrary code if malformed media files are processed.

    For the oldstable distribution (stretch), these problems have been fixed in version 1.3.30+hg15796-1~deb9u3.

    For the stable distribution (buster), these problems have been fixed in version 1.4~hg15978-1+deb10u1.

    We recommend that you upgrade your graphicsmagick packages.

    For the detailed security status of graphicsmagick please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/graphicsmagick

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2020-10018

    The following vulnerability has been discovered in the webkit2gtk web engine:

    CVE-2020-10018

    Sudhakar Verma, Ashfaq Ansari and Siddhant Badhe discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    For the stable distribution (buster), this problem has been fixed in version 2.26.4-1~deb10u2.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2019-20503 CVE-2020-6805 CVE-2020-6806 CVE-2020-6807 CVE-2020-6811 CVE-2020-6812 CVE-2020-6814

    Multiple security issues have been found in Thunderbird which could potentially result in the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.6.0-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 1:68.6.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-bleach

    CVE ID : CVE-2020-6816

    Debian Bug : 954236

    It was reported that python-bleach, a whitelist-based HTML-sanitizing library, is prone to a mutation XSS vulnerability in bleach.clean when strip=False and 'math' or 'svg' tags and one or more of the RCDATA tags were whitelisted.

    For the stable distribution (buster), this problem has been fixed in version 3.1.2-0+deb10u1.

    We recommend that you upgrade your python-bleach packages.

    For the detailed security status of python-bleach please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-bleach

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tor

    CVE ID : CVE-2020-10592

    A denial of service vulnerability (by triggering high CPU consumption) was found in Tor, a connection-based low-latency anonymous communication system.

    For the stable distribution (buster), this problem has been fixed in version 0.3.5.10-1.

    For the oldstable distribution (stretch), support for tor is now discontinued. Please upgrade to the stable release (buster) to continue receiving tor updates.

    We recommend that you upgrade your tor packages.

    For the detailed security status of tor please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tor

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2019-20503 CVE-2020-6422 CVE-2020-6424 CVE-2020-6425 CVE-2020-6426 CVE-2020-6427 CVE-2020-6428 CVE-2020-6429 CVE-2020-6449

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2019-20503

    Natalie Silvanovich discovered an out-of-bounds read issue in the usrsctp library.

    CVE-2020-6422

    David Manouchehri discovered a use-after-free issue in the WebGL implementation.

    CVE-2020-6424

    Sergei Glazunov discovered a use-after-free issue.

    CVE-2020-6425

    Sergei Glazunov discovered a policy enforcement error related to extensions.

    CVE-2020-6426

    Avihay Cohen discovered an implementation error in the v8 javascript library.

    CVE-2020-6427

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

    CVE-2020-6428

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

    CVE-2020-6429

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

    CVE-2020-6449

    Man Yue Mo discovered a use-after-free issue in the audio implementation.

    For the oldstable distribution (stretch), security support for chromium has been discontinued.

    For the stable distribution (buster), these problems have been fixed in version 80.0.3987.149-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : icu

    CVE ID : CVE-2020-10531

    Debian Bug : 953747

    Andre Bargull discovered an integer overflow in the International Components for Unicode (ICU) library which could result in denial of service and potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), this problem has been fixed in version 57.1-6+deb9u4.

    For the stable distribution (buster), this problem has been fixed in version 63.1-6+deb10u1.

    We recommend that you upgrade your icu packages.

    For the detailed security status of icu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/icu

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : bluez

    CVE ID : CVE-2020-0556

    Debian Bug : 953770

    It was reported that BlueZ's HID and HOGP profile implementations don't specifically require bonding between the device and the host.

    Malicious devices can take advantage of this flaw to connect to a target host and impersonate an existing HID device without security or to cause an SDP or GATT service discovery to take place which would allow HID reports to be injected to the input subsystem from a non-bonded source.

    For the HID profile a new configuration option (ClassicBondedOnly) is introduced to make sure that input connections only come from bonded device connections. The option defaults to 'false' to maximize device compatibility.

    For the oldstable distribution (stretch), this problem has been fixed in version 5.43-2+deb9u2.

    For the stable distribution (buster), this problem has been fixed in version 5.50-1.2~deb10u1.

    We recommend that you upgrade your bluez packages.

    For the detailed security status of bluez please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/bluez

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libpam-krb5

    CVE ID : CVE-2020-10595

    Russ Allbery discovered a buffer overflow in the PAM module for MIT Kerberos, which could result in denial of service or potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), this problem has been fixed in version 4.7-4+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 4.8-2+deb10u1.

    We recommend that you upgrade your libpam-krb5 packages.

    For the detailed security status of libpam-krb5 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libpam-krb5

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : haproxy

    CVE ID : CVE-2020-11100

    Felix Wilhelm of Google Project Zero discovered that HAProxy, a TCP/HTTP reverse proxy, did not properly handle HTTP/2 headers. This would allow an attacker to write arbitrary bytes around a certain location on the heap, resulting in denial-of-service or potential arbitrary code execution.

    For the stable distribution (buster), this problem has been fixed in version 1.8.19-1+deb10u2.

    We recommend that you upgrade your haproxy packages.

    For the detailed security status of haproxy please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/haproxy

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mediawiki

    CVE ID : CVE-2020-10960

    It was discovered that some user-generated CSS selectors in MediaWiki, a website engine for collaborative work, were not escaped.

    The oldstable distribution (stretch) is not affected.

    For the stable distribution (buster), this problem has been fixed in version 1:1.31.7-1~deb10u1.

    We recommend that you upgrade your mediawiki packages.

    For the detailed security status of mediawiki please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mediawiki

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qbittorrent

    CVE ID : CVE-2019-13640

    Debian Bug : 932539

    Miguel Onoro reported that qbittorrent, a bittorrent client with a Qt5 GUI user interface, allows command injection via shell metacharacters in the torrent name parameter or current tracker parameter, which could result in remote command execution via a crafted name within an RSS feed if qbittorrent is configured to run an external program on torrent completion.

    For the oldstable distribution (stretch), this problem has been fixed in version 3.3.7-3+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 4.1.5-1+deb10u1.

    We recommend that you upgrade your qbittorrent packages.

    For the detailed security status of qbittorrent please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qbittorrent

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
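    Added example, not qbittorrent's own code, showing the defensive pattern for the "run external program on torrent completion" feature described in the advisory above: the trusted command template is tokenized with shell rules first, and only then are the untrusted torrent name and tracker substituted into individual arguments, so they never reach a shell parser. The `%N`/`%T` placeholder names, the command template and the sample torrent name are assumptions constructed for illustration.

```python
"""Run a torrent-completion hook with name and tracker passed as data, not code.

Illustrative code, not qbittorrent's own. The user-configured command template
uses placeholders (assumed here: %N = torrent name, %T = current tracker).
"""
import re
import shlex
import subprocess

PLACEHOLDER = re.compile(r"%[NT]")


def unsafe_command_line(template: str, name: str, tracker: str) -> str:
    """The vulnerable pattern: textual substitution into one command string.
    Handed to a shell (shell=True), any metacharacter in the torrent name
    (';', '|', '$(...)') becomes shell syntax and is executed."""
    values = {"%N": name, "%T": tracker}
    return PLACEHOLDER.sub(lambda m: values[m.group()], template)


def build_argv(template: str, name: str, tracker: str) -> list:
    """Hardened pattern: apply shell quoting rules to the trusted template
    only, then substitute placeholders inside each token. The untrusted
    values become whole arguments and never pass through a shell parser."""
    values = {"%N": name, "%T": tracker}
    return [PLACEHOLDER.sub(lambda m: values[m.group()], tok)
            for tok in shlex.split(template)]


def run_hook(template: str, name: str, tracker: str) -> str:
    """Execute the hook without a shell and return its stdout."""
    argv = build_argv(template, name, tracker)
    completed = subprocess.run(argv, shell=False, capture_output=True,
                               text=True, check=False)
    return completed.stdout


if __name__ == "__main__":
    # Constructed sample: a torrent name carrying shell metacharacters.
    NAME = "Debian ISO; echo injected"
    TRACKER = "udp://tracker.example:6969"
    TEMPLATE = "echo 'Finished: %N' %T"
    print("unsafe string :", unsafe_command_line(TEMPLATE, NAME, TRACKER))
    print("safe argv     :", build_argv(TEMPLATE, NAME, TRACKER))
    print("hook output   :", run_hook(TEMPLATE, NAME, TRACKER), end="")
```

Run without a shell, the name arrives at the program as one literal argument, which is what the fixed packages need an external-program hook to guarantee.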

    • Official post

    Package : gnutls28

    CVE ID : CVE-2020-11501

    Debian Bug : 955556

    A flaw was reported in the DTLS protocol implementation in GnuTLS, a library implementing the TLS and SSL protocols. The DTLS client would not contribute any randomness to the DTLS negotiation, breaking the security guarantees of the DTLS protocol.

    For the stable distribution (buster), this problem has been fixed in version 3.6.7-4+deb10u3.

    We recommend that you upgrade your gnutls28 packages.

    For the detailed security status of gnutls28 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/gnutls28

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-6819 CVE-2020-6820

    Two security issues have been found in the Mozilla Firefox web browser, which could result in the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 68.6.1esr-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 68.6.1esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2020-6450 CVE-2020-6451 CVE-2020-6452

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2020-6450

    Man Yue Mo discovered a use-after-free issue in the WebAudio implementation.

    CVE-2020-6451

    Man Yue Mo discovered a use-after-free issue in the WebAudio implementation.

    CVE-2020-6452

    asnine discovered a buffer overflow issue.

    For the oldstable distribution (stretch), security support for chromium has been discontinued.

    For the stable distribution (buster), these problems have been fixed in version 80.0.3987.162-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-6821 CVE-2020-6822 CVE-2020-6825

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 68.7.0esr-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 68.7.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2020-6819 CVE-2020-6820 CVE-2020-6821 CVE-2020-6822 CVE-2020-6825

    Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.7.0-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 1:68.7.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : git

    CVE ID : CVE-2020-5260

    Felix Wilhelm of Google Project Zero discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline, the credential helper machinery can be fooled to return credential information for a wrong host.

    For the oldstable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u6.

    For the stable distribution (buster), this problem has been fixed in version 1:2.20.1-2+deb10u2.

    We recommend that you upgrade your git packages.

    For the detailed security status of git please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/git

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2020-11793

    The following vulnerability has been discovered in the webkit2gtk web engine:

    CVE-2020-11793

    Cim Stordal discovered that maliciously crafted web content may lead to arbitrary code execution or a denial of service.

    For the stable distribution (buster), this problem has been fixed in version 2.26.4-1~deb10u3.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Carlo Arenas discovered a flaw in git, a fast, scalable, distributed revision control system. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.

    For the oldstable distribution (stretch), this problem has been fixed in version 1:2.11.0-3+deb9u7.

    For the stable distribution (buster), this problem has been fixed in version 1:2.20.1-2+deb10u3.

    We recommend that you upgrade your git packages.

    For the detailed security status of git please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/git

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
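    Added example, not git's own code, covering both git advisories above (CVE-2020-5260 and the follow-up fix): it validates the decoded scheme, host and path of a URL before formatting a credential-helper request, so a line break cannot smuggle an extra `host=` line and an empty host or missing scheme cannot produce a request that misdescribes the connection. The key=value request layout follows the documented git-credential protocol; `ALLOWED_SCHEMES`, the function names and the sample URLs are assumptions for illustration.

```python
"""Validate a URL before building a git credential-helper request.

The helper protocol is newline-delimited key=value lines ended by a blank
line. Git percent-decodes URL parts before writing them, so a URL whose
decoded host or path carries a newline can inject an extra request line,
and an empty host or missing scheme yields a request that does not describe
the connection actually being made. Illustrative code, not git's own.
"""
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only these consult a helper


def credential_request(url: str) -> str:
    """Return the request text for a credential helper, or raise ValueError
    if the URL would produce a misleading or injected request."""
    parts = urlsplit(url)
    if not parts.scheme:
        raise ValueError("URL lacks a scheme")
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    # Split optional user info from the host; they are separate fields.
    userinfo, _, host = parts.netloc.rpartition("@")
    username = unquote(userinfo.split(":", 1)[0])
    host = unquote(host)
    # Everything after the authority (path and query) is the helper's 'path'.
    path = parts.path
    if parts.query:
        path += "?" + parts.query
    path = unquote(path).lstrip("/")
    if not host:
        raise ValueError("URL has an empty host")
    # Check the *decoded* values: a '%0a' in the raw URL evades a raw check.
    for field, value in (("username", username), ("host", host), ("path", path)):
        if "\n" in value or "\r" in value:
            raise ValueError(f"line break in {field}; would inject a request line")
    lines = [f"protocol={parts.scheme}", f"host={host}"]
    if username:
        lines.append(f"username={username}")
    if path:
        lines.append(f"path={path}")
    return "\n".join(lines) + "\n\n"  # blank line terminates the request


def is_safe_credential_url(url: str) -> bool:
    """True if credential_request() accepts the URL."""
    try:
        credential_request(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples: one well-formed URL and the three rejected shapes.
    for sample in ("https://git.example.com/org/repo.git",
                   "https://one.example.com?%0ahost=two.example.com/",
                   "https:///org/repo.git",
                   "git.example.com/org/repo.git"):
        print(f"{sample!r:55} safe={is_safe_credential_url(sample)}")
```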