Debian Security Advisory

Package : tomcat9

CVE ID : CVE-2019-10072 CVE-2019-12418 CVE-2019-17563

CVE-2019-17569 CVE-2020-1935 CVE-2020-1938

Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.

For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u1. The fix for CVE-2020-1938 may require configuration changes when Tomcat is used with the AJP connector, e.g.

in combination with libapache-mod-jk. For instance the attribute "secretRequired" is set to true by default now. For affected setups it's recommended to review https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html

before the deploying the update.

We recommend that you upgrade your tomcat9 packages.

For the detailed security status of tomcat9 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/tomcat9

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : webkit2gtk

CVE ID : CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 CVE-2020-3897

CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902

The following vulnerability has been discovered in the webkit2gtk web

engine:

CVE-2020-3885

Ryan Pickren discovered that a file URL may be incorrectly

processed.

CVE-2020-3894

Sergei Glazunov discovered that a race condition may allow an

application to read restricted memory.

CVE-2020-3895

grigoritchy discovered that processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2020-3897

Brendan Draper discovered that a remote attacker may be able to

cause arbitrary code execution.

CVE-2020-3899

OSS-Fuzz discovered that A remote attacker may be able to cause

arbitrary code execution.

CVE-2020-3900

Dongzhuo Zhao discovered that processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2020-3901

Benjamin Randazzo discovered that processing maliciously crafted

web content may lead to arbitrary code execution.

CVE-2020-3902

Yigit Can Yilmaz discovered that processing maliciously crafted

web content may lead to a cross site scripting attack.

For the stable distribution (buster), these problems have been fixed in version 2.28.2-2~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : salt

CVE ID : CVE-2020-11651 CVE-2020-11652

Debian Bug : 959684

The update for salt for the oldstable distribution (stretch) released as DSA 4676-1 contained an incomplete fix to address CVE-2020-11651 and CVE-2020-11652. Updated salt packages are now available to correct this issue. For reference, the original advisory text follows.

Several vulnerabilities were discovered in salt, a powerful remote execution manager, which could result in retrieve of user tokens from the salt master, execution of arbitrary commands on salt minions, arbitrary directory access to authenticated users or arbitrary code execution on salt-api hosts.

For the oldstable distribution (stretch), these problems have been fixed in version 2016.11.2+ds-1+deb9u4.

We recommend that you upgrade your salt packages.

For the detailed security status of salt please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/salt

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : squid

CVE ID : CVE-2019-12519 CVE-2019-12520 CVE-2019-12521 CVE-2019-12523

CVE-2019-12524 CVE-2019-12526 CVE-2019-12528 CVE-2019-18676

CVE-2019-18677 CVE-2019-18678 CVE-2019-18679 CVE-2020-8449

CVE-2020-8450 CVE-2020-11945

Multiple security issues were discovered in the Squid proxy caching server, which could result in the bypass of security filters, information disclosure, the execution of arbitrary code or denial of service.

For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u2.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : thunderbird

CVE ID : CVE-2020-6831 CVE-2020-12387 CVE-2020-12392 CVE-2020-12395

CVE-2020-12397

Multiple security issues have been found in Thunderbird which could result in spoofing the displayed sender email address, denial of service or potentially the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed in version 1:68.8.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 1:68.8.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libreswan

CVE ID : CVE-2020-1763

Debian Bug : 960458

Stephan Zeisberg discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 Informational Exchange packet, resulting in denial of service.

For the stable distribution (buster), this problem has been fixed in version 3.27-6+deb10u1.

We recommend that you upgrade your libreswan packages.

For the detailed security status of libreswan please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libreswan

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : apt

CVE ID : CVE-2020-3810

Shuaibing Lu discovered that missing input validation in the ar/tar implementations of APT, the high level package manager, could result in denial of service when processing specially crafted deb files.

For the oldstable distribution (stretch), this problem has been fixed in version 1.4.10.

For the stable distribution (buster), this problem has been fixed in version 1.8.2.1.

We recommend that you upgrade your apt packages.

For the detailed security status of apt please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/apt

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : apache-log4j1.2

CVE ID : CVE-2019-17571

Debian Bug : 947124

It was discovered that the SocketServer class included in apache-log4j1.2, a logging library for java, is vulnerable to deserialization of untrusted data. An attacker can take advantage of this flaw to execute arbitrary code in the context of the logger application by sending a specially crafted log event.

For the oldstable distribution (stretch), this problem has been fixed in version 1.2.17-7+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 1.2.17-8+deb10u1.

We recommend that you upgrade your apache-log4j1.2 packages.

For the detailed security status of apache-log4j1.2 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/apache-log4j1.2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : exim4

CVE ID : CVE-2020-12783

It was discovered that exim4, a mail transport agent, suffers from a authentication bypass vulnerability in the spa authentication driver.

The spa authentication driver is not enabled by default.

For the oldstable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u7.

For the stable distribution (buster), this problem has been fixed in version 4.92-8+deb10u4.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : dpdk

CVE ID : CVE-2020-10722 CVE-2020-10723 CVE-2020-10724

Multiple vulnerabilities were discovered in the vhost code of DPDK, a set of libraries for fast packet processing, which could result in denial of service or the execution of arbitrary code by malicious guests/containers.

For the oldstable distribution (stretch), these problems have been fixed in version 16.11.11-1+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 18.11.6-1~deb10u2.

We recommend that you upgrade your dpdk packages.

For the detailed security status of dpdk please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/dpdk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : bind9

CVE ID : CVE-2019-6477 CVE-2020-8616 CVE-2020-8617

Debian Bug : 945171

Several vulnerabilities were discovered in BIND, a DNS server implementation.

CVE-2019-6477

It was discovered that TCP-pipelined queries can bypass tcp-client

limits resulting in denial of service.

CVE-2020-8616

It was discovered that BIND does not sufficiently limit the number

of fetches performed when processing referrals. An attacker can take

advantage of this flaw to cause a denial of service (performance

degradation) or use the recursing server in a reflection attack with

a high amplification factor.

CVE-2020-8617

It was discovered that a logic error in the code which checks TSIG

validity can be used to trigger an assertion failure, resulting in

denial of service.

For the oldstable distribution (stretch), these problems have been fixed in version 1:9.10.3.dfsg.P4-12.3+deb9u6.

For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u1.

We recommend that you upgrade your bind9 packages.

For the detailed security status of bind9 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/bind9

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : dovecot

CVE ID : CVE-2020-10957 CVE-2020-10958 CVE-2020-10967

Debian Bug : 960963

Several vulnerabilities were discovered in the Dovecot email server, which could cause crashes in the submission, submission-login or lmtp services, resulting in denial of service.

For the stable distribution (buster), these problems have been fixed in version 1:2.3.4.1-5+deb10u2.

We recommend that you upgrade your dovecot packages.

For the detailed security status of dovecot please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/dovecot

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : pdns-recursor

CVE ID : CVE-2020-10955 CVE-2020-12244

Two vulnerabiliites have been discovered in PDNS Recursor, a resolving name server; a traffic amplification attack against third party authoritative name servers (NXNSAttack) and insufficient validation of NXDOMAIN responses lacking an SOA.

The version of pdns-recursor in the oldstable distribution (stretch) is no longer supported. If these security issues affect your setup, you should upgrade to the stable distribution (buster).

For the stable distribution (buster), these problems have been fixed in version 4.1.11-1+deb10u1.

We recommend that you upgrade your pdns-recursor packages.

For the detailed security status of pdns-recursor please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/pdns-recursor

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : netqmail

CVE ID : CVE-2005-1513 CVE-2005-1514 CVE-2005-1515 CVE-2020-3811

CVE-2020-3812

Debian Bug : 961060

Georgi Guninski and the Qualys Research Labs discovered multiple vulnerabilities in qmail (shipped in Debian as netqmail with additional

patches) which could result in the execution of arbitrary code, bypass of mail address verification and a local information leak whether a file exists or not.

For the oldstable distribution (stretch), these problems have been fixed in version 1.06-6.2~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 1.06-6.2~deb10u1.

We recommend that you upgrade your netqmail packages.

For the detailed security status of netqmail please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/netqmail

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : drupal7

CVE ID : CVE-2020-11022 CVE-2020-11023 SA-CORE-2020-003

Several vulnerabilities were discovered in Drupal, a fully-featured content management framework, which could result in an open redirect or cross-site scripting.

For the oldstable distribution (stretch), these problems have been fixed in version 7.52-2+deb9u10.

We recommend that you upgrade your drupal7 packages.

For the detailed security status of drupal7 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/drupal7

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : unbound

CVE ID : CVE-2020-12662 CVE-2020-12663

Two vulnerabiliites have been discovered in Unbound, a recursive-only caching DNS server; a traffic amplification attack against third party authoritative name servers (NXNSAttack) and insufficient sanitisation of replies from upstream servers could result in denial of service via an infinite loop.

The version of Unbound in the oldstable distribution (stretch) is no longer supported. If these security issues affect your setup, you should upgrade to the stable distribution (buster).

For the stable distribution (buster), these problems have been fixed in version 1.9.0-2+deb10u2.

We recommend that you upgrade your unbound packages.

For the detailed security status of unbound please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/unbound

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2020-12399 CVE-2020-12405 CVE-2020-12406 CVE-2020-12410

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or a timing attack on cryptographic keys.

For the oldstable distribution (stretch), these problems have been fixed in version 68.9.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 68.9.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : nodejs

CVE ID : CVE-2020-8174 CVE-2020-11080

Debian Bug : 962145

Two vulnerabilities were discovered in Node.js, which could result in denial of service and potentially the execution of arbitrary code.

For the stable distribution (buster), these problems have been fixed in version 10.21.0~dfsg-1~deb10u1.

We recommend that you upgrade your nodejs packages.

For the detailed security status of nodejs please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nodejs

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : gnutls28

CVE ID : CVE-2020-13777

Debian Bug : 962289

A flaw was reported in the TLS session ticket key construction in GnuTLS, a library implementing the TLS and SSL protocols. The flaw caused the TLS server to not securely construct a session ticket encryption key considering the application supplied secret, allowing a man-in-the-middle attacker to bypass authentication in TLS 1.3 and recover previous conversations in TLS 1.2.

For the stable distribution (buster), this problem has been fixed in version 3.6.7-4+deb10u4.

We recommend that you upgrade your gnutls28 packages.

For the detailed security status of gnutls28 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/gnutls28

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : linux

CVE ID : CVE-2019-2182 CVE-2019-5108 CVE-2019-19319 CVE-2019-19462

CVE-2019-19768 CVE-2019-20806 CVE-2019-20811 CVE-2020-0543

CVE-2020-2732 CVE-2020-8428 CVE-2020-8647 CVE-2020-8648

CVE-2020-8649 CVE-2020-9383 CVE-2020-10711 CVE-2020-10732

CVE-2020-10751 CVE-2020-10757 CVE-2020-10942 CVE-2020-11494

CVE-2020-11565 CVE-2020-11608 CVE-2020-11609 CVE-2020-11668

CVE-2020-12114 CVE-2020-12464 CVE-2020-12652 CVE-2020-12653

CVE-2020-12654 CVE-2020-12770 CVE-2020-13143

Debian Bug : 952660

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2019-2182

Hanjun Guo and Lei Li reported a race condition in the arm64

virtual memory management code, which could lead to an information

disclosure, denial of service (crash), or possibly privilege

escalation.

CVE-2019-5108

Mitchell Frank of Cisco discovered that when the IEEE 802.11

(WiFi) stack was used in AP mode with roaming, it would trigger

roaming for a newly associated station before the station was

authenticated. An attacker within range of the AP could use this

to cause a denial of service, either by filling up a switching

table or by redirecting traffic away from other stations.

CVE-2019-19319

Jungyeon discovered that a crafted filesystem can cause the ext4

implementation to deallocate or reallocate journal blocks. A user

permitted to mount filesystems could use this to cause a denial of

service (crash), or possibly for privilege escalation.

CVE-2019-19462

The syzbot tool found a missing error check in the 'relay'

library used to implement various files under debugfs. A local

user permitted to access debugfs could use this to cause a denial

of service (crash) or possibly for privilege escalation.

CVE-2019-19768

Tristan Madani reported a race condition in the blktrace debug

facility that could result in a use-after-free. A local user able

to trigger removal of block devices could possibly use this to

cause a denial of service (crash) or for privilege escalation.

CVE-2019-20806

A potential null pointer dereference was discovered in the tw5864

media driver. The security impact of this is unclear.

CVE-2019-20811

The Hulk Robot tool found a reference-counting bug in an error

path in the network subsystem. The security impact of this is

unclear.

CVE-2020-0543

Researchers at VU Amsterdam discovered that on some Intel CPUs

supporting the RDRAND and RDSEED instructions, part of a random

value generated by these instructions may be used in a later

speculative execution on any core of the same physical CPU.

Depending on how these instructions are used by applications, a

local user or VM guest could use this to obtain sensitive

information such as cryptographic keys from other users or VMs.

This vulnerability can be mitigated by a microcode update, either

as part of system firmware (BIOS) or through the intel-microcode

package in Debian's non-free archive section. This kernel update

only provides reporting of the vulnerability and the option to

disable the mitigation if it is not needed.

CVE-2020-2732

Paulo Bonzini discovered that the KVM implementation for Intel

processors did not properly handle instruction emulation for L2

guests when nested virtualization is enabled. This could allow an

L2 guest to cause privilege escalation, denial of service, or

information leaks in the L1 guest.

CVE-2020-8428

Al Viro discovered a potential use-after-free in the filesystem

core (vfs). A local user could exploit this to cause a denial of

service (crash) or possibly to obtain sensitive information from

the kernel.

CVE-2020-8647, CVE-2020-8649

The Hulk Robot tool found a potential MMIO out-of-bounds access in

the vgacon driver. A local user permitted to access a virtual

terminal (/dev/tty1 etc.) on a system using the vgacon driver

could use this to cause a denial of service (crash or memory

corruption) or possibly for privilege escalation.

CVE-2020-8648

The syzbot tool found a race condition in the the virtual terminal

driver, which could result in a use-after-free. A local user

permitted to access a virtual terminal could use this to cause a

denial of service (crash or memory corruption) or possibly for

privilege escalation.

CVE-2020-9383

Jordy Zomer reported an incorrect range check in the floppy driver

which could lead to a static out-of-bounds access. A local user

permitted to access a floppy drive could use this to cause a

denial of service (crash or memory corruption) or possibly for

privilege escalation.

CVE-2020-10711

Matthew Sheets reported NULL pointer dereference issues in the

SELinux subsystem while receiving CIPSO packet with null category. A

remote attacker can take advantage of this flaw to cause a denial of

service (crash). Note that this issue does not affect the binary

packages distributed in Debian as CONFIG_NETLABEL is not enabled.

CVE-2020-10732

An information leak of kernel private memory to userspace was found

in the kernel's implementation of core dumping userspace processes.

CVE-2020-10751

Dmitry Vyukov reported that the SELinux subsystem did not properly

handle validating multiple messages, which could allow a privileged

attacker to bypass SELinux netlink restrictions.

CVE-2020-10757

Fan Yang reported a flaw in the way mremap handled DAX hugepages,

allowing a local user to escalate their privileges

CVE-2020-10942

It was discovered that the vhost_net driver did not properly

validate the type of sockets set as back-ends. A local user

permitted to access /dev/vhost-net could use this to cause a stack

corruption via crafted system calls, resulting in denial of

service (crash) or possibly privilege escalation.

CVE-2020-11494

It was discovered that the slcan (serial line CAN) network driver

did not fully initialise CAN headers for received packets,

resulting in an information leak from the kernel to user-space or

over the CAN network.

CVE-2020-11565

Entropy Moe reported that the shared memory filesystem (tmpfs) did

not correctly handle an "mpol" mount option specifying an empty

node list, leading to a stack-based out-of-bounds write. If user

namespaces are enabled, a local user could use this to cause a

denial of service (crash) or possibly for privilege escalation.

CVE-2020-11608, CVE-2020-11609, CVE-2020-11668

It was discovered that the ov519, stv06xx, and xirlink_cit media

drivers did not properly validate USB device descriptors. A

physically present user with a specially constructed USB device

could use this to cause a denial-of-service (crash) or possibly

for privilege escalation.

CVE-2020-12114

Piotr Krysiuk discovered a race condition between the umount and

pivot_root operations in the filesystem core (vfs). A local user

with the CAP_SYS_ADMIN capability in any user namespace could use

this to cause a denial of service (crash).

CVE-2020-12464

Kyungtae Kim reported a race condition in the USB core that can

result in a use-after-free. It is not clear how this can be

exploited, but it could result in a denial of service (crash or

memory corruption) or privilege escalation.

CVE-2020-12652

Tom Hatskevich reported a bug in the mptfusion storage drivers.

An ioctl handler fetched a parameter from user memory twice,

creating a race condition which could result in incorrect locking

of internal data structures. A local user permitted to access

/dev/mptctl could use this to cause a denial of service (crash or

memory corruption) or for privilege escalation.

CVE-2020-12653

It was discovered that the mwifiex WiFi driver did not

sufficiently validate scan requests, resulting a potential heap

buffer overflow. A local user with CAP_NET_ADMIN capability could

use this to cause a denial of service (crash or memory corruption)

or possibly for privilege escalation.

CVE-2020-12654

It was discovered that the mwifiex WiFi driver did not

sufficiently validate WMM parameters received from an access point

(AP), resulting a potential heap buffer overflow. A malicious AP

could use this to cause a denial of service (crash or memory

corruption) or possibly to execute code on a vulnerable system.

CVE-2020-12770

It was discovered that the sg (SCSI generic) driver did not

correctly release internal resources in a particular error case.

A local user permitted to access an sg device could possibly use

this to cause a denial of service (resource exhaustion).

CVE-2020-13143

Kyungtae Kim reported a potential heap out-of-bounds write in

the USB gadget subsystem. A local user permitted to write to

the gadget configuration filesystem could use this to cause a

denial of service (crash or memory corruption) or potentially

for privilege escalation.

For the oldstable distribution (stretch), these problems have been fixed in version 4.9.210-1+deb9u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the macvlan driver introduced in the previous point release (bug #952660).

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/