Debian Security Advisory

    • Official post

    Package : linux

    CVE ID : CVE-2019-3016 CVE-2019-19462 CVE-2020-0543 CVE-2020-10711 CVE-2020-10732 CVE-2020-10751 CVE-2020-10757 CVE-2020-12114 CVE-2020-12464 CVE-2020-12768 CVE-2020-12770 CVE-2020-13143

    Debian Bug : 960271

    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

    CVE-2019-3016

    It was discovered that the KVM implementation for x86 did not always perform TLB flushes when needed, if the paravirtualised TLB flush feature was enabled. This could lead to disclosure of sensitive information within a guest VM.

    CVE-2019-19462

    The syzkaller tool found a missing error check in the 'relay' library used to implement various files under debugfs. A local user permitted to access debugfs could use this to cause a denial of service (crash) or possibly for privilege escalation.

    CVE-2020-0543

    Researchers at VU Amsterdam discovered that on some Intel CPUs supporting the RDRAND and RDSEED instructions, part of a random value generated by these instructions may be used in a later speculative execution on any core of the same physical CPU. Depending on how these instructions are used by applications, a local user or VM guest could use this to obtain sensitive information such as cryptographic keys from other users or VMs.

    This vulnerability can be mitigated by a microcode update, either as part of system firmware (BIOS) or through the intel-microcode package in Debian's non-free archive section. This kernel update only provides reporting of the vulnerability and the option to disable the mitigation if it is not needed.

    CVE-2020-10711

    Matthew Sheets reported NULL pointer dereference issues in the SELinux subsystem while receiving a CIPSO packet with null category. A remote attacker can take advantage of this flaw to cause a denial of service (crash). Note that this issue does not affect the binary packages distributed in Debian as CONFIG_NETLABEL is not enabled.

    CVE-2020-10732

    An information leak of kernel private memory to userspace was found in the kernel's implementation of core dumping userspace processes.

    CVE-2020-10751

    Dmitry Vyukov reported that the SELinux subsystem did not properly handle validating multiple messages, which could allow a privileged attacker to bypass SELinux netlink restrictions.

    CVE-2020-10757

    Fan Yang reported a flaw in the way mremap handled DAX hugepages, allowing a local user to escalate their privileges.

    CVE-2020-12114

    Piotr Krysiuk discovered a race condition between the umount and pivot_root operations in the filesystem core (vfs). A local user with the CAP_SYS_ADMIN capability in any user namespace could use this to cause a denial of service (crash).

    CVE-2020-12464

    Kyungtae Kim reported a race condition in the USB core that can result in a use-after-free. It is not clear how this can be exploited, but it could result in a denial of service (crash or memory corruption) or privilege escalation.

    CVE-2020-12768

    A bug was discovered in the KVM implementation for AMD processors, which could result in a memory leak. The security impact of this is unclear.

    CVE-2020-12770

    It was discovered that the sg (SCSI generic) driver did not correctly release internal resources in a particular error case. A local user permitted to access an sg device could possibly use this to cause a denial of service (resource exhaustion).

    CVE-2020-13143

    Kyungtae Kim reported a potential heap out-of-bounds write in the USB gadget subsystem. A local user permitted to write to the gadget configuration filesystem could use this to cause a denial of service (crash or memory corruption) or potentially for privilege escalation.

    For the stable distribution (buster), these problems have been fixed in version 4.19.118-2+deb10u1. This version also fixes some related bugs that do not have their own CVE IDs, and a regression in the <linux/swab.h> UAPI header introduced in the previous point release (bug #960271).

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
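The advisory above notes that the kernel update only reports the CVE-2020-0543 (SRBDS) state and leaves the actual fix to a microcode update. As an added example that is not part of the Debian advisory, this POSIX shell check reads that report from sysfs and tells an administrator whether the microcode mitigation is actually in place. It assumes the kernel exposes /sys/devices/system/cpu/vulnerabilities/srbds (kernels carrying the reporting patch do) and that the status strings follow the upstream kernel's documented wording.

```shell
#!/bin/sh
# Added example, not Debian's or the kernel's own code: classify the SRBDS
# status string the patched kernel publishes under sysfs.
# Assumption: the file below exists on kernels with the CVE-2020-0543
# reporting patch; on older kernels it is absent.
SRBDS_FILE=/sys/devices/system/cpu/vulnerabilities/srbds

# classify_srbds STATUS
# Prints a one-line verdict for the given status string and returns
#   0  mitigated or not affected
#   1  vulnerable (microcode missing, or mitigation switched off)
#   2  state cannot be determined from the string
# Status wording assumed from the upstream kernel documentation, e.g.
# "Not affected", "Vulnerable", "Vulnerable: No microcode",
# "Mitigation: Microcode", "Mitigation: TSX disabled",
# "Unknown: Dependent on hypervisor status".
classify_srbds() {
    case "$1" in
        "Not affected"|"Mitigation:"*)
            echo "ok: $1"
            return 0 ;;
        "Vulnerable: No microcode")
            # Kernel is patched but the CPU still runs old microcode:
            # install intel-microcode (non-free) or a firmware (BIOS) update.
            echo "action: install updated microcode ($1)"
            return 1 ;;
        "Vulnerable"*)
            # Microcode may be present but the mitigation was disabled
            # (the advisory mentions the kernel option to turn it off).
            echo "action: mitigation disabled or missing ($1)"
            return 1 ;;
        *)
            # Covers the hypervisor-dependent case and any future wording.
            echo "unknown: $1"
            return 2 ;;
    esac
}

# check_live_srbds
# Reads the live sysfs value; a missing file means the running kernel
# predates the reporting patch, so the kernel itself needs updating first.
check_live_srbds() {
    if [ ! -r "$SRBDS_FILE" ]; then
        echo "kernel does not report SRBDS status (update the kernel first)"
        return 2
    fi
    classify_srbds "$(cat "$SRBDS_FILE")"
}
```

Source the script and run `check_live_srbds`; its exit status (0, 1 or 2) mirrors the verdict, so it can drive a configuration-management or monitoring check.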

    • Official post

    Package : roundcube

    CVE ID : CVE-2020-13964 CVE-2020-13965

    Debian Bug : 962123 962124

    Matei Badanoiu and LoRexxar@knownsec discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not correctly process and sanitize requests. This would allow a remote attacker to perform a Cross-Site Scripting (XSS) attack leading to the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 1.2.3+dfsg.1-4+deb9u5.

    For the stable distribution (buster), these problems have been fixed in version 1.3.13+dfsg.1-1~deb10u1.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/roundcube

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : intel-microcode

    CVE ID : CVE-2020-0543 CVE-2020-0548 CVE-2020-0549

    This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for the Special Register Buffer Data Sampling (CVE-2020-0543), Vector Register Sampling (CVE-2020-0548) and L1D Eviction Sampling (CVE-2020-0549) hardware vulnerabilities.

    The microcode update for HEDT and Xeon CPUs with signature 0x50654 which was reverted in DSA 4565-2 is now included again with a fixed release.

    The upstream update for Skylake-U/Y (signature 0x406e3) had to be excluded from this update due to reported hangs on boot.

    For details refer to

    https://www.intel.com/content/www/us…l-sa-00320.html

    https://www.intel.com/content/www/us…l-sa-00329.html

    For the oldstable distribution (stretch), these problems have been fixed in version 3.20200609.2~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 3.20200609.2~deb10u1.

    We recommend that you upgrade your intel-microcode packages.

    For the detailed security status of intel-microcode please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/intel-microcode

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2020-12410 CVE-2020-12406 CVE-2020-12405 CVE-2020-12399 CVE-2020-12398

    Multiple security issues have been found in Thunderbird which could result in the setup of a non-encrypted IMAP connection, denial of service or potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), this problem has been fixed in version 1:68.9.0-1~deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 1:68.9.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mysql-connector-java

    CVE ID : CVE-2020-2875 CVE-2020-2933 CVE-2020-2934

    Three vulnerabilities have been found in the MySQL Connector/J JDBC driver.

    For the oldstable distribution (stretch), these problems have been fixed in version 5.1.49-0+deb9u1.

    We recommend that you upgrade your mysql-connector-java packages.

    For the detailed security status of mysql-connector-java please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mysql-connector-java

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : vlc

    CVE ID : CVE-2020-13428

    A vulnerability was discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed video file is opened.

    For the oldstable distribution (stretch), this problem has been fixed in version 3.0.11-0+deb9u1.

    For the stable distribution (buster), this problem has been fixed in version 3.0.11-0+deb10u1.

    We recommend that you upgrade your vlc packages.

    For the detailed security status of vlc please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/vlc

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-django

    CVE ID : CVE-2020-9402 CVE-2020-13254 CVE-2020-13596

    It was discovered that Django, a high-level Python web development framework, did not properly sanitize input. This would allow a remote attacker to perform SQL injection attacks, Cross-Site Scripting (XSS) attacks, or leak sensitive information.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:1.10.7-2+deb9u9.

    For the stable distribution (buster), these problems have been fixed in version 1:1.11.29-1~deb10u1.

    We recommend that you upgrade your python-django packages.

    For the detailed security status of python-django please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-django

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mutt

    CVE ID : CVE-2020-14093

    Damian Poddebniak and Fabian Ising discovered two security issues in the STARTTLS handling of the Mutt mail client, which could enable MITM attacks.

    For the oldstable distribution (stretch), these problems have been fixed in version 1.7.2-1+deb9u3.

    For the stable distribution (buster), these problems have been fixed in version 1.10.1-2.1+deb10u2.

    We recommend that you upgrade your mutt packages.

    For the detailed security status of mutt please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mutt

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : neomutt

    CVE ID : CVE-2020-14093 CVE-2020-14954

    Damian Poddebniak and Fabian Ising discovered two security issues in the STARTTLS handling of the Neomutt mail client, which could enable MITM attacks.

    For the stable distribution (buster), these problems have been fixed in version 20180716+dfsg.1-1+deb10u1.

    We recommend that you upgrade your neomutt packages.

    For the detailed security status of neomutt please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/neomutt

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress

    CVE ID : CVE-2020-4046 CVE-2020-4047 CVE-2020-4048 CVE-2020-4049 CVE-2020-4050

    Debian Bug : 962685

    Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) attacks, create open redirects, escalate privileges, and bypass authorization access.

    For the stable distribution (buster), these problems have been fixed in version 5.0.10+dfsg1-0+deb10u1.

    We recommend that you upgrade your wordpress packages.

    For the detailed security status of wordpress please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/wordpress

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : trafficserver

    CVE ID : CVE-2020-9494

    Debian Bug : 963629

    A vulnerability was discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service via malformed HTTP/2 headers.

    For the stable distribution (buster), this problem has been fixed in version 8.0.2+ds-1+deb10u3.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/trafficserver

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : coturn

    CVE ID : CVE-2020-4067 CVE-2020-6061 CVE-2020-6062

    Debian Bug : 951876

    Several vulnerabilities were discovered in coturn, a TURN and STUN server for VoIP.

    CVE-2020-4067

    Felix Doerre reported that the STUN response buffer was not properly initialised, which could allow an attacker to leak bytes in the padding bytes from the connection of another client.

    CVE-2020-6061

    Aleksandar Nikolic reported that a crafted HTTP POST request can lead to information leaks and other misbehavior.

    CVE-2020-6062

    Aleksandar Nikolic reported that a crafted HTTP POST request can lead to server crash and denial of service.

    For the oldstable distribution (stretch), these problems have been fixed in version 4.5.0.5-1+deb9u2.

    For the stable distribution (buster), these problems have been fixed in version 4.5.1.1-1.1+deb10u1.

    We recommend that you upgrade your coturn packages.

    For the detailed security status of coturn please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/coturn

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : imagemagick

    CVE ID : CVE-2019-7175 CVE-2019-7395 CVE-2019-7396 CVE-2019-7397 CVE-2019-7398 CVE-2019-10649 CVE-2019-11470 CVE-2019-11472 CVE-2019-11597 CVE-2019-11598 CVE-2019-12974 CVE-2019-12975 CVE-2019-12976 CVE-2019-12977 CVE-2019-12978 CVE-2019-12979 CVE-2019-13135 CVE-2019-13137 CVE-2019-13295 CVE-2019-13297 CVE-2019-13300 CVE-2019-13301 CVE-2019-13304 CVE-2019-13305 CVE-2019-13307 CVE-2019-13308 CVE-2019-13309 CVE-2019-13311 CVE-2019-13454 CVE-2019-14981 CVE-2019-15139 CVE-2019-15140 CVE-2019-16708 CVE-2019-16710 CVE-2019-16711 CVE-2019-16713 CVE-2019-19948 CVE-2019-19949

    This update fixes multiple vulnerabilities in Imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed image files are processed.

    For the stable distribution (buster), these problems have been fixed in version 8:6.9.10.23+dfsg-2.1+deb10u1.

    We recommend that you upgrade your imagemagick packages.

    For the detailed security status of imagemagick please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/imagemagick

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 CVE-2020-12421

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 68.10.0esr-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 68.10.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2020-6423 CVE-2020-6430 CVE-2020-6431 CVE-2020-6432 CVE-2020-6433 CVE-2020-6434 CVE-2020-6435 CVE-2020-6436 CVE-2020-6437 CVE-2020-6438 CVE-2020-6439 CVE-2020-6440 CVE-2020-6441 CVE-2020-6442 CVE-2020-6443 CVE-2020-6444 CVE-2020-6445 CVE-2020-6446 CVE-2020-6447 CVE-2020-6448 CVE-2020-6454 CVE-2020-6455 CVE-2020-6456 CVE-2020-6457 CVE-2020-6458 CVE-2020-6459 CVE-2020-6460 CVE-2020-6461 CVE-2020-6462 CVE-2020-6463 CVE-2020-6464 CVE-2020-6465 CVE-2020-6466 CVE-2020-6467 CVE-2020-6468 CVE-2020-6469 CVE-2020-6470 CVE-2020-6471 CVE-2020-6472 CVE-2020-6473 CVE-2020-6474 CVE-2020-6475 CVE-2020-6476 CVE-2020-6478 CVE-2020-6479 CVE-2020-6480 CVE-2020-6481 CVE-2020-6482 CVE-2020-6483 CVE-2020-6484 CVE-2020-6485 CVE-2020-6486 CVE-2020-6487 CVE-2020-6488 CVE-2020-6489 CVE-2020-6490 CVE-2020-6491 CVE-2020-6493 CVE-2020-6494 CVE-2020-6495 CVE-2020-6496 CVE-2020-6497 CVE-2020-6498 CVE-2020-6505 CVE-2020-6506 CVE-2020-6507 CVE-2020-6509 CVE-2020-6831

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2020-6423

    A use-after-free issue was found in the audio implementation.

    CVE-2020-6430

    Avihay Cohen discovered a type confusion issue in the v8 javascript library.

    CVE-2020-6431

    Luan Herrera discovered a policy enforcement error.

    CVE-2020-6432

    Luan Herrera discovered a policy enforcement error.

    CVE-2020-6433

    Luan Herrera discovered a policy enforcement error in extensions.

    CVE-2020-6434

    HyungSeok Han discovered a use-after-free issue in the developer tools.

    CVE-2020-6435

    Sergei Glazunov discovered a policy enforcement error in extensions.

    CVE-2020-6436

    Igor Bukanov discovered a use-after-free issue.

    CVE-2020-6437

    Jann Horn discovered an implementation error in WebView.

    CVE-2020-6438

    Ng Yik Phang discovered a policy enforcement error in extensions.

    CVE-2020-6439

    remkoboonstra discovered a policy enforcement error.

    CVE-2020-6440

    David Erceg discovered an implementation error in extensions.

    CVE-2020-6441

    David Erceg discovered a policy enforcement error.

    CVE-2020-6442

    B@rMey discovered an implementation error in the page cache.

    CVE-2020-6443

    @lovasoa discovered an implementation error in the developer tools.

    CVE-2020-6444

    mlfbrown discovered an uninitialized variable in the WebRTC implementation.

    CVE-2020-6445

    Jun Kokatsu discovered a policy enforcement error.

    CVE-2020-6446

    Jun Kokatsu discovered a policy enforcement error.

    CVE-2020-6447

    David Erceg discovered an implementation error in the developer tools.

    CVE-2020-6448

    Guang Gong discovered a use-after-free issue in the v8 javascript library.

    CVE-2020-6454

    Leecraso and Guang Gong discovered a use-after-free issue in extensions.

    CVE-2020-6455

    Nan Wang and Guang Gong discovered an out-of-bounds read issue in the WebSQL implementation.

    CVE-2020-6456

    Michał Bentkowski discovered insufficient validation of untrusted input.

    CVE-2020-6457

    Leecraso and Guang Gong discovered a use-after-free issue in the speech recognizer.

    CVE-2020-6458

    Aleksandar Nikolic discovered an out-of-bounds read and write issue in the pdfium library.

    CVE-2020-6459

    Zhe Jin discovered a use-after-free issue in the payments implementation.

    CVE-2020-6460

    It was discovered that URL formatting was insufficiently validated.

    CVE-2020-6461

    Zhe Jin discovered a use-after-free issue.

    CVE-2020-6462

    Zhe Jin discovered a use-after-free issue in task scheduling.

    CVE-2020-6463

    Pawel Wylecial discovered a use-after-free issue in the ANGLE library.

    CVE-2020-6464

    Looben Yang discovered a type confusion issue in Blink/Webkit.

    CVE-2020-6465

    Woojin Oh discovered a use-after-free issue.

    CVE-2020-6466

    Zhe Jin discovered a use-after-free issue.

    CVE-2020-6467

    ZhanJia Song discovered a use-after-free issue in the WebRTC implementation.

    CVE-2020-6468

    Chris Salls and Jake Corina discovered a type confusion issue in the v8 javascript library.

    CVE-2020-6469

    David Erceg discovered a policy enforcement error in the developer tools.

    CVE-2020-6470

    Michał Bentkowski discovered insufficient validation of untrusted input.

    CVE-2020-6471

    David Erceg discovered a policy enforcement error in the developer tools.

    CVE-2020-6472

    David Erceg discovered a policy enforcement error in the developer tools.

    CVE-2020-6473

    Soroush Karami and Panagiotis Ilia discovered a policy enforcement error in Blink/Webkit.

    CVE-2020-6474

    Zhe Jin discovered a use-after-free issue in Blink/Webkit.

    CVE-2020-6475

    Khalil Zhani discovered a user interface error.

    CVE-2020-6476

    Alexandre Le Borgne discovered a policy enforcement error.

    CVE-2020-6478

    Khalil Zhani discovered an implementation error in full screen mode.

    CVE-2020-6479

    Zhong Zhaochen discovered an implementation error.

    CVE-2020-6480

    Marvin Witt discovered a policy enforcement error.

    CVE-2020-6481

    Rayyan Bijoora discovered a policy enforcement error.

    CVE-2020-6482

    Abdulrahman Alqabandi discovered a policy enforcement error in the developer tools.

    CVE-2020-6483

    Jun Kokatsu discovered a policy enforcement error in payments.

    CVE-2020-6484

    Artem Zinenko discovered insufficient validation of user data in the ChromeDriver implementation.

    CVE-2020-6485

    Sergei Glazunov discovered a policy enforcement error.

    CVE-2020-6486

    David Erceg discovered a policy enforcement error.

    CVE-2020-6487

    Jun Kokatsu discovered a policy enforcement error.

    CVE-2020-6488

    David Erceg discovered a policy enforcement error.

    CVE-2020-6489

    @lovasoa discovered an implementation error in the developer tools.

    CVE-2020-6490

    Insufficient validation of untrusted data was discovered.

    CVE-2020-6491

    Sultan Haikal discovered a user interface error.

    CVE-2020-6493

    A use-after-free issue was discovered in the WebAuthentication implementation.

    CVE-2020-6494

    Juho Nurimen discovered a user interface error.

    CVE-2020-6495

    David Erceg discovered a policy enforcement error in the developer tools.

    CVE-2020-6496

    Khalil Zhani discovered a use-after-free issue in payments.

    CVE-2020-6497

    Rayyan Bijoora discovered a policy enforcement issue.

    CVE-2020-6498

    Rayyan Bijoora discovered a user interface error.

    CVE-2020-6505

    Khalil Zhani discovered a use-after-free issue.

    CVE-2020-6506

    Alesandro Ortiz discovered a policy enforcement error.

    CVE-2020-6507

    Sergei Glazunov discovered an out-of-bounds write issue in the v8 javascript library.

    CVE-2020-6509

    A use-after-free issue was discovered in extensions.

    CVE-2020-6831

    Natalie Silvanovich discovered a buffer overflow issue in the SCTP library.

    For the oldstable distribution (stretch), security support for chromium has been discontinued.

    For the stable distribution (buster), these problems have been fixed in version 83.0.4103.116-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : imagemagick

    CVE ID : CVE-2019-13300 CVE-2019-13304 CVE-2019-13306 CVE-2019-13307 CVE-2019-15140 CVE-2019-19948

    This update fixes multiple vulnerabilities in Imagemagick: Various memory handling problems and cases of missing or incomplete input sanitising may result in denial of service, memory disclosure or potentially the execution of arbitrary code if malformed image files are processed.

    For the oldstable distribution (stretch), these problems have been fixed in version 8:6.9.7.4+dfsg-11+deb9u8.

    We recommend that you upgrade your imagemagick packages.

    For the detailed security status of imagemagick please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/imagemagick

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : docker.io

    CVE ID : CVE-2020-13401

    Debian Bug : 962141

    Etienne Champetier discovered that Docker, a Linux container runtime, created network bridges which by default accept IPv6 router advertisements.

    This could allow an attacker with the CAP_NET_RAW capability in a container to spoof router advertisements, resulting in information disclosure or denial of service.

    For the stable distribution (buster), this problem has been fixed in version 18.09.1+dfsg1-7.1+deb10u2.

    We recommend that you upgrade your docker.io packages.

    For the detailed security status of docker.io please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/docker.io

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    Debian Bug : 964145

    The previous update for chromium released as DSA 4714-1 was mistakenly built without compiler optimizations. This caused high CPU load and frequent crashes. Updated chromium packages are now available that correct this issue.

    For the oldstable distribution (stretch), security support for chromium has been discontinued.

    For the stable distribution (buster), this problem has been fixed in version 83.0.4103.116-1~deb10u2.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.0

    CVE ID : CVE-2019-11048 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064 CVE-2020-7066 CVE-2020-7067

    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 7.0.33-0+deb9u8.

    We recommend that you upgrade your php7.0 packages.

    For the detailed security status of php7.0 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php7.0

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2020-12417 CVE-2020-12418 CVE-2020-12419 CVE-2020-12420 CVE-2020-12421

    Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.

    For the oldstable distribution (stretch), these problems have been fixed in version 1:68.10.0-1~deb9u1.

    For the stable distribution (buster), these problems have been fixed in version 1:68.10.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/