Debian Security Advisory

    • Official post

    Package : php7.3

    CVE ID : CVE-2019-11048 CVE-2020-7062 CVE-2020-7063 CVE-2020-7064 CVE-2020-7065 CVE-2020-7066 CVE-2020-7067

    Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

    For the stable distribution (buster), these problems have been fixed in version 7.3.19-1~deb10u1.

    We recommend that you upgrade your php7.3 packages.

    For the detailed security status of php7.3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/php7.3

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : roundcube

    CVE ID : CVE-2020-15562

    Debian Bug : 964355

    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize incoming mail messages. This would allow a remote attacker to perform a Cross-Site Scripting (XSS) attack.

    For the stable distribution (buster), this problem has been fixed in version 1.3.14+dfsg.1-1~deb10u1.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/roundcube

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby2.5

    CVE ID : CVE-2020-10663 CVE-2020-10933

    Several vulnerabilities have been discovered in the interpreter for the Ruby language.

    CVE-2020-10663

    Jeremy Evans reported an unsafe object creation vulnerability in the json gem bundled with Ruby. When parsing certain JSON documents, the json gem can be coerced into creating arbitrary objects in the target system.

    CVE-2020-10933

    Samuel Williams reported a flaw in the socket library which may lead to exposure of possibly sensitive data from the interpreter.

    For the stable distribution (buster), these problems have been fixed in version 2.5.5-3+deb10u2.

    We recommend that you upgrade your ruby2.5 packages.

    For the detailed security status of ruby2.5 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby2.5

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ffmpeg

    CVE ID : CVE-2019-13390 CVE-2019-17539 CVE-2019-17542 CVE-2020-12284 CVE-2020-13904

    Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.

    For the stable distribution (buster), these problems have been fixed in version 7:4.1.6-1~deb10u1.

    We recommend that you upgrade your ffmpeg packages.

    For the detailed security status of ffmpeg please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ffmpeg

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    Debian Bug : 963548

    The previous update for chromium released as DSA 4714-2 contained a flaw in the service worker implementation. This problem causes the browser to crash when a connection error occurs. Updated chromium packages are now available that correct this issue.

    For the stable distribution (buster), this problem has been fixed in version 83.0.4103.116-1~deb10u3.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2020-11739 CVE-2020-11740 CVE-2020-11741 CVE-2020-11742 CVE-2020-11743 CVE-2020-15563 CVE-2020-15564 CVE-2020-15565 CVE-2020-15566 CVE-2020-15567

    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks.

    For the stable distribution (buster), these problems have been fixed in version 4.11.4+24-gddaaccbbab-1~deb10u1.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xen

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-13753

    The following vulnerabilities have been discovered in the webkit2gtk web engine:

    CVE-2020-9802

    Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2020-9803

    Wen Xu discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2020-9805

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

    CVE-2020-9806

    Wen Xu discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2020-9807

    Wen Xu discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2020-9843

    Ryan Pickren discovered that processing maliciously crafted web content may lead to a cross site scripting attack.

    CVE-2020-9850

    @jinmo123, @setuid0x0_, and @insu_yun_en discovered that a remote attacker may be able to cause arbitrary code execution.

    CVE-2020-13753

    Milan Crha discovered that an attacker may be able to execute commands outside the bubblewrap sandbox.

    For the stable distribution (buster), these problems have been fixed in version 2.28.3-2~deb10u1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : evolution-data-server

    CVE ID : CVE-2020-14928

    Damian Poddebniak and Fabian Ising discovered a response injection vulnerability in Evolution data server, which could enable MITM attacks.

    For the stable distribution (buster), this problem has been fixed in version 3.30.5-1+deb10u1.

    We recommend that you upgrade your evolution-data-server packages.

    For the detailed security status of evolution-data-server please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/evolution-data-server

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nss

    CVE ID : CVE-2019-17006 CVE-2019-17023 CVE-2020-12399 CVE-2020-12402

    Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in side channel/timing attacks or denial of service.

    For the stable distribution (buster), these problems have been fixed in version 2:3.42.1-1+deb10u3.

    We recommend that you upgrade your nss packages.

    For the detailed security status of nss please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/nss

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat9

    CVE ID : CVE-2020-9484 CVE-2020-11996 CVE-2020-13934 CVE-2020-13935

    Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in code execution or denial of service.

    For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u2.

    We recommend that you upgrade your tomcat9 packages.

    For the detailed security status of tomcat9 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tomcat9

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qemu

    CVE ID : CVE-2020-10756 CVE-2020-13361 CVE-2020-13362 CVE-2020-13754 CVE-2020-13659

    Debian Bug : 964247 961887 961887 961888

    Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service.

    For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u6.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libopenmpt

    CVE ID : CVE-2019-14380 CVE-2019-17113

    Two security issues were found in libopenmpt, a cross-platform C++ and C library to decode tracked music files, which could result in denial of service and potentially the execution of arbitrary code if malformed music files are processed.

    For the stable distribution (buster), these problems have been fixed in version 0.4.3-1+deb10u1.

    We recommend that you upgrade your libopenmpt packages.

    For the detailed security status of libopenmpt please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libopenmpt

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby-sanitize

    CVE ID : CVE-2020-4054

    Debian Bug : 963808

    Michal Bentkowski discovered that ruby-sanitize, a whitelist-based HTML sanitizer, is prone to an HTML sanitization bypass vulnerability when using the "relaxed" or a custom config allowing certain elements.

    Content in a <math> or <svg> element may not be sanitized correctly even if math and svg are not in the allowlist.

    For the stable distribution (buster), this problem has been fixed in version 4.6.6-2.1~deb10u1.

    We recommend that you upgrade your ruby-sanitize packages.

    For the detailed security status of ruby-sanitize please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby-sanitize

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : redis

    CVE ID : CVE-2020-14147

    An integer overflow flaw leading to a stack-based buffer overflow was discovered in redis, a persistent key-value database. A remote attacker can use this flaw to cause a denial of service (application crash).

    For the stable distribution (buster), this problem has been fixed in version 5:5.0.3-4+deb10u2.

    We recommend that you upgrade your redis packages.

    For the detailed security status of redis please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/redis

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : squid

    CVE ID : CVE-2019-18860 CVE-2020-1504

    Two security issues were discovered in the Squid proxy caching server, which could result in cache poisoning, request smuggling and incomplete validation of hostnames in cachemgr.cgi.

    For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u3.

    We recommend that you upgrade your squid packages.

    For the detailed security status of squid please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/squid

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qemu

    CVE ID : CVE-2020-8608

    Debian Bug : 964793

    It was discovered that incorrect memory handling in the SLIRP networking implementation could result in denial of service or potentially the execution of arbitrary code.

    For the stable distribution (buster), this problem has been fixed in version 1:3.1+dfsg-8+deb10u7. In addition this update fixes a regression caused by the patch for CVE-2020-13754, which could lead to startup failures in some Xen setups.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2020-14556 CVE-2020-14562 CVE-2020-14573 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621

    Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, bypass of access/sandbox restrictions or information disclosure.

    For the stable distribution (buster), these problems have been fixed in version 11.0.8+10-1~deb10u1.

    We recommend that you upgrade your openjdk-11 packages.

    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : grub2

    CVE ID : CVE-2020-10713 CVE-2020-14308 CVE-2020-14309 CVE-2020-14310 CVE-2020-14311 CVE-2020-15706 CVE-2020-15707

    Several vulnerabilities have been discovered in the GRUB2 bootloader.

    CVE-2020-10713

    A flaw in the grub.cfg parsing code was found allowing to break UEFI Secure Boot and load arbitrary code. Details can be found at https://www.eclypsium.com/2020/07/29/the…le-in-the-boot/

    CVE-2020-14308

    It was discovered that grub_malloc does not validate the allocation size allowing for arithmetic overflow and subsequently a heap-based buffer overflow.

    CVE-2020-14309

    An integer overflow in grub_squash_read_symlink may lead to a heap-based buffer overflow.

    CVE-2020-14310

    An integer overflow in read_section_from_string may lead to a heap-based buffer overflow.

    CVE-2020-14311

    An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow.

    CVE-2020-15706

    script: Avoid a use-after-free when redefining a function during execution.

    CVE-2020-15707

    An integer overflow flaw was found in the initrd size handling.

    Further detailed information can be found at https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot

    For the stable distribution (buster), these problems have been fixed in version 2.02+dfsg1-20+deb10u1.

    We recommend that you upgrade your grub2 packages.

    For the detailed security status of grub2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/grub2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : grub2

    Debian Bug : 966554

    The update for grub2 released as DSA 4735-1 caused a boot regression when chainloading another bootloader, notably breaking dual-boot with Windows. Updated grub2 packages are now available to correct this issue.

    For the stable distribution (buster), this problem has been fixed in version 2.02+dfsg1-20+deb10u2.

    We recommend that you upgrade your grub2 packages.

    For the detailed security status of grub2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/grub2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or an information leak.

    For the stable distribution (buster), these problems have been fixed in version 68.11.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/