Debian Security Advisory

    • Official post

    Package : xrdp

    CVE ID : CVE-2020-4044

    Debian Bug : 964573

    Ashley Newson discovered that the XRDP sessions manager was susceptible to denial of service. A local attacker can further take advantage of this flaw to impersonate the XRDP sessions manager and capture any user credentials that are submitted to XRDP, approve or reject arbitrary login credentials or to hijack existing sessions for xorgxrdp sessions.

    For the stable distribution (buster), this problem has been fixed in version 0.9.9-1+deb10u1.

    We recommend that you upgrade your xrdp packages.

    For the detailed security status of xrdp please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xrdp

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ark

    CVE ID : CVE-2020-16116

    Dominik Penner discovered that the Ark archive manager did not sanitise extraction paths, which could result in maliciously crafted archives writing outside the extraction directory.

    For the stable distribution (buster), this problem has been fixed in version 4:18.08.3-1+deb10u1.

    We recommend that you upgrade your ark packages.

    For the detailed security status of ark please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ark

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 CVE-2020-9925

    The following vulnerabilities have been discovered in the webkit2gtk web engine:

    CVE-2020-9862

    Ophir Lojkine discovered that copying a URL from the Web Inspector may lead to command injection.

    CVE-2020-9893

    0011 discovered that a remote attacker may be able to cause unexpected application termination or arbitrary code execution.

    CVE-2020-9894

    0011 discovered that a remote attacker may be able to cause unexpected application termination or arbitrary code execution.

    CVE-2020-9895

    Wen Xu discovered that a remote attacker may be able to cause unexpected application termination or arbitrary code execution.

    CVE-2020-9915

    Ayoub Ait Elmokhtar discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.

    CVE-2020-9925

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

    For the stable distribution (buster), these problems have been fixed in version 2.28.4-1~deb10u1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2020-6463 CVE-2020-6514 CVE-2020-15652 CVE-2020-15659

    Multiple security issues have been found in Thunderbird which could result in denial of service or potentially the execution of arbitrary code.

    For the stable distribution (buster), these problems have been fixed in version 1:68.11.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firejail

    CVE ID : CVE-2020-17367 CVE-2020-17368

    Tim Starling discovered two vulnerabilities in firejail, a sandbox program to restrict the running environment of untrusted applications.

    CVE-2020-17367

    It was reported that firejail does not respect the end-of-options separator ("--"), allowing an attacker with control over the command line options of the sandboxed application to write data to a specified file.

    CVE-2020-17368

    It was reported that firejail, when redirecting output via --output or --output-stderr, concatenates all command line arguments into a single string that is passed to a shell. An attacker who has control over the command line arguments of the sandboxed application could take advantage of this flaw to run arbitrary other commands.

    For the stable distribution (buster), these problems have been fixed in version 0.9.58.2-2+deb10u1.

    We recommend that you upgrade your firejail packages.

    For the detailed security status of firejail please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firejail

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : json-c

    CVE ID : CVE-2020-12762

    Tobias Stoeckmann discovered an integer overflow in the json-c JSON library, which could result in denial of service or potentially the execution of arbitrary code if large malformed JSON files are processed.

    For the stable distribution (buster), this problem has been fixed in version 0.12.1+ds-2+deb10u1.

    We recommend that you upgrade your json-c packages.

    For the detailed security status of json-c please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/json-c

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby-kramdown

    CVE ID : CVE-2020-14001

    Debian Bug : 965305

    A flaw was discovered in ruby-kramdown, a fast, pure ruby, Markdown parser and converter, which could result in unintended read access to files or unintended embedded Ruby code execution when the {::options /} extension is used together with the 'template' option.

    The update introduces a new option 'forbidden_inline_options' to restrict the options allowed with the {::options /} extension. By default the 'template' option is forbidden.

    For the stable distribution (buster), this problem has been fixed in version 1.17.0-1+deb10u1.

    We recommend that you upgrade your ruby-kramdown packages.

    For the detailed security status of ruby-kramdown please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby-kramdown

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : roundcube

    CVE ID : CVE-2020-16145

    Debian Bug : 968216

    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, is prone to cross-site scripting vulnerabilities in handling invalid svg and math tag content.

    For the stable distribution (buster), this problem has been fixed in version 1.3.15+dfsg.1-1~deb10u1.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/roundcube

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : dovecot

    CVE ID : CVE-2020-12100 CVE-2020-12673 CVE-2020-12674

    Several vulnerabilities have been discovered in the Dovecot email server.

    CVE-2020-12100

    Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

    CVE-2020-12673

    Dovecot's NTLM implementation does not correctly check message buffer size, which leads to a crash when reading past allocation.

    CVE-2020-12674

    Dovecot's RPA mechanism implementation accepts zero-length message, which leads to assert-crash later on.

    For the stable distribution (buster), these problems have been fixed in version 1:2.3.4.1-5+deb10u3.

    We recommend that you upgrade your dovecot packages.

    For the detailed security status of dovecot please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/dovecot

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : net-snmp

    CVE ID : CVE-2020-15861 CVE-2020-15862

    Debian Bug : 965166 966599

    Several vulnerabilities were discovered in net-snmp, a suite of Simple Network Management Protocol applications, which could lead to privilege escalation.

    For the stable distribution (buster), these problems have been fixed in version 5.7.3+dfsg-5+deb10u1.

    We recommend that you upgrade your net-snmp packages.

    For the detailed security status of net-snmp please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/net-snmp

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : icingaweb2

    CVE ID : CVE-2020-24368

    Debian Bug : 968833

    A directory traversal vulnerability was discovered in Icinga Web 2, a web interface for Icinga, which could result in the disclosure of files readable by the process.

    For the stable distribution (buster), this problem has been fixed in version 2.6.2-3+deb10u1.

    We recommend that you upgrade your icingaweb2 packages.

    For the detailed security status of icingaweb2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/icingaweb2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ghostscript

    CVE ID : CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310 CVE-2020-17538

    Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

    For the stable distribution (buster), these problems have been fixed in version 9.27~dfsg-2+deb10u4.

    We recommend that you upgrade your ghostscript packages.

    For the detailed security status of ghostscript please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ghostscript

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-15664 CVE-2020-15669

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or unintended or malicious extensions being installed.

    For the stable distribution (buster), these problems have been fixed in version 68.12.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nginx

    CVE ID : CVE-2020-11724

    Debian Bug : 964950

    It was reported that the Lua module for Nginx, a high-performance web and reverse proxy server, is prone to an HTTP request smuggling vulnerability.

    For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u3.

    We recommend that you upgrade your nginx packages.

    For the detailed security status of nginx please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/nginx

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : squid

    CVE ID : CVE-2020-15810 CVE-2020-15811 CVE-2020-24606

    Debian Bug : 968932 968933 968934

    Several vulnerabilities were discovered in Squid, a fully featured web proxy cache, which could result in request splitting, request smuggling (leading to cache poisoning) and denial of service when processing crafted cache digest response messages.

    For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u4.

    We recommend that you upgrade your squid packages.

    For the detailed security status of squid please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/squid

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : bind9

    CVE ID : CVE-2020-8619 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624

    Debian Bug : 966497

    Several vulnerabilities were discovered in BIND, a DNS server implementation.

    CVE-2020-8619

    It was discovered that an asterisk character in an empty non-terminal can cause an assertion failure, resulting in denial of service.

    CVE-2020-8622

    Dave Feldman, Jeff Warren, and Joel Cunningham reported that a truncated TSIG response can lead to an assertion failure, resulting in denial of service.

    CVE-2020-8623

    Lyu Chiy reported that a flaw in the native PKCS#11 code can lead to a remotely triggerable assertion failure, resulting in denial of service.

    CVE-2020-8624

    Joop Boonen reported that update-policy rules of type "subdomain" are enforced incorrectly, allowing updates to all parts of the zone along with the intended subdomain.

    For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u2.

    We recommend that you upgrade your bind9 packages.

    For the detailed security status of bind9 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/bind9

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mupdf

    CVE ID : CVE-2019-13290

    Debian Bug : 931475

    A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight PDF viewer, which may result in denial of service or the execution of arbitrary code if a malformed PDF file is opened.

    For the stable distribution (buster), this problem has been fixed in version 1.14.0+ds1-4+deb10u1.

    We recommend that you upgrade your mupdf packages.

    For the detailed security status of mupdf please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mupdf

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2020-15664 CVE-2020-15669

    Multiple security issues have been found in Thunderbird which could result in the execution of arbitrary code or the unintended installation of extensions.

    For the stable distribution (buster), these problems have been fixed in version 1:68.12.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openexr

    CVE ID : CVE-2017-9111 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306

    Multiple security issues were found in the OpenEXR image library, which could result in denial of service and potentially the execution of arbitrary code when processing malformed EXR image files.

    For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.

    We recommend that you upgrade your openexr packages.

    For the detailed security status of openexr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openexr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lilypond

    CVE ID : CVE-2020-17353

    Faidon Liambotis discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code.

    For the stable distribution (buster), this problem has been fixed in version 2.19.81+really-2.18.2-13+deb10u1.

    We recommend that you upgrade your lilypond packages.

    For the detailed security status of lilypond please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lilypond

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/