Debian Security Advisory

    • Official post

    Package : apache2

    CVE ID : CVE-2020-1927 CVE-2020-1934 CVE-2020-9490 CVE-2020-11984 CVE-2020-11993

    Several vulnerabilities have been found in the Apache HTTPD server.

    CVE-2020-1927

    Fabrice Perez reported that certain mod_rewrite configurations are prone to an open redirect.

    CVE-2020-1934

    Chamal De Silva discovered that the mod_proxy_ftp module uses uninitialized memory when proxying to a malicious FTP backend.

    CVE-2020-9490

    Felix Wilhelm discovered that a specially crafted value for the 'Cache-Digest' header in an HTTP/2 request could cause a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.

    CVE-2020-11984

    Felix Wilhelm reported a buffer overflow flaw in the mod_proxy_uwsgi module which could result in information disclosure or potentially remote code execution.

    CVE-2020-11993

    Felix Wilhelm reported that when trace/debug was enabled for the HTTP/2 module, certain traffic edge patterns can cause logging statements on the wrong connection, causing concurrent use of memory pools.

    For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u4.

    We recommend that you upgrade your apache2 packages.

    For the detailed security status of apache2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/apache2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server

    CVE ID : CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14361

    CVE-2020-14362

    Debian Bug : 968986

    Several vulnerabilities have been discovered in the X.Org X server.

    Missing input sanitising in X server extensions may result in local privilege escalation if the X server is configured to run with root privileges. In addition an ASLR bypass was fixed.

    For the stable distribution (buster), these problems have been fixed in version 2:1.20.4-1+deb10u1.

    We recommend that you upgrade your xorg-server packages.

    For the detailed security status of xorg-server please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xorg-server

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ark

    CVE ID : CVE-2020-24654

    Debian Bug : 969437

    Fabian Vogt reported that the Ark archive manager did not sanitise extraction paths, which could result in maliciously crafted archives with symlinks writing outside the extraction directory.

    For the stable distribution (buster), this problem has been fixed in version 4:18.08.3-1+deb10u2.

    We recommend that you upgrade your ark packages.

    For the detailed security status of ark please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ark

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
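As an added example (not Ark's code and not from the advisory), the Python below constructs a tar archive of the kind the advisory describes, a symlink that points above the extraction directory followed by a file whose path runs through that symlink, and a pre-extraction check that flags any member whose write would land outside the chosen directory. The archive contents, the destination path `/tmp/extract` and the helper names are assumptions for illustration; nothing is written to disk.

```python
import io
import posixpath
import tarfile

# Constructed sample archives (not real Ark test data). The malicious one
# plants a symlink that points above the extraction directory and then a
# regular file whose path runs through that symlink, so a naive extractor
# writes the file outside the directory the user chose. A plain '../' entry
# is included as the simpler variant of the same problem.
MALICIOUS = [
    ("file", "docs/readme.txt", b"hello\n"),
    ("symlink", "docs/escape", "../../outside"),
    ("file", "docs/escape/profile", b"owned\n"),
    ("file", "../outside.txt", b"also owned\n"),
]
BENIGN = [
    ("file", "docs/readme.txt", b"hello\n"),
    ("symlink", "docs/latest", "readme.txt"),  # relative link staying inside
]


def build_archive(members) -> bytes:
    """Build an in-memory tar from (kind, name, data-or-link-target) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for kind, name, value in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = value
                tar.addfile(info)
            else:
                info.size = len(value)
                tar.addfile(info, io.BytesIO(value))
    return buf.getvalue()


def _inside(dest: str, rel: str) -> bool:
    """True if dest/rel, after collapsing '..' segments, is still under dest."""
    full = posixpath.normpath(posixpath.join(dest, rel))
    return full == dest or full.startswith(dest + "/")


def unsafe_members(archive: bytes, dest: str = "/tmp/extract") -> list:
    """List (member name, reason) for every member that would write outside
    dest, including writes routed through a symlink that escapes dest.
    Members are examined in archive order because that is extraction order."""
    dest = posixpath.normpath(dest)
    findings = []
    escaping_links = set()  # archive paths of symlinks whose target leaves dest
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if not _inside(dest, name):
                findings.append((m.name, "path escapes extraction directory"))
                continue
            # every ancestor directory of this member, e.g. docs, docs/escape
            parts = name.split("/")
            parents = {"/".join(parts[:k]) for k in range(1, len(parts))}
            if parents & escaping_links:
                findings.append((m.name, "path passes through a symlink that escapes extraction directory"))
                continue
            if m.issym():
                # link targets are resolved relative to the link's own directory
                target = posixpath.join(posixpath.dirname(name), m.linkname)
                if not _inside(dest, target):
                    findings.append((m.name, "symlink target outside extraction directory"))
                    escaping_links.add(name)
            elif m.islnk() and not _inside(dest, m.linkname):
                findings.append((m.name, "hardlink target outside extraction directory"))
    return findings


def safe_to_extract(archive: bytes, dest: str = "/tmp/extract") -> bool:
    """Gate to call before handing the archive to the real extractor."""
    return not unsafe_members(archive, dest)
```

The check is deliberately done on the archive listing rather than on the filesystem after the fact: once a file has been written through the symlink, the damage is done, so a pre-extraction pass over member names and link targets is the place to refuse the archive.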

    • Official post

    Package : qemu

    CVE ID : CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092

    Debian Bug : 961451 968947

    Multiple security issues were discovered in QEMU, a fast processor emulator:

    CVE-2020-12829

    An integer overflow in the sm501 display device may result in denial of service.

    CVE-2020-14364

    An out-of-bounds write in the USB emulation code may result in guest-to-host code execution.

    CVE-2020-15863

    A buffer overflow in the XGMAC network device may result in denial of service or the execution of arbitrary code.

    CVE-2020-16092

    A triggerable assert in the e1000e and vmxnet3 devices may result in denial of service.

    For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u8.

    We recommend that you upgrade your qemu packages.

    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : zeromq3

    CVE ID : CVE-2020-15166

    It was discovered that ZeroMQ, a lightweight messaging kernel library, does not properly handle connecting peers before a handshake is completed. A remote, unauthenticated client connecting to an application using the libzmq library, running with a socket listening with CURVE encryption/authentication enabled, can take advantage of this flaw to cause a denial of service affecting authenticated and encrypted clients.

    For the stable distribution (buster), this problem has been fixed in version 4.3.1-4+deb10u2.

    We recommend that you upgrade your zeromq3 packages.

    For the detailed security status of zeromq3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/zeromq3

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lemonldap-ng

    CVE ID : CVE-2020-24660

    It was discovered that the default configuration files for running the Lemonldap::NG Web SSO system on the Nginx web server were susceptible to authorisation bypass of URL access rules. The Debian packages do not use Nginx by default.

    For the stable distribution (buster), this problem has been fixed in version 2.0.2+ds-7+deb10u5. This update provides a fixed example configuration, which needs to be integrated into Lemonldap::NG deployments based on Nginx.

    We recommend that you upgrade your lemonldap-ng packages.

    For the detailed security status of lemonldap-ng please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lemonldap-ng

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : teeworlds

    CVE ID : CVE-2020-12066

    It was discovered that insufficient sanitising of received network packets in the game server of Teeworlds, an online multi-player platform 2D shooter, could result in denial of service.

    For the stable distribution (buster), this problem has been fixed in version 0.7.2-5+deb10u1.

    We recommend that you upgrade your teeworlds packages.

    For the detailed security status of teeworlds please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/teeworlds

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : inspircd

    CVE ID : CVE-2019-20917 CVE-2020-25269

    Debian Bug : 960650

    Two security issues were discovered in the pgsql and mysql modules of the InspIRCd IRC daemon, which could result in denial of service.

    For the stable distribution (buster), these problems have been fixed in version 2.0.27-1+deb10u1.

    We recommend that you upgrade your inspircd packages.

    For the detailed security status of inspircd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/inspircd

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : modsecurity

    CVE ID : CVE-2020-15598

    Ervin Hegedues discovered that ModSecurity v3 enabled global regular expression matching which could result in denial of service. For additional information please refer to https://coreruleset.org/20200914/cve-2020-15598/

    For the stable distribution (buster), this problem has been fixed in version 3.0.3-1+deb10u2.

    We recommend that you upgrade your modsecurity packages.

    For the detailed security status of modsecurity please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/modsecurity

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : rails

    CVE ID : CVE-2020-8162 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166 CVE-2020-8167 CVE-2020-15169

    Multiple security issues were discovered in the Rails web framework which could result in cross-site scripting, information leaks, code execution, cross-site request forgery or bypass of upload limits.

    For the stable distribution (buster), these problems have been fixed in version 2:5.2.2.1+dfsg-1+deb10u2.

    We recommend that you upgrade your rails packages.

    For the detailed security status of rails please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/rails

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mediawiki

    CVE ID : CVE-2020-15005 CVE-2020-25812 CVE-2020-25813 CVE-2020-25814 CVE-2020-25815 CVE-2020-25827 CVE-2020-25828

    Multiple security issues were discovered in MediaWiki, a website engine for collaborative work: SpecialUserRights could leak whether a user existed or not, multiple code paths lacked HTML sanitisation allowing for cross-site scripting and TOTP validation applied insufficient rate limiting against brute force attempts.

    For the stable distribution (buster), these problems have been fixed in version 1:1.31.10-1~deb10u1.

    We recommend that you upgrade your mediawiki packages.

    For the detailed security status of mediawiki please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mediawiki

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, cross-site scripting or spoofing the origin of a download.

    Debian follows the extended support releases (ESR) of Firefox. Support for the 68.x series has ended, so starting with this update we're now following the 78.x releases.

    Between 68.x and 78.x, Firefox has seen a number of feature updates.

    For more information please refer to https://www.mozilla.org/en-US/firefox/78.0esr/releasenotes/

    For the stable distribution (buster), these problems have been fixed in version 78.3.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2020-25595 CVE-2020-25596 CVE-2020-25597 CVE-2020-25599 CVE-2020-25600 CVE-2020-25601 CVE-2020-25602 CVE-2020-25603 CVE-2020-25604

    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in denial of service, guest-to-host privilege escalation or information leaks.

    For the stable distribution (buster), these problems have been fixed in version 4.11.4+37-g3263f257ca-1.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xen

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2020-15673 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678

    Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service.

    Debian follows the Thunderbird upstream releases. Support for the 68.x series has ended, so starting with this update we're now following the 78.x releases.

    The 78.x series discontinues support for some addons. Also, starting with 78, Thunderbird supports OpenPGP natively. If you are currently using the Enigmail addon for PGP, please refer to the included NEWS and README.Debian.gz files for information on how to migrate your keys.

    For the stable distribution (buster), these problems have been fixed in version 1:78.3.1-2~deb10u2.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : spice

    CVE ID : CVE-2020-14355

    Debian Bug : 971750

    Frediano Ziglio discovered multiple buffer overflow vulnerabilities in the QUIC image decoding process of spice, a SPICE protocol client and server library, which could result in denial of service or possibly the execution of arbitrary code.

    For the stable distribution (buster), this problem has been fixed in version 0.14.0-1.3+deb10u1.

    We recommend that you upgrade your spice packages.

    For the detailed security status of spice please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/spice

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : httpcomponents-client

    CVE ID : CVE-2020-13956

    Priyank Nigam discovered that HttpComponents Client, a Java HTTP agent implementation, could misinterpret a malformed authority component in a request URI and pick the wrong target host for request execution.

    For the stable distribution (buster), this problem has been fixed in version 4.5.7-1+deb10u1.

    We recommend that you upgrade your httpcomponents-client packages.

    For the detailed security status of httpcomponents-client please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/httpcomponents-client

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : yaws

    CVE ID : CVE-2020-24379 CVE-2020-24916

    Two vulnerabilities were discovered in yaws, a high performance HTTP 1.1 webserver written in Erlang.

    CVE-2020-24379

    The WebDAV implementation is prone to an XML External Entity (XXE) injection vulnerability.

    CVE-2020-24916

    The CGI implementation does not properly sanitize CGI requests, allowing a remote attacker to execute arbitrary shell commands via specially crafted CGI executable names.

    For the stable distribution (buster), these problems have been fixed in version 2.0.6+dfsg-1+deb10u1.

    We recommend that you upgrade your yaws packages.

    For the detailed security status of yaws please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/yaws

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2020-12351 CVE-2020-12352 CVE-2020-25211 CVE-2020-25643 CVE-2020-25645

    Debian Bug : 908712

    Several vulnerabilities have been discovered in the Linux kernel that may lead to the execution of arbitrary code, privilege escalation, denial of service or information leaks.

    CVE-2020-12351

    Andy Nguyen discovered a flaw in the Bluetooth implementation in the way L2CAP packets with A2MP CID are handled. A remote attacker within short range who knows the victim's Bluetooth device address can send a malicious L2CAP packet and cause a denial of service or possibly arbitrary code execution with kernel privileges.

    CVE-2020-12352

    Andy Nguyen discovered a flaw in the Bluetooth implementation. Stack memory is not properly initialised when handling certain AMP packets. A remote attacker within short range who knows the victim's Bluetooth device address can retrieve kernel stack information.

    CVE-2020-25211

    A flaw was discovered in the netfilter subsystem. A local attacker able to inject conntrack Netlink configuration can cause a denial of service.

    CVE-2020-25643

    ChenNan of Chaitin Security Research Lab discovered a flaw in the hdlc_ppp module. Improper input validation in the ppp_cp_parse_cr() function may lead to memory corruption and information disclosure.

    CVE-2020-25645

    A flaw was discovered in the interface driver for GENEVE encapsulated traffic when combined with IPsec. If IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, tunneled data isn't correctly routed over the encrypted link and is sent unencrypted instead.

    For the stable distribution (buster), these problems have been fixed in version 4.19.152-1. The vulnerabilities are fixed by rebasing to the new stable upstream version 4.19.152 which includes additional bugfixes.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/linux

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-flask-cors

    CVE ID : CVE-2020-25032

    Debian Bug : 969362

    A directory traversal vulnerability was discovered in python-flask-cors, a Flask extension for handling Cross Origin Resource Sharing (CORS), allowing access to private resources.

    For the stable distribution (buster), this problem has been fixed in version 3.0.7-1+deb10u1.

    We recommend that you upgrade your python-flask-cors packages.

    For the detailed security status of python-flask-cors please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/python-flask-cors

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
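As an added illustration of the vulnerability class named in the advisory (this is not Flask-CORS code), the Python below matches a request path against a constructed CORS resource policy in two ways: against the raw path, where a path containing `..` satisfies the permissive `/api/*` rule although the resource actually reached lives under `/admin/`, and against the canonical path, where the CORS decision and the served resource agree. The rules, origins, sample paths and helper names are assumptions for this example.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Constructed policy for the example (not Flask-CORS defaults): a permissive
# rule for the public API and a restricted rule for the private area.
RULES = [
    ("/api/*", {"origins": "*"}),
    ("/admin/*", {"origins": "https://ops.example.internal"}),
]


def _pattern_to_regex(pattern: str):
    """Translate a glob-style resource pattern such as '/api/*' into a regex
    anchored at both ends."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def canonical_path(path: str) -> str:
    """Decode percent-encoding once, then collapse '.', '..' and repeated
    slashes. The result is always absolute and can never climb above '/'."""
    decoded = unquote(path)
    # lstrip keeps normpath from preserving a leading '//' (POSIX allows it)
    return posixpath.normpath("/" + decoded.lstrip("/"))


def match_resource(path: str, canonicalise: bool = False) -> Optional[dict]:
    """Return the CORS options of the first rule matching the request path.

    canonicalise=False matches the raw path (the flawed behaviour): the
    traversal path '/api/../admin/users' is granted the '/api/*' options.
    canonicalise=True normalises first, so the decision is made for the
    resource the server will actually serve ('/admin/users')."""
    if canonicalise:
        path = canonical_path(path)
    for pattern, options in RULES:
        if _pattern_to_regex(pattern).match(path):
            return options
    return None
```

Whichever layer resolves the dot-segments, the CORS check and the request router must see the same path; normalising once, at the point where the policy is consulted, removes the disagreement that makes the traversal useful.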

    • Official post

    Package : mariadb-10.3

    CVE ID : CVE-2020-15180

    A security issue was discovered in the MariaDB database server.

    For the stable distribution (buster), this problem has been fixed in version 1:10.3.25-0+deb10u1.

    We recommend that you upgrade your mariadb-10.3 packages.

    For the detailed security status of mariadb-10.3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mariadb-10.3

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
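Each advisory above names the version that carries the fix. To check an installed version against it without dpkg at hand (for instance when auditing a package inventory exported from many hosts), the following Python implements the Debian version ordering that dpkg uses: epoch first, then upstream version, then Debian revision, with digit runs compared numerically and `~` sorting before everything else, including the end of the string. This is an added example, not Debian tooling; the fixed versions are taken from the advisories on this page, while the inventory dict and the helper names are constructed for illustration. On a live system, `dpkg --compare-versions` remains the authoritative check.

```python
import re


def _order(ch: str) -> int:
    """Character weight from dpkg's ordering: '~' sorts before everything,
    even the end of the string; letters sort before other characters;
    digits and end-of-string both weigh 0 (they terminate a non-digit run)."""
    if ch == "~":
        return -1
    if ch == "" or ch.isdigit():
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string like dpkg does:
    alternate non-digit runs (character by character via _order) with
    digit runs (numerically, so '10' > '9')."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) else ""
            cb = b[j] if j < len(b) else ""
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
            i += 1
            j += 1
        da = re.match(r"\d*", a[i:]).group()
        db = re.match(r"\d*", b[j:]).group()
        i += len(da)
        j += len(db)
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts (dpkg rules:
    epoch before the first ':', revision after the last '-')."""
    epoch, colon, rest = version.partition(":")
    if not colon:
        epoch, rest = "0", version
    upstream, dash, revision = rest.rpartition("-")
    if not dash:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _cmp_fragment(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def needs_update(installed: str, fixed: str) -> bool:
    """True when the installed version predates the version carrying the fix."""
    return compare_versions(installed, fixed) < 0


# Fixed versions for buster as stated in the advisories above.
FIXED = {
    "apache2": "2.4.38-3+deb10u4",
    "xorg-server": "2:1.20.4-1+deb10u1",
    "ark": "4:18.08.3-1+deb10u2",
    "qemu": "1:3.1+dfsg-8+deb10u8",
    "mediawiki": "1:1.31.10-1~deb10u1",
    "firefox-esr": "78.3.0esr-1~deb10u1",
}

# Constructed sample inventory (not taken from any real host).
INVENTORY = {
    "apache2": "2.4.38-3+deb10u3",        # one security upload behind
    "xorg-server": "2:1.20.4-1",          # no +debNuM suffix at all
    "ark": "4:18.08.3-1+deb10u2",         # exactly the fixed version
    "qemu": "1:3.1+dfsg-8+deb10u9",       # already newer than the fix
    "mediawiki": "1:1.31.10-1",           # '1' sorts after '1~deb10u1'
    "firefox-esr": "68.12.0esr-1~deb10u1",
}


def outdated(inventory=INVENTORY, fixed=FIXED) -> list:
    """Names of inventoried packages still older than their fixed version."""
    return sorted(p for p, v in inventory.items() if p in fixed and needs_update(v, fixed[p]))
```

The mediawiki entry is the case worth noticing: `1:1.31.10-1~deb10u1` is a backport-style revision and sorts before a plain `1:1.31.10-1`, so a host reporting the plain revision is not flagged, exactly as dpkg would decide.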