Debian Security Advisory

    • Official post

    Package : libimage-exiftool-perl

    CVE ID : CVE-2021-22204

    Debian Bug : 987505


    A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.


    For the stable distribution (buster), this problem has been fixed in version 11.16-1+deb10u1.


    We recommend that you upgrade your libimage-exiftool-perl packages.


    For the detailed security status of libimage-exiftool-perl please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libimage-exiftool-perl


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230 CVE-2021-21231 CVE-2021-21232 CVE-2021-21233


    Several vulnerabilities have been discovered in the chromium web browser.


    CVE-2021-21227


    Gengming Liu discovered a data validation issue in the v8 javascript library.


    CVE-2021-21228


    Rob Wu discovered a policy enforcement error.


    CVE-2021-21229


    Mohit Raj discovered a user interface error in the file downloader.


    CVE-2021-21230


    Manfred Paul discovered use of an incorrect type.


    CVE-2021-21231


    Sergei Glazunov discovered a data validation issue in the v8 javascript library.


    CVE-2021-21232


    Abdulrahman Alqabandi discovered a use-after-free issue in the developer tools.


    CVE-2021-21233


    Omair discovered a buffer overflow issue in the ANGLE library.


    For the stable distribution (buster), these problems have been fixed in version 90.0.4430.93-1~deb10u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : exim4

    CVE ID : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010 CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014 CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021 CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025 CVE-2020-28026


    The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.


    Details can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt


    For the stable distribution (buster), these problems have been fixed in version 4.92-8+deb10u6.


    We recommend that you upgrade your exim4 packages.


    For the detailed security status of exim4 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/exim4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : hivex

    CVE ID : CVE-2021-3504

    Debian Bug : 988024


    Jeremy Galindo discovered an out-of-bounds memory access in Hivex, a library to parse Windows Registry hive files.


    For the stable distribution (buster), this problem has been fixed in version 1.3.18-1+deb10u1.


    We recommend that you upgrade your hivex packages.


    For the detailed security status of hivex please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/hivex


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : graphviz

    CVE ID : CVE-2020-18032

    Debian Bug : 988000


    A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.


    For the stable distribution (buster), this problem has been fixed in version 2.40.1-6+deb10u1.


    We recommend that you upgrade your graphviz packages.


    For the detailed security status of graphviz please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/graphviz


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postgresql-11

    CVE ID : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029


    Multiple security issues have been discovered in the PostgreSQL database system, which could result in the execution of arbitrary code or disclosure of memory content.


    For the stable distribution (buster), these problems have been fixed in version 11.12-0+deb10u1.


    We recommend that you upgrade your postgresql-11 packages.


    For the detailed security status of postgresql-11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/postgresql-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : prosody

    CVE ID : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921


    Multiple security issues were found in Prosody, a lightweight Jabber/XMPP server, which could result in denial of service or information disclosure.


    For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1.


    We recommend that you upgrade your prosody packages.


    For the detailed security status of prosody please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/prosody


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2021-30506 CVE-2021-30507 CVE-2021-30508 CVE-2021-30509 CVE-2021-30510 CVE-2021-30511 CVE-2021-30512 CVE-2021-30513 CVE-2021-30514 CVE-2021-30515 CVE-2021-30516 CVE-2021-30517 CVE-2021-30518 CVE-2021-30519 CVE-2021-30520


    Several vulnerabilities have been discovered in the chromium web browser.


    CVE-2021-30506


    @retsew0x01 discovered an error in the Web App installation interface.


    CVE-2021-30507


    Alison Huffman discovered an error in the Offline mode.


    CVE-2021-30508


    Leecraso and Guang Gong discovered a buffer overflow issue in the Media Feeds implementation.


    CVE-2021-30509


    David Erceg discovered an out-of-bounds write issue in the Tab Strip implementation.


    CVE-2021-30510


    Weipeng Jiang discovered a race condition in the aura window manager.


    CVE-2021-30511


    David Erceg discovered an out-of-bounds read issue in the Tab Strip implementation.


    CVE-2021-30512


    ZhanJia Song discovered a use-after-free issue in the notifications implementation.


    CVE-2021-30513


    Man Yue Mo discovered an incorrect type in the v8 javascript library.


    CVE-2021-30514


    koocola and Wang discovered a use-after-free issue in the Autofill feature.


    CVE-2021-30515


    Rong Jian and Guang Gong discovered a use-after-free issue in the file system access API.


    CVE-2021-30516


    ZhanJia Song discovered a buffer overflow issue in the browsing history.


    CVE-2021-30517


    Jun Kokatsu discovered a buffer overflow issue in the reader mode.


    CVE-2021-30518


    laural discovered use of an incorrect type in the v8 javascript library.


    CVE-2021-30519


    asnine discovered a use-after-free issue in the Payments feature.


    CVE-2021-30520


    Khalil Zhani discovered a use-after-free issue in the Tab Strip implementation.


    For the stable distribution (buster), these problems have been fixed in version 90.0.4430.212-1~deb10u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby-rack-cors

    CVE ID : CVE-2019-18978

    Debian Bug : 944849


    Improper pathname handling in ruby-rack-cors, a middleware that makes Rack-based apps CORS compatible, may result in access to private resources.


    For the stable distribution (buster), this problem has been fixed in version 1.0.2-1+deb10u1.


    We recommend that you upgrade your ruby-rack-cors packages.


    For the detailed security status of ruby-rack-cors please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ruby-rack-cors


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : prosody

    Debian Bug : 988756


    The update for prosody released as DSA 4916-1 introduced a regression in websocket support. Updated prosody packages are now available to correct this issue.


    For the stable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u2.


    We recommend that you upgrade your prosody packages.


    For the detailed security status of prosody please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/prosody


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lz4

    CVE ID : CVE-2021-3520

    Debian Bug : 987856


    Jasper Lievisse Adriaanse reported an integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption.


    For the stable distribution (buster), this problem has been fixed in version 1.8.3-1+deb10u1.


    We recommend that you upgrade your lz4 packages.


    For the detailed security status of lz4 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lz4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libx11

    CVE ID : CVE-2021-31535

    Debian Bug : 988737


    Roman Fiedler reported that missing length validation in various functions provided by libx11, the X11 client-side library, allows X11 protocol commands to be injected into X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code.


    For the stable distribution (buster), this problem has been fixed in version 2:1.6.7-1+deb10u2.


    We recommend that you upgrade your libx11 packages.


    For the detailed security status of libx11 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libx11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nginx

    CVE ID : CVE-2021-23017

    Debian Bug : 989095


    Luis Merino, Markus Vervier and Eric Sesterhenn discovered an off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.


    For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u4.


    We recommend that you upgrade your nginx packages.


    For the detailed security status of nginx please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/nginx


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : hyperkitty

    CVE ID : CVE-2021-33038


    Amir Sarabadani and Kunal Mehta discovered that the import functionality of Hyperkitty, the web user interface to access Mailman 3 archives, did not restrict the visibility of private archives during the import, i.e. that during the import of a private Mailman 2 archive the archive was publicly accessible until the import completed.


    For the stable distribution (buster), this problem has been fixed in version 1.2.2-1+deb10u1.


    We recommend that you upgrade your hyperkitty packages.


    For the detailed security status of hyperkitty please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/hyperkitty


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11-jre-dcevm

    Debian Bug : 942876


    The Dynamic Code Evolution Virtual Machine (DCE VM), an alternative VM for OpenJDK 11 with enhanced class redefinition, has been updated for compatibility with OpenJDK 11.0.11.


    For the stable distribution (buster), this problem has been fixed in version openjdk-11-jre-dcevm_11.0.11+9-2~deb10u1.


    We recommend that you upgrade your openjdk-11-jre-dcevm packages.


    For the detailed security status of openjdk-11-jre-dcevm please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openjdk-11-jre-dcevm


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2021-1788 CVE-2021-1844 CVE-2021-1871


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2021-1788


    Francisco Alonso discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-1844


    Clement Lecigne and Alison Huffman discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-1871


    An anonymous researcher discovered that a remote attacker may be able to cause arbitrary code execution.


    For the stable distribution (buster), these problems have been fixed in version 2.32.1-1~deb10u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : squid

    CVE ID : CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVE-2021-31807 CVE-2021-31808

    Debian Bug : 988891 988892 988893 989043


    Multiple denial of service vulnerabilities were discovered in the Squid proxy caching server.


    For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u6.


    We recommend that you upgrade your squid packages.


    For the detailed security status of squid please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/squid


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-29967


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the stable distribution (buster), this problem has been fixed in version 78.11.0esr-1~deb10u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lasso

    CVE ID : CVE-2021-28091


    It was discovered that lasso, a library which implements SAML 2.0 and Liberty Alliance standards, did not properly verify that all assertions in a SAML response were properly signed, allowing an attacker to impersonate users or bypass access control.


    For the stable distribution (buster), this problem has been fixed in version 2.6.0-2+deb10u1.


    We recommend that you upgrade your lasso packages.


    For the detailed security status of lasso please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lasso


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-29956 CVE-2021-29957 CVE-2021-29967


    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. In addition, two security issues were addressed in the OpenPGP support.


    For the stable distribution (buster), these problems have been fixed in version 1:78.11.0-1~deb10u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/