Debian Security Advisory

    • Official post

    Package : jetty9

    CVE ID : CVE-2019-10241 CVE-2019-10247 CVE-2020-27216 CVE-2020-27223 CVE-2020-28165 CVE-2020-28169 CVE-2021-34428


    Multiple vulnerabilities were discovered in Jetty, a Java servlet engine and webserver which could result in cross-site scripting, information disclosure, privilege escalation or denial of service.


    For the stable distribution (buster), these problems have been fixed in version 9.4.16-0+deb10u1.


    We recommend that you upgrade your jetty9 packages.


    For the detailed security status of jetty9 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/jetty9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ansible

    CVE ID : CVE-2019-10156 CVE-2019-10206 CVE-2019-14846 CVE-2019-14864 CVE-2019-14904 CVE-2020-1733 CVE-2020-1735 CVE-2020-1739 CVE-2020-1740 CVE-2020-1746 CVE-2020-1753 CVE-2020-10684 CVE-2020-10685 CVE-2020-10729 CVE-2020-14330 CVE-2020-14332 CVE-2020-14365 CVE-2021-20228


    Several vulnerabilities have been found in Ansible, a configuration management, deployment and task execution system, which could result in information disclosure or argument injection. In addition, a race condition in become_user was fixed.


    For the stable distribution (buster), these problems have been fixed in version 2.7.7+dfsg-1+deb10u1.


    We recommend that you upgrade your ansible packages.


    For the detailed security status of ansible please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ansible


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : bluez

    CVE ID : CVE-2020-26558 CVE-2020-27153 CVE-2021-0129

    Debian Bug : 989614


    Several vulnerabilities were discovered in Bluez, the Linux Bluetooth protocol stack.


    CVE-2020-26558 / CVE-2021-0129

    It was discovered that Bluez does not properly check permissions during the pairing operation, which could allow an attacker to impersonate the initiating device.

    CVE-2020-27153

    Jay LV discovered a double free flaw in the disconnect_cb() routine in gatttool. A remote attacker can take advantage of this flaw during service discovery for denial of service, or potentially, execution of arbitrary code.


    For the stable distribution (buster), these problems have been fixed in version 5.50-1.2~deb10u2.


    We recommend that you upgrade your bluez packages.


    For the detailed security status of bluez please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/bluez


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat9

    CVE ID : CVE-2021-30640 CVE-2021-33037

    Debian Bug : 991046


    Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, bypass of logout restrictions or authentications using variations of a valid user name.


    For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u5.


    We recommend that you upgrade your tomcat9 packages.


    For the detailed security status of tomcat9 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tomcat9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lynx

    CVE ID : CVE-2021-38165

    Debian Bug : 991971


    Thorsten Glaser and Axel Beckert reported that lynx, a non-graphical (text-mode) web browser, does not properly handle the userinfo subcomponent of a URI, which can lead to leaking of credentials in cleartext in SNI data.


    For the stable distribution (buster), this problem has been fixed in version 2.8.9rel.1-3+deb10u1.


    We recommend that you upgrade your lynx packages.


    For the detailed security status of lynx please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lynx


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : c-ares

    CVE ID : CVE-2021-3672

    Debian Bug : 992053


    Philipp Jeitner and Haya Shulman discovered a flaw in c-ares, a library that performs DNS requests and name resolution asynchronously. Missing input validation of hostnames returned by DNS servers can lead to output of wrong hostnames (leading to Domain Hijacking).


    For the stable distribution (buster), this problem has been fixed in version 1.14.0-1+deb10u1.


    We recommend that you upgrade your c-ares packages.


    For the detailed security status of c-ares please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/c-ares


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libspf2

    CVE ID : CVE-2021-20314


    Philipp Jeitner and Haya Shulman discovered a stack-based buffer overflow in libspf2, a library for validating mail senders with SPF, which could result in denial of service, or potentially execution of arbitrary code when processing a specially crafted SPF record.


    For the stable distribution (buster), this problem has been fixed in version 1.2.10-7.1~deb10u1.


    We recommend that you upgrade your libspf2 packages.


    For the detailed security status of libspf2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libspf2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11-jre-dcevm

    Debian Bug : 991006


    The Dynamic Code Evolution Virtual Machine (DCE VM), an alternative VM for OpenJDK 11 with enhanced class redefinition, has been updated for compatibility with OpenJDK 11.0.12.


    For the stable distribution (buster), this problem has been fixed in version 11.0.12+7-1~deb10u1.


    We recommend that you upgrade your openjdk-11-jre-dcevm packages.


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the stable distribution (buster), these problems have been fixed in version 78.13.0esr-1~deb10u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : trafficserver

    CVE ID : CVE-2021-27577 CVE-2021-32566 CVE-2021-32567 CVE-2021-35474 CVE-2021-32565


    Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in denial of service, HTTP request smuggling or cache poisoning.


    For the stable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u5.


    We recommend that you upgrade your trafficserver packages.


    For the detailed security status of trafficserver please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/trafficserver


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : exiv2

    CVE ID : CVE-2019-20421 CVE-2021-3482 CVE-2021-29457 CVE-2021-29473 CVE-2021-31292


    Several vulnerabilities have been discovered in Exiv2, a C++ library and a command line utility to manage image metadata, which could result in denial of service or the execution of arbitrary code if a malformed file is parsed.


    For the stable distribution (buster), these problems have been fixed in version 0.25-4+deb10u2.


    We recommend that you upgrade your exiv2 packages.


    For the detailed security status of exiv2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/exiv2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-29980 CVE-2021-29984 CVE-2021-29985 CVE-2021-29986 CVE-2021-29988 CVE-2021-29989


    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 1:78.13.0-1~deb11u1.


    For the oldstable distribution (buster), these problems have been fixed in version 1:78.13.0-1~deb10u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : haproxy

    CVE ID : not yet assigned


    Several vulnerabilities were discovered in HAProxy, a fast and reliable load balancing reverse proxy, which can result in HTTP request smuggling. By carefully crafting HTTP/2 requests, it is possible to smuggle another HTTP request to the backend selected by the HTTP/2 request. With certain configurations, it allows an attacker to send an HTTP request to a backend, circumventing the backend selection logic.


    Known workarounds are to disable HTTP/2 and set "tune.h2.max-concurrent-streams" to 0 in the "global" section.


    global
        tune.h2.max-concurrent-streams 0


    For the stable distribution (bullseye), these problems have been fixed in version 2.2.9-2+deb11u1.


    We recommend that you upgrade your haproxy packages.


    For the detailed security status of haproxy please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/haproxy


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tor

    CVE ID : CVE-2021-38385


    Henry de Valence reported a flaw in the signature verification code in Tor, a connection-based low-latency anonymous communication system. A remote attacker can take advantage of this flaw to cause an assertion failure, resulting in denial of service.


    For the oldstable distribution (buster), this problem has been fixed in version 0.3.5.16-1.


    For the stable distribution (bullseye), this problem has been fixed in version 0.4.5.10-1~deb11u1.


    We recommend that you upgrade your tor packages.


    For the detailed security status of tor please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/tor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openssl

    CVE ID : CVE-2021-3711 CVE-2021-3712


    Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit.


    CVE-2021-3711

    John Ouyang reported a buffer overflow vulnerability in the SM2 decryption. An attacker able to present SM2 content for decryption to an application can take advantage of this flaw to change application behaviour or cause the application to crash (denial of service).

    CVE-2021-3712

    Ingo Schwarze reported a buffer overrun flaw when processing ASN.1 strings in the X509_aux_print() function, which can result in denial of service.


    Additional details can be found in the upstream advisory:

    https://www.openssl.org/news/secadv/20210824.txt


    For the oldstable distribution (buster), these problems have been fixed in version 1.1.1d-0+deb10u7.


    For the stable distribution (bullseye), these problems have been fixed in version 1.1.1k-1+deb11u1.


    We recommend that you upgrade your openssl packages.


    For the detailed security status of openssl please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openssl


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : grilo

    CVE ID : CVE-2021-39365

    Debian Bug : 992971


    Michael Catanzaro reported a problem in Grilo, a framework for discovering and browsing media. TLS certificate verification is not enabled on the SoupSessionAsync objects created by Grilo, leaving users vulnerable to network MITM attacks.


    For the oldstable distribution (buster), this problem has been fixed in version 0.3.7-1+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 0.3.13-1+deb11u1.


    We recommend that you upgrade your grilo packages.


    For the detailed security status of grilo please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/grilo


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ledgersmb

    CVE ID : CVE-2021-3731 CVE-2021-3693 CVE-2021-3694


    Several vulnerabilities were discovered in LedgerSMB, a financial accounting and ERP program, which could result in cross-site scripting or clickjacking.


    For the oldstable distribution (buster), these problems have been fixed in version 1.6.9+ds-1+deb10u2.


    For the stable distribution (bullseye), these problems have been fixed in version 1.6.9+ds-2+deb11u2.


    We recommend that you upgrade your ledgersmb packages.


    For the detailed security status of ledgersmb please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ledgersmb


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ledgersmb


    The update for ledgersmb released as DSA 4862-1 introduced a regression in the display of some search results. Updated ledgersmb packages are now available to correct this issue.


    For the oldstable distribution (buster), this problem has been fixed in version 1.6.9+ds-1+deb10u3.


    For the stable distribution (bullseye), this problem has been fixed in version 1.6.9+ds-2+deb11u3.


    We recommend that you upgrade your ledgersmb packages.


    For the detailed security status of ledgersmb please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ledgersmb


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libssh

    CVE ID : CVE-2021-3634

    Debian Bug : 993046


    It was discovered that a buffer overflow in rekeying in libssh could result in denial of service or potentially the execution of arbitrary code.


    The oldstable distribution (buster) is not affected.


    For the stable distribution (bullseye), this problem has been fixed in version 0.9.5-1+deb11u1.


    We recommend that you upgrade your libssh packages.


    For the detailed security status of libssh please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/libssh


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gpac

    CVE ID : CVE-2021-21834 CVE-2021-21836 CVE-2021-21837 CVE-2021-21838 CVE-2021-21839 CVE-2021-21840 CVE-2021-21841 CVE-2021-21842 CVE-2021-21843 CVE-2021-21844 CVE-2021-21845 CVE-2021-21846 CVE-2021-21847 CVE-2021-21848 CVE-2021-21849 CVE-2021-21850 CVE-2021-21853 CVE-2021-21854 CVE-2021-21855 CVE-2021-21857 CVE-2021-21858 CVE-2021-21859 CVE-2021-21860 CVE-2021-21861


    Multiple security issues were discovered in the GPAC multimedia framework, which could result in denial of service or the execution of arbitrary code.


    The oldstable distribution (buster) is not affected.


    For the stable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-4+deb11u1.


    We recommend that you upgrade your gpac packages.


    For the detailed security status of gpac please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/gpac


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/