Debian Security Advisory

    • Official post

    Package : squashfs-tools


    CVE ID : CVE-2021-40153



    Etienne Stalmans discovered that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not validate filenames for traversal outside of the destination directory. An attacker can take advantage of this flaw to write to arbitrary files on the filesystem if a malformed Squashfs image is processed.



    For the oldstable distribution (buster), this problem has been fixed in version 1:4.3-12+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 1:4.4-2+deb11u1.



    We recommend that you upgrade your squashfs-tools packages.



    For the detailed security status of squashfs-tools please refer to its security tracker page at:


    Information on source package squashfs-tools



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
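The defect described in this advisory is the generic archive-extraction path-traversal problem: a member name taken from the image is joined onto the destination directory without checking where it ends up. The following Python is an added example, not part of the advisory and not squashfs-tools code, showing the checks an extractor needs: reject absolute names and names that climb out with `..` textually, reject NUL bytes, and then resolve the target's parent directory through any symlink an earlier member may already have planted and confirm it is still under the destination, refusing to write through a pre-existing symlink as well. The `demo()` scenario, its member names and the `evil` symlink are constructed for illustration.

```python
import os
import posixpath
import tempfile


class PathTraversalError(ValueError):
    """Archive member name that would be written outside the destination."""


def safe_extract_path(dest_dir, member_name):
    """Return the absolute on-disk path for an archive member, or raise.

    Member names are POSIX paths taken from the (untrusted) image.
    Checks, in order:
      1. no NUL byte (a C path would be silently truncated at it)
      2. textual: the name must be relative and must not climb out with '..'
      3. physical: the parent directory, resolved through any symlink an
         earlier member may have created, must still be inside dest_dir
      4. the final component must not itself be a symlink, or a later
         write would follow it out of the tree
    """
    if "\0" in member_name:
        raise PathTraversalError("NUL byte in member name: %r" % member_name)
    if posixpath.isabs(member_name):
        raise PathTraversalError("absolute member name: %r" % member_name)

    norm = posixpath.normpath(member_name)  # collapses 'a/./b', 'a//b', 'a/x/../b'
    if norm == ".." or norm.startswith("../"):
        raise PathTraversalError("member climbs out of destination: %r" % member_name)

    dest_real = os.path.realpath(dest_dir)
    if norm == ".":
        return dest_real  # the image root maps onto the destination itself

    target = os.path.normpath(os.path.join(dest_real, *norm.split("/")))
    parent_real = os.path.realpath(os.path.dirname(target))
    if os.path.commonpath([dest_real, parent_real]) != dest_real:
        raise PathTraversalError("parent of %r resolves outside destination" % member_name)

    final = os.path.join(parent_real, os.path.basename(target))
    if os.path.islink(final):
        raise PathTraversalError("refusing to write through existing symlink: %r" % member_name)
    return final


def demo():
    """Constructed scenario: a temporary destination, a symlink 'evil' -> '/'
    that an earlier member planted, and member names to classify.
    Returns {member_name: 'ok' | 'rejected'}."""
    members = [
        "etc/motd",            # ordinary relative path
        "./etc/./motd",        # same path, needs normalisation
        "../../etc/passwd",    # classic traversal
        "etc/../../passwd",    # traversal hidden behind a real component
        "/etc/passwd",         # absolute name
        "evil/etc/passwd",     # textually fine, escapes through the symlink
        "a\0b",                # NUL truncation
    ]
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        os.mkdir(os.path.join(dest, "etc"))
        os.symlink("/", os.path.join(dest, "evil"))
        for name in members:
            try:
                safe_extract_path(dest, name)
                results[name] = "ok"
            except PathTraversalError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-22r %s" % (name, verdict))
```

The textual check alone is not enough: `evil/etc/passwd` passes it and only fails once the parent is resolved on disk, which is why the physical check runs against the directory that already exists at extraction time rather than against the unresolved string.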

    • Official post

    Package : haproxy


    CVE ID : CVE-2021-40346



    Ori Hollander reported that missing header name length checks in the htx_add_header() and htx_add_trailer() functions in HAProxy, a fast and reliable load balancing reverse proxy, could result in request smuggling attacks or response splitting attacks.



    Additionally, this update addresses #993303 introduced in DSA 4960-1 causing HAProxy to fail serving URLs with HTTP/2 containing '//'.



    For the stable distribution (bullseye), this problem has been fixed in version 2.2.9-2+deb11u2.



    We recommend that you upgrade your haproxy packages.



    For the detailed security status of haproxy please refer to its security tracker page at:


    Information on source package haproxy



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
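The smuggling and splitting risk named above comes from accepting header names that a strict parser would refuse. As an added example (not HAProxy code, and not the fix shipped in the packages above), the Python below parses an HTTP/1.1 header block the way a proxy should: it bounds the header-name length, enforces the RFC 7230 token grammar so that whitespace before the colon, control bytes and empty names are rejected rather than normalised, refuses bare CR or LF, and then refuses any message whose body length is ambiguous, which is the precondition for request smuggling between two parsers. The sample messages in `SAMPLES` and the `MAX_NAME_LEN` bound of 256 are constructed assumptions, not values from the advisory.

```python
import re

# RFC 7230 'token' characters: the only bytes allowed in a header name.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
MAX_NAME_LEN = 256  # assumed bound; enforced before the name is stored anywhere


class HeaderError(ValueError):
    """Message rejected: two parsers could disagree about what it means."""


def parse_header_block(raw, max_name_len=MAX_NAME_LEN):
    """Parse the start-line and header fields of an HTTP/1.1 message.

    `raw` is the message up to and including the blank line.  Returns
    (start_line, [(lower_name, value), ...]).  Anything that would have to be
    repaired or normalised is refused instead: bare CR or LF, obs-fold
    continuation lines, a missing colon, whitespace or control bytes in the
    name, empty names, names longer than max_name_len.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HeaderError("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if b"\r" in line or b"\n" in line:
            raise HeaderError("bare CR or LF inside header line")
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obs-fold continuation line")
        name, colon, value = line.partition(b":")
        if not colon:
            raise HeaderError("header line without colon: %r" % line[:40])
        if not name or len(name) > max_name_len or not _TOKEN.fullmatch(name):
            raise HeaderError("invalid header name: %r" % name[:40])
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers


def check_framing(headers):
    """Refuse a message whose body length is ambiguous, the precondition for
    request smuggling between a front-end and a back-end parser."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        raise HeaderError("Transfer-Encoding and Content-Length both present")
    if len(set(cl)) > 1:
        raise HeaderError("conflicting Content-Length values")
    if cl and not cl[0].isdigit():
        raise HeaderError("non-numeric Content-Length")
    return True


def classify(raw):
    """'ok' if the message passes both checks, otherwise 'rejected'."""
    try:
        _start, headers = parse_header_block(raw)
        check_framing(headers)
        return "ok"
    except HeaderError:
        return "rejected"


# Constructed sample messages, not traffic from the advisory.
SAMPLES = {
    "clean":              b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n",
    "long_name":          b"GET / HTTP/1.1\r\nHost: example.test\r\n" + b"X" * 300 + b": 1\r\n\r\n",
    "space_before_colon": b"GET / HTTP/1.1\r\nHost: example.test\r\nContent-Length : 5\r\n\r\n",
    "ctl_in_name":        b"GET / HTTP/1.1\r\nHost: example.test\r\nX\x01Y: 1\r\n\r\n",
    "bare_lf":            b"GET / HTTP/1.1\r\nHost: example.test\nX-Injected: 1\r\n\r\n",
    "te_and_cl":          b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
    "two_cl":             b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n",
}


def demo():
    """Return {sample_name: verdict} for the constructed messages."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-20s %s" % (name, verdict))
```

The design choice that matters is to reject rather than repair: a proxy that trims the space in `Content-Length : 5` or truncates an over-long name is exactly the component whose interpretation can diverge from the origin server's.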

    • Official post

    Package : firefox-esr


    CVE ID : CVE-2021-38493



    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.



    For the oldstable distribution (buster), this problem has been fixed in version 78.14.0esr-1~deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 78.14.0esr-1~deb11u1.



    We recommend that you upgrade your firefox-esr packages.



    For the detailed security status of firefox-esr please refer to its security tracker page at:


    Information on source package firefox-esr



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postorius


    CVE ID : CVE-2021-40347



    Kevin Israel discovered that Postorius, the administrative web frontend for Mailman 3, didn't validate whether a logged-in user owns the email address when unsubscribing.



    For the oldstable distribution (buster), this problem has been fixed in version 1.2.4-1+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 1.3.4-2+deb11u1.



    We recommend that you upgrade your postorius packages.



    For the detailed security status of postorius please refer to its security tracker page at:


    Information on source package postorius



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ntfs-3g


    CVE ID : CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289
    CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269
    CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254
    CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258
    CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262
    CVE-2021-39263


    Debian Bug : 988386



    Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.



    For the oldstable distribution (buster), these problems have been fixed in version 1:2017.3.23AR.3-3+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 1:2017.3.23AR.3-4+deb11u1.



    We recommend that you upgrade your ntfs-3g packages.



    For the detailed security status of ntfs-3g please refer to its security tracker page at:


    Information on source package ntfs-3g



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ghostscript


    CVE ID : CVE-2021-3781


    Debian Bug : 994011



    It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly validate access for the "%pipe%", "%handle%" and "%printer%" io devices, which could result in the execution of arbitrary code if a malformed PostScript file is processed (despite the -dSAFER sandbox being enabled).



    For the stable distribution (bullseye), this problem has been fixed in version 9.53.3~dfsg-7+deb11u1.



    We recommend that you upgrade your ghostscript packages.



    For the detailed security status of ghostscript please refer to its security tracker page at:


    Information on source package ghostscript



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird


    CVE ID : CVE-2021-38493



    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.



    For the oldstable distribution (buster), this problem has been fixed in version 1:78.14.0-1~deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 1:78.14.0-1~deb11u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nextcloud-desktop


    CVE ID : CVE-2021-22895 CVE-2021-32728


    Debian Bug : 989846



    Two vulnerabilities were discovered in the Nextcloud desktop client, which could result in information disclosure.



    For the oldstable distribution (buster), these problems have been fixed in version 2.5.1-3+deb10u2.



    For the stable distribution (bullseye), these problems have been fixed in version 3.1.1-2+deb11u1.



    We recommend that you upgrade your nextcloud-desktop packages.



    For the detailed security status of nextcloud-desktop please refer to its security tracker page at:


    Information on source package nextcloud-desktop



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk


    CVE ID : CVE-2021-30858



    The following vulnerabilities have been discovered in the webkit2gtk web engine:



    CVE-2021-30858


    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.



    For the oldstable distribution (buster), this problem has been fixed in version 2.32.4-1~deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.



    We recommend that you upgrade your webkit2gtk packages.



    For the detailed security status of webkit2gtk please refer to its security tracker page at:


    Information on source package webkit2gtk



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit


    CVE ID : CVE-2021-30858



    The following vulnerabilities have been discovered in the webkit2gtk web engine:



    CVE-2021-30858


    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.



    For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.



    We recommend that you upgrade your wpewebkit packages.



    For the detailed security status of wpewebkit please refer to its security tracker page at:


    Information on source package wpewebkit



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen


    CVE ID : CVE-2021-28694 CVE-2021-28695 CVE-2021-28696 CVE-2021-28697
    CVE-2021-28698 CVE-2021-28699 CVE-2021-28700 CVE-2021-28701



    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.



    With the end of upstream support for the 4.11 branch, the version of xen in the oldstable distribution (buster) is no longer supported. If you rely on security support for your Xen installation, an update to the stable distribution (bullseye) is recommended.



    For the stable distribution (bullseye), these problems have been fixed in version 4.14.3-1~deb11u1.



    We recommend that you upgrade your xen packages.



    For the detailed security status of xen please refer to its security tracker page at:


    Information on source package xen



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux


    CVE ID : CVE-2020-3702 CVE-2020-16119 CVE-2021-3653 CVE-2021-3656
    CVE-2021-3679 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743
    CVE-2021-3753 CVE-2021-37576 CVE-2021-38160 CVE-2021-38166
    CVE-2021-38199 CVE-2021-40490 CVE-2021-41073


    Debian Bug : 993948 993978



    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.



    CVE-2020-3702

    A flaw was found in the driver for Atheros IEEE 802.11n family of chipsets (ath9k) allowing information disclosure.

    CVE-2020-16119

    Hadar Manor reported a use-after-free in the DCCP protocol implementation in the Linux kernel. A local attacker can take advantage of this flaw to cause a denial of service or potentially to execute arbitrary code.

    CVE-2021-3653

    Maxim Levitsky discovered a vulnerability in the KVM hypervisor implementation for AMD processors in the Linux kernel: Missing validation of the `int_ctl` VMCB field could allow a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The L2 guest can take advantage of this flaw to write to a limited but still relatively large subset of the host physical memory.

    CVE-2021-3656

    Maxim Levitsky and Paolo Bonzini discovered a flaw in the KVM hypervisor implementation for AMD processors in the Linux kernel. Missing validation of the `virt_ext` VMCB field could allow a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under these circumstances, the L2 guest is able to run VMLOAD/VMSAVE unintercepted and thus read/write portions of the host's physical memory.

    CVE-2021-3679

    A flaw in the Linux kernel tracing module functionality could allow a privileged local user (with CAP_SYS_ADMIN capability) to cause a denial of service (resource starvation).

    CVE-2021-3732

    Alois Wohlschlager reported a flaw in the implementation of the overlayfs subsystem, allowing a local attacker with privileges to mount a filesystem to reveal files hidden in the original mount.

    CVE-2021-3739

    A NULL pointer dereference flaw was found in the btrfs filesystem, allowing a local attacker with CAP_SYS_ADMIN capabilities to cause a denial of service.

    CVE-2021-3743

    An out-of-bounds memory read was discovered in the Qualcomm IPC router protocol implementation, which could cause a denial of service or information leak.

    CVE-2021-3753

    Minh Yuan reported a race condition in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c, which may cause an out of bounds read in vt.

    CVE-2021-37576

    Alexey Kardashevskiy reported a buffer overflow in the KVM subsystem on the powerpc platform, which allows KVM guest OS users to cause memory corruption on the host.

    CVE-2021-38160

    A flaw in the virtio_console was discovered allowing data corruption or data loss by an untrusted device.

    CVE-2021-38166

    An integer overflow flaw in the BPF subsystem could allow a local attacker to cause a denial of service or potentially the execution of arbitrary code. This flaw is mitigated by default in Debian as unprivileged calls to bpf() are disabled.

    CVE-2021-38199

    Michael Wakabayashi reported a flaw in the NFSv4 client implementation, where incorrect connection setup ordering allows operations of a remote NFSv4 server to cause a denial of service.

    CVE-2021-40490

    A race condition was discovered in the ext4 subsystem when writing to an inline_data file while its xattrs are changing. This could result in denial of service.

    CVE-2021-41073

    Valentina Palmiotti discovered a flaw in io_uring allowing a local attacker to escalate privileges.



    For the stable distribution (bullseye), these problems have been fixed in version 5.10.46-5. This update includes fixes for #993948 and #993978.



    We recommend that you upgrade your linux packages.



    For the detailed security status of linux please refer to its security tracker page at:


    Information on source package linux



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mediawiki


    CVE ID : CVE-2021-35197 CVE-2021-41798 CVE-2021-41799 CVE-2021-41800
    CVE-2021-41801



    Multiple security issues were found in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, denial of service and a bypass of restrictions in the "Replace Text" extension.



    For the oldstable distribution (buster), these problems have been fixed in version 1:1.31.16-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 1:1.35.4-1~deb11u1.



    We recommend that you upgrade your mediawiki packages.



    For the detailed security status of mediawiki please refer to its security tracker page at:


    Information on source package mediawiki



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qemu


    CVE ID : CVE-2021-3544 CVE-2021-3545 CVE-2021-3546 CVE-2021-3638
    CVE-2021-3682 CVE-2021-3713 CVE-2021-3748


    Debian Bug : 988174 989042 991911 992726 992727 993401



    Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service or the execution of arbitrary code.



    For the stable distribution (bullseye), these problems have been fixed in version 1:5.2+dfsg-11+deb11u1.



    We recommend that you upgrade your qemu packages.



    For the detailed security status of qemu please refer to its security tracker page at:


    Information on source package qemu



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr


    CVE ID : CVE-2021-38496 CVE-2021-38500



    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.



    For the oldstable distribution (buster), these problems have been fixed in version 78.15.0esr-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 78.15.0esr-1~deb11u1.



    We recommend that you upgrade your firefox-esr packages.



    For the detailed security status of firefox-esr please refer to its security tracker page at:


    Information on source package firefox-esr



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache2


    CVE ID : CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438



    Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition a vulnerability was discovered in mod_proxy with which an attacker could trick the server to forward requests to arbitrary origin servers.



    For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u6.



    For the stable distribution (bullseye), these problems have been fixed in version 2.4.51-1~deb11u1.



    We recommend that you upgrade your apache2 packages.



    For the detailed security status of apache2 please refer to its security tracker page at:


    Information on source package apache2



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : neutron


    CVE ID : CVE-2021-40085


    Debian Bug : 993398



    Pavel Toporkov discovered a vulnerability in Neutron, the OpenStack virtual network service, which allowed a reconfiguration of dnsmasq via crafted dhcp_extra_opts parameters.



    For the oldstable distribution (buster), this problem has been fixed in version 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1. This update also fixes CVE-2021-20267.



    For the stable distribution (bullseye), this problem has been fixed in version 2:17.2.1-0+deb11u1. This update also fixes CVE-2021-38598.



    We recommend that you upgrade your neutron packages.



    For the detailed security status of neutron please refer to its security tracker page at:


    Information on source package neutron



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : flatpak


    CVE ID : CVE-2021-41133


    Debian Bug : 995935



    It was discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could be bypassed for a Flatpak app with direct access to AF_UNIX sockets, by manipulating the VFS using mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter.



    Details can be found in the upstream advisory at https://github.com/flatpak/fla…ories/GHSA-67h7-w3jq-vh4q



    For the stable distribution (bullseye), this problem has been fixed in version 1.10.5-0+deb11u1.



    We recommend that you upgrade your flatpak packages.



    For the detailed security status of flatpak please refer to its security tracker page at:


    Information on source package flatpak



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat9


    CVE ID : CVE-2021-30640 CVE-2021-41079



    Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in denial of service.



    For the oldstable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u6.



    For the stable distribution (bullseye), these problems have been fixed in version 9.0.43-2~deb11u2.



    We recommend that you upgrade your tomcat9 packages.



    For the detailed security status of tomcat9 please refer to its security tracker page at:


    Information on source package tomcat9



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress


    CVE ID : CVE-2021-39200 CVE-2021-39201


    Debian Bug : 994059 994060



    Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform Cross-Site Scripting (XSS) attacks or impersonate other users.



    For the oldstable distribution (buster), these problems have been fixed in version 5.0.14+dfsg1-0+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 5.7.3+dfsg1-0+deb11u1.



    We recommend that you upgrade your wordpress packages.



    For the detailed security status of wordpress please refer to its security tracker page at:


    Information on source package wordpress



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
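Every advisory on this page ends in a "fixed in version" string. Checking a host against them means comparing installed versions with dpkg's ordering, where `~` sorts before everything (so `78.15.0esr-1~deb11u1` is older than `78.15.0esr-1`), an epoch such as `1:` outranks the rest of the string, and digit runs compare numerically rather than lexically. The Python below is an added example, not Debian tooling and not part of any advisory, that implements that comparison and applies it to a `dpkg-query -W -f='${Package} ${Version}\n'` listing. The installed versions in `SAMPLE_LISTING` are made up for a hypothetical bullseye host; the fixed versions in `FIXED_BULLSEYE` are quoted from the advisories above. The check assumes the binary package carries the same version as the source package named in the advisory (a binNMU suffix such as `+b1` still compares as newer, so it does not produce a false alarm).

```python
def _split(version):
    """'1:4.3-12+deb10u1' -> (1, '4.3', '12+deb10u1').
    A missing epoch is 0; a missing Debian revision is the empty string."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(c):
    """Weight of one character in a non-digit run, as in dpkg's order()."""
    if c.isdigit():
        return 0
    if c == "~":
        return -1            # '~' sorts before anything, including end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # other punctuation sorts after all letters


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the dpkg way."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: compare character weights; end of string weighs 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # digit run: drop leading zeros; the longer run wins, else the first differing digit
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Same ordering as `dpkg --compare-versions`: <0 if a is older than b,
    0 if equal, >0 if a is newer."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_fixed(installed, fixed_version):
    """True when the installed version is at or past the advisory's fixed version."""
    return compare_versions(installed, fixed_version) >= 0


def vulnerable_packages(dpkg_listing, fixed_versions):
    """dpkg_listing: text as printed by dpkg-query -W -f='${Package} ${Version}\\n'.
    fixed_versions: {package: fixed_version} taken from the advisories.
    Returns [(package, installed, fixed)] for packages still below the fix."""
    out = []
    for line in dpkg_listing.splitlines():
        if not line.strip():
            continue
        name, installed = line.split()
        fixed = fixed_versions.get(name)
        if fixed is not None and not is_fixed(installed, fixed):
            out.append((name, installed, fixed))
    return out


# Fixed versions quoted from the bullseye advisories on this page.
FIXED_BULLSEYE = {
    "squashfs-tools": "1:4.4-2+deb11u1",
    "haproxy": "2.2.9-2+deb11u2",
    "firefox-esr": "78.15.0esr-1~deb11u1",
    "ntfs-3g": "1:2017.3.23AR.3-4+deb11u1",
    "apache2": "2.4.51-1~deb11u1",
    "tomcat9": "9.0.43-2~deb11u2",
}

# Constructed dpkg-query output for a hypothetical host; made up for the example.
SAMPLE_LISTING = """\
squashfs-tools 1:4.4-2
haproxy 2.2.9-2+deb11u1
firefox-esr 78.15.0esr-1
ntfs-3g 1:2017.3.23AR.3-4+deb11u1
apache2 2.4.48-3.1+deb11u1
tomcat9 9.0.43-2~deb11u1
"""


def demo():
    """Packages on the constructed host that still need the advisory update."""
    return vulnerable_packages(SAMPLE_LISTING, FIXED_BULLSEYE)


if __name__ == "__main__":
    for name, installed, fixed in demo():
        print("%-15s installed %-28s needs %s" % (name, installed, fixed))
```

On a real host the listing comes from `dpkg-query -W -f='${Package} ${Version}\n'`; the point of implementing the ordering rather than string-comparing is visible in the sample, where `78.15.0esr-1` correctly counts as fixed against `78.15.0esr-1~deb11u1` while `9.0.43-2~deb11u1` correctly does not against `9.0.43-2~deb11u2`.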