Debian Security Advisory

    • Official post

    Package : squashfs-tools

    CVE ID : CVE-2021-40153


    Etienne Stalmans discovered that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not validate filenames for traversal outside of the destination directory. An attacker can take advantage of this flaw for writing to arbitrary files to the filesystem if a malformed Squashfs image is processed.


    For the oldstable distribution (buster), this problem has been fixed in version 1:4.3-12+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 1:4.4-2+deb11u1.


    We recommend that you upgrade your squashfs-tools packages.


    For the detailed security status of squashfs-tools please refer to its security tracker page at:

    Information on source package squashfs-tools


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
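The squashfs-tools flaw above is a missing containment check on pathnames read from the image. As an added illustration (not the squashfs-tools fix itself), the following C code shows the kind of validation an extractor needs before creating any file: reject absolute names and any ".." component, then join the name under the destination directory. The function names and the sample names are constructed for this example.

```c
/* Added example, not squashfs-tools code: reject image pathnames that would
 * escape the extraction directory (the flaw class of CVE-2021-40153). */
#include <stdio.h>
#include <string.h>

/* Return 1 if `name` (taken from an untrusted image) may be joined under the
 * destination directory: it must be relative and contain no ".." component.
 * Any ".." is rejected, even one like "a/b/../c" that would stay inside dest,
 * because the conservative rule is simpler to reason about. Symlinks created
 * earlier in the extraction are a separate concern not covered here. */
int archive_path_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;                       /* empty or absolute: escapes dest */
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* ".." component walks upward */
        if (end == NULL)
            break;
        p = end + 1;                    /* next component ("a//b" is fine) */
    }
    return 1;
}

/* Write "<dest>/<name>" into out only when name passes the check.
 * Returns 1 on success, 0 if the name is unsafe or out is too small. */
int build_dest_path(const char *dest, const char *name, char *out, size_t outlen)
{
    if (!archive_path_is_safe(name))
        return 0;
    int n = snprintf(out, outlen, "%s/%s", dest, name);
    return n >= 0 && (size_t)n < outlen;
}

int main(void)
{
    /* Constructed sample names as they might appear in a malformed image. */
    const char *samples[] = {
        "etc/motd",                 /* ordinary, accepted */
        "../../../../etc/passwd",   /* classic traversal, rejected */
        "/etc/passwd",              /* absolute, rejected */
        "a/b/../c",                 /* contains "..", rejected */
        "..hidden/file",            /* dot-dot prefix only, accepted */
        "dir/..",                   /* trailing "..", rejected */
    };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int ok = build_dest_path("/tmp/squashfs-root", samples[i], path, sizeof path);
        printf("%-26s -> %s\n", samples[i], ok ? path : "REJECTED");
    }
    return 0;
}
```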

    • Official post

    Package : haproxy

    CVE ID : CVE-2021-40346


    Ori Hollander reported that missing header name length checks in the htx_add_header() and htx_add_trailer() functions in HAProxy, a fast and reliable load balancing reverse proxy, could result in request smuggling attacks or response splitting attacks.


    Additionally this update addresses #993303 introduced in DSA 4960-1 causing HAProxy to fail serving URLs with HTTP/2 containing '//'.


    For the stable distribution (bullseye), this problem has been fixed in version 2.2.9-2+deb11u2.


    We recommend that you upgrade your haproxy packages.


    For the detailed security status of haproxy please refer to its security tracker page at:

    Information on source package haproxy


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-38493


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the oldstable distribution (buster), this problem has been fixed in version 78.14.0esr-1~deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 78.14.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postorius

    CVE ID : CVE-2021-40347


    Kevin Israel discovered that Postorius, the administrative web frontend for Mailman 3, didn't validate whether a logged-in user owns the email address when unsubscribing.


    For the oldstable distribution (buster), this problem has been fixed in version 1.2.4-1+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 1.3.4-2+deb11u1.


    We recommend that you upgrade your postorius packages.


    For the detailed security status of postorius please refer to its security tracker page at:

    Information on source package postorius


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ntfs-3g

    CVE ID : CVE-2021-33285 CVE-2021-33286 CVE-2021-33287 CVE-2021-33289

    CVE-2021-35266 CVE-2021-35267 CVE-2021-35268 CVE-2021-35269

    CVE-2021-39251 CVE-2021-39252 CVE-2021-39253 CVE-2021-39254

    CVE-2021-39255 CVE-2021-39256 CVE-2021-39257 CVE-2021-39258

    CVE-2021-39259 CVE-2021-39260 CVE-2021-39261 CVE-2021-39262

    CVE-2021-39263

    Debian Bug : 988386


    Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.


    For the oldstable distribution (buster), these problems have been fixed in version 1:2017.3.23AR.3-3+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:2017.3.23AR.3-4+deb11u1.


    We recommend that you upgrade your ntfs-3g packages.


    For the detailed security status of ntfs-3g please refer to its security tracker page at:

    Information on source package ntfs-3g


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ghostscript

    CVE ID : CVE-2021-3781

    Debian Bug : 994011


    It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly validate access for the "%pipe%", "%handle%" and "%printer%" io devices, which could result in the execution of arbitrary code if a malformed Postscript file is processed (despite the -dSAFER sandbox being enabled).


    For the stable distribution (bullseye), this problem has been fixed in version 9.53.3~dfsg-7+deb11u1.


    We recommend that you upgrade your ghostscript packages.


    For the detailed security status of ghostscript please refer to its security tracker page at:

    Information on source package ghostscript


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-38493


    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code.


    For the oldstable distribution (buster), this problem has been fixed in version 1:78.14.0-1~deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 1:78.14.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nextcloud-desktop

    CVE ID : CVE-2021-22895 CVE-2021-32728

    Debian Bug : 989846


    Two vulnerabilities were discovered in the Nextcloud desktop client, which could result in information disclosure.


    For the oldstable distribution (buster), these problems have been fixed in version 2.5.1-3+deb10u2.


    For the stable distribution (bullseye), these problems have been fixed in version 3.1.1-2+deb11u1.


    We recommend that you upgrade your nextcloud-desktop packages.


    For the detailed security status of nextcloud-desktop please refer to its security tracker page at:

    Information on source package nextcloud-desktop


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2021-30858


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2021-30858

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.


    For the oldstable distribution (buster), this problem has been fixed in version 2.32.4-1~deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2021-30858


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2021-30858

    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.


    For the stable distribution (bullseye), this problem has been fixed in version 2.32.4-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2021-28694 CVE-2021-28695 CVE-2021-28696 CVE-2021-28697

    CVE-2021-28698 CVE-2021-28699 CVE-2021-28700 CVE-2021-28701


    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.


    With the end of upstream support for the 4.11 branch, the version of xen in the oldstable distribution (buster) is no longer supported. If you rely on security support for your Xen installation an update to the stable distribution (bullseye) is recommended.


    For the stable distribution (bullseye), these problems have been fixed in version 4.14.3-1~deb11u1.


    We recommend that you upgrade your xen packages.


    For the detailed security status of xen please refer to its security tracker page at:

    Information on source package xen


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2020-3702 CVE-2020-16119 CVE-2021-3653 CVE-2021-3656

    CVE-2021-3679 CVE-2021-3732 CVE-2021-3739 CVE-2021-3743

    CVE-2021-3753 CVE-2021-37576 CVE-2021-38160 CVE-2021-38166

    CVE-2021-38199 CVE-2021-40490 CVE-2021-41073

    Debian Bug : 993948 993978


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2020-3702

    A flaw was found in the driver for Atheros IEEE 802.11n family of chipsets (ath9k) allowing information disclosure.

    CVE-2020-16119

    Hadar Manor reported a use-after-free in the DCCP protocol implementation in the Linux kernel. A local attacker can take advantage of this flaw to cause a denial of service or potentially to execute arbitrary code.

    CVE-2021-3653

    Maxim Levitsky discovered a vulnerability in the KVM hypervisor implementation for AMD processors in the Linux kernel: Missing validation of the `int_ctl` VMCB field could allow a malicious L1 guest to enable AVIC support (Advanced Virtual Interrupt Controller) for the L2 guest. The L2 guest can take advantage of this flaw to write to a limited but still relatively large subset of the host physical memory.

    CVE-2021-3656

    Maxim Levitsky and Paolo Bonzini discovered a flaw in the KVM hypervisor implementation for AMD processors in the Linux kernel. Missing validation of the `virt_ext` VMCB field could allow a malicious L1 guest to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. Under these circumstances, the L2 guest is able to run VMLOAD/VMSAVE unintercepted and thus read/write portions of the host's physical memory.

    CVE-2021-3679

    A flaw in the Linux kernel tracing module functionality could allow a privileged local user (with CAP_SYS_ADMIN capability) to cause a denial of service (resource starvation).

    CVE-2021-3732

    Alois Wohlschlager reported a flaw in the implementation of the overlayfs subsystem, allowing a local attacker with privileges to mount a filesystem to reveal files hidden in the original mount.

    CVE-2021-3739

    A NULL pointer dereference flaw was found in the btrfs filesystem, allowing a local attacker with CAP_SYS_ADMIN capabilities to cause a denial of service.

    CVE-2021-3743

    An out-of-bounds memory read was discovered in the Qualcomm IPC router protocol implementation, allowing to cause a denial of service or information leak.

    CVE-2021-3753

    Minh Yuan reported a race condition in the vt_k_ioctl in drivers/tty/vt/vt_ioctl.c, which may cause an out of bounds read in vt.

    CVE-2021-37576

    Alexey Kardashevskiy reported a buffer overflow in the KVM subsystem on the powerpc platform, which allows KVM guest OS users to cause memory corruption on the host.

    CVE-2021-38160

    A flaw in the virtio_console was discovered allowing data corruption or data loss by an untrusted device.

    CVE-2021-38166

    An integer overflow flaw in the BPF subsystem could allow a local attacker to cause a denial of service or potentially the execution of arbitrary code. This flaw is mitigated by default in Debian as unprivileged calls to bpf() are disabled.

    CVE-2021-38199

    Michael Wakabayashi reported a flaw in the NFSv4 client implementation, where incorrect connection setup ordering allows operations of a remote NFSv4 server to cause a denial of service.

    CVE-2021-40490

    A race condition was discovered in the ext4 subsystem when writing to an inline_data file while its xattrs are changing. This could result in denial of service.

    CVE-2021-41073

    Valentina Palmiotti discovered a flaw in io_uring allowing a local attacker to escalate privileges.


    For the stable distribution (bullseye), these problems have been fixed in version 5.10.46-5. This update includes fixes for #993948 and #993978.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mediawiki

    CVE ID : CVE-2021-35197 CVE-2021-41798 CVE-2021-41799 CVE-2021-41800

    CVE-2021-41801


    Multiple security issues were found in MediaWiki, a website engine for collaborative work, which could result in cross-site scripting, denial of service and a bypass of restrictions in the "Replace Text" extension.


    For the oldstable distribution (buster), these problems have been fixed in version 1:1.31.16-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:1.35.4-1~deb11u1.


    We recommend that you upgrade your mediawiki packages.


    For the detailed security status of mediawiki please refer to its security tracker page at:

    Information on source package mediawiki


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : qemu

    CVE ID : CVE-2021-3544 CVE-2021-3545 CVE-2021-3546 CVE-2021-3638

    CVE-2021-3682 CVE-2021-3713 CVE-2021-3748

    Debian Bug : 988174 989042 991911 992726 992727 993401


    Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service or the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 1:5.2+dfsg-11+deb11u1.


    We recommend that you upgrade your qemu packages.


    For the detailed security status of qemu please refer to its security tracker page at:

    Information on source package qemu


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-38496 CVE-2021-38500


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 78.15.0esr-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 78.15.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache2

    CVE ID : CVE-2021-34798 CVE-2021-36160 CVE-2021-39275 CVE-2021-40438


    Several vulnerabilities have been found in the Apache HTTP server, which could result in denial of service. In addition a vulnerability was discovered in mod_proxy with which an attacker could trick the server to forward requests to arbitrary origin servers.


    For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u6.


    For the stable distribution (bullseye), these problems have been fixed in version 2.4.51-1~deb11u1.


    We recommend that you upgrade your apache2 packages.


    For the detailed security status of apache2 please refer to its security tracker page at:

    Information on source package apache2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : neutron

    CVE ID : CVE-2021-40085

    Debian Bug : 993398


    Pavel Toporkov discovered a vulnerability in Neutron, the OpenStack virtual network service, which allowed a reconfiguration of dnsmasq via crafted dhcp_extra_opts parameters.


    For the oldstable distribution (buster), this problem has been fixed in version 2:13.0.7+git.2021.09.27.bace3d1890-0+deb10u1. This update also fixes CVE-2021-20267.


    For the stable distribution (bullseye), this problem has been fixed in version 2:17.2.1-0+deb11u1. This update also fixes CVE-2021-38598.


    We recommend that you upgrade your neutron packages.


    For the detailed security status of neutron please refer to its security tracker page at:

    Information on source package neutron


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : flatpak

    CVE ID : CVE-2021-41133

    Debian Bug : 995935


    It was discovered that sandbox restrictions in Flatpak, an application deployment framework for desktop apps, could be bypassed for a Flatpak app with direct access to AF_UNIX sockets, by manipulating the VFS using mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter.


    Details can be found in the upstream advisory at https://github.com/flatpak/flatpa…-67h7-w3jq-vh4q


    For the stable distribution (bullseye), this problem has been fixed in version 1.10.5-0+deb11u1.


    We recommend that you upgrade your flatpak packages.


    For the detailed security status of flatpak please refer to its security tracker page at:

    Information on source package flatpak


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat9

    CVE ID : CVE-2021-30640 CVE-2021-41079


    Two vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in denial of service.


    For the oldstable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u6.


    For the stable distribution (bullseye), these problems have been fixed in version 9.0.43-2~deb11u2.


    We recommend that you upgrade your tomcat9 packages.


    For the detailed security status of tomcat9 please refer to its security tracker page at:

    Information on source package tomcat9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress

    CVE ID : CVE-2021-39200 CVE-2021-39201

    Debian Bug : 994059 994060


    Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform Cross-Site Scripting (XSS) attacks or impersonate other users.


    For the oldstable distribution (buster), these problems have been fixed in version 5.0.14+dfsg1-0+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 5.7.3+dfsg1-0+deb11u1.


    We recommend that you upgrade your wordpress packages.


    For the detailed security status of wordpress please refer to its security tracker page at:

    Information on source package wordpress


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/