Debian Security Advisory

    • Official post

    Package : squashfs-tools

    CVE ID : CVE-2021-41072

    Debian Bug : 994262


    Richard Weinberger reported that unsquashfs in squashfs-tools, the tools to create and extract Squashfs filesystems, does not check for duplicate filenames within a directory. An attacker can take advantage of this flaw to write to arbitrary files in the filesystem if a malformed Squashfs image is processed.


    For the oldstable distribution (buster), this problem has been fixed in version 1:4.3-12+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 1:4.4-2+deb11u2.


    We recommend that you upgrade your squashfs-tools packages.


    For the detailed security status of squashfs-tools please refer to its security tracker page at:

    Information on source package squashfs-tools


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libreoffice

    CVE ID : CVE-2021-25633 CVE-2021-25634


    Two security issues have been discovered in LibreOffice's support for digital signatures in ODF documents, which could result in incorrect signature indicators/timestamps being presented.


    For the stable distribution (bullseye), these problems have been fixed in version 1:7.0.4-4+deb11u1.


    We recommend that you upgrade your libreoffice packages.


    For the detailed security status of libreoffice please refer to its security tracker page at:

    Information on source package libreoffice


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ffmpeg

    CVE ID : CVE-2020-20445 CVE-2020-20446 CVE-2020-20453 CVE-2020-21041
    CVE-2020-22015 CVE-2020-22016 CVE-2020-22017 CVE-2020-22019
    CVE-2020-22020 CVE-2020-22021 CVE-2020-22022 CVE-2020-22023
    CVE-2020-22025 CVE-2020-22026 CVE-2020-22027 CVE-2020-22028
    CVE-2020-22029 CVE-2020-22030 CVE-2020-22031 CVE-2020-22032
    CVE-2020-22033 CVE-2020-22034 CVE-2020-22035 CVE-2020-22036
    CVE-2020-22037 CVE-2020-22049 CVE-2020-22054 CVE-2020-35965
    CVE-2021-38114 CVE-2021-38171 CVE-2021-38291


    Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.


    For the oldstable distribution (buster), these problems have been fixed in version 7:4.1.8-0+deb10u1.


    We recommend that you upgrade your ffmpeg packages.


    For the detailed security status of ffmpeg please refer to its security tracker page at:

    Information on source package ffmpeg


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mailman

    CVE ID : CVE-2020-12108 CVE-2020-15011 CVE-2021-42096 CVE-2021-42097


    Several vulnerabilities were discovered in mailman, a web-based mailing list manager, which could result in arbitrary content injection via the options and private archive login pages, and CSRF attacks or privilege escalation via the user options page.


    For the oldstable distribution (buster), these problems have been fixed in version 1:2.1.29-1+deb10u2.


    We recommend that you upgrade your mailman packages.


    For the detailed security status of mailman please refer to its security tracker page at:

    Information on source package mailman


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.4

    CVE ID : CVE-2021-21703

    Debian Bug : 997003


    An out-of-bounds read and write flaw was discovered in the PHP-FPM code, which could result in escalation of privileges from a local unprivileged user to the root user.


    For the stable distribution (bullseye), this problem has been fixed in version 7.4.25-1+deb11u1.


    We recommend that you upgrade your php7.4 packages.


    For the detailed security status of php7.4 please refer to its security tracker page at:

    Information on source package php7.4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.3

    CVE ID : CVE-2021-21703


    An out-of-bounds read and write flaw was discovered in the PHP-FPM code, which could result in escalation of privileges from a local unprivileged user to the root user.


    For the oldstable distribution (buster), this problem has been fixed in version 7.3.31-1~deb10u1.


    We recommend that you upgrade your php7.3 packages.


    For the detailed security status of php7.3 please refer to its security tracker page at:

    Information on source package php7.3


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : bind9

    CVE ID : CVE-2021-25219


    Kishore Kumar Kothapalli discovered that the lame server cache in BIND, a DNS server implementation, can be abused by an attacker to significantly degrade resolver performance, resulting in denial of service (large delays for responses for client queries and DNS timeouts on client hosts).


    For the oldstable distribution (buster), this problem has been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u6.


    For the stable distribution (bullseye), this problem has been fixed in version 1:9.16.22-1~deb11u1.


    We recommend that you upgrade your bind9 packages.


    For the detailed security status of bind9 please refer to its security tracker page at:

    Information on source package bind9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2021-30846 CVE-2021-30851 CVE-2021-42762


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2021-30846

    Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30851

    Samuel Gross discovered that processing maliciously crafted web content may lead to code execution.


    CVE-2021-42762

    An anonymous reporter discovered a limited Bubblewrap sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined.


    For the oldstable distribution (buster), these problems have been fixed in version 2.34.1-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.1-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2021-30846 CVE-2021-30851 CVE-2021-42762


    The following vulnerabilities have been discovered in the wpewebkit web engine:


    CVE-2021-30846

    Sergei Glazunov discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30851

    Samuel Gross discovered that processing maliciously crafted web content may lead to code execution.


    CVE-2021-42762

    An anonymous reporter discovered a limited Bubblewrap sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.1-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tiff

    CVE ID : CVE-2020-19143


    A flaw was discovered in tiff, a Tag Image File Format library, which may result in denial of service or the execution of arbitrary code if malformed image files are processed.


    For the oldstable distribution (buster), this problem has been fixed in version 4.1.0+git191117-2~deb10u3.


    We recommend that you upgrade your tiff packages.


    For the detailed security status of tiff please refer to its security tracker page at:

    Information on source package tiff


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ffmpeg

    CVE ID : CVE-2020-20446 CVE-2020-20450 CVE-2020-20453 CVE-2020-22037
    CVE-2020-22042 CVE-2021-38114 CVE-2021-38171 CVE-2021-38291
    CVE-2020-21697 CVE-2020-21688 CVE-2020-20445


    Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.


    For the stable distribution (bullseye), these problems have been fixed in version 7:4.3.3-0+deb11u1.


    We recommend that you upgrade your ffmpeg packages.


    For the detailed security status of ffmpeg please refer to its security tracker page at:

    Information on source package ffmpeg


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : asterisk

    CVE ID : CVE-2021-32558 CVE-2021-32686

    Debian Bug : 991710 991931


    Multiple vulnerabilities have been discovered in Asterisk, an open source PBX and telephony toolkit, which may result in denial of service.


    For the stable distribution (bullseye), these problems have been fixed in version 1:16.16.1~dfsg-1+deb11u1.


    We recommend that you upgrade your asterisk packages.


    For the detailed security status of asterisk please refer to its security tracker page at:

    Information on source package asterisk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561
    CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578
    CVE-2021-35586 CVE-2021-35603


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, incorrect Kerberos ticket use, selection of weak ciphers or information disclosure.


    The oldstable distribution (buster) needs additional updates to be able to build 11.0.13. An update will be provided in a follow-up advisory.


    For the stable distribution (bullseye), these problems have been fixed in version 11.0.13+8-1~deb11u1.


    We recommend that you upgrade your openjdk-11 packages.


    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    Information on source package openjdk-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : redis

    CVE ID : CVE-2021-32626 CVE-2021-32627 CVE-2021-32628 CVE-2021-32672
    CVE-2021-32675 CVE-2021-32687 CVE-2021-32762 CVE-2021-41099
    CVE-2021-32761


    Multiple vulnerabilities were discovered in Redis, a persistent key-value database, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 5:5.0.14-1+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 5:6.0.16-1+deb11u1.


    We recommend that you upgrade your redis packages.


    For the detailed security status of redis please refer to its security tracker page at:

    Information on source package redis


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : containerd

    CVE ID : CVE-2021-41103


    A flaw was discovered in containerd, an open and reliable container runtime. Insufficiently restricted permissions on container root and plugin directories could result in privilege escalation.


    For the stable distribution (bullseye), this problem has been fixed in version 1.4.5~ds1-2+deb11u1.


    We recommend that you upgrade your containerd packages.


    For the detailed security status of containerd please refer to its security tracker page at:

    Information on source package containerd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : samba

    CVE ID : CVE-2016-2124 CVE-2020-25717 CVE-2020-25718 CVE-2020-25719
    CVE-2020-25721 CVE-2020-25722 CVE-2021-3738 CVE-2021-23192


    Several vulnerabilities have been discovered in Samba, an SMB/CIFS file, print, and login server for Unix.


    CVE-2016-2124

    Stefan Metzmacher reported that SMB1 client connections can be downgraded to plaintext authentication.


    CVE-2020-25717

    Andrew Bartlett reported that Samba may map domain users to local users in an undesired way, allowing for privilege escalation. The update introduces a new parameter "min domain uid" (default 1000) to not accept a UNIX uid below this value.


    CVE-2020-25718

    Andrew Bartlett reported that Samba as AD DC, when joined by an RODC, did not confirm if the RODC was allowed to print a ticket for that user, allowing an RODC to print administrator tickets.


    CVE-2020-25719

    Andrew Bartlett reported that Samba as AD DC did not always rely on the SID and PAC in Kerberos tickets and could be confused about the user a ticket represents. If a privileged account was attacked this could lead to total domain compromise.


    CVE-2020-25721

    Andrew Bartlett reported that Samba as an AD DC did not provide a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets.


    CVE-2020-25722

    Andrew Bartlett reported that Samba as AD DC did not do sufficient access and conformance checking of data stored, potentially allowing total domain compromise.


    CVE-2021-3738

    William Ross reported that the Samba AD DC RPC server can use memory that was freed when a sub-connection is closed, resulting in denial of service and, potentially, escalation of privileges.


    CVE-2021-23192

    Stefan Metzmacher reported that if a client to a Samba server sent a very large DCE/RPC request and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.


    For the stable distribution (bullseye), these problems have been fixed in version 2:4.13.13+dfsg-1~deb11u2.


    We recommend that you upgrade your samba packages.


    For the detailed security status of samba please refer to its security tracker page at:

    Information on source package samba


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libxstream-java

    CVE ID : CVE-2021-39139 CVE-2021-39140 CVE-2021-39141 CVE-2021-39144
    CVE-2021-39145 CVE-2021-39146 CVE-2021-39147 CVE-2021-39148
    CVE-2021-39149 CVE-2021-39150 CVE-2021-39151 CVE-2021-39152
    CVE-2021-39153 CVE-2021-39154 CVE-2021-21341 CVE-2021-21342
    CVE-2021-21343 CVE-2021-21344 CVE-2021-21345 CVE-2021-21346
    CVE-2021-21347 CVE-2021-21348 CVE-2021-21349 CVE-2021-21350
    CVE-2021-21351 CVE-2021-29505


    Multiple security vulnerabilities have been discovered in XStream, a Java library to serialize objects to XML and back again.


    These vulnerabilities may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream.


    XStream itself sets up a whitelist by default now, i.e. it blocks all classes except those types it has explicit converters for. It used to have a blacklist by default, i.e. it tried to block all currently known critical classes of the Java runtime. The main reason for the blacklist was compatibility: it allowed newer versions of XStream to be used as a drop-in replacement. However, this approach has failed. A growing list of security reports has proven that a blacklist is inherently unsafe, apart from the fact that types of third-party libraries were not even considered. A blacklist scenario should be avoided in general, because it provides a false sense of security.


    For the oldstable distribution (buster), these problems have been fixed in version 1.4.11.1-1+deb10u3.


    For the stable distribution (bullseye), these problems have been fixed in version 1.4.15-3+deb11u1.


    We recommend that you upgrade your libxstream-java packages.


    For the detailed security status of libxstream-java please refer to its security tracker page at:

    Information on source package libxstream-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
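Added example (not Debian's or the XStream project's own code): how an application pins an XStream instance to an explicit allowlist instead of relying on the library's former blacklist default, and how a document naming a type outside that allowlist is rejected. The `Person` class, the `XStreamAllowlistDemo` name and the sample XML are constructed; the permission and `allowTypes` calls are XStream's own security-framework API.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;

// Added example, not Debian's or the XStream project's own code.
// Person and the sample document below are constructed for illustration.
public class XStreamAllowlistDemo {

    // The only application type we intend to exchange as XML.
    public static class Person {
        public String name;
        public int age;
    }

    // Corrected setting: forbid everything, then allow exactly what we need.
    // With a bare `new XStream()` on the older releases this advisory patches,
    // only a blacklist of known-bad classes applied, so any type not on that
    // list could still be named in the input. Here unknown type names are
    // rejected before any converter or constructor runs.
    static XStream allowlistOnly() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);               // drop all permissions
        xstream.addPermission(NullPermission.NULL);                 // allow null values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);  // int, boolean, ...
        xstream.allowTypes(new Class[] { String.class, Person.class });
        xstream.allowTypeHierarchy(Collection.class);               // e.g. List<Person>
        xstream.alias("person", Person.class);
        return xstream;
    }

    // Normal use still works under the allowlist.
    static Person roundTrip(XStream xstream) {
        Person p = new Person();
        p.name = "Alice";
        p.age = 30;
        return (Person) xstream.fromXML(xstream.toXML(p));
    }

    // Constructed input naming a harmless JDK type that is not on the allowlist.
    static final String UNLISTED_XML =
        "<java.util.Date>1970-01-01 00:00:00.0 UTC</java.util.Date>";

    // True if the instance refuses to resolve the unlisted type name.
    static boolean rejectsUnlisted(XStream xstream) {
        try {
            xstream.fromXML(UNLISTED_XML);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream safe = allowlistOnly();
        System.out.println("round trip ok: " + "Alice".equals(roundTrip(safe).name));
        System.out.println("unlisted java.util.Date rejected: " + rejectsUnlisted(safe));
    }
}
```

Adding a new application type later means adding it to `allowTypes` explicitly; that friction is the point, since every type not listed stays unreachable from the input stream.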

    • Official post

    Package : ruby-kaminari

    CVE ID : CVE-2020-11082

    Debian Bug : 961847


    A security vulnerability has been found in Kaminari, a pagination engine plugin for Rails 3+ and other modern frameworks, that would allow an attacker to inject arbitrary code into pages with pagination links.


    For the oldstable distribution (buster), this problem has been fixed in version 1.0.1-4+deb10u1.


    We recommend that you upgrade your ruby-kaminari packages.


    For the detailed security status of ruby-kaminari please refer to its security tracker page at:

    Information on source package ruby-kaminari


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : postgresql-11

    CVE ID : CVE-2021-23214 CVE-2021-23222


    Jacob Champion discovered two vulnerabilities in the PostgreSQL database system, which could result in man-in-the-middle attacks.


    For the oldstable distribution (buster), these problems have been fixed in version 11.14-0+deb10u1.


    We recommend that you upgrade your postgresql-11 packages.


    For the detailed security status of postgresql-11 please refer to its security tracker page at:

    Information on source package postgresql-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/