Debian Security Advisory

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-43546 CVE-2021-43545 CVE-2021-43543 CVE-2021-43542
    CVE-2021-43541 CVE-2021-43539 CVE-2021-43538 CVE-2021-43537
    CVE-2021-43536 CVE-2021-43535 CVE-2021-43534 CVE-2021-38509
    CVE-2021-38508 CVE-2021-38507 CVE-2021-38506 CVE-2021-38504
    CVE-2021-38503

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.

    Debian follows the extended support releases (ESR) of Firefox. Support for the 78.x series has ended, so starting with this update we're now following the 91.x releases.

    Between 78.x and 91.x, Firefox has seen a number of feature updates. For more information please refer to https://www.mozilla.org/en-US/firefox/91.0esr/releasenotes/

    For the oldstable distribution (buster), one final toolchain update is needed; updated packages will shortly be available as 91.4.1esr-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 91.4.1esr-1~deb11u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:
    Information on source package firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server

    CVE ID : CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011

    Jan-Niklas Sohn discovered that multiple input validation failures in X server extensions of the X.org X server may result in privilege escalation if the X server is running privileged.

    For the oldstable distribution (buster), these problems have been fixed in version 2:1.20.4-1+deb10u4.

    For the stable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u1.

    We recommend that you upgrade your xorg-server packages.

    For the detailed security status of xorg-server please refer to its security tracker page at:
    Information on source package xorg-server

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : spip

    It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting and SQL injection attacks, or execute arbitrary code.

    For the oldstable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u5.

    For the stable distribution (bullseye), this problem has been fixed in version 3.2.11-3+deb11u1.

    We recommend that you upgrade your spip packages.

    For the detailed security status of spip please refer to its security tracker page at:
    Information on source package spip

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : sogo

    CVE ID : CVE-2021-33054

    It was discovered that missing SAML signature validation in the SOGo groupware could result in impersonation attacks.

    For the oldstable distribution (buster), this problem has been fixed in version 4.0.7-1+deb10u2.

    For the stable distribution (bullseye), this problem has been fixed in version 5.0.1-4+deb11u1.

    We recommend that you upgrade your sogo packages.

    For the detailed security status of sogo please refer to its security tracker page at:
    Information on source package sogo

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2021-30887 CVE-2021-30890

    The following vulnerabilities have been discovered in the webkit2gtk web engine:

    CVE-2021-30887

    Narendra Bhati discovered that processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy.

    CVE-2021-30890

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

    For the oldstable distribution (buster), these problems have been fixed in version 2.34.3-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 2.34.3-1~deb11u1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:
    Information on source package webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2021-30887 CVE-2021-30890

    The following vulnerabilities have been discovered in the wpewebkit web engine:

    CVE-2021-30887

    Narendra Bhati discovered that processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy.

    CVE-2021-30890

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.

    For the stable distribution (bullseye), these problems have been fixed in version 2.34.3-1~deb11u1.

    We recommend that you upgrade your wpewebkit packages.

    For the detailed security status of wpewebkit please refer to its security tracker page at:
    Information on source package wpewebkit

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : djvulibre

    CVE ID : CVE-2019-15142 CVE-2019-15143 CVE-2019-15144 CVE-2019-15145
    CVE-2019-18804 CVE-2021-3500 CVE-2021-3630 CVE-2021-32490
    CVE-2021-32491 CVE-2021-32492 CVE-2021-32493

    Debian Bug : 945114 988215

    Several vulnerabilities were discovered in djvulibre, a library and set of tools to handle documents in the DjVu format. An attacker could crash document viewers and possibly execute arbitrary code through crafted DjVu files.

    For the oldstable distribution (buster), these problems have been fixed in version 3.5.27.1-10+deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 3.5.28-2.

    We recommend that you upgrade your djvulibre packages.

    For the detailed security status of djvulibre please refer to its security tracker page at:
    Information on source package djvulibre

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : fort-validator

    CVE ID : CVE-2021-3907 CVE-2021-3909 CVE-2021-43173 CVE-2021-43114

    Multiple vulnerabilities were discovered in the FORT RPKI validator, which could result in denial of service or path traversal.

    For the stable distribution (bullseye), these problems have been fixed in version 1.5.3-1~deb11u1.

    We recommend that you upgrade your fort-validator packages.

    For the detailed security status of fort-validator please refer to its security tracker page at:
    Information on source package fort-validator

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502
    CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507
    CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529
    CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537
    CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542
    CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538

    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code, spoofing, information disclosure, downgrade attacks on SMTP STARTTLS connections or misleading display of OpenPGP/MIME signatures.

    For the oldstable distribution (buster), these problems have been fixed in version 1:91.4.1-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 1:91.4.1-1~deb11u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:
    Information on source package thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache2

    CVE ID : CVE-2021-44224 CVE-2021-44790

    Two vulnerabilities have been discovered in the Apache HTTP server:

    CVE-2021-44224

    When operating as a forward proxy, Apache was, depending on the setup, susceptible to denial of service or Server Side Request Forgery.

    CVE-2021-44790

    A buffer overflow in mod_lua may result in denial of service or potentially the execution of arbitrary code.

    For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u7.

    For the stable distribution (bullseye), these problems have been fixed in version 2.4.52-1~deb11u2.

    We recommend that you upgrade your apache2 packages.

    For the detailed security status of apache2 please refer to its security tracker page at:
    Information on source package apache2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : sphinxsearch

    CVE ID : CVE-2020-29050

    It was discovered that sphinxsearch, a fast standalone full-text SQL search engine, could allow arbitrary files to be read by abusing a configuration option.

    For the oldstable distribution (buster), this problem has been fixed in version 2.2.11-2+deb10u1.

    We recommend that you upgrade your sphinxsearch packages.

    For the detailed security status of sphinxsearch please refer to its security tracker page at:
    Information on source package sphinxsearch

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : roundcube

    CVE ID : CVE-2021-46144

    Debian Bug : 1003027

    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to perform Cross-Site Scripting (XSS) attacks.

    For the oldstable distribution (buster), this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u2.

    For the stable distribution (bullseye), this problem has been fixed in version 1.4.13+dfsg.1-1~deb11u1.

    We recommend that you upgrade your roundcube packages.

    For the detailed security status of roundcube please refer to its security tracker page at:
    Information on source package roundcube

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ghostscript

    CVE ID : CVE-2021-45944 CVE-2021-45949

    Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

    For the oldstable distribution (buster), these problems have been fixed in version 9.27~dfsg-2+deb10u5.

    For the stable distribution (bullseye), these problems have been fixed in version 9.53.3~dfsg-7+deb11u2.

    We recommend that you upgrade your ghostscript packages.

    For the detailed security status of ghostscript please refer to its security tracker page at:
    Information on source package ghostscript

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress

    CVE ID : CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664

    Debian Bug : 1003243

    Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injection, run unchecked SQL queries, bypass hardening, or perform Cross-Site Scripting (XSS) attacks.

    For the oldstable distribution (buster), these problems have been fixed in version 5.0.15+dfsg1-0+deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 5.7.5+dfsg1-0+deb11u1.

    We recommend that you upgrade your wordpress packages.

    For the detailed security status of wordpress please refer to its security tracker page at:
    Information on source package wordpress

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lighttpd

    CVE ID : CVE-2022-22707

    An out-of-bounds memory access was discovered in the mod_extforward plugin of the lighttpd web server, which may result in denial of service.

    For the oldstable distribution (buster), this problem has been fixed in version 1.4.53-4+deb10u2.

    For the stable distribution (bullseye), this problem has been fixed in version 1.4.59-1+deb11u1.

    We recommend that you upgrade your lighttpd packages.

    For the detailed security status of lighttpd please refer to its security tracker page at:
    Information on source package lighttpd

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cfrpki

    CVE ID : CVE-2021-3761 CVE-2021-3907 CVE-2021-3908 CVE-2021-3909
    CVE-2021-3910 CVE-2021-3911 CVE-2021-3912 CVE-2021-43173
    CVE-2021-43174

    Multiple vulnerabilities were discovered in Cloudflare's RPKI validator, which could result in denial of service or path traversal.

    For the stable distribution (bullseye), these problems have been fixed in version 1.4.2-1~deb11u1.

    We recommend that you upgrade your cfrpki packages.

    For the detailed security status of cfrpki please refer to its security tracker page at:
    Information on source package cfrpki

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : epiphany-browser

    CVE ID : CVE-2021-45085 CVE-2021-45086 CVE-2021-45087 CVE-2021-45088

    Several vulnerabilities have been discovered in Epiphany, the GNOME web browser, allowing XSS attacks under certain circumstances.

    For the stable distribution (bullseye), these problems have been fixed in version 3.38.2-1+deb11u1.

    We recommend that you upgrade your epiphany-browser packages.

    For the detailed security status of epiphany-browser please refer to its security tracker page at:
    Information on source package epiphany-browser

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lxml

    CVE ID : CVE-2021-43818

    Debian Bug : 1001885

    It was discovered that lxml, a Python binding for the libxml2 and libxslt libraries, does not properly sanitize its input, which could lead to cross-site scripting.

    For the oldstable distribution (buster), this problem has been fixed in version 4.3.2-1+deb10u4.

    For the stable distribution (bullseye), this problem has been fixed in version 4.6.3+dfsg-0.1+deb11u1.

    We recommend that you upgrade your lxml packages.

    For the detailed security status of lxml please refer to its security tracker page at:
    Information on source package lxml

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739
    CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743
    CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, denial of service or spoofing.

    For the oldstable distribution (buster), these problems have been fixed in version 91.5.0esr-1~deb10u1. Not all architectures are available for oldstable yet; most notably, i386 (32-bit x86) is missing.

    For the stable distribution (bullseye), these problems have been fixed in version 91.5.0esr-1~deb11u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:
    Information on source package firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739
    CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743
    CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751

    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

    For the oldstable distribution (buster), these problems have been fixed in version 1:91.5.0-2~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 1:91.5.0-2~deb11u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:
    Information on source package thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
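Every advisory above ends with the same instruction, upgrade to at least the listed version, and the listed versions carry exactly the details that trip up a naive string comparison: epochs (2:1.20.11-1 is higher than 1.20.11-1), the ~ suffix of security uploads (91.5.0esr-1~deb11u1 sorts below 91.5.0esr-1) and the + suffix of point updates (1.4.59-1+deb11u1 sorts above 1.4.59-1). The script below is an added example, not Debian's or dpkg's own code: it re-implements the version ordering from Debian Policy section 5.6.12 (the algorithm behind dpkg --compare-versions) so that it runs without dpkg, carries a table of fixed versions transcribed from the advisories on this page (where a package has two advisories here, the later version), and checks the output of `dpkg-query -W -f='${source:Package} ${Version}\n'` against it. The suite name, the table and the embedded sample of dpkg-query output are assumptions and constructed input, not captured from a real host.

```python
"""Check installed Debian source-package versions against the fixed versions
from the advisories on this page (added example, not Debian/dpkg code)."""
import sys

# Transcribed from the advisories above, keyed by (source package, suite).
# Where the page has two advisories for a package, the later version is listed.
FIXED_VERSIONS = {
    ("firefox-esr", "buster"): "91.5.0esr-1~deb10u1",
    ("firefox-esr", "bullseye"): "91.5.0esr-1~deb11u1",
    ("thunderbird", "buster"): "1:91.5.0-2~deb10u1",
    ("thunderbird", "bullseye"): "1:91.5.0-2~deb11u1",
    ("xorg-server", "buster"): "2:1.20.4-1+deb10u4",
    ("xorg-server", "bullseye"): "2:1.20.11-1+deb11u1",
    ("apache2", "buster"): "2.4.38-3+deb10u7",
    ("apache2", "bullseye"): "2.4.52-1~deb11u2",
    ("lighttpd", "buster"): "1.4.53-4+deb10u2",
    ("lighttpd", "bullseye"): "1.4.59-1+deb11u1",
    ("sogo", "buster"): "4.0.7-1+deb10u2",
    ("sogo", "bullseye"): "5.0.1-4+deb11u1",
}

# Constructed sample of `dpkg-query -W -f='${source:Package} ${Version}\n'`.
SAMPLE_DPKG_QUERY = """\
apache2 2.4.51-1~deb11u1
firefox-esr 91.5.0esr-1~deb11u1
lighttpd 1.4.59-1
thunderbird 1:91.4.1-1~deb11u1
xorg-server 2:1.20.11-1+deb11u1
"""


def _order(c):
    """Weight of a character in a non-digit run: '~' sorts before everything,
    even the end of the string; letters sort before other characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate non-digit runs (lexical, with _order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":  # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():  # a's number has more digits
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def parse_dpkg_query(text):
    """Map source package -> installed version from dpkg-query output lines."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def check_installed(installed, suite):
    """Sorted (package, installed, fixed, patched) for every package that has a
    fixed version in `suite`; patched is True when installed >= fixed."""
    report = []
    for (pkg, pkg_suite), fixed in FIXED_VERSIONS.items():
        if pkg_suite == suite and pkg in installed:
            patched = compare_versions(installed[pkg], fixed) >= 0
            report.append((pkg, installed[pkg], fixed, patched))
    return sorted(report)


if __name__ == "__main__":
    suite = sys.argv[1] if len(sys.argv) > 1 else "bullseye"
    text = SAMPLE_DPKG_QUERY if sys.stdin.isatty() else sys.stdin.read()
    for pkg, have, want, patched in check_installed(parse_dpkg_query(text), suite):
        print(f"{'ok     ' if patched else 'UPGRADE'} {pkg}: installed {have}, fixed in {want}")
```

Run it against the real package list with `dpkg-query -W -f='${source:Package} ${Version}\n' | python3 check_dsa.py bullseye`, passing the suite the host actually runs; compared against the other suite's versions the report is meaningless. The table is a snapshot of this page, so the security tracker remains the authority on whether a later upload supersedes these versions, and a "patched" verdict only means the package is at or above the version named here; it says nothing about software installed from outside the archive.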