Debian Security Advisory

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-43546 CVE-2021-43545 CVE-2021-43543 CVE-2021-43542 CVE-2021-43541 CVE-2021-43539 CVE-2021-43538 CVE-2021-43537 CVE-2021-43536 CVE-2021-43535 CVE-2021-43534 CVE-2021-38509 CVE-2021-38508 CVE-2021-38507 CVE-2021-38506 CVE-2021-38504 CVE-2021-38503


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.


    Debian follows the extended support releases (ESR) of Firefox. Support for the 78.x series has ended, so starting with this update we're now following the 91.x releases.


    Between 78.x and 91.x, Firefox has seen a number of feature updates. For more information please refer to https://www.mozilla.org/en-US/firefox/91.0esr/releasenotes/


    For the oldstable distribution (buster), one more final toolchain update is needed; updated packages will shortly be available as 91.4.1esr-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 91.4.1esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server

    CVE ID : CVE-2021-4008 CVE-2021-4009 CVE-2021-4010 CVE-2021-4011


    Jan-Niklas Sohn discovered that multiple input validation failures in X server extensions of the X.org X server may result in privilege escalation if the X server is running privileged.


    For the oldstable distribution (buster), these problems have been fixed in version 2:1.20.4-1+deb10u4.


    For the stable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u1.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at:

    Information on source package xorg-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : spip


    It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting and SQL injection attacks, or execute arbitrary code.


    For the oldstable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u5.


    For the stable distribution (bullseye), this problem has been fixed in version 3.2.11-3+deb11u1.


    We recommend that you upgrade your spip packages.


    For the detailed security status of spip please refer to its security tracker page at:

    Information on source package spip


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : sogo

    CVE ID : CVE-2021-33054


    It was discovered that missing SAML signature validation in the SOGo groupware could result in impersonation attacks.


    For the oldstable distribution (buster), this problem has been fixed in version 4.0.7-1+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 5.0.1-4+deb11u1.


    We recommend that you upgrade your sogo packages.


    For the detailed security status of sogo please refer to its security tracker page at:

    Information on source package sogo


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2021-30887 CVE-2021-30890


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2021-30887

    Narendra Bhati discovered that processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy.

    CVE-2021-30890

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.


    For the oldstable distribution (buster), these problems have been fixed in version 2.34.3-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.3-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2021-30887 CVE-2021-30890


    The following vulnerabilities have been discovered in the wpewebkit web engine:


    CVE-2021-30887

    Narendra Bhati discovered that processing maliciously crafted web content may lead to unexpectedly unenforced Content Security Policy.

    CVE-2021-30890

    An anonymous researcher discovered that processing maliciously crafted web content may lead to universal cross site scripting.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.3-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : djvulibre

    CVE ID : CVE-2019-15142 CVE-2019-15143 CVE-2019-15144 CVE-2019-15145 CVE-2019-18804 CVE-2021-3500 CVE-2021-3630 CVE-2021-32490 CVE-2021-32491 CVE-2021-32492 CVE-2021-32493

    Debian Bug : 945114 988215


    Several vulnerabilities were discovered in djvulibre, a library and set of tools to handle documents in the DjVu format. An attacker could crash document viewers and possibly execute arbitrary code through crafted DjVu files.


    For the oldstable distribution (buster), these problems have been fixed in version 3.5.27.1-10+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 3.5.28-2.


    We recommend that you upgrade your djvulibre packages.


    For the detailed security status of djvulibre please refer to its security tracker page at:

    Information on source package djvulibre


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : fort-validator

    CVE ID : CVE-2021-3907 CVE-2021-3909 CVE-2021-43173 CVE-2021-43114


    Multiple vulnerabilities were discovered in the FORT RPKI validator, which could result in denial of service or path traversal.


    For the stable distribution (bullseye), these problems have been fixed in version 1.5.3-1~deb11u1.


    We recommend that you upgrade your fort-validator packages.


    For the detailed security status of fort-validator please refer to its security tracker page at:

    Information on source package fort-validator


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538


    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code, spoofing, information disclosure, downgrade attacks on SMTP STARTTLS connections or misleading display of OpenPGP/MIME signatures.


    For the oldstable distribution (buster), these problems have been fixed in version 1:91.4.1-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:91.4.1-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : apache2

    CVE ID : CVE-2021-44224 CVE-2021-44790


    Two vulnerabilities have been discovered in the Apache HTTP server:


    CVE-2021-44224

    When operating as a forward proxy, Apache was, depending on the setup, susceptible to denial of service or Server Side Request Forgery.

    CVE-2021-44790

    A buffer overflow in mod_lua may result in denial of service or potentially the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u7.


    For the stable distribution (bullseye), these problems have been fixed in version 2.4.52-1~deb11u2.


    We recommend that you upgrade your apache2 packages.


    For the detailed security status of apache2 please refer to its security tracker page at:

    Information on source package apache2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : sphinxsearch

    CVE ID : CVE-2020-29050


    It was discovered that sphinxsearch, a fast standalone full-text SQL search engine, could allow arbitrary files to be read by abusing a configuration option.


    For the oldstable distribution (buster), this problem has been fixed in version 2.2.11-2+deb10u1.


    We recommend that you upgrade your sphinxsearch packages.


    For the detailed security status of sphinxsearch please refer to its security tracker page at:

    Information on source package sphinxsearch


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : roundcube

    CVE ID : CVE-2021-46144

    Debian Bug : 1003027


    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to perform Cross-Site Scripting (XSS) attacks.


    For the oldstable distribution (buster), this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 1.4.13+dfsg.1-1~deb11u1.


    We recommend that you upgrade your roundcube packages.


    For the detailed security status of roundcube please refer to its security tracker page at:

    Information on source package roundcube


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ghostscript

    CVE ID : CVE-2021-45944 CVE-2021-45949


    Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.


    For the oldstable distribution (buster), these problems have been fixed in version 9.27~dfsg-2+deb10u5.


    For the stable distribution (bullseye), these problems have been fixed in version 9.53.3~dfsg-7+deb11u2.


    We recommend that you upgrade your ghostscript packages.


    For the detailed security status of ghostscript please refer to its security tracker page at:

    Information on source package ghostscript


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress

    CVE ID : CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664

    Debian Bug : 1003243


    Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, run unchecked SQL queries, bypass hardening, or perform Cross-Site Scripting (XSS) attacks.


    For the oldstable distribution (buster), these problems have been fixed in version 5.0.15+dfsg1-0+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 5.7.5+dfsg1-0+deb11u1.


    We recommend that you upgrade your wordpress packages.


    For the detailed security status of wordpress please refer to its security tracker page at:

    Information on source package wordpress


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lighttpd

    CVE ID : CVE-2022-22707


    An out-of-bounds memory access was discovered in the mod_extforward plugin of the lighttpd web server, which may result in denial of service.


    For the oldstable distribution (buster), this problem has been fixed in version 1.4.53-4+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 1.4.59-1+deb11u1.


    We recommend that you upgrade your lighttpd packages.


    For the detailed security status of lighttpd please refer to its security tracker page at:

    Information on source package lighttpd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cfrpki

    CVE ID : CVE-2021-3761 CVE-2021-3907 CVE-2021-3908 CVE-2021-3909 CVE-2021-3910 CVE-2021-3911 CVE-2021-3912 CVE-2021-43173 CVE-2021-43174


    Multiple vulnerabilities were discovered in Cloudflare's RPKI validator, which could result in denial of service or path traversal.


    For the stable distribution (bullseye), these problems have been fixed in version 1.4.2-1~deb11u1.


    We recommend that you upgrade your cfrpki packages.


    For the detailed security status of cfrpki please refer to its security tracker page at:

    Information on source package cfrpki


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : epiphany-browser

    CVE ID : CVE-2021-45085 CVE-2021-45086 CVE-2021-45087 CVE-2021-45088


    Several vulnerabilities have been discovered in Epiphany, the GNOME web browser, allowing XSS attacks under certain circumstances.


    For the stable distribution (bullseye), these problems have been fixed in version 3.38.2-1+deb11u1.


    We recommend that you upgrade your epiphany-browser packages.


    For the detailed security status of epiphany-browser please refer to its security tracker page at:

    Information on source package epiphany-browser


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lxml

    CVE ID : CVE-2021-43818

    Debian Bug : 1001885


    It was discovered that lxml, a Python binding for the libxml2 and libxslt libraries, does not properly sanitize its input, which could lead to cross-site scripting.


    For the oldstable distribution (buster), this problem has been fixed in version 4.3.2-1+deb10u4.


    For the stable distribution (bullseye), this problem has been fixed in version 4.6.3+dfsg-0.1+deb11u1.


    We recommend that you upgrade your lxml packages.


    For the detailed security status of lxml please refer to its security tracker page at:

    Information on source package lxml


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, denial of service or spoofing.


    For the oldstable distribution (buster), these problems have been fixed in version 91.5.0esr-1~deb10u1. Not all architectures are available for oldstable yet, most notably i386 (32 bits x86) is missing.


    For the stable distribution (bullseye), these problems have been fixed in version 91.5.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739 CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743 CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 1:91.5.0-2~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:91.5.0-2~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
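Every advisory in this thread names the package version that carries the fix and recommends upgrading. The practical check on a host is whether the installed version is at or above that fixed version under dpkg's ordering, which has two traps worth knowing: a `~` sorts before anything, even the end of the string, so `91.4.1esr-1~deb11u1` is older than `91.4.1esr-1`, while a `+deb11u1` or binNMU `+b1` suffix sorts after. The script below is an added example, not Debian's own tooling: it reimplements the dpkg comparison rules from Debian Policy 5.6.12 in plain Python, takes the bullseye fixed versions quoted in the advisories above, and checks a constructed package inventory against them.

```python
"""Compare installed Debian package versions against the fixed versions named
in an advisory, using the dpkg version ordering (Debian Policy 5.6.12).
Added example, not Debian's own tooling; the INSTALLED inventory is constructed."""
from typing import Dict, Tuple


def split_version(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts.
    A missing epoch is 0 and a missing revision is treated as '0'."""
    epoch, rest = 0, version
    if ":" in rest:
        epoch_str, rest = rest.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = rest, "0"
    if "-" in rest:
        upstream, revision = rest.rsplit("-", 1)
    return epoch, upstream, revision


def _char_order(c: str) -> int:
    """dpkg ordering for characters in a non-digit run: '~' sorts before
    everything (including the end of the string), letters before non-letters."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def compare_fragment(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) by alternating
    non-digit runs (lexical, dpkg character order) and digit runs (numeric).
    Returns -1, 0 or 1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character; a run that ends
        # early is compared as the empty string.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            oa, ob = _char_order(ca), _char_order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
            i += 1  # orders equal means the same non-empty character on both sides
            j += 1
        # Digit run: compare numerically, so 1.20.11 sorts after 1.20.4.
        start = i
        while i < len(a) and a[i].isdigit():
            i += 1
        num_a = int(a[start:i] or "0")
        start = j
        while j < len(b) and b[j].isdigit():
            j += 1
        num_b = int(b[start:j] or "0")
        if num_a != num_b:
            return -1 if num_a < num_b else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """dpkg-style comparison: epoch first, then upstream, then revision."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return compare_fragment(ua, ub) or compare_fragment(ra, rb)


def is_fixed(installed: str, fixed: str) -> bool:
    """True when the installed version is at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


# Fixed versions for bullseye, quoted from the advisories in this thread.
BULLSEYE_FIXED: Dict[str, str] = {
    "firefox-esr": "91.5.0esr-1~deb11u1",
    "xorg-server": "2:1.20.11-1+deb11u1",
    "apache2": "2.4.52-1~deb11u2",
    "lighttpd": "1.4.59-1+deb11u1",
    "djvulibre": "3.5.28-2",
}

# Constructed inventory standing in for `dpkg-query -W -f '${Package} ${Version}\n'`.
INSTALLED: Dict[str, str] = {
    "firefox-esr": "91.4.1esr-1~deb11u1",  # previous security update, below the fix
    "xorg-server": "2:1.20.11-1+deb11u1",  # exactly the fixed version
    "apache2": "2.4.52-1~deb11u2",
    "lighttpd": "1.4.59-1",                # release version, no +deb11u1 suffix
    "djvulibre": "3.5.28-2+b1",            # binNMU of the fixed version, still fixed
}


def outstanding(installed: Dict[str, str], fixed: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Packages whose installed version is below the fixed one: name -> (have, need)."""
    return {
        pkg: (have, fixed[pkg])
        for pkg, have in installed.items()
        if pkg in fixed and not is_fixed(have, fixed[pkg])
    }


if __name__ == "__main__":
    for pkg, (have, need) in outstanding(INSTALLED, BULLSEYE_FIXED).items():
        print(f"{pkg}: installed {have}, fixed in {need}")
```

On a live system `dpkg --compare-versions` is the authoritative implementation and should be preferred; the pure-Python version is for the case where a package list has been exported from a fleet and is being checked elsewhere, without dpkg on hand. Replace INSTALLED with the parsed output of `dpkg-query -W -f '${Package} ${Version}\n'` and extend BULLSEYE_FIXED from the advisories that apply to the hosts in question.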