Debian Security Advisory

    • Offizieller Beitrag

    Package : chromium


    CVE ID : CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055


    CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059


    CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064


    CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068


    CVE-2021-4078 CVE-2021-4079 CVE-2021-4098 CVE-2021-4099


    CVE-2021-4100 CVE-2021-4101 CVE-2021-4102 CVE-2021-37956


    CVE-2021-37957 CVE-2021-37958 CVE-2021-37959 CVE-2021-37961


    CVE-2021-37962 CVE-2021-37963 CVE-2021-37964 CVE-2021-37965


    CVE-2021-37966 CVE-2021-37967 CVE-2021-37968 CVE-2021-37969


    CVE-2021-37970 CVE-2021-37971 CVE-2021-37972 CVE-2021-37973


    CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977


    CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 CVE-2021-37981


    CVE-2021-37982 CVE-2021-37983 CVE-2021-37984 CVE-2021-37985


    CVE-2021-37986 CVE-2021-37987 CVE-2021-37988 CVE-2021-37989


    CVE-2021-37990 CVE-2021-37991 CVE-2021-37992 CVE-2021-37993


    CVE-2021-37994 CVE-2021-37995 CVE-2021-37996 CVE-2021-37997


    CVE-2021-37998 CVE-2021-37999 CVE-2021-38000 CVE-2021-38001


    CVE-2021-38002 CVE-2021-38003 CVE-2021-38004 CVE-2021-38005


    CVE-2021-38006 CVE-2021-38007 CVE-2021-38008 CVE-2021-38009


    CVE-2021-38010 CVE-2021-38011 CVE-2021-38012 CVE-2021-38013


    CVE-2021-38014 CVE-2021-38015 CVE-2021-38016 CVE-2021-38017


    CVE-2021-38018 CVE-2021-38019 CVE-2021-38020 CVE-2021-38021


    CVE-2021-38022 CVE-2022-0096 CVE-2022-0097 CVE-2022-0098


    CVE-2022-0099 CVE-2022-0100 CVE-2022-0101 CVE-2022-0102


    CVE-2022-0103 CVE-2022-0104 CVE-2022-0105 CVE-2022-0106


    CVE-2022-0107 CVE-2022-0108 CVE-2022-0109 CVE-2022-0110


    CVE-2022-0111 CVE-2022-0112 CVE-2022-0113 CVE-2022-0114


    CVE-2022-0115 CVE-2022-0116 CVE-2022-0117 CVE-2022-0118


    CVE-2022-0120



    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.



    For the oldstable distribution (buster), security support for Chromium has been discontinued due to toolchain issues which no longer allow to build current Chromium releases on buster. You can either upgrade to the stable release (bullseye) or switch to a browser which continues to receive security supports in buster (firefox-esr or browsers based on webkit2gtk)



    For the stable distribution (bullseye), these problems have been fixed in version 97.0.4692.71-0.1~deb11u1.



    We recommend that you upgrade your chromium packages.



    For the detailed security status of chromium please refer to its security tracker page at:


    Information on source package chromium



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : prosody


    CVE ID : CVE-2022-0217



    Matthew Wild discovered that the WebSockets code in Prosody, a lightweight Jabber/XMPP server, was susceptible to denial of service.



    For the oldstable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u3.



    For the stable distribution (bullseye), this problem has been fixed in version 0.11.9-2+deb11u1.



    We recommend that you upgrade your prosody packages.



    For the detailed security status of prosody please refer to its security tracker page at:


    Information on source package prosody



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : libreswan


    CVE ID : CVE-2022-23094



    It was discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 packet, resulting in denial of service.



    For the stable distribution (bullseye), this problem has been fixed in version 4.3-1+deb11u1.



    We recommend that you upgrade your libreswan packages.



    For the detailed security status of libreswan please refer to its security tracker page at:


    Information on source package libreswan



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : flatpak


    CVE ID : CVE-2021-43860 CVE-2022-21682



    Several vulnerabilities were discovered in Flatpak, an application deployment framework for desktop apps.



    CVE-2021-43860



    Ryan Gonzalez discovered that Flatpak didn't properly validate


    that the permissions displayed to the user for an app at install


    time match the actual permissions granted to the app at


    runtime. Malicious apps could therefore grant themselves


    permissions without the consent of the user.



    CVE-2022-21682



    Flatpak didn't always prevent a malicious flatpak-builder user


    from writing to the local filesystem.



    For the stable distribution (bullseye), these problems have been fixed in version 1.10.7-0+deb11u1.



    Please note that flatpak-builder also needed an update for compatibility, and is now at version 1.0.12-1+deb11u1 in bullseye.



    We recommend that you upgrade your flatpak and flatpak-builder packages.



    For the detailed security status of flatpak please refer to its security tracker page at:


    Information on source package flatpak



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : linux


    CVE ID : CVE-2021-4155 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713


    CVE-2021-28714 CVE-2021-28715 CVE-2021-39685 CVE-2021-45095


    CVE-2021-45469 CVE-2021-45480 CVE-2022-0185 CVE-2022-23222


    Debian Bug : 988044 996974



    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.



    CVE-2021-4155



    Kirill Tkhai discovered a data leak in the way the XFS_IOC_ALLOCSP


    IOCTL in the XFS filesystem allowed for a size increase of files


    with unaligned size. A local attacker can take advantage of this


    flaw to leak data on the XFS filesystem.



    CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)



    Juergen Gross reported that malicious PV backends can cause a denial


    of service to guests being serviced by those backends via high


    frequency events, even if those backends are running in a less


    privileged environment.



    CVE-2021-28714, CVE-2021-28715 (XSA-392)



    Juergen Gross discovered that Xen guests can force the Linux


    netback driver to hog large amounts of kernel memory, resulting in


    denial of service.



    CVE-2021-39685



    Szymon Heidrich discovered a buffer overflow vulnerability in the


    USB gadget subsystem, resulting in information disclosure, denial of


    service or privilege escalation.



    CVE-2021-45095



    It was discovered that the Phone Network protocol (PhoNet) driver


    has a reference count leak in the pep_sock_accept() function.



    CVE-2021-45469



    Wenqing Liu reported an out-of-bounds memory access in the f2fs


    implementation if an inode has an invalid last xattr entry. An


    attacker able to mount a specially crafted image can take advantage


    of this flaw for denial of service.



    CVE-2021-45480



    A memory leak flaw was discovered in the __rds_conn_create()


    function in the RDS (Reliable Datagram Sockets) protocol subsystem.



    CVE-2022-0185



    William Liu, Jamie Hill-Daniel, Isaac Badipe, Alec Petridis, Hrvoje


    Misetic and Philip Papurt discovered a heap-based buffer overflow


    flaw in the legacy_parse_param function in the Filesystem Context


    functionality, allowing an local user (with CAP_SYS_ADMIN capability


    in the current namespace) to escalate privileges.



    CVE-2022-23222



    'tr3e' discovered that the BPF verifier does not properly restrict


    several *_OR_NULL pointer types allowing these types to do pointer


    arithmetic. A local user with the ability to call bpf(), can take


    advantage of this flaw to excalate privileges. Unprivileged calls to


    bpf() are disabled by default in Debian, mitigating this flaw.



    For the stable distribution (bullseye), these problems have been fixed in version 5.10.92-1. This version includes changes which were aimed to land in the next Debian bullseye point release.



    We recommend that you upgrade your linux packages.



    For the detailed security status of linux please refer to its security tracker page at:


    Information on source package linux



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : aide


    CVE ID : CVE-2021-45417



    David Bouman discovered a heap-based buffer overflow vulnerability in the base64 functions of aide, an advanced intrusion detection system, which can be triggered via large extended file attributes or ACLs. This may result in denial of service or privilege escalation.



    For the oldstable distribution (buster), this problem has been fixed in version 0.16.1-1+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 0.17.3-4+deb11u1.



    We recommend that you upgrade your aide packages.



    For the detailed security status of aide please refer to its security tracker page at:


    Information on source package aide



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : usbview


    CVE ID : CVE-2022-23220



    Matthias Gerstner reported that usbview, a USB device viewer, does not properly handle authorization in the PolicyKit policy configuration, which could result in root privilege escalation.



    For the oldstable distribution (buster), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb11u1.



    We recommend that you upgrade your usbview packages.



    For the detailed security status of usbview please refer to its security tracker page at:


    Information on source package usbview



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : pillow


    CVE ID : CVE-2022-22815 CVE-2022-22816 CVE-2022-22817



    Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service and potentially the execution of arbitrary code if malformed images are processed.



    For the oldstable distribution (buster), these problems have been fixed in version 5.4.1-2+deb10u3.



    For the stable distribution (bullseye), these problems have been fixed in version 8.1.2+dfsg-0.3+deb11u1.



    We recommend that you upgrade your pillow packages.



    For the detailed security status of pillow please refer to its security tracker page at:


    Information on source package pillow



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : chromium


    CVE ID : CVE-2022-0289 CVE-2022-0290 CVE-2022-0291 CVE-2022-0292


    CVE-2022-0293 CVE-2022-0294 CVE-2022-0295 CVE-2022-0296


    CVE-2022-0297 CVE-2022-0298 CVE-2022-0300 CVE-2022-0301


    CVE-2022-0302 CVE-2022-0303 CVE-2022-0304 CVE-2022-0305


    CVE-2022-0306 CVE-2022-0307 CVE-2022-0308 CVE-2022-0309


    CVE-2022-0310 CVE-2022-0311



    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.



    For the stable distribution (bullseye), this problem has been fixed in version 97.0.4692.99-1~deb11u2.



    We recommend that you upgrade your chromium packages.



    For the detailed security status of chromium please refer to its security tracker page at:


    Information on source package chromium



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : util-linux


    CVE ID : CVE-2021-3995 CVE-2021-3996



    The Qualys Research Labs discovered two vulnerabilities in util-linux's libmount. These flaws allow an unprivileged user to unmount other users'


    filesystems that are either world-writable themselves or mounted in a world-writable directory (CVE-2021-3996), or to unmount FUSE filesystems that belong to certain other users (CVE-2021-3995).



    For the stable distribution (bullseye), these problems have been fixed in version 2.36.1-8+deb11u1.



    We recommend that you upgrade your util-linux packages.



    For the detailed security status of util-linux please refer to its security tracker page at:


    Information on source package util-linux



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : strongswan


    CVE ID : CVE-2021-45079



    Zhuowei Zhang discovered a bug in the EAP authentication client code of strongSwan, an IKE/IPsec suite, that may allow to bypass the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack.



    When using EAP authentication (RFC 3748), the successful completion of the authentication is indicated by an EAP-Success message sent by the server to the client. strongSwan's EAP client code handled early EAP-Success messages incorrectly, either crashing the IKE daemon or concluding the EAP method prematurely.



    End result depend on the used configuration, more details can be found in upstream advisory at https://www.strongswan.org/blo…ity-(cve-2021-45079).html



    For the oldstable distribution (buster), this problem has been fixed in version 5.7.2-1+deb10u2.



    For the stable distribution (bullseye), this problem has been fixed in version 5.9.1-1+deb11u2.



    We recommend that you upgrade your strongswan packages.



    For the detailed security status of strongswan please refer to its security tracker page at:


    Information on source package strongswan



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : openjdk-11


    CVE ID : CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283


    CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296


    CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341


    CVE-2022-21360 CVE-2022-21365 CVE-2022-21366



    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, bypass of deserialization restrictions or information disclosure.



    For the oldstable distribution (buster), these problems have been fixed in version 11.0.14+9-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 11.0.14+9-1~deb11u1.



    We recommend that you upgrade your openjdk-11 packages.



    For the detailed security status of openjdk-11 please refer to its security tracker page at:


    Information on source package openjdk-11



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : openjdk-17


    CVE ID : CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283


    CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296


    CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341


    CVE-2022-21360 CVE-2022-21365 CVE-2022-21366



    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, bypass of deserialization restrictions or information disclosure.



    For the stable distribution (bullseye), these problems have been fixed in version 17.0.2+8-1~deb11u1.



    We recommend that you upgrade your openjdk-17 packages.



    For the detailed security status of openjdk-17 please refer to its security tracker page at:


    Information on source package openjdk-17



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : policykit-1


    CVE ID : CVE-2021-4034



    The Qualys Research Labs discovered a local privilege escalation in PolicyKit's pkexec.



    Details can be found in the Qualys advisory at https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt



    For the oldstable distribution (buster), this problem has been fixed in version 0.105-25+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 0.105-31+deb11u1.



    We recommend that you upgrade your policykit-1 packages.



    For the detailed security status of policykit-1 please refer to its security tracker page at:


    Information on source package policykit-1



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : webkit2gtk


    CVE ID : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952


    CVE-2021-30953 CVE-2021-30954 CVE-2021-30984



    The following vulnerabilities have been discovered in the webkit2gtk web engine:



    CVE-2021-30934



    Dani Biro discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    CVE-2021-30936



    Chijin Zhou discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    CVE-2021-30951



    Pangu discovered that processing maliciously crafted web content


    may lead to arbitrary code execution.



    CVE-2021-30952



    WeBin discovered that processing maliciously crafted web content


    may lead to arbitrary code execution.



    CVE-2021-30953



    VRIJ discovered that processing maliciously crafted web content


    may lead to arbitrary code execution.



    CVE-2021-30954



    Kunlun Lab discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    CVE-2021-30984



    Kunlun Lab discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    For the oldstable distribution (buster), these problems have been fixed in version 2.34.4-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 2.34.4-1~deb11u1.



    We recommend that you upgrade your webkit2gtk packages.



    For the detailed security status of webkit2gtk please refer to its security tracker page at:


    Information on source package webkit2gtk



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : wpewebkit


    CVE ID : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952


    CVE-2021-30953 CVE-2021-30954 CVE-2021-30984



    The following vulnerabilities have been discovered in the wpewebkit web engine:



    CVE-2021-30934



    Dani Biro discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    CVE-2021-30936



    Chijin Zhou discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    CVE-2021-30951



    Pangu discovered that processing maliciously crafted web content


    may lead to arbitrary code execution.



    CVE-2021-30952



    WeBin discovered that processing maliciously crafted web content


    may lead to arbitrary code execution.



    CVE-2021-30953



    VRIJ discovered that processing maliciously crafted web content


    may lead to arbitrary code execution.



    CVE-2021-30954



    Kunlun Lab discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    CVE-2021-30984



    Kunlun Lab discovered that processing maliciously crafted web


    content may lead to arbitrary code execution.



    For the stable distribution (bullseye), these problems have been fixed in version 2.34.4-1~deb11u1.



    We recommend that you upgrade your wpewebkit packages.



    For the detailed security status of wpewebkit please refer to its security tracker page at:


    Information on source package wpewebkit



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : nss


    CVE ID : CVE-2022-22747



    Tavis Ormandy discovered that incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service.



    For the oldstable distribution (buster), this problem has been fixed in version 2:3.42.1-1+deb10u5.



    For the stable distribution (bullseye), this problem has been fixed in version 2:3.61-1+deb11u2.



    We recommend that you upgrade your nss packages.



    For the detailed security status of nss please refer to its security tracker page at:


    Information on source package nss



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : uriparser


    CVE ID : CVE-2021-46141 CVE-2021-46142



    Two vulnerabilities were discovered in uriparser, a library that parses Uniform Resource Identifiers (URIs), which may result in denial of service or potentially in the the execution of arbitrary code.



    For the oldstable distribution (buster), these problems have been fixed in version 0.9.1-1+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 0.9.4+dfsg-1+deb11u1.



    We recommend that you upgrade your uriparser packages.



    For the detailed security status of uriparser please refer to its security tracker page at:


    Information on source package uriparser



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : prosody


    Debian Bug : 1004173



    The update for prosody released as DSA 5047 introduced a memory leak.


    Updated prosody packages are now available to correct this issue.



    For the oldstable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u4.



    For the stable distribution (bullseye), this problem has been fixed in version 0.11.9-2+deb11u2.



    We recommend that you upgrade your prosody packages.



    For the detailed security status of prosody please refer to its security tracker page at:


    Information on source package prosody



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : python-nbxmpp


    CVE ID : CVE-2021-41055



    It was discovered that missing input sanitising in python-nbxmpp, a Jabber/XMPP Python library, could result in denial of service in clients based on it (such as Gajim).



    The oldstable distribution (buster) is not affected.



    For the stable distribution (bullseye), this problem has been fixed in version 2.0.2-1+deb11u1.



    We recommend that you upgrade your python-nbxmpp packages.



    For the detailed security status of python-nbxmpp please refer to its security tracker page at:


    Information on source package python-nbxmpp



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/