Debian Security Advisory

    • Official post

    Package : chromium

    CVE ID : CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055

    CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059

    CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064

    CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068

    CVE-2021-4078 CVE-2021-4079 CVE-2021-4098 CVE-2021-4099

    CVE-2021-4100 CVE-2021-4101 CVE-2021-4102 CVE-2021-37956

    CVE-2021-37957 CVE-2021-37958 CVE-2021-37959 CVE-2021-37961

    CVE-2021-37962 CVE-2021-37963 CVE-2021-37964 CVE-2021-37965

    CVE-2021-37966 CVE-2021-37967 CVE-2021-37968 CVE-2021-37969

    CVE-2021-37970 CVE-2021-37971 CVE-2021-37972 CVE-2021-37973

    CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977

    CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 CVE-2021-37981

    CVE-2021-37982 CVE-2021-37983 CVE-2021-37984 CVE-2021-37985

    CVE-2021-37986 CVE-2021-37987 CVE-2021-37988 CVE-2021-37989

    CVE-2021-37990 CVE-2021-37991 CVE-2021-37992 CVE-2021-37993

    CVE-2021-37994 CVE-2021-37995 CVE-2021-37996 CVE-2021-37997

    CVE-2021-37998 CVE-2021-37999 CVE-2021-38000 CVE-2021-38001

    CVE-2021-38002 CVE-2021-38003 CVE-2021-38004 CVE-2021-38005

    CVE-2021-38006 CVE-2021-38007 CVE-2021-38008 CVE-2021-38009

    CVE-2021-38010 CVE-2021-38011 CVE-2021-38012 CVE-2021-38013

    CVE-2021-38014 CVE-2021-38015 CVE-2021-38016 CVE-2021-38017

    CVE-2021-38018 CVE-2021-38019 CVE-2021-38020 CVE-2021-38021

    CVE-2021-38022 CVE-2022-0096 CVE-2022-0097 CVE-2022-0098

    CVE-2022-0099 CVE-2022-0100 CVE-2022-0101 CVE-2022-0102

    CVE-2022-0103 CVE-2022-0104 CVE-2022-0105 CVE-2022-0106

    CVE-2022-0107 CVE-2022-0108 CVE-2022-0109 CVE-2022-0110

    CVE-2022-0111 CVE-2022-0112 CVE-2022-0113 CVE-2022-0114

    CVE-2022-0115 CVE-2022-0116 CVE-2022-0117 CVE-2022-0118

    CVE-2022-0120


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (buster), security support for Chromium has been discontinued due to toolchain issues which no longer allow building current Chromium releases on buster. You can either upgrade to the stable release (bullseye) or switch to a browser which continues to receive security support in buster (firefox-esr or browsers based on webkit2gtk).


    For the stable distribution (bullseye), these problems have been fixed in version 97.0.4692.71-0.1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : prosody

    CVE ID : CVE-2022-0217


    Matthew Wild discovered that the WebSockets code in Prosody, a lightweight Jabber/XMPP server, was susceptible to denial of service.


    For the oldstable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u3.


    For the stable distribution (bullseye), this problem has been fixed in version 0.11.9-2+deb11u1.


    We recommend that you upgrade your prosody packages.


    For the detailed security status of prosody please refer to its security tracker page at:

    Information on source package prosody


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libreswan

    CVE ID : CVE-2022-23094


    It was discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 packet, resulting in denial of service.


    For the stable distribution (bullseye), this problem has been fixed in version 4.3-1+deb11u1.


    We recommend that you upgrade your libreswan packages.


    For the detailed security status of libreswan please refer to its security tracker page at:

    Information on source package libreswan


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : flatpak

    CVE ID : CVE-2021-43860 CVE-2022-21682


    Several vulnerabilities were discovered in Flatpak, an application deployment framework for desktop apps.


    CVE-2021-43860


    Ryan Gonzalez discovered that Flatpak didn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime. Malicious apps could therefore grant themselves permissions without the consent of the user.


    CVE-2022-21682


    Flatpak didn't always prevent a malicious flatpak-builder user from writing to the local filesystem.


    For the stable distribution (bullseye), these problems have been fixed in version 1.10.7-0+deb11u1.


    Please note that flatpak-builder also needed an update for compatibility, and is now at version 1.0.12-1+deb11u1 in bullseye.


    We recommend that you upgrade your flatpak and flatpak-builder packages.


    For the detailed security status of flatpak please refer to its security tracker page at:

    Information on source package flatpak


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2021-4155 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713

    CVE-2021-28714 CVE-2021-28715 CVE-2021-39685 CVE-2021-45095

    CVE-2021-45469 CVE-2021-45480 CVE-2022-0185 CVE-2022-23222

    Debian Bug : 988044 996974


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2021-4155


    Kirill Tkhai discovered a data leak in the way the XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for a size increase of files with unaligned size. A local attacker can take advantage of this flaw to leak data on the XFS filesystem.


    CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)


    Juergen Gross reported that malicious PV backends can cause a denial of service to guests being serviced by those backends via high frequency events, even if those backends are running in a less privileged environment.


    CVE-2021-28714, CVE-2021-28715 (XSA-392)


    Juergen Gross discovered that Xen guests can force the Linux netback driver to hog large amounts of kernel memory, resulting in denial of service.


    CVE-2021-39685


    Szymon Heidrich discovered a buffer overflow vulnerability in the USB gadget subsystem, resulting in information disclosure, denial of service or privilege escalation.


    CVE-2021-45095


    It was discovered that the Phone Network protocol (PhoNet) driver has a reference count leak in the pep_sock_accept() function.


    CVE-2021-45469


    Wenqing Liu reported an out-of-bounds memory access in the f2fs implementation if an inode has an invalid last xattr entry. An attacker able to mount a specially crafted image can take advantage of this flaw for denial of service.


    CVE-2021-45480


    A memory leak flaw was discovered in the __rds_conn_create() function in the RDS (Reliable Datagram Sockets) protocol subsystem.


    CVE-2022-0185


    William Liu, Jamie Hill-Daniel, Isaac Badipe, Alec Petridis, Hrvoje Misetic and Philip Papurt discovered a heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality, allowing a local user (with CAP_SYS_ADMIN capability in the current namespace) to escalate privileges.


    CVE-2022-23222


    'tr3e' discovered that the BPF verifier does not properly restrict several *_OR_NULL pointer types allowing these types to do pointer arithmetic. A local user with the ability to call bpf() can take advantage of this flaw to escalate privileges. Unprivileged calls to bpf() are disabled by default in Debian, mitigating this flaw.


    For the stable distribution (bullseye), these problems have been fixed in version 5.10.92-1. This version includes changes which were aimed to land in the next Debian bullseye point release.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : aide

    CVE ID : CVE-2021-45417


    David Bouman discovered a heap-based buffer overflow vulnerability in the base64 functions of aide, an advanced intrusion detection system, which can be triggered via large extended file attributes or ACLs. This may result in denial of service or privilege escalation.


    For the oldstable distribution (buster), this problem has been fixed in version 0.16.1-1+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 0.17.3-4+deb11u1.


    We recommend that you upgrade your aide packages.


    For the detailed security status of aide please refer to its security tracker page at:

    Information on source package aide


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : usbview

    CVE ID : CVE-2022-23220


    Matthias Gerstner reported that usbview, a USB device viewer, does not properly handle authorization in the PolicyKit policy configuration, which could result in root privilege escalation.


    For the oldstable distribution (buster), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb11u1.


    We recommend that you upgrade your usbview packages.


    For the detailed security status of usbview please refer to its security tracker page at:

    Information on source package usbview


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pillow

    CVE ID : CVE-2022-22815 CVE-2022-22816 CVE-2022-22817


    Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service and potentially the execution of arbitrary code if malformed images are processed.


    For the oldstable distribution (buster), these problems have been fixed in version 5.4.1-2+deb10u3.


    For the stable distribution (bullseye), these problems have been fixed in version 8.1.2+dfsg-0.3+deb11u1.


    We recommend that you upgrade your pillow packages.


    For the detailed security status of pillow please refer to its security tracker page at:

    Information on source package pillow


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-0289 CVE-2022-0290 CVE-2022-0291 CVE-2022-0292

    CVE-2022-0293 CVE-2022-0294 CVE-2022-0295 CVE-2022-0296

    CVE-2022-0297 CVE-2022-0298 CVE-2022-0300 CVE-2022-0301

    CVE-2022-0302 CVE-2022-0303 CVE-2022-0304 CVE-2022-0305

    CVE-2022-0306 CVE-2022-0307 CVE-2022-0308 CVE-2022-0309

    CVE-2022-0310 CVE-2022-0311


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), this problem has been fixed in version 97.0.4692.99-1~deb11u2.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : util-linux

    CVE ID : CVE-2021-3995 CVE-2021-3996


    The Qualys Research Labs discovered two vulnerabilities in util-linux's libmount. These flaws allow an unprivileged user to unmount other users' filesystems that are either world-writable themselves or mounted in a world-writable directory (CVE-2021-3996), or to unmount FUSE filesystems that belong to certain other users (CVE-2021-3995).


    For the stable distribution (bullseye), these problems have been fixed in version 2.36.1-8+deb11u1.


    We recommend that you upgrade your util-linux packages.


    For the detailed security status of util-linux please refer to its security tracker page at:

    Information on source package util-linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : strongswan

    CVE ID : CVE-2021-45079


    Zhuowei Zhang discovered a bug in the EAP authentication client code of strongSwan, an IKE/IPsec suite, that may allow bypassing the client and in some scenarios even the server authentication, or could lead to a denial-of-service attack.


    When using EAP authentication (RFC 3748), the successful completion of the authentication is indicated by an EAP-Success message sent by the server to the client. strongSwan's EAP client code handled early EAP-Success messages incorrectly, either crashing the IKE daemon or concluding the EAP method prematurely.


    The end result depends on the configuration used; more details can be found in the upstream advisory at https://www.strongswan.org/blog/2022/01/2…021-45079).html


    For the oldstable distribution (buster), this problem has been fixed in version 5.7.2-1+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 5.9.1-1+deb11u2.


    We recommend that you upgrade your strongswan packages.


    For the detailed security status of strongswan please refer to its security tracker page at:

    Information on source package strongswan


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283

    CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296

    CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341

    CVE-2022-21360 CVE-2022-21365 CVE-2022-21366


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, bypass of deserialization restrictions or information disclosure.


    For the oldstable distribution (buster), these problems have been fixed in version 11.0.14+9-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 11.0.14+9-1~deb11u1.


    We recommend that you upgrade your openjdk-11 packages.


    For the detailed security status of openjdk-11 please refer to its security tracker page at:

    Information on source package openjdk-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-17

    CVE ID : CVE-2022-21248 CVE-2022-21277 CVE-2022-21282 CVE-2022-21283

    CVE-2022-21291 CVE-2022-21293 CVE-2022-21294 CVE-2022-21296

    CVE-2022-21299 CVE-2022-21305 CVE-2022-21340 CVE-2022-21341

    CVE-2022-21360 CVE-2022-21365 CVE-2022-21366


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in denial of service, bypass of deserialization restrictions or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 17.0.2+8-1~deb11u1.


    We recommend that you upgrade your openjdk-17 packages.


    For the detailed security status of openjdk-17 please refer to its security tracker page at:

    Information on source package openjdk-17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : policykit-1

    CVE ID : CVE-2021-4034


    The Qualys Research Labs discovered a local privilege escalation in PolicyKit's pkexec.


    Details can be found in the Qualys advisory at https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt


    For the oldstable distribution (buster), this problem has been fixed in version 0.105-25+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 0.105-31+deb11u1.


    We recommend that you upgrade your policykit-1 packages.


    For the detailed security status of policykit-1 please refer to its security tracker page at:

    Information on source package policykit-1


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952

    CVE-2021-30953 CVE-2021-30954 CVE-2021-30984


    The following vulnerabilities have been discovered in the webkit2gtk web engine:


    CVE-2021-30934


    Dani Biro discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30936


    Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30951


    Pangu discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30952


    WeBin discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30953


    VRIJ discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30954


    Kunlun Lab discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30984


    Kunlun Lab discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    For the oldstable distribution (buster), these problems have been fixed in version 2.34.4-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.4-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952

    CVE-2021-30953 CVE-2021-30954 CVE-2021-30984


    The following vulnerabilities have been discovered in the wpewebkit web engine:


    CVE-2021-30934


    Dani Biro discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30936


    Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30951


    Pangu discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30952


    WeBin discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30953


    VRIJ discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30954


    Kunlun Lab discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2021-30984


    Kunlun Lab discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.4-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nss

    CVE ID : CVE-2022-22747


    Tavis Ormandy discovered that incorrect parsing of pkcs7 sequences in nss, the Mozilla Network Security Service library, may result in denial of service.


    For the oldstable distribution (buster), this problem has been fixed in version 2:3.42.1-1+deb10u5.


    For the stable distribution (bullseye), this problem has been fixed in version 2:3.61-1+deb11u2.


    We recommend that you upgrade your nss packages.


    For the detailed security status of nss please refer to its security tracker page at:

    Information on source package nss


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : uriparser

    CVE ID : CVE-2021-46141 CVE-2021-46142


    Two vulnerabilities were discovered in uriparser, a library that parses Uniform Resource Identifiers (URIs), which may result in denial of service or potentially in the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 0.9.1-1+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 0.9.4+dfsg-1+deb11u1.


    We recommend that you upgrade your uriparser packages.


    For the detailed security status of uriparser please refer to its security tracker page at:

    Information on source package uriparser


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : prosody

    Debian Bug : 1004173


    The update for prosody released as DSA 5047 introduced a memory leak. Updated prosody packages are now available to correct this issue.


    For the oldstable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u4.


    For the stable distribution (bullseye), this problem has been fixed in version 0.11.9-2+deb11u2.


    We recommend that you upgrade your prosody packages.


    For the detailed security status of prosody please refer to its security tracker page at:

    Information on source package prosody


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-nbxmpp

    CVE ID : CVE-2021-41055


    It was discovered that missing input sanitising in python-nbxmpp, a Jabber/XMPP Python library, could result in denial of service in clients based on it (such as Gajim).


    The oldstable distribution (buster) is not affected.


    For the stable distribution (bullseye), this problem has been fixed in version 2.0.2-1+deb11u1.


    We recommend that you upgrade your python-nbxmpp packages.


    For the detailed security status of python-nbxmpp please refer to its security tracker page at:

    Information on source package python-nbxmpp


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/