Debian Security Advisory

    • Official post

    Package : ipython

    CVE ID : CVE-2022-21699


    It was discovered that IPython, an enhanced interactive Python shell, executed config files from the current working directory, which could result in cross-user attacks if run from a directory multiple users may write to.


    For the oldstable distribution (buster), this problem has been fixed in version 5.8.0-1+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 7.20.0-1+deb11u1.


    We recommend that you upgrade your ipython packages.


    For the detailed security status of ipython please refer to its security tracker page at:

    Information on source package ipython


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
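    The advisory's point is that a start-up file read from the working directory becomes a cross-user attack surface as soon as that directory is writable by others. The guard below is an added example, not code from the advisory or from IPython: it refuses to start an interpreter from a group- or world-writable directory (sticky directories such as /tmp included, since the sticky bit does not stop someone planting a new file) and warns when an `ipython_config.py` is already present there. The file name is taken from IPython's normal configuration layout; the functions and the `--check` flag are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Debian advisory or of IPython): a guard for
# interpreters that read configuration from the current working directory.

# dir_shared_writable DIR -> 0 (true) when DIR is group- or world-writable,
# 1 when it is private, 2 when DIR is not a directory.
# The sticky bit (as on /tmp) does not help: it only stops others from deleting
# or renaming your files, not from creating a new file with a chosen name.
dir_shared_writable() {
    [ -d "$1" ] || return 2
    # -prune keeps find on the directory itself instead of descending into it;
    # -perm -g+w / -perm -o+w test the mode bits, not our own effective access.
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]
}

# safe_to_run_here DIR -> prints "ok" and returns 0 only when DIR is private and
# holds no ipython_config.py; otherwise prints the reason and returns 1.
safe_to_run_here() {
    if dir_shared_writable "$1"; then
        echo "refusing: $1 is writable by other users"
        return 1
    fi
    if [ -e "$1/ipython_config.py" ]; then
        echo "warning: $1/ipython_config.py exists here, check that it is yours"
        return 1
    fi
    echo ok
}

# Usage (hypothetical wrapper): sh guard.sh --check && ipython
if [ "${1:-}" = --check ]; then
    safe_to_run_here "$PWD"
fi
```

    The check is deliberately conservative: a group-writable directory is flagged even when every group member is trusted, because the attack in the advisory only needs one other writer.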

    • Official post

    Package : ruby2.5

    CVE ID : CVE-2021-28965 CVE-2021-31799 CVE-2021-31810 CVE-2021-41817 CVE-2021-41819 CVE-2021-32066


    Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in XML roundtrip attacks, the execution of arbitrary code, information disclosure, StartTLS stripping in IMAP or denial of service.


    For the oldstable distribution (buster), these problems have been fixed in version 2.5.5-3+deb10u4.


    We recommend that you upgrade your ruby2.5 packages.


    For the detailed security status of ruby2.5 please refer to its security tracker page at:

    Information on source package ruby2.5


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby2.7

    CVE ID : CVE-2021-41816 CVE-2021-41817 CVE-2021-41819


    Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems included, which may result in information disclosure or denial of service.


    For the stable distribution (bullseye), these problems have been fixed in version 2.7.4-1+deb11u1.


    We recommend that you upgrade your ruby2.7 packages.


    For the detailed security status of ruby2.7 please refer to its security tracker page at:

    Information on source package ruby2.7


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-0452 CVE-2022-0453 CVE-2022-0454 CVE-2022-0455 CVE-2022-0456 CVE-2022-0457 CVE-2022-0458 CVE-2022-0459 CVE-2022-0460 CVE-2022-0461 CVE-2022-0462 CVE-2022-0463 CVE-2022-0464 CVE-2022-0465 CVE-2022-0466 CVE-2022-0467 CVE-2022-0468 CVE-2022-0469 CVE-2022-0470


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 98.0.4758.80-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.


    For the oldstable distribution (buster), these problems have been fixed in version 91.6.0esr-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 91.6.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cryptsetup

    CVE ID : CVE-2021-4122

    Debian Bug : 1003686 949336


    CVE-2021-4122


    Milan Broz, its maintainer, discovered an issue in cryptsetup, the disk encryption configuration tool for Linux.


    LUKS2 (an on-disk format) online reencryption is an optional extension to allow a user to change the data reencryption key while the data device is available for use during the whole reencryption process.


    An attacker can modify on-disk metadata to simulate decryption in progress with crashed (unfinished) reencryption step and persistently decrypt part of the LUKS2 device (LUKS1 devices are indirectly affected as well, see below).


    This attack requires repeated physical access to the LUKS2 device but no knowledge of user passphrases.


    The decryption step is performed after a valid user activates the device with a correct passphrase and modified metadata.


    The size of possible decrypted data per attack step depends on configured LUKS2 header size (metadata size is configurable for LUKS2). With the default LUKS2 parameters (16 MiB header) and only one allocated keyslot (512 bit key for AES-XTS), simulated decryption with checksum resilience SHA1 (20 bytes checksum for 4096-byte blocks), the maximal decrypted size can be over 3GiB.


    The attack is not applicable to LUKS1 format, but the attacker can update metadata in place to LUKS2 format as an additional step. For such a converted LUKS2 header, the keyslot area is limited to decrypted size (with SHA1 checksums) over 300 MiB.


    LUKS devices that were formatted using a cryptsetup binary from Debian Stretch or earlier are using LUKS1. However since Debian Buster the default on-disk LUKS format version is LUKS2. In particular, encrypted devices formatted by the Debian Buster and Bullseye installers are using LUKS2 by default.


    Key truncation in dm-integrity


    This update additionally fixes a key truncation issue for standalone dm-integrity devices using HMAC integrity protection. For existing such devices with extra long HMAC keys (typically >106 bytes of length), one might need to manually truncate the key using integritysetup(8)'s `--integrity-key-size` option in order to properly map the device under 2:2.3.7-1+deb11u1 and later.


    Only standalone dm-integrity devices are affected. dm-crypt devices, including those using authenticated disk encryption, are unaffected.

    For the oldstable distribution (buster), this problem is not present.


    For the stable distribution (bullseye), this problem has been fixed in version 2:2.3.7-1+deb11u1.


    We recommend that you upgrade your cryptsetup packages.


    For the detailed security status of cryptsetup please refer to its security tracker page at:

    Information on source package cryptsetup


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
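    The advisory describes a header-only attack: the decryption step runs only when a legitimate user activates a device whose metadata claims a reencryption is in progress. A pre-activation check is therefore the natural defensive control. The script below is an added example, not part of the Debian advisory or of cryptsetup itself: it parses `cryptsetup luksDump` output and reports whether a header is LUKS1, a clean LUKS2 header, or a LUKS2 header advertising an in-progress (or crashed) online reencryption that you did not start. The field names it keys on (`Version:`, a `Requirements:` line naming `online-reencrypt`, a keyslot of type `reencrypt`) are assumptions about luksDump's text format and should be checked against your cryptsetup version; the sample dumps are constructed, not captured from real devices.

```shell
#!/bin/sh
# Added example (not part of the Debian advisory or of cryptsetup): inspect
# `cryptsetup luksDump` output before activating a device. Field names are
# assumptions about luksDump's text format; verify them on your system.

# luks_header_version DUMP_TEXT -> prints the LUKS version (1 or 2) or "unknown".
luks_header_version() {
    printf '%s\n' "$1" | awk '/^Version:/ { print $2; found=1; exit }
                               END { if (!found) print "unknown" }'
}

# luks_reencrypt_in_progress DUMP_TEXT -> 0 when the header advertises an
# online reencryption (a "Requirements:" entry or a keyslot of type "reencrypt"),
# 1 otherwise. Either marker is what the legitimate user would see just before
# the crashed-decryption step described in the advisory is replayed.
luks_reencrypt_in_progress() {
    printf '%s\n' "$1" |
        grep -Eq '^Requirements:[[:space:]]*online-reencrypt|^[[:space:]]*[0-9]+: reencrypt'
}

# luks_assess DUMP_TEXT -> prints one verdict:
#   luks1              header is LUKS1 (not directly affected)
#   ok                 LUKS2 header with no reencryption marker
#   reencrypt-pending  LUKS2 header claims a reencryption is in progress
#   unknown            no Version: line found
luks_assess() {
    ver=$(luks_header_version "$1")
    case "$ver" in
        1) echo luks1 ;;
        2) if luks_reencrypt_in_progress "$1"; then
               echo reencrypt-pending
           else
               echo ok
           fi ;;
        *) echo unknown ;;
    esac
}

# Constructed, abbreviated sample dumps (not real device output).
CLEAN_DUMP='LUKS header information
Version:        2
Epoch:          3
Metadata area:  16384 [bytes]
Keyslots area:  16744448 [bytes]

Keyslots:
  0: luks2
        Key:        512 bits'

PENDING_DUMP='LUKS header information
Version:        2
Epoch:          7
Requirements:   online-reencrypt

Keyslots:
  0: luks2
        Key:        512 bits
  2: reencrypt
        Key:        8 bits
        Mode:       decrypt'

LUKS1_DUMP='LUKS header information for /dev/sdb1

Version:        1
Cipher name:    aes'

# Usage (needs root for luksDump): sh luks_check.sh /dev/sdX
# Activate only when the verdict matches what you expect for that device.
if [ $# -gt 0 ]; then
    luks_assess "$(cryptsetup luksDump "$1")"
fi
```

    Compare the verdict with what you know about the device: a reencryption you did not start is the direct indicator, and, since the advisory notes that a LUKS1 header can be rewritten in place to LUKS2, a Stretch-era device that now reports version 2 deserves the same suspicion.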

    • Official post

    Package : samba

    CVE ID : CVE-2021-44142 CVE-2022-0336

    Debian Bug : 1001068 1004693 1004694


    Several vulnerabilities were discovered in Samba, an SMB/CIFS file, print, and login server for Unix.


    CVE-2021-44142


    Orange Tsai reported an out-of-bounds heap write vulnerability in the VFS module vfs_fruit, which could result in remote execution of arbitrary code as root.


    CVE-2022-0336


    Kees van Vloten reported that Samba AD users with permission to write to an account can impersonate arbitrary services.


    For the oldstable distribution (buster), these problems have been fixed in version 2:4.9.5+dfsg-5+deb10u3. As per DSA 5015-1, CVE-2022-0336 has not been addressed for the oldstable distribution (buster).


    For the stable distribution (bullseye), these problems have been fixed in version 2:4.13.13+dfsg-1~deb11u3. Additionally, some followup fixes for CVE-2020-25717 are included in this update (Cf. #1001068).


    We recommend that you upgrade your samba packages.


    For the detailed security status of samba please refer to its security tracker page at:

    Information on source package samba


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : debian-edu-config

    CVE ID : CVE-2021-20001


    Marcel Neumann, Robert Altschaffel, Loris Guba and Dustin Hermann discovered that debian-edu-config, a set of configuration files used for the Debian Edu blend, configured insecure permissions for the user web shares (~/public_html), which could result in privilege escalation.


    If PHP functionality is needed for the user web shares, please refer to /usr/share/doc/debian-edu-config/README.public_html_with_PHP-CGI+suExec.md


    For the oldstable distribution (buster), this problem has been fixed in version 2.10.65+deb10u8.


    For the stable distribution (bullseye), this problem has been fixed in version 2.11.56+deb11u3.


    We recommend that you upgrade your debian-edu-config packages.


    For the detailed security status of debian-edu-config please refer to its security tracker page at:

    Information on source package debian-edu-config


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : expat

    CVE ID : CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990

    Debian Bug : 1002994 1003474


    Several vulnerabilities have been discovered in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.


    For the oldstable distribution (buster), these problems have been fixed in version 2.2.6-2+deb10u2.


    For the stable distribution (bullseye), these problems have been fixed in version 2.2.10-2+deb11u1.


    We recommend that you upgrade your expat packages.


    For the detailed security status of expat please refer to its security tracker page at:

    Information on source package expat


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2022-22754 CVE-2022-22756 CVE-2022-22759 CVE-2022-22760 CVE-2022-22761 CVE-2022-22763 CVE-2022-22764


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 1:91.6.0-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:91.6.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : minetest

    CVE ID : CVE-2022-24300 CVE-2022-24301

    Debian Bug : 1004223


    Several vulnerabilities have been discovered in Minetest, a sandbox video game and game creation system. These issues may allow attackers to manipulate game mods and grant them an unfair advantage over other players. These flaws could also be abused for a denial of service attack against a Minetest server, or, if user input is passed directly to minetest.deserialize without serializing it first, a malicious user could run Lua code in the server environment.


    For the oldstable distribution (buster), these problems have been fixed in version 0.4.17.1+repack-1+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 5.3.0+repack-2.1+deb11u1.


    We recommend that you upgrade your minetest packages.


    For the detailed security status of minetest please refer to its security tracker page at:

    Information on source package minetest


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : h2database

    CVE ID : CVE-2021-42392 CVE-2022-23221

    Debian Bug : 1003894


    Security researchers of JFrog Security and Ismail Aydemir discovered two remote code execution vulnerabilities in the H2 Java SQL database engine which can be exploited through various attack vectors, most notably through the H2 Console and by loading custom classes from remote servers through JNDI. The H2 console is a developer tool and not required by any reverse-dependency in Debian. It has been disabled in (old)stable releases. Database developers are advised to use at least version 2.1.210-1, currently available in Debian unstable.


    For the oldstable distribution (buster), these problems have been fixed in version 1.4.197-4+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1.4.197-4+deb11u1.


    We recommend that you upgrade your h2database packages.


    For the detailed security status of h2database please refer to its security tracker page at:

    Information on source package h2database


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : librecad

    CVE ID : CVE-2021-21898 CVE-2021-21899 CVE-2021-21900 CVE-2021-45341 CVE-2021-45342 CVE-2021-45343

    Debian Bug : 1004518


    Multiple security issues were discovered in LibreCAD, an application for computer aided design (CAD) which could result in denial of service or the execution of arbitrary code if a malformed CAD file is opened.


    For the oldstable distribution (buster), these problems have been fixed in version 2.1.3-1.2+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.1.3-1.3+deb11u1.


    We recommend that you upgrade your librecad packages.


    For the detailed security status of librecad please refer to its security tracker page at:

    Information on source package librecad


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : zsh

    CVE ID : CVE-2021-45444


    It was discovered that zsh, a powerful shell and scripting language, did not prevent recursive prompt expansion. This would allow an attacker to execute arbitrary commands into a user's shell, for instance by tricking a vcs_info user into checking out a git branch with a specially crafted name.


    For the oldstable distribution (buster), this problem has been fixed in version 5.7.1-1+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 5.8-6+deb11u1.


    We recommend that you upgrade your zsh packages.


    For the detailed security status of zsh please refer to its security tracker page at:

    Information on source package zsh


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-0603 CVE-2022-0604 CVE-2022-0605 CVE-2022-0606 CVE-2022-0607 CVE-2022-0608 CVE-2022-0609 CVE-2022-0610

    Debian Bug : 954824 970571 1005230 1005466


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 98.0.4758.102-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : snapd

    CVE ID : CVE-2021-44730 CVE-2021-44731


    Multiple vulnerabilities were discovered in snapd, a daemon and tooling that enable Snap packages, which could result in bypass of access restrictions or privilege escalation.


    For the oldstable distribution (buster), these problems have been fixed in version 2.37.4-1+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.49-1+deb11u1.


    We recommend that you upgrade your snapd packages.


    For the detailed security status of snapd please refer to its security tracker page at:

    Information on source package snapd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : redis

    CVE ID : CVE-2022-0543

    Debian Bug : 1005787


    Reginaldo Silva discovered a (Debian-specific) Lua sandbox escape in Redis, a persistent key-value database.


    For the oldstable distribution (buster), this problem has been fixed in version 5:5.0.14-1+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 5:6.0.16-1+deb11u2.


    We recommend that you upgrade your redis packages.


    For the detailed security status of redis please refer to its security tracker page at:

    Information on source package redis


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.4

    CVE ID : CVE-2021-21707 CVE-2021-21708


    Two security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure or denial of service.


    For the stable distribution (bullseye), these problems have been fixed in version 7.4.28-1+deb11u1.


    We recommend that you upgrade your php7.4 packages.


    For the detailed security status of php7.4 please refer to its security tracker page at:

    Information on source package php7.4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 CVE-2022-22620


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2022-22589


    Heige and Bo Qu discovered that processing a maliciously crafted mail message may lead to running arbitrary JavaScript.


    CVE-2022-22590


    Toan Pham discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2022-22592


    Prakash discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.


    CVE-2022-22620


    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.


    For the oldstable distribution (buster), these problems have been fixed in version 2.34.6-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.6-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 CVE-2022-22620


    The following vulnerabilities have been discovered in the WPE WebKit web engine:


    CVE-2022-22589


    Heige and Bo Qu discovered that processing a maliciously crafted mail message may lead to running arbitrary JavaScript.


    CVE-2022-22590


    Toan Pham discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    CVE-2022-22592


    Prakash discovered that processing maliciously crafted web content may prevent Content Security Policy from being enforced.


    CVE-2022-22620


    An anonymous researcher discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.


    For the stable distribution (bullseye), these problems have been fixed in version 2.34.6-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/