Debian Security Advisory

    • Offizieller Beitrag

    Package : condor

    CVE ID : CVE-2019-18823 CVE-2022-26110

    Debian Bug : 963777 1008634


    Several flaws have been discovered in HTCondor, a distributed workload management system, which allow users with only READ access to any daemon to use a different authentication method than the administrator has specified. If the administrator has configured the READ or WRITE methods to include CLAIMTOBE, then it is possible to impersonate another user and submit or remove jobs.


    For the oldstable distribution (buster), these problems have been fixed in version 8.6.8~dfsg.1-2+deb10u1.


    We recommend that you upgrade your condor packages.


    For the detailed security status of condor please refer to its security tracker page at:

    Information on source package condor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : lrzip

    CVE ID : CVE-2018-5786 CVE-2022-26291 CVE-2022-28044


    Multiple vulnerabilities have been discovered in the lrzip compression program which could result in denial of service or potentially the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 0.631+git180528-1+deb10u1. This update also addresses CVE-2021-27345, CVE-2020-25467 and CVE-2021-27347.


    For the stable distribution (bullseye), these problems have been fixed in version 0.641-1+deb11u1.


    We recommend that you upgrade your lrzip packages.


    For the detailed security status of lrzip please refer to its security tracker page at:

    Information on source package lrzip


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : puma

    CVE ID : CVE-2021-41136 CVE-2022-23634 CVE-2022-24790


    Multiple security vulnerabilities were discovered in Puma, a HTTP server for Ruby/Rack applications, which could result in HTTP request smuggling or information disclosure.


    For the stable distribution (bullseye), this problem has been fixed in version 4.3.8-1+deb11u2.


    We recommend that you upgrade your puma packages.


    For the detailed security status of puma please refer to its security tracker page at:

    Information on source package puma


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : dpkg

    CVE ID : CVE-2022-1664


    Max Justicz reported a directory traversal vulnerability in Dpkg::Source::Archive in dpkg, the Debian package management system.

    This affects extracting untrusted source packages in the v2 and v3 source package formats that include a debian.tar.


    For the oldstable distribution (buster), this problem has been fixed in version 1.19.8.


    For the stable distribution (bullseye), this problem has been fixed in version 1.20.10.


    We recommend that you upgrade your dpkg packages.


    For the detailed security status of dpkg please refer to its security tracker page at:

    Information on source package dpkg


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : chromium

    CVE ID : CVE-2022-1853 CVE-2022-1854 CVE-2022-1855 CVE-2022-1856

    CVE-2022-1857 CVE-2022-1858 CVE-2022-1859 CVE-2022-1860

    CVE-2022-1861 CVE-2022-1862 CVE-2022-1863 CVE-2022-1864

    CVE-2022-1865 CVE-2022-1866 CVE-2022-1867 CVE-2022-1868

    CVE-2022-1869 CVE-2022-1870 CVE-2022-1871 CVE-2022-1872

    CVE-2022-1873 CVE-2022-1874 CVE-2022-1875 CVE-2022-1876


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 102.0.5005.61-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : cups

    CVE ID : CVE-2022-26691


    Joshua Mason discovered that a logic error in the validation of the secret key used in the "local" authorisation mode of the CUPS printing system may result in privilege escalation.


    For the oldstable distribution (buster), this problem has been fixed in version 2.2.10-6+deb10u6.


    For the stable distribution (bullseye), this problem has been fixed in version 2.3.3op2-3+deb11u2.


    We recommend that you upgrade your cups packages.


    For the detailed security status of cups please refer to its security tracker page at:

    Information on source package cups


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : rsyslog

    CVE ID : CVE-2022-24903

    Debian Bug : 1010619


    Peter Agten discovered that several modules for TCP syslog reception in rsyslog, a system and kernel logging daemon, have buffer overflow flaws when octet-counted framing is used, which could result in denial of service or potentially the execution of arbitrary code.


    For the oldstable distribution (buster), this problem has been fixed in version 8.1901.0-1+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 8.2102.0-2+deb11u1.


    We recommend that you upgrade your rsyslog packages.


    For the detailed security status of rsyslog please refer to its security tracker page at:

    Information on source package rsyslog


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : smarty3

    CVE ID : CVE-2021-21408 CVE-2021-26119 CVE-2021-26120 CVE-2021-29454

    CVE-2022-29221

    Debian Bug : 1010375 1011758


    Several security vulnerabilities have been discovered in smarty3, the compiling PHP template engine. Template authors are able to run restricted static php methods or even arbitrary PHP code by crafting a malicious math string or by choosing an invalid {block} or {include} file name. If a math string was passed through as user provided data to the math function, remote users were able to run arbitrary PHP code as well.


    For the oldstable distribution (buster), these problems have been fixed in version 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 3.1.39-2+deb11u1.


    We recommend that you upgrade your smarty3 packages.


    For the detailed security status of smarty3 please refer to its security tracker page at:

    Information on source package smarty3


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : spip


    It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks.


    For the oldstable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u8.


    For the stable distribution (bullseye), this problem has been fixed in version 3.2.11-3+deb11u4.


    We recommend that you upgrade your spip packages.


    For the detailed security status of spip please refer to its security tracker page at:

    Information on source package spip


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : trafficserver

    CVE ID : CVE-2021-37147 CVE-2021-37148 CVE-2021-37149 CVE-2021-38161

    CVE-2021-44040 CVE-2021-44759


    Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in HTTP request smuggling or MITM attacks.


    For the oldstable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u6.


    For the stable distribution (bullseye), these problems have been fixed in version 8.1.1+ds-1.1+deb11u1.


    We recommend that you upgrade your trafficserver packages.


    For the detailed security status of trafficserver please refer to its security tracker page at:

    Information on source package trafficserver


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : webkit2gtk

    CVE ID : CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717

    CVE-2022-26719 CVE-2022-30293 CVE-2022-30294


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2022-26700


    ryuzaki discovered that processing maliciously crafted web content

    may lead to code execution.


    CVE-2022-26709


    Chijin Zhou discovered that processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-26716


    SorryMybad discovered that Processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-26717


    Jeonghoon Shin discovered that Processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-26719


    Dongzhuo Zhao discovered that Processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-30293


    Chijin Zhou discovered that processing maliciously crafted web

    content may lead to arbitrary code execution or to a denial of

    service (application crash).


    CVE-2022-30294


    Chijin Zhou discovered that processing maliciously crafted web

    content may lead to arbitrary code execution or to a denial of

    service (application crash).


    For the oldstable distribution (buster), these problems have been fixed in version 2.36.3-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.36.3-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : wpewebkit

    CVE ID : CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717

    CVE-2022-26719 CVE-2022-30293 CVE-2022-30294


    The following vulnerabilities have been discovered in the WPE WebKit web engine:


    CVE-2022-26700


    ryuzaki discovered that processing maliciously crafted web content

    may lead to code execution.


    CVE-2022-26709


    Chijin Zhou discovered that processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-26716


    SorryMybad discovered that Processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-26717


    Jeonghoon Shin discovered that Processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-26719


    Dongzhuo Zhao discovered that Processing maliciously crafted web

    content may lead to arbitrary code execution.


    CVE-2022-30293


    Chijin Zhou discovered that processing maliciously crafted web

    content may lead to arbitrary code execution or to a denial of

    service (application crash).


    CVE-2022-30294


    Chijin Zhou discovered that processing maliciously crafted web

    content may lead to arbitrary code execution or to a denial of

    service (application crash).


    For the stable distribution (bullseye), these problems have been fixed in version 2.36.3-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : firefox-esr

    CVE ID : CVE-2022-31736 CVE-2022-31737 CVE-2022-31738 CVE-2022-31740

    CVE-2022-31741 CVE-2022-31742 CVE-2022-31747


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.


    For the oldstable distribution (buster), these problems have been fixed in version 91.10.0esr-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 91.10.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : cifs-utils

    CVE ID : CVE-2022-27239 CVE-2022-29869

    Debian Bug : 1010818


    Jeffrey Bencteux reported two vulnerabilities in cifs-utils, the Common Internet File System utilities, which can result in escalation of privileges (CVE-2022-27239) or an information leak (CVE-2022-29869).


    For the oldstable distribution (buster), these problems have been fixed in version 2:6.8-2+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2:6.11-3.1+deb11u1.


    We recommend that you upgrade your cifs-utils packages.


    For the detailed security status of cifs-utils please refer to its security tracker page at:

    Information on source package cifs-utils


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : thunderbird

    CVE ID : CVE-2022-1529 CVE-2022-1802 CVE-2022-1834 CVE-2022-31736

    CVE-2022-31737 CVE-2022-31738 CVE-2022-31740 CVE-2022-31741

    CVE-2022-31742 CVE-2022-31747


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 1:91.10.0-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:91.10.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : python-bottle

    CVE ID : CVE-2022-31799


    Elton Nokaj discovered that incorrect error handling in Bottle, a WSGI framework for Python, could result in the disclosure of sensitive information.


    For the oldstable distribution (buster), this problem has been fixed in version 0.12.15-2+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 0.12.19-1+deb11u1.


    We recommend that you upgrade your python-bottle packages.


    For the detailed security status of python-bottle please refer to its security tracker page at:

    Information on source package python-bottle


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : ntfs-3g

    CVE ID : CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785

    CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789

    Debian Bug : 1011770


    Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.


    For the oldstable distribution (buster), these problems have been fixed in version 1:2017.3.23AR.3-3+deb10u2.


    For the stable distribution (bullseye), these problems have been fixed in version 1:2017.3.23AR.3-4+deb11u2.


    We recommend that you upgrade your ntfs-3g packages.


    For the detailed security status of ntfs-3g please refer to its security tracker page at:

    Information on source package ntfs-3g


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : linux

    CVE ID : CVE-2022-0494 CVE-2022-0854 CVE-2022-1012 CVE-2022-1729

    CVE-2022-1786 CVE-2022-1789 CVE-2022-1852 CVE-2022-1966

    CVE-2022-1972 CVE-2022-1974 CVE-2022-1975 CVE-2022-21499

    CVE-2022-28893


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2022-0494


    The scsi_ioctl() was susceptible to an information leak only

    exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO

    capabilities.


    CVE-2022-0854


    Ali Haider discovered a potential information leak in the DMA

    subsystem. On systems where the swiotlb feature is needed, this

    might allow a local user to read sensitive information.


    CVE-2022-1012


    The randomisation when calculating port offsets in the IP

    implementation was enhanced.


    CVE-2022-1729


    Norbert Slusarek discovered a race condition in the perf subsystem

    which could result in local privilege escalation to root. The

    default settings in Debian prevent exploitation unless more

    permissive settings have been applied in the

    kernel.perf_event_paranoid sysctl.


    CVE-2022-1786


    Kyle Zeng discovered a use-after-free in the io_uring subsystem

    which way result in local privilege escalation to root.


    CVE-2022-1789 / CVE-2022-1852


    Yongkang Jia, Gaoning Pan and Qiuhao Li discovered two NULL pointer

    dereferences in KVM's CPU instruction handling, resulting in denial

    of service.


    CVE-2022-1966


    Aaron Adams discovered a use-after-free in Netfilter which may

    result in local privilege escalation to root.


    CVE-2022-1972


    Ziming Zhang discovered an out-of-bound write in Netfilter which may

    result in local privilege escalation to root.


    CVE-2022-1974 / CVE-2022-1975


    Duoming Zhou discovered that the NFC netlink interface was

    suspectible to denial of service.


    CVE-2022-21499


    It was discovered that the kernel debugger could be used to bypass

    UEFI Secure Boot restrictions.


    CVE-2022-28893


    Felix Fu discovered a use-after-free in the implementation of the

    Remote Procedure Call (SunRPC) protocol, which could in denial of

    service or an information leak.


    For the stable distribution (bullseye), these problems have been fixed in version 5.10.120-1.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : containerd

    CVE ID : CVE-2022-24769 CVE-2022-31030


    Two vulnerabilities were discovered that the containerd container runtime, which could result in denial of service or incomplete restriction of capabilities.


    For the stable distribution (bullseye), these problems have been fixed in version 1.4.13~ds1-1~deb11u2.


    We recommend that you upgrade your containerd packages.


    For the detailed security status of containerd please refer to its security tracker page at:

    Information on source package containerd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : chromium

    CVE ID : CVE-2022-2007 CVE-2022-2008 CVE-2022-2010 CVE-2022-2011


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 102.0.5005.115-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/