Debian Security Advisory

    • Official post

    Package : vlc

    CVE ID : not yet available


    Multiple vulnerabilities were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed file is opened.


    For the oldstable distribution (buster), this problem has been fixed in version 3.0.17.4-0+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 3.0.17.4-0+deb11u1.


    We recommend that you upgrade your vlc packages.


    For the detailed security status of vlc please refer to its security tracker page at:

    Information on source package vlc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : slurm-wlm

    CVE ID : CVE-2022-29500 CVE-2022-29501

    Debian Bug : 1010633 1010634


    Two security issues were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which could result in privilege escalation.


    For the stable distribution (bullseye), these problems have been fixed in version 20.11.7+really20.11.4-2+deb11u1.


    We recommend that you upgrade your slurm-wlm packages.


    For the detailed security status of slurm-wlm please refer to its security tracker page at:

    Information on source package slurm-wlm


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firejail

    CVE ID : CVE-2022-31214

    Debian Bug : 1012510


    Matthias Gerstner discovered that the --join option of Firejail, a sandbox to restrict an application environment, was susceptible to local privilege escalation to root.


    For the oldstable distribution (buster), this problem has been fixed in version 0.9.58.2-2+deb10u3.


    For the stable distribution (bullseye), this problem has been fixed in version 0.9.64.4-2+deb11u1.


    We recommend that you upgrade your firejail packages.


    For the detailed security status of firejail please refer to its security tracker page at:

    Information on source package firejail


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-2156 CVE-2022-2157 CVE-2022-2158 CVE-2022-2160

    CVE-2022-2161 CVE-2022-2162 CVE-2022-2163 CVE-2022-2164

    CVE-2022-2165


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 103.0.5060.53-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openssl

    CVE ID : CVE-2022-2068


    It was discovered that the c_rehash script included in OpenSSL did not sanitise shell meta characters which could result in the execution of arbitrary commands.


    For the oldstable distribution (buster), this problem has been fixed in version 1.1.1n-0+deb10u3.


    For the stable distribution (bullseye), this problem has been fixed in version 1.1.1n-0+deb11u3.


    We recommend that you upgrade your openssl packages.


    For the detailed security status of openssl please refer to its security tracker page at:

    Information on source package openssl


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nodejs

    CVE ID : CVE-2021-22959 CVE-2021-22960 CVE-2021-44532 CVE-2021-44533

    CVE-2022-21824 CVE-2021-44531


    Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, a bypass of certificate verification or prototype pollution.


    For the stable distribution (bullseye), these problems have been fixed in version 12.22.12~dfsg-1~deb11u1.


    We recommend that you upgrade your nodejs packages.


    For the detailed security status of nodejs please refer to its security tracker page at:

    Information on source package nodejs


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : squid

    CVE ID : CVE-2021-28116 CVE-2021-46784


    Multiple security issues were discovered in the Squid proxy caching server:


    CVE-2021-28116


    Amos Jeffries discovered an information leak if WCCPv2 is enabled


    CVE-2021-46784


    Joshua Rogers discovered that an error in parsing Gopher server responses may result in denial of service


    For the oldstable distribution (buster), these problems have been fixed in version 4.6-1+deb10u7.


    For the stable distribution (bullseye), these problems have been fixed in version 4.13-10+deb11u1.


    We recommend that you upgrade your squid packages.


    For the detailed security status of squid please refer to its security tracker page at:

    Information on source package squid


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2022-2200 CVE-2022-31744 CVE-2022-34468 CVE-2022-34470

    CVE-2022-34472 CVE-2022-34479 CVE-2022-34481 CVE-2022-34484


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or spoofing.


    For the oldstable distribution (buster), these problems have been fixed in version 91.11.0esr-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 91.11.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2021-4197 CVE-2022-0494 CVE-2022-0812 CVE-2022-0854

    CVE-2022-1011 CVE-2022-1012 CVE-2022-1016 CVE-2022-1048

    CVE-2022-1184 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199

    CVE-2022-1204 CVE-2022-1205 CVE-2022-1353 CVE-2022-1419

    CVE-2022-1516 CVE-2022-1652 CVE-2022-1729 CVE-2022-1734

    CVE-2022-1974 CVE-2022-1975 CVE-2022-2153 CVE-2022-21123

    CVE-2022-21125 CVE-2022-21166 CVE-2022-23960 CVE-2022-26490

    CVE-2022-27666 CVE-2022-28356 CVE-2022-28388 CVE-2022-28389

    CVE-2022-28390 CVE-2022-29581 CVE-2022-30594 CVE-2022-32250

    CVE-2022-32296 CVE-2022-33981

    Debian Bug : 922204 1006346 1013299


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2021-4197


    Eric Biederman reported that incorrect permission checks in the cgroup process migration implementation can allow a local attacker to escalate privileges.


    CVE-2022-0494


    The scsi_ioctl() was susceptible to an information leak only exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO capabilities.


    CVE-2022-0812


    It was discovered that the RDMA transport for NFS (xprtrdma) miscalculated the size of message headers, which could lead to a leak of sensitive information between NFS servers and clients.


    CVE-2022-0854


    Ali Haider discovered a potential information leak in the DMA subsystem. On systems where the swiotlb feature is needed, this might allow a local user to read sensitive information.


    CVE-2022-1011


    Jann Horn discovered a flaw in the FUSE (Filesystem in User-Space) implementation. A local user permitted to mount FUSE filesystems could exploit this to cause a use-after-free and read sensitive information.


    CVE-2022-1012, CVE-2022-32296


    Moshe Kol, Amit Klein, and Yossi Gilad discovered a weakness in randomisation of TCP source port selection.


    CVE-2022-1016


    David Bouman discovered a flaw in the netfilter subsystem where the nft_do_chain function did not initialize register data that nf_tables expressions can read from and write to. A local attacker can take advantage of this to read sensitive information.


    CVE-2022-1048


    Hu Jiahui discovered a race condition in the sound subsystem that can result in a use-after-free. A local user permitted to access a PCM sound device can take advantage of this flaw to crash the system or potentially for privilege escalation.


    CVE-2022-1184


    A flaw was discovered in the ext4 filesystem driver which can lead to a use-after-free. A local user permitted to mount arbitrary filesystems could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.


    CVE-2022-1195


    Lin Ma discovered race conditions in the 6pack and mkiss hamradio drivers, which could lead to a use-after-free. A local user could exploit these to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.


    CVE-2022-1198


    Duoming Zhou discovered a race condition in the 6pack hamradio driver, which could lead to a use-after-free. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.


    CVE-2022-1199, CVE-2022-1204, CVE-2022-1205


    Duoming Zhou discovered race conditions in the AX.25 hamradio protocol, which could lead to a use-after-free or null pointer dereference. A local user could exploit this to cause a denial of service (memory corruption or crash) or possibly for privilege escalation.


    CVE-2022-1353


    The TCS Robot tool found an information leak in the PF_KEY subsystem. A local user can receive a netlink message when an IPsec daemon registers with the kernel, and this could include sensitive information.


    CVE-2022-1419


    Minh Yuan discovered a race condition in the vgem virtual GPU driver that can lead to a use-after-free. A local user permitted to access the GPU device can exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.


    CVE-2022-1516


    A NULL pointer dereference flaw in the implementation of the X.25 set of standardized network protocols, which can result in denial of service.


    This driver is not enabled in Debian's official kernel configurations.


    CVE-2022-1652


    Minh Yuan discovered a race condition in the floppy driver that can lead to a use-after-free. A local user permitted to access a floppy drive device can exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.


    CVE-2022-1729


    Norbert Slusarek discovered a race condition in the perf subsystem which could result in local privilege escalation to root. The default settings in Debian prevent exploitation unless more permissive settings have been applied in the kernel.perf_event_paranoid sysctl.


    CVE-2022-1734


    Duoming Zhou discovered race conditions in the nfcmrvl NFC driver that could lead to a use-after-free, double-free or null pointer dereference. A local user might be able to exploit these for denial of service (crash or memory corruption) or possibly for privilege escalation.


    This driver is not enabled in Debian's official kernel configurations.


    CVE-2022-1974, CVE-2022-1975


    Duoming Zhou discovered that the NFC netlink interface was susceptible to denial of service.


    CVE-2022-2153


    "kangel" reported a flaw in the KVM implementation for x86 processors which could lead to a null pointer dereference. A local user permitted to access /dev/kvm could exploit this to cause a denial of service (crash).


    CVE-2022-21123, CVE-2022-21125, CVE-2022-21166


    Various researchers discovered flaws in Intel x86 processors, collectively referred to as MMIO Stale Data vulnerabilities. These are similar to the previously published Microarchitectural Data Sampling (MDS) issues and could be exploited by local users to leak sensitive information.


    For some CPUs, the mitigations for these issues require updated microcode. An updated intel-microcode package may be provided at a later date. The updated CPU microcode may also be available as part of a system firmware ("BIOS") update.


    Further information on the mitigation can be found at <https://www.kernel.org/doc/html/lates…stale_data.html> or in the linux-doc-4.19 package.


    CVE-2022-23960


    Researchers at VUSec discovered that the Branch History Buffer in Arm processors can be exploited to create information side-channels with speculative execution. This issue is similar to Spectre variant 2, but requires additional mitigations on some processors.


    This was previously mitigated for 32-bit Arm (armel and armhf) architectures and is now also mitigated for 64-bit Arm (arm64).


    This can be exploited to obtain sensitive information from a different security context, such as from user-space to the kernel, or from a KVM guest to the kernel.


    CVE-2022-26490


    Buffer overflows in the STMicroelectronics ST21NFCA core driver can result in denial of service or privilege escalation.


    This driver is not enabled in Debian's official kernel configurations.


    CVE-2022-27666


    "valis" reported a possible buffer overflow in the IPsec ESP transformation code. A local user can take advantage of this flaw to cause a denial of service or for privilege escalation.


    CVE-2022-28356


    "Beraphin" discovered that the ANSI/IEEE 802.2 LLC type 2 driver did not properly perform reference counting on some error paths. A local attacker can take advantage of this flaw to cause a denial of service.


    CVE-2022-28388


    A double free vulnerability was discovered in the 8 devices USB2CAN interface driver.


    CVE-2022-28389


    A double free vulnerability was discovered in the Microchip CAN BUS Analyzer interface driver.


    CVE-2022-28390


    A double free vulnerability was discovered in the EMS CPC-USB/ARM7 CAN/USB interface driver.


    CVE-2022-29581


    Kyle Zeng discovered a reference-counting bug in the cls_u32 network classifier which can lead to a use-after-free. A local user can exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation.


    CVE-2022-30594


    Jann Horn discovered a flaw in the interaction between ptrace and seccomp subsystems. A process sandboxed using seccomp() but still permitted to use ptrace() could exploit this to remove the seccomp restrictions.


    CVE-2022-32250


    Aaron Adams discovered a use-after-free in Netfilter which may result in local privilege escalation to root.


    CVE-2022-33981


    Yuan Ming from Tsinghua University reported a race condition in the floppy driver involving use of the FDRAWCMD ioctl, which could lead to a use-after-free. A local user with access to a floppy drive device could exploit this to cause a denial of service (crash or memory corruption) or possibly for privilege escalation. This ioctl is now disabled by default.


    For the oldstable distribution (buster), these problems have been fixed in version 4.19.249-2.


    Due to an issue in the signing service (Cf. Debian bug #1012741), the vport-vxlan module cannot be loaded for the signed kernel for amd64 in this update.


    This update also corrects a regression in the network scheduler subsystem (bug #1013299).


    For the 32-bit Arm (armel and armhf) architectures, this update enables optimised implementations of several cryptographic and CRC algorithms. For at least AES, this should remove a timing side-channel that could lead to a leak of sensitive information.


    This update includes many more bug fixes from stable updates 4.19.236-4.19.249 inclusive, including for bug #1006346. The random driver has been backported from Linux 5.19, fixing numerous performance and correctness issues. Some changes will be visible:


    - The entropy pool size is now 256 bits instead of 4096. You may need to adjust the configuration of system monitoring or user-space entropy gathering services to allow for this.


    - On systems without a hardware RNG, the kernel may log more uses of /dev/urandom before it is fully initialised. These uses were previously under-counted and this is not a regression.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gnupg2

    CVE ID : CVE-2022-34903

    Debian Bug : 1014157


    Demi Marie Obenour discovered a flaw in GnuPG, allowing for signature spoofing via arbitrary injection into the status line. An attacker who controls the secret part of any signing-capable key or subkey in the victim's keyring can take advantage of this flaw to provide a correctly-formed signature that some software, including gpgme, will accept as having a validity and signer fingerprint chosen by the attacker.


    For the oldstable distribution (buster), this problem has been fixed in version 2.2.12-1+deb10u2.


    For the stable distribution (bullseye), this problem has been fixed in version 2.2.27-2+deb11u2.


    We recommend that you upgrade your gnupg2 packages.


    For the detailed security status of gnupg2 please refer to its security tracker page at:

    Information on source package gnupg2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2022-2200 CVE-2022-2226 CVE-2022-31744 CVE-2022-34468

    CVE-2022-34470 CVE-2022-34472 CVE-2022-34479 CVE-2022-34481

    CVE-2022-34484


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (buster), these problems have been fixed in version 1:91.11.0-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:91.11.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : blender

    CVE ID : CVE-2022-0544 CVE-2022-0545 CVE-2022-0546


    Multiple vulnerabilities have been discovered in various image parsers in Blender, a 3D modeller/renderer, which may result in denial of service or the execution of arbitrary code if a malformed file is opened.


    For the oldstable distribution (buster), these problems have been fixed in version 2.79.b+dfsg0-7+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.83.5+dfsg-5+deb11u1.


    We recommend that you upgrade your blender packages.


    For the detailed security status of blender please refer to its security tracker page at:

    Information on source package blender


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ldap-account-manager

    CVE ID : CVE-2022-24851 CVE-2022-31084 CVE-2022-31085 CVE-2022-31086

    CVE-2022-31087 CVE-2022-31088


    Arseniy Sharoglazov discovered multiple security issues in LDAP Account Manager (LAM), a web frontend for managing accounts in an LDAP directory, which could result in information disclosure or unauthenticated remote code execution.


    For the stable distribution (bullseye), these problems have been fixed in version 8.0.1-0+deb11u1.


    We recommend that you upgrade your ldap-account-manager packages.


    For the detailed security status of ldap-account-manager please refer to its security tracker page at:

    Information on source package ldap-account-manager


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : intel-microcode

    CVE ID : CVE-2022-21123 CVE-2022-21125 CVE-2022-21127 CVE-2022-21151

    CVE-2022-21166

    Debian Bug : 1010947


    This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities.


    CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166


    Various researchers discovered flaws in Intel processors, collectively referred to as MMIO Stale Data vulnerabilities, which may result in information leak to local users.


    For details please refer to "Processor MMIO Stale Data Vulnerabilities" at www.intel.com.


    CVE-2022-21151


    Alysa Milburn, Jason Brandt, Avishai Redelman and Nir Lavi discovered that for some Intel processors optimization removal or modification of security-critical code may result in information disclosure to local users.


    For the oldstable distribution (buster), these problems have been fixed in version 3.20220510.1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 3.20220510.1~deb11u1.


    We recommend that you upgrade your intel-microcode packages.


    For the detailed security status of intel-microcode please refer to its security tracker page at:

    Information on source package intel-microcode


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.4

    CVE ID : CVE-2022-31625 CVE-2022-31626


    Charles Fol discovered two security issues in PHP, a widely-used open source general purpose scripting language, which could result in denial of service or potentially the execution of arbitrary code:


    CVE-2022-31625


    Incorrect memory handling in the pg_query_params() function.


    CVE-2022-31626


    A buffer overflow in the mysqld extension.


    For the stable distribution (bullseye), these problems have been fixed in version 7.4.30-1+deb11u1.


    We recommend that you upgrade your php7.4 packages.


    For the detailed security status of php7.4 please refer to its security tracker page at:

    Information on source package php7.4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-2294 CVE-2022-2295 CVE-2022-2296


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 103.0.5060.114-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : request-tracker4

    CVE ID : CVE-2022-25802


    Multiple vulnerabilities have been discovered in Request Tracker, an extensible trouble-ticket tracking system.


    CVE-2022-25802


    It was discovered that Request Tracker is vulnerable to a cross-site scripting (XSS) attack when displaying attachment content with fraudulent content types.


    Additionally, it was discovered that Request Tracker did not perform full rights checks on accesses to file or image type custom fields, possibly allowing access to these custom fields by users without rights to access the associated objects, resulting in information disclosure.


    For the oldstable distribution (buster), these problems have been fixed in version 4.4.3-2+deb10u2.


    For the stable distribution (bullseye), these problems have been fixed in version 4.4.4+dfsg-2+deb11u2.


    We recommend that you upgrade your request-tracker4 packages.


    For the detailed security status of request-tracker4 please refer to its security tracker page at:

    Information on source package request-tracker4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2022-22677 CVE-2022-26710


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2022-22677


    An anonymous researcher discovered that the video in a webRTC call may be interrupted if the audio capture gets interrupted.


    CVE-2022-26710


    Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    For the oldstable distribution (buster), these problems have been fixed in version 2.36.4-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 2.36.4-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2022-22677 CVE-2022-26710


    The following vulnerabilities have been discovered in the WPE WebKit web engine:


    CVE-2022-22677


    An anonymous researcher discovered that the video in a webRTC call may be interrupted if the audio capture gets interrupted.


    CVE-2022-26710


    Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    For the stable distribution (bullseye), these problems have been fixed in version 2.36.4-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2022-21123 CVE-2022-21125 CVE-2022-21166 CVE-2022-23816

    CVE-2022-23825 CVE-2022-26362 CVE-2022-26363 CVE-2022-26364

    CVE-2022-29900


    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation. In addition, this update provides mitigations for the "Retbleed" speculative execution attack and the "MMIO stale data" vulnerabilities.


    For additional information please refer to the following pages:

    XSA-404 - Xen Security Advisories

    XSA-407 - Xen Security Advisories


    For the stable distribution (bullseye), these problems have been fixed in version 4.14.5+24-g87d90d511c-1.


    We recommend that you upgrade your xen packages.


    For the detailed security status of xen please refer to its security tracker page at:

    Information on source package xen


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/