Debian Security Advisory

    • Official post

    Package : mat2

    CVE ID : CVE-2022-35410


    A directory traversal vulnerability was discovered in the Metadata anonymisation toolkit, which could result in information disclosure via a malformed ZIP archive.


    For the oldstable distribution (buster), this problem has been fixed in version 0.8.0-3+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 0.12.1-2+deb11u1.


    We recommend that you upgrade your mat2 packages.


    For the detailed security status of mat2 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/mat2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : djangorestframework

    CVE ID : CVE-2020-25626


    Two cross-site scripting vulnerabilities were discovered in the Django Rest Framework, a toolkit to build web APIs.


    For the oldstable distribution (buster), this problem has been fixed in version 3.9.0-1+deb10u1.


    The stable distribution (bullseye) is not affected.


    We recommend that you upgrade your djangorestframework packages.


    For the detailed security status of djangorestframework please refer to its security tracker page at: https://security-tracker.debian.org/tracker/djangorestframework


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-2163 CVE-2022-2477 CVE-2022-2478 CVE-2022-2479 CVE-2022-2480 CVE-2022-2481


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 103.0.5060.134-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11

    CVE ID : CVE-2022-21540 CVE-2022-21541 CVE-2022-34169


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in the execution of arbitrary Java bytecode or the bypass of the Java sandbox.


    For the oldstable distribution (buster), these problems have been fixed in version 11.0.16+8-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 11.0.16+8-1~deb11u1.


    We recommend that you upgrade your openjdk-11 packages.


    For the detailed security status of openjdk-11 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-11


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gsasl

    CVE ID : CVE-2022-2469


    Simon Josefsson discovered an out-of-bounds memory read in GNU SASL, an implementation of the Simple Authentication and Security Layer framework, which could result in denial of service.


    For the oldstable distribution (buster), this problem has been fixed in version 1.8.0-8+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 1.10.0-4+deb11u1.


    We recommend that you upgrade your gsasl packages.


    For the detailed security status of gsasl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gsasl


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : spip

    CVE ID : not yet available


    It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code or escalate privileges.


    For the oldstable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u9.


    For the stable distribution (bullseye), this problem has been fixed in version 3.2.11-3+deb11u5.


    We recommend that you upgrade your spip packages.


    For the detailed security status of spip please refer to its security tracker page at: https://security-tracker.debian.org/tracker/spip


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2021-33655 CVE-2022-2318 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 CVE-2022-33743 CVE-2022-33744 CVE-2022-34918


    Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks:


    CVE-2021-33655

    A user with access to a framebuffer console driver could cause a memory out-of-bounds write via the FBIOPUT_VSCREENINFO ioctl.


    CVE-2022-2318

    A use-after-free in the Amateur Radio X.25 PLP (Rose) support may result in denial of service.


    CVE-2022-26365 / CVE-2022-33740 / CVE-2022-33741 / CVE-2022-33742

    Roger Pau Monne discovered that Xen block and network PV device frontends don't zero out memory regions before sharing them with the backend, which may result in information disclosure. Additionally, it was discovered that the granularity of the grant table doesn't permit sharing less than a 4k page, which may also result in information disclosure.


    CVE-2022-33743

    Jan Beulich discovered that incorrect memory handling in the Xen network backend may lead to denial of service.


    CVE-2022-33744

    Oleksandr Tyshchenko discovered that ARM Xen guests can cause a denial of service to the Dom0 via paravirtual devices.


    CVE-2022-34918

    Arthur Mongodin discovered a heap buffer overflow in the Netfilter subsystem which may result in local privilege escalation.


    For the stable distribution (bullseye), these problems have been fixed in version 5.10.127-2.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at: https://security-tracker.debian.org/tracker/linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-17

    CVE ID : CVE-2022-21540 CVE-2022-21541 CVE-2022-21549 CVE-2022-34169


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in the execution of arbitrary Java bytecode or the bypass of the Java sandbox.


    For the stable distribution (bullseye), these problems have been fixed in version 17.0.4+8-1~deb11u1.


    We recommend that you upgrade your openjdk-17 packages.


    For the detailed security status of openjdk-17 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openjdk-17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2022-36318 CVE-2022-36319


    Multiple security issues have been found in the Mozilla Firefox web browser, which could result in spoofing.


    For the oldstable distribution (buster), these problems have been fixed in version 91.12.0esr-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 91.12.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at: https://security-tracker.debian.org/tracker/firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : booth

    CVE ID : CVE-2022-2553


    It was discovered that Booth, a cluster ticket manager, didn't correctly restrict intra-node communication when configuring the "authfile" configuration directive.


    For the oldstable distribution (buster), this problem has been fixed in version 1.0-162-g27f917f-2+deb10u1.


    For the stable distribution (bullseye), this problem has been fixed in version 1.0-237-gdd88847-2+deb11u1.


    We recommend that you upgrade your booth packages.


    For the detailed security status of booth please refer to its security tracker page at: https://security-tracker.debian.org/tracker/booth


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2022-36318 CVE-2022-36319


    Multiple security issues were discovered in Thunderbird, which could result in spoofing.


    For the oldstable distribution (buster), these problems have been fixed in version 1:91.12.0-1~deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 1:91.12.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at: https://security-tracker.debian.org/tracker/thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libpgjava

    CVE ID : CVE-2020-13692 CVE-2022-21724 CVE-2022-26520

    Debian Bug : 962828


    Several security vulnerabilities have been found in libpgjava, the official PostgreSQL JDBC Driver.


    CVE-2020-13692

    An XML External Entity (XXE) weakness was found in PostgreSQL JDBC.


    CVE-2022-21724

    The JDBC driver did not verify that certain classes implemented the expected interface before instantiating them. This can lead to the execution of code loaded via arbitrary classes.


    CVE-2022-26520

    An attacker who controls the JDBC URL or connection properties can use java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties.


    For the oldstable distribution (buster), these problems have been fixed in version 42.2.5-2+deb10u1.


    For the stable distribution (bullseye), these problems have been fixed in version 42.2.15-1+deb11u1.


    We recommend that you upgrade your libpgjava packages.


    For the detailed security status of libpgjava please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libpgjava


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : curl

    CVE ID : CVE-2021-22898 CVE-2021-22924 CVE-2021-22945 CVE-2021-22946 CVE-2021-22947 CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208

    Debian Bug : 989228 991492 1010295 1010254 1010253 1010252


    Multiple security vulnerabilities have been discovered in cURL, a URL transfer library. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data, or facilitate a denial of service attack.


    For the stable distribution (bullseye), these problems have been fixed in version 7.74.0-1.3+deb11u2.


    We recommend that you upgrade your curl packages.


    For the detailed security status of curl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/curl


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : jetty9

    CVE ID : CVE-2022-2047 CVE-2022-2048


    Two security vulnerabilities were discovered in Jetty, a Java servlet engine and webserver.


    CVE-2022-2047

    When parsing the authority segment of an http scheme URI, the Eclipse Jetty HttpURI class improperly accepts invalid input as a hostname. This can lead to failures in a proxy scenario.


    CVE-2022-2048

    In the Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, a bug in the error handling can leave the active connections and their associated resources uncleaned. This can lead to a denial of service scenario where not enough resources remain to process good requests.


    For the stable distribution (bullseye), these problems have been fixed in version 9.4.39-3+deb11u1.


    We recommend that you upgrade your jetty9 packages.


    For the detailed security status of jetty9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jetty9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server

    CVE ID : CVE-2022-2319 CVE-2022-2320

    Debian Bug : 1014903


    Jan-Niklas Sohn discovered that multiple input validation failures in the Xkb extension of the X.org X server may result in privilege escalation if the X server is running privileged.


    For the stable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u2.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at: https://security-tracker.debian.org/tracker/xorg-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-2603 CVE-2022-2604 CVE-2022-2605 CVE-2022-2606 CVE-2022-2607 CVE-2022-2608 CVE-2022-2609 CVE-2022-2610 CVE-2022-2611 CVE-2022-2612 CVE-2022-2613 CVE-2022-2614 CVE-2022-2615 CVE-2022-2616 CVE-2022-2617 CVE-2022-2618 CVE-2022-2619 CVE-2022-2620 CVE-2022-2621 CVE-2022-2622 CVE-2022-2623 CVE-2022-2624


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 104.0.5112.79-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libtirpc

    CVE ID : CVE-2021-46828

    Debian Bug : 1015873


    It was discovered that libtirpc, a transport-independent RPC library, does not properly handle idle TCP connections. A remote attacker can take advantage of this flaw to cause a denial of service.


    For the stable distribution (bullseye), this problem has been fixed in version 1.3.1-1+deb11u1.


    We recommend that you upgrade your libtirpc packages.


    For the detailed security status of libtirpc please refer to its security tracker page at: https://security-tracker.debian.org/tracker/libtirpc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : unzip

    CVE ID : CVE-2022-0529 CVE-2022-0530

    Debian Bug : 1010355


    Sandipan Roy discovered two vulnerabilities in InfoZIP's unzip program, a de-archiver for .zip files, which could result in denial of service or potentially the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 6.0-26+deb11u1.


    We recommend that you upgrade your unzip packages.


    For the detailed security status of unzip please refer to its security tracker page at: https://security-tracker.debian.org/tracker/unzip


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gnutls28

    CVE ID : CVE-2022-2509


    Jaak Ristioja discovered a double-free vulnerability in GnuTLS, a library implementing the TLS and SSL protocols, during verification of pkcs7 signatures. A remote attacker can take advantage of this flaw to cause an application using the GnuTLS library to crash (denial of service), or potentially, to execute arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 3.7.1-5+deb11u2.


    We recommend that you upgrade your gnutls28 packages.


    For the detailed security status of gnutls28 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/gnutls28


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/