Debian Security Advisory

    • Official post

    Package : mat2
    CVE ID : CVE-2022-35410

    A directory traversal vulnerability was discovered in the Metadata anonymisation toolkit, which could result in information disclosure via a malformed ZIP archive.

    For the oldstable distribution (buster), this problem has been fixed in version 0.8.0-3+deb10u1.

    For the stable distribution (bullseye), this problem has been fixed in version 0.12.1-2+deb11u1.

    We recommend that you upgrade your mat2 packages.

    For the detailed security status of mat2 please refer to its security tracker page at:
    Information on source package mat2

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
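The advisory above describes directory traversal through a crafted ZIP member name. What follows is an added example, not mat2's own code and not part of the advisory: a pre-extraction check that resolves every member against the destination directory and rejects anything that would land outside it (including `..` in the middle of a name), absolute or Windows-style names, and symlink entries, together with a constructed hostile archive that exercises each case. The destination path `/tmp/mat2-scratch` used in the usage note and the sample entries are assumptions made for this example.

```python
import io
import os
import stat
import zipfile
from typing import List, Tuple


def unsafe_members(zip_bytes: bytes, dest: str) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every entry that must not be extracted
    under dest. An empty list means the archive is safe to unpack there."""
    problems = []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths, backslash separators and drive letters are never legitimate.
            if name.startswith(("/", "\\")) or "\\" in name or (len(name) > 1 and name[1] == ":"):
                problems.append((name, "absolute or non-portable path"))
                continue
            # Resolve where the entry would land and require it to stay inside dest;
            # this catches '..' in any position, not only at the start of the name.
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                problems.append((name, "escapes destination directory"))
                continue
            # Symlink entries: the Unix mode lives in the high 16 bits of external_attr.
            # A link pointing outside dest would redirect a later write elsewhere.
            if stat.S_ISLNK(info.external_attr >> 16):
                problems.append((name, "symlink entry"))
    return problems


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only if every member passed the check: fail closed before writing anything."""
    problems = unsafe_members(zip_bytes, dest)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(f"{n} ({r})" for n, r in problems))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_hostile_zip() -> bytes:
    """Constructed sample (not a real-world artifact): one harmless image plus
    three entries a metadata scrubber must refuse to unpack."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image.jpg", b"\xff\xd8\xff\xe0 not really a JPEG")
        zf.writestr("../../etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        zf.writestr("/etc/shadow", b"")
        link = zipfile.ZipInfo("link_to_secret")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "/etc/hostname")  # a symlink entry stores its target as content
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed sample whose only '..' normalises to a path still inside dest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/notes.txt", b"nothing to see")
        zf.writestr("docs/sub/../cover.png", b"\x89PNG")  # resolves to docs/cover.png
    return buf.getvalue()
```

CPython's own `ZipFile.extract()` drops leading slashes and `..` components, but the check still matters for any code that reads members with `open()` and writes them to a path it computes itself, and for the symlink case, which name sanitisation alone does not cover. Run the check over the whole archive first and refuse it outright, e.g. `safe_extract(build_hostile_zip(), "/tmp/mat2-scratch")` raises before a single byte is written, rather than skipping bad members one at a time.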

    • Official post

    Package : djangorestframework
    CVE ID : CVE-2020-25626

    Two cross-site scripting vulnerabilities were discovered in the Django Rest Framework, a toolkit to build web APIs.

    For the oldstable distribution (buster), this problem has been fixed in version 3.9.0-1+deb10u1.

    The stable distribution (bullseye) is not affected.

    We recommend that you upgrade your djangorestframework packages.

    For the detailed security status of djangorestframework please refer to its security tracker page at:
    Information on source package djangorestframework

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium
    CVE ID : CVE-2022-2163 CVE-2022-2477 CVE-2022-2478 CVE-2022-2479 CVE-2022-2480 CVE-2022-2481

    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    For the stable distribution (bullseye), these problems have been fixed in version 103.0.5060.134-1~deb11u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    Information on source package chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-11
    CVE ID : CVE-2022-21540 CVE-2022-21541 CVE-2022-34169

    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in the execution of arbitrary Java bytecode or the bypass of the Java sandbox.

    For the oldstable distribution (buster), these problems have been fixed in version 11.0.16+8-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 11.0.16+8-1~deb11u1.

    We recommend that you upgrade your openjdk-11 packages.

    For the detailed security status of openjdk-11 please refer to its security tracker page at:
    Information on source package openjdk-11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gsasl
    CVE ID : CVE-2022-2469

    Simon Josefsson discovered an out-of-bounds memory read in GNU SASL, an implementation of the Simple Authentication and Security Layer framework, which could result in denial of service.

    For the oldstable distribution (buster), this problem has been fixed in version 1.8.0-8+deb10u1.

    For the stable distribution (bullseye), this problem has been fixed in version 1.10.0-4+deb11u1.

    We recommend that you upgrade your gsasl packages.

    For the detailed security status of gsasl please refer to its security tracker page at:
    Information on source package gsasl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : spip
    CVE ID : not yet available

    It was discovered that SPIP, a website engine for publishing, would allow a malicious user to execute arbitrary code or escalate privileges.

    For the oldstable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u9.

    For the stable distribution (bullseye), this problem has been fixed in version 3.2.11-3+deb11u5.

    We recommend that you upgrade your spip packages.

    For the detailed security status of spip please refer to its security tracker page at:
    Information on source package spip

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux
    CVE ID : CVE-2021-33655 CVE-2022-2318 CVE-2022-26365 CVE-2022-33740 CVE-2022-33741 CVE-2022-33742 CVE-2022-33743 CVE-2022-33744 CVE-2022-34918

    Several vulnerabilities have been discovered in the Linux kernel that may lead to privilege escalation, denial of service or information leaks:

    CVE-2021-33655

    A user with access to a framebuffer console driver could cause a memory out-of-bounds write via the FBIOPUT_VSCREENINFO ioctl.

    CVE-2022-2318

    A use-after-free in the Amateur Radio X.25 PLP (Rose) support may result in denial of service.

    CVE-2022-26365 / CVE-2022-33740 / CVE-2022-33741 / CVE-2022-33742

    Roger Pau Monne discovered that Xen block and network PV device frontends don't zero out memory regions before sharing them with the backend, which may result in information disclosure. Additionally it was discovered that the granularity of the grant table doesn't permit sharing less than a 4k page, which may also result in information disclosure.

    CVE-2022-33743

    Jan Beulich discovered that incorrect memory handling in the Xen network backend may lead to denial of service.

    CVE-2022-33744

    Oleksandr Tyshchenko discovered that ARM Xen guests can cause a denial of service to the Dom0 via paravirtual devices.

    CVE-2022-34918

    Arthur Mongodin discovered a heap buffer overflow in the Netfilter subsystem which may result in local privilege escalation.

    For the stable distribution (bullseye), these problems have been fixed in version 5.10.127-2.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at:
    Information on source package linux

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openjdk-17
    CVE ID : CVE-2022-21540 CVE-2022-21541 CVE-2022-21549 CVE-2022-34169

    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in the execution of arbitrary Java bytecode or the bypass of the Java sandbox.

    For the stable distribution (bullseye), these problems have been fixed in version 17.0.4+8-1~deb11u1.

    We recommend that you upgrade your openjdk-17 packages.

    For the detailed security status of openjdk-17 please refer to its security tracker page at:
    Information on source package openjdk-17

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr
    CVE ID : CVE-2022-36318 CVE-2022-36319

    Multiple security issues have been found in the Mozilla Firefox web browser, which could result in spoofing.

    For the oldstable distribution (buster), these problems have been fixed in version 91.12.0esr-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 91.12.0esr-1~deb11u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:
    Information on source package firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : booth
    CVE ID : CVE-2022-2553

    It was discovered that Booth, a cluster ticket manager, didn't correctly restrict intra-node communication when configuring the "authfile" configuration directive.

    For the oldstable distribution (buster), this problem has been fixed in version 1.0-162-g27f917f-2+deb10u1.

    For the stable distribution (bullseye), this problem has been fixed in version 1.0-237-gdd88847-2+deb11u1.

    We recommend that you upgrade your booth packages.

    For the detailed security status of booth please refer to its security tracker page at:
    Information on source package booth

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird
    CVE ID : CVE-2022-36318 CVE-2022-36319

    Multiple security issues were discovered in Thunderbird, which could result in spoofing.

    For the oldstable distribution (buster), these problems have been fixed in version 1:91.12.0-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 1:91.12.0-1~deb11u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:
    Information on source package thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libpgjava
    CVE ID : CVE-2020-13692 CVE-2022-21724 CVE-2022-26520
    Debian Bug : 962828

    Several security vulnerabilities have been found in libpgjava, the official PostgreSQL JDBC Driver.

    CVE-2020-13692

    An XML External Entity (XXE) weakness was found in PostgreSQL JDBC.

    CVE-2022-21724

    The JDBC driver did not verify if certain classes implemented the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes.

    CVE-2022-26520

    An attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties.

    For the oldstable distribution (buster), these problems have been fixed in version 42.2.5-2+deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 42.2.15-1+deb11u1.

    We recommend that you upgrade your libpgjava packages.

    For the detailed security status of libpgjava please refer to its security tracker page at:
    Information on source package libpgjava

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
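CVE-2022-26520 as described above turns a connection string into a file-write primitive, so any component that accepts a JDBC URL from a less trusted party has to constrain it before the driver ever sees it. The example below is added here and is not pgjdbc's code; it is written in Python because that is the language used for the examples on this page, and the check is the same whichever language the calling component is written in. The allow-list of properties is an assumption made for the example (cut it down to what your application actually needs); `loggerFile` and `loggerLevel` from the advisory are refused simply by not being on it, as is any property the driver may add later. The sample URLs are constructed.

```python
import re
from typing import Dict, Tuple
from urllib.parse import parse_qsl, urlsplit

# Assumed allow-list for this example: connection properties an untrusted caller may set.
# Anything else, including loggerFile and loggerLevel from the advisory, is refused.
ALLOWED_PROPERTIES = frozenset({
    "user", "ssl", "sslmode", "ApplicationName",
    "connectTimeout", "socketTimeout", "currentSchema",
})
VALUE_RE = re.compile(r"^[A-Za-z0-9._-]{1,128}$")   # no slashes, no separators, no spaces
DBNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,63}$")
DEFAULT_PORT = 5432


class UnsafeJdbcUrl(ValueError):
    """Raised when a caller-supplied JDBC URL is refused."""


def validate_jdbc_url(url: str) -> Tuple[str, int, str, Dict[str, str]]:
    """Return (host, port, database, properties) for an acceptable
    jdbc:postgresql://host[:port]/db?k=v URL, otherwise raise UnsafeJdbcUrl."""
    if not url.startswith("jdbc:postgresql://"):
        raise UnsafeJdbcUrl("only jdbc:postgresql:// URLs are accepted")
    # Drop 'jdbc:' so urlsplit sees an ordinary scheme://authority/path?query.
    parts = urlsplit(url[len("jdbc:"):])
    if "@" in parts.netloc or "," in parts.netloc:
        raise UnsafeJdbcUrl("credentials and multi-host lists are not allowed")
    if not parts.hostname:
        raise UnsafeJdbcUrl("missing host")
    try:
        port = parts.port or DEFAULT_PORT
    except ValueError as exc:
        raise UnsafeJdbcUrl("malformed port") from exc
    database = parts.path.lstrip("/")
    if "/" in database or not DBNAME_RE.match(database):
        raise UnsafeJdbcUrl("malformed database name")
    if parts.fragment:
        raise UnsafeJdbcUrl("fragments are not allowed")

    props: Dict[str, str] = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key not in ALLOWED_PROPERTIES:
            raise UnsafeJdbcUrl(f"property {key!r} is not on the allow-list")
        if key in props:
            raise UnsafeJdbcUrl(f"property {key!r} given twice")
        if not VALUE_RE.match(value):
            raise UnsafeJdbcUrl(f"value for {key!r} contains disallowed characters")
        props[key] = value
    return parts.hostname, port, database, props


def is_rejected(url: str) -> bool:
    """True if validate_jdbc_url refuses the URL."""
    try:
        validate_jdbc_url(url)
    except UnsafeJdbcUrl:
        return True
    return False


# Constructed sample URLs (not taken from the advisory).
SAFE_URL = "jdbc:postgresql://db.internal:5432/inventory?user=app&sslmode=require"
# Modelled on the advisory: the URL author picks a log file path and switches logging on.
HOSTILE_URL = "jdbc:postgresql://db.internal/inventory?user=app&loggerLevel=DEBUG&loggerFile=/some/path"
```

The allow-list is the important part: a deny-list of the two properties named in the advisory would have missed the class-loading properties behind CVE-2022-21724 and will miss whatever comes next. Hand the driver a URL you rebuild from the validated tuple, not the caller's original string.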

    • Official post

    Package : curl
    CVE ID : CVE-2021-22898 CVE-2021-22924 CVE-2021-22945 CVE-2021-22946 CVE-2021-22947 CVE-2022-22576 CVE-2022-27774 CVE-2022-27775 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-32205 CVE-2022-32206 CVE-2022-32207 CVE-2022-32208
    Debian Bug : 989228 991492 1010295 1010254 1010253 1010252

    Multiple security vulnerabilities have been discovered in cURL, a URL transfer library. These flaws may allow remote attackers to obtain sensitive information, leak authentication or cookie header data or facilitate a denial of service attack.

    For the stable distribution (bullseye), these problems have been fixed in version 7.74.0-1.3+deb11u2.

    We recommend that you upgrade your curl packages.

    For the detailed security status of curl please refer to its security tracker page at:
    Information on source package curl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : jetty9
    CVE ID : CVE-2022-2047 CVE-2022-2048

    Two security vulnerabilities were discovered in Jetty, a Java servlet engine and webserver.

    CVE-2022-2047

    In Eclipse Jetty the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

    CVE-2022-2048

    In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.

    For the stable distribution (bullseye), these problems have been fixed in version 9.4.39-3+deb11u1.

    We recommend that you upgrade your jetty9 packages.

    For the detailed security status of jetty9 please refer to its security tracker page at:
    Information on source package jetty9

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
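Every advisory on this page states a fixed version per release, and each closes by pointing at how to apply the update. The example below is added here and is not Debian's tooling: it shows how to decide offline, for a fleet of hosts, whether a package inventory is still below an advisory's fixed version. It ports dpkg's version comparison (the ordering `dpkg --compare-versions` uses: epoch, then upstream version, then Debian revision, with `~` sorting before everything including the end of the string), pulls the source package and fixed versions out of an advisory's text, and matches them against `dpkg-query` output. The advisory text is the openjdk-11 post above; the `dpkg-query` output is constructed for an imaginary bullseye host and is not real inventory.

```python
import re
from typing import Dict, List, Tuple

DIGITS = "0123456789"


def _order(c: str) -> int:
    """dpkg's weight for a non-digit: '~' lowest, letters by code point, other symbols above letters."""
    if c in DIGITS:
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else (ord(c) + 256 if c else 0)


def _verrevcmp(a: str, b: str) -> int:
    """Port of dpkg's verrevcmp(): alternately compare non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0   # end of string weighs 0, so '~' loses to it
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":            # numeric run: drop leading zeros,
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            first_diff = first_diff or ord(a[i]) - ord(b[j])   # remember the first differing digit,
            i, j = i + 1, j + 1
        if i < len(a) and a[i] in DIGITS:            # a longer run is the larger number,
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:                               # otherwise the first differing digit decides.
            return first_diff
    return 0


def _split(v: str) -> Tuple[int, str, str]:
    """'epoch:upstream-revision' -> (epoch, upstream, revision); epoch defaults to 0, revision to ''."""
    epoch = 0
    if ":" in v:
        head, v = v.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = v.rpartition("-")   # last hyphen starts the Debian revision
    return (epoch, upstream, revision) if sep else (epoch, v, "")


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a <, ==, > b, the same answer as `dpkg --compare-versions`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


PKG_RE = re.compile(r"^\s*Package\s*:\s*(?P<pkg>\S+)", re.MULTILINE)
FIXED_RE = re.compile(r"For the (?:old)?stable distribution \((?P<codename>\w+)\), "
                      r"(?:this|these) problems? (?:has|have) been fixed in version (?P<version>\S+)\.")


def parse_dsa(text: str) -> Tuple[str, Dict[str, str]]:
    """Source package name and {codename: fixed version} taken from an advisory's text."""
    m = PKG_RE.search(text)
    if not m:
        raise ValueError("no 'Package :' line in advisory text")
    return m.group("pkg"), {f.group("codename"): f.group("version") for f in FIXED_RE.finditer(text)}


def parse_dpkg(output: str) -> Dict[str, Tuple[str, str]]:
    """{binary: (source package, version)} from dpkg-query output, one record per line."""
    # Expected input format: dpkg-query -W -f '${source:Package} ${Package} ${Version}\n'
    installed = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 3:
            installed[fields[1]] = (fields[0], fields[2])
    return installed


def vulnerable_packages(dsa_text: str, codename: str, dpkg_output: str) -> List[str]:
    """Installed binaries built from the DSA's source package that are still below the fixed version."""
    source, fixed = parse_dsa(dsa_text)
    if codename not in fixed:   # release not covered by this DSA ("not affected" or out of scope)
        return []
    return sorted(binary for binary, (src, ver) in parse_dpkg(dpkg_output).items()
                  if src == source and compare_versions(ver, fixed[codename]) < 0)


# The openjdk-11 advisory as reproduced on this page.
DSA_OPENJDK11 = """\
Package : openjdk-11
For the oldstable distribution (buster), these problems have been fixed in version 11.0.16+8-1~deb10u1.
For the stable distribution (bullseye), these problems have been fixed in version 11.0.16+8-1~deb11u1.
"""

# Constructed dpkg-query output for an imaginary bullseye host (not real inventory):
# two openjdk-11 binaries on an older build, one already updated, and an unrelated package.
DPKG_OUTPUT = """\
openjdk-11 openjdk-11-jre-headless 11.0.15+10-1~deb11u1
openjdk-11 openjdk-11-jre 11.0.15+10-1~deb11u1
openjdk-11 openjdk-11-jdk 11.0.16+8-1~deb11u1
curl libcurl4 7.74.0-1.3+deb11u2
"""
```

`vulnerable_packages(DSA_OPENJDK11, "bullseye", DPKG_OUTPUT)` returns the two `openjdk-11` binaries still on the older build. Matching on `${source:Package}` is what lets the advisory's `Package :` line, which names a source package, line up with the binaries actually installed (`openjdk-11-jre-headless` and friends). A version that compares equal or higher is not vulnerable; a release the advisory does not mention yields an empty list, which is the right answer for a "not affected" line but means "look elsewhere" for a release the DSA never covered.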