Debian Security Advisory

    • Offizieller Beitrag

    Package : chromium

    CVE ID : CVE-2022-3038 CVE-2022-3039 CVE-2022-3040 CVE-2022-3041

    CVE-2022-3042 CVE-2022-3043 CVE-2022-3044 CVE-2022-3045

    CVE-2022-3046 CVE-2022-3047 CVE-2022-3048 CVE-2022-3049

    CVE-2022-3050 CVE-2022-3051 CVE-2022-3052 CVE-2022-3053

    CVE-2022-3054 CVE-2022-3055 CVE-2022-3056 CVE-2022-3057

    CVE-2022-3058 CVE-2022-3071

    Debian Bug : 987292


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 105.0.5195.52-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : poppler

    CVE ID : CVE-2022-27337 CVE-2022-38784

    Debian Bug : 1010695 1018971


    Two vulnerabilities were discovered in poppler, a PDF rendering library, which could result in denial of service or the execution of arbitrary code if a malformed PDF file or JBIG2 image is processed.


    For the stable distribution (bullseye), these problems have been fixed in version 20.09.0-3.1+deb11u1.


    We recommend that you upgrade your poppler packages.


    For the detailed security status of poppler please refer to its security tracker page at:

    Information on source package poppler


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : chromium

    CVE ID : CVE-2022-3075

    Debian Bug : 1018937


    A security issue was discovered in Chromium, which could result in the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 105.0.5195.102-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : pcs

    CVE ID : CVE-2022-1049 CVE-2022-2735

    Debian Bug : 1018930


    Two security issues were discovered in pcs, a corosync and pacemaker configuration tool:


    CVE-2022-1049


    It was discovered that expired accounts were still able to login

    via PAM.


    CVE-2022-2735


    Ondrej Mular discovered that incorrect permissions on a Unix socket

    setup for internal communication could result in privilege escalation.


    For the stable distribution (bullseye), these problems have been fixed in version 0.10.8-1+deb11u1.


    We recommend that you upgrade your pcs packages.


    For the detailed security status of pcs please refer to its security tracker page at:

    Information on source package pcs


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : libgoogle-gson-java

    CVE ID : CVE-2022-25647

    Debian Bug : 1010670


    It was discovered that Gson, a Java library that can be used to convert Java Objects into their JSON representations and vice versa, was vulnerable to a de- serialization flaw. An application would de-serialize untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution. This can lead to a denial of service or even the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 2.8.6-1+deb11u1.


    We recommend that you upgrade your libgoogle-gson-java packages.


    For the detailed security status of libgoogle-gson-java please refer to its security tracker page at:

    Information on source package libgoogle-gson-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : gdk-pixbuf

    CVE ID : CVE-2021-44648 CVE-2021-46829

    Debian Bug : 1014600


    Several vulnerabilities were discovered in gdk-pixbuf, the GDK Pixbuf library.


    CVE-2021-44648


    Sahil Dhar reported a heap-based buffer overflow vulnerability when

    decoding the lzw compressed stream of image data, which may result

    in the execution of arbitrary code or denial of service if a

    malformed GIF image is processed.


    CVE-2021-46829


    Pedro Ribeiro reported a heap-based buffer overflow vulnerability

    when compositing or clearing frames in GIF files, which may result

    in the execution of arbitrary code or denial of service if a

    malformed GIF image is processed.


    For the stable distribution (bullseye), these problems have been fixed in version 2.42.2+dfsg-1+deb11u1.


    We recommend that you upgrade your gdk-pixbuf packages.


    For the detailed security status of gdk-pixbuf please refer to its security tracker page at:

    Information on source package gdk-pixbuf


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : gdk-pixbuf

    CVE ID : CVE-2021-44648 CVE-2021-46829

    Debian Bug : 1014600


    Several vulnerabilities were discovered in gdk-pixbuf, the GDK Pixbuf library.


    CVE-2021-44648


    Sahil Dhar reported a heap-based buffer overflow vulnerability when

    decoding the lzw compressed stream of image data, which may result

    in the execution of arbitrary code or denial of service if a

    malformed GIF image is processed.


    CVE-2021-46829


    Pedro Ribeiro reported a heap-based buffer overflow vulnerability

    when compositing or clearing frames in GIF files, which may result

    in the execution of arbitrary code or denial of service if a

    malformed GIF image is processed.


    For the stable distribution (bullseye), these problems have been fixed in version 2.42.2+dfsg-1+deb11u1.


    We recommend that you upgrade your gdk-pixbuf packages.


    For the detailed security status of gdk-pixbuf please refer to its security tracker page at:

    Information on source package gdk-pixbuf


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : freecad

    CVE ID : CVE-2021-45844 CVE-2021-45845


    Two vulnerabilities were discovered in FreeCAD, a CAD/CAM program, which could result in the execution of arbitrary shell commands when opening a malformed file.


    For the stable distribution (bullseye), these problems have been fixed in version 0.19.1+dfsg1-2+deb11u1.


    We recommend that you upgrade your freecad packages.


    For the detailed security status of freecad please refer to its security tracker page at:

    Information on source package freecad


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : chromium

    CVE ID : CVE-2022-3195 CVE-2022-3196 CVE-2022-3197 CVE-2022-3198

    CVE-2022-3199 CVE-2022-3200 CVE-2022-3201


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 105.0.5195.125-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : connman

    CVE ID : CVE-2022-23096 CVE-2022-23097 CVE-2022-23098 CVE-2022-32292

    CVE-2022-32293

    Debian Bug : 1004935 1016976


    Several vulnerabilities were discovered in ConnMan, a network manager for embedded devices, which could result in denial of service or the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 1.36-2.2+deb11u1.


    We recommend that you upgrade your connman packages.


    For the detailed security status of connman please refer to its security tracker page at:

    Information on source package connman


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : tinygltf

    CVE ID : CVE-2022-3008

    Debian Bug : 1019357


    It was discovered that the wordexp() function of tinygltf, a library to load/save glTF (GL Transmission Format) files was susceptible to command execution when processing untrusted files.


    For the stable distribution (bullseye), this problem has been fixed in version 2.5.0+dfsg-3+deb11u1.


    We recommend that you upgrade your tinygltf packages.


    For the detailed security status of tinygltf please refer to its security tracker page at:

    Information on source package tinygltf


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : e17

    CVE ID : CVE-2022-37706


    Maher Azzouzi discovered that missing input sanitising in the Enlightenment window manager may result in local privilege escalation to root.


    For the stable distribution (bullseye), this problem has been fixed in version 0.24.2-8+deb11u1.


    We recommend that you upgrade your e17 packages.


    For the detailed security status of e17 please refer to its security tracker page at:

    Information on source package e17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : fish

    CVE ID : CVE-2022-20001


    An arbitrary code execution vulnerability was disovered in fish, a command line shell. When using the default configuraton of fish, changing to a directory automatically ran `git` commands in order to display information about the current repository in the prompt. Such repositories can contain per-repository configuration that change the behavior of git, including running arbitrary commands.


    For the stable distribution (bullseye), this problem has been fixed in version 3.1.2-3+deb11u1.


    We recommend that you upgrade your fish packages.


    For the detailed security status of fish please refer to its security tracker page at:

    Information on source package fish


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : bind9

    CVE ID : CVE-2022-2795 CVE-2022-3080 CVE-2022-38177 CVE-2022-38178


    Several vulnerabilities were discovered in BIND, a DNS server implementation.


    CVE-2022-2795


    Yehuda Afek, Anat Bremler-Barr and Shani Stajnrod discovered that a

    flaw in the resolver code can cause named to spend excessive amounts

    of time on processing large delegations, significantly degrade

    resolver performance and result in denial of service.


    CVE-2022-3080


    Maksym Odinintsev discovered that the resolver can crash when stale

    cache and stale answers are enabled with a zero

    stale-answer-timeout. A remote attacker can take advantage of this

    flaw to cause a denial of service (daemon crash) via specially

    crafted queries to the resolver.


    CVE-2022-38177


    It was discovered that the DNSSEC verification code for the ECDSA

    algorithm is susceptible to a memory leak flaw. A remote attacker

    can take advantage of this flaw to cause BIND to consume resources,

    resulting in a denial of service.


    CVE-2022-38178


    It was discovered that the DNSSEC verification code for the EdDSA

    algorithm is susceptible to a memory leak flaw. A remote attacker

    can take advantage of this flaw to cause BIND to consume resources,

    resulting in a denial of service.


    For the stable distribution (bullseye), these problems have been fixed in version 1:9.16.33-1~deb11u1.


    We recommend that you upgrade your bind9 packages.


    For the detailed security status of bind9 please refer to its security tracker page at:

    Information on source package bind9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : expat

    CVE ID : CVE-2022-40674

    Debian Bug : 1019761


    Rhodri James discovered a heap use-after-free vulnerability in the doContent function in Expat, an XML parsing C library, which could result in denial of service or potentially the execution of arbitrary code, if a malformed XML file is processed.


    For the stable distribution (bullseye), this problem has been fixed in version 2.2.10-2+deb11u4.


    We recommend that you upgrade your expat packages.


    For the detailed security status of expat please refer to its security tracker page at:

    Information on source package expat


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : firefox-esr

    CVE ID : CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959

    CVE-2022-40960 CVE-2022-40962


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, CSP bypass or session fixation.


    Debian follows the extended support releases (ESR) of Firefox. Support for the 91.x series has ended, so starting with this update we're now following the 102.x releases.


    Between 91.x and 102.x, Firefox has seen a number of feature updates.

    For more information please refer to


    For the stable distribution (bullseye), these problems have been fixed in version 102.3.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : thunderbird

    CVE ID : CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959

    CVE-2022-40960 CVE-2022-40962


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 1:102.3.0-1~deb11u1. Debian follows the Thunderbird upstream releases. Support for the 91.x series has ended, so starting with this update we're now following the 102.x series.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : gdal

    CVE ID : CVE-2021-45943


    A heap-based buffer overflow vulnerability was discovered in gdal, a Geospatial Data Abstraction Library, which could result in denial of service or potentially the execution of arbitrary code, if a specially crafted file is processed with the PCIDSK driver.


    For the stable distribution (bullseye), this problem has been fixed in version 3.2.2+dfsg-2+deb11u2.


    We recommend that you upgrade your gdal packages.


    For the detailed security status of gdal please refer to its security tracker page at:

    Information on source package gdal


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : webkit2gtk

    CVE ID : CVE-2022-32886


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2022-32886


    P1umer, afang5472 and xmzyshypnc discovered that processing

    maliciously crafted web content may lead to arbitrary code

    execution


    For the stable distribution (bullseye), this problem has been fixed in version 2.38.0-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : wpewebkit

    CVE ID : CVE-2022-32886


    The following vulnerabilities have been discovered in the WPE WebKit web engine:


    CVE-2022-32886


    P1umer, afang5472 and xmzyshypnc discovered that processing

    maliciously crafted web content may lead to arbitrary code

    execution


    For the stable distribution (bullseye), this problem has been fixed in version 2.38.0-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/