Debian Security Advisory

    • Official post

    Package : thunderbird

    CVE ID : CVE-2022-42927 CVE-2022-42928 CVE-2022-42929 CVE-2022-42932


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 1:102.4.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-3723


    A security issue was discovered in Chromium, which could result in the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 107.0.5304.87-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : batik

    CVE ID : CVE-2022-41704 CVE-2022-42890


    It was discovered that Apache Batik, an SVG library for Java, allowed attackers to run arbitrary Java code by processing a malicious SVG file.


    For the stable distribution (bullseye), these problems have been fixed in version 1.12-4+deb11u1.


    We recommend that you upgrade your batik packages.


    For the detailed security status of batik please refer to its security tracker page at:

    Information on source package batik


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tomcat9

    CVE ID : CVE-2021-43980 CVE-2022-23181 CVE-2022-29885


    Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.


    CVE-2021-43980

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance, resulting in responses, or part responses, being received by the wrong client.

    CVE-2022-23181

    The fix for bug CVE-2020-9484 introduced a time-of-check, time-of-use vulnerability into Apache Tomcat that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

    CVE-2022-29885

    The documentation of Apache Tomcat for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.


    For the stable distribution (bullseye), these problems have been fixed in version 9.0.43-2~deb11u4.


    We recommend that you upgrade your tomcat9 packages.


    For the detailed security status of tomcat9 please refer to its security tracker page at:

    Information on source package tomcat9


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : expat

    CVE ID : CVE-2022-43680

    Debian Bug : 1022743


    A heap use-after-free vulnerability after overeager destruction of a shared DTD in the XML_ExternalEntityParserCreate function in Expat, an XML parsing C library, may result in denial of service or potentially the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 2.2.10-2+deb11u5.


    We recommend that you upgrade your expat packages.


    For the detailed security status of expat please refer to its security tracker page at:

    Information on source package expat


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pysha3

    CVE ID : CVE-2022-37454

    Debian Bug : 1023030


    Nicky Mouha discovered a buffer overflow in 'sha3', a Python library for the SHA-3 hashing functions.


    For the stable distribution (bullseye), this problem has been fixed in version 1.0.2-4.1+deb11u1.


    We recommend that you upgrade your pysha3 packages.


    For the detailed security status of pysha3 please refer to its security tracker page at:

    Information on source package pysha3


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ffmpeg


    Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.


    For the stable distribution (bullseye), these problems have been fixed in version 7:4.3.5-0+deb11u1.


    We recommend that you upgrade your ffmpeg packages.


    For the detailed security status of ffmpeg please refer to its security tracker page at:

    Information on source package ffmpeg


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pypy3

    CVE ID : CVE-2022-37454


    Nicky Mouha discovered a buffer overflow in the sha3 module of PyPy, a fast, compliant alternative implementation of the Python language.


    For the stable distribution (bullseye), this problem has been fixed in version 7.3.5+dfsg-2+deb11u2.


    We recommend that you upgrade your pypy3 packages.


    For the detailed security status of pypy3 please refer to its security tracker page at:

    Information on source package pypy3


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ntfs-3g

    CVE ID : CVE-2022-40284


    Yuchen Zeng and Eduardo Vela discovered a buffer overflow in NTFS-3G, a read-write NTFS driver for FUSE, due to incorrect validation of some of the NTFS metadata. A local user can take advantage of this flaw for local root privilege escalation.


    For the stable distribution (bullseye), this problem has been fixed in version 1:2017.3.23AR.3-4+deb11u3.


    We recommend that you upgrade your ntfs-3g packages.


    For the detailed security status of ntfs-3g please refer to its security tracker page at:

    Information on source package ntfs-3g


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libxml2

    CVE ID : CVE-2022-40303 CVE-2022-40304

    Debian Bug : 1022224 1022225


    Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files.


    CVE-2022-40303

    Maddie Stone discovered that missing safety checks in several functions can result in integer overflows when parsing an XML document with the XML_PARSE_HUGE option enabled.

    CVE-2022-40304

    Ned Williamson and Nathan Wachholz discovered a vulnerability when handling detection of entity reference cycles, which may result in corrupted dictionary entries. This flaw may lead to logic errors, including memory errors like double free flaws.


    For the stable distribution (bullseye), these problems have been fixed in version 2.9.10+dfsg-6.7+deb11u3.


    We recommend that you upgrade your libxml2 packages.


    For the detailed security status of libxml2 please refer to its security tracker page at:

    Information on source package libxml2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xen

    CVE ID : CVE-2022-33745 CVE-2022-33746 CVE-2022-33747 CVE-2022-33748 CVE-2022-42309 CVE-2022-42310 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314 CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318 CVE-2022-42319 CVE-2022-42320 CVE-2022-42321 CVE-2022-42322 CVE-2022-42323 CVE-2022-42324 CVE-2022-42325 CVE-2022-42326


    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.


    For the stable distribution (bullseye), these problems have been fixed in version 4.14.5+86-g1c354767d5-1.


    We recommend that you upgrade your xen packages.


    For the detailed security status of xen please refer to its security tracker page at:

    Information on source package xen


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2022-42799 CVE-2022-42823 CVE-2022-42824


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2022-42799

    Jihwan Kim and Dohyun Lee discovered that visiting a malicious website may lead to user interface spoofing.

    CVE-2022-42823

    Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-42824

    Abdulrahman Alqabandi, Ryan Shin and Dohyun Lee discovered that processing maliciously crafted web content may disclose sensitive user information.


    For the stable distribution (bullseye), these problems have been fixed in version 2.38.2-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2022-42799 CVE-2022-42823 CVE-2022-42824


    The following vulnerabilities have been discovered in the WPE WebKit web engine:


    CVE-2022-42799

    Jihwan Kim and Dohyun Lee discovered that visiting a malicious website may lead to user interface spoofing.

    CVE-2022-42823

    Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-42824

    Abdulrahman Alqabandi, Ryan Shin and Dohyun Lee discovered that processing maliciously crafted web content may disclose sensitive user information.


    For the stable distribution (bullseye), these problems have been fixed in version 2.38.2-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-3885 CVE-2022-3886 CVE-2022-3887 CVE-2022-3888 CVE-2022-3889 CVE-2022-3890

    Debian Bug : 1015931


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 107.0.5304.110-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pixman

    CVE ID : CVE-2022-44638

    Debian Bug : 1023427


    Maddie Stone reported a heap-based buffer overflow flaw in pixman, a pixel-manipulation library for X and cairo, which could result in denial of service or potentially the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 0.40.0-1.1~deb11u1.


    We recommend that you upgrade your pixman packages.


    For the detailed security status of pixman please refer to its security tracker page at:

    Information on source package pixman


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : php7.4

    CVE ID : CVE-2022-31630 CVE-2022-37454 CVE-2022-31629 CVE-2022-31628


    Multiple security issues were discovered in PHP, a widely-used open source general purpose scripting language, which could result in denial of service, information disclosure, insecure cookie handling or potentially the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 7.4.33-1+deb11u1.


    We recommend that you upgrade your php7.4 packages.


    For the detailed security status of php7.4 please refer to its security tracker page at:

    Information on source package php7.4


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server

    CVE ID : CVE-2022-3550 CVE-2022-3551


    It was discovered that a buffer overflow in the _getCountedString() function of the Xorg X server may result in denial of service or potentially the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u3.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at:

    Information on source package xorg-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress

    Debian Bug : 1007005 1018863 1022575


    Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injection, create open redirects, bypass authorization access, or perform Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.


    For the stable distribution (bullseye), these problems have been fixed in version 5.7.8+dfsg1-0+deb11u1.


    We recommend that you upgrade your wordpress packages.


    For the detailed security status of wordpress please refer to its security tracker page at:

    Information on source package wordpress


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Offizieller Beitrag

    Package : grub2

    CVE ID : CVE-2022-2601 CVE-2022-3775


    Several issues were found in GRUB2's font handling code, which could result in crashes and potentially execution of arbitrary code. These could lead to a bypass of UEFI Secure Boot on affected systems.


    Further, issues were found in image loading that could potentially lead to memory overflows.


    For the stable distribution (bullseye), these problems have been fixed in version 2.06-3~deb11u4.


    We recommend that you upgrade your grub2 packages.


    For the detailed security status of grub2 please refer to its security tracker page at:

    Information on source package grub2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : nginx

    CVE ID : CVE-2022-41741 CVE-2022-41742


    It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file.


    This module is only enabled in the nginx-extras binary package.


    For the stable distribution (bullseye), these problems have been fixed in version 1.18.0-6.1+deb11u3.


    We recommend that you upgrade your nginx packages.


    For the detailed security status of nginx please refer to its security tracker page at:

    Information on source package nginx


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
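An added example, not part of any post above and not Debian's code: a Python port of dpkg's version ordering, used to report which of the fixed bullseye versions named in these advisories an installed system has not yet reached. The dpkg-query format string and the sample output are assumptions made for this example; the fixed versions are the ones stated in the posts.

```python
import re

# Source package -> fixed bullseye version, copied from the advisories above (chromium: the later one).
FIXED_IN = {
    "thunderbird": "1:102.4.0-1~deb11u1", "chromium": "107.0.5304.110-1~deb11u1", "batik": "1.12-4+deb11u1",
    "tomcat9": "9.0.43-2~deb11u4", "expat": "2.2.10-2+deb11u5", "pysha3": "1.0.2-4.1+deb11u1",
    "ffmpeg": "7:4.3.5-0+deb11u1", "pypy3": "7.3.5+dfsg-2+deb11u2", "ntfs-3g": "1:2017.3.23AR.3-4+deb11u3",
    "libxml2": "2.9.10+dfsg-6.7+deb11u3", "xen": "4.14.5+86-g1c354767d5-1", "webkit2gtk": "2.38.2-1~deb11u1",
    "wpewebkit": "2.38.2-1~deb11u1", "pixman": "0.40.0-1.1~deb11u1", "php7.4": "7.4.33-1+deb11u1",
    "xorg-server": "2:1.20.11-1+deb11u3", "wordpress": "5.7.8+dfsg1-0+deb11u1", "grub2": "2.06-3~deb11u4",
    "nginx": "1.18.0-6.1+deb11u3",
}

def _order(c):
    # dpkg's weight for a non-digit position: '~' sorts before anything, even the end of
    # the string; end of string and digits weigh 0; letters by code point; symbols after letters.
    if c == "~":
        return -1
    return 0 if not c or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): alternate non-digit runs (weighted by _order) with numeric digit runs.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa, ob = _order(a[i] if i < len(a) else ""), _order(b[j] if j < len(b) else "")
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(a, b):
    """-1/0/1 for Debian versions [epoch:]upstream[-revision], like dpkg --compare-versions."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def outdated_packages(dpkg_output, fixed=FIXED_IN):
    """'source version' lines -> [(source, installed, fixed)] for each source still below its fixed version."""
    pairs = [line.split() for line in dpkg_output.split("\n") if line.strip()]
    return [(src, have, fixed[src]) for src, have in pairs
            if src in fixed and compare_versions(have, fixed[src]) < 0]

# Constructed sample in the format of dpkg-query -W -f='${source:Package} ${source:Version}\n' (assumed command).
SAMPLE = "expat 2.2.10-2+deb11u4\nlibxml2 2.9.10+dfsg-6.7+deb11u3\nthunderbird 1:102.3.0-1~deb11u1\n"
```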