Debian Security Advisory

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406

    CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411

    CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420

    CVE-2022-45421


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, spoofing or bypass of the SameSite cookie policy.


    For the stable distribution (bullseye), these problems have been fixed in version 102.5.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wordpress

    Debian Bug : 1007005 1018863 1022575 1024249


    The wordpress package released in DSA-5279-1 had incorrect dependencies that could not be satisfied in Debian stable: this update corrects the problem. For reference, the original advisory text is provided here again:


    Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, create open redirects, bypass authorization access, or perform Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.


    For the stable distribution (bullseye), this problem has been fixed in version 5.7.8+dfsg1-0+deb11u2.


    We recommend that you upgrade your wordpress packages.


    For the detailed security status of wordpress please refer to its security tracker page at:

    Information on source package wordpress


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : jackson-databind

    CVE ID : CVE-2020-36518 CVE-2022-42003 CVE-2022-42004

    Debian Bug : 1007109


    Several flaws were discovered in jackson-databind, a fast and powerful JSON library for Java.


    CVE-2020-36518

    Java StackOverflow exception and denial of service via a large depth of nested objects.

    CVE-2022-42003

    In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

    CVE-2022-42004

    In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.


    For the stable distribution (bullseye), these problems have been fixed in version 2.12.1-1+deb11u1.


    We recommend that you upgrade your jackson-databind packages.


    For the detailed security status of jackson-databind please refer to its security tracker page at:

    Information on source package jackson-databind


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
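All three jackson-databind issues above are triggered by deeply nested input reaching recursive deserializers. The following is an added example (not Debian's or the Jackson project's code) of a pre-flight depth check for Jackson releases that have no built-in nesting limit: the `NestingGuard` class, its `MAX_DEPTH` value and the `nestedArrays` sample generator are hypothetical, and the example assumes jackson-core and jackson-databind 2.x on the classpath.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

// Hypothetical depth guard. jackson-core's streaming parser keeps nesting state
// in heap objects, so it can measure depth without recursion; databind's
// recursive deserializers only run once the document has passed the check.
public final class NestingGuard {

    // Constructed limit for this example; size it to your real data.
    static final int MAX_DEPTH = 64;

    // Returns the first depth above `limit`, or the maximum depth seen if the
    // document stays within it. Stops early so a hostile input is not read to the end.
    static int scanDepth(JsonFactory factory, String json, int limit) throws IOException {
        int depth = 0, max = 0;
        try (JsonParser p = factory.createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t.isStructStart()) {
                    if (++depth > limit) return depth;
                    if (depth > max) max = depth;
                } else if (t.isStructEnd()) {
                    depth--;
                }
            }
        }
        return max;
    }

    // Parses untrusted JSON into a tree only after the depth check passes.
    static JsonNode readChecked(ObjectMapper mapper, String json) throws IOException {
        if (scanDepth(mapper.getFactory(), json, MAX_DEPTH) > MAX_DEPTH) {
            throw new IOException("JSON nesting exceeds " + MAX_DEPTH + " levels; rejected");
        }
        return mapper.readTree(json);
    }

    // Constructed sample input: n nested empty arrays, e.g. nestedArrays(3) == "[[[]]]".
    static String nestedArrays(int n) {
        StringBuilder sb = new StringBuilder(2 * n);
        for (int i = 0; i < n; i++) sb.append('[');
        for (int i = 0; i < n; i++) sb.append(']');
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        System.out.println(readChecked(mapper, nestedArrays(10)));   // within limit, parsed
        try {
            readChecked(mapper, nestedArrays(100_000));               // refused before readTree
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The guard scans the text twice in the accepted case (once to count, once to parse), which is the price of a check that works without changing the databind version.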

    • Official post

    Package : thunderbird

    CVE ID : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406

    CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411

    CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420

    CVE-2022-45421


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 1:102.5.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Debian Security Advisory DSA-5285-1                   security@debian.org

    https://www.debian.org/security/                          Markus Koschany

    November 17, 2022                     https://www.debian.org/security/faq

    -------------------------------------------------------------------------


    Package : asterisk

    CVE ID : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301

    CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845

    CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608

    CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792

    CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651

    Debian Bug : 1014998 1018073 1014976


    Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.


    Special care should be taken when upgrading to this new upstream release.

    Some configuration files and options have changed in order to remedy certain security vulnerabilities. Most notably the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration now. This can be reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also https://issues.asterisk.org/jira/browse/ASTERISK-29017.


    For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u1.


    We recommend that you upgrade your asterisk packages.


    For the detailed security status of asterisk please refer to its security tracker page at:

    Information on source package asterisk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : krb5

    CVE ID : CVE-2022-42898

    Debian Bug : 1024267


    Greg Hudson discovered integer overflow flaws in the PAC parsing in krb5, the MIT implementation of Kerberos, which may result in remote code execution (in a KDC, kadmin, or GSS or Kerberos application server process), information exposure (to a cross-realm KDC acting maliciously), or denial of service (KDC or kadmind process crash).


    For the stable distribution (bullseye), this problem has been fixed in version 1.18.3-6+deb11u3.


    We recommend that you upgrade your krb5 packages.


    For the detailed security status of krb5 please refer to its security tracker page at:

    Information on source package krb5


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : heimdal

    CVE ID : CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916

    CVE-2022-42898 CVE-2022-44640

    Debian Bug : 996586


    Several vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos.


    CVE-2021-3671

    Joseph Sutton discovered that the Heimdal KDC does not validate that the server name in the TGS-REQ is present before dereferencing, which may result in denial of service.

    CVE-2021-44758

    It was discovered that Heimdal is prone to a NULL dereference in acceptors where an initial SPNEGO token that has no acceptable mechanisms, which may result in denial of service for a server application that uses SPNEGO.

    CVE-2022-3437

    Several buffer overflow flaws and non-constant time leaks were discovered when using 1DES, 3DES or RC4 (arcfour).

    CVE-2022-41916

    An out-of-bounds memory access was discovered when Heimdal normalizes Unicode, which may result in denial of service.

    CVE-2022-42898

    It was discovered that integer overflows in PAC parsing may result in denial of service for Heimdal KDCs or possibly Heimdal servers.

    CVE-2022-44640

    It was discovered that the Heimdal's ASN.1 compiler generates code that allows specially crafted DER encodings to invoke an invalid free on the decoded structure upon decode error, which may result in remote code execution in the Heimdal KDC.


    For the stable distribution (bullseye), these problems have been fixed in version 7.7.0+dfsg-2+deb11u2.


    We recommend that you upgrade your heimdal packages.


    For the detailed security status of heimdal please refer to its security tracker page at:

    Information on source package heimdal


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : graphicsmagick

    CVE ID : CVE-2022-1270


    It was discovered that a buffer overflow in GraphicsMagick, a collection of image processing tools, could potentially result in the execution of arbitrary code when processing a malformed MIFF image.


    For the stable distribution (bullseye), this problem has been fixed in version 1.4+really1.3.36+hg16481-2+deb11u1.


    We recommend that you upgrade your graphicsmagick packages.


    For the detailed security status of graphicsmagick please refer to its security tracker page at:

    Information on source package graphicsmagick


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-4135


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 107.0.5304.121-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : commons-configuration2

    CVE ID : CVE-2022-33980

    Debian Bug : 1014960


    Apache Commons Configuration, a Java library providing a generic configuration interface, performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:

    - "script" - execute expressions using the JVM script execution engine (javax.script)

    - "dns" - resolve dns records

    - "url" - load values from urls, including from remote servers

    Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.


    For the stable distribution (bullseye), this problem has been fixed in version 2.8.0-1~deb11u1.


    We recommend that you upgrade your commons-configuration2 packages.


    For the detailed security status of commons-configuration2 please refer to its security tracker page at:

    Information on source package commons-configuration2


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
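The advisory above turns on which interpolation prefixes a configuration will expand. As an added example (not Debian's or the Apache Commons project's own code), the hypothetical `SafeInterpolation` class below installs an explicit allow-list of prefix lookups instead of relying on the library's default set, so a value carrying `${script:...}`, `${dns:...}` or `${url:...}` is returned verbatim rather than evaluated; it assumes commons-configuration2 2.x on the classpath, and the allowed prefixes are a choice made for this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpol.DefaultLookups;
import org.apache.commons.configuration2.interpol.Lookup;

// Hypothetical allow-list of interpolation prefixes. A prefix that is not
// registered (script, dns, url, ...) has no Lookup, so the interpolator leaves
// the ${...} text untouched instead of resolving it.
public final class SafeInterpolation {

    // Only these prefixes may be expanded; chosen for this example.
    static Map<String, Lookup> allowedPrefixLookups() {
        Map<String, Lookup> lookups = new HashMap<>();
        DefaultLookups[] allowed = { DefaultLookups.SYSTEM_PROPERTIES,   // "sys"
                                     DefaultLookups.ENVIRONMENT };       // "env"
        for (DefaultLookups dl : allowed) {
            lookups.put(dl.getPrefix(), dl.getLookup());
        }
        return lookups;
    }

    // Replaces the configuration's interpolator with one that knows only the
    // allowed prefixes and has no default (prefix-less) lookups at all.
    static PropertiesConfiguration newRestrictedConfig() {
        PropertiesConfiguration config = new PropertiesConfiguration();
        config.installInterpolator(allowedPrefixLookups(), Collections.emptyList());
        return config;
    }

    public static void main(String[] args) {
        PropertiesConfiguration config = newRestrictedConfig();
        // Constructed untrusted values, as they might arrive from a user-editable file.
        config.setProperty("home",  "${sys:user.home}");
        config.setProperty("calc",  "${script:javascript:1+1}");
        config.setProperty("probe", "${dns:example.org}");
        System.out.println(config.getString("home"));   // expanded: "sys" is allowed
        System.out.println(config.getString("calc"));   // printed verbatim, never evaluated
        System.out.println(config.getString("probe"));  // printed verbatim, no DNS query
    }
}
```

Pinning the allow-list in code means a later library upgrade or a system-property override cannot silently widen the set of lookups the application honours.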

    • Official post

    Package : mujs

    CVE ID : CVE-2022-30974 CVE-2022-30975 CVE-2022-44789


    Multiple security issues were discovered in MuJS, a lightweight JavaScript interpreter, which could result in denial of service and potentially the execution of arbitrary code.


    For the stable distribution (bullseye), these problems have been fixed in version 1.1.0-1+deb11u2.


    We recommend that you upgrade your mujs packages.


    For the detailed security status of mujs please refer to its security tracker page at:

    Information on source package mujs


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : snapd

    CVE ID : CVE-2022-3328


    The Qualys Research Team discovered a race condition in the snapd-confine binary which could result in local privilege escalation.


    For the stable distribution (bullseye), this problem has been fixed in version 2.49-1+deb11u2.


    We recommend that you upgrade your snapd packages.


    For the detailed security status of snapd please refer to its security tracker page at:

    Information on source package snapd


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 108.0.5359.71-2~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : jhead

    CVE ID : CVE-2021-34055 CVE-2022-41751

    Debian Bug : 1024272 1022028


    Jhead, a tool for manipulating EXIF data embedded in JPEG images, allowed attackers to execute arbitrary OS commands by placing them in a JPEG filename and then using the regeneration -rgt50, -autorot or -ce option. In addition, a buffer overflow error in exif.c has been addressed which could lead to a denial of service (application crash).


    For the stable distribution (bullseye), these problems have been fixed in version 1:3.04-6+deb11u1.


    We recommend that you upgrade your jhead packages.


    For the detailed security status of jhead please refer to its security tracker page at:

    Information on source package jhead


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-4262


    A security issue was discovered in Chromium, which could result in the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 108.0.5359.94-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xfce4-settings

    CVE ID : CVE-2022-45062

    Debian Bug : 1023732


    Robin Peraglie and Johannes Moritz discovered an argument injection bug in the xfce4-mime-helper component of xfce4-settings, which can be exploited using the xdg-open common tool. Since xdg-open is used by multiple standard applications for opening links, this bug could be exploited by an attacker to run arbitrary code on a user's machine by providing a malicious PDF file with specifically crafted links.


    For the stable distribution (bullseye), this problem has been fixed in version 4.16.0-1+deb11u1.


    We recommend that you upgrade your xfce4-settings packages.


    For the detailed security status of xfce4-settings please refer to its security tracker page at:

    Information on source package xfce4-settings


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : vlc

    CVE ID : CVE-2022-41325


    A buffer overflow was discovered in the VNC module of the VLC media player, which could result in the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 3.0.18-0+deb11u1.


    We recommend that you upgrade your vlc packages.


    For the detailed security status of vlc please refer to its security tracker page at:

    Information on source package vlc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cacti

    CVE ID : CVE-2022-0730 CVE-2022-46169

    Debian Bug : 1008693 1025648


    Two security vulnerabilities have been discovered in Cacti, a web interface for graphing of monitoring systems, which could result in unauthenticated command injection or LDAP authentication bypass.


    For the stable distribution (bullseye), these problems have been fixed in version 1.2.16+ds1-2+deb11u1.


    We recommend that you upgrade your cacti packages.


    For the detailed security status of cacti please refer to its security tracker page at:

    Information on source package cacti


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openexr

    CVE ID : CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941

    CVE-2021-23215 CVE-2021-26260 CVE-2021-45942

    Debian Bug : 992703 990450 990899 1014828 1014828


    Multiple security vulnerabilities have been found in OpenEXR, command-line tools and a library for the OpenEXR image format. Buffer overflows or out-of-bound reads could lead to a denial of service (application crash) if a malformed image file is processed.


    For the stable distribution (bullseye), these problems have been fixed in version 2.5.4-2+deb11u1.


    We recommend that you upgrade your openexr packages.


    For the detailed security status of openexr please refer to its security tracker page at:

    Information on source package openexr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : pngcheck

    CVE ID : CVE-2020-35511


    Multiple security issues were discovered in pngcheck, a tool to verify the integrity of PNG, JNG and MNG files, which could potentially result in the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 3.0.3-1~deb11u1.


    We recommend that you upgrade your pngcheck packages.


    For the detailed security status of pngcheck please refer to its security tracker page at:

    Information on source package pngcheck


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/