Debian Security Advisory

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2022-46872 CVE-2022-46874 CVE-2022-46878 CVE-2022-46880 CVE-2022-46881 CVE-2022-46882


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 102.6.0esr-1~deb11u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2022-4436 CVE-2022-4437 CVE-2022-4438 CVE-2022-4439 CVE-2022-4440


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), these problems have been fixed in version 108.0.5359.124-1~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2022-46882 CVE-2022-46881 CVE-2022-46880 CVE-2022-46878 CVE-2022-46874 CVE-2022-46872 CVE-2022-45414


    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code or information disclosure.


    For the stable distribution (bullseye), this problem has been fixed in version 1:102.6.0-1~deb11u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : xorg-server

    CVE ID : CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344

    Debian Bug : 1026071


    Jan-Niklas Sohn discovered several vulnerabilities in X server extensions in the X.Org X server, which may result in privilege escalation if the X server is running privileged.


    For the stable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u4.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at:

    Information on source package xorg-server


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libksba

    CVE ID : CVE-2022-47629


    An integer overflow flaw was discovered in the CRL signature parser in libksba, an X.509 and CMS support library, which could result in denial of service or the execution of arbitrary code.


    For the stable distribution (bullseye), this problem has been fixed in version 1.5.0-3+deb11u2.


    We recommend that you upgrade your libksba packages.


    For the detailed security status of libksba please refer to its security tracker page at:

    Information on source package libksba


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gerbv

    CVE ID : CVE-2021-40393 CVE-2021-40394 CVE-2021-40401 CVE-2021-40403


    Several vulnerabilities were discovered in gerbv, a Gerber file viewer, which could result in the execution of arbitrary code, denial of service or information disclosure if a specially crafted file is processed.


    For the stable distribution (bullseye), these problems have been fixed in version 2.7.0-2+deb11u2.


    We recommend that you upgrade your gerbv packages.


    For the detailed security status of gerbv please refer to its security tracker page at:

    Information on source package gerbv


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libcommons-net-java

    CVE ID : CVE-2021-37533

    Debian Bug : 1025910


    ZeddYu Lu discovered that the FTP client of Apache Commons Net, a Java client API for basic Internet protocols, trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.


    For the stable distribution (bullseye), this problem has been fixed in version 3.6-1+deb11u1.


    We recommend that you upgrade your libcommons-net-java packages.


    For the detailed security status of libcommons-net-java please refer to its security tracker page at:

    Information on source package libcommons-net-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
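    As an added example, not Apache Commons Net's own code: a Python sketch of the defensive rule described above, in which a host advertised in the PASV reply is only used when it matches the host the client itself opened the control connection to. The function names and the sample replies are constructed for this illustration.

```python
import re
from typing import NamedTuple, Tuple

# The six decimal fields of a 227 reply, e.g. "(192,0,2,10,195,80)" -> 192.0.2.10:50000.
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


class DataEndpoint(NamedTuple):
    host: str
    port: int
    redirected: bool  # True when the host advertised by the server was ignored


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Return (host, port) advertised in a 227 PASV reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError(f"unexpected reply code: {reply[:3]!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in PASV reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return ".".join(str(n) for n in nums[:4]), port


def pasv_is_wellformed(reply: str) -> bool:
    """True when parse_pasv accepts the reply, False otherwise."""
    try:
        parse_pasv(reply)
        return True
    except ValueError:
        return False


def choose_data_endpoint(control_host: str, reply: str,
                         trust_pasv_host: bool = False) -> DataEndpoint:
    """Pick the data-connection target for a PASV transfer.

    control_host is the address the client itself connected to. Unless the
    caller explicitly opts in, a differing host in the 227 reply is ignored
    and only the advertised port is used, so the server cannot steer the data
    connection to a third host (for instance one on the client's private network).
    """
    pasv_host, port = parse_pasv(reply)
    if trust_pasv_host or pasv_host == control_host:
        return DataEndpoint(pasv_host, port, False)
    return DataEndpoint(control_host, port, True)


if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    honest = "227 Entering Passive Mode (192,0,2,10,195,80)"
    steering = "227 Entering Passive Mode (10,0,0,5,0,22)"
    print(choose_data_endpoint("192.0.2.10", honest))    # host kept, redirected=False
    print(choose_data_endpoint("192.0.2.10", steering))  # falls back to the control host
```

    If the control connection was opened by hostname rather than IP, the string comparison fails and the code falls back to the control host, which is the conservative outcome.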

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2022-42852 CVE-2022-42856 CVE-2022-42867 CVE-2022-46692 CVE-2022-46698 CVE-2022-46699 CVE-2022-46700


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2022-42852

    hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory.

    CVE-2022-42856

    Clement Lecigne discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-42867

    Maddie Stone discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-46692

    KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy.

    CVE-2022-46698

    Dohyun Lee and Ryan Shin discovered that processing maliciously crafted web content may disclose sensitive user information.

    CVE-2022-46699

    Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-46700

    Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    For the stable distribution (bullseye), these problems have been fixed in version 2.38.3-1~deb11u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : wpewebkit

    CVE ID : CVE-2022-42852 CVE-2022-42856 CVE-2022-42867 CVE-2022-46692 CVE-2022-46698 CVE-2022-46699 CVE-2022-46700


    The following vulnerabilities have been discovered in the WPE WebKit web engine:


    CVE-2022-42852

    hazbinhotel discovered that processing maliciously crafted web content may result in the disclosure of process memory.

    CVE-2022-42856

    Clement Lecigne discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-42867

    Maddie Stone discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-46692

    KirtiKumar Anandrao Ramchandani discovered that processing maliciously crafted web content may bypass Same Origin Policy.

    CVE-2022-46698

    Dohyun Lee and Ryan Shin discovered that processing maliciously crafted web content may disclose sensitive user information.

    CVE-2022-46699

    Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-46700

    Samuel Gross discovered that processing maliciously crafted web content may lead to arbitrary code execution.


    For the stable distribution (bullseye), these problems have been fixed in version 2.38.3-1~deb11u1.


    We recommend that you upgrade your wpewebkit packages.


    For the detailed security status of wpewebkit please refer to its security tracker page at:

    Information on source package wpewebkit


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ruby-image-processing

    CVE ID : CVE-2022-24720

    Debian Bug : 1007225


    It was discovered that ruby-image-processing, a ruby package that provides higher-level image processing helpers, is prone to a remote shell execution vulnerability when using the #apply method to apply a series of operations coming from unsanitized user input.


    For the stable distribution (bullseye), this problem has been fixed in version 1.10.3-1+deb11u1.


    We recommend that you upgrade your ruby-image-processing packages.


    For the detailed security status of ruby-image-processing please refer to its security tracker page at:

    Information on source package ruby-image-processing


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : trafficserver

    CVE ID : CVE-2022-32749 CVE-2022-37392


    Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in HTTP request smuggling, cache poisoning or denial of service.


    For the stable distribution (bullseye), these problems have been fixed in version 8.1.6+ds-1~deb11u1.


    We recommend that you upgrade your trafficserver packages.


    For the detailed security status of trafficserver please refer to its security tracker page at:

    Information on source package trafficserver


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libjettison-java

    CVE ID : CVE-2022-40149 CVE-2022-40150 CVE-2022-45685 CVE-2022-45693

    Debian Bug : 1022553 1022554


    Several flaws have been discovered in libjettison-java, a collection of StAX parsers and writers for JSON. Specially crafted user input may cause a denial of service via out-of-memory or stack overflow errors.


    For the stable distribution (bullseye), these problems have been fixed in version 1.5.3-1~deb11u1.


    We recommend that you upgrade your libjettison-java packages.


    For the detailed security status of libjettison-java please refer to its security tracker page at:

    Information on source package libjettison-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : hsqldb

    CVE ID : CVE-2022-41853

    Debian Bug : 1023573


    It was found that those using java.sql.Statement or java.sql.PreparedStatement in hsqldb, a Java SQL database, to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.5.1-1+deb11u1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called.

    For example, System.setProperty("hsqldb.method_class_names","abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.5.1-1+deb11u1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.


    For the stable distribution (bullseye), this problem has been fixed in version 2.5.1-1+deb11u1.


    We recommend that you upgrade your hsqldb packages.


    For the detailed security status of hsqldb please refer to its security tracker page at:

    Information on source package hsqldb


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : emacs

    CVE ID : CVE-2022-45939

    Debian Bug : 1025009


    It was discovered that missing input sanitising in the ctags functionality of Emacs may result in the execution of arbitrary shell commands.


    For the stable distribution (bullseye), this problem has been fixed in version 1:27.1+1-3.1+deb11u1.


    We recommend that you upgrade your emacs packages.


    For the detailed security status of emacs please refer to its security tracker page at:

    Information on source package emacs


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libxstream-java

    CVE ID : CVE-2022-41966

    Debian Bug : 1027754


    XStream serializes Java objects to XML and back again. Versions prior to 1.4.15-3+deb11u2 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation causing a stack overflow. This update handles the stack overflow and raises an InputManipulationException instead.


    For the stable distribution (bullseye), this problem has been fixed in version 1.4.15-3+deb11u2.


    We recommend that you upgrade your libxstream-java packages.


    For the detailed security status of libxstream-java please refer to its security tracker page at:

    Information on source package libxstream-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : netty

    CVE ID : CVE-2021-37136 CVE-2021-37137 CVE-2021-43797 CVE-2022-41881 CVE-2022-41915

    Debian Bug : 1027180 1014769 1001437


    Several out-of-memory, stack overflow or HTTP request smuggling vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework, which may allow attackers to cause a denial of service or bypass restrictions when used as a proxy.


    For the stable distribution (bullseye), these problems have been fixed in version 1:4.1.48-4+deb11u1.


    We recommend that you upgrade your netty packages.


    For the detailed security status of netty please refer to its security tracker page at:

    Information on source package netty


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2023-0141 CVE-2023-0140 CVE-2023-0139 CVE-2023-0138 CVE-2023-0137 CVE-2023-0136 CVE-2023-0135 CVE-2023-0134 CVE-2023-0133 CVE-2023-0132 CVE-2023-0131 CVE-2023-0130 CVE-2023-0129 CVE-2023-0128


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the stable distribution (bullseye), this problem has been fixed in version 109.0.5414.74-2~deb11u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : lava

    CVE ID : CVE-2022-44641

    Debian Bug : 1024429


    Igor Ponomarev discovered that LAVA, a continuous integration system for deploying operating systems onto physical and virtual hardware for running tests, was susceptible to denial of service via recursive XML entity expansion.


    For the stable distribution (bullseye), this problem has been fixed in version 2020.12-5+deb11u2.


    We recommend that you upgrade your lava packages.


    For the detailed security status of lava please refer to its security tracker page at:

    Information on source package lava


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : openvswitch

    CVE ID : CVE-2022-4337 CVE-2022-4338

    Debian Bug : 1027273


    Two vulnerabilities were discovered in the LLDP implementation of Open vSwitch, a software-based Ethernet virtual switch, which could result in denial of service.


    For the stable distribution (bullseye), these problems have been fixed in version 2.15.0+ds1-2+deb11u2.


    We recommend that you upgrade your openvswitch packages.


    For the detailed security status of openvswitch please refer to its security tracker page at:

    Information on source package openvswitch


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : tor

    CVE ID : CVE-2023-23589


    A logic error was discovered in the implementation of the "SafeSocks" option of Tor, a connection-based low-latency anonymous communication system, which resulted in allowing unsafe SOCKS4 traffic to pass.


    For the stable distribution (bullseye), this problem has been fixed in version 0.4.5.16-1.


    We recommend that you upgrade your tor packages.


    For the detailed security status of tor please refer to its security tracker page at:

    Information on source package tor


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
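    As an added example, not Tor's own code: a Python parser for SOCKS4 and SOCKS4a requests together with the policy that SafeSocks is meant to enforce, namely rejecting requests that carry only a destination IP (the application resolved the name itself, outside the anonymity network) and accepting requests that carry a hostname. The field layout follows the SOCKS4/4a protocol; the function names are constructed, and build_socks4 only produces test input.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SOCKS4_VERSION = 4
CMD_CONNECT = 1

@dataclass
class Socks4Request:
    command: int
    port: int
    ip: str
    userid: bytes
    hostname: Optional[str]  # set only for SOCKS4a requests

def parse_socks4(payload: bytes) -> Socks4Request:
    """Parse a SOCKS4 or SOCKS4a request; raise ValueError if malformed."""
    if len(payload) < 9 or payload[0] != SOCKS4_VERSION:
        raise ValueError("not a SOCKS4 request")
    command, port = struct.unpack("!BH", payload[1:4])
    ip_bytes = payload[4:8]
    rest = payload[8:]
    nul = rest.find(b"\x00")
    if nul < 0:
        raise ValueError("USERID not NUL-terminated")
    userid, rest = rest[:nul], rest[nul + 1:]
    hostname = None
    # SOCKS4a signals "a hostname follows USERID" with a destination IP of 0.0.0.x, x != 0.
    if ip_bytes[:3] == b"\x00\x00\x00" and ip_bytes[3] != 0:
        nul = rest.find(b"\x00")
        if nul < 1:
            raise ValueError("SOCKS4a hostname missing or not NUL-terminated")
        hostname = rest[:nul].decode("ascii")
    ip = ".".join(str(b) for b in ip_bytes)
    return Socks4Request(command, port, ip, userid, hostname)

def safe_socks_allows(payload: bytes) -> bool:
    """SafeSocks-style policy: allow only requests that name the destination
    by hostname (SOCKS4a); a bare IP (plain SOCKS4) means the application
    already performed the DNS lookup locally, so the request is refused."""
    return parse_socks4(payload).hostname is not None

def build_socks4(port: int, ip: Optional[str] = None, hostname: Optional[str] = None,
                 userid: bytes = b"") -> bytes:
    """Construct a sample CONNECT request (test input, not captured traffic)."""
    if hostname is not None:
        ip_bytes = b"\x00\x00\x00\x01"  # SOCKS4a marker address
    else:
        ip_bytes = bytes(int(o) for o in ip.split("."))
    msg = struct.pack("!BBH", SOCKS4_VERSION, CMD_CONNECT, port) + ip_bytes + userid + b"\x00"
    if hostname is not None:
        msg += hostname.encode("ascii") + b"\x00"
    return msg

if __name__ == "__main__":
    print(safe_socks_allows(build_socks4(443, ip="192.0.2.7")))          # False
    print(safe_socks_allows(build_socks4(443, hostname="example.net")))  # True
```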