Debian Security Advisory

    • Official post

    Package : openjdk-17


    CVE ID : CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22044 CVE-2023-22045 CVE-2023-22049



    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure, reduced cryptographic strength of the AES implementation, directory traversal or denial of service.



    For the oldstable distribution (bullseye), additional build dependencies need to be backported; a fixed package will be provided as 17.0.8+7-1~deb11u1 when these are ready.



    For the stable distribution (bookworm), these problems have been fixed in version 17.0.8+7-1~deb12u1.



    We recommend that you upgrade your openjdk-17 packages.



    For the detailed security status of openjdk-17 please refer to its security tracker page at:


    Information on source package openjdk-17



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : amd64-microcode


    CVE ID : CVE-2023-20593


    Debian Bug : 1041863



    Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak register contents across concurrent processes, hyper threads and virtualized guests.



    For details please refer to "Zenbleed" and "AMD: Information Leak in Zen 2" (github.com).



    The initial microcode release by AMD only provides updates for second generation EPYC CPUs: Various Ryzen CPUs are also affected, but no updates are available yet. Fixes will be provided in a later update once they are released.



    For more specific details and target dates please refer to the AMD advisory at https://www.amd.com/en/resourc…bulletin/amd-sb-7008.html



    For the oldstable distribution (bullseye), this problem has been fixed in version 3.20230719.1~deb11u1. Additionally the update contains a fix for CVE-2019-9836.



    For the stable distribution (bookworm), this problem has been fixed in version 3.20230719.1~deb12u1.


    We recommend that you upgrade your amd64-microcode packages.



    For the detailed security status of amd64-microcode please refer to its security tracker page at:


    Information on source package amd64-microcode



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : curl


    CVE ID : CVE-2023-32001



    It was discovered that Curl performed incorrect file path handling when saving cookies to files, which could lead to the creation or overwriting of files.



    The oldstable distribution (bullseye) is not affected.



    For the stable distribution (bookworm), this problem has been fixed in version 7.88.1-10+deb12u1.



    We recommend that you upgrade your curl packages.



    For the detailed security status of curl please refer to its security tracker page at:


    Information on source package curl



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux


    CVE ID : CVE-2023-3390 CVE-2023-3610 CVE-2023-20593



    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.



    CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect error path handling may result in denial of service or privilege escalation.

    CVE-2023-3610

    A use-after-free flaw in the netfilter subsystem caused by incorrect refcount handling on the table and chain destroy path may result in denial of service or privilege escalation.

    CVE-2023-20593

    Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.

    For details please refer to <https://lock.cmpxchg8b.com/zenbleed.html> and <https://github.com/google/secu…ories/GHSA-v6wh-rxpg-cmm8>.

    This issue can also be mitigated by a microcode update through the amd64-microcode package or a system firmware (BIOS/UEFI) update. However, the initial microcode release by AMD only provides updates for second generation EPYC CPUs. Various Ryzen CPUs are also affected, but no updates are available yet.



    For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.179-3.



    We recommend that you upgrade your linux packages.



    For the detailed security status of linux please refer to its security tracker page at:


    Information on source package linux



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux


    CVE ID : CVE-2023-20593



    Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.



    For details please refer to


    <https://lock.cmpxchg8b.com/zenbleed.html> and <https://github.com/google/secu…ories/GHSA-v6wh-rxpg-cmm8>.



    This issue can also be mitigated by a microcode update through the amd64-microcode package or a system firmware (BIOS/UEFI) update.


    However, the initial microcode release by AMD only provides updates for second generation EPYC CPUs. Various Ryzen CPUs are also affected, but no updates are available yet.



    For the stable distribution (bookworm), this problem has been fixed in version 6.1.38-2.



    We recommend that you upgrade your linux packages.



    For the detailed security status of linux please refer to its security tracker page at:


    Information on source package linux



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird


    CVE ID : CVE-2023-3417



    A security issue was discovered in Thunderbird, which could result in spoofing of filenames of email attachments.



    For the oldstable distribution (bullseye), this problem has been fixed in version 1:102.13.1-1~deb11u1.



    For the stable distribution (bookworm), this problem has been fixed in version 1:102.13.1-1~deb12u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr


    CVE ID : CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056



    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, bypass of the same-origin policy, spoofing or sandbox bypass.



    For the oldstable distribution (bullseye), these problems have been fixed in version 102.14.0esr-1~deb11u1.



    For the stable distribution (bookworm), these problems have been fixed in version 102.14.0esr-1~deb12u1.



    We recommend that you upgrade your firefox-esr packages.



    For the detailed security status of firefox-esr please refer to its security tracker page at:


    Information on source package firefox-esr



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-django


    CVE ID : CVE-2023-36053



    Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.



    For the oldstable distribution (bullseye), this problem has been fixed in version 2:2.2.28-1~deb11u2. This update also addresses CVE-2023-23969, CVE-2023-31047 and CVE-2023-24580.



    For the stable distribution (bookworm), this problem has been fixed in version 3:3.2.19-1+deb12u1.



    We recommend that you upgrade your python-django packages.



    For the detailed security status of python-django please refer to its security tracker page at:


    Information on source package python-django



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ntpsec


    CVE ID : CVE-2023-4012


    Debian Bug : 1038422



    It was discovered that ntpd in ntpsec, a secure, hardened, and improved implementation derived from the original NTP project, could crash if NTS is disabled and an NTS-enabled client request (mode 3) is received.



    For the stable distribution (bookworm), this problem has been fixed in version 1.2.2+dfsg1-1+deb12u1.



    We recommend that you upgrade your ntpsec packages.



    For the detailed security status of ntpsec please refer to its security tracker page at:


    Information on source package ntpsec



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium


    CVE ID : CVE-2023-4068 CVE-2023-4069 CVE-2023-4070 CVE-2023-4071 CVE-2023-4072 CVE-2023-4073 CVE-2023-4074 CVE-2023-4075 CVE-2023-4076 CVE-2023-4077 CVE-2023-4078



    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.



    For the oldstable distribution (bullseye), these problems have been fixed in version 115.0.5790.170-1~deb11u1.



    For the stable distribution (bookworm), these problems have been fixed in version 115.0.5790.170-1~deb12u1.



    We recommend that you upgrade your chromium packages.



    For the detailed security status of chromium please refer to its security tracker page at:


    Information on source package chromium



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk


    CVE ID : CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600 CVE-2023-38611



    The following vulnerabilities have been discovered in the WebKitGTK web engine:



    CVE-2023-38133

    YeongHyeon Choi discovered that processing web content may disclose sensitive information.

    CVE-2023-38572

    Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy.

    CVE-2023-38592

    Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution.

    CVE-2023-38594

    Yuhao Hu discovered that processing web content may lead to arbitrary code execution.

    CVE-2023-38595

    An anonymous researcher, Jiming Wang, and Jikai Ren discovered that processing web content may lead to arbitrary code execution.

    CVE-2023-38597

    Junsung Lee discovered that processing web content may lead to arbitrary code execution.

    CVE-2023-38599

    Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin, and Yuval Yarom discovered that a website may be able to track sensitive user information.

    CVE-2023-38600

    An anonymous researcher discovered that processing web content may lead to arbitrary code execution.

    CVE-2023-38611

    Francisco Alonso discovered that processing web content may lead to arbitrary code execution.



    For the oldstable distribution (bullseye), these problems have been fixed in version 2.40.5-1~deb11u1.



    For the stable distribution (bookworm), these problems have been fixed in version 2.40.5-1~deb12u1.



    We recommend that you upgrade your webkit2gtk packages.



    For the detailed security status of webkit2gtk please refer to its security tracker page at:


    Information on source package webkit2gtk



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird


    CVE ID : CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056



    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.



    For the oldstable distribution (bullseye), these problems have been fixed in version 1:102.14.0-1~deb11u1.



    For the stable distribution (bookworm), these problems have been fixed in version 1:102.14.0-1~deb12u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-werkzeug


    CVE ID : CVE-2023-23934 CVE-2023-25577


    Debian Bug : 1031370



    Several vulnerabilities were discovered in python-werkzeug, a collection of utilities for WSGI applications.



    CVE-2023-23934

    It was discovered that Werkzeug did not properly handle the parsing of nameless cookies, which may allow shadowing of other cookies.

    CVE-2023-25577

    It was discovered that Werkzeug could parse an unlimited number of parts, including file parts, which may result in denial of service.



    For the oldstable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-2+deb11u1.



    We recommend that you upgrade your python-werkzeug packages.



    For the detailed security status of python-werkzeug please refer to its security tracker page at:


    Information on source package python-werkzeug



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libhtmlcleaner-java


    CVE ID : CVE-2023-34624



    A security vulnerability has been discovered in libhtmlcleaner-java, a Java HTML parser library. An attacker was able to cause a denial of service (StackOverflowError) if the parser runs on user supplied input with deeply nested HTML elements. This update introduces a new nesting depth limit which can be overridden in cleaner properties.



    For the oldstable distribution (bullseye), this problem has been fixed in version 2.24-1+deb11u1.



    For the stable distribution (bookworm), this problem has been fixed in version 2.26-1+deb12u1.



    We recommend that you upgrade your libhtmlcleaner-java packages.



    For the detailed security status of libhtmlcleaner-java please refer to its security tracker page at:


    Information on source package libhtmlcleaner-java



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cjose


    CVE ID : CVE-2023-37464


    Debian Bug : 1041423



    It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard, may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.



    For the oldstable distribution (bullseye), this problem has been fixed in version 0.6.1+dfsg1-1+deb11u1.



    For the stable distribution (bookworm), this problem has been fixed in version 0.6.2.1-1+deb12u1.



    We recommend that you upgrade your cjose packages.



    For the detailed security status of cjose please refer to its security tracker page at:


    Information on source package cjose



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
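
The cjose advisory above concerns a truncated AES GCM Authentication Tag being accepted. As an added example (not part of the original post and not cjose's code), this Python check shows the structural validation a JWE consumer can apply before decryption: RFC 7518 fixes the tag at 128 bits and the IV at 96 bits for A128GCM, A192GCM and A256GCM. All function names and the sample tokens are constructed for illustration.

```python
import base64
import json

# AES GCM content-encryption identifiers from RFC 7518, section 5.3.
GCM_ENCS = {"A128GCM", "A192GCM", "A256GCM"}
GCM_TAG_BYTES = 16  # RFC 7518: Authentication Tag MUST be 128 bits
GCM_IV_BYTES = 12   # RFC 7518: Initialization Vector MUST be 96 bits


class JWEFormatError(ValueError):
    """A compact JWE failed structural validation."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url as JOSE uses it; reject padding and junk."""
    if "=" in segment:
        raise JWEFormatError("padding is not allowed in JOSE base64url")
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError as exc:
        raise JWEFormatError("segment is not valid base64url") from exc


def check_gcm_jwe(compact: str) -> dict:
    """Validate segment count, enc, IV length and tag length before decryption.

    Returns the protected header. Passing this check does not authenticate
    the token; the crypto library still has to verify the tag itself.
    """
    parts = compact.split(".")
    if len(parts) != 5:
        raise JWEFormatError("compact JWE must have exactly 5 segments")
    header_b64, _key, iv_b64, _ciphertext, tag_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise JWEFormatError("protected header is not valid JSON") from exc
    enc = header.get("enc") if isinstance(header, dict) else None
    if not isinstance(enc, str) or enc not in GCM_ENCS:
        raise JWEFormatError("enc is not an AES GCM algorithm")
    if len(b64url_decode(iv_b64)) != GCM_IV_BYTES:
        raise JWEFormatError("GCM IV must be 12 bytes")
    tag_len = len(b64url_decode(tag_b64))
    if tag_len != GCM_TAG_BYTES:
        raise JWEFormatError(f"GCM tag must be 16 bytes, got {tag_len}")
    return header


def rejection_reason(compact: str):
    """Return None if the token passes the check, else the reason as text."""
    try:
        check_gcm_jwe(compact)
    except JWEFormatError as exc:
        return str(exc)
    return None


def make_sample(tag_len: int) -> str:
    """Constructed JWE-shaped token (zero bytes, not decryptable) for testing."""
    header = b64url_encode(json.dumps({"alg": "dir", "enc": "A256GCM"}).encode())
    segments = [header, "", b64url_encode(bytes(GCM_IV_BYTES)),
                b64url_encode(bytes(24)), b64url_encode(bytes(tag_len))]
    return ".".join(segments)


if __name__ == "__main__":
    for n in (16, 12, 4, 0):
        print(n, rejection_reason(make_sample(n)) or "accepted")
```
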

    • Official post

    Package : orthanc


    CVE ID : CVE-2023-33466


    Debian Bug : 1040597



    It was discovered that authenticated API users of Orthanc, a DICOM server for medical imaging, could overwrite arbitrary files and in some setups execute arbitrary code.



    This update backports the option RestApiWriteToFileSystemEnabled; setting it to 'true' in /etc/orthanc/orthanc.json restores the previous behaviour.



    For the oldstable distribution (bullseye), this problem has been fixed in version 1.9.2+really1.9.1+dfsg-1+deb11u1.



    For the stable distribution (bookworm), this problem has been fixed in version 1.10.1+dfsg-2+deb12u1.



    We recommend that you upgrade your orthanc packages.



    For the detailed security status of orthanc please refer to its security tracker page at:


    Information on source package orthanc



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
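
The Orthanc advisory above names the option RestApiWriteToFileSystemEnabled, which restores the pre-update behaviour when set to true. As an added example (not part of the original post and not Orthanc's code), this Python audit reports how a configuration sets that option. It assumes the file is JSON that may carry `//` and `/* */` comments, that an absent option means the patched default applies, and that the value is a JSON boolean; the function names and sample configurations are constructed.

```python
import json

OPTION = "RestApiWriteToFileSystemEnabled"  # option named in the advisory


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments while leaving string literals untouched."""
    out = []
    i, n = 0, len(text)
    in_string = False
    while i < n:
        ch = text[i]
        if in_string:
            out.append(ch)
            if ch == "\\" and i + 1 < n:
                out.append(text[i + 1])  # keep the escaped character as-is
                i += 2
                continue
            if ch == '"':
                in_string = False
            i += 1
        elif ch == '"':
            in_string = True
            out.append(ch)
            i += 1
        elif text.startswith("//", i):
            end = text.find("\n", i)
            i = n if end == -1 else end      # keep the newline itself
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_config(text: str) -> dict:
    config = json.loads(strip_json_comments(text))
    if not isinstance(config, dict):
        raise ValueError("top-level JSON value must be an object")
    return config


def audit_write_option(text: str) -> str:
    """Classify the option: 'write-enabled', 'disabled', 'default' or 'review'."""
    config = load_config(text)
    if OPTION not in config:
        return "default"        # assumption: patched default applies when absent
    value = config[OPTION]
    if value is True:
        return "write-enabled"  # previous behaviour restored, per the advisory
    if value is False:
        return "disabled"
    return "review"             # non-boolean value: inspect by hand


# Constructed sample configurations (not taken from a real deployment).
SAMPLE_LEGACY = """
{
  // constructed sample
  "Name" : "demo // archive",   /* the // inside the string is data */
  "RestApiWriteToFileSystemEnabled" : true
}
"""
SAMPLE_UNSET = """
{
  /* "RestApiWriteToFileSystemEnabled" : true, */
  "Name" : "demo"
}
"""

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("unset", SAMPLE_UNSET)):
        print(label, audit_write_option(sample))
```

The second sample has the option commented out, a case a plain text search for the option name would misreport as enabled.
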

    • Official post

    Package : intel-microcode


    CVE ID : CVE-2022-40982 CVE-2022-41804 CVE-2023-23908


    Debian Bug : 1043305



    This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities.



    CVE-2022-40982

    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability which allows unprivileged speculative access to data which was previously stored in vector registers.

    For details please refer to <https://downfall.page/> and <https://www.intel.com/content/…gather-data-sampling.html>.

    CVE-2022-41804

    Unauthorized error injection in Intel SGX or Intel TDX for some Intel Xeon Processors which may allow a local user to potentially escalate privileges.

    CVE-2023-23908

    Improper access control in some 3rd Generation Intel Xeon Scalable processors may result in an information leak.



    For the oldstable distribution (bullseye), these problems have been fixed in version 3.20230808.1~deb11u1.



    For the stable distribution (bookworm), these problems have been fixed in version 3.20230808.1~deb12u1.



    We recommend that you upgrade your intel-microcode packages.



    For the detailed security status of intel-microcode please refer to its security tracker page at:


    Information on source package intel-microcode



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux


    CVE ID : CVE-2022-40982 CVE-2023-20569



    CVE-2022-40982

    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers.

    This mitigation requires updated CPU microcode provided in the intel-microcode package.

    For details please refer to <https://downfall.page/> and <https://www.intel.com/content/…gather-data-sampling.html>.

    CVE-2023-20569

    Daniel Trujillo, Johannes Wikner and Kaveh Razavi discovered INCEPTION, also known as Speculative Return Stack Overflow (SRSO), a transient execution attack that leaks arbitrary data on all AMD Zen CPUs. An attacker can mis-train the CPU BTB to predict non-architectural CALL instructions in kernel space and use this to control the speculative target of a subsequent kernel RET, potentially leading to information disclosure via a speculative side-channel.

    For details please refer to <https://comsec.ethz.ch/research/microarch/inception/> and <https://www.amd.com/en/corpora…rity/bulletin/amd-sb-7005>.



    For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.179-5.



    For the stable distribution (bookworm), these problems have been fixed in version 6.1.38-4.



    We recommend that you upgrade your linux packages.



    For the detailed security status of linux please refer to its security tracker page at:


    Information on source package linux



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gst-plugins-ugly1.0


    CVE ID : not yet available



    Multiple vulnerabilities were discovered in the RealMedia demuxers for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.



    For the oldstable distribution (bullseye), this problem has been fixed in version 1.18.4-2+deb11u1.



    For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-2+deb12u1.



    We recommend that you upgrade your gst-plugins-ugly1.0 packages.



    For the detailed security status of gst-plugins-ugly1.0 please refer to its security tracker page at:


    Information on source package gst-plugins-ugly1.0



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : samba


    CVE ID : CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968


    Debian Bug : 1041043



    Several vulnerabilities have been discovered in Samba, which could result in information disclosure, denial of service or insufficient enforcement of security-relevant config directives.



    The version of Samba in the oldstable distribution (bullseye) cannot be fully supported further: If you are using Samba as a domain controller you should either upgrade to the stable distribution or, if that's not an immediate option, consider migrating to Samba from bullseye-backports (which will be kept updated to the version in stable). Operating Samba as a file/print server will continue to be supported; a separate DSA will provide an update along with documentation about the scope of continued support.



    For the stable distribution (bookworm), these problems have been fixed in version 2:4.17.10+dfsg-0+deb12u1.



    We recommend that you upgrade your samba packages.



    For the detailed security status of samba please refer to its security tracker page at:


    Information on source package samba



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/