Debian Security Advisory

    • Official post

    Package : openjdk-17

    CVE ID : CVE-2023-22006 CVE-2023-22036 CVE-2023-22041 CVE-2023-22044 CVE-2023-22045 CVE-2023-22049


    Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions, information disclosure, reduced cryptographic strength of the AES implementation, directory traversal or denial of service.


    For the oldstable distribution (bullseye), additional build dependencies need to be backported; a fixed package will be provided when these are ready as 17.0.8+7-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 17.0.8+7-1~deb12u1.


    We recommend that you upgrade your openjdk-17 packages.


    For the detailed security status of openjdk-17 please refer to its security tracker page at:

    Information on source package openjdk-17


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : amd64-microcode

    CVE ID : CVE-2023-20593

    Debian Bug : 1041863


    Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak register contents across concurrent processes, hyper threads and virtualized guests.


    For details please refer to "Zenbleed" and "AMD: Information Leak in Zen 2" (github.com).


    The initial microcode release by AMD only provides updates for second generation EPYC CPUs: Various Ryzen CPUs are also affected, but no updates are available yet. Fixes will be provided in a later update once they are released.


    For more specific details and target dates please refer to the AMD advisory at https://www.amd.com/en/resources/p…md-sb-7008.html


    For the oldstable distribution (bullseye), this problem has been fixed in version 3.20230719.1~deb11u1. Additionally the update contains a fix for CVE-2019-9836.


    For the stable distribution (bookworm), this problem has been fixed in version 3.20230719.1~deb12u1.

    We recommend that you upgrade your amd64-microcode packages.


    For the detailed security status of amd64-microcode please refer to its security tracker page at:

    Information on source package amd64-microcode


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : curl

    CVE ID : CVE-2023-32001


    It was discovered that Curl performed incorrect file path handling when saving cookies to files, which could lead to the creation or overwriting of files.


    The oldstable distribution (bullseye) is not affected.


    For the stable distribution (bookworm), this problem has been fixed in version 7.88.1-10+deb12u1.


    We recommend that you upgrade your curl packages.


    For the detailed security status of curl please refer to its security tracker page at:

    Information on source package curl


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2023-3390 CVE-2023-3610 CVE-2023-20593


    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.


    CVE-2023-3390


    A use-after-free flaw in the netfilter subsystem caused by incorrect error path handling may result in denial of service or privilege escalation.


    CVE-2023-3610


    A use-after-free flaw in the netfilter subsystem caused by incorrect refcount handling on the table and chain destroy path may result in denial of service or privilege escalation.


    CVE-2023-20593


    Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.


    For details please refer to <https://lock.cmpxchg8b.com/zenbleed.html> and <https://github.com/google/securit…-v6wh-rxpg-cmm8>.


    This issue can also be mitigated by a microcode update through the amd64-microcode package or a system firmware (BIOS/UEFI) update. However, the initial microcode release by AMD only provides updates for second generation EPYC CPUs. Various Ryzen CPUs are also affected, but no updates are available yet.


    For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.179-3.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2023-20593


    Tavis Ormandy discovered that under specific microarchitectural circumstances, a vector register in AMD "Zen 2" CPUs may not be written to 0 correctly. This flaw allows an attacker to leak sensitive information across concurrent processes, hyper threads and virtualized guests.


    For details please refer to

    <https://lock.cmpxchg8b.com/zenbleed.html> and <https://github.com/google/securit…-v6wh-rxpg-cmm8>.


    This issue can also be mitigated by a microcode update through the amd64-microcode package or a system firmware (BIOS/UEFI) update.

    However, the initial microcode release by AMD only provides updates for second generation EPYC CPUs. Various Ryzen CPUs are also affected, but no updates are available yet.


    For the stable distribution (bookworm), this problem has been fixed in version 6.1.38-2.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2023-3417


    A security issue was discovered in Thunderbird, which could result in spoofing of filenames of email attachments.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1:102.13.1-1~deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1:102.13.1-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : firefox-esr

    CVE ID : CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, bypass of the same-origin policy, spoofing or sandbox bypass.


    For the oldstable distribution (bullseye), these problems have been fixed in version 102.14.0esr-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 102.14.0esr-1~deb12u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    Information on source package firefox-esr


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-django

    CVE ID : CVE-2023-36053


    Seokchan Yoon discovered that missing sanitising in the email and URL validators of Django, a Python web development framework, could result in denial of service.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2:2.2.28-1~deb11u2. This update also addresses CVE-2023-23969, CVE-2023-31047 and CVE-2023-24580.


    For the stable distribution (bookworm), this problem has been fixed in version 3:3.2.19-1+deb12u1.


    We recommend that you upgrade your python-django packages.


    For the detailed security status of python-django please refer to its security tracker page at:

    Information on source package python-django


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : ntpsec

    CVE ID : CVE-2023-4012

    Debian Bug : 1038422


    It was discovered that ntpd in ntpsec, a secure, hardened, and improved implementation derived from the original NTP project, could crash if NTS is disabled and an NTS-enabled client request (mode 3) is received.


    For the stable distribution (bookworm), this problem has been fixed in version 1.2.2+dfsg1-1+deb12u1.


    We recommend that you upgrade your ntpsec packages.


    For the detailed security status of ntpsec please refer to its security tracker page at:

    Information on source package ntpsec


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : chromium

    CVE ID : CVE-2023-4068 CVE-2023-4069 CVE-2023-4070 CVE-2023-4071 CVE-2023-4072 CVE-2023-4073 CVE-2023-4074 CVE-2023-4075 CVE-2023-4076 CVE-2023-4077 CVE-2023-4078


    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.


    For the oldstable distribution (bullseye), these problems have been fixed in version 115.0.5790.170-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 115.0.5790.170-1~deb12u1.


    We recommend that you upgrade your chromium packages.


    For the detailed security status of chromium please refer to its security tracker page at:

    Information on source package chromium


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : webkit2gtk

    CVE ID : CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600 CVE-2023-38611


    The following vulnerabilities have been discovered in the WebKitGTK web engine:


    CVE-2023-38133


    YeongHyeon Choi discovered that processing web content may disclose sensitive information.


    CVE-2023-38572


    Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy.


    CVE-2023-38592


    Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution.


    CVE-2023-38594


    Yuhao Hu discovered that processing web content may lead to arbitrary code execution.


    CVE-2023-38595


    An anonymous researcher, Jiming Wang, and Jikai Ren discovered that processing web content may lead to arbitrary code execution.


    CVE-2023-38597


    Junsung Lee discovered that processing web content may lead to arbitrary code execution.


    CVE-2023-38599


    Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel Genkin, and Yuval Yarom discovered that a website may be able to track sensitive user information.


    CVE-2023-38600


    An anonymous researcher discovered that processing web content may lead to arbitrary code execution.


    CVE-2023-38611


    Francisco Alonso discovered that processing web content may lead to arbitrary code execution.


    For the oldstable distribution (bullseye), these problems have been fixed in version 2.40.5-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 2.40.5-1~deb12u1.


    We recommend that you upgrade your webkit2gtk packages.


    For the detailed security status of webkit2gtk please refer to its security tracker page at:

    Information on source package webkit2gtk


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : thunderbird

    CVE ID : CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056


    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1:102.14.0-1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 1:102.14.0-1~deb12u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    Information on source package thunderbird


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : python-werkzeug

    CVE ID : CVE-2023-23934 CVE-2023-25577

    Debian Bug : 1031370


    Several vulnerabilities were discovered in python-werkzeug, a collection of utilities for WSGI applications.


    CVE-2023-23934


    It was discovered that Werkzeug did not properly handle the parsing of nameless cookies which may allow shadowing of other cookies.


    CVE-2023-25577


    It was discovered that Werkzeug could parse unlimited number of parts, including file parts, which may result in denial of service.


    For the oldstable distribution (bullseye), these problems have been fixed in version 1.0.1+dfsg1-2+deb11u1.


    We recommend that you upgrade your python-werkzeug packages.


    For the detailed security status of python-werkzeug please refer to its security tracker page at:

    Information on source package python-werkzeug


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : libhtmlcleaner-java

    CVE ID : CVE-2023-34624


    A security vulnerability has been discovered in libhtmlcleaner-java, a Java HTML parser library. An attacker was able to cause a denial of service (StackOverflowError) if the parser runs on user supplied input with deeply nested HTML elements. This update introduces a new nesting depth limit which can be overridden in cleaner properties.


    For the oldstable distribution (bullseye), this problem has been fixed in version 2.24-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 2.26-1+deb12u1.


    We recommend that you upgrade your libhtmlcleaner-java packages.


    For the detailed security status of libhtmlcleaner-java please refer to its security tracker page at:

    Information on source package libhtmlcleaner-java


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : cjose

    CVE ID : CVE-2023-37464

    Debian Bug : 1041423


    It was discovered that an incorrect implementation of AES GCM decryption in cjose, a C library implementing the JOSE standard, may allow an attacker to provide a truncated Authentication Tag and modify the JWE object.


    For the oldstable distribution (bullseye), this problem has been fixed in version 0.6.1+dfsg1-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 0.6.2.1-1+deb12u1.


    We recommend that you upgrade your cjose packages.


    For the detailed security status of cjose please refer to its security tracker page at:

    Information on source package cjose


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
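
The cjose advisory above turns on the length of the AES GCM Authentication Tag. As an added example (not code from cjose or from the advisory), the following Python check rejects a compact JWE whose GCM tag or IV does not have the length RFC 7518 section 5.3 requires, before the token reaches any decryption routine. The function names and the sample token are constructed for illustration.

```python
import base64
import json
import re

GCM_ENCS = {"A128GCM", "A192GCM", "A256GCM"}
GCM_IV_BYTES = 12   # RFC 7518 section 5.3: a 96-bit IV is required
GCM_TAG_BYTES = 16  # RFC 7518 section 5.3: the tag must be 128 bits
_B64URL = re.compile(r"[A-Za-z0-9_-]*")


class JWERejected(ValueError):
    """Raised when a compact JWE fails the structural checks below."""


def b64url_decode(segment):
    # JWE segments are unpadded base64url; refuse anything else outright.
    if not _B64URL.fullmatch(segment) or len(segment) % 4 == 1:
        raise JWERejected("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_gcm_jwe(compact):
    """Validate IV and tag lengths of a compact JWE before it is decrypted."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise JWERejected("compact JWE must have exactly 5 segments")
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError as exc:  # bad base64url, bad UTF-8 or bad JSON
        raise JWERejected("unreadable protected header") from exc
    if not isinstance(header, dict):
        raise JWERejected("protected header is not a JSON object")
    iv, tag = b64url_decode(parts[2]), b64url_decode(parts[4])
    if header.get("enc") in GCM_ENCS:
        if len(iv) != GCM_IV_BYTES:
            raise JWERejected(f"GCM IV is {len(iv)} bytes, expected {GCM_IV_BYTES}")
        # A shorter tag still "verifies" in a decryptor that trusts the
        # supplied length, but each missing byte weakens integrity 256-fold.
        if len(tag) != GCM_TAG_BYTES:
            raise JWERejected(f"GCM tag is {len(tag)} bytes, expected {GCM_TAG_BYTES}")
    return {"enc": header.get("enc"), "iv_len": len(iv), "tag_len": len(tag)}


def sample_jwe(tag_len):
    # Constructed sample: fixed filler bytes, not a real encrypted token.
    header = json.dumps({"alg": "dir", "enc": "A256GCM"}).encode()
    segments = [header, b"", bytes(range(12)), b"\x11" * 24, b"\xaa" * tag_len]
    return ".".join(b64url_encode(s) for s in segments)


if __name__ == "__main__":
    print(check_gcm_jwe(sample_jwe(16)))
    try:
        check_gcm_jwe(sample_jwe(4))
    except JWERejected as err:
        print("rejected:", err)
```
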

    • Official post

    Package : orthanc

    CVE ID : CVE-2023-33466

    Debian Bug : 1040597


    It was discovered that authenticated API users of Orthanc, a DICOM server for medical imaging, could overwrite arbitrary files and in some setups execute arbitrary code.


    This update backports the option RestApiWriteToFileSystemEnabled; setting it to 'true' in /etc/orthanc/orthanc.json restores the previous behaviour.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.9.2+really1.9.1+dfsg-1+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1.10.1+dfsg-2+deb12u1.


    We recommend that you upgrade your orthanc packages.


    For the detailed security status of orthanc please refer to its security tracker page at:

    Information on source package orthanc


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : intel-microcode

    CVE ID : CVE-2022-40982 CVE-2022-41804 CVE-2023-23908

    Debian Bug : 1043305


    This update ships updated CPU microcode for some types of Intel CPUs and provides mitigations for security vulnerabilities.


    CVE-2022-40982


    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability which allows unprivileged speculative access to data which was previously stored in vector registers.


    For details please refer to <https://downfall.page/> and <https://www.intel.com/content/www/us…a-sampling.html>.


    CVE-2022-41804


    Unauthorized error injection in Intel SGX or Intel TDX for some Intel Xeon Processors which may allow a local user to potentially escalate privileges.


    CVE-2023-23908


    Improper access control in some 3rd Generation Intel Xeon Scalable processors may result in an information leak.


    For the oldstable distribution (bullseye), these problems have been fixed in version 3.20230808.1~deb11u1.


    For the stable distribution (bookworm), these problems have been fixed in version 3.20230808.1~deb12u1.


    We recommend that you upgrade your intel-microcode packages.


    For the detailed security status of intel-microcode please refer to its security tracker page at:

    Information on source package intel-microcode


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : linux

    CVE ID : CVE-2022-40982 CVE-2023-20569


    CVE-2022-40982


    Daniel Moghimi discovered Gather Data Sampling (GDS), a hardware vulnerability for Intel CPUs which allows unprivileged speculative access to data which was previously stored in vector registers.


    This mitigation requires updated CPU microcode provided in the intel-microcode package.


    For details please refer to <https://downfall.page/> and <https://www.intel.com/content/www/us…a-sampling.html>.


    CVE-2023-20569


    Daniel Trujillo, Johannes Wikner and Kaveh Razavi discovered INCEPTION, also known as Speculative Return Stack Overflow (SRSO), a transient execution attack that leaks arbitrary data on all AMD Zen CPUs. An attacker can mis-train the CPU BTB to predict non-architectural CALL instructions in kernel space and use this to control the speculative target of a subsequent kernel RET, potentially leading to information disclosure via a speculative side-channel.


    For details please refer to <https://comsec.ethz.ch/research/microarch/inception/> and <https://www.amd.com/en/corporate/p…tin/amd-sb-7005>.


    For the oldstable distribution (bullseye), these problems have been fixed in version 5.10.179-5.


    For the stable distribution (bookworm), these problems have been fixed in version 6.1.38-4.


    We recommend that you upgrade your linux packages.


    For the detailed security status of linux please refer to its security tracker page at:

    Information on source package linux


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : gst-plugins-ugly1.0

    CVE ID : not yet available


    Multiple vulnerabilities were discovered in the RealMedia demuxers for the GStreamer media framework, which may result in denial of service or potentially the execution of arbitrary code if a malformed media file is opened.


    For the oldstable distribution (bullseye), this problem has been fixed in version 1.18.4-2+deb11u1.


    For the stable distribution (bookworm), this problem has been fixed in version 1.22.0-2+deb12u1.


    We recommend that you upgrade your gst-plugins-ugly1.0 packages.


    For the detailed security status of gst-plugins-ugly1.0 please refer to its security tracker page at:

    Information on source package gst-plugins-ugly1.0


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    • Official post

    Package : samba

    CVE ID : CVE-2022-2127 CVE-2023-3347 CVE-2023-34966 CVE-2023-34967 CVE-2023-34968

    Debian Bug : 1041043


    Several vulnerabilities have been discovered in Samba, which could result in information disclosure, denial of service or insufficient enforcement of security-relevant config directives.


    The version of Samba in the oldstable distribution (bullseye) cannot be fully supported further: If you are using Samba as a domain controller you should either upgrade to the stable distribution or, if that's not an immediate option, consider migrating to Samba from bullseye-backports (which will be kept updated to the version in stable). Operating Samba as a file/print server will continue to be supported; a separate DSA will provide an update along with documentation about the scope of continued support.


    For the stable distribution (bookworm), these problems have been fixed in version 2:4.17.10+dfsg-0+deb12u1.


    We recommend that you upgrade your samba packages.


    For the detailed security status of samba please refer to its security tracker page at:

    Information on source package samba


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/