Posts by Micha

    Package : pillow


    CVE ID : CVE-2022-22815 CVE-2022-22816 CVE-2022-22817



    Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service and potentially the execution of arbitrary code if malformed images are processed.



    For the oldstable distribution (buster), these problems have been fixed in version 5.4.1-2+deb10u3.



    For the stable distribution (bullseye), these problems have been fixed in version 8.1.2+dfsg-0.3+deb11u1.



    We recommend that you upgrade your pillow packages.



    For the detailed security status of pillow please refer to its security tracker page at:


    Information on source package pillow



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : usbview


    CVE ID : CVE-2022-23220



    Matthias Gerstner reported that usbview, a USB device viewer, does not properly handle authorization in the PolicyKit policy configuration, which could result in root privilege escalation.



    For the oldstable distribution (buster), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb11u1.



    We recommend that you upgrade your usbview packages.



    For the detailed security status of usbview please refer to its security tracker page at:


    Information on source package usbview



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : aide


    CVE ID : CVE-2021-45417



    David Bouman discovered a heap-based buffer overflow vulnerability in the base64 functions of aide, an advanced intrusion detection system, which can be triggered via large extended file attributes or ACLs. This may result in denial of service or privilege escalation.



    For the oldstable distribution (buster), this problem has been fixed in version 0.16.1-1+deb10u1.



    For the stable distribution (bullseye), this problem has been fixed in version 0.17.3-4+deb11u1.



    We recommend that you upgrade your aide packages.



    For the detailed security status of aide please refer to its security tracker page at:


    Information on source package aide



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : linux


    CVE ID : CVE-2021-4155 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713
    CVE-2021-28714 CVE-2021-28715 CVE-2021-39685 CVE-2021-45095
    CVE-2021-45469 CVE-2021-45480 CVE-2022-0185 CVE-2022-23222


    Debian Bug : 988044 996974



    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.



    CVE-2021-4155

    Kirill Tkhai discovered a data leak in the way the XFS_IOC_ALLOCSP IOCTL in the XFS filesystem allowed for a size increase of files with unaligned size. A local attacker can take advantage of this flaw to leak data on the XFS filesystem.

    CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)

    Juergen Gross reported that malicious PV backends can cause a denial of service to guests being serviced by those backends via high frequency events, even if those backends are running in a less privileged environment.

    CVE-2021-28714, CVE-2021-28715 (XSA-392)

    Juergen Gross discovered that Xen guests can force the Linux netback driver to hog large amounts of kernel memory, resulting in denial of service.

    CVE-2021-39685

    Szymon Heidrich discovered a buffer overflow vulnerability in the USB gadget subsystem, resulting in information disclosure, denial of service or privilege escalation.

    CVE-2021-45095

    It was discovered that the Phone Network protocol (PhoNet) driver has a reference count leak in the pep_sock_accept() function.

    CVE-2021-45469

    Wenqing Liu reported an out-of-bounds memory access in the f2fs implementation if an inode has an invalid last xattr entry. An attacker able to mount a specially crafted image can take advantage of this flaw for denial of service.

    CVE-2021-45480

    A memory leak flaw was discovered in the __rds_conn_create() function in the RDS (Reliable Datagram Sockets) protocol subsystem.

    CVE-2022-0185

    William Liu, Jamie Hill-Daniel, Isaac Badipe, Alec Petridis, Hrvoje Misetic and Philip Papurt discovered a heap-based buffer overflow flaw in the legacy_parse_param function in the Filesystem Context functionality, allowing a local user (with CAP_SYS_ADMIN capability in the current namespace) to escalate privileges.

    CVE-2022-23222

    'tr3e' discovered that the BPF verifier does not properly restrict several *_OR_NULL pointer types, allowing these types to do pointer arithmetic. A local user with the ability to call bpf() can take advantage of this flaw to escalate privileges. Unprivileged calls to bpf() are disabled by default in Debian, mitigating this flaw.



    For the stable distribution (bullseye), these problems have been fixed in version 5.10.92-1. This version includes changes that were intended to land in the next Debian bullseye point release.



    We recommend that you upgrade your linux packages.



    For the detailed security status of linux please refer to its security tracker page at:


    Information on source package linux



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : flatpak


    CVE ID : CVE-2021-43860 CVE-2022-21682



    Several vulnerabilities were discovered in Flatpak, an application deployment framework for desktop apps.



    CVE-2021-43860

    Ryan Gonzalez discovered that Flatpak didn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime. Malicious apps could therefore grant themselves permissions without the consent of the user.

    CVE-2022-21682

    Flatpak didn't always prevent a malicious flatpak-builder user from writing to the local filesystem.



    For the stable distribution (bullseye), these problems have been fixed in version 1.10.7-0+deb11u1.



    Please note that flatpak-builder also needed an update for compatibility, and is now at version 1.0.12-1+deb11u1 in bullseye.



    We recommend that you upgrade your flatpak and flatpak-builder packages.



    For the detailed security status of flatpak please refer to its security tracker page at:


    Information on source package flatpak



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libreswan


    CVE ID : CVE-2022-23094



    It was discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 packet, resulting in denial of service.



    For the stable distribution (bullseye), this problem has been fixed in version 4.3-1+deb11u1.



    We recommend that you upgrade your libreswan packages.



    For the detailed security status of libreswan please refer to its security tracker page at:


    Information on source package libreswan



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : prosody


    CVE ID : CVE-2022-0217



    Matthew Wild discovered that the WebSockets code in Prosody, a lightweight Jabber/XMPP server, was susceptible to denial of service.



    For the oldstable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u3.



    For the stable distribution (bullseye), this problem has been fixed in version 0.11.9-2+deb11u1.



    We recommend that you upgrade your prosody packages.



    For the detailed security status of prosody please refer to its security tracker page at:


    Information on source package prosody



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium


    CVE ID : CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055
    CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059
    CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064
    CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068
    CVE-2021-4078 CVE-2021-4079 CVE-2021-4098 CVE-2021-4099
    CVE-2021-4100 CVE-2021-4101 CVE-2021-4102 CVE-2021-37956
    CVE-2021-37957 CVE-2021-37958 CVE-2021-37959 CVE-2021-37961
    CVE-2021-37962 CVE-2021-37963 CVE-2021-37964 CVE-2021-37965
    CVE-2021-37966 CVE-2021-37967 CVE-2021-37968 CVE-2021-37969
    CVE-2021-37970 CVE-2021-37971 CVE-2021-37972 CVE-2021-37973
    CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977
    CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 CVE-2021-37981
    CVE-2021-37982 CVE-2021-37983 CVE-2021-37984 CVE-2021-37985
    CVE-2021-37986 CVE-2021-37987 CVE-2021-37988 CVE-2021-37989
    CVE-2021-37990 CVE-2021-37991 CVE-2021-37992 CVE-2021-37993
    CVE-2021-37994 CVE-2021-37995 CVE-2021-37996 CVE-2021-37997
    CVE-2021-37998 CVE-2021-37999 CVE-2021-38000 CVE-2021-38001
    CVE-2021-38002 CVE-2021-38003 CVE-2021-38004 CVE-2021-38005
    CVE-2021-38006 CVE-2021-38007 CVE-2021-38008 CVE-2021-38009
    CVE-2021-38010 CVE-2021-38011 CVE-2021-38012 CVE-2021-38013
    CVE-2021-38014 CVE-2021-38015 CVE-2021-38016 CVE-2021-38017
    CVE-2021-38018 CVE-2021-38019 CVE-2021-38020 CVE-2021-38021
    CVE-2021-38022 CVE-2022-0096 CVE-2022-0097 CVE-2022-0098
    CVE-2022-0099 CVE-2022-0100 CVE-2022-0101 CVE-2022-0102
    CVE-2022-0103 CVE-2022-0104 CVE-2022-0105 CVE-2022-0106
    CVE-2022-0107 CVE-2022-0108 CVE-2022-0109 CVE-2022-0110
    CVE-2022-0111 CVE-2022-0112 CVE-2022-0113 CVE-2022-0114
    CVE-2022-0115 CVE-2022-0116 CVE-2022-0117 CVE-2022-0118
    CVE-2022-0120



    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.



    For the oldstable distribution (buster), security support for Chromium has been discontinued due to toolchain issues which no longer allow building current Chromium releases on buster. You can either upgrade to the stable release (bullseye) or switch to a browser which continues to receive security support in buster (firefox-esr or browsers based on webkit2gtk).



    For the stable distribution (bullseye), these problems have been fixed in version 97.0.4692.71-0.1~deb11u1.



    We recommend that you upgrade your chromium packages.



    For the detailed security status of chromium please refer to its security tracker page at:


    Information on source package chromium



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : thunderbird


    CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739
    CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743
    CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751



    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.



    For the oldstable distribution (buster), these problems have been fixed in version 1:91.5.0-2~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 1:91.5.0-2~deb11u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr


    CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739
    CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743
    CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751



    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, denial of service or spoofing.



    For the oldstable distribution (buster), these problems have been fixed in version 91.5.0esr-1~deb10u1. Not all architectures are available for oldstable yet, most notably i386 (32 bits x86) is missing.



    For the stable distribution (bullseye), these problems have been fixed in version 91.5.0esr-1~deb11u1.



    We recommend that you upgrade your firefox-esr packages.



    For the detailed security status of firefox-esr please refer to its security tracker page at:


    Information on source package firefox-esr



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : lxml


    CVE ID : CVE-2021-43818


    Debian Bug : 1001885



    It was discovered that lxml, a Python binding for the libxml2 and libxslt libraries, does not properly sanitize its input, which could lead to cross-site scripting.



    For the oldstable distribution (buster), this problem has been fixed in version 4.3.2-1+deb10u4.



    For the stable distribution (bullseye), this problem has been fixed in version 4.6.3+dfsg-0.1+deb11u1.



    We recommend that you upgrade your lxml packages.



    For the detailed security status of lxml please refer to its security tracker page at:


    Information on source package lxml



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : epiphany-browser


    CVE ID : CVE-2021-45085 CVE-2021-45086 CVE-2021-45087 CVE-2021-45088



    Several vulnerabilities have been discovered in Epiphany, the GNOME web browser, allowing XSS attacks under certain circumstances.



    For the stable distribution (bullseye), these problems have been fixed in version 3.38.2-1+deb11u1.



    We recommend that you upgrade your epiphany-browser packages.



    For the detailed security status of epiphany-browser please refer to its security tracker page at:


    Information on source package epiphany-browser



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : cfrpki


    CVE ID : CVE-2021-3761 CVE-2021-3907 CVE-2021-3908 CVE-2021-3909
    CVE-2021-3910 CVE-2021-3911 CVE-2021-3912 CVE-2021-43173
    CVE-2021-43174



    Multiple vulnerabilities were discovered in Cloudflare's RPKI validator, which could result in denial of service or path traversal.



    For the stable distribution (bullseye), these problems have been fixed in version 1.4.2-1~deb11u1.



    We recommend that you upgrade your cfrpki packages.



    For the detailed security status of cfrpki please refer to its security tracker page at:


    Information on source package cfrpki



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : lighttpd


    CVE ID : CVE-2022-22707



    An out-of-bounds memory access was discovered in the mod_extforward plugin of the lighttpd web server, which may result in denial of service.



    For the oldstable distribution (buster), this problem has been fixed in version 1.4.53-4+deb10u2.



    For the stable distribution (bullseye), this problem has been fixed in version 1.4.59-1+deb11u1.



    We recommend that you upgrade your lighttpd packages.



    For the detailed security status of lighttpd please refer to its security tracker page at:


    Information on source package lighttpd



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : wordpress


    CVE ID : CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664


    Debian Bug : 1003243



    Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injection, run unchecked SQL queries, bypass hardening, or perform Cross-Site Scripting (XSS) attacks.



    For the oldstable distribution (buster), these problems have been fixed in version 5.0.15+dfsg1-0+deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 5.7.5+dfsg1-0+deb11u1.



    We recommend that you upgrade your wordpress packages.



    For the detailed security status of wordpress please refer to its security tracker page at:


    Information on source package wordpress



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ghostscript


    CVE ID : CVE-2021-45944 CVE-2021-45949



    Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.



    For the oldstable distribution (buster), these problems have been fixed in version 9.27~dfsg-2+deb10u5.



    For the stable distribution (bullseye), these problems have been fixed in version 9.53.3~dfsg-7+deb11u2.



    We recommend that you upgrade your ghostscript packages.



    For the detailed security status of ghostscript please refer to its security tracker page at:


    Information on source package ghostscript



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : roundcube


    CVE ID : CVE-2021-46144


    Debian Bug : 1003027



    It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to perform Cross-Site Scripting (XSS) attacks.



    For the oldstable distribution (buster), this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u2.



    For the stable distribution (bullseye), this problem has been fixed in version 1.4.13+dfsg.1-1~deb11u1.



    We recommend that you upgrade your roundcube packages.



    For the detailed security status of roundcube please refer to its security tracker page at:


    Information on source package roundcube



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : sphinxsearch


    CVE ID : CVE-2020-29050



    It was discovered that sphinxsearch, a fast standalone full-text SQL search engine, could allow arbitrary files to be read by abusing a configuration option.



    For the oldstable distribution (buster), this problem has been fixed in version 2.2.11-2+deb10u1.



    We recommend that you upgrade your sphinxsearch packages.



    For the detailed security status of sphinxsearch please refer to its security tracker page at:


    Information on source package sphinxsearch



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : apache2


    CVE ID : CVE-2021-44224 CVE-2021-44790



    Two vulnerabilities have been discovered in the Apache HTTP server:



    CVE-2021-44224

    When operating as a forward proxy, Apache was, depending on the setup, susceptible to denial of service or Server Side Request Forgery.

    CVE-2021-44790

    A buffer overflow in mod_lua may result in denial of service or potentially the execution of arbitrary code.



    For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u7.



    For the stable distribution (bullseye), these problems have been fixed in version 2.4.52-1~deb11u2.



    We recommend that you upgrade your apache2 packages.



    For the detailed security status of apache2 please refer to its security tracker page at:


    Information on source package apache2



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : thunderbird


    CVE ID : CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502
    CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507
    CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529
    CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537
    CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542
    CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538



    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code, spoofing, information disclosure, downgrade attacks on SMTP STARTTLS connections or misleading display of OpenPGP/MIME signatures.



    For the oldstable distribution (buster), these problems have been fixed in version 1:91.4.1-1~deb10u1.



    For the stable distribution (bullseye), these problems have been fixed in version 1:91.4.1-1~deb11u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/