Posts by Micha

    Package : modsecurity

    CVE ID : CVE-2020-15598


    Ervin Hegedues discovered that ModSecurity v3 enabled global regular expression matching which could result in denial of service. For additional information please refer to https://coreruleset.org/20200914/cve-2020-15598/


    For the stable distribution (buster), this problem has been fixed in version 3.0.3-1+deb10u2.


    We recommend that you upgrade your modsecurity packages.


    For the detailed security status of modsecurity please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/modsecurity


    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : inspircd

    CVE ID : CVE-2019-20917 CVE-2020-25269

    Debian Bug : 960650


    Two security issues were discovered in the pgsql and mysql modules of the InspIRCd IRC daemon, which could result in denial of service.


    For the stable distribution (buster), these problems have been fixed in version 2.0.27-1+deb10u1.


    We recommend that you upgrade your inspircd packages.


    For the detailed security status of inspircd please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/inspircd



    Package : teeworlds

    CVE ID : CVE-2020-12066


    It was discovered that insufficient sanitising of received network packets in the game server of Teeworlds, an online multi-player platform 2D shooter, could result in denial of service.


    For the stable distribution (buster), this problem has been fixed in version 0.7.2-5+deb10u1.


    We recommend that you upgrade your teeworlds packages.


    For the detailed security status of teeworlds please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/teeworlds



    Package : lemonldap-ng

    CVE ID : CVE-2020-24660


    It was discovered that the default configuration files for running the Lemonldap::NG Web SSO system on the Nginx web server were susceptible to authorisation bypass of URL access rules. The Debian packages do not use Nginx by default.


    For the stable distribution (buster), this problem has been fixed in version 2.0.2+ds-7+deb10u5. This update provides a fixed example configuration, which needs to be integrated into Lemonldap::NG deployments based on Nginx.


    We recommend that you upgrade your lemonldap-ng packages.


    For the detailed security status of lemonldap-ng please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lemonldap-ng



    Package : zeromq3

    CVE ID : CVE-2020-15166


    It was discovered that ZeroMQ, a lightweight messaging kernel library, does not properly handle connecting peers before a handshake is completed. A remote, unauthenticated client connecting to an application using the libzmq library, running with a socket listening with CURVE encryption/authentication enabled, can take advantage of this flaw to cause a denial of service affecting authenticated and encrypted clients.


    For the stable distribution (buster), this problem has been fixed in version 4.3.1-4+deb10u2.


    We recommend that you upgrade your zeromq3 packages.


    For the detailed security status of zeromq3 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/zeromq3



    Package : qemu

    CVE ID : CVE-2020-12829 CVE-2020-14364 CVE-2020-15863 CVE-2020-16092

    Debian Bug : 961451 968947


    Multiple security issues were discovered in QEMU, a fast processor emulator:

    CVE-2020-12829

    An integer overflow in the sm501 display device may result in denial of service.

    CVE-2020-14364

    An out-of-bounds write in the USB emulation code may result in guest-to-host code execution.

    CVE-2020-15863

    A buffer overflow in the XGMAC network device may result in denial of service or the execution of arbitrary code.

    CVE-2020-16092

    A triggerable assert in the e1000e and vmxnet3 devices may result in denial of service.


    For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u8.


    We recommend that you upgrade your qemu packages.


    For the detailed security status of qemu please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/qemu



    Package : ark

    CVE ID : CVE-2020-24654

    Debian Bug : 969437


    Fabian Vogt reported that the Ark archive manager did not sanitise extraction paths, which could result in maliciously crafted archives with symlinks writing outside the extraction directory.


    For the stable distribution (buster), this problem has been fixed in version 4:18.08.3-1+deb10u2.


    We recommend that you upgrade your ark packages.


    For the detailed security status of ark please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ark



    Package : xorg-server

    CVE ID : CVE-2020-14345 CVE-2020-14346 CVE-2020-14347 CVE-2020-14361 CVE-2020-14362

    Debian Bug : 968986


    Several vulnerabilities have been discovered in the X.Org X server.

    Missing input sanitising in X server extensions may result in local privilege escalation if the X server is configured to run with root privileges. In addition, an ASLR bypass was fixed.


    For the stable distribution (buster), these problems have been fixed in version 2:1.20.4-1+deb10u1.


    We recommend that you upgrade your xorg-server packages.


    For the detailed security status of xorg-server please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/xorg-server



    Package : apache2

    CVE ID : CVE-2020-1927 CVE-2020-1934 CVE-2020-9490 CVE-2020-11984 CVE-2020-11993


    Several vulnerabilities have been found in the Apache HTTPD server.


    CVE-2020-1927

    Fabrice Perez reported that certain mod_rewrite configurations are prone to an open redirect.

    CVE-2020-1934

    Chamal De Silva discovered that the mod_proxy_ftp module uses uninitialized memory when proxying to a malicious FTP backend.

    CVE-2020-9490

    Felix Wilhelm discovered that a specially crafted value for the 'Cache-Digest' header in an HTTP/2 request could cause a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.

    CVE-2020-11984

    Felix Wilhelm reported a buffer overflow flaw in the mod_proxy_uwsgi module which could result in information disclosure or potentially remote code execution.

    CVE-2020-11993

    Felix Wilhelm reported that when trace/debug was enabled for the HTTP/2 module, certain traffic edge patterns can cause logging statements on the wrong connection, causing concurrent use of memory pools.


    For the stable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u4.


    We recommend that you upgrade your apache2 packages.


    For the detailed security status of apache2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/apache2



    Package : lilypond

    CVE ID : CVE-2020-17353


    Faidon Liambotis discovered that Lilypond, a program for typesetting sheet music, did not restrict the inclusion of Postscript and SVG commands when operating in safe mode, which could result in the execution of arbitrary code when rendering a typesheet file with embedded Postscript code.


    For the stable distribution (buster), this problem has been fixed in version 2.19.81+really-2.18.2-13+deb10u1.


    We recommend that you upgrade your lilypond packages.


    For the detailed security status of lilypond please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/lilypond



    Package : openexr

    CVE ID : CVE-2017-9111 CVE-2017-9113 CVE-2017-9114 CVE-2017-9115 CVE-2020-11758 CVE-2020-11759 CVE-2020-11760 CVE-2020-11761 CVE-2020-11762 CVE-2020-11763 CVE-2020-11764 CVE-2020-11765 CVE-2020-15305 CVE-2020-15306


    Multiple security issues were found in the OpenEXR image library, which could result in denial of service and potentially the execution of arbitrary code when processing malformed EXR image files.


    For the stable distribution (buster), these problems have been fixed in version 2.2.1-4.1+deb10u1.


    We recommend that you upgrade your openexr packages.


    For the detailed security status of openexr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/openexr



    Package : thunderbird

    CVE ID : CVE-2020-15664 CVE-2020-15669


    Multiple security issues have been found in Thunderbird which could result in the execution of arbitrary code or the unintended installation of extensions.


    For the stable distribution (buster), these problems have been fixed in version 1:68.12.0-1~deb10u1.


    We recommend that you upgrade your thunderbird packages.


    For the detailed security status of thunderbird please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/thunderbird



    Package : mupdf

    CVE ID : CVE-2019-13290

    Debian Bug : 931475


    A heap-based buffer overflow flaw was discovered in MuPDF, a lightweight PDF viewer, which may result in denial of service or the execution of arbitrary code if a malformed PDF file is opened.


    For the stable distribution (buster), this problem has been fixed in version 1.14.0+ds1-4+deb10u1.


    We recommend that you upgrade your mupdf packages.


    For the detailed security status of mupdf please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/mupdf



    Package : bind9

    CVE ID : CVE-2020-8619 CVE-2020-8622 CVE-2020-8623 CVE-2020-8624

    Debian Bug : 966497


    Several vulnerabilities were discovered in BIND, a DNS server implementation.


    CVE-2020-8619

    It was discovered that an asterisk character in an empty non-terminal can cause an assertion failure, resulting in denial of service.

    CVE-2020-8622

    Dave Feldman, Jeff Warren, and Joel Cunningham reported that a truncated TSIG response can lead to an assertion failure, resulting in denial of service.

    CVE-2020-8623

    Lyu Chiy reported that a flaw in the native PKCS#11 code can lead to a remotely triggerable assertion failure, resulting in denial of service.

    CVE-2020-8624

    Joop Boonen reported that update-policy rules of type "subdomain" are enforced incorrectly, allowing updates to all parts of the zone along with the intended subdomain.


    For the stable distribution (buster), these problems have been fixed in version 1:9.11.5.P4+dfsg-5.1+deb10u2.


    We recommend that you upgrade your bind9 packages.


    For the detailed security status of bind9 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/bind9



    Package : squid

    CVE ID : CVE-2020-15810 CVE-2020-15811 CVE-2020-24606

    Debian Bug : 968932 968933 968934


    Several vulnerabilities were discovered in Squid, a fully featured web proxy cache, which could result in request splitting, request smuggling (leading to cache poisoning) and denial of service when processing crafted cache digest response messages.


    For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u4.


    We recommend that you upgrade your squid packages.


    For the detailed security status of squid please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/squid



    Package : nginx

    CVE ID : CVE-2020-11724

    Debian Bug : 964950


    It was reported that the Lua module for Nginx, a high-performance web and reverse proxy server, is prone to an HTTP request smuggling vulnerability.


    For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u3.


    We recommend that you upgrade your nginx packages.


    For the detailed security status of nginx please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/nginx



    Package : firefox-esr

    CVE ID : CVE-2020-15664 CVE-2020-15669


    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code or unintended or malicious extensions being installed.


    For the stable distribution (buster), these problems have been fixed in version 68.12.0esr-1~deb10u1.


    We recommend that you upgrade your firefox-esr packages.


    For the detailed security status of firefox-esr please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/firefox-esr



    Package : ghostscript

    CVE ID : CVE-2020-16287 CVE-2020-16288 CVE-2020-16289 CVE-2020-16290 CVE-2020-16291 CVE-2020-16292 CVE-2020-16293 CVE-2020-16294 CVE-2020-16295 CVE-2020-16296 CVE-2020-16297 CVE-2020-16298 CVE-2020-16299 CVE-2020-16300 CVE-2020-16301 CVE-2020-16302 CVE-2020-16303 CVE-2020-16304 CVE-2020-16305 CVE-2020-16306 CVE-2020-16307 CVE-2020-16308 CVE-2020-16309 CVE-2020-16310 CVE-2020-17538


    Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.


    For the stable distribution (buster), these problems have been fixed in version 9.27~dfsg-2+deb10u4.


    We recommend that you upgrade your ghostscript packages.


    For the detailed security status of ghostscript please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/ghostscript



    Package : icingaweb2

    CVE ID : CVE-2020-24368

    Debian Bug : 968833


    A directory traversal vulnerability was discovered in Icinga Web 2, a web interface for Icinga, which could result in the disclosure of files readable by the process.


    For the stable distribution (buster), this problem has been fixed in version 2.6.2-3+deb10u1.


    We recommend that you upgrade your icingaweb2 packages.


    For the detailed security status of icingaweb2 please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/icingaweb2



    Package : net-snmp

    CVE ID : CVE-2020-15861 CVE-2020-15862

    Debian Bug : 965166 966599


    Several vulnerabilities were discovered in net-snmp, a suite of Simple Network Management Protocol applications, which could lead to privilege escalation.


    For the stable distribution (buster), these problems have been fixed in version 5.7.3+dfsg-5+deb10u1.


    We recommend that you upgrade your net-snmp packages.


    For the detailed security status of net-snmp please refer to its security tracker page at:

    https://security-tracker.debian.org/tracker/net-snmp

