Posts by Micha

    Package : chromium
    CVE ID : CVE-2022-2156 CVE-2022-2157 CVE-2022-2158 CVE-2022-2160
             CVE-2022-2161 CVE-2022-2162 CVE-2022-2163 CVE-2022-2164
             CVE-2022-2165

    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    For the stable distribution (bullseye), these problems have been fixed in version 103.0.5060.53-1~deb11u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    Information on source package chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firejail
    CVE ID : CVE-2022-31214
    Debian Bug : 1012510

    Matthias Gerstner discovered that the --join option of Firejail, a sandbox to restrict an application environment, was susceptible to local privilege escalation to root.

    For the oldstable distribution (buster), this problem has been fixed in version 0.9.58.2-2+deb10u3.

    For the stable distribution (bullseye), this problem has been fixed in version 0.9.64.4-2+deb11u1.

    We recommend that you upgrade your firejail packages.

    For the detailed security status of firejail please refer to its security tracker page at:
    Information on source package firejail

    Package : slurm-wlm
    CVE ID : CVE-2022-29500 CVE-2022-29501
    Debian Bug : 1010633 1010634

    Two security issues were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which could result in privilege escalation.

    For the stable distribution (bullseye), these problems have been fixed in version 20.11.7+really20.11.4-2+deb11u1.

    We recommend that you upgrade your slurm-wlm packages.

    For the detailed security status of slurm-wlm please refer to its security tracker page at:
    Information on source package slurm-wlm

    Package : vlc
    CVE ID : not yet available

    Multiple vulnerabilities were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed file is opened.

    For the oldstable distribution (buster), this problem has been fixed in version 3.0.17.4-0+deb10u1.

    For the stable distribution (bullseye), this problem has been fixed in version 3.0.17.4-0+deb11u1.

    We recommend that you upgrade your vlc packages.

    For the detailed security status of vlc please refer to its security tracker page at:
    Information on source package vlc

    Package : chromium
    CVE ID : CVE-2022-2007 CVE-2022-2008 CVE-2022-2010 CVE-2022-2011

    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    For the stable distribution (bullseye), these problems have been fixed in version 102.0.5005.115-1~deb11u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    Information on source package chromium

    Package : containerd
    CVE ID : CVE-2022-24769 CVE-2022-31030

    Two vulnerabilities were discovered in the containerd container runtime, which could result in denial of service or incomplete restriction of capabilities.

    For the stable distribution (bullseye), these problems have been fixed in version 1.4.13~ds1-1~deb11u2.

    We recommend that you upgrade your containerd packages.

    For the detailed security status of containerd please refer to its security tracker page at:
    Information on source package containerd

    Package : linux
    CVE ID : CVE-2022-0494 CVE-2022-0854 CVE-2022-1012 CVE-2022-1729
             CVE-2022-1786 CVE-2022-1789 CVE-2022-1852 CVE-2022-1966
             CVE-2022-1972 CVE-2022-1974 CVE-2022-1975 CVE-2022-21499
             CVE-2022-28893

    Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

    CVE-2022-0494

        The scsi_ioctl() was susceptible to an information leak only exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO capabilities.

    CVE-2022-0854

        Ali Haider discovered a potential information leak in the DMA subsystem. On systems where the swiotlb feature is needed, this might allow a local user to read sensitive information.

    CVE-2022-1012

        The randomisation when calculating port offsets in the IP implementation was enhanced.

    CVE-2022-1729

        Norbert Slusarek discovered a race condition in the perf subsystem which could result in local privilege escalation to root. The default settings in Debian prevent exploitation unless more permissive settings have been applied in the kernel.perf_event_paranoid sysctl.

    CVE-2022-1786

        Kyle Zeng discovered a use-after-free in the io_uring subsystem which may result in local privilege escalation to root.

    CVE-2022-1789 / CVE-2022-1852

        Yongkang Jia, Gaoning Pan and Qiuhao Li discovered two NULL pointer dereferences in KVM's CPU instruction handling, resulting in denial of service.

    CVE-2022-1966

        Aaron Adams discovered a use-after-free in Netfilter which may result in local privilege escalation to root.

    CVE-2022-1972

        Ziming Zhang discovered an out-of-bound write in Netfilter which may result in local privilege escalation to root.

    CVE-2022-1974 / CVE-2022-1975

        Duoming Zhou discovered that the NFC netlink interface was susceptible to denial of service.

    CVE-2022-21499

        It was discovered that the kernel debugger could be used to bypass UEFI Secure Boot restrictions.

    CVE-2022-28893

        Felix Fu discovered a use-after-free in the implementation of the Remote Procedure Call (SunRPC) protocol, which could result in denial of service or an information leak.

    For the stable distribution (bullseye), these problems have been fixed in version 5.10.120-1.

    We recommend that you upgrade your linux packages.

    For the detailed security status of linux please refer to its security tracker page at:
    Information on source package linux

    Package : ntfs-3g
    CVE ID : CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785
             CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789
    Debian Bug : 1011770

    Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.

    For the oldstable distribution (buster), these problems have been fixed in version 1:2017.3.23AR.3-3+deb10u2.

    For the stable distribution (bullseye), these problems have been fixed in version 1:2017.3.23AR.3-4+deb11u2.

    We recommend that you upgrade your ntfs-3g packages.

    For the detailed security status of ntfs-3g please refer to its security tracker page at:
    Information on source package ntfs-3g

    Package : python-bottle
    CVE ID : CVE-2022-31799

    Elton Nokaj discovered that incorrect error handling in Bottle, a WSGI framework for Python, could result in the disclosure of sensitive information.

    For the oldstable distribution (buster), this problem has been fixed in version 0.12.15-2+deb10u2.

    For the stable distribution (bullseye), this problem has been fixed in version 0.12.19-1+deb11u1.

    We recommend that you upgrade your python-bottle packages.

    For the detailed security status of python-bottle please refer to its security tracker page at:
    Information on source package python-bottle

    Package : thunderbird
    CVE ID : CVE-2022-1529 CVE-2022-1802 CVE-2022-1834 CVE-2022-31736
             CVE-2022-31737 CVE-2022-31738 CVE-2022-31740 CVE-2022-31741
             CVE-2022-31742 CVE-2022-31747

    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

    For the oldstable distribution (buster), these problems have been fixed in version 1:91.10.0-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 1:91.10.0-1~deb11u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:
    Information on source package thunderbird

    Package : cifs-utils
    CVE ID : CVE-2022-27239 CVE-2022-29869
    Debian Bug : 1010818

    Jeffrey Bencteux reported two vulnerabilities in cifs-utils, the Common Internet File System utilities, which can result in escalation of privileges (CVE-2022-27239) or an information leak (CVE-2022-29869).

    For the oldstable distribution (buster), these problems have been fixed in version 2:6.8-2+deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 2:6.11-3.1+deb11u1.

    We recommend that you upgrade your cifs-utils packages.

    For the detailed security status of cifs-utils please refer to its security tracker page at:
    Information on source package cifs-utils

    Package : firefox-esr
    CVE ID : CVE-2022-31736 CVE-2022-31737 CVE-2022-31738 CVE-2022-31740
             CVE-2022-31741 CVE-2022-31742 CVE-2022-31747

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.

    For the oldstable distribution (buster), these problems have been fixed in version 91.10.0esr-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 91.10.0esr-1~deb11u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:
    Information on source package firefox-esr

    Package : wpewebkit
    CVE ID : CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717
             CVE-2022-26719 CVE-2022-30293 CVE-2022-30294

    The following vulnerabilities have been discovered in the WPE WebKit web engine:

    CVE-2022-26700

        ryuzaki discovered that processing maliciously crafted web content may lead to code execution.

    CVE-2022-26709

        Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-26716

        SorryMybad discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-26717

        Jeonghoon Shin discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-26719

        Dongzhuo Zhao discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-30293

        Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash).

    CVE-2022-30294

        Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash).

    For the stable distribution (bullseye), these problems have been fixed in version 2.36.3-1~deb11u1.

    We recommend that you upgrade your wpewebkit packages.

    For the detailed security status of wpewebkit please refer to its security tracker page at:
    Information on source package wpewebkit

    Package : webkit2gtk
    CVE ID : CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717
             CVE-2022-26719 CVE-2022-30293 CVE-2022-30294

    The following vulnerabilities have been discovered in the WebKitGTK web engine:

    CVE-2022-26700

        ryuzaki discovered that processing maliciously crafted web content may lead to code execution.

    CVE-2022-26709

        Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-26716

        SorryMybad discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-26717

        Jeonghoon Shin discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-26719

        Dongzhuo Zhao discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-30293

        Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash).

    CVE-2022-30294

        Chijin Zhou discovered that processing maliciously crafted web content may lead to arbitrary code execution or to a denial of service (application crash).

    For the oldstable distribution (buster), these problems have been fixed in version 2.36.3-1~deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 2.36.3-1~deb11u1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:
    Information on source package webkit2gtk

    Package : trafficserver
    CVE ID : CVE-2021-37147 CVE-2021-37148 CVE-2021-37149 CVE-2021-38161
             CVE-2021-44040 CVE-2021-44759

    Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in HTTP request smuggling or MITM attacks.

    For the oldstable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u6.

    For the stable distribution (bullseye), these problems have been fixed in version 8.1.1+ds-1.1+deb11u1.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to its security tracker page at:
    Information on source package trafficserver

    Package : spip

    It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks.

    For the oldstable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u8.

    For the stable distribution (bullseye), this problem has been fixed in version 3.2.11-3+deb11u4.

    We recommend that you upgrade your spip packages.

    For the detailed security status of spip please refer to its security tracker page at:
    Information on source package spip

    Package : smarty3
    CVE ID : CVE-2021-21408 CVE-2021-26119 CVE-2021-26120 CVE-2021-29454
             CVE-2022-29221
    Debian Bug : 1010375 1011758

    Several security vulnerabilities have been discovered in smarty3, the compiling PHP template engine. Template authors are able to run restricted static php methods or even arbitrary PHP code by crafting a malicious math string or by choosing an invalid {block} or {include} file name. If a math string was passed through as user provided data to the math function, remote users were able to run arbitrary PHP code as well.

    For the oldstable distribution (buster), these problems have been fixed in version 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1.

    For the stable distribution (bullseye), these problems have been fixed in version 3.1.39-2+deb11u1.

    We recommend that you upgrade your smarty3 packages.

    For the detailed security status of smarty3 please refer to its security tracker page at:
    Information on source package smarty3

    Package : rsyslog
    CVE ID : CVE-2022-24903
    Debian Bug : 1010619

    Peter Agten discovered that several modules for TCP syslog reception in rsyslog, a system and kernel logging daemon, have buffer overflow flaws when octet-counted framing is used, which could result in denial of service or potentially the execution of arbitrary code.

    For the oldstable distribution (buster), this problem has been fixed in version 8.1901.0-1+deb10u2.

    For the stable distribution (bullseye), this problem has been fixed in version 8.2102.0-2+deb11u1.

    We recommend that you upgrade your rsyslog packages.

    For the detailed security status of rsyslog please refer to its security tracker page at:
    Information on source package rsyslog

    Package : cups
    CVE ID : CVE-2022-26691

    Joshua Mason discovered that a logic error in the validation of the secret key used in the "local" authorisation mode of the CUPS printing system may result in privilege escalation.

    For the oldstable distribution (buster), this problem has been fixed in version 2.2.10-6+deb10u6.

    For the stable distribution (bullseye), this problem has been fixed in version 2.3.3op2-3+deb11u2.

    We recommend that you upgrade your cups packages.

    For the detailed security status of cups please refer to its security tracker page at:
    Information on source package cups

    Package : chromium
    CVE ID : CVE-2022-1853 CVE-2022-1854 CVE-2022-1855 CVE-2022-1856
             CVE-2022-1857 CVE-2022-1858 CVE-2022-1859 CVE-2022-1860
             CVE-2022-1861 CVE-2022-1862 CVE-2022-1863 CVE-2022-1864
             CVE-2022-1865 CVE-2022-1866 CVE-2022-1867 CVE-2022-1868
             CVE-2022-1869 CVE-2022-1870 CVE-2022-1871 CVE-2022-1872
             CVE-2022-1873 CVE-2022-1874 CVE-2022-1875 CVE-2022-1876

    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

    For the stable distribution (bullseye), these problems have been fixed in version 102.0.5005.61-1~deb11u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    Information on source package chromium