Beiträge von Micha

Package : chromium

CVE ID : CVE-2022-2156 CVE-2022-2157 CVE-2022-2158 CVE-2022-2160

CVE-2022-2161 CVE-2022-2162 CVE-2022-2163 CVE-2022-2164

CVE-2022-2165

Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bullseye), these problems have been fixed in version 103.0.5060.53-1~deb11u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firejail

CVE ID : CVE-2022-31214

Debian Bug : 1012510

Matthias Gerstner discovered that the --join option of Firejail, a sandbox to restrict an application environment, was susceptible to local privilege escalation to root.

For the oldstable distribution (buster), this problem has been fixed in version 0.9.58.2-2+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in version 0.9.64.4-2+deb11u1.

We recommend that you upgrade your firejail packages.

For the detailed security status of firejail please refer to its security tracker page at:

Information on source package firejail

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : slurm-wlm

CVE ID : CVE-2022-29500 CVE-2022-29501

Debian Bug : 1010633 1010634

Two security issues were discovered in the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, which could result in privilege escalation.

For the stable distribution (bullseye), these problems have been fixed in version 20.11.7+really20.11.4-2+deb11u1.

We recommend that you upgrade your slurm-wlm packages.

For the detailed security status of slurm-wlm please refer to its security tracker page at:

Information on source package slurm-wlm

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : vlc

CVE ID : not yet available

Multiple vulnerabilities were discovered in the VLC media player, which could result in the execution of arbitrary code or denial of service if a malformed file is opened.

For the oldstable distribution (buster), this problem has been fixed in version 3.0.17.4-0+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 3.0.17.4-0+deb11u1.

We recommend that you upgrade your vlc packages.

For the detailed security status of vlc please refer to its security tracker page at:

Information on source package vlc

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2022-2007 CVE-2022-2008 CVE-2022-2010 CVE-2022-2011

Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bullseye), these problems have been fixed in version 102.0.5005.115-1~deb11u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : containerd

CVE ID : CVE-2022-24769 CVE-2022-31030

Two vulnerabilities were discovered that the containerd container runtime, which could result in denial of service or incomplete restriction of capabilities.

For the stable distribution (bullseye), these problems have been fixed in version 1.4.13~ds1-1~deb11u2.

We recommend that you upgrade your containerd packages.

For the detailed security status of containerd please refer to its security tracker page at:

Information on source package containerd

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : linux

CVE ID : CVE-2022-0494 CVE-2022-0854 CVE-2022-1012 CVE-2022-1729

CVE-2022-1786 CVE-2022-1789 CVE-2022-1852 CVE-2022-1966

CVE-2022-1972 CVE-2022-1974 CVE-2022-1975 CVE-2022-21499

CVE-2022-28893

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2022-0494

The scsi_ioctl() was susceptible to an information leak only

exploitable by users with CAP_SYS_ADMIN or CAP_SYS_RAWIO

capabilities.

CVE-2022-0854

Ali Haider discovered a potential information leak in the DMA

subsystem. On systems where the swiotlb feature is needed, this

might allow a local user to read sensitive information.

CVE-2022-1012

The randomisation when calculating port offsets in the IP

implementation was enhanced.

CVE-2022-1729

Norbert Slusarek discovered a race condition in the perf subsystem

which could result in local privilege escalation to root. The

default settings in Debian prevent exploitation unless more

permissive settings have been applied in the

kernel.perf_event_paranoid sysctl.

CVE-2022-1786

Kyle Zeng discovered a use-after-free in the io_uring subsystem

which way result in local privilege escalation to root.

CVE-2022-1789 / CVE-2022-1852

Yongkang Jia, Gaoning Pan and Qiuhao Li discovered two NULL pointer

dereferences in KVM's CPU instruction handling, resulting in denial

of service.

CVE-2022-1966

Aaron Adams discovered a use-after-free in Netfilter which may

result in local privilege escalation to root.

CVE-2022-1972

Ziming Zhang discovered an out-of-bound write in Netfilter which may

result in local privilege escalation to root.

CVE-2022-1974 / CVE-2022-1975

Duoming Zhou discovered that the NFC netlink interface was

suspectible to denial of service.

CVE-2022-21499

It was discovered that the kernel debugger could be used to bypass

UEFI Secure Boot restrictions.

CVE-2022-28893

Felix Fu discovered a use-after-free in the implementation of the

Remote Procedure Call (SunRPC) protocol, which could in denial of

service or an information leak.

For the stable distribution (bullseye), these problems have been fixed in version 5.10.120-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at:

Information on source package linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : ntfs-3g

CVE ID : CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785

CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789

Debian Bug : 1011770

Several vulnerabilities were discovered in NTFS-3G, a read-write NTFS driver for FUSE. A local user can take advantage of these flaws for local root privilege escalation.

For the oldstable distribution (buster), these problems have been fixed in version 1:2017.3.23AR.3-3+deb10u2.

For the stable distribution (bullseye), these problems have been fixed in version 1:2017.3.23AR.3-4+deb11u2.

We recommend that you upgrade your ntfs-3g packages.

For the detailed security status of ntfs-3g please refer to its security tracker page at:

Information on source package ntfs-3g

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : python-bottle

CVE ID : CVE-2022-31799

Elton Nokaj discovered that incorrect error handling in Bottle, a WSGI framework for Python, could result in the disclosure of sensitive information.

For the oldstable distribution (buster), this problem has been fixed in version 0.12.15-2+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in version 0.12.19-1+deb11u1.

We recommend that you upgrade your python-bottle packages.

For the detailed security status of python-bottle please refer to its security tracker page at:

Information on source package python-bottle

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : thunderbird

CVE ID : CVE-2022-1529 CVE-2022-1802 CVE-2022-1834 CVE-2022-31736

CVE-2022-31737 CVE-2022-31738 CVE-2022-31740 CVE-2022-31741

CVE-2022-31742 CVE-2022-31747

Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

For the oldstable distribution (buster), these problems have been fixed in version 1:91.10.0-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 1:91.10.0-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:

Information on source package thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : cifs-utils

CVE ID : CVE-2022-27239 CVE-2022-29869

Debian Bug : 1010818

Jeffrey Bencteux reported two vulnerabilities in cifs-utils, the Common Internet File System utilities, which can result in escalation of privileges (CVE-2022-27239) or an information leak (CVE-2022-29869).

For the oldstable distribution (buster), these problems have been fixed in version 2:6.8-2+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 2:6.11-3.1+deb11u1.

We recommend that you upgrade your cifs-utils packages.

For the detailed security status of cifs-utils please refer to its security tracker page at:

Information on source package cifs-utils

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2022-31736 CVE-2022-31737 CVE-2022-31738 CVE-2022-31740

CVE-2022-31741 CVE-2022-31742 CVE-2022-31747

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure or spoofing.

For the oldstable distribution (buster), these problems have been fixed in version 91.10.0esr-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 91.10.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:

Information on source package firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : wpewebkit

CVE ID : CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717

CVE-2022-26719 CVE-2022-30293 CVE-2022-30294

The following vulnerabilities have been discovered in the WPE WebKit web engine:

CVE-2022-26700

ryuzaki discovered that processing maliciously crafted web content

may lead to code execution.

CVE-2022-26709

Chijin Zhou discovered that processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-26716

SorryMybad discovered that Processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-26717

Jeonghoon Shin discovered that Processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-26719

Dongzhuo Zhao discovered that Processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-30293

Chijin Zhou discovered that processing maliciously crafted web

content may lead to arbitrary code execution or to a denial of

service (application crash).

CVE-2022-30294

Chijin Zhou discovered that processing maliciously crafted web

content may lead to arbitrary code execution or to a denial of

service (application crash).

For the stable distribution (bullseye), these problems have been fixed in version 2.36.3-1~deb11u1.

We recommend that you upgrade your wpewebkit packages.

For the detailed security status of wpewebkit please refer to its security tracker page at:

Information on source package wpewebkit

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : webkit2gtk

CVE ID : CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717

CVE-2022-26719 CVE-2022-30293 CVE-2022-30294

The following vulnerabilities have been discovered in the WebKitGTK web engine:

CVE-2022-26700

ryuzaki discovered that processing maliciously crafted web content

may lead to code execution.

CVE-2022-26709

Chijin Zhou discovered that processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-26716

SorryMybad discovered that Processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-26717

Jeonghoon Shin discovered that Processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-26719

Dongzhuo Zhao discovered that Processing maliciously crafted web

content may lead to arbitrary code execution.

CVE-2022-30293

Chijin Zhou discovered that processing maliciously crafted web

content may lead to arbitrary code execution or to a denial of

service (application crash).

CVE-2022-30294

Chijin Zhou discovered that processing maliciously crafted web

content may lead to arbitrary code execution or to a denial of

service (application crash).

For the oldstable distribution (buster), these problems have been fixed in version 2.36.3-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 2.36.3-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security tracker page at:

Information on source package webkit2gtk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : trafficserver

CVE ID : CVE-2021-37147 CVE-2021-37148 CVE-2021-37149 CVE-2021-38161

CVE-2021-44040 CVE-2021-44759

Several vulnerabilities were discovered in Apache Traffic Server, a reverse and forward proxy server, which could result in HTTP request smuggling or MITM attacks.

For the oldstable distribution (buster), these problems have been fixed in version 8.0.2+ds-1+deb10u6.

For the stable distribution (bullseye), these problems have been fixed in version 8.1.1+ds-1.1+deb11u1.

We recommend that you upgrade your trafficserver packages.

For the detailed security status of trafficserver please refer to its security tracker page at:

Information on source package trafficserver

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : spip

It was discovered that SPIP, a website engine for publishing, would allow a malicious user to perform cross-site scripting attacks.

For the oldstable distribution (buster), this problem has been fixed in version 3.2.4-1+deb10u8.

For the stable distribution (bullseye), this problem has been fixed in version 3.2.11-3+deb11u4.

We recommend that you upgrade your spip packages.

For the detailed security status of spip please refer to its security tracker page at:

Information on source package spip

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : smarty3

CVE ID : CVE-2021-21408 CVE-2021-26119 CVE-2021-26120 CVE-2021-29454

CVE-2022-29221

Debian Bug : 1010375 1011758

Several security vulnerabilities have been discovered in smarty3, the compiling PHP template engine. Template authors are able to run restricted static php methods or even arbitrary PHP code by crafting a malicious math string or by choosing an invalid {block} or {include} file name. If a math string was passed through as user provided data to the math function, remote users were able to run arbitrary PHP code as well.

For the oldstable distribution (buster), these problems have been fixed in version 3.1.33+20180830.1.3a78a21f+selfpack1-1+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 3.1.39-2+deb11u1.

We recommend that you upgrade your smarty3 packages.

For the detailed security status of smarty3 please refer to its security tracker page at:

Information on source package smarty3

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : rsyslog

CVE ID : CVE-2022-24903

Debian Bug : 1010619

Peter Agten discovered that several modules for TCP syslog reception in rsyslog, a system and kernel logging daemon, have buffer overflow flaws when octet-counted framing is used, which could result in denial of service or potentially the execution of arbitrary code.

For the oldstable distribution (buster), this problem has been fixed in version 8.1901.0-1+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in version 8.2102.0-2+deb11u1.

We recommend that you upgrade your rsyslog packages.

For the detailed security status of rsyslog please refer to its security tracker page at:

Information on source package rsyslog

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : cups

CVE ID : CVE-2022-26691

Joshua Mason discovered that a logic error in the validation of the secret key used in the "local" authorisation mode of the CUPS printing system may result in privilege escalation.

For the oldstable distribution (buster), this problem has been fixed in version 2.2.10-6+deb10u6.

For the stable distribution (bullseye), this problem has been fixed in version 2.3.3op2-3+deb11u2.

We recommend that you upgrade your cups packages.

For the detailed security status of cups please refer to its security tracker page at:

Information on source package cups

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2022-1853 CVE-2022-1854 CVE-2022-1855 CVE-2022-1856

CVE-2022-1857 CVE-2022-1858 CVE-2022-1859 CVE-2022-1860

CVE-2022-1861 CVE-2022-1862 CVE-2022-1863 CVE-2022-1864

CVE-2022-1865 CVE-2022-1866 CVE-2022-1867 CVE-2022-1868

CVE-2022-1869 CVE-2022-1870 CVE-2022-1871 CVE-2022-1872

CVE-2022-1873 CVE-2022-1874 CVE-2022-1875 CVE-2022-1876

Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

For the stable distribution (bullseye), these problems have been fixed in version 102.0.5005.61-1~deb11u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/