Posts by Micha

    Package : thunderbird
    CVE ID : CVE-2021-29956 CVE-2021-29957 CVE-2021-29967

    Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. In addition, two security issues were addressed in the OpenPGP support.

    For the stable distribution (buster), these problems have been fixed in version 1:78.11.0-1~deb10u1.

    We recommend that you upgrade your thunderbird packages.

    For the detailed security status of thunderbird please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/thunderbird

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : lasso
    CVE ID : CVE-2021-28091

    It was discovered that lasso, a library which implements SAML 2.0 and Liberty Alliance standards, did not properly verify that all assertions in a SAML response were properly signed, allowing an attacker to impersonate users or bypass access control.

    For the stable distribution (buster), this problem has been fixed in version 2.6.0-2+deb10u1.

    We recommend that you upgrade your lasso packages.

    For the detailed security status of lasso please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/lasso

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr
    CVE ID : CVE-2021-29967

    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

    For the stable distribution (buster), this problem has been fixed in version 78.11.0esr-1~deb10u1.

    We recommend that you upgrade your firefox-esr packages.

    For the detailed security status of firefox-esr please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/firefox-esr

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : squid
    CVE ID : CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806 CVE-2021-31807 CVE-2021-31808
    Debian Bug : 988891 988892 988893 989043

    Multiple denial of service vulnerabilities were discovered in the Squid proxy caching server.

    For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u6.

    We recommend that you upgrade your squid packages.

    For the detailed security status of squid please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/squid

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : webkit2gtk
    CVE ID : CVE-2021-1788 CVE-2021-1844 CVE-2021-1871

    The following vulnerabilities have been discovered in the webkit2gtk web engine:

    CVE-2021-1788
    Francisco Alonso discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2021-1844
    Clement Lecigne and Alison Huffman discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2021-1871
    An anonymous researcher discovered that a remote attacker may be able to cause arbitrary code execution.

    For the stable distribution (buster), these problems have been fixed in version 2.32.1-1~deb10u1.

    We recommend that you upgrade your webkit2gtk packages.

    For the detailed security status of webkit2gtk please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/webkit2gtk

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : openjdk-11-jre-dcevm
    Debian Bug : 942876

    The Dynamic Code Evolution Virtual Machine (DCE VM), an alternative VM for OpenJDK 11 with enhanced class redefinition, has been updated for compatibility with OpenJDK 11.0.11.

    For the stable distribution (buster), this problem has been fixed in version openjdk-11-jre-dcevm_11.0.11+9-2~deb10u1.

    We recommend that you upgrade your openjdk-11-jre-dcevm packages.

    For the detailed security status of openjdk-11-jre-dcevm please refer to its security tracker page at:
    https://security-tracker.debia…cker/openjdk-11-jre-dcevm

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : hyperkitty
    CVE ID : CVE-2021-33038

    Amir Sarabadani and Kunal Mehta discovered that the import functionality of Hyperkitty, the web user interface to access Mailman 3 archives, did not restrict the visibility of private archives during the import, i.e. that during the import of a private Mailman 2 archive the archive was publicly accessible until the import completed.

    For the stable distribution (buster), this problem has been fixed in version 1.2.2-1+deb10u1.

    We recommend that you upgrade your hyperkitty packages.

    For the detailed security status of hyperkitty please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/hyperkitty

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : nginx
    CVE ID : CVE-2021-23017
    Debian Bug : 989095

    Luis Merino, Markus Vervier and Eric Sesterhenn discovered an off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.

    For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u4.

    We recommend that you upgrade your nginx packages.

    For the detailed security status of nginx please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/nginx

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libx11
    CVE ID : CVE-2021-31535
    Debian Bug : 988737

    Roman Fiedler reported that missing length validation in various functions provided by libx11, the X11 client-side library, allows injecting X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code.

    For the stable distribution (buster), this problem has been fixed in version 2:1.6.7-1+deb10u2.

    We recommend that you upgrade your libx11 packages.

    For the detailed security status of libx11 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/libx11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : lz4
    CVE ID : CVE-2021-3520
    Debian Bug : 987856

    Jasper Lievisse Adriaanse reported an integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption.

    For the stable distribution (buster), this problem has been fixed in version 1.8.3-1+deb10u1.

    We recommend that you upgrade your lz4 packages.

    For the detailed security status of lz4 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/lz4

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : prosody
    Debian Bug : 988756

    The update for prosody released as DSA 4916-1 introduced a regression in websocket support. Updated prosody packages are now available to correct this issue.

    For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u2.

    We recommend that you upgrade your prosody packages.

    For the detailed security status of prosody please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/prosody

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ruby-rack-cors
    CVE ID : CVE-2019-18978
    Debian Bug : 944849

    Improper pathname handling in ruby-rack-cors, a middleware that makes Rack-based apps CORS compatible, may result in access to private resources.

    For the stable distribution (buster), this problem has been fixed in version 1.0.2-1+deb10u1.

    We recommend that you upgrade your ruby-rack-cors packages.

    For the detailed security status of ruby-rack-cors please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/ruby-rack-cors

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium
    CVE ID : CVE-2021-30506 CVE-2021-30507 CVE-2021-30508 CVE-2021-30509 CVE-2021-30510 CVE-2021-30511 CVE-2021-30512 CVE-2021-30513 CVE-2021-30514 CVE-2021-30515 CVE-2021-30516 CVE-2021-30517 CVE-2021-30518 CVE-2021-30519 CVE-2021-30520

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2021-30506
    @retsew0x01 discovered an error in the Web App installation interface.

    CVE-2021-30507
    Alison Huffman discovered an error in the Offline mode.

    CVE-2021-30508
    Leecraso and Guang Gong discovered a buffer overflow issue in the Media Feeds implementation.

    CVE-2021-30509
    David Erceg discovered an out-of-bounds write issue in the Tab Strip implementation.

    CVE-2021-30510
    Weipeng Jiang discovered a race condition in the aura window manager.

    CVE-2021-30511
    David Erceg discovered an out-of-bounds read issue in the Tab Strip implementation.

    CVE-2021-30512
    ZhanJia Song discovered a use-after-free issue in the notifications implementation.

    CVE-2021-30513
    Man Yue Mo discovered an incorrect type in the v8 javascript library.

    CVE-2021-30514
    koocola and Wang discovered a use-after-free issue in the Autofill feature.

    CVE-2021-30515
    Rong Jian and Guang Gong discovered a use-after-free issue in the file system access API.

    CVE-2021-30516
    ZhanJia Song discovered a buffer overflow issue in the browsing history.

    CVE-2021-30517
    Jun Kokatsu discovered a buffer overflow issue in the reader mode.

    CVE-2021-30518
    laural discovered use of an incorrect type in the v8 javascript library.

    CVE-2021-30519
    asnine discovered a use-after-free issue in the Payments feature.

    CVE-2021-30520
    Khalil Zhani discovered a use-after-free issue in the Tab Strip implementation.

    For the stable distribution (buster), these problems have been fixed in version 90.0.4430.212-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : prosody
    CVE ID : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920 CVE-2021-32921

    Multiple security issues were found in Prosody, a lightweight Jabber/XMPP server, which could result in denial of service or information disclosure.

    For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1.

    We recommend that you upgrade your prosody packages.

    For the detailed security status of prosody please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/prosody

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : postgresql-11
    CVE ID : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029

    Multiple security issues have been discovered in the PostgreSQL database system, which could result in the execution of arbitrary code or disclosure of memory content.

    For the stable distribution (buster), these problems have been fixed in version 11.12-0+deb10u1.

    We recommend that you upgrade your postgresql-11 packages.

    For the detailed security status of postgresql-11 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/postgresql-11

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : graphviz
    CVE ID : CVE-2020-18032
    Debian Bug : 988000

    A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.

    For the stable distribution (buster), this problem has been fixed in version 2.40.1-6+deb10u1.

    We recommend that you upgrade your graphviz packages.

    For the detailed security status of graphviz please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/graphviz

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : hivex
    CVE ID : CVE-2021-3504
    Debian Bug : 988024

    Jeremy Galindo discovered an out-of-bounds memory access in Hivex, a library to parse Windows Registry hive files.

    For the stable distribution (buster), this problem has been fixed in version 1.3.18-1+deb10u1.

    We recommend that you upgrade your hivex packages.

    For the detailed security status of hivex please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/hivex

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : exim4
    CVE ID : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010 CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014 CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021 CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025 CVE-2020-28026

    The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.

    Details can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt

    For the stable distribution (buster), these problems have been fixed in version 4.92-8+deb10u6.

    We recommend that you upgrade your exim4 packages.

    For the detailed security status of exim4 please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/exim4

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium
    CVE ID : CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230 CVE-2021-21231 CVE-2021-21232 CVE-2021-21233

    Several vulnerabilities have been discovered in the chromium web browser.

    CVE-2021-21227
    Gengming Liu discovered a data validation issue in the v8 javascript library.

    CVE-2021-21228
    Rob Wu discovered a policy enforcement error.

    CVE-2021-21229
    Mohit Raj discovered a user interface error in the file downloader.

    CVE-2021-21230
    Manfred Paul discovered use of an incorrect type.

    CVE-2021-21231
    Sergei Glazunov discovered a data validation issue in the v8 javascript library.

    CVE-2021-21232
    Abdulrahman Alqabandi discovered a use-after-free issue in the developer tools.

    CVE-2021-21233
    Omair discovered a buffer overflow issue in the ANGLE library.

    For the stable distribution (buster), these problems have been fixed in version 90.0.4430.93-1~deb10u1.

    We recommend that you upgrade your chromium packages.

    For the detailed security status of chromium please refer to its security tracker page at:
    https://security-tracker.debian.org/tracker/chromium

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libimage-exiftool-perl
    CVE ID : CVE-2021-22204
    Debian Bug : 987505

    A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

    For the stable distribution (buster), this problem has been fixed in version 11.16-1+deb10u1.

    We recommend that you upgrade your libimage-exiftool-perl packages.

    For the detailed security status of libimage-exiftool-perl please refer to its security tracker page at:
    https://security-tracker.debia…er/libimage-exiftool-perl

    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/