Beiträge von Micha

Package : thunderbird

CVE ID : CVE-2021-29956 CVE-2021-29957 CVE-2021-29967

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. In adddition two security issues were addressed in the OpenPGP support.

For the stable distribution (buster), these problems have been fixed in version 1:78.11.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : lasso

CVE ID : CVE-2021-28091

It was discovered that lasso, a library which implements SAML 2.0 and Liberty Alliance standards, did not properly verify that all assertions in a SAML response were properly signed, allowing an attacker to impersonate users or bypass access control.

For the stable distribution (buster), this problem has been fixed in version 2.6.0-2+deb10u1.

We recommend that you upgrade your lasso packages.

For the detailed security status of lasso please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/lasso

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2021-29967

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in version 78.11.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : squid

CVE ID : CVE-2021-28651 CVE-2021-28652 CVE-2021-28662 CVE-2021-31806

CVE-2021-31807 CVE-2021-31808

Debian Bug : 988891 988892 988893 989043

Multiple denial of service vulnerabilities were discovered in the Squid proxy caching server.

For the stable distribution (buster), these problems have been fixed in version 4.6-1+deb10u6.

We recommend that you upgrade your squid packages.

For the detailed security status of squid please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/squid

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : webkit2gtk

CVE ID : CVE-2021-1788 CVE-2021-1844 CVE-2021-1871

The following vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2021-1788

Francisco Alonso discovered that processing maliciously crafted

web content may lead to arbitrary code execution.

CVE-2021-1844

Clement Lecigne and Alison Huffman discovered that processing

maliciously crafted web content may lead to arbitrary code

execution.

CVE-2021-1871

An anonymous researcher discovered that a remote attacker may be

able to cause arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in version 2.32.1-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : openjdk-11-jre-dcevm

Debian Bug : 942876

The Dynamic Code Evolution Virtual Machine (DCE VM), an alternative VM for OpenJDK 11 with enhanced class redefinition, has been updated for compatibility with OpenJDK 11.0.11.

For the stable distribution (buster), this problem has been fixed in version openjdk-11-jre-dcevm_11.0.11+9-2~deb10u1.

We recommend that you upgrade your openjdk-11-jre-dcevm packages.

For the detailed security status of openjdk-11-jre-dcevm please refer to its security tracker page at:

https://security-tracker.debia…cker/openjdk-11-jre-dcevm

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : hyperkitty

CVE ID : CVE-2021-33038

Amir Sarabadani and Kunal Mehta discovered that the import functionality of Hyperkitty, the web user interface to access Mailman 3 archives, did not restrict the visibility of private archives during the import, i.e.

that during the import of a private Mailman 2 archive the archive was publicly accessible until the import completed.

For the stable distribution (buster), this problem has been fixed in version 1.2.2-1+deb10u1.

We recommend that you upgrade your hyperkitty packages.

For the detailed security status of hyperkitty please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/hyperkitty

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : nginx

CVE ID : CVE-2021-23017

Debian Bug : 989095

Luis Merino, Markus Vervier and Eric Sesterhenn discovered an off-by-one in Nginx, a high-performance web and reverse proxy server, which could result in denial of service and potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in version 1.14.2-2+deb10u4.

We recommend that you upgrade your nginx packages.

For the detailed security status of nginx please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/nginx

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libx11

CVE ID : CVE-2021-31535

Debian Bug : 988737

Roman Fiedler reported that missing length validation in various functions provided by libx11, the X11 client-side library, allow to inject X11 protocol commands on X clients, leading to authentication bypass, denial of service or potentially the execution of arbitrary code.

For the stable distribution (buster), this problem has been fixed in version 2:1.6.7-1+deb10u2.

We recommend that you upgrade your libx11 packages.

For the detailed security status of libx11 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libx11

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : lz4

CVE ID : CVE-2021-3520

Debian Bug : 987856

Jasper Lievisse Adriaanse reported an integer overflow flaw in lz4, a fast LZ compression algorithm library, resulting in memory corruption.

For the stable distribution (buster), this problem has been fixed in version 1.8.3-1+deb10u1.

We recommend that you upgrade your lz4 packages.

For the detailed security status of lz4 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/lz4

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : prosody

Debian Bug : 988756

The update for prosody released as DSA 4916-1 introduced a regression in websocket support. Updated prosody packages are now available to correct this issue.

For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u2.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/prosody

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : ruby-rack-cors

CVE ID : CVE-2019-18978

Debian Bug : 944849

Improper pathname handling in ruby-rack-cors, a middleware that makes Rack-based apps CORS compatible, may result in access to private resources.

For the stable distribution (buster), this problem has been fixed in version 1.0.2-1+deb10u1.

We recommend that you upgrade your ruby-rack-cors packages.

For the detailed security status of ruby-rack-cors please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/ruby-rack-cors

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2021-30506 CVE-2021-30507 CVE-2021-30508 CVE-2021-30509

CVE-2021-30510 CVE-2021-30511 CVE-2021-30512 CVE-2021-30513

CVE-2021-30514 CVE-2021-30515 CVE-2021-30516 CVE-2021-30517

CVE-2021-30518 CVE-2021-30519 CVE-2021-30520

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-30506

@retsew0x01 discovered an error in the Web App installation interface.

CVE-2021-30507

Alison Huffman discovered an error in the Offline mode.

CVE-2021-30508

Leecraso and Guang Gong discovered a buffer overflow issue in the Media

Feeds implementation.

CVE-2021-30509

David Erceg discovered an out-of-bounds write issue in the Tab Strip

implementation.

CVE-2021-30510

Weipeng Jiang discovered a race condition in the aura window manager.

CVE-2021-30511

David Erceg discovered an out-of-bounds read issue in the Tab Strip

implementation.

CVE-2021-30512

ZhanJia Song discovered a use-after-free issue in the notifications

implementation.

CVE-2021-30513

Man Yue Mo discovered an incorrect type in the v8 javascript library.

CVE-2021-30514

koocola and Wang discovered a use-after-free issue in the Autofill

feature.

CVE-2021-30515

Rong Jian and Guang Gong discovered a use-after-free issue in the file

system access API.

CVE-2021-30516

ZhanJia Song discovered a buffer overflow issue in the browsing history.

CVE-2021-30517

Jun Kokatsu discovered a buffer overflow issue in the reader mode.

CVE-2021-30518

laural discovered use of an incorrect type in the v8 javascript library.

CVE-2021-30519

asnine discovered a use-after-free issue in the Payments feature.

CVE-2021-30520

Khalil Zhani discovered a use-after-free issue in the Tab Strip

implementation.

For the stable distribution (buster), these problems have been fixed in version 90.0.4430.212-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : prosody

CVE ID : CVE-2021-32917 CVE-2021-32918 CVE-2021-32919 CVE-2021-32920

CVE-2021-32921

Multiple security issues were found in Prosody, a lightweight Jabber/XMPP server, which could result in denial of service or information disclosure.

For the stable distribution (buster), these problems have been fixed in version 0.11.2-1+deb10u1.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/prosody

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : postgresql-11

CVE ID : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029

Multiple security issues have been discovered in the PostgreSQL database system, which could result in the execution of arbitrary code or disclosure of memory content.

For the stable distribution (buster), these problems have been fixed in version 11.12-0+deb10u1.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/postgresql-11

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : graphviz

CVE ID : CVE-2020-18032

Debian Bug : 988000

A buffer overflow was discovered in Graphviz, which could potentially result in the execution of arbitrary code when processing a malformed file.

For the stable distribution (buster), this problem has been fixed in version 2.40.1-6+deb10u1.

We recommend that you upgrade your graphviz packages.

For the detailed security status of graphviz please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/graphviz

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : hivex

CVE ID : CVE-2021-3504

Debian Bug : 988024

Jemery Galindo discovered an out-of-bounds memory access in Hivex, a library to parse Windows Registry hive files.

For the stable distribution (buster), this problem has been fixed in version 1.3.18-1+deb10u1.

We recommend that you upgrade your hivex packages.

For the detailed security status of hivex please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/hivex

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : exim4

CVE ID : CVE-2020-28007 CVE-2020-28008 CVE-2020-28009 CVE-2020-28010

CVE-2020-28011 CVE-2020-28012 CVE-2020-28013 CVE-2020-28014

CVE-2020-28015 CVE-2020-28017 CVE-2020-28019 CVE-2020-28021

CVE-2020-28022 CVE-2020-28023 CVE-2020-28024 CVE-2020-28025

CVE-2020-28026

The Qualys Research Labs reported several vulnerabilities in Exim, a mail transport agent, which could result in local privilege escalation and remote code execution.

Details can be found in the Qualys advisory at https://www.qualys.com/2021/05/04/21nails/21nails.txt

For the stable distribution (buster), these problems have been fixed in version 4.92-8+deb10u6.

We recommend that you upgrade your exim4 packages.

For the detailed security status of exim4 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/exim4

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2021-21227 CVE-2021-21228 CVE-2021-21229 CVE-2021-21230

CVE-2021-21231 CVE-2021-21232 CVE-2021-21233

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2021-21227

Gengming Liu discovered a data validation issue in the v8 javascript

library.

CVE-2021-21228

Rob Wu discovered a policy enforcement error.

CVE-2021-21229

Mohit Raj discovered a user interface error in the file downloader.

CVE-2021-21230

Manfred Paul discovered use of an incorrect type.

CVE-2021-21231

Sergei Glazunov discovered a data validation issue in the v8 javascript

library.

CVE-2021-21232

Abdulrahman Alqabandi discovered a use-after-free issue in the developer

tools.

CVE-2021-21233

Omair discovered a buffer overflow issue in the ANGLE library.

For the stable distribution (buster), these problems have been fixed in version 90.0.4430.93-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libimage-exiftool-perl

CVE ID : CVE-2021-22204

Debian Bug : 987505

A vulnerability was discovered in libimage-exiftool-perl, a library and program to read and write meta information in multimedia files, which may result in execution of arbitrary code if a malformed DjVu file is processed.

For the stable distribution (buster), this problem has been fixed in version 11.16-1+deb10u1.

We recommend that you upgrade your libimage-exiftool-perl packages.

For the detailed security status of libimage-exiftool-perl please refer to its security tracker page at:

https://security-tracker.debia…er/libimage-exiftool-perl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/