Beiträge von Micha

Package : pillow

CVE ID : CVE-2022-22815 CVE-2022-22816 CVE-2022-22817

Multiple security issues were discovered in Pillow, a Python imaging library, which could result in denial of service and potentially the execution of arbitrary code if malformed images are processed.

For the oldstable distribution (buster), these problems have been fixed in version 5.4.1-2+deb10u3.

For the stable distribution (bullseye), these problems have been fixed in version 8.1.2+dfsg-0.3+deb11u1.

We recommend that you upgrade your pillow packages.

For the detailed security status of pillow please refer to its security tracker page at:

Information on source package pillow

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : usbview

CVE ID : CVE-2022-23220

Matthias Gerstner reported that usbview, a USB device viewer, does not properly handle authorization in the PolicyKit policy configuration, which could result in root privilege escalation.

For the oldstable distribution (buster), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 2.0-21-g6fe2f4f-2+deb11u1.

We recommend that you upgrade your usbview packages.

For the detailed security status of usbview please refer to its security tracker page at:

Information on source package usbview

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : aide

CVE ID : CVE-2021-45417

David Bouman discovered a heap-based buffer overflow vulnerability in the base64 functions of aide, an advanced intrusion detection system, which can be triggered via large extended file attributes or ACLs. This may result in denial of service or privilege escalation.

For the oldstable distribution (buster), this problem has been fixed in version 0.16.1-1+deb10u1.

For the stable distribution (bullseye), this problem has been fixed in version 0.17.3-4+deb11u1.

We recommend that you upgrade your aide packages.

For the detailed security status of aide please refer to its security tracker page at:

Information on source package aide

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : linux

CVE ID : CVE-2021-4155 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713

CVE-2021-28714 CVE-2021-28715 CVE-2021-39685 CVE-2021-45095

CVE-2021-45469 CVE-2021-45480 CVE-2022-0185 CVE-2022-23222

Debian Bug : 988044 996974

Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

CVE-2021-4155

Kirill Tkhai discovered a data leak in the way the XFS_IOC_ALLOCSP

IOCTL in the XFS filesystem allowed for a size increase of files

with unaligned size. A local attacker can take advantage of this

flaw to leak data on the XFS filesystem.

CVE-2021-28711, CVE-2021-28712, CVE-2021-28713 (XSA-391)

Juergen Gross reported that malicious PV backends can cause a denial

of service to guests being serviced by those backends via high

frequency events, even if those backends are running in a less

privileged environment.

CVE-2021-28714, CVE-2021-28715 (XSA-392)

Juergen Gross discovered that Xen guests can force the Linux

netback driver to hog large amounts of kernel memory, resulting in

denial of service.

CVE-2021-39685

Szymon Heidrich discovered a buffer overflow vulnerability in the

USB gadget subsystem, resulting in information disclosure, denial of

service or privilege escalation.

CVE-2021-45095

It was discovered that the Phone Network protocol (PhoNet) driver

has a reference count leak in the pep_sock_accept() function.

CVE-2021-45469

Wenqing Liu reported an out-of-bounds memory access in the f2fs

implementation if an inode has an invalid last xattr entry. An

attacker able to mount a specially crafted image can take advantage

of this flaw for denial of service.

CVE-2021-45480

A memory leak flaw was discovered in the __rds_conn_create()

function in the RDS (Reliable Datagram Sockets) protocol subsystem.

CVE-2022-0185

William Liu, Jamie Hill-Daniel, Isaac Badipe, Alec Petridis, Hrvoje

Misetic and Philip Papurt discovered a heap-based buffer overflow

flaw in the legacy_parse_param function in the Filesystem Context

functionality, allowing an local user (with CAP_SYS_ADMIN capability

in the current namespace) to escalate privileges.

CVE-2022-23222

'tr3e' discovered that the BPF verifier does not properly restrict

several *_OR_NULL pointer types allowing these types to do pointer

arithmetic. A local user with the ability to call bpf(), can take

advantage of this flaw to excalate privileges. Unprivileged calls to

bpf() are disabled by default in Debian, mitigating this flaw.

For the stable distribution (bullseye), these problems have been fixed in version 5.10.92-1. This version includes changes which were aimed to land in the next Debian bullseye point release.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security tracker page at:

Information on source package linux

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : flatpak

CVE ID : CVE-2021-43860 CVE-2022-21682

Several vulnerabilities were discovered in Flatpak, an application deployment framework for desktop apps.

CVE-2021-43860

Ryan Gonzalez discovered that Flatpak didn't properly validate

that the permissions displayed to the user for an app at install

time match the actual permissions granted to the app at

runtime. Malicious apps could therefore grant themselves

permissions without the consent of the user.

CVE-2022-21682

Flatpak didn't always prevent a malicious flatpak-builder user

from writing to the local filesystem.

For the stable distribution (bullseye), these problems have been fixed in version 1.10.7-0+deb11u1.

Please note that flatpak-builder also needed an update for compatibility, and is now at version 1.0.12-1+deb11u1 in bullseye.

We recommend that you upgrade your flatpak and flatpak-builder packages.

For the detailed security status of flatpak please refer to its security tracker page at:

Information on source package flatpak

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libreswan

CVE ID : CVE-2022-23094

It was discovered that the libreswan IPsec implementation could be forced into a crash/restart via a malformed IKEv1 packet, resulting in denial of service.

For the stable distribution (bullseye), this problem has been fixed in version 4.3-1+deb11u1.

We recommend that you upgrade your libreswan packages.

For the detailed security status of libreswan please refer to its security tracker page at:

Information on source package libreswan

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : prosody

CVE ID : CVE-2022-0217

Matthew Wild discovered that the WebSockets code in Prosody, a lightweight Jabber/XMPP server, was susceptible to denial of service.

For the oldstable distribution (buster), this problem has been fixed in version 0.11.2-1+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in version 0.11.9-2+deb11u1.

We recommend that you upgrade your prosody packages.

For the detailed security status of prosody please refer to its security tracker page at:

Information on source package prosody

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2021-4052 CVE-2021-4053 CVE-2021-4054 CVE-2021-4055

CVE-2021-4056 CVE-2021-4057 CVE-2021-4058 CVE-2021-4059

CVE-2021-4061 CVE-2021-4062 CVE-2021-4063 CVE-2021-4064

CVE-2021-4065 CVE-2021-4066 CVE-2021-4067 CVE-2021-4068

CVE-2021-4078 CVE-2021-4079 CVE-2021-4098 CVE-2021-4099

CVE-2021-4100 CVE-2021-4101 CVE-2021-4102 CVE-2021-37956

CVE-2021-37957 CVE-2021-37958 CVE-2021-37959 CVE-2021-37961

CVE-2021-37962 CVE-2021-37963 CVE-2021-37964 CVE-2021-37965

CVE-2021-37966 CVE-2021-37967 CVE-2021-37968 CVE-2021-37969

CVE-2021-37970 CVE-2021-37971 CVE-2021-37972 CVE-2021-37973

CVE-2021-37974 CVE-2021-37975 CVE-2021-37976 CVE-2021-37977

CVE-2021-37978 CVE-2021-37979 CVE-2021-37980 CVE-2021-37981

CVE-2021-37982 CVE-2021-37983 CVE-2021-37984 CVE-2021-37985

CVE-2021-37986 CVE-2021-37987 CVE-2021-37988 CVE-2021-37989

CVE-2021-37990 CVE-2021-37991 CVE-2021-37992 CVE-2021-37993

CVE-2021-37994 CVE-2021-37995 CVE-2021-37996 CVE-2021-37997

CVE-2021-37998 CVE-2021-37999 CVE-2021-38000 CVE-2021-38001

CVE-2021-38002 CVE-2021-38003 CVE-2021-38004 CVE-2021-38005

CVE-2021-38006 CVE-2021-38007 CVE-2021-38008 CVE-2021-38009

CVE-2021-38010 CVE-2021-38011 CVE-2021-38012 CVE-2021-38013

CVE-2021-38014 CVE-2021-38015 CVE-2021-38016 CVE-2021-38017

CVE-2021-38018 CVE-2021-38019 CVE-2021-38020 CVE-2021-38021

CVE-2021-38022 CVE-2022-0096 CVE-2022-0097 CVE-2022-0098

CVE-2022-0099 CVE-2022-0100 CVE-2022-0101 CVE-2022-0102

CVE-2022-0103 CVE-2022-0104 CVE-2022-0105 CVE-2022-0106

CVE-2022-0107 CVE-2022-0108 CVE-2022-0109 CVE-2022-0110

CVE-2022-0111 CVE-2022-0112 CVE-2022-0113 CVE-2022-0114

CVE-2022-0115 CVE-2022-0116 CVE-2022-0117 CVE-2022-0118

CVE-2022-0120

Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

For the oldstable distribution (buster), security support for Chromium has been discontinued due to toolchain issues which no longer allow to build current Chromium releases on buster. You can either upgrade to the stable release (bullseye) or switch to a browser which continues to receive security supports in buster (firefox-esr or browsers based on webkit2gtk)

For the stable distribution (bullseye), these problems have been fixed in version 97.0.4692.71-0.1~deb11u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

Information on source package chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : thunderbird

CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739

CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743

CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751

Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.

For the oldstable distribution (buster), these problems have been fixed in version 1:91.5.0-2~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 1:91.5.0-2~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:

Information on source package thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2021-4140 CVE-2022-22737 CVE-2022-22738 CVE-2022-22739

CVE-2022-22740 CVE-2022-22741 CVE-2022-22742 CVE-2022-22743

CVE-2022-22745 CVE-2022-22747 CVE-2022-22748 CVE-2022-22751

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, denial of service or spoofing.

For the oldstable distribution (buster), these problems have been fixed in version 91.5.0esr-1~deb10u1. Not all architectures are available for oldstable yet, most notably i386 (32 bits x86) is missing.

For the stable distribution (bullseye), these problems have been fixed in version 91.5.0esr-1~deb11u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:

Information on source package firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : lxml

CVE ID : CVE-2021-43818

Debian Bug : 1001885

It was discovered that lxml, a Python binding for the libxml2 and libxslt libraries, does not properly sanitize its input, which could lead to cross-site scripting.

For the oldstable distribution (buster), this problem has been fixed in version 4.3.2-1+deb10u4.

For the stable distribution (bullseye), this problem has been fixed in version 4.6.3+dfsg-0.1+deb11u1.

We recommend that you upgrade your lxml packages.

For the detailed security status of lxml please refer to its security tracker page at:

Information on source package lxml

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : epiphany-browser

CVE ID : CVE-2021-45085 CVE-2021-45086 CVE-2021-45087 CVE-2021-45088

Several vulnerabities have been discovered in Epiphany, the GNOME web browser, allowing XSS attacks under certain circumstances.

For the stable distribution (bullseye), these problems have been fixed in version 3.38.2-1+deb11u1.

We recommend that you upgrade your epiphany-browser packages.

For the detailed security status of epiphany-browser please refer to its security tracker page at:

Information on source package epiphany-browser

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : cfrpki

CVE ID : CVE-2021-3761 CVE-2021-3907 CVE-2021-3908 CVE-2021-3909

CVE-2021-3910 CVE-2021-3911 CVE-2021-3912 CVE-2021-43173

CVE-2021-43174

Multiple vulnerabilities were discovered in Cloudflare's RPKI validator, which could result in denial of service or path traversal.

For the stable distribution (bullseye), these problems have been fixed in version 1.4.2-1~deb11u1.

We recommend that you upgrade your cfrpki packages.

For the detailed security status of cfrpki please refer to its security tracker page at:

Information on source package cfrpki

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : lighttpd

CVE ID : CVE-2022-22707

An out-of-bounds memory access was discovered in the mod_extforward plugin of the lighttpd web server, which may result in denial of service.

For the oldstable distribution (buster), this problem has been fixed in version 1.4.53-4+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in version 1.4.59-1+deb11u1.

We recommend that you upgrade your lighttpd packages.

For the detailed security status of lighttpd please refer to its security tracker page at:

Information on source package lighttpd

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : wordpress

CVE ID : CVE-2022-21661 CVE-2022-21662 CVE-2022-21663 CVE-2022-21664

Debian Bug : 1003243

Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injection, run unchecked SQL queries, bypass hardening, or perform Cross-Site Scripting (XSS) attacks.

For the oldstable distribution (buster), these problems have been fixed in version 5.0.15+dfsg1-0+deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 5.7.5+dfsg1-0+deb11u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to its security tracker page at:

Information on source package wordpress

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : ghostscript

CVE ID : CVE-2021-45944 CVE-2021-45949

Multiple security issues were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which could result in denial of service and potentially the execution of arbitrary code if malformed document files are processed.

For the oldstable distribution (buster), these problems have been fixed in version 9.27~dfsg-2+deb10u5.

For the stable distribution (bullseye), these problems have been fixed in version 9.53.3~dfsg-7+deb11u2.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its security tracker page at:

Information on source package ghostscript

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : roundcube

CVE ID : CVE-2021-46144

Debian Bug : 1003027

It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to perform Cross-Side Scripting

(XSS) attacks.

For the oldstable distribution (buster), this problem has been fixed in version 1.3.17+dfsg.1-1~deb10u2.

For the stable distribution (bullseye), this problem has been fixed in version 1.4.13+dfsg.1-1~deb11u1.

We recommend that you upgrade your roundcube packages.

For the detailed security status of roundcube please refer to its security tracker page at:

Information on source package roundcube

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : sphinxsearch

CVE ID : CVE-2020-29050

It was discovered that sphinxsearch, a fast standalone full-text SQL search engine, could allow arbitrary files to be read by abusing a configuration option.

For the oldstable distribution (buster), this problem has been fixed in version 2.2.11-2+deb10u1.

We recommend that you upgrade your sphinxsearch packages.

For the detailed security status of sphinxsearch please refer to its security tracker page at:

Information on source package sphinxsearch

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : apache2

CVE ID : CVE-2021-44224 CVE-2021-44790

Two vulnerabilities have been discovered in the Apache HTTP server:

CVE-2021-44224

When operating as a forward proxy, Apache was depending on the setup

suspectible to denial of service or Server Side Request forgery.

CVE-2021-44790

A buffer overflow in mod_lua may result in denial of service or

potentially the execution of arbitrary code.

For the oldstable distribution (buster), these problems have been fixed in version 2.4.38-3+deb10u7.

For the stable distribution (bullseye), these problems have been fixed in version 2.4.52-1~deb11u2.

We recommend that you upgrade your apache2 packages.

For the detailed security status of apache2 please refer to its security tracker page at:

Information on source package apache2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : thunderbird

CVE ID : CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502

CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507

CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529

CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537

CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542

CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538

Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code, spoofing, information disclosure, downgrade attacks on SMTP STARTTLS connections or misleading display of OpenPGP/MIME signatures.

For the oldstable distribution (buster), these problems have been fixed in version 1:91.4.1-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in version 1:91.4.1-1~deb11u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:

Information on source package thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/