Beiträge von Micha

Package : thunderbird

CVE ID : CVE-2020-6792 CVE-2020-6793 CVE-2020-6794 CVE-2020-6795

CVE-2020-6798 CVE-2020-6800

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code or denial of service.

For the oldstable distribution (stretch), these problems have been fixed in version 1:68.5.0-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 1:68.5.0-1~deb10u1.

We recommend that you upgrade your thunderbird packages.

For the detailed security status of thunderbird please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/thunderbird

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : evince

CVE ID : CVE-2017-1000159 CVE-2019-11459 CVE-2019-1010006

Debian Bug : 927820

Several vulnerabilities were discovered in evince, a simple multi-page document viewer.

CVE-2017-1000159

Tobias Mueller reported that the DVI exporter in evince is

susceptible to a command injection vulnerability via specially

crafted filenames.

CVE-2019-11459

Andy Nguyen reported that the tiff_document_render() and

tiff_document_get_thumbnail() functions in the TIFF document backend

did not handle errors from TIFFReadRGBAImageOriented(), leading to

disclosure of uninitialized memory when processing TIFF image files.

CVE-2019-1010006

A buffer overflow vulnerability in the tiff backend could lead to

denial of service, or potentially the execution of arbitrary code if

a specially crafted PDF file is opened.

For the oldstable distribution (stretch), these problems have been fixed in version 3.22.1-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 3.30.2-3+deb10u1. The stable distribution is only affected by CVE-2019-11459.

We recommend that you upgrade your evince packages.

For the detailed security status of evince please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/evince

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : postgresql-11

CVE ID : CVE-2020-1720

Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" sub commands in the PostgreSQL database did not perform authorisation checks.

For the stable distribution (buster), this problem has been fixed in version 11.7-0+deb10u1.

We recommend that you upgrade your postgresql-11 packages.

For the detailed security status of postgresql-11 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/postgresql-11

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : postgresql-9.6

CVE ID : CVE-2020-1720

Tom Lane discovered that "ALTER ... DEPENDS ON EXTENSION" sub commands in the PostgreSQL database did not perform authorisation checks.

For the oldstable distribution (stretch), this problem has been fixed in version 9.6.17-0+deb9u1.

We recommend that you upgrade your postgresql-9.6 packages.

For the detailed security status of postgresql-9.6 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/postgresql-9.6

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : openjdk-8

CVE ID : CVE-2020-2583 CVE-2020-2590 CVE-2020-2593 CVE-2020-2601

CVE-2020-2604 CVE-2020-2654 CVE-2020-2659

Several vulnerabilities have been discovered in the OpenJDK Java runtime, resulting in denial of service, incorrect implementation of Kerberos GSSAPI and TGS requests or incorrect TLS handshakes.

For the oldstable distribution (stretch), these problems have been fixed in version 8u242-b08-1~deb9u1.

We recommend that you upgrade your openjdk-8 packages.

For the detailed security status of openjdk-8 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openjdk-8

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : firefox-esr

CVE ID : CVE-2020-6796 CVE-2020-6798 CVE-2020-6800

Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code.

For the oldstable distribution (stretch), these problems have been fixed in version 68.5.0esr-1~deb9u1.

For the stable distribution (buster), these problems have been fixed in version 68.5.0esr-1~deb10u1.

We recommend that you upgrade your firefox-esr packages.

For the detailed security status of firefox-esr please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/firefox-esr

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libxmlrpc3-java

CVE ID : CVE-2019-17570

Debian Bug : 949089

Guillaume Teissier reported that the XMLRPC client in libxmlrpc3-java, an XML-RPC implementation in Java, does perform deserialization of the server-side exception serialized in the faultCause attribute of XMLRPC error response messages. A malicious XMLRPC server can take advantage of this flaw to execute arbitrary code with the privileges of an application using the Apache XMLRPC client library.

Note that a client that expects to get server-side exceptions need to set explicitly the enabledForExceptions property.

For the oldstable distribution (stretch), this problem has been fixed in version 3.1.3-8+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 3.1.3-9+deb10u1.

We recommend that you upgrade your libxmlrpc3-java packages.

For the detailed security status of libxmlrpc3-java please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libxmlrpc3-java

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libexif

CVE ID : CVE-2019-9278

Debian Bug : 945948

An out-of-bounds write vulnerability due to an integer overflow was reported in libexif, a library to parse EXIF files, which could result in denial of service, or potentially the execution of arbitrary code if specially crafted image files are processed.

For the oldstable distribution (stretch), this problem has been fixed in version 0.6.21-2+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 0.6.21-5.1+deb10u1.

We recommend that you upgrade your libexif packages.

For the detailed security status of libexif please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libexif

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : qtbase-opensource-src

CVE ID : CVE-2020-0569 CVE-2020-0570

Two security issues were found in the Qt library, which could result in plugins and libraries being loaded from the current working directory, resulting in potential code execution.

For the oldstable distribution (stretch), these problems have been fixed in version 5.7.1+dfsg-3+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 5.11.3+dfsg1-1+deb10u3.

We recommend that you upgrade your qtbase-opensource-src packages.

For the detailed security status of qtbase-opensource-src please refer to its security tracker page at:

https://security-tracker.debia…ker/qtbase-opensource-src

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : qemu

CVE ID : CVE-2019-15890 CVE-2020-7039 CVE-2020-1711

Two security issues have been found in the SLiRP networking implementation of QEMU, a fast processor emulator, which could result in the execution of arbitrary code or denial of service.

For the oldstable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u9.

For the stable distribution (buster), these problems have been fixed in version 1:3.1+dfsg-8+deb10u4.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/qemu

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : spamassassin

CVE ID : CVE-2020-1930 CVE-2020-1931

Debian Bug : 950258

Two vulnerabilities were discovered in spamassassin, a Perl-based spam filter using text analysis. Malicious rule or configuration files, possibly downloaded from an updates server, could execute arbitrary commands under multiple scenarios.

For the oldstable distribution (stretch), these problems have been fixed in version 3.4.2-1~deb9u3.

For the stable distribution (buster), these problems have been fixed in version 3.4.2-1+deb10u2.

We recommend that you upgrade your spamassassin packages.

For the detailed security status of spamassassin please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/spamassassin

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : sudo

CVE ID : CVE-2019-18634

Debian Bug : 950371

Joe Vennix discovered a stack-based buffer overflow vulnerability in sudo, a program designed to provide limited super user privileges to specific users, triggerable when configured with the "pwfeedback" option enabled. An unprivileged user can take advantage of this flaw to obtain full root privileges.

Details can be found in the upstream advisory at https://www.sudo.ws/alerts/pwfeedback.html .

For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u2.

For the stable distribution (buster), exploitation of the bug is prevented due to a change in EOF handling introduced in 1.8.26.

We recommend that you upgrade your sudo packages.

For the detailed security status of sudo please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/sudo

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : libidn2

CVE ID : CVE-2019-18224

Debian Bug : 942895

A heap-based buffer overflow vulnerability was discovered in the

idn2_to_ascii_4i() function in libidn2, the GNU library for Internationalized Domain Names (IDNs), which could result in denial of service, or the execution of arbitrary code when processing a long domain string.

For the stable distribution (buster), this problem has been fixed in version 2.0.5-1+deb10u1.

We recommend that you upgrade your libidn2 packages.

For the detailed security status of libidn2 please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/libidn2

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : prosody-modules

CVE ID : CVE-2020-8086

It was discovered that the LDAP authentication modules for the Prosody Jabber/XMPP server incorrectly validated the XMPP address when checking whether a user has admin access.

For the oldstable distribution (stretch), this problem has been fixed in version 0.0~hg20170123.3ed504b944e5+dfsg-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 0.0~hg20190203.b54e98d5c4a1+dfsg-1+deb10u1.

We recommend that you upgrade your prosody-modules packages.

For the detailed security status of prosody-modules please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/prosody-modules

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : opensmtpd

CVE ID : CVE-2020-7247

Debian Bug : 950121

Qualys discovered that the OpenSMTPD SMTP server performed insufficient validation of email addresses which could result in the execution of arbitrary commands as root. In addition this update fixes a denial of service by triggering an opportunistic TLS downgrade.

For the oldstable distribution (stretch), these problems have been fixed in version 6.0.2p1-2+deb9u2.

For the stable distribution (buster), these problems have been fixed in version 6.0.3p1-5+deb10u3. This update also includes non-security bugfixes which were already lined up for the Buster 10.3 point release.

We recommend that you upgrade your opensmtpd packages.

For the detailed security status of opensmtpd please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/opensmtpd

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : webkit2gtk

CVE ID : CVE-2019-8835 CVE-2019-8844 CVE-2019-8846

The following vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2019-8835

An anonymous researcher discovered that maliciously crafted web

content may lead to arbitrary code execution.

CVE-2019-8844

William Bowling discovered that maliciously crafted web content

may lead to arbitrary code execution.

CVE-2019-8846

Marcin Towalski of Cisco Talos discovered that maliciously crafted

web content may lead to arbitrary code execution.

For the stable distribution (buster), these problems have been fixed in version 2.26.3-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : python-apt

CVE ID : CVE-2019-15795 CVE-2019-15796

Debian Bug : 944696

Two security issues were found in the Python interface to the apt package manager; package downloads from unsigned repositories were incorrectly rejected and the hash validation relied on MD5.

For the oldstable distribution (stretch), these problems have been fixed in version 1.4.1.

For the stable distribution (buster), these problems have been fixed in version 1.8.4.1.

We recommend that you upgrade your python-apt packages.

For the detailed security status of python-apt please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/python-apt

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : tiff

CVE ID : CVE-2019-14973 CVE-2019-17546

Multiple integer overflows have been discovered in the libtiff library and the included tools.

For the stable distribution (buster), these problems have been fixed in version 4.1.0+git191117-2~deb10u1.

We recommend that you upgrade your tiff packages.

For the detailed security status of tiff please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/tiff

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : openconnect

CVE ID : CVE-2019-16239

Debian Bug : 940871

Lukas Kupczyk reported a vulnerability in the handling of chunked HTTP in openconnect, an open client for Cisco AnyConnect, Pulse and GlobalProtect VPN. A malicious HTTP server (after having accepted its identity certificate), can provide bogus chunk lengths for chunked HTTP encoding and cause a heap-based buffer overflow.

For the oldstable distribution (stretch), this problem has been fixed in version 7.08-1+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 8.02-1+deb10u1.

We recommend that you upgrade your openconnect packages.

For the detailed security status of openconnect please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/openconnect

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Package : chromium

CVE ID : CVE-2019-13725 CVE-2019-13726 CVE-2019-13727 CVE-2019-13728

CVE-2019-13729 CVE-2019-13730 CVE-2019-13732 CVE-2019-13734

CVE-2019-13735 CVE-2019-13736 CVE-2019-13737 CVE-2019-13738

CVE-2019-13739 CVE-2019-13740 CVE-2019-13741 CVE-2019-13742

CVE-2019-13743 CVE-2019-13744 CVE-2019-13745 CVE-2019-13746

CVE-2019-13747 CVE-2019-13748 CVE-2019-13749 CVE-2019-13750

CVE-2019-13751 CVE-2019-13752 CVE-2019-13753 CVE-2019-13754

CVE-2019-13755 CVE-2019-13756 CVE-2019-13757 CVE-2019-13758

CVE-2019-13759 CVE-2019-13761 CVE-2019-13762 CVE-2019-13763

CVE-2019-13764 CVE-2019-13767 CVE-2020-6377 CVE-2020-6378

CVE-2020-6379 CVE-2020-6380

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2019-13725

Gengming Liu and Jianyu Chen discovered a use-after-free issue in the

bluetooth implementation.

CVE-2019-13726

Sergei Lazunov discovered a buffer overflow issue.

CVE-2019-13727

@piochu discovered a policy enforcement error.

CVE-2019-13728

Rong Jian and Guang Gong discovered an out-of-bounds write error in the

v8 javascript library.

CVE-2019-13729

Zhe Jin discovered a use-after-free issue.

CVE-2019-13730

Soyeon Park and Wen Xu discovered the use of a wrong type in the v8

javascript library.

CVE-2019-13732

Sergei Glazunov discovered a use-after-free issue in the WebAudio

implementation.

CVE-2019-13734

Wenxiang Qian discovered an out-of-bounds write issue in the sqlite

library.

CVE-2019-13735

Gengming Liu and Zhen Feng discovered an out-of-bounds write issue in the

v8 javascript library.

CVE-2019-13736

An integer overflow issue was discovered in the pdfium library.

CVE-2019-13737

Mark Amery discovered a policy enforcement error.

CVE-2019-13738

Johnathan Norman and Daniel Clark discovered a policy enforcement error.

CVE-2019-13739

xisigr discovered a user interface error.

CVE-2019-13740

Khalil Zhani discovered a user interface error.

CVE-2019-13741

Michał Bentkowski discovered that user input could be incompletely

validated.

CVE-2019-13742

Khalil Zhani discovered a user interface error.

CVE-2019-13743

Zhiyang Zeng discovered a user interface error.

CVE-2019-13744

Prakash discovered a policy enforcement error.

CVE-2019-13745

Luan Herrera discovered a policy enforcement error.

CVE-2019-13746

David Erceg discovered a policy enforcement error.

CVE-2019-13747

Ivan Popelyshev and André Bonatti discovered an uninitialized value.

CVE-2019-13748

David Erceg discovered a policy enforcement error.

CVE-2019-13749

Khalil Zhani discovered a user interface error.

CVE-2019-13750

Wenxiang Qian discovered insufficient validation of data in the sqlite

library.

CVE-2019-13751

Wenxiang Qian discovered an uninitialized value in the sqlite library.

CVE-2019-13752

Wenxiang Qian discovered an out-of-bounds read issue in the sqlite

library.

CVE-2019-13753

Wenxiang Qian discovered an out-of-bounds read issue in the sqlite

library.

CVE-2019-13754

Cody Crews discovered a policy enforcement error.

CVE-2019-13755

Masato Kinugawa discovered a policy enforcement error.

CVE-2019-13756

Khalil Zhani discovered a user interface error.

CVE-2019-13757

Khalil Zhani discovered a user interface error.

CVE-2019-13758

Khalil Zhani discovered a policy enforecement error.

CVE-2019-13759

Wenxu Wu discovered a user interface error.

CVE-2019-13761

Khalil Zhani discovered a user interface error.

CVE-2019-13762

csanuragjain discovered a policy enforecement error.

CVE-2019-13763

weiwangpp93 discovered a policy enforecement error.

CVE-2019-13764

Soyeon Park and Wen Xu discovered the use of a wrong type in the v8

javascript library.

CVE-2019-13767

Sergei Glazunov discovered a use-after-free issue.

CVE-2020-6377

Zhe Jin discovered a use-after-free issue.

CVE-2020-6378

Antti Levomäki and Christian Jalio discovered a use-after-free issue.

CVE-2020-6379

Guang Gong discovered a use-after-free issue.

CVE-2020-6380

Sergei Glazunov discovered an error verifying extension messages.

For the oldstable distribution (stretch), security support for chromium has been discontinued.

For the stable distribution (buster), these problems have been fixed in version 79.0.3945.130-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at:

https://security-tracker.debian.org/tracker/chromium

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/