Posts by Micha

    Package : krb5


    CVE ID : CVE-2022-42898


    Debian Bug : 1024267



    Greg Hudson discovered integer overflow flaws in the PAC parsing in krb5, the MIT implementation of Kerberos, which may result in remote code execution (in a KDC, kadmin, or GSS or Kerberos application server process), information exposure (to a cross-realm KDC acting maliciously), or denial of service (KDC or kadmind process crash).
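The advisory names integer overflows in PAC parsing without showing where such a parser goes wrong. The C program below is an added illustration, not code from MIT krb5, Debian or the advisory: it walks the PAC_INFO_BUFFER table as the wire layout is documented in MS-PAC and contrasts the two arithmetic checks a parser must get right, the header-length product (cBuffers * entry size) and the per-buffer Offset + cbBufferSize bound. Function names and the sample PAC bytes are constructed for the example; the naive check deliberately uses 32-bit arithmetic to show the wrap a 32-bit size_t gives.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout from MS-PAC, all fields little-endian:
 *   PACTYPE         { uint32 cBuffers; uint32 Version; PAC_INFO_BUFFER Buffers[cBuffers]; }
 *   PAC_INFO_BUFFER { uint32 ulType; uint32 cbBufferSize; uint64 Offset; }
 * Offset is relative to the start of the PACTYPE structure. */
#define PACTYPE_LENGTH         8u
#define PAC_INFO_BUFFER_LENGTH 16u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr64(uint8_t *p, uint64_t v) {
    wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32));
}

/* Unsafe pattern: header length computed in 32-bit arithmetic (what a 32-bit
 * size_t gives). cBuffers = 0x10000001 makes 8 + cBuffers*16 wrap to 0x18, the
 * "fits" test passes, and a caller then walks 0x10000001 descriptors past the
 * end of the buffer. */
bool header_fits_naive(uint32_t cbuffers, uint32_t len) {
    uint32_t header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH;
    return header_len <= len;
}

/* Hardened: bound cBuffers by division before ever multiplying. */
bool header_fits_checked(uint32_t cbuffers, size_t len) {
    if (len < PACTYPE_LENGTH) return false;
    return cbuffers <= (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH;
}

/* Validate every descriptor. Returns cBuffers on success, -1 on any bad bound. */
int pac_parse(const uint8_t *pac, size_t len) {
    if (len < PACTYPE_LENGTH) return -1;
    uint32_t cbuffers = rd32(pac);
    if (!header_fits_checked(cbuffers, len)) return -1;
    uint64_t header_len = PACTYPE_LENGTH + (uint64_t)cbuffers * PAC_INFO_BUFFER_LENGTH;
    for (uint32_t i = 0; i < cbuffers; i++) {
        const uint8_t *e = pac + PACTYPE_LENGTH + (size_t)i * PAC_INFO_BUFFER_LENGTH;
        uint32_t size = rd32(e + 4);
        uint64_t off  = rd64(e + 8);
        /* "off + size > len" can itself wrap in 64 bits; compare by subtraction. */
        if (size > len || off > len - size) return -1;
        if (off < header_len) return -1;   /* body must not overlap the descriptor table */
    }
    return (int)cbuffers;
}

/* Constructed sample: a 2-entry table (8 + 2*16 = 40 bytes of header) followed
 * by two 8-byte bodies, 56 bytes in total. Entry types 1 and 6 are the MS-PAC
 * logon-info and server-checksum buffers; the second entry is parameterised. */
static size_t build_sample(uint8_t out[56], uint64_t second_offset, uint32_t second_size) {
    memset(out, 0, 56);
    wr32(out, 2);                                              /* cBuffers */
    wr32(out + 4, 0);                                          /* Version  */
    wr32(out + 8, 1);  wr32(out + 12, 8);           wr64(out + 16, 40);
    wr32(out + 24, 6); wr32(out + 28, second_size); wr64(out + 32, second_offset);
    return 56;
}

int demo_valid(void) {
    uint8_t pac[56];
    size_t n = build_sample(pac, 48, 8);
    return pac_parse(pac, n);               /* 2 */
}

/* Offset chosen so that Offset + cbBufferSize wraps to 8 in 64-bit arithmetic:
 * an additive bound check would accept it, the subtractive one rejects it. */
int demo_wrapped_offset(void) {
    uint8_t pac[56];
    size_t n = build_sample(pac, 0xFFFFFFFFFFFFFFF8ull, 16);
    return pac_parse(pac, n);               /* -1 */
}

int main(void) {
    printf("naive header check, cBuffers=0x10000001, len=64: %s\n",
           header_fits_naive(0x10000001u, 64) ? "fits (wrong)" : "rejected");
    printf("checked header check: %s\n",
           header_fits_checked(0x10000001u, 64) ? "fits" : "rejected");
    printf("valid PAC: %d buffers\n", demo_valid());
    printf("wrapped-offset PAC: %d\n", demo_wrapped_offset());
    return 0;
}
```

The two rules the example encodes are general: never multiply an attacker-supplied count before bounding it by division against the remaining length, and never test `offset + size > len` when `offset` and `size` come off the wire; test `size > len || offset > len - size` instead. A PAC arrives inside a cross-realm TGT or service ticket, so on a KDC the sender of these bytes is another realm's KDC, which is why the advisory lists a malicious cross-realm KDC among the attackers.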



    For the stable distribution (bullseye), this problem has been fixed in version 1.18.3-6+deb11u3.



    We recommend that you upgrade your krb5 packages.



    For the detailed security status of krb5 please refer to its security tracker page at:


    Information on source package krb5



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Debian Security Advisory DSA-5285-1                   security@debian.org
    https://www.debian.org/security/                       Markus Koschany
    November 17, 2022                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------



    Package : asterisk


    CVE ID : CVE-2021-37706 CVE-2021-43299 CVE-2021-43300 CVE-2021-43301
             CVE-2021-43302 CVE-2021-43303 CVE-2021-43804 CVE-2021-43845
             CVE-2021-46837 CVE-2022-21722 CVE-2022-21723 CVE-2022-23608
             CVE-2022-24763 CVE-2022-24764 CVE-2022-24786 CVE-2022-24792
             CVE-2022-24793 CVE-2022-26498 CVE-2022-26499 CVE-2022-26651

    Debian Bug : 1014998 1018073 1014976



    Multiple security vulnerabilities have been found in Asterisk, an Open Source Private Branch Exchange. Buffer overflows and other programming errors could be exploited for information disclosure or the execution of arbitrary code.



    Special care should be taken when upgrading to this new upstream release.


    Some configuration files and options have changed in order to remedy certain security vulnerabilities. Most notably the pjsip TLS listener only accepts TLSv1.3 connections in the default configuration now. This can be reverted by adding method=tlsv1_2 to the transport in pjsip.conf. See also https://issues.asterisk.org/jira/browse/ASTERISK-29017.
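The following pjsip.conf fragment is an added example, not part of the advisory or of the Asterisk project's shipped configuration. It shows the two states the paragraph describes side by side: a transport with no `method` line, which after this update negotiates TLSv1.3 only, and a second transport that pins `method=tlsv1_2` for peers that cannot do TLSv1.3. Section names, bind ports and certificate paths are placeholders.

```ini
; Added example. Section names, ports and file paths are placeholders.

; Default after 1:16.28.0~dfsg-0+deb11u1: no "method" line, so this listener
; accepts TLSv1.3 connections only.
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key

; Only for peers that cannot speak TLSv1.3: pin the older protocol on its own
; transport and point just those peers at it, rather than downgrading every
; TLS listener on the box.
[transport-tls-legacy]
type=transport
protocol=tls
bind=0.0.0.0:5062
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1_2
```

To confirm which listener does what after reloading, `openssl s_client -connect pbx.example:5061 -tls1_2` should fail to complete the handshake against the default transport while `-tls1_3` succeeds, and the reverse holds for port 5062. Keep a note of every transport carrying `method=tlsv1_2`, since each one reintroduces exactly what the upstream default change removed.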



    For the stable distribution (bullseye), these problems have been fixed in version 1:16.28.0~dfsg-0+deb11u1.



    We recommend that you upgrade your asterisk packages.



    For the detailed security status of asterisk please refer to its security tracker page at:


    Information on source package asterisk



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : thunderbird


    CVE ID : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406
             CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411
             CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420
             CVE-2022-45421



    Multiple security issues were discovered in Thunderbird, which could result in denial of service or the execution of arbitrary code.



    For the stable distribution (bullseye), these problems have been fixed in version 1:102.5.0-1~deb11u1.



    We recommend that you upgrade your thunderbird packages.



    For the detailed security status of thunderbird please refer to its security tracker page at:


    Information on source package thunderbird



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : jackson-databind


    CVE ID : CVE-2020-36518 CVE-2022-42003 CVE-2022-42004


    Debian Bug : 1007109



    Several flaws were discovered in jackson-databind, a fast and powerful JSON library for Java.



    CVE-2020-36518

        Java StackOverflow exception and denial of service via a large depth of nested objects.

    CVE-2022-42003

        In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.

    CVE-2022-42004

        In FasterXML jackson-databind resource exhaustion can occur because of a lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.



    For the stable distribution (bullseye), these problems have been fixed in version 2.12.1-1+deb11u1.



    We recommend that you upgrade your jackson-databind packages.



    For the detailed security status of jackson-databind please refer to its security tracker page at:


    Information on source package jackson-databind



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : wordpress


    Debian Bug : 1007005 1018863 1022575 1024249



    The wordpress package released in DSA-5279-1 had incorrect dependencies that could not be satisfied in Debian stable: this update corrects the problem. For reference, the original advisory text is provided here again:



        Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injection, create open redirects, bypass authorization access, or perform Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.



    For the stable distribution (bullseye), this problem has been fixed in version 5.7.8+dfsg1-0+deb11u2.



    We recommend that you upgrade your wordpress packages.



    For the detailed security status of wordpress please refer to its security tracker page at:


    Information on source package wordpress



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : firefox-esr


    CVE ID : CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406
             CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411
             CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420
             CVE-2022-45421



    Multiple security issues have been found in the Mozilla Firefox web browser, which could potentially result in the execution of arbitrary code, information disclosure, spoofing or bypass of the SameSite cookie policy.



    For the stable distribution (bullseye), these problems have been fixed in version 102.5.0esr-1~deb11u1.



    We recommend that you upgrade your firefox-esr packages.



    For the detailed security status of firefox-esr please refer to its security tracker page at:


    Information on source package firefox-esr



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : nginx


    CVE ID : CVE-2022-41741 CVE-2022-41742



    It was discovered that parsing errors in the mp4 module of Nginx, a high-performance web and reverse proxy server, could result in denial of service, memory disclosure or potentially the execution of arbitrary code when processing a malformed mp4 file.



    This module is only enabled in the nginx-extras binary package.



    For the stable distribution (bullseye), these problems have been fixed in version 1.18.0-6.1+deb11u3.



    We recommend that you upgrade your nginx packages.



    For the detailed security status of nginx please refer to its security tracker page at:


    Information on source package nginx



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : grub2


    CVE ID : CVE-2022-2601 CVE-2022-3775



    Several issues were found in GRUB2's font handling code, which could result in crashes and potentially execution of arbitrary code. These could lead to a bypass of UEFI Secure Boot on affected systems.



    Further, issues were found in image loading that could potentially lead to memory overflows.



    For the stable distribution (bullseye), these problems have been fixed in version 2.06-3~deb11u4.



    We recommend that you upgrade your grub2 packages.



    For the detailed security status of grub2 please refer to its security tracker page at:


    Information on source package grub2



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : wordpress


    Debian Bug : 1007005 1018863 1022575



    Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injection, create open redirects, bypass authorization access, or perform Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS) attacks.



    For the stable distribution (bullseye), this problem has been fixed in version 5.7.8+dfsg1-0+deb11u1.



    We recommend that you upgrade your wordpress packages.



    For the detailed security status of wordpress please refer to its security tracker page at:


    Information on source package wordpress



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : xorg-server


    CVE ID : CVE-2022-3550 CVE-2022-3551



    It was discovered that a buffer overflow in the _getCountedString() function of the Xorg X server may result in denial of service or potentially the execution of arbitrary code.



    For the stable distribution (bullseye), these problems have been fixed in version 2:1.20.11-1+deb11u3.



    We recommend that you upgrade your xorg-server packages.



    For the detailed security status of xorg-server please refer to its security tracker page at:


    Information on source package xorg-server



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : php7.4


    CVE ID : CVE-2022-31630 CVE-2022-37454 CVE-2022-31629 CVE-2022-31628



    Multiple security issues were discovered in PHP, a widely-used open source general purpose scripting language, which could result in denial of service, information disclosure, insecure cookie handling or potentially the execution of arbitrary code.



    For the stable distribution (bullseye), these problems have been fixed in version 7.4.33-1+deb11u1.



    We recommend that you upgrade your php7.4 packages.



    For the detailed security status of php7.4 please refer to its security tracker page at:


    Information on source package php7.4



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : pixman


    CVE ID : CVE-2022-44638


    Debian Bug : 1023427



    Maddie Stone reported a heap-based buffer overflow flaw in pixman, a pixel-manipulation library for X and cairo, which could result in denial of service or potentially the execution of arbitrary code.



    For the stable distribution (bullseye), this problem has been fixed in version 0.40.0-1.1~deb11u1.



    We recommend that you upgrade your pixman packages.



    For the detailed security status of pixman please refer to its security tracker page at:


    Information on source package pixman



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : chromium


    CVE ID : CVE-2022-3885 CVE-2022-3886 CVE-2022-3887 CVE-2022-3888
             CVE-2022-3889 CVE-2022-3890


    Debian Bug : 1015931



    Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.



    For the stable distribution (bullseye), these problems have been fixed in version 107.0.5304.110-1~deb11u1.



    We recommend that you upgrade your chromium packages.



    For the detailed security status of chromium please refer to its security tracker page at:


    Information on source package chromium



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : wpewebkit


    CVE ID : CVE-2022-42799 CVE-2022-42823 CVE-2022-42824



    The following vulnerabilities have been discovered in the WPE WebKit web engine:



    CVE-2022-42799

        Jihwan Kim and Dohyun Lee discovered that visiting a malicious website may lead to user interface spoofing.

    CVE-2022-42823

        Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-42824

        Abdulrahman Alqabandi, Ryan Shin and Dohyun Lee discovered that processing maliciously crafted web content may disclose sensitive user information.



    For the stable distribution (bullseye), these problems have been fixed in version 2.38.2-1~deb11u1.



    We recommend that you upgrade your wpewebkit packages.



    For the detailed security status of wpewebkit please refer to its security tracker page at:


    Information on source package wpewebkit



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : webkit2gtk


    CVE ID : CVE-2022-42799 CVE-2022-42823 CVE-2022-42824



    The following vulnerabilities have been discovered in the WebKitGTK web engine:



    CVE-2022-42799

        Jihwan Kim and Dohyun Lee discovered that visiting a malicious website may lead to user interface spoofing.

    CVE-2022-42823

        Dohyun Lee discovered that processing maliciously crafted web content may lead to arbitrary code execution.

    CVE-2022-42824

        Abdulrahman Alqabandi, Ryan Shin and Dohyun Lee discovered that processing maliciously crafted web content may disclose sensitive user information.



    For the stable distribution (bullseye), these problems have been fixed in version 2.38.2-1~deb11u1.



    We recommend that you upgrade your webkit2gtk packages.



    For the detailed security status of webkit2gtk please refer to its security tracker page at:


    Information on source package webkit2gtk



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : xen


    CVE ID : CVE-2022-33745 CVE-2022-33746 CVE-2022-33747 CVE-2022-33748
             CVE-2022-42309 CVE-2022-42310 CVE-2022-42311 CVE-2022-42312
             CVE-2022-42313 CVE-2022-42314 CVE-2022-42315 CVE-2022-42316
             CVE-2022-42317 CVE-2022-42318 CVE-2022-42319 CVE-2022-42320
             CVE-2022-42321 CVE-2022-42322 CVE-2022-42323 CVE-2022-42324
             CVE-2022-42325 CVE-2022-42326



    Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in privilege escalation, denial of service or information leaks.



    For the stable distribution (bullseye), these problems have been fixed in version 4.14.5+86-g1c354767d5-1.



    We recommend that you upgrade your xen packages.



    For the detailed security status of xen please refer to its security tracker page at:


    Information on source package xen



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : libxml2


    CVE ID : CVE-2022-40303 CVE-2022-40304


    Debian Bug : 1022224 1022225



    Several vulnerabilities were discovered in libxml2, a library providing support to read, modify and write XML and HTML files.



    CVE-2022-40303

        Maddie Stone discovered that missing safety checks in several functions can result in integer overflows when parsing an XML document with the XML_PARSE_HUGE option enabled.

    CVE-2022-40304

        Ned Williamson and Nathan Wachholz discovered a vulnerability when handling detection of entity reference cycles, which may result in corrupted dictionary entries. This flaw may lead to logic errors, including memory errors like double free flaws.



    For the stable distribution (bullseye), these problems have been fixed in version 2.9.10+dfsg-6.7+deb11u3.



    We recommend that you upgrade your libxml2 packages.



    For the detailed security status of libxml2 please refer to its security tracker page at:


    Information on source package libxml2



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ntfs-3g


    CVE ID : CVE-2022-40284



    Yuchen Zeng and Eduardo Vela discovered a buffer overflow in NTFS-3G, a read-write NTFS driver for FUSE, due to incorrect validation of some of the NTFS metadata. A local user can take advantage of this flaw for local root privilege escalation.



    For the stable distribution (bullseye), this problem has been fixed in version 1:2017.3.23AR.3-4+deb11u3.



    We recommend that you upgrade your ntfs-3g packages.



    For the detailed security status of ntfs-3g please refer to its security tracker page at:


    Information on source package ntfs-3g



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : pypy3


    CVE ID : CVE-2022-37454



    Nicky Mouha discovered a buffer overflow in the sha3 module of PyPy, a fast, compliant alternative implementation of the Python language.



    For the stable distribution (bullseye), this problem has been fixed in version 7.3.5+dfsg-2+deb11u2.



    We recommend that you upgrade your pypy3 packages.



    For the detailed security status of pypy3 please refer to its security tracker page at:


    Information on source package pypy3



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

    Package : ffmpeg



    Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed.




    For the stable distribution (bullseye), these problems have been fixed in version 7:4.3.5-0+deb11u1.



    We recommend that you upgrade your ffmpeg packages.



    For the detailed security status of ffmpeg please refer to its security tracker page at:


    Information on source package ffmpeg



    Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/